The conversation about backdoors in encrypted services has resurfaced following reports that the U.K. government is pressuring Apple to compromise its end-to-end encrypted (E2EE) iCloud device backup functionality. Authorities are allegedly urging Apple to implement a “backdoor” in order to permit state entities to access user data without hindrance.
Since the passage of the 2016 update to state surveillance laws, the U.K. has granted itself extensive authority to regulate how technology companies utilize robust encryption. According to reports from the Washington Post, U.K. officials are invoking the Investigatory Powers Act (IPA) to demand direct access to data shielded by Apple’s iCloud Advanced Data Protection (ADP) service, which is designed to prevent unauthorized access, even from Apple itself.
Apple’s ADP service is architected to ensure that not even the tech giant retains the encryption keys due to its use of E2EE, allowing Apple to assert that it has “zero knowledge” of user data.
A backdoor refers to a covert vulnerability embedded in software code, designed to bypass or undermine security protocols for the benefit of third parties. In this iCloud scenario, such an order would enable U.K. intelligence or law enforcement officials to access users’ encrypted information.
While the U.K. government typically declines to confirm or deny information regarding notices issued under the IPA, security specialists have cautioned that a secret order could have international consequences if Apple is compelled to relax the security measures it provides to users worldwide.
Once a software vulnerability is introduced, it poses a risk of exploitation by various malicious entities, including hackers aiming to access sensitive information for purposes like identity theft, data trafficking, or deploying ransomware.
This contextualizes why discussions involving state-driven efforts to access E2EE services often revolve around the metaphor of a backdoor; requesting a vulnerability be purposely integrated into code clarifies the significant trade-offs involved.
To illustrate: In the context of physical entrances — doors, walls, etc. — there is no guarantee that only the rightful owner or key holder will have access.
The existence of an entry point establishes the potential for unauthorized access; for instance, a copy of the key could be obtained, or one might forcibly enter by breaking down the door.
The crux of the matter is this: No entrance can be entirely selective for a single individual. If one person can access it, it stands to reason that others might be able to do the same.
The same principle concerning access risk applies to vulnerabilities implanted in software or hardware.
The idea of NOBUS (standing for “nobody but us”) backdoors has been proposed by some security agencies in the past. This type of backdoor relies on the assessment that the capabilities of state actors for exploiting a specific vulnerability exceed those of any others — effectively creating an ostensibly secure backdoor exclusively accessible to their agents.
However, technical expertise and capabilities are not static; evaluating the technical abilities of unknown entities is also imprecise. The NOBUS concept is built on fundamentally questionable premises; any third-party access introduces countless new attack entry points, such as social engineering strategies targeting individuals with “authorized” access.
It’s no surprise that many security professionals criticize the NOBUS idea as fundamentally flawed. In essence, any access poses a risk, making the pursuit of backdoors contradictory to robust security.
Nevertheless, despite the well-documented security dilemmas, governments persistently advocate for backdoors, which is why the topic remains vital.
The term “backdoor” also suggests that such requests can be hidden rather than made public — just as backdoors typically aren’t designed for public use. In the instance of Apple’s iCloud, a request to weaken encryption via the U.K.’s IPA, presented as a “technical capability notice” (TCN), cannot legally be disclosed by the recipient. The intention behind the law is for any resultant backdoors to remain secret. (While leaking information about a TCN to the media is one way to bypass the information embargo, it’s crucial to emphasize that Apple has yet to publicly address these claims.)
The rights organization Electronic Frontier Foundation notes that the term “backdoor” originated in the 1980s, when it described covert accounts or passwords enabling someone unknown accesses to a system. Over time, the term has come to represent various attempts to undermine, circumvent, or compromise the data protection provided by encryption.
While backdoors are in the spotlight again due to the U.K.’s actions against Apple’s encrypted iCloud backups, it’s essential to remember that demands for data access have a lengthy history.
In the 1990s, for example, the U.S. National Security Agency (NSA) developed voice and data processing hardware that contained a built-in backdoor, intending to enable the security services to intercept encrypted communications. Known as the “Clipper Chip,” this system utilized key escrow — whereby an encryption key was generated and stored by governmental bodies to facilitate access to encrypted data should state authorities choose to intervene.
The NSA’s initiative to promote backdoor-equipped chips faltered due to public outcry over privacy and security concerns. However, the Clipper Chip is credited with sparking efforts among cryptologists to develop and popularize strong encryption solutions aimed at safeguarding data from unwarranted government intrusion.
The Clipper Chip also serves as an example of a publicly mandated system access attempt. Notably, backdoors need not always be clandestine. (In Apple’s iCloud scenario, government agents obviously aimed for access while keeping users oblivious.)
Moreover, governments frequently utilize emotionally charged rhetoric to rally public support for data access requests, often arguing that obtaining entry to E2EE is crucial in combating child exploitation, terrorism, or other grave offenses.
Ironically, backdoors can create significant challenges for those who implement them. For instance, China-backed hackers managed to infiltrate federally mandated wiretap systems last fall, reportedly accessing the data of users from U.S. telecommunications and internet service providers due to a long-standing federal law that mandated such backdoor access (albeit not specifically targeting E2EE data). This incident highlights the risks associated with intentionally integrating universal access points within systems.
Governments must also be cautious about foreign backdoors jeopardizing the safety of their own citizens and national security.
Numerous incidents have raised suspicions regarding the presence of backdoors in Chinese hardware and software over the years. Concerns over potential backdoor risks have prompted some nations, including the U.K., to take measures to ban or restrict the use of Chinese technology components in critical telecommunications infrastructure in recent years. Fears surrounding backdoors can also motivate significant actions.
Compiled by Techarena.au.
Fanpage: TechArena.au
Watch more about AI – Artificial Intelligence
