Why Security Backdoors are Bad (Common Sense Version)

Recently, there has been a bit of controversy over the concept of the government or security agencies adding backdoors to services and encryption schemes, supposedly as a way to let them ‘hunt down the bad guys’. But while it’s pretty obvious to a lot of people why this is a stupid as heck concept that’s utterly unworkable in the real world, I thought it’d be useful to explain it in a way that the average Joe can understand.

Basically, imagine an encryption scheme as the tech equivalent of a real world door lock. It’s not a perfect analogy, but let’s go with that because it’s simple to understand.

A backdoor is basically like sticking a key under the rug so the police can enter in case of a disturbance.

So why is it a bad idea? Well, software cannot exactly tell people’s motives or read their minds. It can’t magically tell who’s the government/police and who’s the criminal. Put simply, if a system like this is in place, anyone with the right skillset can use it to bypass any security measures.

Now, picture all the situations in which this could go horribly wrong. Imagine your government made it mandatory to leave keys in a certain place so police could enter a property in a hurry.

Next, think about this. What happens if one of those police officers is corrupt?

You pretty much have a criminal who can bypass any lock in the country, and who can either use it for their own personal gain or sell on the information to the criminal underworld. If it’s the latter? Well, get used to criminal gangs and organisations just waltzing into any house and business they want to attack or steal from, and imagine the consequences. Same deal could happen with an encryption backdoor. The method leaks out, and suddenly all the hacking forums are filled with people passing around ways to take over servers, websites, you name it.

So hang on, you might think. What if only the top officials know about it?

Then the same thing can occur. There’s no correlation between being powerful and being a decent person, or between having power and not being corrupt and self-serving. So you’d better hope the police chiefs and political leaders aren’t in with the mafia or the like.

And it doesn’t end there. You see, criminals don’t just wait for information to be available before attempting to commit crimes. They’ll attempt to figure out weaknesses in the security, unlocked entrances, inhabitant behaviour patterns, etc., to find a way into a building even without knowledge of a backdoor.

If there is one? Then guess what, some random scumbag could quite easily find it. There are plenty of criminals out there who happen to be decent programmers, have a certain amount of knowledge about security and encryption, or simply have enough time on their hands to try whatever random tools and techniques they can find online in a couple of minutes. If they find your backdoor, then it doesn’t matter what the police or government or security agencies do; it’s now out there in the wild. Oh, and you might not even know it’s out there in the wild, since professional criminals aren’t going to tell every Tom, Dick and Harry that they’ve found an easy way to steal credit card information.

Perhaps you’ll only find out when bank accounts are being emptied en masse, or US/European government secrets end up somewhere in Russia. How are you going to explain that to people? ‘Oh sorry, criminals/foreign spies/terrorists took our property and information because we left a giant hole in everyone’s security systems, didn’t tell anyone about it and saw it get exploited by everyone with a certain amount of technical knowledge.’

Either way, I think you can see why this idea of ‘putting backdoors’ in systems is a bad one. Don’t do anything stupid…