Why you can't have backdoored crypto that is secure
Blog Article Published: 10/03/2019
By Kurt Seifried, Chief Blockchain Officer, CSA
So as you have probably seen some parts of the US government are again making noise about end-to-end encryption.
We’ve seen this before (clipper chip, key escrow, etc., etc.). The new twist is that they appear to be trying a thin end of the wedge approach, banning end-to-end encryption in consumer applications (like Whatsapp, Signal and so on) but large corporations will be allowed to have end-to-end encryption to protect their systems.
Let’s ignore the whole consumer vs. corporate argument for a minute (does the CSA qualify? Would we be allowed to have internally secure communications? What about small and medium businesses? What about people who are self-employed?).
So in order to be effective against an attacker that steals your laptop or cell phone, the encryption system also needs to be effective against a nation-state that takes (e.g. at the border, legally) your laptop or cell phone. Is this a lawful matter with a warrant and judicial transparency? Or is this part of a widespread crackdown by a repressive regime on pro-democracy supporters? Security can either be controlled by the end-user(s) involved in some specific communication/data processing, or it can also be controlled by some third party (e.g., the data processing platform). If a third party is involved, then that third party can choose to reveal the data without consent or even knowledge in most cases of the end parties, due to a lawful warrant, or because they decided to monetize your data and sell it to advertisers. Once you lose technical control of your encryption and privacy you are at risk of a number of attacks, ranging from bribery and theft from the third party to that third party going bankrupt and your data assets being auctioned off to the highest bidder.
This is why the CSA is actively exploring and engineering Blockchain solutions that involve end-to-end privacy and technical controls that are placed in the hands of the end-users, because anything less is just a data breach away from failure.