Major Tech Companies Send Letter Decrying Encryption Backdoors To President Obama

News
By Lucian Armasu
published

Today, almost 150 tech companies, non-profit organizations and security experts signed a letter against encryption backdoors and addressed it to President Obama.

The list includes companies such as Google, Apple, Microsoft, Cisco and Wikimedia; organizations such as the EFF, Fight For The Future, EPIC, Demand Progress; and security experts such as Bruce Schneier, Matthew Green and Philip Zimmermann (PGP, Silent Circle).

They all joined together to tell President Obama that he should not only end any efforts to undermine encryption, but he should also promote and fight for the adoption of strong encryption everywhere.

According to the group, working to undermine encryption in U.S. products will only serve to increase the mistrust international users and consumers have in American products, which means this could ultimately defeat the purpose of helping the U.S. government catch the "bad guys." Criminals will just start using secure applications and services from other countries, or they'll use available open source software.

The letter also said that strong encryption is a critical part of the modern information economy's security. It protects billions of people from threats every day, whether that's street criminals stealing laptops or phones, hackers trying to defraud people, corporate spies trying to steal trade secrets, or foreign spies trying to compromise our most sensitive national security secrets.

“Whether you call them 'front doors' or 'back doors,' introducing intentional vulnerabilities into secure products for the government's use will make those products less secure against other attackers. Every computer security expert that has spoken publicly on this issue agrees on this point, including the government's own experts."

Companies also argued that if they are forced to introduce a mechanism that allows U.S. law enforcement to access their data whenever they want, that would also encourage foreign governments to ask for the same capability. This would create a system riddled with security issues that would make companies vulnerable to hacking from other state actors or criminal organizations.

The letter ended by reminding President Obama that this debate has existed before -- in the 1990s during the "Crypto Wars" -- and it concluded that it's better to allow strong encryption to secure everyone, than to make everyone vulnerable just to catch a few.

It also said that back in 2013, President Obama's own Review Group on Intelligence and Communications Technologies unanimously recommended that the U.S. government should:

“(1) fully support and not undermine efforts to create encryption standards; (2) not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software; and (3) increase the use of encryption and urge US companies to do so, in order to better protect data in transit, at rest, in the cloud, and in other storage."

Recently, there was also a House hearing on the same topic, and the Committee, as well as all the security experts and technologists available as witnesses, agreed that encryption backdoors are a terrible idea that should not be entertained further.

It remains to be seen if President Obama will follow through on all of these recommendations and end any attempts from his own administration to kill strong encryption (such as having FBI Director James Comey continuously promote encryption backdoors in public).

Follow us @tomshardware, on Facebook and on Google+.

Lucian Armasu
Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
6 Comments Comment from the forums
  • stevenrix
    How ironic, these companies crying "wolf" are the same companies who helped China make it more secure with the "Great Firewall" ten years ago. They shot themselves in the toes for sure, but in secret their attitude is completely different from what we are being told in reality.


    Reply
  • t53186
    I'm actually glad President Obama and members of the Administration have become "transparent" or opaque, at least we know some of what they are up to and have a chance for the people (business) to stand up to the government.
    Reply
  • falchard
    transparent by kicking, screaming, and charging those who talked about it.
    Reply
  • razor512
    One issue that is not properly explored, is the main flaw of a backdoor. Anything that gets in the way of trust no one security (where only the user of the device has the key), will create an attack vector that will be broken in the future.

    For example suppose your communications with a company involves the transmission of some highly sensitive data that you cannot easily change. For example, your social security information and a wide range of financial and historical information that can be used as part of social engineering to perform identify theft.

    If that communication system uses encryption with a back door available, then it suddenly becomes highly desirable for criminals to simply work on capturing the encrypted data in bulk for decryption at a later date when the backdoor is discovered by the back doors.

    Modern encryption is very simple (simpler than it was in the past). It does not rely on there being some secret algorithm to encrypt, instead it relies on an operation that is quick to do one way, but insanely slow to reverse.

    For example, I bet that roughly 99.9% of the readers of this site can teach a toddler how to begin the process of cracking most of the industry standard encryptions within 2 hours.

    And this is by design, the encryption is fully open source and it does not rely on hiding any aspect of its self. Instead it encrypts and by understanding how it does it, you also know how to undo it, the downside for the malicious user is that even with 2015's fastest super computer, it will take trillions of years to crack.

    When you have a back door, you are creating a way for law enforcement to bypass trillions of years of work to crack a modern industry standard encryption. Due to that, if the back door is discovered, then the criminals will have a field day decrypting all of the encrypted data that they have been capturing while waiting for the backdoor to be discovered.

    What the FBI wants is for encryption to essentially go back to the days of the enigma machine. The flaws with the old encryption methods is they relied on all or part of how they functioned to remain secret, and what that secret was discovered, and then all past recorded, and future encrypted content can easily be decrypted.
    Another example is a bribe that the NSA did in order to try and have a flawed elliptic curve encryption. It seemed secure even to experts for a while, but then someone found the flaw, and thus was instantly able to decrypt all traffic using that flawed curve. The flaw was the NSA's backdoor, and that is essentially what is trying to be put into law. Encryption that on the surface looks secure, but hidden somewhere, is a flaw that allows the content to be decrypted with no effort. When such a flaw is discovered, you cannot simply retroactively replace the encryption on old data. That flaw is known and all of the old data is now no longer protected for all those who have used it.

    Proper encryption using salted hashes to avoid the allocation of resources by criminals because it is only ever good for a single hash. Lets assume that you have multiple accounts with different companies, all of which implemented the industry standard crypto 100% properly. If a criminal decided to do something like devote every CPU on the planet to cracking the encryption to your account with company A, then in order to crack it for company B, they would have to repeat the entire process.

    If a backdoor is created then if they break it for 1 system, then it is broken for everyone.

    Remember, with current crpyto, there is no confusion on how to crack it, and that is what makes it amazing. It fully details exactly what it does to the data and even with knowing that, the most efficient way for you to crack it will require super computers working for trillions of years.

    Even with computers getting faster each year,it is likely that you will be long dead before the current crypto is fully broken to a point where it is trivial to break. It never looks for ways to be unbreakable.

    PS, the rock solid crypto is already available in open source. if a law is passed that will force backdoors to be used, then then the criminals will still have access to that crypto.
    Reply
  • Lordos
    How ironic, these companies crying "wolf" are the same companies who helped China make it more secure with the "Great Firewall" ten years ago. They shot themselves in the toes for sure, but in secret their attitude is completely different from what we are being told in reality.


    so your point? You want Great USA firewall just because China has one? Well tbh I would not care as long as it wont distort internet for rest of the world.
    Its only good that such companies publicly complain against such government bullshit.
    Reply
  • Christopher1
    razor512 got most of the issues but I think he left out one big elephant sized one: That sooner or later, the keys to the 'backdoor' will be leaked and malefactors of ALL stripes will be using the backdoor to hack into people's systems.
    That is why NO backdoors is the proper route to go.
    Reply