Securing the Digital World

Exceptional Access: An 'Exceptionally' Bad Idea

Apr 23, 2016 | by Zulfikar Ramzan, PhD

We the people - citizens, residents, visitors - have fundamental needs and inalienable rights. To give these concepts any meaning, we need to be secure from our adversaries and free to communicate.

As such, we've given the government a mission: the money, mandate, and framework to help keep us safe. This vital work is performed by the law enforcement community, intelligence community, military, and other areas of government.

Also sharing this world are businesses. Some seek to provide needed communication services to consumers like us. They are also similar to us, as corporate citizens. In this context, they seek to help the government in its vital role.

Sometimes, however, the respective interests in this ecosystem conflict.

To understand these overlapping and conflicting needs, consider a Venn diagram. The first set comprises consumers who want to be safe and communicate securely. The second set comprises the government, whose mission is to keep us safe. And the third set comprises businesses looking to provide goods or services and typically endorsing the government's mission. Outside the sets, we have adversaries whose motives, objectives, and activities are antagonistic to us all.

These sets illustrate a debate that spans from the congressional floor to the boardroom to the dinner table: should businesses be required by law to develop "exceptional" or backdoor access for the US Government to communications that can help in its mission?

This question seems simple, but delving in reveals numerous layers of complexity.

Law enforcement looks to gather as much information as they can during investigations. This goal, while laudable, comes at great cost. Let's dig deeper. Our adversaries' communication can be captured and stored. Certain forms of this communication are, however, encrypted. The government believes that it should be able to quickly retrieve and analyze this communication if it greatly threatens the public good.

Consumers may care about privacy and security, subject to some caveats. For example, most US-based citizens are against extending exceptional access to foreign governments. It's unclear, however, how businesses transacting in those countries could legally prevent these capabilities from being used.

Businesses are often caught in the middle - supporting consumer demand and the government's mandates. In the case of exceptional or backdoor access, they're being asked to modify their business as a result of the proposals put forward.

Technology vendors, like RSA, have raised the following four points of concern:

  1. We live in a golden age of surveillance. Law enforcement has access to a treasure trove of data about individuals. How much incremental value is there in being able to get to that last bit? In many cases, returns are quickly diminishing and all of the extra effort may not produce any results.
  2. Exceptional access to data incurs significant risk by fundamentally weakening security, adding extra points of failure, and significantly increasing system complexity.
  3. It's hard enough to design secure systems as it is. We still don't know how to do it, which explains why an entire industry is dedicated to this effort and why companies like RSA exist. Adding in exceptional access makes a bad situation much worse.
  4. This process is a procedural nightmare. How will decisions around when one should or should not have exceptional access be made? How will checks and balances be put in place to ensure that these abilities aren't abused? How do we handle cases of international jurisdiction?

Observers on the sidelines of this debate include our adversaries, like criminals, terrorists, and so on. They're probably not as attached to this debate as policy makers and law enforcement might think. They can readily access a wealth of encryption tools (in much the same way that a petty thief can access a pair of gloves to avoid leaving fingerprints at a crime scene or a ski mask to hide their identity on a surveillance camera). Sophisticated threat actors, including those who are enemies of the US, may be especially interested in the outcome. If exceptional access to systems is required, these threat actors believe that they can benefit from weaker systems that they can subsequently exploit.

We find ourselves at the crossroads of one of the most consequential decisions of the internet age. It's not a question of security versus privacy in a binary sense; the debate is much richer, more multifaceted, and more nuanced, and it encompasses a continuum of possibilities. At RSA we believe that exceptional access by the government is antithetical to the fundamental principles of secure system design and is therefore an 'exceptionally' bad idea.