We use words like “cloud” and “World Wide Web” to describe internet fundamentals – words that make it all seem like magic. But the mechanics of how the Internet works – connecting us to everything from our friends and families to our workplaces and retail locations – is anything but magic.
Understanding this vast digital ecosystem is incredibly complicated and, as a result, few truly comprehend how the Internet works. It should come as no surprise that even fewer understand how something like an encryption ‘backdoor’ would work in practice.
Simply put, we use encryption to keep things safe online. Anytime you go to a website that starts with “https://,” you are visiting an encrypted site. We’ve been teaching people for years not to trust their personal data to sites that don’t encrypt, and today, it’s unlikely that you’ll find a website that collects personal data but does not encrypt.
Data is encrypted in transit, which means it is protected while moving from one place to another. Alternately, it is encrypted at rest, or when it is sitting in storage. A useful analogy is to imagine how a brick-and-mortar bank protects money. The bank protects money in transit to a safe delivery through the use of armored cars, and at rest by placing it in a secure vault. As is true with the bank, to decrypt data in both cases you need the appropriate key.
Internet infrastructure companies touch most of the data on the global internet, either when in transit or at rest. Some of that data is protected by the providers themselves through their own encryption key systems. Other data is protected independently by individual users, who leverage free and open-source solutions to protect their communications as they pass over Internet infrastructure resources. One provider may have tens or hundreds of thousands of clients, and each may use its own encryption system and methodology. That’s a whole lot of keys, and very few of them may be under the direct control of the provider.
The internet is, after all, a series of decentralized networks (please insert your own “series of tubes” joke here). These networks might be run by big guys like Apple, Facebook, Google, Amazon and Microsoft, but those are the exceptions. To get a real handle on encrypted communications nationwide, the U.S government would need to look at the far greater list of smaller providers that make up the majority of the internet’s infrastructure. Most of the controversial programs that the NSA was running to collect metadata ran on the Internet’s telecommunications networks.
There are very few major telecommunications companies in the United States. Regulation has made it a relatively uncompetitive space, with few players and points of contact. The same is not true of the rest of the internet’s infrastructure, which is highly competitive and innovative. Implementing backdoors to the cloud would be exponentially harder than it was to monitor the telcos not to mention more expensive and far less effective.
If the U.S. government were to institutionalize backdoors, it would be a heavy burden to businesses, and an operational lift that would likely force a large number of small companies to shut their doors. Many wouldn’t be able to comply with the needs of the new technology or the liability imposed from significantly weakened security online. If they were willing to make the internet a less safe and friendly place, for small business, they could do it, one forced engagement with one internet provider at a time.
The U.S. government would have to engage with tens of thousands of such businesses, each one with a client list they would need to consult in order to change the way they administer encrypted communications. Many of those clients would likely leave the United States for a country where such invasive tactics weren’t practiced, further hampering those businesses and the U.S. economy as a whole.
Once this was done, and the full cost to internet business was incurred, we would have a landscape where only encrypted communications came from overseas sources, individuals who set up their own encryption systems and noncompliant companies still existed without backdoors – by which I mean, we would still have a whole lot of unbreakable encryption. We would have a less competitive economy, a less safe internet, and plenty of pathways to still talk in privately.
Chasing millions of rabbit holes makes no sense. So what if the government instead tries to pass laws that chase only “major” providers? They could target Apple, Facebook, Google, Amazon and Microsoft and just make them comply. But why? What criteria would be used to single out providers, saddling them with costly requirements that make providers less competitive and reliable? At what threshold would a provider be considered big enough to be forced to endure less safe encryption technology for its users?
These unanswered questions make it clear that at any scale, encryption backdoors are not operationally feasible.
Christian Dawson is the Executive Director of the Internet Infrastructure Coalition (i2Coalition), an organization comprised of over 80 member companies who build and maintain the infrastructure of the Internet. Follow him on Twitter @mrcjdawson.