• Comey Island

    Posted on July 12, 2015 by Lee Whitfield in Methodologies & Best Practices.

    FBI director, James Comey has recently been testifying before various Senate committees that encryption should be significantly weakened so that we can battle terrorist threats. Well, that isn’t exactly what he’s saying, at least not according to him, it just happens to be the eventual outcome of what he’s asking.

    Across the Atlantic the UK Prime Minister has made similar recommendations. So, with both the British Prime Minister and the FBI director both harping on about this topic it must be a good thing, right?

    The continued threat of ISIS has made a lot of people paranoid, to the point that Comey has told these committees that either vendors that create encryption products should voluntarily provide a backdoor to their products or their should be legislation that forces then to do so.

    Cryptographers around the world have widely condemned this course of action. Why? Because putting a backdoor in secure software and hardware means that they are no longer secure! We already have enough of a hard time keeping bad guys from infiltrating our most secure networks, why would we want to make their lives easier?

    What Comey is suggesting is akin to someone leaving a key under the door mat. In fact, it is even worse because if legislation is passed forcing companies to do this then everyone around the world will know that any security product bought or sold in the USA will have such a backdoor. This causes two problems:

    Knowing that such a backdoor exists will cause thousands or people to find and exploit that backdoor, and the American technology business is going to wither and crumble.

    This last comment seems to be a little sensationalist, don’t you agree? Well I don’t. When you have security products from other countries that do not have a legal mandate to create these encryption backdoors, what’s going to happen? Well, people stop buying and using American products. They won’t want any of the associated risk of having a hidden backdoor that they won’t be able to close and/or patch. As a result they’ll buy their products from other countries; trusted countries.

    There’s more! What about regular companies? They’ll be forced to adopt software and hardware that is significantly less secure than their competitors in other countries. So, if I have a big contract to award, where am I going to go? Am I going to go the the American company that has security backdoors or am I going to award it to the German company that isn’t forces to adopt such practices?

    The USA already has enough problems with the theft of data. Even the government isn’t immune. Are you down with OPM? When you can’t keep 1 in 15 Americans’ personal data safe, what hope do you have of keeping these backdoors a secret?

    Finally, the legislation is one thing, but believing that American companies will do this voluntarily is just this side of insane. I can imagine that everyone is climbing over each other to be the first to say “Me! Me! I’ll do it!” Comey talks about incentives but the only incentive to do this is to end up going out of business. Last year when it was revealed that RSA had helped the US government implement soft encryption algorithms in their products by default there was uproar! People abandoned RSA products. RSA conference speakers pulled out and rounded on the company. RSA’s reputation, if it is indeed salvageable, will take years to recover and win back the respect of their customers. Why? Because people don’t want broken products.

    Encryption is used in almost everything these days. Online services use it, your WiFi network uses it, your car may even use it. Not only is this a monumental task to create these backdoors, assuming that they can be done, but it has huge potential for disaster.

    James Comey and David Cameron should go find a desert island and leave the rest of the human race alone.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.