In the wake of another domestic terrorist attack, the UK government has decided that the Internet must not be a place for terrorists to hide. Saying that, the Internet is a pretty big place (with about 4.55 billion pages) thats a needle in a pretty big haystack, so how does the government want to shine the spotlight on the bad guys? By adding a back door to encryption of course, easy right? Well no, not really.
So what the hell is end-to-end encryption?
End-to-end encryption (e2e) allows only the users communicating with each other to read the messages being sent and received. In theory this prevents anyone else, even the provider of the service from being able to read the conversation. This system is designed to defend against any tampering or surveillance as a third party will see messages as a random mess of characters both in transit and when stored on the providers servers.
So if one user sends “this message is secret” only the sender and recipient can see the real message. Any third party including the service provider will see “elgUEaEPp3jGvm9AnmPd8z1z3eyr8v03lJE2zUUo8=” instead of the message.
This is until you add a backdoor to the system, to enable access to the message. All you need to know is a backdoor is a secret way of bypassing authentication or encryption. This would allow that third party (or the service provider) to decrypt the messages and read them.
“So the government wants a way to bypass encryption, I have nothing to hide.”
That is a valid point, you’re not evil so you don’t mind if the government sees what you write. Keeping that in mind there are a few points I want to cover (other than the obvious “everyone has a right to privacy”).
Governments change and so do laws, what is legal/acceptable now might not be tomorrow
Admittedly this point is on the line between genuine concern and tinfoil hat paranoia, but its still valid. Laws and values have changed a lot through history, so it’s naive to think that they wont in the future. Depending how the backdoor is implemented the government could see not only what you write today but also all that you have ever written in the past.
Imagine everything you have ever written, that angry rant you don’t agree with anymore or that picture you sent to your partner at the time. That creates a digital paper trail of your written thoughts that possibly could be used against you when convenient for the government. Apply this scenario to being gay in another country or a drug that is only legal today and it doesn’t seem that outlandish.
Who is allowed to use this backdoor?
Most programs (that use e2e) are used by a global market. If a backdoor is made for the UK (and the provider doesn’t create an international version of the program) then there is a backdoor able to be used potentially by any government. So whats the problem with this? If the backdoor was not protected properly, this would allow the mass surveillance of citizens of every nation by any other nation, friend or foe.
The very existence of the backdoor means that any party with enough knowledge and resources could break in and leverage it. While a government of a country might have good intentions, a malicious party could use it to compromise secrets of a nation or a individual (if the attack was targeted).
Imagine a strong brick wall, then you install a wooden door. Sure it allows authorities to enter easily, but it just existing means that anyone could bring enough axes to knock it down, rending the wall useless. You just can’t know if the backdoor will be used by only the “good guys”.
What is it allowed to be used for?
Compared to getting a warrant, a backdoor is much easier and quicker to get the data you need. Why is this a possible problem? Well its not guaranteed that the backdoor would be used responsibly, take the 12 cases of NSA employee’s performing unauthorised surveillance. I don’t know about you but I feel like a bitter ex-lover snooping around emails wouldn’t prevent a terrorist attack.
Even if the resource is used responsibly, how far should it go? Using the backdoor to prevent terrorist attacks is all well and good but it might not be used just for that one case. Is it lawful to use the backdoor to try and find tax evaders or illegal refugees?
As the backdoor provides information that is readily available there is the temptation to use it for less serious issues. Take for example councils in the UK using RIPA to monitor dog barking, spying should be a last resort, not the primary tool. Using the backdoor for trivial cases would not only be inappropriate (and would do nothing to keep society safe) it would create more data to sift through when looking for actual threats. Which leads me to my last point.
Will a backdoor even help?
The issue with mass surveillance is it’s a needle in a (enormous) haystack, the solution is not to add more hay but to create and use a smarter search method. Imagine the amount of data that goes through your phone, laptop or any device that uses encryption, as 99.99% of us are not terrorists, thats a lot of extra hay added to the pile. Even in its current state the current mass surveillance program in the U.S has failed to stop ANY terrorist attack to date (27/10/17) so why would increase the amount of data to sift through do anything? Keeping these points in mind, adding a backdoor:
- Will weaken encryption in general
- Cannot be controlled effectively
- Can be used to suppress people or ideas (think the mass surveillance/ oppression of certain demographic of people)
- Hurts the freedom and privacy of the innocent
- Is ineffective in catching the guilty
Therefore in my (given not very consequential) opinion, adding a backdoor is nothing but a knee jerk response to a bigger issue that will lead to many problems in the future.