European Security Agency Comes Out Strongly Against Backdoors In New Encryption Report

The European Union Agency for Network and Information Security (ENISA), whose objective is to improve network and information security in the EU, released a report on its views on encryption. The report argued against backdoors because they could increase harm to regular citizens, lower trust in EU-based services, and disrupt the implementation of the “Digital Single Market” strategy, which aims to streamline business regulations across the EU.

Backdoors Are A Risk To Innocent Citizens

The main point of ENISA’s report is that backdoors represent a risk to innocent citizens that may outweigh any of the potential benefits. As we’ve seen from another report in the U.S., backdoors not only expose users to more cybercrime but can also turn millions of devices into weapons that rival nations can wield against the very country that enforced the backdoors. That means backdoors are not only a public safety issue, but also a national security issue.

ENISA also argued that the “wrong people are punished” when backdoors are enabled. That’s because for every criminal who owns a backdoored device and is caught because of it, 1,000 or 10,000 innocents may be affected by that backdoor in various ways. Personal information and pictures could be leaked, financial information could be stolen, devices that cost hundreds of euro could be disabled, and so on.

Backdoors Can Still Be Bypassed By Criminals

ENISA said that backdoors may not be as effective a solution as some governments may think, because criminals could just adapt and use non-backdoored solutions, while everyone else uses the dangerous backdoored devices.

So many free and open source solutions with end-to-end encryption are available these days that even if some commercial solutions were backdoored, criminals could easily switch to an open source one. If one of those solutions were somehow backdoored, they could also switch to a fork of it that’s not backdoored and maintain it in another country, outside the jurisdiction of the governments that mandate backdoors.

Judicial Oversight Not Enough

ENISA argued that interpretations of the law may be different in some countries, so judicial oversight for backdoors may not be sufficient, which means the use of backdoors could get out of control.

As we’ve seen in the U.S., Lavabit was forced to shut down because the company’s owner wouldn’t provide the key that would expose all of the users’ emails. Even if the FBI was after only one target, the judge in the case ordered that Lavabit had to give the key for all users' emails to the FBI. Therefore, although in some countries backdoors may be used only to target individuals, in others they could be used to see everyone’s data, exposing this solution to significant abuse.

Encryption Restrictions Can Be Harmful To The Economy

If certain services can’t be guaranteed to be secure, the companies behind them may not base their headquarters in countries that mandate backdoors. For instance, if one country demands a certain key size that can already be broken by its own intelligence agencies, then that would represent a grave risk to e-commerce and financial websites.

Even if nobody except the biggest and richest intelligence agencies in the world can break that encryption at a given time, rapid progress in computing power means it’s usually a few years before others could break the same encryption.

The situation becomes worse when those weak encryption standards don’t evolve. As we’ve seen more recently, websites’ security still suffers today from the crypto export rules that were created in the 1990s, even if those cryptographic protocols aren’t in use anymore. That’s because they were still kept around in crypto libraries, and attackers could downgrade a website’s connections to use them instead and then decrypt the communications.
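
The failure mode described above can be audited from the defender's side. The following is an added example, not taken from the ENISA report or the original article: it flags export-grade suites in a server's enabled cipher list by their naming convention (OpenSSL `EXP-` prefix, IANA `_EXPORT_`) and uses a simplified first-match negotiation to show what a server would select if the offer it received listed only export-grade suites. The function names and the server and client lists are constructed for illustration.

```python
import re

# Export-grade suites are identifiable by name: OpenSSL uses an "EXP-" prefix,
# IANA names contain "_EXPORT_".
EXPORT_RE = re.compile(r"^EXP-|_EXPORT_")

# Export-grade suite names (OpenSSL naming) used to model a reduced offer.
EXPORT_OFFER = ["EXP-RC4-MD5", "EXP-RC2-CBC-MD5", "EXP-DES-CBC-SHA",
                "EXP-EDH-RSA-DES-CBC-SHA"]

def export_suites(enabled):
    """Return the export-grade suites present in an enabled-suite list."""
    return [s for s in enabled if EXPORT_RE.search(s)]

def negotiate(server_enabled, offer):
    """Simplified negotiation (an assumption of this example): the server
    picks its first enabled suite that the offer contains; None = failure."""
    for suite in server_enabled:
        if suite in offer:
            return suite
    return None

def audit(server_enabled, normal_offer):
    """Compare the normal outcome with the outcome for an export-only offer."""
    return {
        "export_enabled": export_suites(server_enabled),
        "normal_choice": negotiate(server_enabled, normal_offer),
        "choice_if_offer_reduced": negotiate(server_enabled, EXPORT_OFFER),
    }

# Constructed sample data: one client offer and two server configurations.
MODERN_CLIENT = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]
LEGACY_SERVER = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA",
                 "EXP-DES-CBC-SHA", "EXP-RC4-MD5"]
HARDENED_SERVER = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]

if __name__ == "__main__":
    for name, server in (("legacy", LEGACY_SERVER), ("hardened", HARDENED_SERVER)):
        print(name, audit(server, MODERN_CLIENT))
```

Both servers pick the same strong suite for the normal offer, so the weakness is invisible in ordinary traffic; only the server that still enables export suites accepts one when the offer is reduced.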

Backdoors Not A Solution To Law Enforcement’s Encryption Problem

Although ENISA recognizes that law enforcement has a legitimate concern about the rise of encryption, it ultimately concluded that backdooring or weakening encryption is not a viable solution. Backdoors could have many other unintended consequences that could cause more significant harm to society, including allowing cybercriminals and terrorists to take advantage of the very backdoors that would be mandated.

“There is a legitimate need to protect communications among individuals and between individuals and public and private organisations,” said ENISA in its recent paper on encryption and backdoors.

“Cryptography provides the electronic equivalent of letter cover, seal or rubber stamp and signature. In the light of terror attacks and organised crime, law enforcement and intelligence services have requested to create means to circumvent these protection measures. While their aims are legitimate, limiting the use of cryptographic tools will create vulnerabilities that can in turn be used by terrorists and criminals, and lower trust in electronic services, which will eventually damage industry and civil society in the EU,” warned the European Union agency.