Obama administration explored backdoors for bypassing smartphone crypto

An Obama Administration working group considered four backdoors that tech companies could adopt to allow government investigators to decipher encrypted communications stored on phones of suspected terrorists or criminals, according to a news article published Thursday by The Washington Post. Ultimately, the group rejected each one out of concern that they were too controversial.

Citing a draft memo from the group, reporters Andrea Peterson and Ellen Nakashima wrote:

The first potential solution called for providers to add a physical, encrypted port to their devices. Companies would maintain a separate set of keys to unlock devices, using that port only if law enforcement had physical access to a device and obtained a court order to compel the company’s assistance.

The necessary hardware changes could be costly for US manufacturers, but the physical access required by this method could limit some of the cybersecurity risks, the memo said.

The second approach would exploit companies’ automatic software updates. Under a court order, the company could insert spyware onto targeted customers’ phones or tablets—essentially hacking the device. However, the memo warned, this could “call into question the trustworthiness of established software update channels” and might lead some users to opt out of updates, which would eventually leave their devices less secure.

A third idea described splitting up encryption keys, a possibility floated by National Security Agency director Michael S. Rogers earlier this year. That would require companies to create a way to unlock encrypted content, but divide the key into several pieces—to be combined only under court order. Exactly how this would work remains unclear, but the memo warned that such a system would be “complex to implement and maintain.”

Under the final approach, which officials called a “forced backup,” companies under court order would be required to upload data stored on an encrypted device to an unencrypted location. But this might put significant constraints on companies, the memo noted, saying it would require that they design new backup channels or “substantially” modify existing systems.

The approaches were part of a months-long government discussion on how best to deal with the growing inability of government investigators to monitor communications of suspects, a phenomenon the FBI refers to as "going dark." While officials say they remain concerned, they said they had no intention of moving forward with any of the four approaches. "Rather than sparking more discussion, government-proposed technical approaches would almost certainly be perceived as proposals to introduce ‘backdoors’ or vulnerabilities in technology products and services and increase tensions rather [than] build cooperation," the memo said.

Read on Ars Technica | Comments