As debates about privacy versus encryption rage on, with the US, UK, and France on one side and Germany and the Netherlands on the other, Bruce Schneier, Kathleen Seidel, and Saranya Vijayakumar decided to take a look at the encryption products market and replicate a study conducted in 1999. The purpose of the recently released study was to understand where in the world encryption products are made and sold today. The researchers found that the highest number of products identified (865 in total) were developed in the US (about one-third of the total), followed by Germany and the UK. Many smaller countries, like Estonia, Algeria, and Tanzania, were also represented.
Why does this matter?
The NSA has been arguing that a backdoor for unencrypting private data is needed so they can hunt down and stop the bad guys. Backdoors, they claim, will speed the process of accessing pertinent information about suspected terrorist plots and cyber attacks. These backdoors, theoretically, will be attainable by law enforcement and will not impact the average, law-abiding citizens’ privacy. The backdoors will be included in the same products used to protect your grandmother’s tablet on which she does crossword puzzles and your kids’ LeapFrog, but the government won’t bother with that information. That’s not what they’re after so most consumers can rest easy. The backdoor is there to catch criminals and if you’re not one, it’s all good.
Plenty of US citizens know the history of government spying in the name of “national security,” and the security community, more than any other, understands that “backdoors” are rarely (if ever) kept a secret. Cryptography experts and even a former Director of the NSA have warned that one backdoor is like any other backdoor; if it can be opened by one person, it can opened by many people, not all with the same intent. In other words, if the NSA and GCHQ can open the backdoor, so can cyber criminals.
A vulnerability by any other name…
A backdoor is a vulnerability like any other; it’s exploitable. While France, the US, and the UK are pushing hard for legally mandated backdoors, as the study illustrates, plenty of other countries are developing and selling encryption products today. This is important: if a certain country mandates that all encryption products sold in that jurisdiction include a backdoor, a consumer—be it a large enterprise or individual person—can buy a different product that’s been developed and is sold in another country. Unlike back in 1999, massive globalization and the accessibility of the Internet has made it relatively easy to purchase a product or service from anywhere in the world. Further, no evidence to support the overall superiority of one country's encryption products exists. Even though the US and UK currently lead in terms of encryption product production right now, Germany is not far behind. Should certain countries forge ahead with these laws, it would not be out of the question for some multinational organizations to beef up operations in countries not subject to backdoor laws. It’s possible we would see more products start to emerge from those countries as a result of a law, meaning more competition and potential revenue or job loss in places where the laws exist. “Some encryption products are jurisdictionally agile. They have source code stored in multiple jurisdictions simultaneously, or their services are offered from servers in multiple jurisdictions. Some organizations can change jurisdictions, effectively moving to countries with more favorable laws,” says the Schneier/Seidel/Vijayakumar report.
Companies concerned with the security and privacy of their data will have more options. It’s the uninformed consumer, or companies who can’t or won’t invest in new solutions, that will be most affected. Criminals—at least the ones the government is after—are paying attention and won’t be impacted in the way the NSA is trying to claim. Mandated backdoors just mean that business moves elsewhere, and we all know that cybercrime is big business.
Easy as pie
There are other aspects to the encryption debate that are not necessarily within the scope of this post but worth mentioning: encryption is not impossible to crack, quite a lot of data loss occurs due to failure to encrypt (hello, OPM! Oh, you are part of the US government), and mistakes are made during development lifecycles that render products vulnerable. Even without backdoors, theft or access to private/sensitive data will occur.
Why make it even easier? Why risk the chance of moving business to geographies whose lawmakers are staunch defenders of privacy? Even taking privacy out of the equation, I don’t believe that many people would agree that the instances of data breaches and data theft are decreasing. Backdoors make exploit easier, and those that care (or know, on the consumer side) about protecting data will seek solutions that have a greater chance of succeeding, no matter where in the world they originate.