A study shows that if the U.S. mandates backdoors to decrypt secret messages in order to help law enforcement, there would still be hundreds of alternative encryption products made outside the reach of U.S. law that terrorists and criminals could get their hands on.
“Smart criminals and terrorists will easily be able to switch to more secure alternatives,” is the conclusion drawn by the study “A Worldwide Survey of Encryption Products”. The authors were Internet security authority Bruce Schneier of Harvard’s Berkman Center for Internet and Society, independent security researcher Kathleen Seidel, and Saranya Vijayakumar, a Harvard student.
The argument from the FBI and others in law enforcement is that they need to be able to see what suspects are saying in encrypted messages in order to catch them. The study concludes that those who want secure products can get their hands on them because the marketplace for them is international.
“Even if a criminal has to use, for example, a US encryption product for communicating with the world at large, it is easy for him to also use a non-US, non-backdoored encryption product for communicating with compatriots,” the study says. Still, since the study says 304 encryption products are made in the U.S., installing backdoors would affect a significant percentage of the market.
Some companies that make encryption products have business entities in more than one country, making them “jurisdictionally agile,” the study says. “Some organizations can change jurisdictions, effectively moving to countries with more favorable laws.”
The bottom line, the study says, is that backdoors will have a bad impact on the masses that rely on encryption for legitimate purposes without helping to catch the cleverest criminals. “The smart criminals that any mandatory backdoors are supposed to catch – terrorists, organized crime and so on – will easily be able to evade those backdoors,” it says.
Of the 587 separate entities that make encryption products, 374 are based outside the U.S. Two countries that are major sources of these products, Germany and the Netherlands, have repudiated encryption backdoors.
A similar study in 1999 found 805 encryption products worldwide. That study was intended to measure the effectiveness of blocking exports of advanced encryption technology. It concluded that blocking it did not prevent people in other countries from obtaining the products.
The new study says the strength of encryption products is about the same no matter where they are made, since most use the same set of published encryption algorithms, and there is no reason to believe U.S. products are better. The most recent encryption standards put forth by the National Institute of Standards and Technology were based on foreign designs.
“Additionally the seemingly endless stream of bugs and vulnerabilities in U.S. encryption products demonstrates that American engineers are not better [than] their foreign counterparts at writing secure encryption software,” the study says. In addition, many U.S. companies making encryption software hire engineers working outside the U.S.
Meanwhile the study, which the authors admit isn’t comprehensive, found 865 hardware and software encryption products worldwide – 546 of them made in the U.S. – with functions ranging from file, messaging, voice and email encryption to VPNs.
The next most common countries after the U.S. are Germany, the U.K., Canada, France and Sweden, with the top five accounting for more than two-thirds of the total.
“The US produces the most products that use encryption, and also the most widely used products,” the study says. “Any US law mandating backdoors will primarily affect people who are unconcerned about government surveillance, or at least unconcerned enough to make the switch. These people will be vulnerable to abuse of those backdoors by cybercriminals and other governments.”
Congress is considering a proposal to create a commission to study the encryption issue, as well as a measure that would block states from creating their own encryption legislation.