Best Practices Backdoors Help Spammers and Hackers Wreak Havoc By Graeme Caldwell | 3 minute read In a recent report, the Congressional Encryption Working Group, defined a position that opposes the introduction of encryption backdoors into otherwise secure software. “Any measure that weakens encryption works against the national interest.” We’d add that in addition to working against the national interest, encryption backdoors harm anyone with an interest in data privacy and security, and in ensuring that the networks and servers that make up the web aren’t abused by online criminals. Mandatory encryption backdoors force platform and service providers, including those focused on improving the security and safety of the web and email, to build software with deliberately degraded security. A backdoor is a mechanism in an otherwise secure system to allow access by a (hopefully) controlled group of people or organizations — often law enforcement or other government agencies. In the case of encrypted services, a backdoor might use a master key or deliberately faulty encryption algorithms to allow anyone with knowledge of the backdoor to evade the system’s security. The problem with backdoors is twofold: it’s next to impossible to keep them secret and they force developers to build insecure paths into applications that would otherwise be secure. In theory, it’s possible to create a backdoor that will allow access to “authorized” groups but not to criminals. In practice, over a long enough timescale, backdoors and vulnerabilities are discovered by bad actors — including state actors. Once malicious groups and online criminals know about the backdoor, everyone who uses the software is at risk, a risk that’s exacerbated by their belief that the software is secure by default. Ideally, software developers want to build systems that are secure and that protect users’ data from prying eyes. Encryption makes a vital contribution to that effort. A well-implemented encryption system makes it essentially impossible for third-parties to snoop on private communications or access private data. But developers can’t build well-implemented encryption systems if they’re forced to include backdoors. This is one of the reasons Apple is so firmly opposed to building such mechanisms into its operating systems. The OS would have to include code that deliberately circumvents security. Its encryption systems would have to be fundamentally broken and insecure for a backdoor to be feasible. When backdoors are installed into software used in enormous scales on the web, and knowledge of those backdoors becomes available to online criminals, the result is millions of insecure systems open to abuse. At MailChannels, we’re especially concerned about backdoors because we want to limit the routes that spammers and other malicious parties have into supposedly secure connected systems. As web hosting companies and email providers know, online criminals — including spammers — strive to hijack server and network resources, but also Internet of Things and mobile devices. Backdoors make life easier for spammers, and much harder for those who fight spammers and criminals.