Any effort to ban encryption or provide government agencies with backdoor access would be unenforceable and prone to failure, according to a Harvard University report released last week.
Bruce Schneier, a fellow at Harvard’s Berkman Center for Internet & Society, and collaborator Kathleen Seidel, together with Harvard student Saranya Vijayakumar, identified and surveyed 865 encryption products from 55 countries; 546 of those products were developed outside the United States.
U.S. mandates forcing backdoors for law enforcement access would be futile, Schneier said in the report. Avoiding U.S. surveillance is easy to do with hundreds of competing products available.
A wide range of high-caliber foreign products offer secure applications for encrypting voice, text messages, files, network traffic and anonymous currency. The products provide the same levels of security as U.S. products do today, he said.
“To this international market, a domestic regulation will have minimal effect. This is something that is obvious to those of us in the industry but not so obvious to the policymakers. I hope the information contributes to the general debate,” Schneier told the E-Commerce Times.
The report counters a move by some U.S. lawmakers and government officials abroad to outlaw encrypted communication or include prefitted backdoors to provide access for government and law enforcement officials.
A U.S.-only ban on encrypted devices would never work, Schneier concluded.
“It would be the same as putting a ban on Americans’ gambling. It would be unenforceable. There is no possible way to make it work,” he said.
In order to enforce a ban against encryption in the U.S. (or any other jurisdiction), law enforcement officials would have to watch every bit coming into the country. Officials would have to inspect every device entering the country and ensure that people from other countries surrender all their devices at the border.
It would require “a full body cavity search,” because who knows where you could hide devices, Schneier said.
More Emphatic Results
The Berkman Center survey was modeled on a similar study George Washington University researchers conducted in 1999. That survey found 805 encryption products from outside the U.S. Few of the products from the George Washington University report show up in the Berkman Center study.
That indicates huge changes in the encryption market over the last 17 years. The new survey identified 587 entities that sell or give away encryption products. Of those, two-thirds are outside the U.S.
Countries outside the U.S. producing the most encryption products are Germany (112 products), followed by the United Kingdom, Canada, France and Sweden, according to the study. Those five countries account for two-thirds of the total number of encryption products available.
Many smaller countries — including Algeria, Argentina, Belize, the British Virgin Islands, Chile, Cyprus, Estonia, Iraq, Malaysia, St. Kitts and Nevis, Tanzania, and Thailand — produce at least one encryption product.
Of the 546 foreign encryption products, 56 percent are available for purchase and 44 percent are free. Among those products, 66 percent are proprietary while 34 percent are open source. Some for-sale products also have free versions that include some of the same features.
Products made outside the U.S. include 47 for file encryption, 68 for email encryption, 104 for message encryption, 35 for voice encryption and 61 for virtual private networking.
Results Defy Intent
Laws requiring encryption backdoors will snare innocent users, the survey analysis concludes. The intended targets, such as terrorists and organized crime members, will be unaffected.
Encryption bans will have little benefit for homeland security or crime-fighting efforts. The international marketplace will prevent a successful deployment of encryption bans.
Many people in the information security community have been saying this for quite some time, said Nathan Wenzler, executive director of security at Thycotic. Still, legislators continue to insist that companies create backdoors.
The report won’t change how government agencies address the encryption issue, “but it will definitely add to the growing sentiment around [about] just how bad of an idea these encryption backdoors would be,” he told the E-Commerce Times. “I can’t imagine that a universal encryption protocol will ever come about.”
Requiring backdoors and mandating anti-encryption rules is doomed to failure because it will be impossible to get every company and every individual user to comply, Wenzler said.
“Government policymakers remain unclear on the technical issues involved. They continue to assume that if they have a backdoor into a single system or application, they will have the access they require,” said Mark Parker, senior product manager at iSheriff.
Having a backdoor doesn’t help get into a message or file delivery service if the messages or files are encrypted using any of the myriad available tools, he told the E-Commerce Times. In addition, universal encryption is extremely difficult to obtain because of inherent distrust.
“Many organizations and governments would not trust universal encryption since, once broken, it would leave them vulnerable,” Parker said.
Federal agencies insisting on mandating backdoors or banning encryption are clueless, said Rod Schultz, vice president of products at Rubicon Labs. The digital revolution the Internet created makes physical borders obsolete. It also makes it easier to generate, send and store information.
“The fact that the U.S. is even considering mandating backdoors into technology that either is created or resides within its borders means that our government has failed to grasp the paradigm shift created by the Internet,” he told the E-Commerce Times.
Mandated backdoors or weakened encryption will create a black market for digital goods that do not have those weaknesses, Schultz warned. Deal flow and value creation will shift away from U.S.-based companies.
“Foreign governments all over the world will thank Washington, D.C.,” he said.