If you’re a policymaker in the UK or the US supporting crypto backdoors, now would be a really good time – assuming you haven’t melted into your shoes – to hide under a rock and cry:
Mother of God.
Cryptographers aren’t generally as well known as, say, theoretical physicists, so it might not be immediately apparent quite how stinging a rebuke this is. The rough equivalent would be sort of like having Paul Dirac, Werner Heisenberg, Albert Einstein, Max Born, Niels Bohr, John von Neumann and Erwin Schrodinger show up at your front door – uninvited, all at once, on live television, in complete agreement with each other, and having gone out of their way to do so – to tell you, and the world, that you don’t know jack about quantum mechanics.
Except it’s way, way worse. Because crypto is a practical discipline.
Put another way:
On the European side of the pond, we at Eris have been on the front lines fighting against crypto bans since January – indeed, from the very day that David Cameron announced the policy. We’re glad to see the big guns finally wading in – who make the argument better and more comprehensively than we ever could:
We have found that the damage that could be caused by law enforcement exceptional access requirements would be even greater today than it would have been 20 years ago. In the wake of the growing economic and social cost of the fundamental insecurity of today’s Internet environment, any proposals that alter the security dynamics online should be approached with caution. Exceptional access would force Internet system developers to reverse “forward secrecy” design practices that seek to minimize the impact on user privacy when systems are breached. The complexity of today’s Internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws.
Beyond these and other technical vulnerabilities, the prospect of globally deployed exceptional access systems raises difficult problems about how such an environment would be governed and how to ensure that such systems would respect human rights and the rule of law.
My immediate reaction was disbelief, followed by confusion and despair. When I first read about Cameron’s remarks, I was convinced he had no idea what he was really proposing. The idea is so preposterous that it was hard to imagine it being seriously suggested.
He can ensure that UK businesses are vulnerable to attack. But he cannot hope to prevent bad actors from using encryption to hide themselves from the police.
As an engineer, I cannot design a system that works differently in the presence of a particular badge or a signed piece of paper. I have two options. I can design a secure system that has no backdoor access, meaning neither criminals nor foreign intelligence agencies nor domestic police can get at the data. Or I can design a system that has backdoor access… but anyone who has followed all of the high-profile hacking over the past few years knows how futile that would be.
even if Cameron turned the UK into the police state required to even attempt this sort of thing, he still wouldn’t get what he claims he wants. That’s the worst of it: It wouldn’t work, and trying would destroy the internet.
Complete, total, unremitting evisceration. And the official response:
Number 10 has not responded to requests for clarification about Cameron’s comments.
Says it all, really.