IEEE official stance in support of strong encryption
Even in my rather narrow circle of communication, consisting mostly of techies, there are people who do not understand why the requirements to provide access to correspondence by weakening encryption or introducing backdoors into cryptographic protection mechanisms is another step that doesn’t pursue the wrong interests, which are declared. This translation is for them and for those who also do not see threats in these initiatives.
IEEE supports unlimited use of strong encryption to protect the confidentiality and integrity of transmitted and stored data. We oppose the efforts of governments to limit the use of strong encryption and / or the granting of exclusive access authority using mechanisms such as backdoors or a key deposit system designed to facilitate government access to encrypted data.
Governments have a legal basis for law enforcement and the protection of national interests. IEEE believes that the requirement of deliberate creation of backdoors or deposit schemes - no matter how well-intentioned are behind it - does not satisfy these interests and leads to the creation of vulnerabilities that threaten both unforeseen and quite predictable negative consequences.
')
Strong encryption is essential to protect individuals, businesses, and governments from malicious cyber activity. Encryption protects the confidentiality and integrity of stored and transmitted data. Virtually all online commerce relies on encryption to protect data.
Exclusive access mechanisms can create risks by allowing attackers to use weakened systems or embedded vulnerabilities for criminal purposes. If attackers know about the existence of exclusive access mechanisms, this will allow them to concentrate on finding and using them. Centralized key depositing schemes would create the risk that an adversary will be able to compromise the security of all participants, including those who were not originally targeted. As a result, the risk of successful cyber-theft, cyber-espionage, cyber-attack and cyber-terrorism can increase. The consequences of malicious cyber activity for individuals and societies can take many forms:
In addition, by increasing the risk of maliciously changing data, unrestricted access mechanisms can reduce confidence in data authenticity and lead to mistakes in decision making and miscalculations.
Exclusive access mechanisms will not prevent attackers from taking advantage of strong encryption, created specifically for them or available in countries where there are no requirements for creating exclusive access mechanisms. Devices and systems with a high level of information security and / or for sure not having exclusive access mechanisms exist now and will always be available to intruders that law enforcement agencies and intelligence services want to follow.
Efforts to restrict strong encryption or introduce deposited key schemes in consumer products can have a long-term negative impact on the privacy, security, and civil rights of people affected by such regulation. Encryption is used throughout the world, and not all countries and institutions will comply with the security policies of exclusive access mechanisms. A goal deemed to be legitimate by one country and consistent with its national interests may be considered by other countries as illegal or violating their standards or interests. Thus, jurisdictional issues can be the biggest obstacle to the work of exclusive access mechanisms.
Law enforcement agencies have a number of other investigative tools that provide access to systems and data when this is warranted. Methods include legal mechanisms for accessing data stored in clear text on corporate servers, targeted exploits for individual devices, forsensics for computers of suspects, and forcing suspects to provide keys and passwords.
Exclusive access mechanisms may prevent regulated companies from innovating and competing in the global market. The requirement to provide exclusive access can give companies that are not obliged to fulfill it, the ability to create products and services that look to customers in the global market more reliable than they deserve.
IEEE seeks to develop technology credibility through transparency, the creation of technical communities, and building partnerships between regions and countries. Measures that reduce information security or contribute to the abuse of secure information systems will inevitably damage this trust, which in turn will impede the ability of technology to achieve much more significant social benefits.
The Institute of Electrical and Electronics Engineers - IEEE (Engl. Institute of Electrical and Electronics Engineers) is the largest technical professional organization dedicated to the promotion of technology for the benefit of mankind. Due to frequently cited publications, conferences, technology standards, professional and educational activities, IEEE is an authoritative source in many different areas: from aerospace systems, computers and telecommunications to biomedical engineering, power engineering and consumer electronics.
IEEE supports unlimited use of strong encryption to protect the confidentiality and integrity of transmitted and stored data. We oppose the efforts of governments to limit the use of strong encryption and / or the granting of exclusive access authority using mechanisms such as backdoors or a key deposit system designed to facilitate government access to encrypted data.
