New Report Contends Mandatory Crypto Backdoors Would Be Futile
An estimated 63 percent of the encryption products available today are developed outside US borders, according to a new report that takes a firm stance against the kinds of mandated backdoors some federal officials have contended are crucial to ensuring national security.
The report, prepared by researchers Bruce Schneier, Kathleen Seidel, and Saranya Vijayakumar, identified 865 hardware or software products from 55 countries that incorporate encryption. Of them, 546 originated from outside the US. The most common non-US country was Germany, a country that has publicly disavowed the kinds of backdoors advocated by FBI Director James Comey and other US officials. Although the Obama administration is no longer asking Congress for legislation requiring them, it continues to lobby private industry to include ways law enforcement agencies can decrypt encrypted data sent or stored by criminal or terrorism suspects.
The authors said that they found no reason to believe the quality of encryption products developed abroad are any better or worse than their counterparts in the US or in the UK or France, whose officials have also hinted they favor encryption backdoors. The conclusion of their survey—which the researchers said represents the lower bound of the number of encryption products available worldwide—was that criminals or terrorists who are savvy enough to use encryption would also be smart enough to choose a product that isn’t subject to mandatory backdoor laws. The result, the authors argued, is that US competitiveness would be harmed with little benefit to national security.
In the report, they wrote:
Currently in the US, UK, and other countries, there are policy discussions about mandatory backdoors in encryption products. Law enforcement is the impetus behind these discussions; they claim that they are “going dark” and unable to decrypt either communications or data in storage. Security researchers have long argued that such backdoors are impossible to implement securely, and will result in substandard security for everyone. Others argue that going dark is the wrong metaphor, and that many avenues for surveillance remain.
Our research points to a different argument. Proposed mandatory backdoors have always been about modifying the encryption products used by everyone to eavesdrop on the few bad guys. That is, the FBI wants Apple—for example—to ensure that everyone’s iPhone can be decrypted on demand so the FBI can decrypt the phones of the very few users under FBI investigation.
For this to be effective, those people using encryption to evade law enforcement must use Apple products. If they are able to use alternative encryption products, especially products created and distributed in countries that are not subject to US law, they will naturally switch to those products if Apple’s security weaknesses become known.
Our survey demonstrates that such switching is easy. Anyone who wants to evade an encryption backdoor in US or UK encryption products has a wide variety of foreign products they can use instead: to encrypt their hard drives, voice conversations, chat sessions, VPN links, and everything else. Any mandatory backdoor will be ineffective simply because the marketplace is so international. Yes, it will catch criminals who are too stupid to realize that their security products have been backdoored or too lazy to switch to an alternative, but those criminals are likely to make all sorts of other mistakes in their security and be catchable anyway. The smart criminals that any mandatory backdoors are supposed to catch—terrorists, organized crime, and so on—will easily be able to evade those backdoors. Even if a criminal has to use, for example, a US encryption product for communicating with the world at large, it is easy for him to also use a non-US non-backdoored encryption product for communicating with his compatriots.
The report comes 17 years after a similar survey found there were 805 hardware and software products from 35 non-US countries incorporating encryption. That study argued against controls mandated by the Clinton administration on the export of strong encryption developed in the US. While both reports reached similar conclusions, very few of the products in the 1999 survey were found in the one published Thursday, showing how much the market has changed.