About Locks and Encryption

Should we really have government mandated backdoors?

May 5, 2024 (6mo ago) • 5 min read • Updated October 30, 2024

Let's talk about locks.

The ones on your door. They're not as secure as you've been led to believe. They're more of a cope for our anxiety than a real guarantee that they'll keep unwanted people out. Sure, you can spend more and get better locks. But a quick search on YouTube will tell you that given enough tools and time, any physical lock can be picked. This doesn't really matter much because criminals have to deal with the constraints of the physical world. They have to spend time searching for a target, cruising neighbourhoods, picking victims, planning – all while risking getting caught in the act.

Digital, however, is different. On the Internet, there are no neighbourhoods, localities or homes for the bad guys to scout. The constraints of the physical world no longer apply. Physical locks have to protect you from a couple of people at a time, with logistical advantage being against them. And on the Internet, there is no such thing as distance.

In the digital realm, you're fending off thousands of criminals trying to find a crack in your keyholes. Even some guy sitting on the opposite side of the world can have a shot at your locks. Worse yet, they don't play alone. They construct an army of brute-forcing bots that find cracks, however minuscule, to score a chance to break in. Worst of all, people in jurisdictions with legally weak infrastructure (or enough political motivation) can just have a go at every insecure lock in the world without any traceability or accountability. Thousands of bad guys at your doorstep or a guy next door, it's all the same.

Bots online exist in millions for malicious activity. Honeypot is a method to deter spam bots by using input fields that are invisible to humans but can be detected by the bots.

This sounds like a bad time, but math has given us several frameworks that have helped make our locks virtually unbreakable. I'm talking about encryption and cryptography. A digital lock with these cannot be broken into without the key they're forged with. The bad guys can try all they want, but all will be in vain, as any successful hit will take longer than any span of time anyone can fathom. No key? No entry. Simple as that.

Steps involved in AES encryption methods for one rounds. Multiple rounds are executed depending on the algorithm variant. In the end, it is all matrices and linear algebra.

Steps involved in AES encryption methods for one rounds. Multiple rounds are executed depending on the algorithm variant. In the end, it is all matrices and linear algebra.

But it hasn't been all sunshine and roses. The unbreakability of these locks has been a hot debate topic for as long as they've existed. Think for a second: there's a criminal almost convicted for national crimes with undoubtable proofs locked in their digital device. Maybe a terrorist responsible for large-scale heinous crimes with action plans on their phone. How do you get access to it? In the physical world, no problems – the police can simply break into your house with a warrant. If the lock doesn't open, they can use a battering ram. In the digital world, not so easy. This makes physical locks not only physically weak but also legally weak.

We could live in a world with privacy laws that forbade police from breaking into all locks, no matter how flimsy, but we don't, because that would be dumb. This is where gears start turning in government heads. If digital locks are physically invulnerable, maybe they can be made legally vulnerable: to require digital locks be built with a keyhole for which police have the key. Highly secure, top secret, for state emergencies only, obviously. This legal vulnerability to ban citizens from owning perfect digital locks, to require companies to manufacture their devices with keyholes, is an idea that many, many governments are interested in. And governments argue that a warrant which lets police into your house and into your papers should let police into your phone.

This situation has occurred in the US a few time against Apple and has recently made headlines in India too. A few days back, there was a statement made by Meta Inc. regarding WhatsApp exiting the India market if the government forces them to break their end-to-end encryption protocol for messages. Now, whatever your opinion might be about how secure the protocol actually is or how "privacy centric" Meta's record has been, it is not about them. It's obvious that this is basically asking them to make a secret backdoor, a key to which would only be usable by the government. This is an extremely dangerous precedent to set. Asking corporations to manufacture backdoors is insanity. These companies hold a lot more personal data than we realise and access to it can be utilised in harmful ways we don't know.

Whatsapp by Meta Inc. threatens to exit India if it is forced to break message encryption.

Even if it was legalised to make cryptographic backdoors a reality, and the government was full of saints devoted to the good of its citizens (and let's be real here, they aren't), on the Internet, there's no such thing as distance. Bad actors from elsewhere could find this hole and exploit it with no legal ramifications. Any mandated backdoor will be discovered and exploited by criminals and hostile nations, putting all of our data at risk, as we've seen time and time again.

Current situation in India, summarised.

Current situation in India, summarised.

Unbreakable cryptographic locks are the foundation upon which modern digital infrastructure is built. Shopping, banking, expression, and just about everything online works because we have unbreakable locks.

Without making this overly political, I want to emphasise that this places our privacy in general under a huge risk regardless of who exploits the locks. Forced weakness, even with the best of intentions, places everybody in danger. The nature of a lock is to be picked, and the nature of the Internet is to bring criminals to your doorstep. No matter how much we might wish it, there's no way to build a digital lock that only angels can open and demons cannot.

Anyone saying otherwise is either ignorant or less of an angel than they appear.

Mayur Bhoi @ mayurbhoi.com