Would you feel more or less safe if there was a ‘back door’ into your personal data?
Imagine the situation: you are at home one day minding your own business when there is a knock at the door. It’s the Police. Immediately your heart races as you rapidly imagine all the scenarios as to why they need to talk to you. You have nothing to worry about; they are just calling in to collect a spare set of keys to your house, just in case at some point in the future they need to let themselves in to investigate a crime that you may, or may not, have committed.
How would you feel about that? Would you hand them over? Of course not. Who would? This scenario will, of course, never happen in the physical world, but in the cyber world the concept of being compelled by law to leave ‘back doors’ in encryption technologies is being openly discussed.
The best-known case of this was during 2015-2016, when Apple point-blank refused to assist the FBI in investigating the iPhone of an individual who committed a terrorist attack in San Bernardino, California, that killed 14 people and injured 22. The iPhone had been locked with a 4-digit password and would erase all its data after ten failed attempts to access it. The FBI wanted to compel Apple to write new software that would let the Government bypass iPhone security and unlock the phones, meaning that they would have a permanent ‘back door’ into the devices.
Apple stated that they did not have and would not develop such functionality. The case moved to court but was delayed and then dropped after the FBI found a third party who could assist in unlocking the iPhone.
To clarify and publicise its position on ‘back doors’, Apple publicly states on its website: “We also refuse to add a backdoor into any of our products because that undermines the protections we’ve built in”.
But it is a dilemma. Would you be more, or less inclined to purchase a phone, or some software, that has a ‘back door’ in it? I’m in the less inclined category and here’s why.
If Apple, or some other technology provider, did provide a ‘back door’ for the FBI, then they would have to do it for the UK Police Service, the French, the Germans, the Japanese; in fact, they would have to do it for all the law enforcement agencies that operate locally in any country or territory where they sell their products.
That many agencies in that many countries all having access to one technical ‘back door’ would inevitably lead to its details being leaked onto the internet and directly into the hands of the hacker community and the wider cyber-crime world.
IT vendors of all flavours are tightening up security, adding encryption technologies and resolving vulnerabilities. In many cases they no longer issue details on exactly what has been fixed in a security patch. Why? Because if you announce what you have fixed, then in effect you have told the cyber criminals how to compromise previous software versions. In order to keep their customers, IT vendors want to provide the most secure product they can: no vulnerabilities and definitely no ‘back doors’.
However, I do have great sympathy for the law enforcement profession as technology is finding its way into more and more crimes. Not just cyber-crimes, but like the case in America, where technology is used to research and plan crimes. The electronic evidence contained within these devices could be the detail needed to secure a conviction.
That said, the crime statistics for England and Wales published by the Office for National Statistics (ONS) in September 2016 state that there are 70 reported crimes per 1000 people, and that’s for the full range of crimes from the most heinous to the petty. This means that 7% of the population were affected by crime in that period, leaving 93% ‘crime free’. Now, it’s impossible to determine from the figures what role technology played in some, all or none of those crimes, but common sense would suggest that it is lower than 7%. So, with that in mind, it would be a very tough sell to the public, by either the IT vendors or the law enforcement agencies, that such ‘back doors’ are a good idea, as they could theoretically make the 93% more vulnerable to crime!
We are at an impasse. The IT vendors will want to protect their customers’ data, respect their privacy and do their level best to inhibit cyber-crime, but conversely the law enforcement profession needs to gather evidence, physical or digital, when investigating a crime. This is a moral, legal and technical Venn diagram where nothing obviously intersects to give a plausible solution.
For the time being ‘back doors’ remain firmly locked, regardless of who comes knocking on them.