With the rise of cyberattacks, encryption is becoming increasingly important for securing business-relevant, publicly important or privately sensitive information. More and more companies are adding encryption technology to their security standards. Nevertheless, not all encryption solutions are the same. One important difference is between a form of encryption where secured data is still available to intermediaries and one where data is only available to its owner. The latter would be particularly important in real-time reporting systems, where huge amounts of taxpayers’ data are collected.
In this blog post we want to show the importance of making data accessible only to its owner in order to prevent data leaks. To do so, we will first focus on the meaning of “backdoors of encryption” and then on how they can be prevented through more private forms of encryption.
Explaining the meaning of “Backdoor” of encryption
An encryption backdoor is a method that allows privileged users or encryption-providing companies to bypass encryption and gain access to a system. It can be compared to the spare key we keep for our car in case we lose the main one.
Backdoors can be very useful for helping users recover their data if they lose their key. Nevertheless, they can also be misused to intentionally leak sensitive information, either through ransomware attacks or through internal leaks. In the first case, hackers manage to discover the encryption backdoor and take control of the data. In a previous blog post, we showed how cyberattacks are affecting our economy and are becoming one of the biggest threats of this century.
Internal leaks may be even harder to detect as they come from inside the service providers. They are usually performed by employees of a company who make use of the backdoor in order to leak data and profit from it.
In May 2022, it was discovered that an employee of the Swiss Mitto AG Surveillance company managed to leak encrypted data from users by making use of an encryption backdoor. Mitto AG surveillance offers encrypted text messages around the world and provides services to tech companies such as Google, WhatsApp and Twitter. Ilja Gorelik, Mitto AG’s co-founder and chief operating officer, allegedly helped private surveillance companies and government agencies to track people via their mobile phones by making use of the encryption backdoor provided for exceptional cases.
The development of support for encryption backdoors
In 2015, the American security company Vormetric published a study showing that 91% of the citizens surveyed recognize that there are risks associated with backdoor access by government entities to businesses’ encrypted data.
Nevertheless, one case opened the way for a backdoor proposal in the American Senate: as Apple refused to unlock an iPhone used by terrorists in 2016, the FBI hired a hacking firm to unlock the device. In response to the litigation between tech companies and the FBI, a bill proposal was introduced in the American Senate in 2020 that would require companies to help the government decrypt user data when ordered by a court. However, after the American elections the bill has come to a standstill.
Similarly, the Five Eyes’ demand to insert encryption backdoors has not produced a result. The Five Eyes is a secret service alliance between the United States, Canada, UK and New Zealand. This proposal would have allowed national agencies to decrypt messages or access calls in case of serious allegations such as terrorism.
By contrast, in Europe the German ruling coalition that took office in 2021 refused to require encryption backdoors by law for cases of serious offences because it would not guarantee secure end-to-end encryption.
How to avoid the threat of encryption backdoors?
Encryption backdoors pose a serious threat to the privacy of user data. As we have seen, these backdoors could be exploited by both hackers and internal employees to leak data and use it for other purposes. Furthermore, their efficacy in preventing terrorism is not straightforward, as their use would be limited to a number of cases which will require the approval of a court.
Furthermore, if backdoors are applied to invoicing exchange systems such as real-time reporting, their misuse might have an even harsher effect on the users, as all invoice information would be disclosed, potentially harming the economy as a whole. For this reason, it is essential to avoid the use of backdoors and provide only data owners with the encryption/decryption key where possible.
In this way, the risk of harmful cyber-attacks would decrease to a minimum while still allowing users the complete ownership of their data. As we explained in a previous blog post, this type of encryption would allow public entities to check for violations without actually seeing the subset of data, thus reaching the required results without affecting the citizens’ privacy.
Encryption backdoors increase the risk of cyberattacks and data leaks, while they do not have the potential to properly fight terrorism or other serious offenses. As the amount of information shared with technology tools increases, so too will our cybersecurity standards have to. This is particularly true for real-time reporting systems, where invoice information will be systematically collected.