Peter Swire, Backdoors
Comment by: Orin Kerr
PLSC 2012
Workshop draft abstract:
This article, which hopefully will be the core of a forthcoming book, uses the idea of “backdoors” to unify previously disparate privacy and security issues in a networked and globalized world. Backdoors can provide government law enforcement and national security agencies with lawful (or unlawful) access to communications and data. The same, or other, backdoors, can also provide private actors, including criminals, with access to communications and data.
Four areas illustrate the importance of the law, policy, and technology of backdoors:
(1) Encryption. As discussed in my recent article on “Encryption and Globalization,” countries including India and China are seeking to regulate encryption in ways that would give governments access to encrypted communications. An example is the Chinese insistence that hardware and software built there use non-standard cryptosystems developed in China, rather than globally-tested systems. These types of limits on encryption, where implemented, give governments a pipeline, or backdoor, into the stream of communications.
(2) CALEA. Since 1994, the U.S. statute CALEA has required telephone networks to make communications “wiretap ready.” CALEA requires holes, or backdoors, in communications security in order to assure that the FBI and other agencies have a way into communications flowing through the network. The FBI is now seeking to expand CALEA-style requirements to a wide range of Internet communications that are not covered by the 1994 statute.
(3) Cloud computing. We are in the midst of a massive transition to storage in the cloud of companies’ and individuals’ data. Cloud providers promise strong security for the stored data. However, government agencies increasingly are seeking to build automated ways to gain access to the data, potentially creating backdoors for large and sensitive databases.
(4) Telecommunications equipment. A newly important issue for defense and other government agencies is the “secure supply chain.” The concern here arises from reports that major manufacturers, including the Chinese company Huawei, are building equipment that has the capability to “phone home” about data that moves through the network. The Huawei facts (assuming they are true) illustrate the possibility that backdoors can be created systematically by non-government actors on a large scale in the global communications system.
These four areas show key similarities with the more familiar software setting for the term “backdoor” – a programmer who has access to a system, but leaves a way for the programmer to re-enter the system after manufacturing is complete. White-hat and black-hackers have often exploited backdoors to gain access to supposedly secure communications and data. Lacking to date has been any general theory, or comparative discussion, about the desirability of backdoors across these settings. There are of course strongly-supported arguments for government agencies to have lawful access to data in appropriate settings, and these arguments gained great political support in the wake of September 11. The arguments for cybersecurity and privacy, on the other hand, counsel strongly against pervasive backdoors throughout our computing systems.
Government agencies, in the U.S. and globally, have pushed for more backdoors in multiple settings, for encryption, CALEA, and the cloud. There has been little or no discussion to date, however, about what overall system of backdoors should exist to meet government goals while also maintaining security and privacy. The unifying theme of backdoors will highlight the architectural and legal decisions that we face in our pervasively networked and globalized computing world.