Mandated encryption backdoors? Such a bad idea, says cybersecurity agency

EU security agency ENISA has warned policy makers against limiting any security features in software, even if that makes lawful interception harder.
Written by Liam Tung, Contributing Writer

Encryption restrictions and backdoors only help criminals and terrorists, according to ENISA.

European cybersecurity agency ENISA has come down firmly against backdoors and encryption restrictions, arguing they only help criminals and terrorists while harming industry and society.

In a newly released report, ENISA warns against policies that limit the use of cryptography to algorithms with backdoors for law enforcement, and against regulations that restrict the key size so that only a powerful attacker, such as a nation state, can break the scheme.

The EU agency said that in the 1990s, when the US restricted the export of strong encryption, lawmakers assumed these capabilities could be used exclusively for a legitimate cause.

"Nowadays computing power as a service is a fact, thus this assumption does not hold anymore," ENISA notes.

ENISA also points to a 1999 report from the US Senate Committee on Commerce, Science, and Transportation, which found that encryption products developed in foreign markets were at least on par with those from US companies, suggesting the export ban eroded a US competitive edge.

That part of ENISA's message chimes with Harvard University research released last week, which illustrated that any effort in the US to ban encryption would only harm its users and firms since most encryption products today are made outside the country.

Of 865 encryption products identified in the study, 546 were made outside the US. One of the report's authors, cryptography expert Bruce Schneier, remarked: "Anyone who wants to avoid US surveillance will have 546 competing products to choose from."

ENISA also points out that policies against encryption can haunt future users, as demonstrated by the recent FREAK and Logjam encryption flaws, which stemmed from export restrictions enacted 15 years earlier.

"Computing costs are systematically decreasing, in ever shorter periods. Therefore, attacks that seem out of the reach of anyone but a nation state will not remain so for the lifetime of the implementations," ENISA notes.
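The export-grade cipher suites that FREAK and Logjam abused are still found in old server configurations. The following audit is an added example written for this article, not code from ENISA or the report; the minimum key sizes and the sample settings are constructed assumptions, while the suite names follow the IANA naming convention.

```python
"""Audit TLS settings for the 1990s export-grade legacy behind FREAK and Logjam."""
from dataclasses import dataclass

# Substrings that mark an export-grade suite (40/56-bit ciphers, 512/1024-bit RSA or DH).
# "_EXPORT" covers IANA names, "EXP-" and "EXP1024-" cover OpenSSL names.
EXPORT_MARKERS = ("_EXPORT", "EXP-", "EXP1024-")
# Minimum sizes a practitioner would accept today (assumed policy, not from the article).
MIN_RSA_BITS = 2048
MIN_DH_BITS = 2048


@dataclass
class TlsSettings:
    cipher_suites: list
    rsa_key_bits: int
    dh_param_bits: int


def is_export_suite(name: str) -> bool:
    """True for suites such as TLS_RSA_EXPORT_WITH_RC4_40_MD5 (FREAK) or
    TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (Logjam)."""
    upper = name.upper()
    return any(marker in upper for marker in EXPORT_MARKERS)


def audit_tls(settings: TlsSettings) -> list:
    """Return human-readable findings; an empty list means nothing legacy was spotted."""
    findings = []
    for suite in settings.cipher_suites:
        if is_export_suite(suite):
            findings.append(f"export-grade cipher suite enabled: {suite}")
    if settings.rsa_key_bits < MIN_RSA_BITS:
        findings.append(f"RSA key of {settings.rsa_key_bits} bits is below {MIN_RSA_BITS}")
    if settings.dh_param_bits < MIN_DH_BITS:
        findings.append(f"DH parameters of {settings.dh_param_bits} bits are below {MIN_DH_BITS}")
    return findings


# Constructed sample: a server offering export suites and 1024-bit DH next to a modern suite.
SAMPLE = TlsSettings(
    cipher_suites=[
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
        "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    ],
    rsa_key_bits=2048,
    dh_param_bits=1024,
)

if __name__ == "__main__":
    for finding in audit_tls(SAMPLE):
        print(finding)
```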

ENISA acknowledges that cryptography might make lawful interception harder, but says a policy that makes it easier to unscramble communications would only introduce new risks to IT infrastructure and disadvantage regulated firms, while providers outside the policy's scope would be able to deliver more secure services at a lower cost.

It urged European policy makers to avoid limiting security features in computer software in any way.

They should also refrain from limiting the export of security features in computer software and consider lifting all existing limitations on such features.