Welcome to our Blog

The Foundry Files


No More Secrets

No More Secrets

Once again, the topic of backdoored encryption services is being hotly discussed. Arguments discussing the philosophical [1], ethical [2], and technological [3] consequences of such legislation have been written and discussed at length. Overwhelmingly, it seems that the citizens and businesses of America are strongly against government mandated encryption backdoors in their software and services.

Security agencies feel that the best way to do this is through monitoring communications. I reject the claim that there is a need for mandated backdoors, but from a different angle then the referenced articles above; I am focused on what the endgame would be for such legislation. I understand the struggle that governments face - they wish to protect their citizens and national interests, a difficult task as the digital attack surface increases. I, however, assert that backdoored services are an ineffective stopgap solution at best, and in the worst case, deeply affect the commerce and security of American corporations, to say nothing of the American citizenry.

What is the endgame here, should such legislation pass? Directed, blanket backdoors are only as powerful as the visibility that those backdoors provide. Should legislation directly call out service providers, attackers will simply move their communications elsewhere, beginning an untenable game of cat and mouse for legislators, and a great deal of broken trust between the government and corporate America.

Should instead service providers have blanket legislation cover them, how would this contend with small businesses? Open source tools? Personally hosted chat servers? Such legislation could be some of the most far-reaching powers ever granted, to say nothing of the difficulty of enforcing that legislation. Tracking down every hosted chat service would be a nigh-untenable task, and the possibility of hosting such services overseas only further complicates matters. We would be left with a patchwork enforcement, something that presents its own ethical and legal concerns.

If legislation merely makes it easier to obtain NSL’s for accessing chat log data, attackers will likely move to methods which allow them to communicate using encrypted payloads which are decrypted in real-time by external chat clients. Systems such as OTR exist which allow popular chat clients to communicate using encrypted messages over chat services which do not natively support encrypted communications. While it may not be a perfect solution, attack prevention is a matter of timing, and even the weakest of these methods can increase an attacker's operating window.

Finally, citizens, particularly the digital generation, have demonstrated that blanket surveillance is something they do not support. If legislation forces American companies to make communication information more available to the American security and intelligence apparatus against the desires of the consumer, that would result in the favoring of foreign businesses by the government. Overly draconian enforcement could even drive developers outside the US border - a loss of software development experience that we so often hear is desperately in demand.

Ultimately, I am unconvinced that legislation targeting encryption is needed. Attackers savvy enough to encrypt their communications are savvy enough to stay a step ahead of comparatively slow-moving legislation or devise technological solutions that circumvent such laws. This kind of reliance on short-term, easy answers does not speak well of our intelligence apparatus and serves as a chilling effect for American business innovation and commerce.


Screen Shot 2016-01-05 at 10.28.35 AM         Zach Hanif is the CTO of Eastern Foundry.