Hi, everyone. I’m Leo Notenboom for askleo.com.
So, what does it mean when the government is asking for a back door to encryption? Well, conceptually it’s very simple. Encryption, the intended use for encryption is such that you encrypt something using a password or a key of some sort and then only knowing that password or the appropriate decryption key can you then access the encrypted data.
Several governments, as it turns out, around the world are actually considering requiring that there be developed an encryption algorithm that lets you do that but also includes the concept of a back door – a way for the governments to be able to decrypt the data even when they don’t know the decryption key.
The concept is that there would be some master key that they would have access to that would allow them to decrypt any data encrypted with this new encryption algorithm. Presumably, use of this new algorithm would be mandated somehow by law.
Now as it turns out, we already have something that’s very similar to this in the United States. It’s this: it’s a little padlock. Now, the padlock, in concept, is very similar. We have a combination that allows you to unlock the lock. If you know the combination, you can unlock it.
The TSA, however, the Transportation Security Administration, the folks responsible for inspecting our luggage in the United States as we fly, actually has mandated that TSA approved padlocks also have a key slot. A key slot for which they have a master key.
This allows them to bypass your padlock’s combination completely, open the padlock in order to be able to examine the contents of your luggage. The issue here of course is that you can use a non-compliant padlock, but when you do that, if you do that, the TSA has the right and the ability to break the lock. They can take bolt cutters to the lock itself or they can even damage your luggage in order to inspect its content.
Now, all this is almost exactly what we’re hearing governments ask for when it comes to encryption. The combination of the padlock is your password. The encryption password or the encryption key that’s used to protect your data.
The TSA back door lock, that’s almost exactly like the back door key that the government is asking be created with these encryption algorithms. If they have the key, they can open the padlock; if they have this master decryption key, they can decrypt the data.
Here’s where the issue breaks down: While this is actually a fairly inexpensive lock, it doesn’t really matter what kind of physical lock you put on your luggage, the TSA can break it. They can take bolt cutters to it or like I said, they can damage your luggage if necessary, if they feel that’s what’s required to inspect the contents.
When it comes to encryption however, that’s simply not the case. If you have something encrypted using good encryption and using encryption properly, then we’ve seen multiple instances of government agencies not being able to decrypt the data no matter how hard they tried.
Government agencies, law enforcement agencies, and politicians hate that. They want to be able to get inside encrypted data for a variety of reasons. So why is an encryption back door such a bad idea? Well, there are three reasons:
- You’re trusting that the key will always and only be owned by the right people.
- You’re trusting that whoever had the key will only use it for its intended purpose.
- Good encryption already exists.
So, when we talk about key ownership, in other words, who has the key, it doesn’t really matter who has the key. What we’re doing is we are trusting, in order for the system to work, we are trusting that the owner of this master key, be it whatever government agency or agencies might be involved, will never, ever lose track of the key. It will never, ever fall into the wrong hands. Not even once because once is all it takes.
When it comes to the TSA locks, for example, it didn’t take long. As it turns out, you can actually 3D print your own master keys for TSA locks. The same concern gets raised about back door encryption keys. If such a key exists or such a technique exists, it won’t be long before the key is leaked or lost or somehow exploited by people that shouldn’t have it.
Trusting the individuals that do have the key is another concern. Let’s assume for a moment that the key will always and only remain in the proper hands. Then we’re assuming that the proper hands will never, ever use it for other than its intended purpose. In other words, we’re assuming that the government agencies you are concerned about spying on you will never spy on you using this key if you’re using this encryption algorithm.
We are assuming that the law enforcement agencies will always and only use it properly. Now, when it comes to your TSA padlock, I’m absolutely convinced that the majority, the vast majority of TSA agents are fine, upstanding agents, but honestly it only takes one bad apple, and we know that every TSA agent that actually has the master key, even if it weren’t already in public circulation, has the ability to open up your luggage. They have the ability to take a look at whatever you placed behind the padlock.
They can – do they? Do we know? We don’t and the same would be true of the government having a master back door decryption key to the encryption algorithm.
And finally, like I said, good encryption already exists. Even if this new algorithm were mandated by law that it must be used, that only it can be legally used to encrypt data, outlaws don’t follow the law. All they need to do is to continue to encrypt their data using the existing good encryption algorithms that we have today.
Encryption back doors, it’s just a silly, bad idea. It does nothing to improve your security and in fact it puts your privacy at risk.
I’d love to hear what you think. This is an important issue. This is a big one and I think we’re going to be hearing a lot more about it in coming weeks. Here’s a link to this article on Ask Leo! if you’re watching it anywhere but there, come over, have a look, read the transcript, that’s where the moderated comments will be. I would love to hear your thoughts on this issue.
Until next week, I’m Leo Notenboom for askleo.com. Take care.