Open backdoors into apps and adversaries will use them too

This week I read the news that my government was trying to make it harder for me to communicate securely. That would be a normal occurrence in China, where online privacy has deteriorated every year I’ve lived here. But this latest blow came from a different source: the UK government. The justice departments of the “Five Eyes” intelligence-sharing alliance — the UK, US, Canada, Australia and New Zealand — have asked once more for tech companies to give them “lawful access” to encrypted communications.

In other words, these governments want backdoors into encrypted messaging apps such as WhatsApp and Signal. The term “backdoor” has been popularised more recently by the Trump administration’s campaign against Chinese tech, accusing Huawei and other companies of leaving backdoors for Chinese government access.

As a foreign correspondent in China, I would much prefer to be reading my private messages than , although neither prospect is very comforting. But it is unproductive to say things could be worse in China; that is barely any comfort, either, for citizens living in the west. There is a different link we need to explore between UK and Chinese government backdoors: that bad domestic cyber policy decreases our ability to defend against foreign adversaries.

Any form of surveillance creates a pool of data that bad actors can try to access. Breaking end-to-end encryption, in particular, leaves gaping vulnerabilities for hackers to exploit.

The reason for this is in the otherwise tight design of such programs. An app such as Signal encrypts your messages so that they can only be accessed using a private key, or password, that is generated on your phone and is sealed there. Signal’s servers and programmers can’t access the key and use it to decrypt your messages as they flow through the internet. The only person who can access it is the person in control of the phone, the message’s final “end point”: hence the term end-to-end encryption.

The efficacy of end-to-end encryption means that everyone, from banks to ecommerce sites to healthcare systems, relies on it to protect their users. Without access to the private key, the number of calculations it would take to break open a well-encrypted message would take longer than a lifetime.

As a result, backdoors into end-to-end encrypted communications usually require app designers to produce extra keys that are given to law enforcement agencies. But unlike the keys stored on a device, these extra keys are designed to be shared. Their existence increases dramatically the chance that a key gets leaked. Once a key is leaked, all the contents of the encrypted messages can be read.

In general, if a security flaw exists, it is only a matter of time before someone finds it. Even tools built by government agencies such as the NSA have ended up in the hands of Chinese, North Korean and Russian hackers. Creating a master set of keys to access all encrypted communications would mean building a nuclear internet bomb without the ability to guard it.

Foreign spies have abused “lawful intercept” backdoors in the past. One high-profile example comes from the telecoms industry — the same market Huawei dominates, to the concern of the Five Eyes governments. In what has become known as “Greek Watergate” or the “Athens Affair”, in 2004-05, the prime minister of Greece and more than 100 high-ranking officials and executives had their phonelines hacked. Someone had taken advantage of the lawful intercept ability embedded into the Ericsson equipment used by Vodafone. The episode also involved the apparent suicide of a Vodafone engineer.

Once you lose trust over security, it is difficult to get it back. People would stop conducting commercial transactions, for example, over platforms with backdoors once those backdoors have been exploited. Then they would shift to the newer platforms that spring up — before the government clamps down on them. And enforcement would be ugly: if Facebook continued to hold out against installing backdoors, would the UK ban WhatsApp?

We must make our systems robust against a world in which bad actors, such as China’s spy agencies, will always be a threat. It is pointless to keep fretting over the rise of China — we need to prepare to coexist. To do so, governments should make their domestic cyber policies consistent with their international objectives. There is still, broadly speaking, one global internet: we have to defend it. 

Yuan Yang is the FT’s deputy Beijing bureau chief

Follow @FTMag on Twitter to find out about our latest stories first. Listen to our podcast, Culture Call, where FT editors and special guests discuss life and art in the time of coronavirus. Subscribe on Apple, Spotify, or wherever you listen.

Read original article here.