Mandatory Encryption Backdoors Would Be Ineffective: Study

The introduction of legislation that requires vendors to place backdoors in encryption products would be futile due to the global nature of the encryption marketplace, a new study shows.

In 1999, researchers conducted a global study of more than 800 hardware and software encryption products from 35 countries outside the United States to demonstrate that encryption export controls did not have the desired effect.

Now, with governments demanding backdoors in encryption products to help them solve crimes and fight terrorism, cryptography expert Bruce Schneier and researchers Kathleen Seidel and Saranya Vijayakumar replicated the study to determine whether such a policy would be as effective as authorities believe it to be.

The researchers identified 865 hardware and software encryption products from 55 different countries, including 546 from outside the United States. Of the non-US products, 47 are for encrypting files, 68 for email, 104 for messages, 35 for voice, and 61 for private networking.

While big players like the US, Germany, the UK, Canada and France account for two-thirds of the total number, small countries like Algeria, Belize, the British Virgin Islands, Chile, Cyprus, Estonia, Iraq, Malaysia, Saint Kitts and Nevis, Thailand, and Tanzania all have at least one product.

Of the total number of non-US products, 44 percent are available for free and 34 percent are open source.

The study found that while both domestic and foreign encryption products use strong algorithms, including proprietary ones, some solutions have been described as “jurisdictionally agile,” meaning their source code and services are stored in multiple jurisdictions and the organizations behind them can easily move to countries with more favorable legislation.

The study concluded that the international nature of the encryption marketplace would make mandatory backdoors ineffective.

“Yes, it will catch criminals who are too stupid to realize that their security products have been backdoored or too lazy to switch to an alternative, but those criminals are likely to make all sorts of other mistakes in their security and be catchable anyway,” researchers said. “The smart criminals that any mandatory backdoors are supposed to catch—terrorists, organized crime, and so on—will easily be able to evade those backdoors. Even if a criminal has to use, for example, a US encryption product for communicating with the world at large, it is easy for him to also use a non-US non-backdoored encryption product for communicating with his compatriots.”

The authors of the study have pointed out that they likely haven’t catalogued every encryption product that is available to the public. The list of products will be expanded as the research continues.

While authorities in countries like the United States and the United Kingdom believe encryption backdoors would be beneficial for law enforcement investigations and national security, experts have argued that a backdoor that can be used by governments can also be exploited by criminals and terrorists. The Dutch and French governments agree with experts and have voiced their opposition to encryption backdoors.

In January, UK Home Secretary Theresa May told a joint committee tasked with analyzing the Draft Investigatory Powers Bill that the government doesn’t want backdoors in encryption, but it does want companies to provide authorities unencrypted data when presented with a warrant. These contradictory statements are in line with the conclusions reached by the Parliament’s Intelligence and Security Committee earlier this week, which said the bill is “inconsistent.”

A report published on Thursday by the joint committee also rejected the idea of encryption backdoors.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.