Tech

US AG Barr demands tech firms break encryption, 'it can and must be done'

Opinion: The losing battle against encryption is a situation the US government created for itself.

Written by Charlie Osborne, Contributing Writer July 24, 2019 at 5:51 a.m. PT

It seems a lifetime ago, but the moment former US National Security Agency (NSA) contractor Edward Snowden revealed the mass surveillance activity of the intelligence agency, the United States -- and other countries -- were set on a path towards the widespread adoption of encryption.

The US' bulk data collection, China's citizen ID cards, and the UK's Snoopers Charter are only some examples of how government surveillance is permeating the lives of innocent citizens.

Security

The idea that "innocent until proven guilty" might still hold some weight in the courtroom, but more and more, pre-emptive surveillance on otherwise innocent parties is becoming accepted and commonplace.

This does not mean, however, that individuals are simply willing to accept that elected officials have the right to monitor the daily lives of citizens just because of their role or job.

In response to Snowden's disclosure, tech giants began to implement encryption into their services to appease the outrage of individuals across the globe. WhatsApp and Signal, for example, are encrypted communication platforms which do not allow widespread eavesdropping.

Governments worldwide -- including those in the US, UK, and Australia -- saw the spark light the fire in encrypted communications development and began to throw their weight around, demanding that service providers create backdoors in their products for the use of law enforcement agencies.

Unsurprisingly, tech companies, including Apple, Google, and Microsoft have resisted every step of the way.

On Tuesday, US Attorney General Bill Barr told attendees of a cybersecurity conference in New York that "warrant-proof encryption is already imposing huge costs on society," and he has had enough of "dogmatic pronouncements that lawful access simply cannot be done."

"It can be, and it must be," Barr added.

Of course, it can be, but not in a way that ensures individual security and privacy. Backdoors would satisfy law enforcement but cyberattackers would also enjoy utilizing such deliberate weaknesses in order to spy and potentially steal data.

"We are confident that technical solutions will allow lawful access to encrypted data and communications by law enforcement without materially weakening the security provided by encryption," the US official said.

"It is well past time for some in the tech community to abandon a posture that a technical solution is not worth exploring and instead turn their considerable talent to developing products that will reconcile good cybersecurity to the imperative of public safety and national security."

The existence of any backdoor will materially weaken a product, and not just in relation to the software. Should a technology service provider bow to such demands and citizens are made aware of the existence of a deliberate backdoor, this is akin to asking them to have a front door installed in their home which is always left slightly ajar.

You are demanding that the majority of innocent users accept a security vulnerability which could be weaponized against them in order for overreaching intelligence agencies to have a stab at mass data collection once more and perhaps, on occasion, catch a criminal in the act.

"It [encryption] seriously degrades the ability of law enforcement to detect and prevent crime before it occurs and after crimes are committed, it is thwarting law enforcement's ability to identify those responsible or to successfully prosecute the guilty parties," Barr says.

This statement implies that given access to a backdoored service, US law enforcement would not reactively scan through communication to compile evidence against a suspect, but would, instead, proactively monitor messages just in case a crime might take place.

Let's not forget, too, that forcing companies to install a backdoor for the US may also pave the way for allied countries to scour user data in the same way, made possible through law enforcement agreements or legislation.

TechRepublic: How businesses can reduce the financial impact of data breaches

In May, Apple, Google, Microsoft, and WhatsApp rejected a proposal by the UK's GCHQ to add "ghost" users to private chats that could be used by police to monitor communications. While this would not require a standard backdoor, such a system would bypass authentication and erode consumer trust -- and so cannot be deemed any more acceptable.

CNET: Equifax breach: How to claim your share of the $700M settlement

It simply won't do. Users will abandon services that permit these 'solutions' to be implemented to spy on them, the provider in question would immeasurably suffer, and trust between company and consumer would break down.

The US government has experience of this, already, since breaking the trust of citizens with mass data collection activities years ago. Is it any wonder that critics are concerned with the potential abuse of backdoor access in the future?

The fight against the widespread adoption of encryption launched by law enforcement is a self-fulfilling prophecy. After all, it was the US government's own actions and breach of trust which prompted the increased adoption of encryption as a technology in the first place.