The crypto wars have been raging for decades now. The heated discussion has reached a new height after the publication of the EU Council's resolution on encryption "Security through encryption and security despite encryption".
While the resolution does not explicitly mention that the aim is to weaken encryption, experts perceive it as part of an international strategy to undermine encryption in general for the end user. This has led to massive protests from civil society.
The problem in this discussion is that no one seems to actually communicate. On one side, there are governments and law enforcement agencies that argue that they need encryption backdoors to prevent crimes. On the other side, there are tech companies and security experts that argue that a backdoor for the 'good guys' only is technically impossible.
Each side has its own viewpoint and is not willing to give in a single step.
So Alice and Bob will try to discuss the question of whether we should be able to encrypt our online communication by exchanging arguments.
Alice: End-to-end encryption is the most secure form of encryption. It protects us from any kind of prying eyes, from government espionage to malicious attacks by hackers as well as from rogue employees working at tech companies.
Bob: Agreed, encryption protects the data of all citizens. But what about criminals, terrorists, child molesters? We must be able to decrypt the communication in a targeted way. The service provider must have a second key that it can use to decrypt the content of suspected criminals. This way we can make sure that the data of law-abiding citizens is well protected while we can still access the data of criminals and prevent crime.
Alice: Hm, what you are asking for sounds compelling. So you want an encryption backdoor for the good guys to only target the bad guys?
Bob: Yes, if tech companies were able to decrypt end-to-end encrypted data with a second key, they could hand out data of suspected criminals upon government requests!
Alice: This means employees of the tech companies decrypt the required data with this backdoor key and hand it out to the officials. In theory this sounds very good. Unfortunately, it misses the fact that not every employee can be trusted. I'm just thinking about the recent Bellingcat investigation on the FSB. It says there: "The humans who manually fetch this data are often low-level employees at banks, telephone companies, and police departments." These people take private data of users and hand it out for money. In other words: The journalists of Bellingcat were able to get highly sensitive information on Russian secret service agents just by paying money for the data. That's the problem with backdoors. It's easy to exploit them.
Bob: Then we have to make it harder! If only the government is allowed to request such data, and everything else is illegal? So the example you just gave is illegal and such employees/companies could be punished by law if they fail to protect users' data?
Alice: Yes, but no matter how hard it is, if the option is there, abuse will happen. Two spontaneous risks pop into my mind; potentially there are more: First, the data could be so valuable, for instance business secrets, that others will pay huge amounts of money for this. Would the laws then be able to stop every employee from abusing a backdoor? And, second, I suppose in your scenario, governments are the 'good guys'?
Bob: Yes, that's how it's supposed to be. If you can't trust your own government, who else can you trust?
Alice: That's what is up for debate here. Democracies have been built with keeping one major threat in mind: that the government might turn bad. That's why we have checks and balances, the guarantee of a free press and constitutional rights such as freedom of speech and the right to privacy. For that matter, even German judges oppose encryption backdoors.
Bob: But the right to privacy does not equal the right to encryption!
Alice: On the other hand, what is encryption? It's like a secret language that no one listening in on the conversation can understand. If we outlaw encryption online, couldn't criminals still make up their own secret language?
Bob: Yes, that's true. But at least law enforcement would then be able to ask for the data and see what they can do with it.
Alice: Isn't that already the case with encrypted data?
Alice and Bob could continue this conversation forever because they are going in circles. The problem - and that is what politicians like to keep out of the discussion completely - is that encryption cannot be outlawed.
The above conversation tries to argue the pros and cons of backdooring encryption. However, any pro must be rejected if you keep the fact in mind that encryption as such - the technology to encrypt data end-to-end - cannot be stopped. So any attempt by governments to weaken encryption in certain services will never achieve what is supposed to be achieved: to stop criminals from using encryption.
The inconvenient truth is that weakening encryption will only weaken it for law-abiding citizens, not for criminals. Instead of asking for encryption backdoors and enabling general mass surveillance, politicians and law enforcement agencies should focus on other investigation techniques.
It's like the famous quote by Phil Zimmermann: "If privacy is outlawed, only outlaws will have privacy."
Even if you weaken encryption in certain online services, criminals can still make up their own secret language or develop their own encrypted apps that are not circulated via standard Play Stores. Criminals could even use Thunderbird's built-in email encryption.
In the crypto war discussion, we often hear the request to implement backdoors for the 'good guys only'. However, such a backdoor for the good guys only is, unfortunately, impossible. Besides the risk of rogue employees, it is impossible to define who the 'good guy' is. Given we had a decryption key for the 'good guys', how would you make sure that the good guys never turn bad? How would you make sure that the good guys never abuse their power? How would you make sure that such a general decryption key never leaks into the wrong hands? To illustrate the last point, here are some famous backdoor fails.
There are many examples worldwide that prove that the government cannot be equated with the good guy. If European service providers were forced to implement backdoors for government access, how would you protect the data of opponents, of activists, of journalists in countries that do not adhere to the rule of law, such as Hungary, Russia, China, etc.?
Zach Weinersmith has made an awesome comic, showing what it would mean if the government had a universal key to our online communication - also in democratic countries:
We have to accept that encryption is binary: It is either 'on' or 'off'. There is no in-between.
To come to a conclusion to this question, we must ask the following:
How much surveillance can a democracy endure?
In what kind of society do we want to live?
The question of how we could develop a master key for the "good guys" is a sham discussion designed to distract from these real questions.