Two bills are making their way through Congress right now that scare the ever-loving crap out of me! Both of them are being pushed by Senator Lindsey Graham.
“My advice to you is to get on with it, because this time next year, if we haven’t found a way that you can live with, we will impose our will on you.”
-Senator Lindsey Graham (after being told a “backdoor only for the good guys” is impossible[1].)
Not the will of the people as he is sworn to do, but his own personal will, against the advice of every cyber security expert that has ever testified on this topic.
The EARN IT Act, which horrifyingly passed the Senate Committee with a unanimous vote[2], is the “lesser evil” of the two bills. The LAED Act is fortunately only at the “Introduced” phase as of this post’s publishing date.
I’m going to discuss these bills after I explain my position on backdoors, and why in my expert opinion, they are a horrible idea.
What’s a “backdoor?”
It’s important to know what exactly a “backdoor” is in the context of computing before we can debate the benefits and risks of one. A backdoor is defined in the cyber security industry as:
Backdoor: Any method by which authorized and unauthorized users are able to get around normal security measures and gain high level user access (aka full administrative control) on a computer system, network, or application.
So what does all of this mean? Basically, a backdoor is a way for someone to gain access to your data without you providing them with a password or normal access measure.
The TSA Accepted Locks are a good example of this. They all have a unique key sold with the lock, but every single one of them can be opened by one of seven keys the TSA has.
The TSA Accepted locks also serve as a physical world example of why backdoors and master keys are such a bad idea. The key designs have been leaked and anyone can 3D print them and have the ability to open every single TSA Accepted Lock[3].
Why backdoors are just “open windows”
The term “backdoor” doesn’t go far enough, in my opinion. A back door of a house has the same level of security as the front door.
Think about this for a few minutes. In your home every door has the same style of lock (unless you change it). In many homes they all even share the same key.
In cyber security though, the “backdoor” is meant as a way to bypass the hard security requirements of the “front door”. This is more akin to climbing through your open window because you forgot your keys on the kitchen counter than it is to still having to go through a strong lock.
Personally I think we need to start calling backdoors “open windows” because it is not just more accurate, but truly shines a light on how poor the security of the backdoor really is.
Private backdoors have been compromised many times
Over the years the IT industry has come across many backdoors that existed without any government demand. We’ve already seen backdoors become compromised.
I’m just going to list a few examples here.
- Fortinet firewalls had a hard-coded backdoor password leak to the public[4].
Anyone could use the username `Fortimanager_Access` and the password `FGTAbc11*xy+Qqz27` to log in to any Fortinet firewall appliance.
This could not be disabled by Fortinet customers until a software update removed the backdoor.
- A month prior to the Fortinet backdoor discovery, a Juniper Networks backdoor was discovered that allows attackers to decrypt VPN traffic[5].
Juniper claimed this code was discovered in their product but that they don’t know how it got there.
- Two ZTE phone models had backdoors found in them that give instant administrative (root) access to the device via a hardcoded password[6].
`sync_agent ztex1609523` as a command on the device gave you full device control.
That’s just 3 examples that took me only a few minutes of googling to find. There are dozens if not hundreds more examples.
The government repeatedly had secrets stolen
Now you might say “Hey Matt. The government would keep a backdoor more secure. It’ll be fine!”
There are a few problems with this argument. The first is that the companies that make our products would also have access to the backdoors as they put them there. The examples from the previous section show why this is a bad idea. Additionally the government has lost control of its secrets more than once.
I won’t be linking directly to anything that hasn’t been declassified but I will provide examples of how the government can’t be trusted to keep a backdoor safe.
- The CIA lost access to a large amount of confidential documents. 34TB of data was stolen from an isolated high security network[7].
This treasure trove of data exposed lax cyber security practices not just of the CIA but of the wider intelligence community.
“Vault 7” as it was called by Wikileaks contained documentation and advanced, easy to use hacking tools that were classified as
This classification means this data is not only at the Secret level, but it is not even to be shared with our allies. It’s kept only for U.S. intelligence agencies. Now it’s publicly available.
- By now you have probably heard of Edward Snowden. Regardless of your opinion on his actions, Snowden proved an important thing (regarding backdoors): Government secrets can be leaked by whistleblowers.
The “Snowden archive” was fortunately trusted only to a select few journalists[8] and not just dumped on the internet, but it contained data on government hacking and spying programs classified at the highest levels.
Snowden’s leaks showed the government is willing to go above and beyond what is legal, in secret, to accomplish its goals. These leaks also prove the government has enough ability to monitor and catch criminals without backdoors.
- The famous WannaCry ransomware used an NSA developed malware internally called “ETERNALBLUE” to spread through networks.
This tool leaked when it was stolen from NSA servers by a group called The Shadow Brokers[9].
Could you imagine if The Shadow Brokers stole the master password for everyone’s iPhone?
- This has already been tried and it failed[10]. In the 1990s the Clinton Administration proposed a “Clipper chip”. This would be used by voice and data providers (re: telecom companies) to allow interception of calls and messages. Each chip was manufactured with a unique serial number and secret “unit key”. The Clipper chip was vulnerable to a brute force attack. It was also trivial to prevent key escrow, thus locking law enforcement out of the product anyway.
- When it comes to things like encrypted phones the government has plenty of options without backdoors[11].
