https://www.eff.org/deeplinks/2024/10/salt-typhoon-hack-shows-theres-no-security-backdoor-thats-only-good-guys
Salt Typhoon Hack Shows There's No Security Backdoor That's Only For The "Good Guys"

DEEPLINKS BLOG
By Joe Mullin and Cindy Cohn
October 9, 2024

At EFF we've long noted that you cannot build a backdoor that only lets in good guys and not bad guys. Over the weekend, we saw another example of this: The Wall Street Journal reported on a major breach of U.S. telecom systems attributed to a sophisticated Chinese-government backed hacking group dubbed Salt Typhoon.

According to reports, the hack took advantage of systems built by ISPs like Verizon, AT&T, and Lumen Technologies (formerly CenturyLink) to give law enforcement and intelligence agencies access to the ISPs' user data. This gave China unprecedented access to data related to U.S. government requests to these major telecommunications companies. It's still unclear how much communication and internet traffic, and related to whom, Salt Typhoon accessed.

That's right: the path for law enforcement access set up by these companies was apparently compromised and used by China-backed hackers. That path was likely created to facilitate smooth compliance with wrong-headed laws like CALEA, which require telecommunications companies to facilitate "lawful intercepts"--in other words, wiretaps and other orders by law enforcement and national security agencies.

While this is a terrible outcome for user privacy, and for U.S. government intelligence and law enforcement, it is not surprising. The idea that only authorized government agencies would ever use these channels for acquiring user data was always risky and flawed.
We've seen this before: in a notorious case in 2004 and 2005, more than 100 top officials in the Greek government were illegally surveilled for a period of ten months when unknown parties broke into Greece's "lawful access" program. In 2024, with growing numbers of sophisticated state-sponsored hacking groups operating, it's almost inevitable that these types of damaging breaches occur.

The system of special law enforcement access that was set up for the "good guys" isn't making us safer; it's a dangerous security flaw.

Internet Wiretaps Have Always Been A Bad Idea

Passed in 1994, CALEA requires that makers of telecommunications equipment provide the ability for government eavesdropping. In 2004, the government dramatically expanded this wiretap mandate to include internet access providers. EFF opposed this expansion and explained the perils of wiretapping the internet.

The internet is different from the phone system in critical ways, making it more vulnerable. The internet is open and ever-changing. "Many of the technologies currently used to create wiretap-friendly computer networks make the people on those networks more pregnable to attackers who want to steal their data or personal information," EFF wrote, nearly 20 years ago.

Towards Transparency And Security

The irony should be lost on no one that now the Chinese government may be in possession of more knowledge about who the U.S. government spies on, including people living in the U.S., than Americans. The intelligence and law enforcement agencies that use these backdoor legal authorities are notoriously secretive, making oversight difficult.

Companies and people who are building communication tools should be aware of these flaws and implement, where possible, privacy by default.

As bad as this hack was, it could have been much worse if it wasn't for the hard work of EFF and other privacy advocates making sure that more than 90% of web traffic is encrypted via HTTPS.
For those hosting the 10% (or so) of the web that has yet to encrypt its traffic, now is a great time to consider turning on encryption, either using Certbot or switching to a hosting provider that offers HTTPS by default.

What can we do next?

We must demand real privacy and security. That means we must reject the loud law enforcement and other voices that continue to pretend that there are "good guy only" ways to ensure access. We can point to this example, among many others, to push back on the idea that the default in the digital world is that governments (and malicious hackers) should be able to access all of our messages and files. We'll continue to fight against US bills like EARN IT, the EU "Chat Control" file-scanning proposal, and the UK's Online Safety Act, all of which are based on this flawed premise.

It's time for U.S. policymakers to step up too. If they care about China and other foreign countries engaging in espionage on U.S. citizens, it's time to speak up in favor of encryption by default. If they don't want to see bad actors take advantage of their constituents, domestic companies, or security agencies, again--speak up for encryption by default. Elected officials can and have done so in the past. Instead of holding hearings that give the FBI a platform to make digital wiretaps easier, demand accountability for the digital lock-breaking they're already doing.

The lesson will be repeated until it is learned: there is no backdoor that only lets in good guys and keeps out bad guys. It's time for all of us to recognize this, and take steps to ensure real security and privacy for all of us.