At EFF we have noticed this for a long time I can’t build a back door that only lets good people in and no bad guys. Over the weekend we saw another example of this: The Wall Street Journal reported a major breach of U.S. telecommunications systems attributed to a sophisticated Chinese government-backed hacking group called Salt Typhoon.

The hack reportedly exploited systems at ISPs such as Verizon, AT&T and Lumen Technologies (formerly CenturyLink) to give law enforcement and intelligence agencies access to the ISPs’ user data. This gave China unprecedented access to Data related to U.S. government requests to these large telecommunications companies. It is still unclear how much communications and internet traffic and who Salt Typhoon accessed.

That’s right: The law enforcement access path established by these companies appears to have been compromised and used by Chinese-backed hackers. This path was probably created to facilitate smooth compliance with false laws CALEA, that require telecommunications companies to enable “lawful wiretapping”—in other words, wiretapping and other orders from law enforcement and national security agencies. While this is a terrible outcome for user privacy as well as for U.S. government intelligence and law enforcement, it is not surprising.

The idea that only authorized government agencies would ever use these channels to collect user data was always risky and flawed. We’ve seen this before: in an infamous case in 2004 and 2005, more than 100 top Greek government officials were affected illegally monitored for a period of ten months when unknown parties penetrated Greece’s “access to justice program”. In 2024, with the growing number of sophisticated, state-sponsored hacking groups, it is almost inevitable that such damaging security breaches will occur. The system of special access to law enforcement set up for the “good guys” does not make us safer; This is a dangerous security vulnerability.

Eavesdropping on the Internet has always been a bad idea

Adopted in 1994, CALEA Requires telecommunications equipment manufacturers to provide government eavesdropping capabilities. In 2004, the government dramatically expanded this interception mandate to include Internet access providers. EFF opposed this expansion and explained the dangers of Internet eavesdropping.

The Internet differs from the telephone system in important ways and is therefore more vulnerable. The Internet is open and constantly changing. “Many of the technologies currently used to build intercept-friendly computer networks make the people on those networks more vulnerable to attackers seeking to steal their data or personal information,” EFF wrote nearly 20 years ago.

On the way to transparency and security

The irony should not be lost on anyone that the Chinese government may now know more about who the U.S. government is spying on, including people living in the U.S., than Americans do. The intelligence and law enforcement agencies that use these backdoor legal agencies are notoriously secretive, making oversight difficult.

Companies and individuals developing communication tools should be aware of these shortcomings and take action where possible. Data protection by default. As bad as this hack was, it could have been much worse if not for the hard work of EFF and other privacy advocates who ensured that more than 90% of web traffic is encrypted over HTTPS. For those hosting the 10% (approximately) of the web that do not yet need to encrypt their traffic, now is a good time to think about enabling encryption, either with Certbot or by switching to a hosting provider that does by default HTTPS offers.

What can we do next? We must demand real privacy and security.

This means we must reject the loud law enforcement and other voices who continue to act as if there are “only good people” ways to ensure access. We can use this example, among many others, to reject the idea that the default in the digital world is that governments (and malicious hackers) should have access to all of our messages and files. We will continue to fight against US laws EARN ITThe EU proposal for file scanning “Chat Control”.and the The UK Online Security Actall of which are based on this flawed premise.

It is time for U.S. policymakers to take action, too. If you’re concerned that China and other countries are spying on U.S. citizens, it’s time to speak up for standard encryption. If they don’t want malicious actors to exploit their constituents, domestic companies, or security agencies again, they should embrace encryption by default. Elected Officials can and have done in the past. Instead of holding hearings that give the FBI a platform to facilitate digital wiretapping, demand accountability for it the digital locks they are already cracking.

The lesson is repeated until it is learned: There is no back door that lets only good people in and keeps bad guys out. It’s time we all recognize this and take action to ensure true security and privacy for all of us.