The Graykey, which is only sold to law enforcement, is a tool used to break into iOS devices without a backdoor. It is sadly very effective, but also proves that backdoors are not needed.
There are many more examples of this but like the above section, I think these 5 really damaging examples are enough to show why we can’t trust the government to keep any master keys or backdoors safe.
What about the children?
Ah yes, the children. Protecting children from criminals and abusers is a favorite argument of authoritarian regimes[12] throughout history.
“Think of the children” works very well when seeking a power grab, because opponents can be smeared as being pro-child abuser.
In a world of dirty politics and attack ads, invoking “think of the children” is a way to protect bad legislation from being responsibly opposed, out of fear of being smeared in campaign ads and attacked (figuratively) by mobs of angry parents.
There are a few flaws in this argument though.
- Child sexual abuse material (AKA “CSAM”) is 100% illegal regardless of encryption. If you are caught with it, you are going to jail (once convicted of course).
- It doesn’t take a backdoor to catch someone with it. Even the “dark web” isn’t safe from the FBI[13].
- The “Section 230” law that protects companies like social networks from liability for their users’ content already exempts CSAM from protection as well as all other illegal material[14].
- Criminals don’t obey the law and there are plenty of backdoor-free open source encryption tools[15] that they will use to protect their illegal data that law abiding citizens would be unable to use if a backdoor law passes.
We can protect our children without the government compromising the security of our personal data. Education of “stranger danger”, and a close relationship with your child that encourages them to share with you goes a lot further than tracking devices, or backdoors. The FBI does a fantastic job at catching pedophiles and that is without the aid of backdoors.
The EARN IT Act
Now that we’ve discussed why backdoors are really open windows, let’s discuss the two bills that prompted me to write this post today.
We’re going to start with the EARN IT Act which is sponsored by Lindsey Graham.
First let’s have a brief overview of what “Section 230” is. Section 230 of U.S. Code 47 is the part of American law that protects companies from liability relating to the content uploaded by their end users/customers.
A simple example would be a slander case. Let’s say Peter is angry at his boss Bill, and uploads a YouTube video making false claims that Bill is a pervert. Without Section 230 Bill could sue both Peter and YouTube for slander. With Section 230 protection, Bill’s case against YouTube would be invalid as it is not responsible for Bill’s actions as long as it removes the unlawful content once pointed out or discovered.
The purpose of this law is to act as a sort of backdoor to get backdoors. This law gates Section 230 protection behind a set of guidelines created by a committee controlled by our very anti-encryption Attorney General[16]. The risk is that this committee will consider end-to-end encryption to be a “bad practice.”
Forcing companies to choose between much needed Section 230 legal protection, and protecting their customers’ data will put them in a very tough spot. People fear that most companies will opt for the legal protection and weaken encryption despite them not being legally obligated to do so.
This bill is an ignorant attempt at obfuscating the true goal of backdoors. Fortunately an amendment was added before it passed the Senate committee which allegedly takes encryption off the table, but the underlying function of this law is still one of malice towards technology and security.
The LAED Act
The LAED Act is truly the more horrifying bill. This bill directly mandates backdoors in products and services. It even goes so far as to create a prize competition for development of the best “good guys only” backdoor. They even left themselves plenty of ways to avoid paying out, which just goes to show you the underhandedness of this bill, its author, and the people co-sponsoring it.
The LAED Act is a direct attack on the privacy and security of Americans’ personal data. Medical records, financial and banking records, as well as anything else that goes on computers or through the internet would eventually be intercepted by criminals who discover these mandated backdoors. Identity theft, and cyber crime will spike to record highs. The American people will suffer, and in return the ease of executing warrants on digital data will be slightly better.
I for one, think the cons far outweigh the benefits.
Personally I think if American tech companies are obligated to build backdoors into their products, we will suffer a major economic loss. Even as an American citizen living in America, I can’t imagine buying technology from a company that I know is forced to include backdoors when secure foreign options are available.
I sincerely doubt the rest of the world will continue using the physical and digital products of American tech companies should these laws come to pass. I know if I was a foreign person or company I would opt for anything else, even if it’s not as good. I’d rather know my data is secure on a U.K. based phone manufacturer’s device, than trust a known backdoored American cell phone manufacturer.
How you can help
Anyone and everyone can help stop this. There are a few easy ways you can help keep these awful bills from seeing the President’s desk.
- The most important thing you can do is call your senator!
Calling is more effective than petitions or writing emails. The effort it takes to call goes a long, long way.
- Donate to the EFF. The EFF and its attorneys do an amazing job of stopping legislation like this from becoming law.
- Spread the word! Share this post[17]. Talk to people about this issue.
I’d just like to say a special thanks to a few folks who helped peer review this blog post for accuracy before posting.
- Bryan Biedenkapp reviewed technical accuracy.
- Tanveer Wahid reviewed technical accuracy.
- Andrew Ahrenstein reviewed spelling and grammar.
Thank you for helping me verify the accuracy of this important message!
[15] I personally use Cryptomator to back up personal financial data securely to a cloud storage vendor. They are a legitimate tool that by no means would support illegal use.
[17] My website has no trackers and no advertising on it. The only thing I gain by asking you to share this post is a larger voice on this important issue.