 |
I was reading an interesting open letter sent to President Obama by a big group of technology companies and technologists. In essence, the letter asks for the administration to reject any proposal/legislation that would require for U.S. companies to deliberately weaken the security of their products. This all comes as a result of recent activities by many technology companies to harden their solutions, in terms of how they protect information, both while in transit and @ rest (on devices and in the Cloud). I think it’s a bit odd that we’re still having a conversation asking for weakened security, in light of everyday and ever-growing breaches and hacks occurring on a global basis. Asking for a side-door/back-door/front-door/secret key, to be used by an organization on a wide-scale, is an unacceptable practice. Once the cat’s out of the bag (and it will be out) that such “secret “paths exist, it will be only a matter of time that the wrong actors will be using them as well. In addition, what would stop other nation states from requiring the same type of access, to be on equal and fair footing with the US government? Last but not least, as an individual, I can’t see how this is any different from what we expect in terms of privacy in our physical space, at our homes. This is no different than the government asking for backdoor access to physical safes and vaults within our homes. That’s not going to happen, as vault and safe manufacturers don’t provide a secret key/code that a law-enforcement agency can use to get access to people’s vaults on a blanket/wide-scale basis. Access to such assets only makes sense for targeted and warranted access to a suspect’s safe/vault. For the same reason, the digital safes and vaults that people use today to store personal information on their smart phones, tablets and on the Cloud need to enjoy the same level of privacy protection. I think that people are generally reasonable when it comes to privacy. If we know we’re providing personal information for our own protection, we’ll share such info. How can my company or bank know it’s “me” who is accessing their services? I need to share some info about myself upfront, and that info can be verified when I try to access such services. The individual understands that they provide controlled access to specific aspects of their personal & private identity, to gain access to specific services. What the individual won’t accept is for some organization (government or otherwise) to have access to all their information on all their devices and services, without their consent or for any particular reason. Volunteering information sharing amongst technology companies and nation states to discuss threats imposed on them, on a systematic basis is a great idea (as discussed in President Obama’s recent Cyber Security Summit in February 2015) but this idea of providing a back door access to all information, to an agency, is too wide a net. This is basically asking for technology companies to weaken their security, and that is a dangerous message to send. The post Say no to backdoor access… appeared first on Speaking of Security - The RSA Blog and Podcast. |
