Nobody wants backdoors for the state.

Rather, nobody reasonable wants backdoors for the state. Backdoors are undisclosed accesses to circumvent protections — they create distrust in the affected technology and are an obvious security hazard. But what about hacking? This question is the subject of much discussion at the moment. Do we want the state to make use of computer hacking?

Wait… why would we?

In democracies, citizens are supposed to hold the power to determine the limits, role, rights, and responsibilities of the state. This power is an illusion. The reality is that we normally don’t fully understand what the state’s investigative powers are, and we don’t have hard evidence of their success or whether they are justified. It takes leaks or Freedom of Information Act requests to even form a blurred picture of what surveillance and intrusion technologies are adopted, and how frequently they are being used.

And while from a theoretical and technical point of view we might be in some position to contemplate what level of access the state should be granted, I am reluctant to endorse anything in particular. Do we, as a security and hacking community, really have the responsibility and the burden to come up with and provide feasible options for the state to penetrate and subvert the same technology we’re striving to protect and improve?

In the arm wrestle that is power structures trying to acquire additional powers, I believe we should be the opposing force, and that rather than embracing, let alone proposing, any given option, we should be contrarian voices, with the hope that the result, if any result is to be achieved, would be satisfying.

So, why would we want to grant the state more power? Normally, that is what citizens should be challenging, rather than enabling. I know, there is always a tension between what would be ideal, and what is realistic. In an ideal world, states would not need to spy and snoop, but we don’t live in such a world. Still, history and recent leaks have shown authorities routinely abuse their power and, by all odds, granting them more power will likely lead to even more abuse. Acting on our ideals, even if they can’t be fully actualized, is an effective way to loudly voice such concern and to make sure that the least possible privileges are being granted.

Truthfully, I have no expectation of preventing hacking from becoming a legitimized tool in the arsenal of a state — it largely is already, and if not, it is inevitable. However, I do believe we should do everything to ensure it is costly, and to oppose it when discovered.

If we find malware used by a state, we should expose it. If we find an exploit used by a state, we should expose it. Whichever the state is, whoever the victims are.

It is through this process of accountability that we can maintain a balance, and this process should be safeguarded and accepted as an unavoidable operational and economic cost of adopting invasive practices.

I am not going to be advocating and legitimizing the use of hacking by any state, to then wait for its exposure to be criminalized. I am not going to agree to government hacking. I might tolerate it, but still continue fighting it.