Playing out today is a debate about the control of future of technology. After revelations of massive government surveillance programs, new applications deploy strong encryption, touting privacy as a key feature. The authorities, afraid they will not be able to access communications, are attempting to mandate weaknesses in these applications to ensure they can gather data when needed. This debate hinges on how such backdoors would be used and whether they can be kept out of the hands of criminals. Pro-backdoor groups often point to real criminal investigations that would be helped by backdoors, however pro-security groups have struggled to point to the concrete harm of a backdoor.
The pro-security groups’ hand wringing is not necessary. There is a backdoored technology that we can easily use as a case study: cell phones. The lack of base-station authentication and availability of weak encryption has a similar effect to some of the weaknesses proposed to newer technology. “IMSI-catchers” use these weaknesses to pretend to be a cell phone base-station (i.e. a “tower”) so that cell phones connect to them instead of the real network. The IMSI-catcher can then do what it likes with a connect phone’s connection before forwarding it to the real network. This includes identifying what individuals are present in a location, recording call times and parties and even call content in some cases.
This interception that law enforcement agencies are currently uses closely mirror man-in-the-middle attacks possible on a text chat network that has it’s end-to-end encryption broken.
So what harm has come from providing law enforcement these powerful tools? The most obvious is that criminals are using the same weaknesses. While there is very weak data on what is being done with this power, there is evidence evidence that hijacking cell phone links is widespread. We should expect that if we weaken email, chat, cloud-backups and other online apps criminals will fined a way to use them too.
Damage can run deeper, however, undermining the justice system itself. During criminal prosecutions in the US the use of IMSI-catchers is being hidden from defendants. This hurts defendants’ rights as it limits their legal options. Even scarier, real criminals may have convictions overturned on the basis of the murky tactics used to convict them. Again, we should expect that weakened cryptography will lead to dodgy convictions and procedural acquittals of the guilty.
We have seen a second legal run-around result from stingrays: law enforcement agencies have been using pen-registers as authorization to avoid the more stringent requirements of a warrant, which judges say should be required. This has resulted in several incidents that indicate bulk surveillance of protests, which could never get a warrant. Clearly we should expect that if our lives are easier to be watched, then they will be watched more.
Criminal, procedural and civil rights issues like we have seen as a result of weak security in cell phone technology is a taste of the future – if we allow backdoors in technology. Only with ubiquitous encryption can we preserve the integrity of justice, protecting the public from criminals and unconstitutional government surveillance alike.