Home / Blogs

Security, Backdoors and Control

“The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control.”Apple letter to customers

Encryption is a way to keep private information private in the digital world. But there are government actors, particularly here in the US, that want access to our private data.

The NSA has been snooping our data for years. Backdoors have been snuck into router encryption code to make it easier to break.

Today at M3AAWG we had a keynote from Kim Zetter, talking about Stuxnet and how it spread well outside the control of the people who created it.

I commend Tim Cook for his stand against the US Government and his insistence on protecting the data of all iPhone users. The feds are strongly arguing the encryption breaking code would only be used for This One Phone. But can we really trust them with our data or believe they wouldn’t use this in another situation? Or as a way to access data that they can’t currently access through the NSA surveillance program?

It’s a little strange for me to be stating this. It feels weird. I grew up in a suburb about 10 miles outside of DC. My father worked as a civil servant for the DoD. My Friends’ dads were diplomats, senate-confirmed federal appointees and secret service agents. A CIA agent lived across the street and I regularly swam in their pool. Generals were regular visitors to our house. My first job out of high school was in a federal regulatory agency. Government wasn’t bad. It was, on the whole, a force for good. Even some of the dumb seeming things ($1000 hammers) weren’t fails, they were reasonable if you understood the context.

Government wasn’t the enemy and generally had a good reason for the things they did.

Now I’m not as sure as I was then. The government has done some things I don’t really understand. And even when I try and put them in the context of the environment I grew up I still don’t think it’s a good thing. Pervasive monitoring is bad and I don’t think our digital property should be any less secure than our physical property.

I understand and can even sympathize with why the FBI is asking for what they want. But I also support Tim Cook and his efforts to protect all iPhone users. Maybe the FBI would only use the code for this phone. But what about other governments? What about other players in the space? If Apple provides this for the US government, what’s to prevent other governments from getting their hands on it? If the RSA can be hacked and have their root keys stolen then we’re all vulnerable. Apple had one of the iPhone 4 prototypes stolen out of a bar.

If you leave a backdoor unlocked anyone can use it. Putting backdoors in code, sharing keys and creating software to allow one person to compromise security only makes all of us less secure. Stuxnet tells us that malicious software spreads further than we expect and once it exists it can easily escape any control.

By Laura Atkins, Founding partner of anti-spam consultancy & software firm Word to the Wise

Filed Under

Comments

Is there anybody trustable out there? Alessandro Vesely  –  Feb 24, 2016 3:34 PM

The key difference, so to speak, is between managing one’s own private keys and being forced to trust somebody else.  Tim Cook seems to be able to grant the right to decrypt any iPhone to anyone he likes.  Why would users trust him rather than US Government?

Users don’t care because they haven’t had the time to understand crypto stuff.  Some hold that you can’t expect users to be the primary security managers of their own accounts.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

New TLDs

Sponsored byRadix

Domain Names

Sponsored byVerisign

Cybersecurity

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Brand Protection

Sponsored byCSC

DNS

Sponsored byDNIB.com

Threat Intelligence

Sponsored byWhoisXML API