Rockin’ Encryption, Open Back Door…
Few doubt Chaum’s cryptography skills or pedigree. He was instrumental in the early days of computer cryptography and what anonymity we have online today owes a lot to Chaum. But his latest plan is… troubling:
At the Real World Crypto conference at Stanford University today, Chaum plans to present for the first time a new encryption scheme he calls PrivaTegrity. Like other tools Chaum has spent his long career developing, PrivaTegrity is designed to allow fully secret, anonymous communications that no eavesdropper can crack, whether a hacker or an intelligence agency.
That part sounds good, right? But then there’s this:
That ambitious privacy toolset aside, Chaum is also building into PrivaTegrity another feature that’s sure to be far more controversial: a carefully controlled backdoor that allows anyone doing something “generally recognized as evil” to have their anonymity and privacy stripped altogether.
Whoever controls that backdoor within PrivaTegrity would have the power to decide who counts as “evil”—too much power, Chaum recognizes, for any single company or government. So he’s given the task to a sort of council system. When PrivaTegrity’s setup is complete, nine server administrators in nine different countries would all need to cooperate to trace criminals within the network and decrypt their communications. The result, Chaum argues, is a new approach that “breaks the crypto wars,” satisfying both the law enforcement agencies who argue that encryption offers a haven for criminals, and also those who argue that it’s necessary to hobble mass spying.
Unfortunately, Chaum is both totally missing the point and playing right into the FBI’s hands. The argument of basically every other cryptographer is that building any encryption system is incredibly difficult — and introducing any sort of backdoor opens up massive and dangerous vulnerabilities — whether the original creators recognize it or not. The second you introduce a backdoor — even using Chaum’s weird “nine people in nine countries” system — you have introduced a vulnerability. A vulnerability that can and will be abused by others. You are introducing a security flaw. And that’s a massive security problem.