Keys deposited
The backdoor principle is that the third party has a mechanism for independent and tacit decryption of the transmitted data. In an attempt to protect privacy and prevent unlawful use of the backdoor, the concept of keys deposited was created, suggesting the need for secret cooperation of independent participants with law enforcement agencies to provide access to the backdoor in order to decipher the information transmitted.
ENSIA Encryption Opinion: Strong encryption guarantees our digital self-determination, European Network and Information Security Agency (ENSIA), December 2016, p. 7.
Governments have a legal basis for law enforcement and the protection of national interests. IEEE believes that the requirement of deliberate creation of backdoors or deposit schemes - no matter how well-intentioned are behind it - does not satisfy these interests and leads to the creation of vulnerabilities that threaten both unforeseen and quite predictable negative consequences.
')
Safety basis
Strong encryption is essential to protect individuals, businesses, and governments from malicious cyber activity. Encryption protects the confidentiality and integrity of stored and transmitted data. Virtually all online commerce relies on encryption to protect data.
New risks
Exclusive access mechanisms can create risks by allowing attackers to use weakened systems or embedded vulnerabilities for criminal purposes. If attackers know about the existence of exclusive access mechanisms, this will allow them to concentrate on finding and using them. Centralized key depositing schemes would create the risk that an adversary will be able to compromise the security of all participants, including those who were not originally targeted. As a result, the risk of successful cyber-theft, cyber-espionage, cyber-attack and cyber-terrorism can increase. The consequences of malicious cyber activity for individuals and societies can take many forms:
- direct financial losses;
- identity theft;
- theft of intellectual property and business-sensitive information;
- critical infrastructure damage ;
- threat to national security;
- reputational damage;
- loss of profits, such as loss of productivity;
- and even the threat of life, when computer systems supporting vital functions are turned off.
In addition, by increasing the risk of maliciously changing data, unrestricted access mechanisms can reduce confidence in data authenticity and lead to mistakes in decision making and miscalculations.
It will not help
Exclusive access mechanisms will not prevent attackers from taking advantage of strong encryption, created specifically for them or available in countries where there are no requirements for creating exclusive access mechanisms. Devices and systems with a high level of information security and / or for sure not having exclusive access mechanisms exist now and will always be available to intruders that law enforcement agencies and intelligence services want to follow.
Jurisdictional issues
Efforts to restrict strong encryption or introduce deposited key schemes in consumer products can have a long-term negative impact on the privacy, security, and civil rights of people affected by such regulation. Encryption is used throughout the world, and not all countries and institutions will comply with the security policies of exclusive access mechanisms. A goal deemed to be legitimate by one country and consistent with its national interests may be considered by other countries as illegal or violating their standards or interests. Thus, jurisdictional issues can be the biggest obstacle to the work of exclusive access mechanisms.
Alternative methods
Law enforcement agencies have a number of other investigative tools that provide access to systems and data when this is warranted. Methods include legal mechanisms for accessing data stored in clear text on corporate servers, targeted exploits for individual devices, forsensics for computers of suspects, and forcing suspects to provide keys and passwords.
Unfair competition
Exclusive access mechanisms may prevent regulated companies from innovating and competing in the global market. The requirement to provide exclusive access can give companies that are not obliged to fulfill it, the ability to create products and services that look to customers in the global market more reliable than they deserve.
IEEE seeks to develop technology credibility through transparency, the creation of technical communities, and building partnerships between regions and countries. Measures that reduce information security or contribute to the abuse of secure information systems will inevitably damage this trust, which in turn will impede the ability of technology to achieve much more significant social benefits.
About IEEE
The Institute of Electrical and Electronics Engineers - IEEE (Engl. Institute of Electrical and Electronics Engineers) is the largest technical professional organization dedicated to the promotion of technology for the benefit of mankind. Due to frequently cited publications, conferences, technology standards, professional and educational activities, IEEE is an authoritative source in many different areas: from aerospace systems, computers and telecommunications to biomedical engineering, power engineering and consumer electronics.
Source: https://habr.com/ru/post/422747/
All Articles