Cryptography Weakening: A Tale of the Law-abiding Criminal

The EU Council says backdoor and security are compatible. The idea is fundamentally flawed.

This is not the first and probably not the last time that the right to privacy and the fight against crime and terrorism are facing each other in the world political arena. Various means of encryption play an important role in both.

The Council of the European Union has published a draft declaration on encryption that has been examined by Statewatch; a non-profit-making voluntary group that supports the publication of investigative journalism and critical research in Europe in the fields of the state, justice and home affairs, civil liberties, accountability and openness. Based on the content of the document, the European Union is preparing to adopt regulations that would allow law enforcement agencies access to material encrypted by criminal groups. The United States, during the Trump era, also moved in this direction and the new presidential administration does not seem to indicate any change in stance with regards to this topic. However, the goal is undeniably positive so why are both big technology and advocacy organizations protesting? The answer is so simple: you cannot have your cake and eat it.

The fundamentals of the encryption algorithms used in information technology are exactly the same as those of secrecy and confidentiality in everyday life. What only one person knows is a secret, what more than one person knows is no longer a secret. So, if someone has a way to access data that has been intentionally hidden from outsiders by IT tools by weakening the encryption process or installing backdoors, the secret will cease to be a secret. Access to secrecy can, of course, be of serious public interest; for example, in the fight against terrorism, cybercrime or the spread of child pornography but we must definitely ask the following questions: to what extent can weakening encryption serve the purposes of the fight against terrorism and other criminals? Should we pay, and if so, what price to achieve that goal? Are the two proportional to each other, i.e. is privacy or terrorism threatened more by weakening encryption? Do we not already have the tools to deal effectively with the problem on either the technological or legal front?

Before answering the questions, it must be stated: the European Union’s draft, which has now been revealed, although it emphasizes the importance of strong encryption methods, it is, however, difficult to put into practice without weakening encryption. This is because end-to-end encryption software such as Signal that has been recommended by Elon Musk, or Telegram provides messages unencrypted at only the two endpoints whilst data is transmitted encrypted over the Internet.

Let’s see what methods can be used to weaken encryption and what practical consequences would be. The methodological part is not accidentally unclear in the EU draft. This is explained, on the one hand, by the fact that the Council is currently only in the process of drafting the directive. On the other hand, the history of cryptography so far has basically been about strengthening encryption rather than weakening it. However, two directions are certainly conceivable.

One possible solution is that we get to the point, through some deliberate weakening of the cryptographic algorithms, where encryption becomes fragile for certain organizations. The situation is very similar to the story of Achilles; one of the best-known figures in ancient Greek mythology. Anyone who knows the weak point of the algorithm can overcome it - in this case, to break it. Well of course, this is not necessarily true as the extent of weakening and weakness may be so small that it can only be exploited with a significant amount of resources that may be available to only one state body. An important difference from the example is the fact that, unlike Achilles, we are aware of the weak point in this case so we can prepare a defence.

The other possible solution is to use a kind of master key which carries a significantly higher risk than the previous solution as it would be able to decrypt encrypted data even with modest resources. If these keys are compromised, it is not required to possess nation-state level technical or financial conditions for encryption, so the consequences are unthinkable. Using backdoor techniques is the same problem: if unauthorized people access the backdoor, they can also decrypt our encrypted content easily.

Whichever method we choose, it is certain that we will put a very serious target in the hands of criminal groups, terrorists or even secret services because if they have the information on how to break our encryption initially, they may secondarily definitely be capable of breaking the encryption. Therefore, it is in their primary interest to obtain this information. It is just a question of political conviction as to which countries’ services we are envisioning as they are fighting with each other to gain access to the data of European Union citizens.

The quest to find the weaknesses of encryption algorithms exists completely independent of the current EU legislative idea. This is because the history of cryptography is also the history of searching for the Achilles heel of the algorithms used. Whoever was ever interested in the secrets of others searched for the weak points and then, after finding them, tried to keep them a secret, for he could only abuse them as long as he knew about them. On the other hand, not only the disclosure of the secrets of others, but also the intention to keep secrets can guide the search for weaknesses in the methods used as by drawing attention to potential problems, the quality of encryption can be constant over time.

The Law-abiding Criminal Problem

The weakening of encryption algorithms, even if it ever materializes, does not mean that previous methods, which cannot be deciphered by public bodies, will disappear from the world. Both the math toolkit and the software used stay with us. Legislators are clearly in a position to outlaw these previous encryption algorithms - which cannot be deciphered by anyone - and to punish their use but it is doubtful as to whether this will have a deterrent effect; among perhaps law-abiding citizens who can be held accountable through state bodies. But it would be absolute naivety to think that members of a group preparing to commit a terrorist act would be deterred by legislation which exposes them using encryption that cannot be deciphered by bodies seeking them.

