Government Encryption Backdoors Still Impossible and Pointless, Experts Say

WhatsApp on a Samsung Galaxy phone.
WhatsApp on a smartphone. (Image credit: Alex Ruhl/Shutterstock)

After U.S. Attorney General William S. Barr called on tech companies to give law-enforcement agents access to encrypted apps like WhatsApp and devices like the iPhone this past week, FBI Director Christopher Wray doubled-down on that demand.

"Just as technology has become a force multiplier for the good guys, it has become a force multiplier for all sorts of bad guys," Wray said during an address Thursday (July 25) at the International Conference on Cyber Security, an FBI-sponsored gathering held every 18 months in New York. "Our agents continue to encounter criminals, from street drug dealers to foreign spies, who relish the ability to hide on encrypted devices and inside encrypted messaging platforms."

But encryption and technology experts told Tom's Guide that law-enforcement "backdoors" in encrypted apps and data would end up being backdoors for everyone else — and that they might not work in the long run anyway, because encryption that police couldn't crack would still be widely available.

"Cryptography can't only work for the good guys and only allow access to authorities, no more than guns that only allow you to shoot in self-defense," Chester Wisniewski, a senior security researcher with digital-protection firm Sophos, told Tom's Guide. "Were [Barr and Wray] to talk to experts in cryptography, of which the FBI has a few, they would understand that they are asking for a rainbow-colored unicorn."

MORE: Best Encrypted Messaging Apps

"It's the same fallacy as being a little bit pregnant," said Robert Graham, CEO of Atlanta consulting firm Errata Security, in a long Twitter thread. "Encryption is either breakable by everybody or breakable by nobody, without much difference in between."

Barr dismissed such arguments in his speech, stating that "there have been enough dogmatic pronouncements that lawful access simply cannot be done. It can be, and it must be." 

Sliding scale, if it's a scale at all

The attorney general said that legislators and tech-industry companies need to find the right spot where virtual security and real-world security can be properly balanced.

"If the choice is between a world where we can achieve a 99% assurance against cyber threats to consumers, while still providing law enforcement 80% of the access it might seek," Barr said, "or a world, where we have boosted our cybersecurity to 99.5% but at a cost reducing law enforcement's access to zero percent -— the choice for society is clear."

That kind of linear gradation makes sense to a layman, and legislators and other government officials naturally have take such balancing interests into consideration all the time. But Graham said it doesn't make sense when it comes to encryption.

"People's instinct [is to] treat crypto strength as linear," he tweeted. "This isn't how it works. Crypto is instead exponential in difficulty.

"[An] 80-bit key is not twice as difficult to crack as a 40-bit key, but a trillion times more difficult," he added. "Said another way, the thing that's twice as difficult to crack as a 40-bit key is a 41-bit key: each additional bit doubles the the number of combinations you have to try."

However, renowned encryption expert Bruce Schneier welcomed Barr's argument about balancing digital and real-world security, even if he ultimately disagreed with Barr's conclusion.

"With this change, we can finally have a sensible policy conversation," Schneier wrote in a post Tuesday on the Lawfare blog

"Adding a backdoor increases our collective security because it allows law enforcement to eavesdrop on the bad guys," he said. "But adding that backdoor also decreases our collective security because the bad guys can eavesdrop on everyone. This is exactly the policy debate we should be having — not the fake one about whether or not we can have both security and surveillance."

Would the U.S. government ban full encryption?

What worries law enforcement the most is "end-to-end" encryption, such as found in WhatsApp and Apple Messages, in which the only parties able to read the messages are those on either end. No one else -- not Facebook, not Apple, not the government -- is able to intercept and read the messages along the way. 

FBI Director Wray's words Thursday were an echo of what he'd told another ICCS audience a year and a half ago. Then as now, he diplomatically pleaded with the tech industry to come to the table and help craft a solution to this "going dark" issue that U.S. law-enforcement officials have been trying to bring to public attention for the past 25 years.

Barr, on the other hand, did something new: He gave a warning — or perhaps a threat — to the tech industry. He said legislation governing encrypted communications and data was inevitable, perhaps to be spurred by a "sensational case [that] crystallizes the issue for the public," and that the tech industry could either come to the table now or, well, end up being on the menu. 

"American companies have an opportunity to advance their interests by setting industry standards now," Barr said. "While we remain open to a cooperative approach, the time to achieve that may be limited."

Matthew Green, a computer-science professor at Johns Hopkins University, told Tom's Guide that he found Barr's words to be "pretty blunt." 

