What are the Security Risks of Encryption Backdoors That can Affect Your Privacy and Security?

On 29th September, 107 Belgian organizations and cybersecurity experts wrote an open letter to their government calling for it to drop the draft law that would force companies to weaken their end-to-end encryption systems to provide access to law enforcement agencies.

In the letter, the signatories say:

Far from making Belgians safer, these requirements would undermine the use of end-to-end encryption in Belgium and, as the Belgian Data Protection Authority wrote in its opinion against the Data Retention Legislation, would force companies to create a 'de facto backdoor'.

Here is the whole open letter.

What are Encryption Backdoors and Why Do Law Enforcement Agencies Want Them?

The encryption debate, especially in the United States and the European Union (in China and Russia, encryption is strictly controlled by the respective governments, so there's not much of a debate), has been going strong for a couple of years now, with government agencies pushing for encryption backdoors and technology companies pushing against them.

In the US, for instance, there have been several acts proposed by the Senate that would essentially give the federal government, law enforcement and other national security agencies access to encrypted devices.

The two most notable encryption backdoor acts in the US are the LAEDA (Lawful Access to Encrypted Data Act) and the EARN IT (Eliminating Abusive and Rampant Neglect of Interactive Technologies) Act.

These two acts are meant to enable law enforcement to better fight against terrorists and criminals (LAEDA) and child abuse (EARN IT) by giving national security agencies backdoor access to end-to-end encrypted systems.

Speaking about the LAEDA, Senate Judiciary Committee Chairman Lindsey Graham and US Senators Marsha Blackburn and Tom Cotton (who also proposed the act) said:

Terrorists and criminals routinely use technology, whether smartphones, apps, or other means, to coordinate and communicate their daily activities. In recent history, we have experienced numerous cases and serious criminal activity where vital information could not be accessed, even after a court order was issued. Unfortunately, tech companies have refused to honor these court orders and assist law enforcement in their investigations.

Speaking about the EARN IT Act, Senator Graham (who also wrote the act alongside Richard Blumenthal of the Democratic Party) said after the Senate Judiciary Committee passed it unanimously, 22-0:

There are tens of millions of photos and videos circulating throughout the Internet, showing the most heinous acts of sexual abuse and torture of children. The EARN IT Act removes Section 230 blanket liability protection from service providers in the area of child sexual abuse and child sexual abuse material on their sites. The EARN IT Act's goal is to create voluntary best business practices to protect children from exploitation and to better police these sites when it comes to child predators. If the companies in question are employing the best business practices, that would be a defense in any civil suit.

Although the acts don't explicitly mention it, they clearly introduce a backdoor access system so it's a good idea to understand what that is.

What is backdoor encryption?

Backdoor encryption is, essentially, a way for a party such as law enforcement to bypass end-to-end encryption and gain access to encrypted data, with or without authorization.

What are the Security Risks of Encryption Backdoors?

So how are encryption backdoors different from regular security vulnerabilities?

In reality, they're not. Both allow unauthorized users, whether they are government agents or malicious actors such as hackers, to access information that is otherwise protected with an encryption key.

Think about it this way. If tech companies agree to install backdoors to assist intelligence agencies in their criminal investigations, how long would it take for malicious actors to use the same backdoors and access those encrypted services?

This has already happened to some foreign governments. In China, which mandates that private companies maintain encryption backdoors and encryption key escrows to give its government agencies access to such data, hackers have already found a way to do this.

Researchers have found that Chinese hackers exploited a previously unknown Windows backdoor that gives them remote access to devices and lets them collect sensitive data, which they named "SharpPanda".

In its campaign, the China-based group called APT targeted the Ministry of Foreign Affairs in this country via spear-phishing emails that served to deliver an MS Word document loaded with an exploit kit.

Lotem Finkelsteen, Head of Threat Intelligence at Check Point Software, the research team that discovered this exploit, commented:

All the evidence points to the fact that we are dealing with a highly-organized operation that placed significant effort into remaining under the radar. Every few weeks, the attackers used spear-phishing emails, laced with weaponized versions of government-themed documents, to try and create a foothold into the Ministry of Foreign Affairs of the target country. This means that the attackers first had to attack another department within the targeted state, stealing and weaponizing documents for use against the Ministry of Foreign Affairs. All in all, the attackers, who we believe to be a Chinese threat group, were very systematic in their approach.

What Does the National Security Agency Get Wrong About Encryption Backdoors?

Forcing technology companies to install encryption backdoors to give law enforcement access to encrypted user data will not protect those same users from terrorists as its proponents claim.

In fact, a poll done by security company Venafi during the Black Hat 2019 conference in Las Vegas saw 72% of attendees (384 in total) say this.

The same survey also found that 84% of those surveyed said they would never use a program or a device if they knew the company had agreed to install an encryption backdoor, and a further 70% said that governments that enforce encryption backdoors are at an economic disadvantage in the global marketplace.

Kevin Bocek, VP of Security Strategy and Threat Intelligence at Venafi commented:

We know that encryption backdoors dramatically increase security risks of every kind of sensitive data, and that includes all types of data that affects our national security. The IT security community overwhelmingly agrees that encryption backdoors would have a disastrous impact on the integrity of our elections and on our digital economy as a whole.

Conclusion

A door is a door, and once it has been opened, as an encryption backdoor does, it's very difficult, if not impossible, to close it again. Weakened encryption only serves to do the opposite of what its advocates say: it endangers personal security, privacy and public safety, and it puts companies that agree to it, and their products, at a disadvantage on the market.

Such measures might help against small criminals that don't have much technical knowledge or know-how. However, more organized groups (exactly the ones that acts like LAEDA and EARN IT are supposed to target) could simply find a way to make their own devices more secure against such encryption backdoors.
