Making encryption backdoors available to law enforcement would be bad for cybersecurity in general and hurt vendors that make encryption gear, a presidential advisory group says.
While the FBI argues that it needs legislation to require access points into encryption platforms, the National Security Council is preparing to tell President Obama that the downsides include weakening the privacy of Internet communications, according to a draft NSC report obtained by the Washington Post.
“[B]ecause any access point to encrypted data increases risk, if government efforts to secure access are successful, this approach would reduce cybersecurity,” the document says.
At the same time, laws forcing vendors to build in encryption keys for police use would create a thicket of problems for vendors, such as losing buyers in other countries that don’t want their communications hackable by U.S. law enforcement. If other countries enacted similar laws, though, that might ease the burden.
“If long-term successful in gaining government access, this option would significantly harm economic competitiveness, though the harm might be somewhat mitigated if there was broad international success in getting government access,” the document says.
The NSC drafted an analysis of three stands Obama might take in regard to encryption backdoors, listing the pros and cons of each. The options are:
* opposing backdoors altogether
* asking vendors to voluntarily provide backdoors or at least help law enforcement any way they can within the limits of their current technology
* making no stand on the issue
None of the options favors a law to mandate backdoors. Falling short of favoring a law “could encourage the use of more encryption which would likely be good for cybersecurity,” the draft says. Further, “eschewing mandated technical changes ensures the greatest technical security.”
Trying to get vendors to voluntarily introduce keys for law enforcement use is a pipe dream, some members of the NSC policy team say. “Some working group participants, however, have indicated they think it unlikely that industry will be willing to voluntarily modify their technology even if the threat of legislation is removed. Others further expressed the opinion that so long as the threat of future legislation remains on the table, it may dissuade industry cooperation,” the report says.
That threat of future legislation isn’t a very big stick with which to persuade vendors anyway, some in the working group say. “[F]ew, if any, in industry likely find this threat to be credible,” the report says. “U.S. providers have not indicated they would be willing to voluntarily modify their systems to enable law enforcement access to encrypted information, even if the government were to eschew legislation.”