The ongoing political debate about backdoors in IT products, whether built in or specially created for governments, is striking a nerve with millions of people. This is about far more than “merely” decrypting a single mobile phone of a suspected criminal. It threatens our fundamental right to personal data privacy and security. Some see it as a declaration of war against all those who have worked hard to create end-to-end encryption technologies in recent years, and even as an attack on basic democratic rights.
Crypto wars – a never-ending story
The United States, for instance, has a long history of crypto wars. One side of the battle line is taken by the crypto pioneers and technology companies striving to create powerful encryption; the other side is occupied by state agencies trying to hack into encrypted communications to facilitate mass surveillance. Earlier crypto wars reached a peak in the mid-1990s when the NSA even designed a physical chipset with an integrated backdoor, the Clipper Chip, and tried to force phone makers in the U.S. to adopt it. Luckily, this failed due to backlash from consumers and politicians, and the chipset was buried.
After this epic high of the crypto war in the 90s, things went a little quieter until Edward Snowden appeared on the scene in 2013 and poured fuel on the fire. The NSA scandal prompted the tech industry to increase security measures and strengthen encryption, which once again triggered political initiatives to apply the legal thumbscrews to the industry and the use of encrypted communications.
Putting backdoors into devices would increase national security; this is the argument proposed most frequently by state officials. But this is an argument that security specialists and also civil rights activists fiercely oppose. The problem is that backdoors allow not only state agencies to gain access to encrypted communications; they also open the door to “bad” hackers and cyber criminals. What’s more, the use of decrypted data to solve or prevent crimes has yet to be demonstrated as being at all effective.
Fundamental rights at stake
A look at the ongoing crypto debate from a global perspective reveals two main opposing forces: those who are in favour of government backdoors in ICT products and the decryption of devices by force – mostly in English-speaking countries like the United States and Great Britain, but also China – and those who oppose any kind of backdoors or access to encrypted data. The latter group consists of a number of European countries spearheaded by Germany.
The opponents of data security always argue that they need access to encrypted systems in order for law enforcement agencies to gather information on crime suspects or to prevent terrorist attacks. Only recently, British Prime Minister David Cameron pledged to ban encryption and legally intercept communications in certain cases, all in the greater interests of society.
This was quickly followed by a widely criticized draft of the “Investigatory Powers Bill” by British minister of the interior Theresa May, which even prompted the United Nations to openly interfere. The UN report states that massive surveillance and hacking as contemplated in the Investigatory Powers Bill would be an attack on personal privacy and even democracy and should rather be forbidden than legitimized.
The tendency to limit one’s individual freedom in order to protect other citizens is widely accepted in the English-speaking world, and the terrorist attacks of 9/11 and the subsequent fear of the unknown enemy have amplified this. Unsurprisingly, France only recently urged similar notions of banning encryption and increasing surveillance.
However, recent details about the Paris attacks reveal that the terrorists seem to have used not encryption, but mainly prepaid, disposable cell phones in order to stay under the radar of the intelligence services. This rather undermines the whole argument that encryption must be weakened in order for law enforcement agencies to prevent or solve crimes.
However, this does not seem to hinder the anti-privacy parties. Only last week, the draft text of a new US bill called the “Compliance with Court Orders Act of 2016,” by the offices of Senators Dianne Feinstein and Richard Burr, was leaked and caused uproar within the tech world.
It would rule end-to-end encryption illegal and force companies to “cooperate” in revealing encrypted data when instructed to do so by court order. Moreover, it targets not only hardware companies but also software manufacturers and providers of electronic communication services like WhatsApp, which only recently introduced end-to-end encryption for almost one billion users worldwide.
With Germany and the Netherlands in the other corner, we have two heavyweights who are fighting for better data protection and encryption. Both countries have a strong anti-spy and “no-backdoor” attitude, and the governments have officially stated their rejection of government-imposed backdoors and weakened encryption.
Fuelled by the Snowden revelations, the German government even agreed to enhance data protection and establish the groundwork for encrypted communication and independence for technologies. The goal of initiatives like the “Charta zur Stärkung der vertrauenswürdigen Kommunikation” (charter to strengthen trustworthy communication) is to make Germany the worldwide leader in (end-to-end) encryption, with encrypted communications being used by virtually everybody.
There is one major argument that almost all of the pro-backdoor countries and politicians ignore: whenever a backdoor is created it can, and will, be misused by bad actors and criminals to steal information, cause failures, or manipulate hardware. People working in industry, in particular, should be alarmed: the implementation of backdoors or weakened encryption would immediately put new innovations or patents at risk of being copied, and industrial espionage would be facilitated on a wide scale.
Acknowledging the great importance of backdoor-free infrastructures, Germany in recent weeks introduced new procurement conditions for the purchase of hardware for the public sector. At the heart of these conditions is a mandatory “technical no-spy declaration”. From now on, IT service providers and hardware manufacturers must guarantee that the hardware they supply is free of backdoors. The regulations are mandatory for all federal authorities in Germany, but they are also being applied by the individual German states and local authorities.
The reason for this is that many decision makers in Germany regard any kind of backdoor as a threat to the integrity, confidentiality and authenticity of data in general – as we found out in a study on digital sovereignty, conducted last year among more than 400 German decision-makers.
“No backdoor” guarantee
Trusted communications and effective protection from espionage, tampering and sabotage can only be guaranteed if IT infrastructures, and the devices in them, are free from backdoors that grant uncontrolled, secret access by third parties.
Since our foundation, LANCOM Systems has consistently pursued an anti-backdoor policy across its entire product portfolio. The core product range is developed and manufactured in Germany in line with the highest standards of data protection. A written declaration about the freedom from backdoors is available on our website.
LANCOM is not alone in providing “no-backdoor” declarations like this. There are currently around 150 ICT companies in Germany that provide this guarantee within the framework of the “IT Security Made in Germany” (ITSMIG) quality seal. ITSMIG dates back to 2005, when it was first introduced by the German ministries of economics and the interior to distinguish particularly secure and trustworthy products. The seal is a result of Germany’s – fortunately – highly stable and constant legislative framework with regard to data protection and privacy. The seal underlines the immense importance of backdoor-free ICT solutions for the protection of industry from sabotage and espionage, as well as personal digital rights.
What’s more, German privacy rights are a vital pillar of our constitution. In this digital age, this right directly translates into the right to digital data protection and protection from mass surveillance. The only guarantee of this is to regain full control over our ICT systems and to maintain our digital sovereignty, which also means the robustness of our systems against foreign and criminal attackers. The director of the European Agency for Network and Information Security (ENISA), Udo Helmbrecht, recently demanded higher encryption standards in order to protect individual rights and restore trust in electronic business connections.
We are well aware that achieving these goals depends on our working together on an international basis. Our goal must be to create a common understanding of our digital rights and of our right to digital sovereignty. This may be a tricky issue to solve, but hopefully we will at least be able to do so across Europe.