Michael Chertoff Makes the Case against Back Doors
One of the more interesting comments at the Aspen Security Forum (one that has, as far as I’ve seen, gone unreported) came on Friday when Michael Chertoff was asked about whether the government should be able to require back doors. He provided this response (his response starts at 16:26).
I think that it’s a mistake to require companies that are making hardware and software to build a duplicate key or a back door even if you hedge it with the notion that there’s going to be a court order. And I say that for a number of reasons and I’ve given it quite a bit of thought and I’m working with some companies in this area too.
First of all, there is, when you do require a duplicate key or some other form of back door, there is an increased risk and increased vulnerability. You can manage that to some extent. But it does prevent you from certain kinds of encryption. So you’re basically making things less secure for ordinary people.
The second thing is that the really bad people are going to find apps and tools that are going to allow them to encrypt everything without a back door. These apps are multiplying all the time. The idea that you’re going to be able to stop this, particularly given the global environment, I think is a pipe dream. So what would wind up happening is people who are legitimate actors will be taking somewhat less secure communications and the bad guys will still not be able to be decrypted.
The third thing is that what are we going to tell other countries? When other countries say great, we want to have a duplicate key too, with Beijing or in Moscow or someplace else? The companies are not going to have a principled basis to refuse to do that. So that’s going to be a strategic problem for us.
Finally, I guess I have a couple of overarching comments. One is we do not historically organize our society to make it maximally easy for law enforcement, even with court orders, to get information. We often make trade-offs and we make it more difficult. If that were not the case then why wouldn’t the government simply say all of these [takes out phone] have to be configured so they’re constantly recording everything that we say and do and then when you get a court order it gets turned over and we wind up convicting ourselves. So I don’t think socially we do that.
And I also think that experience shows we’re not quite as dark, sometimes, as we fear we are. In the 90s there was a deb — when encryption first became a big deal — debate about a Clipper Chip that would be embedded in devices or whatever your communications equipment was to allow court ordered interception. Congress ultimately and the President did not agree to that. And, from talking to people in the community afterwards, you know what? We collected more than ever. We found ways to deal with that issue.
So it’s a little bit of a long-winded answer. But I think on this one, strategically, we, requiring people to build a vulnerability may be a strategic mistake.
These are, of course, all the same answers opponents to back doors always offer (and Chertoff has made some of them before). But Chertoff’s answer is notable both because it is so succinct and because of who he is: a long-time prosecutor, judge, and both Criminal Division Chief at DOJ and Secretary of Homeland Security. Through much of that career, Chertoff has been the close colleague of FBI Director Jim Comey, the guy pushing back doors now.
It’s possible he’s saying this now because as a contractor he’s being paid to voice the opinions of the tech industry; as he noted, he’s working with some companies on this issue. Nevertheless, it’s not just hippies and hackers making these arguments. It’s also someone who, for most of his career, pursued and prosecuted the same kinds of people that Jim Comey is today.
Update: Chertoff makes substantially the same argument in a WaPo op-ed also bylined by Mike McConnell and William Lynn.
“Nevertheless, it’s not just hippies and hackers making these arguments.”
Hippies? HIPPIES?? OMG. You mean those people who wear long hair, tie dyed clothing and bell bottoms, drive psychedelic buses, don’t take baths, and follow the Grateful Dead, who protest injustice and war and smoke pot by the ton? Omg. And here I thought they went on to become accountants and business owners in the 80’s. Really? Hmmm…I guess I missed something.
note to self…
Must dig out albums of psychedelia, head bands, bell bottomed blue jeans and pictures of myself on concert stages stoned out of my..er…wait..wait.. ut unh. The shock would kill me.
ps..sorry for going there..I couldn’t stop myself. Btw..I haven’t seen a hippie in 40 years.
Puzzled as to why you think that’s relevant. Since as you say this isn’t 1970/1980, hippie in modern parlance refers to self-styled “free spirits” and unabashed idealists: people who espouse generally fringe positions and will brook no talk of reasonable compromise.
With the context, this pretty clearly refers to anti-establishment types, of which Chertoff is not one.
As noted in the prior post regarding the OPM hack, China now makes most backbone equipment meaning that any such backdoors would by definition be encoded in a foreign country with the keys easily accessible. It is kind of surprising that the FBI seems to ignore that.
Well, where’s the evidence that these other countries are hacking stuff?
Innocent until proven guilty, the only one that has been found hacking other countries and even allies is the US.
Please explain why I have not been able to get anyone to help with federal whistleblower cyber security case? To date every Senator I’ve contacted has never responded or checked into my Merit Systems Protection Board case. Please review my case…. It appears the United States government wants me dead or in jail for continuing to seek justice and truth about Cyber Security Breaches…
My life has been ruined for telling the truth, and our government and justice system being corrupt. The Federal OPM Breaches are based on a computer flaw and back door the United States created through the computer browsers. As a former US Army soldier I find it worse than “President Nixon”.
It’s unbelievable and I will continue to seek justice and truth about our government and cyber security.
Docket Number SF-0752-11-0427-I-1 .. Whistle-blower Protection case reviewed for Huge VA WhistleBlower on National Electronic Medical Records Leaking Patient Health & Private Data Over Internet
I think the legal angle is interesting on this: if a/the government asks a company to make a product less secure through it having a backdoor, does the government take legal responsibility for misuse that occurs as a result?
If I were the director of a company asked to provide a backdoor this would be my first question; I’d also want the government to insure my uninsured losses if the publication of a backdoor resulted in loss of business.
We live in a capitalist society – backdoors cannot be an exception – they have costs associated with them; costs which the beneficiary (the government) could/should be expected to pay for.
Chertoff saying, “And, from talking to people in the community afterwards, you know what? We collected more than ever. We found ways to deal with that issue,” suggests backdoors are a diversion from how access to encrypted communications can be done. Diversions, red herrings, are commonplace in comsec, as well as spying, law and politics, among others. During the key escrow era there were a slew of diversions which cloaked technology and law. Comey is doing pretty much what FBI director did then, as Obama is reduxing Clinton, invoking executive privilege to promise one thing publicly while doing another secretly. Courts customarily confirm executive power to enforce secrecy, glossed with a few exceptions to assure the excluded citizenry hope for full information about the government is forever on the horizon, albeit in camera for access by those deputized to uphold the law among the lawfully privileged. To wit: technology and law of comsec will forever be deceptive, dual hatted, duplicitous, only occasionally judicious.
I’m wondering what all the fuss is about. I could’ve worked through some of those lines of reasoning when I was ten – as a matter of fact I did, with the issue of escalation of conflict, which he touches on gingerly. To be blunt, anything x can do, y can do as well, or will be able to do so if put under pressure from x. If one actor mandates backdoors, it would be suicidal for other actors not to reciprocate with their own backdoors.
If the US doesn’t want to be laughed at when discussing “cyberwar”, I suggest it start right there. The individual citizen permitted privacy on and through all cybernetic tools. No exception. No silver bullet for the anti-social elements; just doing the hard yards to convict.