200 experts line up to tell governments to get stuffed over encryption

No laws, policies or secret agreements with companies, urge crypto-eggheads

A group of 200 experts have urged the world's governments not to introduce backdoors into encryption products in an open letter posted Monday.

The group, which includes Amnesty International, Human Rights Watch, the Electronic Frontier Foundation (EFF), the American Civil Liberties Union (ACLU) and CloudFlare among many others, formed as the debate about encryption has intensified. The Obama Administration met tech giants in Silicon Valley last week in an effort to find a compromise, and the UK government is trying to pass legislation that would give security services access to encrypted data.

The letter addresses itself to "the leaders of the world's governments" and urges them to support encryption as a way to "protect the security of your citizens, your economy, and your government."

Echoing sentiments expressed by the Dutch government in a formal position on encryption that was published last week, the group notes that "economic growth in the digital age is powered by the ability to trust and authenticate our interactions and communicate and conduct business securely, both within and across borders."

As such, it argues that all governments should "reject laws, policies, or other mandates or practices, including secret agreements with companies, that limit access to or undermine encryption and other secure communications tools and technologies."

The letter, which was posted on a new campaign website at SecureTheInternet.org, ends with a five-point argument that government should:

  • Not limit access to encryption
  • Not mandate backdoors
  • Not require that third parties have access to encryption keys
  • Not try to weaken encryption standards
  • Not pressure companies into breaking any of the previous four points

While the list is odd in that it appears to make the same point repeatedly, the reality is that US politicians and law enforcement agencies have recently been pushing tech companies such as Apple, Google and Microsoft to create systems by which the security services can access information sent through their products and services, but have been very careful to avoid using the term "backdoor."

Apple CEO Tim Cook has been particularly vocal about the fact that introducing any backdoor into an encryption product means that it will be accessible by others. Even the law enforcement officials who want to access encrypted data have used the term "magical thinking" to describe imagining any other scenario.

When is a backdoor not a backdoor?

The Obama Administration also recently ruled out any possibility of legislation passing through Congress that would mandate government access.

That has led to a curious formulation from politicians about the need for the "best minds" to come together and develop a system that works. Or, in other words, to create a backdoor of some kind that doesn't have to be called a backdoor. The wording of the letter is intended to cover all possible scenarios.

The encryption debate itself kicked off shortly after Edward Snowden revealed the extent to which the US security services were spying on internet communications, even tapping the networks and data centers of large tech companies like Google without informing them.

In one specific response that really set the ball rolling, Apple changed the way it carried out encryption on its iPhone so that users were in control of the system and it was simply not possible for the company to decrypt messages, even if it were presented with a legal warrant.

That put law enforcement on edge, and there has been a huge pushback in the hope that it can be stopped before it becomes the default approach for tech companies.

In the meantime, those who want access to encrypted communications, including most notably US presidential candidates, have been using the gun attacks in Paris and San Bernardino to argue the case for access, even though there is no evidence that encryption played a role in those attacks.

The groups behind the open letter are encouraging others to sign it – something that it appears many people online are hoping to do: the website fell over earlier today due to demand. ®
