US Attorney General Reignites Call For Encryption Backdoors

By Lucian Armasu
published

(Image credit: Shutterstock)

U.S. Attorney General (AG) William Barr is making the same request of technology companies as his predecessor, AG Rod Rosenstein, as well as former FBI Director James Comey have made: that they implement encryption backdoors that allow law enforcement to “detect crimes before they happen.” 

“As we use encryption to improve cybersecurity, we must ensure that we retain society’s ability to gain lawful access to data and communications when needed to respond to criminal activity,” Barr said during a keynote address at the International Conference on Cybersecurity in New York City, according to The New York Times.

Barr added that this approach should fit tech companies' business models.

“Our societal response to advances in technology that affect the balance between individual privacy and public safety always has been — and always should be — a two-way street,” he said.

Exploring Encryption Backdoors

Barr and his predecessors have said that companies must stop making “warrant-proof encryption,” as noted by the Wall Street Journal. However, in the past, officials form the U.S. Department of Justice (DOJ) have implied or even directly said that the encryption backdoors would require a warrant. 

In practice, if encryption backdoors were accepted by technology companies, it's possible that some could offer law enforcement various degrees of direct and warrant-less access, which would be more in line with the idea of attempting to “detect crimes before they happen.” 

A warrant usually implies that a crime has already happened. Detecting crime before it happens implies direct access to data and mass surveillance, while phishing for crimes with automated detection tools that may take into account various text keywords, online behavior, etc -- a type of action called “fishing expeditions.”

It's also worth noting that while encryption may protect data in some cases (only a handful of applications use end-to-end encryption that keeps data private between sender and receiver), the move to the cloud, GPS-enabled devices and generally performing more and more personal activities online has led to an explosion of data that law enforcement can access today -- with or without a warrant. Contrastingly, there are many situation where is encryption is used, law enforcement can, in fact, use warrants to gain access to the data.

Generally speaking, the only mainstream app that uses end-to-end encryption by default is Signal. iMessage and WhatsApp also do so, but their makers state that the apps could allow law enforcement to invisibly snoop on specific users, due to flawed designs.

And when it comes to smartphone encryption, that's also protected with a client-side encryption key, which means it’s not up to the companies to decrypt it but to the owners of the devices. 

There's no direct evidence proving that the AG’s call for encryption backdoors and the DOJ's big tech antitrust review announced this week are connected. However, Barr has at least helped to reinvigorate the encryption issue at the same time that related companies are being investigated. 

Lucian Armasu
Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
20 Comments Comment from the forums
  • AllanGH
    Fortunately that idiot's ravings have no impact on Open Source solutions.
    Reply
  • Warsaw
    These guys are just absolutely ridiculous it just boggles me how they are in office and supported.
    Reply
  • -> USA doesn't want China spying on them.
    -> China has used NSA-made tools to spy on people in the past.
    -> USA wants backdoors

    I'm glad to see there are such great minds sharing their opinion on a subject as sensitive as security. It makes me feel very safe.
    Reply
  • derekullo
    "U.S. Attorney General (AG) William Barr is making the same request of technology companies as his predecessor, AG Rod Rosenstein, as well as former FBI Director James Comey have made: that they implement encryption backdoors that allow law enforcement to “detect crimes before they happen.” "


    Sounds like the plot to Minority Report.

    https://en.wikipedia.org/wiki/Minority_Report_(film)
    Reply
  • AllanGH
    The unfortunate result of allowing anti-intellectuals to participate in governance....
    Reply
  • digitalgriffin
    AllanGH said:
    The unfortunate result of allowing anti-intellectuals to participate in governance....

    A result of Politicians who want to control something they just don't understand. Even worse they don't possibly comprehend the choices of their decisions. It's a bit of a hypocrisy that Congress doesn't care what happens with spying, just as long as it doesn't happen to them.

    That said, secrets can be exposed and hard to remove. (ie: Eternal Blue/Wanna Cry) and the ramifications ever lasting. The weakest link isn't the technology, but the people who use it and maintain it. People make mistakes. It's part of human nature. And the devices made by man (including back doors) therefore can be inherent with bad design choices including exploitable ones. No amount of code reviews, design, and security procedures can stop the weakest link: A dumb person (IE: A contractor who installed cracked keys on his classified laptop.) Or a politician who doesn't even listen to security rules (IE: Hillary Clinton's private email server)

    There are only two remote controlled systems that are critical and can't be compromised. (Power plant controls, and our nuclear defenses) Why? Because there is no complete digital point A -> B and the technology is proprietary to just one specific system. The final end point of said commands is controlled by a human being. They are the ones who manually throw the switches on an isolated system. Quite simply compromising a device through a digital chain opens it up to remote compromise by threat actors.

    It's entirely possible the back door can be exploited by other actors who the government did not intend. For example, a Russian, North Korean, Iranian, or Chinese hacker group may compromise someone in a sensitive position here in the USA. Look how WannaCry and Stuxnet type viruses were used against the public after they were exposed. There are always new ways to exploit once was thought safe. That includes encryption (WEP/WPA/TLS 1, etc...) and APIs (SMBv1, Struts) , languages (Javascript) and hardware (RowHammer/Spectre/Meltdown)

    And to be honest they don't need more back doors. They solved a lot of these problems YEARS ago. They don't try to get around the encryption. They just compromise the end point where the end encryption happens. This way you have full access to that data and everything on that device that might be related.

    Theres also another unintended side effect: If backdoors are suspected in your product, then the customers in question will move away from your product. There's a reason China is creating their own OS and CPU chips. And there's a reason the USA refuses to use Huawei isn't allowed to sell 5G infrastructure to the USA.
    Reply
  • digitalgriffin
    I'll say one more thing: Once you provide a common widely used ecosystem, that target becomes the #1 focus of people who attack them.

    Windows wasn't subjected to so many viruses because it was less secure (Post XP) It was because Windows is the most ubiquitous platform, thereby providing for the largest potential of victims. Create a common backdoor access, and you just create a new #1 target to hack.

    I said the same thing at PDC when Azure was released. Cloud services provide a new attack vector where exploits can be gained from a common interface. These interfaces can be accessed by any hacker. (ie: Amazon unecrypted S3 buckets)
    Reply
  • AllanGH
    digitalgriffin said:
    Windows wasn't subjected to so many viruses because it was less secure (Post XP) It was because Windows is the most ubiquitous platform, thereby providing for the largest potential of victims.
    windows is still the least secure platform out there, so you'll never be able to modify that security variable to test the hypothesis. I still maintain that exploits will, by and large, be directed toward those systems which provide fertile ground for such exploits; and that presumption has still never been demonstrated to be false by anything approaching credible evidence.

    Just IMHO, you understand, and let's leave it at that. ;)
    Reply
  • mdd1963
    Nothing to hide here, but, he (The US AG) can kiss my --- anyway, this whole 'need to read all your stuff whenever we wish, in order to prevent crimes before they happen' mentality...

    Sounds a bit like sacrificing liberty for 'security'...

    There will always be something available, even if only usable within a Linux VM, that has no backdoors...
    Reply
  • bit_user
    Warsaw said:
    These guys are just absolutely ridiculous it just boggles me how they are in office and supported.
    Really? You know who nominated him, right? One guess.

    He got the job after writing an open letter about how the Mueller Investigation is BS.

    Back when he was first Attorney General (1991), exporting > 40-bit encryption outside the US was illegal. I can't attribute that to him, in any way, but suffice to say he's a creature of that time.
    Reply