Encryption tools that are free and easy for anyone to use and the infrastructure that they provide can cause extremely low entry thresholds for a wide variety of criminal groups into the world of messaging which cannot be eavesdropped. However, it would not be wise to underestimate the preparedness of either individual criminal groups or intelligence services in this area. By raising the entry threshold, citizens who want to protect their privacy would certainly be excluded at an earlier stage from the usage of effective cryptographic tools in contrast to slightly more prepared organizations and criminal groups. The source code of a significant part of the software that implements encryption is freely available so they do not need to be re-developed in the event of a possible ban; only the existing ones should be improved which undoubtedly requires some expertise but it is far from impossible.

Of course, it is also conceivable that the use of these applications will be restricted by law and that ISPs are required to filter out this type of traffic. However, the feasibility of this is highly doubtful. If this were technically easy to do, the spread of viruses, spam, and any type of illegal content on computer networks would also be easily prevented. As a counterexample, many cite the Chinese Golden Shield Project (or Great Firewall) which can prevent citizens from accessing content that the state deems undesirable. And here comes the catch-22: the firewall can be bypassed, but there are only a few who dare to risk the serious consequences. However, due to the few attempts, the bypass methods are relatively easy to recognize so the only way to reserve the right to use strong encryption algorithms is to use strong encryption algorithms en masse, independent from the fact that an individual is in need of them or not.

In Europe, encryption is unlikely to be banned in general. At most, certain algorithms will not be allowed - particularly the ones that will not be able to be decrypted by the Union’s institutions so they will be filtered out of internet traffic. It should be noted that this is a much more difficult and resource-intensive task than what China is doing. Of course, the right regulatory framework can marginalize the use of encrypted communications, especially if the confidence in their effectiveness would be shaken. And then we return to the subject of China because if there is little encrypted traffic, all of its participants can be observed.

Certainty of Uncertainty

If you were aware that there is a process by which your encrypted documents, photos, videos, conversations, health or other personal information can be decrypted, you will have to face very serious uncertainties or at least, serious risks. The most obvious question would be: who will have the right, and under what conditions, to have access to my data that I believed to be private and intended to be private? The fight against crime needs fast reaction times, meaning that a decision on the declassification and decommissioning of a secret must be made quickly which naturally increases the probability of mistakes, so it can be guaranteed that there will be cases where people’s private data is disclosed, even to a limited extent, which should not have been. What about this information? How long will it be kept, where and under what circumstances?

The possibility of intentionality must also be taken into account. For an official who has much wider access to private data than before, how much easier will it be for an official to be compromised? Would a citizen be informed about access to the data or would it be hidden from that citizen? For what reason and for how long would it be possible to obtain such data? Many difficult-to-answer questions, even if we are thinking in the context of a well-functioning rule of law. Even though the questions are hard to answer, there is no reason not to look for answers and these are just the doubts but there are also serious risks. In the case of a poorly functioning rule of law and/or a state organization or society burdened with corruption, we have to reckon with the damage caused by mistakes and possible intentional abuses. However, one case or another is not necessarily serious but the multiplicity of them and thereby the losses in the entire society may be significant. It must be kept in mind that the method itself can fall into the wrong hands, not only outside the Union, but also within it and can be utilized by politicians. The _interception of _Angela Merkel may have been in the interest of not only the NSA but also of certain groups within the Union.

It is also an open question as to how such legislation can and should be applied to people, companies and other organizations that are prioritized for whatever reason. Anyway, if these measures do not cover private bodies and companies equally, that may mean that we leave a loophole for criminal groups and citizens could justifiably argue the point of why companies, organizations or groups of people have an advantage over others in this regard. Of course, there may be ideologies for this and even realistic reasons. We can say that trade secrets have an advantage over private secrets because the former can have a much greater impact. A company can be seen as a concentration of economic power. On one hand, it means that revealing its secrets has a greater impact on the community as that of a particular citizen. On the other hand, the analogy can be further extended. There can also be a significant concentration of power in case of an individual citizen. For example, political or media power, which can have a strong impact on public life. It is no coincidence that certain tasks can only be performed after some level of screening or clearance, the basic purpose of which is to clarify a person’s compromise assessment. The subject of such due diligence is essentially voluntary and although they share their secrets, it is known exactly with who and for what purpose they are doing it. If we give up the principle of volunteering, favoring or disadvantaging individual groups can easily become a political issue, generate social contradictions and mistrust of the measure and discredit the goal.

Risk on Back of Risk

From the aforementioned, it is assumed that the cryptographic algorithms should be intentionally weakened. However, the proposal in question states the importance of string cryptographic algorithms. Obviously, the weakening could not only be exploited by the Union or its bodies, but also by all parties who have the appropriate information on the methodology. Access to these methodologies must be verified in the strictest possible way for very understandable reasons but it must also be mentioned that the intention to acquire them would be certainly strong by criminals and agencies, as the private information of EU citizens could be obtained by them.

