Michael Hayden and the Dutch Government Are against Crypto Backdoors

Last week, former NSA Director Michael Hayden made a very strong argument against deliberately weakening security products by adding backdoors:

Americans’ safety is best served by the highest level of technology possible, and that the country’s intelligence agencies have figured out ways to get around encryption.

“Before any civil libertarians want to come up to me afterwards and get my autograph,” he explained at a Tuesday panel on national security hosted by the Council on Foreign Relations, “let me tell you how we got around it: Bulk data and metadata [collection].”

Encryption is “a law enforcement issue more than an intelligence issue,” Hayden argued, “because, frankly, intelligence gets to break all sorts of rules, to cheat, to use other paths.”


“I don’t think it’s a winning hand to attempt to legislate against technological progress,” Hayden said.


“It’s a combination of technology and business,” Hayden said. “Creating a door for the government to enter, at the technological level, creates a very bad business decision on the parts of these companies because that is by definition weaker encryption than would otherwise be available … Both of those realities are true.”

This isn’t new, and is yet another example of the split between the law-enforcement and intelligence communities on this issue. What is new is Hayden saying, effectively: Hey FBI, you guys are idiots for trying to get back doors.

On the other side of the Atlantic Ocean, the Dutch government has come out against backdoors in security products, and in favor of strong encryption.

Meanwhile, I have been hearing rumors that “serious” US legislation mandating backdoors is about to be introduced. These rumors are pervasive, but without details.

Posted on January 12, 2016 at 1:22 PM34 Comments


Winter January 12, 2016 1:51 PM

The Dutch government backs strong encryption for two reasons: politicians from the left want to protect privacy, and politicians from the right want to protect tge business of the second biggest internet exchange in the world, the Amsterdam Exchange.

Morals and business are aligned on this one.

Ken January 12, 2016 2:03 PM

RE: “…rumors that “serious” US legislation mandating backdoors is about to be introduced.”

Dejua Vu — recall the Clipper Chip / Fortezza …

Daniel January 12, 2016 2:44 PM

Encryption is “a law enforcement issue more than an intelligence issue,” Hayden argued, “because, frankly, intelligence gets to break all sorts of rules, to cheat, to use other paths.”

Frankly, that is nonsense. There is no normative distinction between the two because law enforcement is predicated upon domestic surveillance. It is true enough that there are more restrictions on domestic surveillance than foreign surveillance, at least in the USA because of the 4A, but that distinction doesn’t amount to a hill of beans in a digital world. For one, there is no viable distinction between foreign and domestic when it comes to the internet, see MS and Ireland…and if it did it would just turn the the internet into what Bruce has called “the feudal internet”. Second, as we know from posse comitatus and parallel construction…the intelligence community is going to break all the rules and then feed that data to the FBI.

So if there is a war between the FBI and the NSA it is purely rhetorical–a war of words–whose only purpose is to distract the populace from what is really going on viz. the wholesale flushing of their democracy down the drain.

Gerard van Vooren January 12, 2016 3:21 PM

@ Winter,

“Morals and business are aligned on this one.”

Completely true. There is a lot more to loose than to win and thankfully the Dutch government came to that conclusion too.

MK January 12, 2016 3:25 PM

Regarding the Dutch situation, also note that the Dutch Intelligence & Security Act of 2002 (‘Wiv2002’) provides two powers for compelled decryption: one related to hacking (Article 24, third paragraph) and one related selected/targeted interception (Article 25, seventh paragraph). AFAIK, no information is available about how often these existing powers have been used, against whom, and with regard to what communication or data, over the past decade.

Also, the Dutch government is planning to expand the non-selected/non-targeted interception power: that power can currently only be exercised on ether communications (e.g. radio, satellite), not on cable communications. This is similar to the situation in Sweden prior to ‘the FRA law’ (the one enacted in 2009). The Dutch draft bill expands the existing power to “any form of communication” (ether, cable, whatever) processed by (yet to be determined categories of) “service providers” (ISPs, hosting providers, webforum operators). It also includes a new compelled-decryption provision.

Also similar to Sweden, such interception will — at least per the draft bill — not require a court warrant: approval from the minister suffices. (This may change as result of a plethora of public comments pleading for some form of legally binding oversight, and studies performed into EU-level jurisprudence.)

I have no idea to what extent the compelled-decryption powers in practice provide the Dutch intelligence services with the access they want; end-to-end encryption might (eventually) necessitate the Dutch government to review its position regarding encryption, unless exercise of other powers (e.g. hacking) can sufficiently compensate.

Clive Robinson January 12, 2016 3:43 PM

@ Daniel,

So if there is a war between the FBI and the NSA it is purely rhetorical-

Oh there’s a war going on all right and like most “turf wars” it’s very far from rhetorical. It’s the name of the game on the hill where power plays make prizes.

You can be absolutely certain that the FBI would never alow it’s self to become reliant on the NSA for intel for a couple of good reasons. The first is dependency, the FBI does not want to become a strung out junkie utterly dependent on the NSA as pusher, it gives them way way to much power. Secondly the NSA has it’s own fish to catch and are realy not interested in soiling their lilly white status just to catch criminals, thus the FBI work would be a long long way behind any in house work.

So as far as the FBI are concerned there is a very real war going on, a war of independence and self determination free from external influence, for primacy in their own domain. They are still not happy they missed out on various domestic cyber-gigs that the NSA etc got.

This is by no means recent, look up what Louis Freeh used to get upto in times past doing the “international policy gig” giving confidential briefings on encryption and going dark to European countries.

Clive Robinson January 12, 2016 4:37 PM

Obama Flys to Silicon Valley

Obama and Co flew down to California last Friday supposadly for a meeting on how Silicon Valley could help with dealing with IS.



Well the story is that encryption was not originally on the agenda, but Comey made it conditional on his going. Even then it was supposed to be a minor talking point.

Well from what I’ve heard apparently that is not what happened, and the story is the Silicon Valley execs who attended got sand bagged by Comey who made backdoors in encryption and handing over of passwords/keys to the FBI priority one. And discussions on dealing with IS propaganda a long way second…

If it’s true and the other Whitehouse staff let Comey do that then it would appear that what @Bruce has been hearing,

Meanwhile, I have been hearing rumors that “serious” US legislation mandating backdoors is about to be introduced. These rumors are pervasive, but without details.

May well have a lot of substance to it.

I suspect we will get to hear more one way or the other in the next few hours or days as Obama’s last “State of the Union” speech is imminent.

Frank Wilhoit January 12, 2016 6:30 PM

Hayden (like all of his innumerable predecessors) wins the argument by bait-and-switch. He opens a debate on the validity of his methods, and thereby gains points for candor; but what this does is to close off debate on the validity of his purposes.

(Broad hint: they haven’t any.)

Daniel January 12, 2016 8:11 PM


Your response enforces my point that Hayden’s stance is nonsense.

Bruce writes, “What is new is Hayden saying, effectively: Hey FBI, you guys are idiots for trying to get back doors.” According to you that’s wrong. What Hayden is saying is, “Dear FBI, your problems are not our problems. So don’t let the door hit you on the way out.” That may be true from a DC turf war perspective. But from the point of view of the citizen in the country I do not care one single iota who wins DC turf wars. My point is that anyone who thinks that the FBI is going to be left blind while the NSA sits there are rolls with laughter as the FBI stumbles in the dark is a fool. There is no principled basis for that stance. Either they both fly blind or neither of them will. So Hayden stance is at best disingenuous and at worst nonsense.

Target Sheep January 12, 2016 8:55 PM

Some say Mr. Hayden is a liar and war criminal. That’s about Bush era CIA torture of prisoners and Mr. Hayden’s conduct and responses to Congress about it. Others do not think so, maybe because they are all crooks and liars.

Anyway. It could be a big mistake to trust the words of any government official these days. Certainly at the federal level elected officials and their bureaucratic overseers do not feel a need to represent the American people or uphold the Constitution.

