The American Civil Liberties Union (ACLU) is warning that software companies may be forced by the US Government to embed tracking and surveillance capabilities, and even malware, into otherwise legitimate software updates, which may damage trust in software updates altogether.
In its report on the issue, the ACLU has highlighted that the US government may force companies to embed snooping code into software updates that can bypass passcode lockouts, enable wiretapping, switch on functions such as microphones and cameras, or physically track people.
The report comes after numerous attempts by the FBI and other government agencies to encourage companies to give the government a “backdoor” – or privileged access a computer system or encrypted data that bypasses security mechanisms. These attempted orders are usually associated with law enforcement.
One such case occurred when the FBI issued a court order to Apple to crack the iPhone belonging to the suspect in the 2016 San Bernardino Shooter case. While these attempts have focused on attempts to access individuals’ systems and/or data, the ACLU has warned that it’s likely the government will attempt to force software companies to install malware via software updates as more existing backdoors and loopholes are closed, and as more companies secure their users’ data with encryption.
At the time of the case, Apple took a stand against this activity. The company stated that although the FBI said that the tool, which “would have the potential to unlock any iPhone in someone’s physical possession,” would only be used in this case – there is “no way to guarantee such control”.
Apple joined forces with Google, Facebook, Dropbox, Microsoft and other tech giants to form the Reform Government Surveillance Coalition (RGS) which sets out to resist such requests and educate other software companies to do the same.
The ACLU’s report emphasises that, if forced to include backdoors in software updates, people will not regularly update software if they fear that the government or cyber criminals will use the code to infringe on their privacy and security – the very civil liberties that the public trusts the government to protect. Meanwhile, it is important that as many people as possible trust software updates so that fixes to product vulnerabilities can be applied swiftly.
According to TechTarget, backdoors are risky because they present a major security gap – there are always threat actors looking for vulnerabilities to exploit. This risk is emphasised by the 2017 leak of the CIA’s Vault 7 archive to the public, which contained what has been described as a “hacking arsenal” containing malware, viruses, trojans, weaponized ‘zero day’ exploits, malware remote control systems and associated documentation.
The ACLU’s report issues guidance to companies wishing to resist in the name of their customer’s privacy and the security of the internet at large on how to plan for and respond to potential orders. The union’s four recommendations encourage software companies to:
- Understand the issue.
- Implement privacy-minded designs and policies.
- Plan responses to potential technical assistance orders ahead of time, rather than upon receipt.
- Lawyer up!
At Clavister, we believe that backdoors in any system are bad security practice, which is why we develop our own software and operating systems. And we have not, and never will, put backdoors in our solutions for any reason. As such, we’re one of the few companies in the network security industry that can demonstrate complete freedom from any form of government control over our products—which means greater network security for you.