Abuse-Resistant Government Backdoors

By Gabe Kaptchuk.


It is common to use encryption hundreds of times each day: when unlocking a phone, connecting to the wifi, or loading a webpage. The rise of personal computing and the internet has transformed encryption from an esoteric military tool to critical infrastructure that gives you control over your data.  

Modern encryption doesn’t just protect against hackers, it also often prevents law enforcement from seeing your data.  Even when law enforcement gets a warrant from a court, it won’t help them decrypt this data.  This limitation is at the center of an ongoing debate about the appropriate role of encryption in US society that first started in the 1990’s.

Law enforcement advocates have claimed that encryption poses a fundamental threat to public safety, because court-sanctioned searches cannot be executed.  Privacy advocates and businesses have stressed the importance of encryption in ensuring personal privacy, protecting business transactions, and putting limits on government power.  In an attempt to accommodate both needs, law enforcement has pushed for special law enforcement “backdoors” in encrypted systems, i.e. a special decryption method that can only be used by law enforcement while executing a legal search.  This debate has recently reignited, focusing on encrypted mobile devices and ubiquitous end-to-end encrypted messaging apps, like Signal and WhatsApp.  

At the heart of this socio-political debate is a technical question: is it possible to build a strong encryption system with a backdoor that only law enforcement can use? There has been little progress answering this question in the last 30 years.  Most proposed constructions of encryption systems with backdoors give the government a “master key” that can decrypt everything, and hope that no one misuses the key.   The vast majority of researchers and activists agree that this approach is inherently flawed.  There are simply too many ways for this all-powerful master key to be abused: a government agent might overstep their authority or the key might be stolen by a foreign government.  Indeed, proposals using master keys from the 1990s were ultimately defeated in part because concerns over abuse of power.

Progress has stalled on this technical question because the requirements of the desired systems have never been fully defined.  Put another way, there are actually two questions masquerading as one: (1) what properties should encryption systems with law enforcement backdoors provide? and (2) is it possible to construct systems that provide these properties?   It is rare to see a clear and coherent answer to the first question, and there is no consensus.  This makes it difficult to get to the second question.

In our recent work, we progress the discussion around encrypted systems that permit law enforcement access by proposing some minimum criteria that any such system should meet.  We focus on “abuse resistance,” meaning that improper use of the backdoor can be swiftly detected and addressed.  This allows law enforcement to hold technical power, while limiting the potential for individuals — or even foreign governments — misappropriating that power.

Specifically, in our work we suggest that encrypted systems should have the following minimum properties:

  • Law Enforcement Access only with a Warrant. Encrypted content should remain totally secure by default.  Law enforcement — and only law enforcement — should be able to use the master key if a relevant warrant is issued by the appropriate court.
  • Abuse Detectability. A huge problem with existing proposals is that abuse can happen covertly; a government agent can use the master key for their own purposes and no one would ever know.  We belive that systems should require a publicly audible trail to be generated before a backdoor can be used.  This trail will allow auditors to raise the alarm whenever misuse is detected.
  • Global Warrant Policies. As a society, we should agree on what warrants should look like.  For instance, maybe we want to limit warrants to be about specific individuals.  Maybe we want warrants to only be usable for short periods of time.  By defining some global warrant policy, we can limit the destructive capability of a hawkish court or overzealous law enforcement.
  • Cryptographic Enforcement. It is (theoretically) easy to write a law that requires a system to have the properties above.  Unfortunately, we are primarily concerned with preventing the system from being abused by individuals who have no regard for the law.  As such, we need to design technical systems that enforce all these properties using something more robust than the law, e.g. mathematics.  Put another way, we want the math used to construct the system to make the master key unusable if the warrant does not comply with the warrant policy or the audit trail has not been created.

Deploying a law enforcement backdoor without these minimum abuse resistance properties is clearly a recipe for disaster.  Using these properties as inspiration, we hope the encryption debate shifts to include discussion about what other properties are necessary.  Before discussion can begin on how to implement backdoors, it is imperitive to agree on the minimum abuse resistance properties for such a system.

If you are interested in these ideas, check out our paper at https://eprint.iacr.org/2021/321!

Gabe Kaptchuk is a Research Assistant Professor in Computer Science at Boston University. His research focuses on applied cryptography and he has worked both in industry and in policy (in the US Senate). His current research interests are at the intersection of privacy, cryptography, and society.  Visit his personal website at kaptchuk.com

“iPhone 6 with lock” by MatthewKeys is licensed with CC BY-ND 2.0. To view a copy of this license, visit https://creativecommons.org/licenses/by-nd/2.0/

View all posts

One comment

Post Your Comment