Technology firms have responded to a letter written by ministers in the French and German governments – which calls for legislation to mandate secure encryption with backdoors – saying it is impossible.
The ministers who wrote the letter believe that encryption backdoors are essential for counter-terrorism.
The letter, sent by Thomas de Maizière and Bruno Le Roux, respectively the German and French ministers of the interior, was sent to security experts in the European Commission such as Brit Julian King.
In addition to calling for encryption with backdoors, they also want EU states to share counter-terrorism intelligence more effectively and make greater use of biometrics.
The ministers have asked for new legislation to cement these in law, and it will be considered in October once both countries have elected their new leaders in parliamentary elections.
This isn't the first time the two minister have asked for such measures, but this time the ministers have garnered EC backing. EU Home Affairs Commissioner Dimitris Avramopoulos said he welcomed the proposals, describing them as “in line with” the Commission's thinking.
However, the tech industry was quick to issue a reality check.
Jason Ginsberg, senior director at Echoworx, told SC Media UK: "European lawmakers need to remember that cyber-surveillance is no different than old school wire-tapping. However, the government requires court approval for a wiretap and only after they have demonstrated evidence of reasonable suspicion.”
Ginsberg added: “They should not be allowed to circumvent existing laws based on the type of media being surveilled. These laws were put in place to protect the average person from this kind of intrusion. The same rules should apply regardless of whether it's phone conversations or web and social media use being tapped. There is a balance that needs to be struck but it is absolutely vital that there is appropriate judicial oversight dictating the use of these powers.”
Likewise, Christian Borggreen, director of international policy in Brussels for the Computer & Communications Industry Association, a nonprofit organisation that lobbies for the technology industry, wasn't impressed by the idea.
In a statement, Borggreen said: "Any backdoors to encrypted data would pose serious risks to the overall security and confidentiality of Europeans' communications, which seems inconsistent with existing legal protections for personal data.”
He added: "Weakened security ultimately leaves online systems more vulnerable to all types of attacks, from terrorists to hackers. This should be a time to increase security – not weaken it."
Many experts have said this before: it isn't mathematically or technologically possible to build a backdoor into encryption that will allow a select set of people in without being exploited by others.
Cryptographer Bruce Schneier asserts on his blog: “If a backdoor exists, then anyone can exploit it. All it takes is knowledge of the backdoor and the capability to exploit it. And while it might temporarily be a secret, it's a fragile secret. Backdoors are one of the primary ways to attack computer systems.”
He later points out that, “the bad guys”, could just “move to one of [the other] 546 foreign-made encryption products, [which are] safely out of the reach of any U.S. law.”
There is a possibility of "key escrow," where a third party holds the keys, which has been suggested in recent years by government agencies seeking to conduct covert surveillance of communications.
However, as pointed out by a 1997 paper by a number of experts from MIT, AT&T, Sun Microsystems and the University of Cambridge, “All key-recovery systems require the existence of a highly sensitive and highly-available secret key or collection of keys that must be maintained in a secure manner over an extended time period.”Essentially, it presents a single point of failure, and a single point which someone would have to access in order to gain access to all the keys.