CISA passed without a whimper of protest from Congress, gutted of any privacy protections whatsoever. Literally anything you communicate on an electronic device can and will be used as evidence in court against you, because that’s what the law says. A new law outlawing encryption would thus seem to be a slam dunk. Besides, think of all the great arrests DHS will be able to make. After all anyone who uses encryption is guilty of being unpatriotic, and maybe terroristc.

It took many years and millions of, sometimes violent, protests to stop the Viet Nam War. That’s what it would take to get mass surveillance off our backs. But, no one dies from using an iPhone and it’s so fun and easy to find out stuff….so….that’s the way it is and will be.

Jacob January 12, 2016 10:05 PM

@ Clive , @Bruce

“If it’s true and the other Whitehouse staff let Comey do that then it would appear that what @Bruce has been hearing,
“Meanwhile, I have been hearing rumors that “serious” US legislation mandating backdoors is about to be introduced. These rumors are pervasive, but without details.””

The local floodgates have been opened:


Thoth January 13, 2016 3:09 AM

re: Broken-berry
There are more than one way to break a Blackberry down and I remember in my past posts I did mention about the chips Blackberry uses is not suitable for security critical applications. The chip for the latest Blackberry series (since BB10 or even earlier) uses Qualcomm ARM chips equipped with ARM TrustZone technology. It only provides separated hardware domains (a secure and insecure domain respected on the hardware) but the catch is most of these ARM chips are not the tamper resistant type and so you can mount classical electrical analysis attacks like DFA, DPA or SPA which is simply to analysis the power consumption and chip RF emissions to determine the crypto keys from the patterns they produce. The lack of a tamper resistant chip meant someone could grab your chip and dump the keys from the chip either by physical penetration into the chip circuitry to look for the keys.

Not to forget, NXP / Philips Usfa which has the technology and resources to makes a whole ton of smartcard,TPM and military crypto chips is based there and I am not surprised the years of experience in attacking and protecting security chips that Netherlands has would make it a very likely candidate (together with US, UK, Germany, France and Russia) to have the technology and resources when it comes to chip attacks.

Essentially, a non-secure chip like the commercial smartphone ARM chips are rather powerless at protecting any cryptographic secrets from more advanced threat actors (MSA and above).

I wouldn’t be surprised that Netherlands backing of strong encryption is to boost sales of it’s cryptographic chips (NXP’s chips et. al.) and security technology as NXP is one of the biggest security chip providers world-wide and not backing encryption would be to ruin it’s major income. Do be careful of the yummy crypto-honeypot 🙂 .

The only way to ensure survivability of privacy and personal security is to make them highly ubiquitous and become a common place. Making End-to-End encryption a common sight which only users can verify and control their keys would also make it harder for a “single point of failure” in terms of legislature trying to ban privacy and personal security.

Chris W January 13, 2016 3:51 AM

Publicly advocating for backdoors is a fools errand, no one serious about security would trust solutions provided by those companies and would instead be reliant on publicly vetted open-source security products, or custom ones. So advocating backdoors is counter-productive, any existing exploit against corporate security products would become much less valuable.

The intelligence community doesn’t want to discuss intelligence publicly, they rather just silently develop exploits or introduce backdoors covertly.

And that’s where the FBI is behind on the NSA, the FBI doesn’t have the luxury of special laws and executive orders to authorize ‘grey’ intelligence operations. Well, at least they have NSLs, right?

But even when looking at it objectively, backdoors are damaging to the economy. Just look at the Patriot Act and cloud storage, and the shift we saw to local European cloud storage solutions. US cloud storage companies scrambled to provide assurances that EU data would be safe, even going as far as moving the cloud storage divisions into their own EU companies. Just to try preserve revenue.
Just imagine what will happen when you say “Here is our nice security product, it may or may not have a mandated backdoor.”

So what Hayden and the Dutch government are saying is exactly what you would expect from any government. Except the Chinese of course, because everyone in China already knows you’re being spied upon, so backdoors isn’t that much worse.
The .5m grant is just a gesture to convince the general public, everyone knows that, right?

Hayden’s message is a bit funny though. He’s basically taunting: LOL, we already have other means to get that intelligence. Backdoors? Don’t let me laugh… losers.

