Clipper Chip Redux: Security, eavesdropping and the question of privacy

Not a lot of people remember the Clipper Chip controversy of 1997, but something similar is occurring today. The US government would like to require tech companies to provide a “backdoor” to their customer’s encrypted data, while a recent report by computer security pioneers claims that it would be unwise to provide such exceptional access because, among other things, it would increase technical vulnerabilities and “undo progress on security at a time when Internet vulnerabilities are causing extreme economic harm.”

Government officials, such as the director of the FBI, James Comey Jr., worry that end-to-end encryption prevents the government from being able to effectively investigate crime and terrorism. They believe that there must be a balance between the “right to privacy” and the “needs of law enforcement.”

The elite group of security researchers, including some that contributed to the 1997 report that analyzed the Clipper Chip proposal of the Clinton administration, believes that providing governments with special access to user data is a bad idea for a number of reasons.

The trouble with backdoors

The government itself is the victim of data breaches. If the government stores the special backdoor encryption keys, those keys are then vulnerable to theft and abuse. Keeping the keys safe would be a major headache, and key theft would be inevitable. Unlike the private sector, the government does not have to suffer the loss of customers and legal trouble that result from a data breach.

More and more critical infrastructure, including banking, nuclear reactors, and cars, are controlled by our networked infrastructure. A recent Wired article demonstrated that a new Jeep could be hacked and controlled remotely! Thus, a government-mandated backdoor provides a tempting target to hackers, foreign governments, and rogue employees of the NSA or other agencies.

Providing governments with exceptional access to encrypted communications would also have unknown but real economic costs, according to the researchers. Tech companies might lose customers, or be forced to stay out of markets. Companies in the USA might lose business to foreign companies that do not have to provide backdoor access. But the main risk is simply lack of privacy: anything that “dumbs down” data security is going to expose user data to more breaches, data theft, financial losses and identity theft.

The outcome of the debate is still unknown. If the USA mandates a backdoor, it is likely that many other governments around the world will mandate the same access. That would be a zero-sum game. Bruce Schneier, cryptographer, computer security and privacy specialist, and the author of several books on security topics writes:

If there’s a debate that sums up post-9/11 politics, it’s security versus privacy. Which is more important? How much privacy are you willing to give up for security? Can we even afford privacy in this age of insecurity? Security versus privacy: It’s the battle of the century.

One could even argue that a government backdoor would undermine security: particularly if the government itself is the bad actor. For example, if a whistleblower wanted to expose government corruption, he or she would be at risk until government misconduct could be made public.

Download The Guide to Modern Endpoint Backup and Data Visibility to learn more about selecting a modern endpoint backup solution in a dangerous world.

Code42_Guide_to_Modern_Endpoint_Backup_Banner


Leave a Reply

Your email address will not be published. Required fields are marked *

*