The Quest to Cripple Encryption

It shouldn’t come as a surprise, but it looks like the Attorney General (as well as law enforcement in general) doesn’t understand how encryption works.

At a cybersecurity conference at Fordham University in late July Barr lamented the expanding presence of encryption. In the speech, Barr is trying to play consumers (that use and benefit from secure encryption) victims, with quotes like:

The deployment of warrant-proof encryption is already imposing huge costs on society it seriously degrades the ability of law enforcement to detect and prevent crime before it occurs.

Leaving aside how creepy that sentence is (thoughtcrime anyone?) if encryption has a backdoor it not only weakens the encryption for that device, but it makes every single device using the backdoored encryption a huge target for malicious actors.

Proper encryption is essentially a very, very, very complicated math problem. If you also provide a “secret” shortcut, then the whole system becomes weaker. Imagine if there was a “magic backdoor” that would decrypt any phone by Apple, or Google, or Samsung. There’s not (yet, at least) a way to develop an encryption backdoor for a single phone – either you can backdoor into zero iPhones (or Pixels, etc.) or all of them.

You may think the worst thing that could happen is that the backdoor is leaked and everyone knows. But I think the actual problem would be if a malicious actor discovers the backdoor and no one knows an entire group of phones are vulnerable.

Not only would having these decryption keys weaken the idea of encryption, but it would also undermine security on the entire device. Just looking at some of the unintended security holes in Windows, Android, iPhone, and macOS should be enough to see how tough it actually is to make real secure software without a backdoor. Adding an intentional way to shortcut security would be a nightmare.