IEEE joins the ranks of non-backdoored strong cryptography defenders

'Exceptional access' is a really bad idea, says standards-setter, but one-off malware is cool


The Institute of Electrical and Electronics Engineers (IEEE) has joined the ranks of objectors to proposed law enforcement measures that would compromise access to strong cryptography.

The august engineering body went beyond merely opposing the popular understanding of what constitutes a “backdoor”, instead framing its opposition in terms of the broader expression “exceptional access mechanisms”.

According to the statement the Institute issued this week, its reasoning is:

  • “Exceptional access mechanisms” weaken systems and embed vulnerabilities, creating risk for end users;
  • Such mechanisms don't stop bad actors from using strong encryption, either created specifically for them, or obtained from countries that don't require access mechanisms;
  • Busting crypto would hamper companies' ability to compete globally; and
  • “Efforts to constrain strong encryption or introduce key escrow schemes into consumer products can have long-term negative effects on the privacy, security and civil liberties of the citizens so regulated.”

The IEEE does, however, acknowledge law enforcement requirements, and accepts that cleartext data on corporate servers should be available under warrant.

Likewise, and possibly controversially, the Institute listed “targeted exploits on individual machines” among the options it feels should be available to law enforcement, along with the less-worrying “forensic analysis of suspected computers, and compelling suspects to reveal keys or passwords.”

While none of this represents new thinking, it puts the IEEE firmly alongside individuals and organisations who have also criticised the idea that cryptography can be undermined without putting people at risk, en masse.

Most notably, Stanford professor Martin Hellman, of Diffie-Hellman fame, who helped invent the foundations of today's crypto systems; Columbia professor and USENET co-creator Steve Bellovin; top cryptographer Paul Kocher; and information security guru Bruce Schneier panned the FBI's repeated assertions that there's a crypto magic bullet.

Meanwhile, with much less fuss, Internet engineers have talked far less, issuing RFC 7258 and stating that “Pervasive Monitoring is an Attack”. That document has informed dozens of drafts and RFCs since, most designed to eventually make strong crypto ubiquitous. ®
