Nope, the NSA isn't sitting in front of a supercomputer hooked up to a terrorist’s hard drive

They wish. Backdooring, encryption, and governments


Analysis: Not since the days of the US Clipper chip in the early 1990s have backdoors put there by government decree to bypass encryption been this fashionable with governments.

Clipper – an encryption chipset with a US-government-accessible backdoor backed by the US National Security Agency (NSA) – foundered on the stubborn resistance of one man in his spare room, Phil Zimmermann, and a modest home-brew application, PGP, that even some experts struggled to use. But the NSA, which at the time had asked private firms to use Clipper in their telephone and modem designs, never gave up hope. Now it looks as if it's back for another go.

The US and UK governments have been dropping hints about backdoors for some time, which optimists took as aspiration rather than policy. Last week, backdoors stepped back into the realm of the possible with the publication of an Australian memo issued on behalf of the Five Eyes Alliance, which includes the UK, US, Canada and New Zealand.

“The governments of the Five Eyes encourage information and communications technology service providers to voluntarily establish lawful access solutions to their products and services that they create or operate in our countries,” the report states.

Notice that there's no mention of the word "backdoor", which isn’t what anyone in officialdom will ever call the concept of “lawful access”. But the intention is clear: “Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.”

Ozzie backdoor

Despite the stranglehold that vulnerability database keeper the National Institute of Standards and Technology (NIST) has on which encryption schemes get approved for use by the US government (and, by extension, everyone else in a US-dominated industry), it’s no secret that encryption has become a problem for police. It’s not necessarily that they can’t break it at all – every system has its design weaknesses and vulnerabilities – but they can’t do it quickly enough to conduct surveillance on enough targets for that to make a difference.


Everyone imagines the Feds or NSA sitting in a room with a supercomputer hooked up to a terrorist’s hard drive, but that’s not how backdooring works; it's about bypassing rather than breaking encryption. What the Five Eyes want is a way to quietly and unobtrusively monitor communications, including perhaps in real time. No need for Clipper’s complicated key escrow (or Ray Ozzie’s strange reprise) – this is just a way for the spooks to borrow encryption keys.

None of your business

If this became industry standard, really dangerous people would simply look elsewhere for their internet service, but it’s a given that big web companies will resist for fear of becoming an extension of the budding J Edgar Hoovers-on-the-wiretap in ways that risk undermining their businesses long term.

The question is what business customers would feel about this on a legal and conceptual level. While big organisations can overlay their own encryption on cloud, that’s not true of all services. That’s the whole point of the cloud – the cloud does the job, not the customer. In principle, these would be subject to the same surveillance.

This won’t wash for long. Organisations find themselves investing good money to keep the bad guys out and their own employees in check, the so-called insider threat. While it’s true that governments today can ask for access to any organisation’s data, there are always limits to how and when this happens. To the sceptics – let’s call them the silent majority – mandated government access to cloud data at service provider level will sound like just another risk piled on top of the ones they already have.

Spotting rogue insiders is already hard work. Spotting rogue government insiders whose actions come bundled with a warrant won’t be popular. ®



