BY KIM ZETTER
If a handful of lawmakers in the US and abroad have their way, encrypted communication would either be outlawed or come pre-fitted with government-friendly backdoors—insert your friendly government’s name here. There have been proposed bans in at least two states here, and now there’s a proposed federal ban on those state bans.
Some of the smartest minds in cryptography have explained at length that backdoors are a bad idea because they make us all inherently less secure. But legislated backdoors make no sense for yet another reason: the criminals, terrorists, pedophiles and others whom governments hope to target would simply use encryption products made in countries that don’t require mandatory portals. A new worldwide survey of encryption products, compiled by noted cryptographer Bruce Schneier and colleagues Kathleen Seidel and Saranya Vijayakumar, shows just how rich the worldwide catalogue of encryption products is for anyone seeking alternatives. Schneier compiled the list as part of his fellowship at Harvard University’s Berkman Center for Internet and Society.
Mapping Encryption Worldwide
They found 865 hardware and software encryption products available from 55 countries, including the US. Nearly two-thirds (about 540) are made outside the US. They range from virtual private networks, which provide a secured encrypted tunnel for remotely accessing systems over the Internet; email and messaging encryption apps; file and disk encryption; voice encryption and password managers. They also run the gamut from large-scale commercial products made by companies like Microsoft and Cisco to open-source products written by developers in multiple countries to labor-of-love products written by solitary, committed developers.
The US is the country with the most encryption offerings at 304. These include BitLocker, Microsoft’s disk encryption tool; Bitmail, a free email encryption software; the Jabber and Pidgin messaging tools; the password manager LastPass; and even the popular Snapchat, which is encrypted, though its implementation is not perfect.
Not surprisingly, Germany, the former land of the Stasi spies, takes second place on the list with 112 products. Both Germany and the Netherlands (which has 20 encryption products on the list) have publicly disavowed backdoors. Germany’s offerings include TorChat and Diaspora, two free tools for encrypting messages, and GnuPG another free program for encrypting email for Mac users.
Any mandatory backdoor will be ineffective simply because the marketplace is so international. Schneier, et al
The UK, where lawmakers have proposed a ban on encryption products that don’t have backdoors, is the third top provider of encryption apps and tools, with 54 products. They include CelCrypt, a paid tool for encrypting Windows and Android phones and Blackberry communications; Cryptkeeper, a free disk encryption tool; and Hide My Ass, a free proxy for anonymizing your web activity.
A number of small countries have a place on the leader board with a single encryption offering—Belize, Chile, Cyprus, Estonia, Tanzania, and Iraq are among them.
The researchers didn’t endeavor to determine how secure or how well-implemented the products are; they simply compiled any known encryption programs and products.
“Our survey demonstrates that … [a]nyone who wants to evade an encryption backdoor in US or UK encryption products has a wide variety of foreign products they can use instead: to encrypt their hard drives, voice conversations, chat sessions, VPN links, and everything else,” the researchers write in a paper published today (.pdf).
This is not new. A similar survey conducted in 1999 by researchers from George Washington University found 805 hardware and software encryption products available from about three dozen countries back then. Very few encryption products make an appearance on both lists, underscoring the changes and advances that encryption algorithms and methods have undergone in 17 years.
The conclusion that Schneier and his colleagues draw is clear: “Any mandatory backdoor will be ineffective simply because the marketplace is so international. Yes, it will catch criminals who are too stupid to realize that their security products have been backdoored or too lazy to switch to an alternative, but those criminals are likely to make all sorts of other mistakes in their security and be catchable anyway. The smart criminals that any mandatory backdoors are supposed to catch—terrorists, organized crime, and so on—will easily be able to evade those backdoors.”
Any laws mandating encryption backdoors will overwhelmingly affect the innocent users of those products, they note, while having little effect on the rogue parties for which the backdoors are intended.
This doesn’t even address the home-grown encryption products that these groups could develop on their own to evade surveillance.
America’s Encryption Is Not Better
Anyone in the US who turns to ready-made, backdoor-free encryption products offered elsewhere will not have to sacrifice quality, Schneier and his team note. Non-US encryption systems, for example, use the same kinds of strong encryption that US systems use in general. “Cryptography is very much a worldwide academic discipline,” they note, “as evidenced by the quantity and quality of research papers and academic conferences from countries other than the US. Both recent NIST encryption standards—AES and SHA-3—were designed outside of the US, and the submissions for those standards were overwhelmingly non-US.”
And problems with implementing encryption are universal, whether in the US or elsewhere.
“The seemingly endless stream of bugs and vulnerabilities in US encryption products demonstrates that American engineers are not better [than] their foreign counterparts at writing secure encryption software,” they note.
For this survey, the researchers compiled their list from suggestions submitted by readers of Schneier’s blog, Schneier on Security, and his Crypto-Gram newsletter. Others were gleaned through online searches, app stores, GitHub and other sources. The list isn’t complete. The researchers will continue to add products as they uncover more.
They were able to identify the country of origin for most of the encryption services they listed, though sometimes it took a little work to identify the country. They hit a dead-end with at least sixteen, for which they could not assign a country at all. This highlights another weakness with backdoor mandates: it can be difficult to pinpoint authorship of products, particularly in the case of open-source projects where multiple contributors from multiple countries—some of them anonymous contributors—are involved or where someone has deliberately obscured their true locale by using a shell company registered in the British Virgin Islands, St. Kitts or Nevis—notorious havens for those who want to hide their identity.
And sometimes the country of origin can change. Developers who don’t like the laws in one country can simply pick up shop and relocate, as Silent Circle did in 2014 when it moved from the US to Switzerland.
In the end, backdoor mandates have a number of loopholes that can easily undermine them, eliminating their intended effect, while having the unintended effect of making everyone less secure.