There is no such thing as a ‘safe backdoor’ in encryption

Most Americans don’t consider the significant role encryption plays in our everyday lives.

Want to send your text messages and emails privately? Encryption makes it possible. Need to transfer money to a relative through online banking? Encryption. Looking to pay your credit card bill online? Well, you get the point.

{mosads}But some federal officials are now pressuring tech companies to create so-called “backdoors” that allow law enforcement to work around encrypted devices. These backdoors would grant them access to Americans’ personal data through a supposedly secure channel.

In theory, a backdoor would be available only to the government and law enforcement agencies. But technology experts warn that tech companies cannot build a backdoor that would guarantee only law-abiding officials have access. If you create a way in, somebody you don’t want to get in will find it.

The bipartisan Secure Data Act would protect the most intimate communications of everyday Americans by barring federal agencies or courts from forcing tech companies to build backdoors into encrypted devices or services.

It is a straightforward, two-page bill safeguarding the Americans who use encrypted services every day. In addition to retroactively protecting manufacturers, developers, and sellers of encrypted products from having to build encryption backdoors in their products, it also forbids the physical search of those products by any agency, unless authorized under the Communications Assistance for Law Enforcement Act.

Earlier this year, FBI Director Christopher Wray called the Bureau’s inability to access private information on cellphones and other devices through backdoors an “urgent public safety issue.”

But lost in that rhetoric are the consequences associated with jeopardizing encrypted services and devices.

Consider this analogy. You are the parent of a seven-year-old mischief-maker. You tell the child, “I’m leaving the house for an hour. There is a bag of candy hidden somewhere, but don’t look for it because it’s so well hidden you cannot ever find it.”

Of course, the child is going to do exactly what you expect and search for the candy. The same principle applies to creating a backdoor for the government in encryption. When bad actors are told there’s a government-mandated backdoor, they’re going to search for it if they know it exists. Even if it’s just to prove they could find the impossible only for bragging rights. Eventually, someone will find it. And once that door is open, it’s almost impossible to close it. 

In the days following the horrific terrorist attack at an office building in San Bernardino, Calif., the FBI attempted to force Apple to unlock the iPhone of one of the shooters. Apple refused, arguing that creating such a loophole would endanger the data of innocent users across the globe.

Ultimately, the FBI was able to access one of the San Bernardino shooter’s devices without forcing Apple to build a backdoor. But many tech experts claim the FBI’s motivation in the Apple case was to set a “legal precedent,” granting the agency the power to coerce companies into weakening their encryption. Fortunately, they were unsuccessful. But the Bureau will likely raise this challenge again following a future incident.

Since San Bernardino, the U.S. Department of Justice has repeatedly called for “responsible encryption” to break encryption on devices. Without legislation like the Secure Data Act protecting the rights of tech companies to create fully encrypted services, the Department of Justice could soon have its way.

And that’s why Americans for Prosperity is urging Congress to pass the Secure Data Act to protect Americans from backdoors that would have unintended – perhaps disastrous – consequences. In an age where data privacy is constantly in jeopardy, passing legislation that protects encrypted services would be a significant step to safeguard the privacy and security of every American.

David Barnes is a policy manager at Americans for Prosperity.