Report: China wants backdoors in imported tech, but only its own

Western companies are doing big business in China, but storm clouds lie on the horizon. According to a New York Times report, new banking security rules approved in the People’s Republic at the end of 2014 require those selling hardware and software to Chinese banks to install backdoors for the benefit of Chinese security services.

The rules also state that companies must “turn over secret source code [and] submit to invasive audits.” While seriously problematic for many firms, this element isn’t particularly surprising.

In the wake of Edward Snowden’s NSA revelations and the U.S.’s indictment of Chinese army officials for industrial espionage, China’s authorities have repeatedly implied that U.S. products are themselves a threat to national security, because they track users and/or may contain NSA backdoors. Reports in May 2014 suggested that China was considering banning banks from using IBM servers.

On the consumer side, Apple for one has already reportedly agreed to let China’s security services screen its products to ensure their safety. However, many firms may find this demand impossible to meet, due to intellectual property and security concerns.

Of course, the U.S. is also pushing companies dealing in communications devices and services to install backdoors for its own intelligence and law enforcement purposes. Both administrations – and that of the U.K. – want firms such as Apple to hand over a key to users’ private communications, even though the companies have recently been moving to a more secure end-to-end encryption model where they don’t hold any keys. This is effectively a backdoor demand, though authorities generally prefer to call it “lawful intercept.”

Draft Chinese anti-terrorism laws are pushing for the same thing. This is one of the many problems with official policies that undermine genuinely strong encryption. Particularly in a globalized trade context where your nation’s companies want to make money in foreign markets, it’s a bit hopeful to think backdoor privileges can be reserved only for your own security apparatus.

However, the Times piece talked about China’s new banking regulations forcing equipment makers to build in “ports” for official monitoring purposes. This is where things get really complicated: the rules may require companies to create special versions of their products for China, and U.S. tech firms and the Chamber of Commerce are reportedly anxious that the move may be protectionist in nature.

US lawmaker pushes back against FBI backdoor calls

U.S. Senator Ron Wyden (D-OR) has introduced a bill that would stymie almost any attempt by a government agency to force device manufacturers and app developers to install backdoors for surveillance purposes.

Wyden’s Secure Data Act, introduced on Thursday, follows calls by FBI chief James Comey for companies such as Apple and Google to give his agents a way through their encryption mechanisms, which have been tightened in the wake of Edward Snowden’s NSA revelations and episodes such as the celebrity iCloud hack.

Apple’s most recent move, for example, makes it impossible for the company to bypass the passcode on a user’s iPhone for the benefit of law enforcement or intelligence agencies.

Wyden’s bill gives an exemption to CALEA, the U.S. law that already compels carriers and router manufacturers to install “lawful intercept” capabilities, but beyond that it states:

… no agency may mandate that a manufacturer, developer, or seller of covered products design or alter the security functions in its product or service to allow the surveillance of any user of such product or service, or to allow the physical search of such product, by any agency.

“Covered products” means any hardware or software made available to the general public, so the bill would arguably not cover, say, flawed random number generators.

Wyden’s main impetus for this move, the NSA critic said in a statement, was that backdoors inherently weaken the security of the systems they’re installed in. He also reckons that backdoor mandates are a disincentive to innovation in “strong new data security technologies”, and harmful to trust in American products and services.

“Strong encryption and sound computer security is the best way to keep Americans’ data safe from hackers and foreign threats,” he said in the statement. “It is the best way to protect our constitutional rights at a time when a person’s whole life can often be found on his or her smartphone. And strong computer security can rebuild consumer trust that has been shaken by years of misstatements by intelligence agencies about mass surveillance of Americans.”

It’s interesting, if unsurprising, that Wyden’s bill gives a get-out to CALEA. His own statement cites the 2005 case of senior Greek politicians being illicitly tapped, using an Ericsson lawful intercept feature, as an example of how backdoors can compromise a system’s security for the benefit of more people than they’re supposed to.

Earlier this year, security researchers also identified critical weaknesses in some companies’ lawful intercept products.

Cisco “deeply concerned” over NSA backdoor claims

The U.S. networking equipment manufacturer, which has already warned over the revenue implications of the Snowden revelations, says it is trying to find out more about the NSA’s alleged exploitation of its security architecture.