Weakening Encryption Does Not Strengthen Security
The U.K. office of the Home Secretary has reportedly handed Apple a secret order requiring the company to essentially cripple its strongest encrypted data storage offering in order to allow the country’s law enforcement agencies to access users’ data backups during investigations. The order, which was issued last month, would affect Apple customers not just in the UK but around the world, and set a dangerous precedent that other countries could use to justify similar demands.
The order, reported by The Washington Post, poses a significant challenge to consumer access to strong encryption and is the latest chapter in a long and sordid history of governments resistance to encryption for data at rest and in transit. Depending upon how loose you want to get with your definitions and how far back you look, you can find dozens of examples of this type of behavior in the last few decades from governments around the world, including democracies such as the UK and the United States. Most of those examples have to do with efforts to compromise encryption of data in transit, such as backdoors in secure messaging services or the absurd Clipper Chip proposal.
But the U.K. order concerns data at rest, specifically the data stored by Apple users in their iCloud backups. And even more specifically, the data stored by users who have enabled Advanced Data Protection, Apple’s high-level encrypted backup service, an option that allows users to take control of their own backups and ensures that only they, and not Apple, have possession of the keys to decrypt those backups. This option defeats one of the main methods that law enforcement uses to gain access to users’ iPhone data: a search warrant for the iCloud backup. The ADP service isn’t available in every country, but it is available in the U.K. and U.S., among many others.
The order would force Apple to either create a method for law enforcement to access those backups–which would completely defeat the purpose of the service–or…what? Stop doing business in the UK? The latter is the more likely outcome, but that doesn’t address the larger issue, which is the continued efforts by governments to weaken or disable encryption and encrypted services. These efforts are counterproductive at best and actively harmful at worst.
On the potential impacts of this order, Thorin Klosowski of the Electronic Frontier Foundation wrote: “There is no technological compromise between strong encryption that protects the data and a mechanism to allow the government special access to this data. Any “backdoor” built for the government puts everyone at greater risk of hacking, identity theft, and fraud. There is no world where, once built, these backdoors would only be used by open and democratic governments. These systems can be, and quickly will be, used by more repressive governments around the world to read protesters’ and dissenters’ communications.”
Modern encryption is nothing short of a miracle. Go read The Code Book or anything that Matthew Green has written if you need some background. The fact that any of this works is incredible. Some incredibly spooky math is essentially the basis of the security for the modern internet. It’s taken the better part of a hundred years to get to this point, and it could be undone in the space of a few days. Cryptographers and computer scientists have warned about the dangers of these ideas for decades, and security engineers have worked diligently to develop resilient and defensible cryptosystems and products. These systems are the foundation of our banking, ecommerce, and communications platforms.
And yet the efforts to hamstring these systems continue unabated. No scenario exists in which weakening encryption leads to strengthening a country.
