Welcome news arrived over the holidays in the form of editorial support for strong encryption from the Economist magazine. The opinion piece entitled, When Backdoors Backfire, observes pointedly: “Without encryption, internet traffic might as well be written on postcards.” It concludes: “Rather than weakening everyone’s encryption by exploiting back doors, spies should use other means…That is harder and slower than using a universal back door—but it is safer for everyone else.”
In the middle the Economist cites an example of what can go wrong with built-in vulnerabilities:
“The problem with back doors is that, though they make life easier for spooks, they also make the internet less secure for everyone else. Recent revelations involving Juniper, an American maker of networking hardware and software, vividly demonstrate how. Juniper disclosed in December that a back door, dating to 2012, let anyone with knowledge of it read traffic encrypted by its “virtual private network” software, which is used by companies and government agencies worldwide to connect different offices via the public internet. It is unclear who is responsible, but the flaw may have arisen when one intelligence agency installed a back door which was then secretly modified by another. The back door involved a faulty random-number generator in an encryption standard championed by America’s National Security Agency (NSA); other clues point to Chinese or British intelligence agencies…The danger is that back doors introduced for snooping may also end up being used for nefarious ends by rogue spooks, enemy governments, or malefactors who wish to spy on the law-abiding. It is unclear who installed Juniper’s back door or used it and to what end.”
In line with the Economist’s call for resistance to “mandatory inclusion of back doors,” the U.S. Administration has not pressed Congress for a new law mandating encryption. But in the aftermath of horrifying attacks against civilians in Paris and San Bernardino, they seem content to permit calls for tech companies to sit down with surveillance agencies to work something out. Indeed, they have passively allowed national security officials to encourage providers to keep all internet traffic on postcards by simply not using encryption.
The U.S. government and industry rightly rejects closed-door cooperation with surveillance agencies when this is advocated by other countries – especially those with a less than perfect record on democratic oversight and the rule of law. Backdoors are security vulnerabilities whether mandated by law or put in place through governmental soft power. We should just say no.