Radio Free Moscow January 13, 2016 5:55 AM

The only thing worse than having stuff stolen is having stuff nobody wants to steal. Maybe if they steal more they’ll borrow less and the national debt will go down.

There is no protection. Being alive means being exposed; it’s the nature of life to be hazardous–it’s the stuff of living. Clans of the Alphane Moon

Vesselin Bontchev January 13, 2016 6:32 AM

Bruce, it’s no rumor. New York State has already introduced a bill which, if passed, would require that all mobile phones sold or leased in the state are decryptable on demand.

sam January 13, 2016 6:52 AM

@Radio Free Moscow

There is no protection. Being alive means being exposed; it’s the nature of life to be hazardous

Being alive means exposure to some necessary risk. That doesn’t mean you can be careless about all risk.

Just because you find out about PRISM doesn’t make it okay that you’ve been using password1 on everything for years.


if there is a war between the FBI and the NSA it is purely rhetorical–a war of words–whose only purpose is to distract the populace

It may not be this organised. There might also be a power struggle between FBI and NSA and it might contribute or be incidental to the erosion of liberties. There might be more than one thing happening, and there might not be one central body who is focusing the whole thing. Hanlon’s razor, etc.

wiredog January 13, 2016 8:15 AM

Remember that one of the jobs, the primary job really, of the FBI is to catch criminals and get them convicted. If you catch the next Dillinger, and a court tosses the conviction because the evidence was incorrectly gathered, then you didn’t catch him and this will be reflected in your next evaluation.

I worked on software that the FBI used in counter-terrorism and counter-intelligence, which are secondary to catching bank robbers, and all the software had to have a “mark this data as Criminal Evidence” function. If that mark was applied then the data had to be sequestered, handed off to other investigators, restricted from general access, and otherwise treated with proper chain of evidence procedures.

CallMeLateForSupper January 13, 2016 10:19 AM

I coukd not access the text of New York State Assembly Bill A08093 via the link provided by @Jacob (likely because I allow no JS nor cookies), but the link below does the trick.


In a nut shell, this bill would prohibit the sale or lease, within New York State, of phones that are not unlockable by their manufacturer.

I think the author(s) of this specimen play fast and loose with the term “passcode”. Several examples; here is the final one:
“Simply stated, passcode-protected devices render lawful court orders meaningless and encourage criminals to act with impunity.”

The several passages revolving on “passcode” are muddy, so I will clarify: phone passcodes per se ain’t the problem; encrypted content is the problem.

But encrypted emails, computer files and hard drives abound, so one has to wonder why e.g. LUKS and GPG are not under similar legislative attack as well. Could this be an example of avoiding thorns and going straight to low-hanging fruit? Yeah, probby.

ianf January 13, 2016 2:47 PM

Clive Robinson soothes Daniel’s quandary over the essence of any “war between the FBI and the NSA.”

[…] “like most “turf wars” it’s far from rhetorical. It’s the name of the game on the Capitol Hill, where power plays make prizes.

It needs be added that internal strife, competition for resources, back-biting, top-level lack of coöperation and coördination between U.S. LEO agencies, as well as the State Department and the Pentagon, are nearer the norm, than the exceptions in their daily dealings. Every such body first watches out for their own, then that its own turf not be trodden upon, and first then, perhaps, for the needs of a fellow agency. Post 2001/9/11 the Department of Homeland Security was supposed to obliterate these bad institutional habits, but they proved stronger than that. These are the effects of cumulative normalization of deviation, not some transient subversions of normalcy,

Nowhere was this more clearly outlined than in “The Looming Tower” by Lawrence Wright; in the chapter devoted to John O’Neill, probably the sole FBI exec who “got” what Al Qaeda aimed for AFTER the first failed WTC bombing 1993, who then was thwarted in his investigation of the Khobar Towers bombing (1996) by the Saudis, and of the USS Cole bombing in Aden by then U.S. Ambassador. She saw smoothing the relations with Yemen as a priority even at the price of smothering an FBI investigation of terrorist attacks on the peninsula against American military, and other Western nations’ presence there (she denied reentry to John O’Neill effectively shutting down the investigation). Then he was sidelined by the FBI, left to become the security director of the WTC complex, and died in the attack. Whereas Barbara Bodine went on to fuck up post-invasion Iraq.

