Proposed encryption "backdoor" for the US Government and how it will fail.

Tue 28 September 2010

If you haven't heard, the President is drafting legislation that may require hardware and software developers to install backdoors in their encryption solutions and give the keys to these backdoors to the US Government.  In my opinion, this is an incredibly bad idea.

  • This has already been tried and failed.  As reported by PBS Newshour, back in 2005 Greece created backdoors into the cellular telephone networks to allow the government real-time access to this communication system.  It was promptly hacked by foreign governments and Greece's own government phone calls were monitored.
  • The United States Government doesn't have a good handle on this court-ordered wiretapping program.  As reported by National Public Radio (NPR), when the Bush administration began its wiretapping program it circumvented the US Constitution and seldom got the required warrants.  While I can't say for sure, I'd be willing to guess that this project continues.  Lawsuits have been filed but I haven't heard a definitive answer to these.
  • Open source puts the control in the public's hands.  Sorry, you won't find this kind of control if you run one of Microsoft's operating systems, but if you are one of the millions who run open source Linux, you have complete control over how your software operates.  While developers of ssh may be required to put these backdoors into their software, open source users could just as easily remove the weakness prior to utilizing the tool.  This could actually be a useful tool in a legal battle.  The government couldn't charge you with not using "approved" encryption software unless they were trying to break into your data stream, which would mean that they would have to have a warrant and have to defend the warrant.  (I am not a lawyer.  If this is something important to you, I would recommend discussing it with your attorney.)
  • Wouldn't the mere threat that others could be watching your Internet traffic severely reduce the amount of ecommerce that happens?  I wouldn't want to pass my personal information across an insecure link.  Information security professionals have been beating the drums to get lay people to look for the lock on webpages before submitting personal information.  Now that will be useless.

Have I missed anything?

By Sparks, Category: Information Security

Tags: Encryption / Privacy