In light of the recent terrorist attacks, domestic and foreign governments have questioned how much access they should have to encryption keys and electronic backdoors. The debate of balancing the privacy of individuals and the need for law enforcement to have access to the exchange of information for public safety is once again on the table. How can encryption standards keep information safe from criminal hackers while balancing the right of the individual’s privacy in the government’s quest to maintain public safety?
Understanding the Risks in the Debate
The first step is to understand the upside and downside of increased access to computers and networks.
The primary contention for opponents of backdoor access for governments is that it would defeat security best practices, especially when it comes to perfect forward secrecy, where decryption keys are removed immediately after they are utilized. Another concern about putting in backdoors for public safety officials is that it would add another potential exploit for hackers to cause harm. In other words, code that's intended to be utilized by public safety officials to monitor criminal activity can also be used by criminals to cause harm on a targeted network.
Many proponents of backdoor access for encryption argue that while people have a right to privacy, public safety officials should have access to electronic communication in order to circumvent terrorists and criminals alike who use encryption through Virtual Private Networks (VPN), full-disk encryption programs and even popular mobile device operating systems.
Potential for Misuse
Just as encryption can be used for protection against hackers, it can also be used for illegal purposes. Vulnerabilities discovered by malicious parties or security researchers can also be used by state entities (or those acting in concert with state agencies) to spy on private individuals.
The potential for misuse by any organization already exists when a previously unknown vulnerability in computer code is used. One example is the alleged Israeli-American malware that meddled with the Iranian nuclear program. If backdoors are mandated for technology companies, the potential for unauthorized monitoring of incoming and outgoing data is a constant threat for Internet users.
Factors Affecting the Debate
There are many private and public sector factors that impact the debate for government mandated backdoors against encrypted data. One common argument is that while terrorists are known to use encryption for unlawful purposes, many civilians use VPNs to protect themselves against hackers when conducting personal or financial transactions.
The question is also raised as to who really owns the data that’s subject to search by public safety officials. When data is created and sent through a telecommunication company’s system, questions could arise as to whether the customer or the telecommunication company can disclose the data.
The fight to insert encryption backdoors has met resistance on many fronts, including consumers, the technology sector, organizations with limited resources, and foreign developers who want to create their own encryption standards. Technology companies have already asserted that they value their customers’ privacy. Many customers are concerned with how companies hold and share their data, including how the company responds to data requests from the government. While there are reports the National Security Agency has the capability to break some encryption algorithms, the budget for these activities is limited. Also, foreign developers of encryption programs might be hesitant to disclose source code or add a backdoor.
The pushback from the private sector, along with the government’s limited capability, is expected to keep the encryption debate alive and well for the foreseeable future.