Congressional Encryption Working Group says encryption backdoors are near unworkable
The Congressional Encryption Working Group (EWG) was set up in the wake of the Apple vs FBI case in which the FBI wanted to gain access to the encrypted contents of a shooter's iPhone. The group has just published its end-of-year report summarizing months of meetings, analysis and debate.
The report makes four key observations, starting off with: "Any measure that weakens encryption works against the national interest". This is certainly not a new argument against encryption backdoors for the likes of the FBI, but it is an important one. The EWG goes on to urge Congress not to do anything to weaken encryption.
The group says: "Congress should not weaken this vital technology because doing so works against the national interest. However, it should not ignore and must address the legitimate concerns of the law enforcement and intelligence communities". To overcome situations such as the one that arose in the case of the San Bernardino iPhone, one suggestion is that there should be greater collaboration between technology companies and law enforcement. This sounds like a simple solution, but it has privacy implications, which Apple raised at the time of the case.
The report recognizes that the issue of encryption is a complex one:
Cryptography experts and information security professionals believe that it is exceedingly difficult and impractical, if not impossible, to devise and implement a system that gives law enforcement exceptional access to encrypted data without also compromising security against hackers, industrial spies, and other malicious actors. Further, requiring exceptional access to encrypted data would, by definition, prohibit some encryption design best practices, such as "forward secrecy," from being implemented.
The group acknowledges that there are different laws in place around the world. This is another reason that backdoors would prove unworkable. As the report says:
Law enforcement stakeholders acknowledged to the EWG that a Congressional mandate with respect to encryption -- requiring companies to maintain exceptional access to data for law enforcement agencies, for example -- would apply only to companies within the United States. The consequences for such a policy may be profound, but they are not likely to prevent bad actors from using encryption.
Representatives of various private companies told the EWG that a mandate compromising encryption in the US technology sector would simply shift consumers to products offered by foreign companies.
The lack of a "one-size-fits-all solution to the encryption challenge" is cited as another stumbling block for consideration.
The full report is available to view online.