If the European Union takes such a measure without consulting its economic and political competitors and they do not take similar measures at almost the same time, the EU is going to be at a disadvantage. It immediately becomes a target and makes its own citizens a target as the Union would be the only place where encryption algorithms can be cracked in the possession of the appropriate information. This will obviously encourage the enemies of the Union, including terrorist organizations, to obtain this information. So while conceived in the spirit of fighting terrorism, it would actually give potential latitude to terrorism.

It is a very serious task to store the information needed to crack encryption (be it master keys, backdoors or other technologies) and to protect access to them. This is because access to the Internet should be provided and without it, the system would be very cumbersome to use and there would be long turnaround time which jeopardizes the original purpose. It is almost irrelevant whether or not a central repository be available to EU members or the members would operate the repositories per state; it would need dozens of repositories that would be exposed to a series of cyber-attacks. EU members would certainly have the right and the possibility to share the information obtained with parties who may be considered a friend of the EU in the international political arena but it is far from certain that it is a friend at the level of the individual. Of course, surveillance is still possible for individual states, even with intelligence tools, against which, for example, we can defend ourselves with appropriate encryption tools within certain limits. It is very important that the widespread use of encryption raises the cost of monitoring to an individual so high that it becomes inapplicable to the masses.

Limitations of Feasibility

The naive legislative idea that it is enough to ban something by the force of law and it will disappear immediately faces serious challenges at this point. It is regarding the idea that neither the weakening of encryption nor the installation of backdoors can be achieved without the support of the technology sector but the European Union’s coercive force is the least here.

The number of software used for different encryption reaches the order of one hundred. There are both free and commercial, open and closed source products. It seems to be very difficult for organizations outside the jurisdiction of the European Union to put pressure on developers to open backdoors to EU offices or to support weakened cryptographic algorithms. The developers of open source software do not seem so influential as their original goal is clearly the opposite of that of the EU. In addition to all this, most of the developers are individuals - even EU citizens - so the projects are international. Therefore, the EU can potentially hold little sway over the operation of those projects.

The software itself, which provides strong, reliable and irreversible encryption, will not disappear just because its use may be banned by the EU in certain circumstances. Anyway this would not be the first attempt to deliberately weaken encryption algorithms. Almost 30 years ago, the U.S. restricted the export of strong cryptographic algorithms. As a result, support has become mandatory for a number of algorithms in U.S. agencies whose credibility was questioned in the middle of the last decade. In 2015, researchers identified two vulnerabilities (FREAK, Logjam, in which export restrictions also affected weakened encryption algorithms. Logjam has mostly affected U.S. government offices, so in the more than 20 years’ since export restrictions of strong encryption algorithms were introduced, the vulnerabilities struck back at just the ones who introduced the restrictions as everyone else has long been out of these algorithms because of their known weaknesses.

What the EU can achieve at best is banning the use of non-cooperative solutions. But as we know, every law is worth as much as it can be obeyed and enforced. Even if the EU were to match the major operating system vendors and distributors and would permit the downloading of legal versions of applications offering encryption that could be accessed on respective app stores by citizens of the EU, it would be a complete solution but there are alternative app stores, such as F-Droid that provide free and open source Android applications, completely vendor-independent Android distributions, such as LineageOS and several desktop Linux distributions which can hardly be legally restricted by the EU so there would be little choice left to put the provisions into practice. But recognizing and blocking the traffic generated by such software ushers us towards the Great European Firewall which, with some irony, could be named after the Chinese one to Aegis, shield of Zeus.

Those Who Have no Secrets …

It used to be said that those who have nothing to hide from the state do not have to worry about state measures. For example, in totalitarian regimes. It must be stated that privacy is not about secrets but about the right to keep your private life confidential. If there is nothing illegal or reprehensible in what and how you go about your life, it does not necessarily mean that you want to share details with anybody. This is privacy.

It is a question of who and how actual constraints impact us as per planned action by the EU. Does terrorism, in connection with similar plans, come up from time to time? Hardly. Or perhaps the criminal groups who have disregarded the law so far – do they often enter public discourse? Doubtful. As discussed above, there are a number of solutions to circumvent such legislation; some that have been challenged by states in the past. Despite authorities making every effort to target Tor and the Dark Web, they are still part of the Internet today. Although GDPR regulation has forced the law-abiding part of the IT world to make a serious effort, it has not brought the expected positive impact.

Weakening encryption or incorporating a backdoor is nothing more than a nonsense attempt to solve serious social problems. It’s like selling blunt knives only in household stores because with sharp knives, people can harm themselves or others. Caution is important but in this case, it may dissimulate great naivety or, even worse, fanciful naivety. Reducing the effectiveness of encryption tools causes obvious disadvantages to law-abiding citizens while with criminal groups and their intentions, it has no significant effect. The unchanged intent to encrypt data will create new and powerful tools that achieve that goal.

Updated: