Plans by David Cameron and other politicians to weaken encryption by inserting backdoors are “a farce”, says Olivier Thierry, CMO at Zimbra, the open-source email and collaboration company.
Many security experts have questioned the practicality, let alone the desirability, of such plans, pointing out that algorithms that underpin asymmetric encryption are being created outside of the jurisdiction of the UK and its allies and are being offered for free over the internet, rather than as paid-for products by proprietary companies which might be brought to heel.
“The very best in secure communications are already free/open source projects, maintained by thousands of independent programmers around the world. They are widely available, and thanks to things like cryptographic signing, it is possible to download these packages from any server in the world … and verify, with a very high degree of confidence, that the software you’ve downloaded hasn’t been tampered with,” wrote journalist and privacy activist Cory Doctorow, recently.
And of course, the ease of distribution of code over the internet has a dark side, too. The thriving black market for exploits means that any backdoors or vulnerabilities introduced by security services be will widely and rapidly exploited by criminals (and enemy states) from the moment they are discovered, and given the propensity of digital information to leak (just imagine what such a secret would be worth), that is likely to be sooner rather than later. The future of secure transactions over the web must therefore be in serious doubt if Cameron’s plans were followed.
Thierry compares those proposals to a scheme introduced by the US Transport Security Agency (TSA) which, just after 9/11, mandated that luggage locks on all baggage passing through US transport hubs be unlockable using a universal key, which was held by the agency. The result? An increase in reported thefts from locked luggage as thieves managed to duplicate the TSA keys.
“Cameron wants a universal key so he can get in and make sure that nothing nefarious is in your case, ” he said. “It’s a farce. Those TSA locks on luggage are a farce – because they’re not locks.”
Certainly, having to rely on the equivalent of a TSA lock to protect their bank account is not something most people would be too happy about.
The TSA lock is analogous to the “key escrow” plans that were doing the rounds more than a decade ago, before they were unceremoniously ditched. These would have demanded that anyone using encryption place a copy of their key in a global database accessible by the relevant authorities, something that experts believe is impractical as well as creating a fabulous prize for hackers.
However, lessons have not been learned and today Ed Vaizey, minister for culture and the digital economy, invited tech companies to “meet politicians halfway” on sensitive issues around privacy and internet safety, as if encryption can be half-secure.
Encryption has been weakened before of course, as we know from information leaked by Edward Snowden. The NSA’s tampering with RSA’s security software means that the US government’s National Institute of Standards and Technology (NIST), which approved the algorithm, is no longer trusted as a reliable arbiter of security.
Organisations quickly sought alternatives to RSA and other NIST-approved security software, and any weakening of encryption would see a flight from the proprietary security vendors, especially those based in countries known to be compromising their products, and towards open-source alternatives and those from other jurisdictions.
Thierry says the number of “eyeballs” on all parts of the code means that open-source software is harder to corrupt and quicker to fix.
“The transparency of open source provides a feedback mechanism to either deter this behaviour [introduction of backdoors] or quickly remediate it,” he said. “It would be irresponsible to say something malicious like a backdoor isn’t possible, but this is when the open-source community of developers – 70,000 in Zimbra’s case – steps up.”
Meanwhile, Finnish security firm F-Secure is already using the fact that it is not American (or British) to its advantage.
“Our messaging over the last 12 months has been quite often promoting the fact that we’re from Finland, operated under Finnish privacy laws and that we’re coming from a neutral country. Finland is not part of Five-Eyes or Nine-Eyes or even 14-Eyes. Heck, we’re not even in NATO,” Mikko Hyppönen, chief research officer at the company, told Computing.
It seems likely that, as soon as it is politically expedient David Cameron will seek to back quietly away from his demands that encryption be weakened. Sadly for him, the internet never forgets. What’s more, it loves a good farce.