Yoran says RSA “wouldn’t do it” if laws required backdoors. RSA is getting out of the encryption business, because “it’s not part of our vision for the future,” he says. It’s an open question whether the company would make modifications to its encryption products already sold.
Pironti says he wouldn’t do it either. “I’m not going to work with a client to degrade technology to decrypt,” he says. “They would rely on the vendors.”
Designing a way to decrypt encrypted messages creates guaranteed weak points in the security of the encryption, Zimmermann says, leaving the system more open to cracking by unauthorized parties.
Pironti says setting up a way to protect encryption keys would be hard. “How do I protect this in a way it can’t be used for malicious purposes by a malicious party or an insider?” he says.
A prime reason not to create backdoors is that malicious actors, who are already criminals, will use technology created outside the jurisdiction of U.S. laws or build their own, Pironti says; the law wouldn’t be effective.
Peter Swire, a professor at the Scheller College of Business at the Georgia Institute of Technology, testified to the Senate Judiciary Committee this year that the downside of such a law would be widespread.
“[G]overnment-mandated vulnerabilities would threaten severe harm to cybersecurity, privacy, human rights, and U.S. technological leadership, while not preventing effective encryption by adversaries,” Swire says.