[…] the NSA has it’s own fish to catch and are realy not interested in soiling their lilly white status just to catch criminals

That’s correct, they chase their own ghosts, and all the other, non-terror-related, intel that they collect only sees the light of the day when their own trenches are being threatened on the Hill.

    Speaking of the NSA… have I got a related post for y’all, albeit in the Squid Ink Pasta thread.

Dirk Praet January 13, 2016 7:46 PM

@ Clive

If it’s true and the other Whitehouse staff let Comey do that then it would appear that what @Bruce has been hearing … may well have a lot of substance to it.

I kinda wonder which execs of said companies had the balls to tell him to go sod himself and move to China.

Andrew January 13, 2016 10:29 PM

There are different levels of authority, access and classification for agencies. Plus every time a bad guy is caught or information get to media, there is the risk of methods being uncovered.

– highest authority with legal base
– can ask/force companies to put backdoors in products (or they do it themselves)
– spies on Russians and Chinese and the rest of the world for existential threats (or for fun)
– provides information, doesn’t arrest people
– cannot risk their methods being disclosed
– Michael Hayden, ex boss, knows they can access any target, anyway. And weakening encryption only affects good guys.

– lower authority
– they have their own intelligence tools, sometimes based on products vulnerabilities
– may request information from NSA, based on some level of classification
– cries for legal access so they can spy everybody too
– they arrest pedophiles, criminals and terrorists
– exposed to methods disclosure on every action
– Comey knows they can’t push it too much beyond the law, like NSA, that’s why they request legal backdoors.

Thoth January 13, 2016 10:31 PM

Whats happens if you purchase a phone and load your own mobile OS that uses strong encryption of all data by default ?

Are there tools that could simplify and aid “mere peasants” on loading their own OS (e.g. CyanogenOS) and enabling strong encryption without too much hassle ?

CallMeLateForSupper January 14, 2016 8:05 AM

“Whats happens if you purchase a phone and load your own mobile OS that uses strong encryption of all data by default ?”

No problem… under the version of A8093 that I read.

Unless a NYS person has a burning desire to code a personal phone OS, I would suggest she simply go to any state other than New York to buy her encrypted phone.

Sancho_P January 14, 2016 5:39 PM

I’d support that NYS bill.

We’d immediately learn which devices are snake oil and which are secure.

Thoth January 14, 2016 10:36 PM

Going to another state to buy encrypted smartphobes would work for the moment until the anti-privacy bills spread like wildfire across the USA and becomes a national law (Orwellian state) then it wouldn’t work anymore. US laws and governance doesn’t inspire much hope these days and it’s best to be prepared for the worst which is to assume widespread banning of cryptography not using backdoors or with key sizes bigger than export control grade keys (>40 bits key).

Ideally it would be best if everyone takes a few steps to protect themselves but the clamp down and FUD around personal security which the Warhawk Elites are spreading in the US and worldwide smears the image of strong personal security and lays out worldwide prohibition via their influences.

I wonder when they would force device manufacturers to take the next step to prevent side loading of applications into computing devices unless from Government approved programs which would inspect the source codes and signed by a Government key. This would bring us another step into the global Orwellian phenomena.

P.S. Apple’s iPhone and it’s prohibition of sideloading of apps except from downloading from Apple-s iTunes store might me the first step to our global Orwellian nation.

Marcos El Malo January 15, 2016 11:30 AM

The real worry is what happens in Washington DC. If the NY bill passes its legislature, it’s doubtful it would pass judicial review because it involves interstate commerce. Same goes for any state on this issue. Apple, Google, or whomever could sue NY the day the state legislation becomes law and at least tie it up in court for awhile. I think Apple/Google would prevail: they have strong precedents to back their case.

