Access joins coalition opposing crypto backdoors, but that’s just the beginning
Today, we joined a large coalition [PDF] of human rights, privacy, and technology organizations, companies, and security experts working to oppose any law or policy that would force companies to deliberately weaken the security of their products. Instead, government should defend the rights of users by implementing policies that support the adoption of encryption tools and technologies.
The coalition letter [PDF] we signed refutes statements from high-level government officials who claim that strong encryption would undermine law enforcement and national security. These officials argue that encryption could cause government surveillance programs to “go dark,” an argument that was born in the debates from the 1990s and has repeatedly been debunked by security experts. These experts explain that implementing strong encryption is one of the best ways to protect people against bad actors. As the letter points out, encryption may be the key barrier that protects users from street criminals, malicious hackers, corporate spies, or foreign intelligence agencies.
At Access, we believe you have the fundamental right to secure your data and communications; it’s a prerequisite for the freedom of expression, assembly, and thought. Access’s Encrypt All The Thingsinitiative is an effort to promote the use of available encryption tools. Through the initiative, we ask companies to agree to the importance of protecting networks, data, and users from unauthorized access and surveillance. It’s an example of civil society and the corporate sector working together for a more secure internet.
Government-mandated backdoors, on the other hand, undermine user security by purposefully weakening the protection that they are otherwise afforded. As the letter explains:
“Whether you call them ‘front doors’ or ‘back doors,’ introducing intentional vulnerabilities into secure products for the government’s use will make those products less secure against other attackers. Every computer security expert that has spoken publicly on this issue agrees on this point, including the government’s own experts.”
Encryption technologies protect activists, journalists, and members of marginalized classes, as well as everyday users, by safeguarding their most personal information and communications from bad actors and hostile governments. Proper encryption facilitates the exercise of users’ rights to privacy by giving users power over who has access to their data. Additionally, encryption technologies and technologies to enable anonymous speech are integral to the free exercise of rights to expression, association, and opinion, as an upcoming report by David Kaye, UN Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression, will address. However, when such technology is improperly implemented or built with secret backdoors, it puts users in the worst possible situation, since they may act under a false sense of security.
While the debate is heating up in the United States, this issue is impacts users around the world. The letter further elucidates the risks:
“If American companies maintain the ability to unlock their customers’ data and devices on request, governments other than the United States will demand the same access, and will also be emboldened to demand the same capability from their native companies. The U.S. government, having made the same demands, will have little room to object. The result will be an information environment riddled with vulnerabilities that could be exploited by even the most repressive or dangerous regimes.”
Already, officials in both the United Kingdom and China have put forward similar proposals, and other countries have explored or implemented policies to the same effect. And once the major markets require backdoors, it could have a ripple effect. Companies won’t have an incentive to build separate, secure products for smaller markets, even where such mandates don’t exist. This could have a negative impact on human rights worldwide.
Back doors and other vulnerabilities are just a few of the ways that governments are undermining cryptography. We must also preserve the integrity of encryption standards and limit the scope of government hacking. The letter quotes from the Report of the President’s Review Group on Intelligence and Communications Technologies [PDF], which recommends:
“…regarding encryption, the U.S.Government should: 1. fully support and not undermine efforts to create encryption standards; 2. not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software; and 3. increase the use of encryption and urge U.S. companies to do so, in order to better protect data in transit, at rest, in the cloud, and in other storage.”
Access has pushed [PDF] for the National Institute for Standards and Technologies (NIST) to have greater independence. A U.S. federal agency, NIST establishes and promotes the use of cryptographic standards, which in turn provide the basis for user-facing encryption tools and technologies. The agency is currently statutorily required to consult with the NSA to create these standards. We would like to see a legislative fix that would make this consultation permissive instead of mandatory, and increase NIST’s direct funding and resources. We have also submitted comments on both the first and second stages of NIST’s process to establish public, transparent procedures for its standards-making process.
However, there are other efforts to undermine encryption, such as government-sponsored hacking, that have not gotten enough attention from the public or the Obama administration. In fact, in 2013, the U.S. was already one of the biggest documented buyers of exploitable security vulnerabilities in the world.
The U.S. government stockpiles vulnerabilities to be used to exploit hardware or software of users. These vulnerabilities not only allow the government to hack into computers and systems, but leave critical security flaws unaddressed and open to other bad actors to take advantage of. While the White House expressed that it would be re-instituting a “vulnerabilities equities process” last year to guide these acquisitions, there has been only minimal public information released.
Government hacking units have the documented ability to “covertly download files, photographs, and stored emails, or even gather real-time images by activating cameras connected to computers.” Proposals in the U.S. will expand the government’s authority to conduct these operations globally, and other countries have already claimed such authority. This behavior can have unintended consequences and cause unanticipated harm on systems, including systems far detached from the target.
We have to move toward a comprehensive solution to ensure the integrity of our communications and systems against government interference. We need to close back doors and prevent vulnerabilities, but also to promulgate strong encryption standards and limit government hacking, to adequately protect innocent users.