Pretty Much Anyone With Any Understanding Of Crypto Tells President Obama That Backdooring Crypto Is Monumentally Stupid

(Mis)Uses of Technology

from the basic-understanding dept

Nearly 150 tech companies (including us via the Copia Institute), non-profits and computer security experts have all teamed up to send a letter to President Obama telling him to stop these stupid ideas about backdooring encryption that keeping coming out of his administration. The press headlines will note that big companies — like Google, Apple, Cisco, Microsoft, Twitter and Facebook — are signing the letter. But significantly more interesting is the signatures from a huge list of computer security experts, all putting their names down on paper to make it clear what a ridiculously bad idea it is to even think about backdooring encryption. Among those signing on are Phil Zimmermann (who lived through this sort of thing before), Whitfield Diffie (guy who invented public key cryptography), Brian Behlendorf, Ron Rivest, Peter Neumann, Gene Spafford, Bruce Schneier, Matt Blaze, Richard Clarke (long-time counterterrorism guy in the White House), Hal Abelson and many, many more. Basically a who’s who of people who actually know what they’re talking about.

We urge you to reject any proposal that U.S. companies deliberately weaken the security of their products. We request that the White House instead focus on developing policies that will promote rather than undermine the wide adoption of strong encryption technology. Such policies will in turn help to promote and protect cybersecurity, economic growth, and human rights, both here and abroad.

Strong encryption is the cornerstone of the modern information economy?s security. Encryption protects billions of people every day against countless threats?be they street criminals trying to steal our phones and laptops, computer criminals trying to defraud us, corporate spies trying to obtain our companies? most valuable trade secrets, repressive governments trying to stifle dissent, or foreign intelligence agencies trying to compromise our and our allies? most sensitive national security secrets.

Encryption thereby protects us from innumerable criminal and national security threats. This protection would be undermined by the mandatory insertion of any new vulnerabilities into encrypted devices and services. Whether you call them ?front doors? or ?back doors?, introducing intentional vulnerabilities into secure products for the government?s use will make those products less secure against other attackers. Every computer security expert that has spoken publicly on this issue agrees on this point, including the government?s own experts.

There’s much more in the full letter which I highly recommend reading. It very nicely summarizes why this is a completely insane idea, and highlights why anyone raising it should be immediately told to move on to some other project instead:

The Administration faces a critical choice: will it adopt policies that foster a global digital ecosystem that is more secure, or less? That choice may well define the future of the Internet in the 21st century. When faced with a similar choice at the end of the last century, during the so-called ?Crypto Wars?, U.S. policymakers weighed many of the same concerns and arguments that have been raised in the current debate, and correctly concluded that the serious costs of undermining encryption technology outweighed the purported benefits. So too did the President?s Review Group on Intelligence and Communications Technologies, who unanimously recommended in their December 2013 report that the US Government should ?(1) fully support and not undermine efforts to create encryption standards; (2) not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software; and (3) increase the use of encryption and urge US companies to do so, in order to better protect data in transit, at rest, in the cloud, and in other storage.?

The Washington Post quotes another surprising signatory: Paul Rosenzweig, the former Deputy Assistant Secretary for Policy at Homeland Security. If that name sounds familiar, it’s because we’ve quoted his defense of the NSA, once arguing that “too much transparency defeats the very purpose of democracy.” If even he is arguing against backdooring encryption, you know it’s an idea that should be killed off. In his case, it’s because he recognizes the simple reality that seems to have eluded the FBI director:

The signatories include policy experts who normally side with national-security hawks. Paul Rosenzweig, a former Bush administration senior policy official at the Department of Homeland Security, said: ?If I actually thought there was a way to build a U.S.-government-only backdoor, then I might be persuaded. But that?s just not reality.?

That’s just not reality. And neither should be any policy effort that involves pushing for more backdoors in encryption. It’s bad economic policy. It’s bad security policy. It’s bad crypto policy. It’s bad privacy policy. It’s just bad policy all around.

And the world would be much better off if all of these security experts and companies could focus on better protecting us from harm, rather than having to join in ridiculous debates about what a bunch of clueless bureaucrats think might be some sort of mythical magic unicorn encryption breaker.

Filed Under: 4th amendment, backdoors, bruce schneier, crypto, encryption, paul rosenzweig, phil zimmermann, privacy, richard clarke, ron rivest, security, vulnerabilitities, whitfield diffie
Companies: apple, cisco, facebook, google, microsoft, twitter