Building backdoors into encryption to counter criminals and terrorists is doomed from the start, EU cybersecurity policy body ENISA has warned in a new discussion document.
The agency offers a number of arguments in support of its conclusion, which can be summed up with reference to the unwritten first law of backdoors: they only work well when the people targeted by them don’t know they’re there.
As soon as they do, they no longer trust that technology or service and stop using it, undermining the point of putting the backdoor there in the first place.
Using them in the way mooted by successive UK and US governments over the last quarter of a century – including through independent key escrow – would risk ushering in a dystopian era of unintended consequences, ENISA said.
The first is that cybercriminals would quickly migrate to alternative encryption platforms or, worse still, start building their own. At that point, police and intelligence agencies would find themselves at an even greater disadvantage than they are today.
A second consequence is that the same cybercriminals (including nation states) would hunt down the secret backdoors, using any they found to turn the system against ordinary internet users.
By that point, the network of trust that makes the internet possible might start to collapse as billions of users and businesses wondered which bits of software (digital certificates, HTTPS, messaging privacy and encrypted personal data held by organisations) were safe to use.
Backdoors could end up being more like an open door, says the agency: “The use of backdoors in cryptography is not a solution. Existing legitimate users are put at risk by the very existence of backdoors. The wrong people are punished.”
ENISA steers clear of mentioning another seeming paradox brought into sharper focus by legislation such as the recent UK Investigatory Powers Act (IPA), also called the “Snooper’s Charter”.
Citizens value encryption because it secures them from criminals. But when governments start watching citizens, it also protects them from governments, trust in which is falling post-Snowden.
Ergo, overbearing surveillance risks spreading the very thing that annoys governments most: ever more sophisticated encryption technologies such as the end-to-end design used by the hugely popular WhatsApp.
These work without centrally held keys, which makes life much harder for snoopers. It’s an evolution that makes backdoors futile and blunts surveillance:
“There is every reason to believe that more technology advances will emerge that will continue to erode the possibility of identifying or decrypting electronic communications.”
European governments are under no obligation to take ENISA’s advice on any of this, but at least they can’t say they weren’t warned.
Encryption is the great technological leveller. No matter how much police and intelligence services wish it otherwise, encryption was invented to secure communication, not undermine it.