If you want to see what a world with built-in backdoors would look like should Congress rule on the side of the FBI, look no further than Microsoft.
One of the key points of Apple’s argument — and what made the hearing necessary in the first place — is its inability to decrypt the iPhone. Knowing this, the FBI instead sought Apple’s help in modifying iOS to disable a feature that would wipe the phone after 10 failed password attempts.
But what if Apple did have a key for every encrypted iPhone? The conflict would basically hinge on Apple’s willingness to turn said key over to the authorities. This is a battle Apple could fight, but probably wouldn’t win.
The All Writs Act, after all, requires companies like Apple to comply with government requests as long as they don’t cause “undue burden.”
Apple’s congressional struggle hangs on just that, undue burden. Apple is arguing that its inability to decrypt the phone or access its contents without creating a new version of iOS would create this burden and that it shouldn’t be required to comply with the original order.
The FBI disagrees that this burden exists.
If the case had involved a laptop instead of a smartphone, and Microsoft instead of Apple, the argument would be irrelevant.
Both Windows and OS X give users the option to encrypt the hard drive, or specific files; the difference is in how they handle the encryption keys.
Since 2013, Microsoft has been automatically uploading a recovery key for Windows users who elect to encrypt their drive. This key is stored on a Microsoft server and is intended to provide access to your PC should you forget the password to decrypt it. It’s the equivalent of Apple uploading your encryption key to iCloud, something it doesn’t do so as to avoid creating a backdoor — something it’s vehemently opposed to.
Microsoft has faced criticism from security researchers about this feature before. But it doesn’t seem to have a problem with the trade-off between security and user convenience.
According to Matthew Green, professor of cryptography at Johns Hopkins University, in a comment to The Intercept:
“Your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.”
That’s the problem with backdoors; there’s no way to ensure that they only work for the intended user. At some point in the near future, it’s likely that Microsoft will be forced to comply with a request that takes full advantage of this security hole.
We asked a Microsoft representative about why it made this choice and were pointed to the company’s transparency report, which doesn’t seem to address the issue, at least not specifically.
She did, however, tell TNW that Microsoft has never provided these keys to law enforcement or intelligence agencies.
While Apple has largely taken the ability to comply with these requests out of its own hands, Microsoft has placed the burden of cooperating with law enforcement back on itself. There will come a time when this decision will prove to be costly.
Here’s to hoping it’s later, rather than sooner. In the meantime, delete your encryption keys.
➤ Microsoft: We Store Disk Encryption Keys, But We’ve Never Given Them to Cops [Motherboard]