The best strategic use of energy is to fight in DC. Let the tech companies handle the tactical sideshow in NY with their armies of highly paid lawyers.

vas pup January 16, 2016 1:56 PM

@Daniel • January 12, 2016 2:44 PM.
Goals are not the same.
Even when intel is within LEA. Intel is NOT suppose to be source of prosecution/court utilization directly, but rather to prevent actual and imminent dangerous situations( aka time bomb, terrorist attack, etc.) AND through parallel construction (you like it or not)to move forward to obtain evidence matching requirements of criminal procedure and admissibility which could lead to prosecution/court.
E.g. who is regulating CI, undercover operations? Give me the link, please. But they all utilized for leads for obtaining EVIDENCE. Evidence are goal of prosecutor. For guys of FBI, DEA, etc – intel and evidence. See above.

Mark January 16, 2016 10:22 PM

Interesting overview, but to spin some ‘real world’ examples into the ‘back door’ debate here is one that went public on the 14/1/2016.

? USA Gov funded backdoor exploit into OpenSSH ?


Roaming through the OpenSSH client: CVE-2016-0777 and CVE-2016-0778

Information Leak (CVE-2016-0777)
– Analysis
– Private Key Disclosure
– Mitigating Factors
– Examples
Buffer Overflow (CVE-2016-0778)
– Analysis
– Mitigating Factors
– File Descriptor Leak
Proof Of Concept

Having a browse through the affected OpenSSH versions going back 6 years or so :

Copyright © 2004-2009 AppGate Network Security AB*
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.*

htttps://www.appgate.com is a redirect via redirect.portsit.se [ just outside Gothenburg, Sweden ] to https://www.cryptzone.com/ [ just outside Washington, U.S.A. ]

Am sure you can fill in the blanks as to why, the code made it’s way into the OpenSSH tree, and who really funded it’s development / use.


Wow, there are alot of USA Gov ones…..no wonder they get hacked….;)

Cryptzone is a Silver Member of the International Association of Privacy Professionals (IAPP), the world’s largest information privacy organization. It is a resource for professionals who want to develop and advance their careers by helping their organizations successfully manage these risks and protect their data.

I wonder how IAPP feel about their code and membership now…considering it leaked, keys, files, memory from any one who used it for the past 6 years or so ;)





What happens when you go to AppGate.Com


Clive Robinson January 17, 2016 5:16 AM

@ Mark,

? USA Gov funded backdoor exploit into OpenSSH ?

Whilst there is not direct evidence, there is a great deal of circumstantial evidence. Thus on the balance of probability measure I think it would not be to hard to convince a jury that at the very least further investigation was warranted.

Personally I think it’s got to the point where people should stop beliving that the standard PKI based encryption we all get to use is giving them any privacy against IC or LEO snooping. Thus the “chilling effect” of having to assume all electronic communications are being read or stored away.

Thoth January 17, 2016 6:14 AM

@Mark, Clive Robinson
Maybe the more accurate thing is anything that cannot be provably verified should be held suspicious until verified.

Regardless of asymmetric or symmetric crypto, everything has to be taken with huge care. We are in an era where lots of communications are passing through highly vulnerable and highly untrusted and insecure channels with greater ease of disruption, spying and storage with many Governments bending on suppressing the thoughts, ideas and free expression of their civilians and using military means to attempt to solve situations that do not warrant such extreme methods.

Mark January 18, 2016 1:40 AM

@Thoth, Clive Robinson

Time will tell and disclose all as they say….;)

In the mean time, I am still waiting for my permit to ‘think’ about encryption here in Australia, ohhh and one to publish a children’s book [ aimed at 2+ years old if you can type ].

You know, with the Swedish connections, and all the .mil and .gov from the USA, one could almost understand some of ‘Assange`s’ belief’s on Sweden’s motivations, etc…;)

Michael Moser January 18, 2016 10:44 PM

So Mr. Hayden says: no matter what, we 0wn your network and your box, and that’s enough for us. The FBI wants to 0wn the line, owning the line is worse because this trick can then be used by everybody else to 0wn you box. Is that a correct summary?

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.