"If there's any real news here, it's that the Trump administration has decided to take this issue very seriously," Green said. "Barr's speech didn't cover multiple topics — he only focused on this one issue. Moreover, his speech contains some lines that warn about future terrorist attacks, and suggest that the debate may end when one happens."

Last month, POLITICO reported that senior officials from President Donald J. Trump's National Security Council debated asking Congress for legislation to ban encrypted apps that cops can't access. Such laws were recently passed in Britain and Australia. 

No decision among the U.S. officials was reportedly reached, and the general consensus at this moment seems to be that barring a major incident such as the one Barr warned of, there's not enough support in Congress to pass an encryption ban. 

Different kinds of encryption

Barr sought to make a distinction between encryption in consumer technology such as iPhones, Apple Messenger, WhatsApp or Signal, and the supposedly better encryption used by enterprises to lock up corporate secrets and the government to lock up national-security secrets.

"We are talking about consumer products and services such as messaging, smartphones, email and voice and data applications," he said. "We are not talking about protecting the nation's nuclear launch codes. Nor are we necessarily talking about the customized encryption used by large business enterprises to protect their operations."

Again, to the layman it makes sense that consumers don't need extremely strong encryption, and that perhaps that should be reserved for entities that really need it. But Schneier and Graham said that argument was completely divorced from reality.

"The same consumer communications and computing devices are used by our lawmakers, CEOs, legislators, law enforcement officers, nuclear-power-plant operators, election officials and so on ... it's all the same tech," Scheier wrote. "Barr is wrong — it kind of is like these systems are protecting nuclear launch codes."

"In fact, the crypto protecting the military is less than what protects consumers," Graham tweeted. "Your iPhone has all the latest advances in crypto. It gets updated monthly. Nuclear silos still use floppy disks. Consumer grade crypto is therefore way better than what's protecting our launch codes, simply because it's newer."

Consumer data shouldn't get second-rate protection, said Andrea Little Limbago, chief social scientist at data-privacy company Virtru.

"There is a steady pace and growing magnitude of data compromises, and that is what is dangerous, unacceptable and only getting worse," Limbago told Tom's Guide. 

"Any approach that weakens security -- such as banning encrypted communications -- not only empowers the criminals and authoritarian regimes who have already stolen troves of IP [intellectual property] and personal data," she added, "but basically encourages an even greater proliferation of attackers who will target an even broader range of critical infrastructure."

"Encryption protects all of us from threats in both the digital and physical worlds, and we shouldn't let the government undermine it," echoed Andrew Crocker, a senior staff attorney with the Electronic Frontier Foundation, a digital-rights advocacy group in San Francisco.

Would banning full encryption even work?

It's a central tenet of U.S. criminal law that, with a judge's warrant, law enforcement personnel have a right to look into private citizens' communications and stored files if there is evidence that a crime may have been committed. In that respect, American cops already have a firm legal basis for accessing encrypted messages and data.

The question then becomes how U.S. police would access the messages and data if the encryption is essentially unbreakable. In some other countries, including the U.K. and Australia, individuals can be compelled by law to give up their encryption keys, but that generally runs against the American constitutional right to avoid self-incrimination. It also doesn't help when the person who knows the keys is dead or otherwise unreachable.  

The other options would be to ban end-to-end encryption, as is already the case in China and Russia, or to force technology companies to build in backdoors, as is already the law in Australia and as Barr warned might happen in the U.S. From the consumer's perspective, either approach would amount to the same thing.

But could either method really stop Americans, law-abiding or not, from using fully encrypted messaging? 

WhatsApp, Facebook Messenger and Apple Messages are all owned and developed by American companies, but other well-known encrypted messaging apps such as Telegram, Threema and Viber come from other countries and are outside the reach of U.S. laws. Any Android user could "side-load" those apps from the internet even if the apps were removed from the U.S. version of the Google Play app store.

"The genie is already out of the bottle, and things are not likely to go back to the way they once were," said Wisniewski. "For most of us, that is a great thing."

Another well-known encrypted messaging app, Signal, was created in the U.S. but is open-source, as is Telegram. Their encryption protocols can be freely copied and replicated by developers all over the world.

"If the United States wants to go back to the 20th century, it will impose an enormous amount of financial disruption as everyone flees American tech companies and goes to more secure foreign offerings," Wisiewski said. "The knowledge of how to do cryptography properly is well known to anyone who cares to know, and it will not simply go away at the wish of the U.S. government."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.