
Government backdoor security concerns prompt letter to president

As privacy and security concerns rise, President Obama is urged to dismiss the call for government backdoors.

One day after an open letter was sent to President Barack Obama urging the resistance of mandatory backdoors on products, the Pew Research Center released its report on Americans' views of privacy and surveillance, tying in with the letter's theme.

New America's Open Technology Institute's letter defending U.S. citizens' right to use strong encryption was signed by 140 privacy and human rights organizations, technology companies and trade associations, and individual security and policy experts -- including Apple, Cisco and Google, as well as the Electronic Frontier Foundation, Open Source Initiative and Tor Project, and Whitfield Diffie, Ronald Rivest and Bruce Schneier.

The letter arrives amid a barrage of appeals for mandated government backdoors, while at the same time, the Obama administration debates section 215 of the Patriot Act and the NSA is under more scrutiny than ever. Against this backdrop, citizen privacy concerns are higher than one might have expected. The Pew Research report, published Wednesday, found 93% of Americans believe in controlling who can access information about them, while 90% believe controlling the type of information collected is critical. Furthermore, 88% of those polled felt they shouldn't be observed without their approval.

Additionally, as the government makes a push for information sharing -- and as only 6% of respondents to the Pew poll claim they are confident the government can keep collected data secure -- opinions only grow stronger.

"We urge you to reject any proposal that U.S. companies deliberately weaken the security of their products," the letter to Obama reads. "We request that the White House instead focus on developing policies that will promote rather than undermine the wide adoption of strong encryption technology. Such policies will in turn help to promote and protect cybersecurity, economic growth and human rights, both here and abroad."

The letter also calls out the NSA -- and the public's distrust in it.

"U.S. companies are already struggling to maintain international trust in the wake of revelations about the National Security Agency's surveillance programs. Introducing mandatory vulnerabilities into American products would further push many customers -- be they domestic or international, individual or institutional -- to turn away from those compromised products and services."

To add fuel to this fire, details about an eavesdropping unit named the Network Tradecraft Advancement Team -- which includes members from each of the "Five Eyes" countries -- were published on Wednesday. A document obtained from NSA whistleblower Edward Snowden outlines workshops the Network Tradecraft Advancement Team held in November 2011 and February 2012 which, The Intercept reports, were to explore smartphone exploitation methods.

The public appears to believe such eavesdropping campaigns go too far, with 65% of those polled by Pew researchers believing there are not adequate limits on phone and Internet data collected by the government. Four in 10 adults disapprove of the government collecting telephone and Internet data as part of antiterrorism efforts.

The surveillance issue is not limited to the United States. Last month, the Republic of South Korea's Communications Commission set legislation requiring telecom companies and parents to install monitoring apps on new smartphones of anyone under the age of 19.

In January, the Chinese government mandated backdoors be added to technology, source code be disclosed, and audits be adhered to.

Obama criticized Chinese leadership in March, saying, "We have made it very clear that this is something they are going to have to change if they are to do business with the United States."

And in February, Obama told Re/Code he is a "strong believer in strong encryption" and he "lean(s) probably further on the side of strong encryption than some in law enforcement."

However, he also noted that encryption can stymie an investigation.

Others have that same point of view; U.S. Attorney General Eric H. Holder made headlines in October, urging tech companies to not lock police out of their devices in the name of catching kidnappers and child predators. FBI Director James Comey said encryption could "lead all of us to a very dark place," as it had "very serious consequences for law enforcement and national security agencies at all levels."

Across the pond, Prime Minister David Cameron has advocated the ban of encrypted online messaging services in an antiterrorism movement.

So, will Obama hold his stance on strong encryption or, as he said in a January interview, find a way to "meet legitimate privacy concerns" while also meeting the "very real concerns" of Holder, Comey and Cameron?

"I would argue that although there are some legitimate concerns there," Obama said in January, "the United States government and, from what I've seen, the British government, have operated in a scrupulous and lawful way to try to balance these security and privacy concerns. And we can do better, and that's what we're doing."

The letter on Obama's desk this week outlining backdoor security concerns paints a different picture.

"Whether you call them 'front doors' or 'back doors', introducing intentional vulnerabilities into secure products for the government's use will make those products less secure against other attackers.

"More than undermining every American's cybersecurity and the nation's economic security," the letter continues, "introducing new vulnerabilities to weaken encrypted products in the U.S. would also undermine human rights and information security around the globe."

The letter comments on the "Crypto Wars" of the end of the 20th century, noting that several of the same concerns and arguments from that period are being debated now.

"U.S. policymakers correctly concluded that the serious costs of undermining encryption technology outweighed the purported benefits. So, too, did the president's Review Group on Intelligence and Communications Technologies, which unanimously recommended in its December 2013 report that the U.S. government should (1) fully support and not undermine efforts to create encryption standards; (2) not in any way subvert, undermine, weaken or make vulnerable generally available commercial software; and (3) increase the use of encryption and urge U.S. companies to do so, in order to better protect data in transit, at rest, in the cloud, and in other storage."

Ammunition that can also be added to the letter writers' argument is the Logjam TLS vulnerability disclosed this week, which dates back to the 1990s. The flaw, which experts speculate was previously and secretly exploited by the NSA, is a "government backdoor" that is the result of legislation from the Bill Clinton-era Crypto Wars period. Congress at the time restricted export of cryptographic systems using keys longer than 512 bits. This was deemed reasonable because the lower CPU throughput of the era effectively put 512-bit keys out of reach of all but advanced nation-state attackers. Jump ahead to the present day, however, and anything that forces a downgrade of key length to 512 bits results in encryption that's within reach of today's multi-core desktop CPUs. The research team behind the news reported this week estimates 8.4% of the top million Internet domains are susceptible to the vulnerability, which affects the majority of commonly used browsers.
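The two conditions the paragraph above describes -- a server still offering export-grade cipher suites, and a Diffie-Hellman group short enough for commodity hardware -- are what a defender would check for in a server's TLS configuration. The following is an added example, not code from the article or from the Logjam research team: it models a server's offered cipher suites and DH group as plain Python values so the check runs offline, flags both conditions, and produces a hardened copy. The suite names are real IANA TLS cipher suite identifiers; the two DH primes are constructed length-only placeholders (not real groups and not prime), and the 2048-bit minimum is an assumed policy threshold.

```python
"""Logjam-style exposure check for a TLS server configuration.

Added example; it is not code from the article or from the Logjam research
team. A server's offered cipher suites and finite-field Diffie-Hellman group
are modelled as plain Python values so the check runs offline. Suite names
are real IANA TLS cipher suite identifiers; the two DH primes are constructed
length-only placeholders (not real groups, not prime), and the 2048-bit
minimum is an assumed policy threshold.
"""
from dataclasses import dataclass, replace
from typing import List, Optional

MIN_DH_BITS = 2048        # assumed policy floor for a finite-field DH group
EXPORT_GRADE_BITS = 512   # the key length the 1990s export rules allowed

# Constructed placeholders: only their bit length matters for this check.
WEAK_512_BIT_PRIME_HEX = "8" + "0" * 127     # 512 bits
STRONG_2048_BIT_PRIME_HEX = "F" * 512        # 2048 bits


@dataclass
class TlsServerConfig:
    cipher_suites: List[str]
    dh_prime_hex: Optional[str]   # group used by DHE suites; None if none offered


@dataclass
class Finding:
    severity: str
    message: str


def is_export_suite(name: str) -> bool:
    """Export-grade suites carry EXPORT in their IANA name."""
    return "_EXPORT" in name


def is_ffdhe_suite(name: str) -> bool:
    """Finite-field DH key exchange (DHE_ or static DH_); ECDHE is excluded."""
    return "_DHE_" in name or name.startswith("TLS_DH_")


def dh_prime_bits(prime_hex: str) -> int:
    """Bit length of the DH modulus p, the number the attack's cost depends on."""
    return int(prime_hex, 16).bit_length()


def audit(config: TlsServerConfig) -> List[Finding]:
    """Report the two conditions that made Logjam practical against a server."""
    findings = []
    export = [s for s in config.cipher_suites if is_export_suite(s)]
    if export:
        findings.append(Finding("high", "export-grade suites offered: " + ", ".join(export)))
    if any(is_ffdhe_suite(s) for s in config.cipher_suites) and config.dh_prime_hex:
        bits = dh_prime_bits(config.dh_prime_hex)
        if bits <= EXPORT_GRADE_BITS:
            findings.append(Finding("high", f"{bits}-bit DH group: within reach of commodity hardware"))
        elif bits < MIN_DH_BITS:
            findings.append(Finding("medium", f"{bits}-bit DH group is below the {MIN_DH_BITS}-bit floor"))
    return findings


def harden(config: TlsServerConfig) -> TlsServerConfig:
    """Return a copy with export suites removed and an undersized DH group retired.

    Design choice of this example (not the article's): when the configured group
    is too small, the finite-field DHE suites are dropped so that ECDHE carries
    the key exchange, rather than guessing a replacement group here.
    """
    suites = [s for s in config.cipher_suites if not is_export_suite(s)]
    prime = config.dh_prime_hex
    if prime is not None and dh_prime_bits(prime) < MIN_DH_BITS:
        suites = [s for s in suites if not is_ffdhe_suite(s)]
        prime = None
    return replace(config, cipher_suites=suites, dh_prime_hex=prime)


if __name__ == "__main__":
    # Constructed sample: a server that still offers an export suite and a
    # 512-bit group alongside a modern ECDHE suite.
    weak = TlsServerConfig(
        ["TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
         "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
         "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
        WEAK_512_BIT_PRIME_HEX)
    for f in audit(weak):
        print(f"[{f.severity}] {f.message}")
    print("after hardening:", audit(harden(weak)))
```

Running the block reports two high-severity findings for the constructed sample and none after hardening; on a real server the same two questions are answered by the cipher suite list it is configured with and the size of the group in its DH parameters file.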

Proposed changes to the Wassenaar Arrangement

In what is being "likened to the efforts in the 1990s to regulate the export of strong encryption mechanisms and limit the distribution of PGP technology," the U.S. Department of Commerce's Bureau of Industry and Security (BIS) released a proposal Wednesday for a 60-day comment period on regulatory controls on the export of malware and zero-day exploits.

Proposed changes to the Wassenaar Arrangement, an international agreement reached in 1995, hope to establish tighter export rules for security tools, namely "dual use" technologies that can be used for harm. The BIS proposes requiring a license to export cybersecurity tools used for penetration testing and analyzing network communications. Changes would modify rules added to the Wassenaar Arrangement in 2013 that limited the export of technologies related to intrusion and traffic inspection.

Hypervisors, debuggers and reverse engineering tools would not be considered intrusion software.

However, many security researchers disagree with the proposed changes because they could interfere with research, which would result in less secure systems. They took to Twitter to argue that the wording is too broad. Robert Graham of Errata Security noted that the changes would make it illegal for him to export code.
