A group of eminent cryptographers and computer scientists have come out strongly against demands by the US and UK governments to mandate backdoors in encryption to allow state agencies access for communications surveillance.
A report entitled "Keys under doormats: mandating insecurity by requiring government access to all data and communications" was published yesterday by the prestigious Massachusetts Institute of Technology's Computer Science and Artificial Intelligence Laboratory (CSAIL).
CSAIL assembled some of the foremost experts on cryptography in the world for the report, which pointed out that the government calls for law enforcement access to all communications and data were not new, with the same mandates being debated 20 years ago.
However, the cryptographers noted that the damage that could be caused by law enforcement backdoors was much greater today than in the mid-90s, when government backdoors such as the Clipper Chip key escrow system were considered damaging and harmful.
"In the wake of the growing economic and social cost of the fundamental insecurity of today's internet environment, any proposals that alter the security dynamics online should be approached with caution," the group warned.
Mandating government backdoor access to encrypted communications and data would mean protective measures such as perfect forward secrecy (PFS) as used by Google - which limits the amount of user information disclosed even if digital keys are compromised - would have to be removed.
Furthermore, the requirement to provide full access to law enforcement is likely to introduce unanticipated and hard-to-detect security flaws in today's complex and large internet environment with billions of interconnected devices and services, the cryptographers wrote.
The backdoors themselves would create "concentrated targets that could attract bad actors", further upping the risk of data breaches, the group wrote.
The crypto specialists pointed out that the UK intends to soon introduce laws to compel all communications providers, including US companies, to grant access to British security and law enforcement agencies.
This would lead to other countries demanding the same, reversing US and UK policy to keep the internet free and away from the control of authoritarian regimes, the group argued.
"China has already intimated that it may require exceptional access. If a British-based developer deploys a messaging application used by citizens of China, must it provide exceptional access to Chinese law enforcement?" the crypto experts wrote.
"Which countries have sufficient respect for the rule of law to participate in an international exceptional access framework? How would such determinations be made?
"How would timely approvals be given for the millions of new products with communications capabilities? And how would this new surveillance ecosystem be funded and supervised?"