Washington Post's Clueless Editorial On Phone Encryption: No Backdoors, But How About A Magical 'Golden Key'?
from the golden-key-cryptography dept
The Washington Post editorial board has weighed in on the recent "controversy" over Apple and Google's smart decision to start encrypting mobile devices by default. The "controversy" itself seems pretty hyped up by law enforcement types who are either lying or clueless about the technology. Throwing a bunch of technically ignorant newspaper editors into the mix probably wasn't the wisest of decisions.Much of the editorial engages in hand-wringing about what law enforcement is going to do when they need the info on your phone (answer: same thing they did for years before smartphones, and most of the time with smartphones as well, which is regular detective work). It even repeats the bogus use of the phrase "above the law" that FBI director James Comey bizarrely keeps repeating (hint: putting a lock on your stuff isn't making you above the law). But the real kicker is the final paragraph:
How to resolve this? A police “back door” for all smartphones is undesirable — a back door can and will be exploited by bad guys, too. However, with all their wizardry, perhaps Apple and Google could invent a kind of secure golden key they would retain and use only when a court has approved a search warrant. Ultimately, Congress could act and force the issue, but we’d rather see it resolved in law enforcement collaboration with the manufacturers and in a way that protects all three of the forces at work: technology, privacy and rule of law.Did you get that? No "back door," but rather a "golden key." Now, I'm not sure which members of the Washington Post editorial board is engaged in mythical "golden key" cryptography studies, but to most folks who have even the slightest understanding of technology, they ought to have recognized that what they basically said is: "a back door is a bad idea, so how about creating a magic back door?" A "golden key" is a backdoor and a "backdoor" is a "golden key." The two are indistinguishable and the Post's first point is the only accurate one: it "can and will be exploited by bad guys, too." That's why Apple and Google are doing this. To protect users from bad guys.
In the meantime, just watch, and we'll start to see ignorant politicians and law enforcement start to echo this proposal as well, talking down "backdoors" and talking up "golden keys." The fact that we already had this debate in the 1990s, when the "golden key" was called "key escrow" and when having the government lose that was was fairly important in allowing the internet to become so useful, will apparently be lost on the talking heads.
Still, a small request for the Washington Post Editorial Board: before weighing in on a subject like this, where it's fairly clear that none of you have the slightest clue, perhaps try asking a security expert first?
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: backdoors, editorial board, encryption, golden key, mobile encryption, privacy, security
Companies: washington post
Reader Comments
The First Word
“I'm going for funniest techdirt comment of the week
"However, with all their wizardry, perhaps Apple and Google could invent a kind of secure golden key they would retain and use only when a court has approved a search warrant."Subscribe: RSS
View by: Time | Thread
I love how you hold others to such a high standard when you yourself don't meet that standard. Recent example: your silly post about how a design patent is invalid even though you demonstrated no such thing: https://www.techdirt.com/articles/20141003/06500028716/design-patent-granted-toothpick.shtml Do as you say, not as you do, right?
[ link to this | view in thread ]
Re:
I'll leave this to your entertainment (please follow the link in that comment, it might make you slightly less dumb):
https://www.techdirt.com/articles/20141003/06500028716/design-patent-granted-toothpick.shtml#c 485
[ link to this | view in thread ]
Really, why are we reading some ignorant piece of crap like WP when not happy with being clueless they display said lack of clue in all its glory by treating science as wizardry?
Perhaps they could actually study what they call wizardry and notice it's highly complex science and that they just proposed exactly what they said it's not desirable?
[ link to this | view in thread ]
Re: Re:
How is that linked-to comment an example of me doing the same thing? At least that person acknowledged that it's the "ordinary observer" test--something Mike didn't even do. Mike didn't give us any legal analysis before reaching his legal conclusion. He just posted a picture of toothpicks that had three grooves with the implication that they're substantially similar to ones that have two painted-on stripes. My point is that the IP reporting on Techdirt is often laughable--such as that post. It's not just Mike. His flunkies are guilty of shoddy IP reporting even more so than he is. It's just funny that he criticizes others so much when his own house isn't in order.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
[ link to this | view in thread ]
This is Magical Golden Journalism
I mean, "David Brooks"? C'mon, he's no better than that Krauthammer moron, or Thomas Sowell. They're just low blood pressure medicine.
I live for the inane mistakes, like when the text of an article includes the literals "START ITAL" and "END ITAL". Or some half-drunk city desk guy gets to opine about Magic Golden Keys. It's priceless, i tell you. You give a sinus-clearing snort, and resign yourself once again to a newspaper written and edited by posturing pieces of wood, and you laugh and get on with life.
[ link to this | view in thread ]
Response to: Baron von Robber on Oct 6th, 2014 @ 9:24am
[ link to this | view in thread ]
newspeak
[ link to this | view in thread ]
OK, so we don't want any magical Golden Keys
We would only need one such key, so creating one such key would not put the population of unicorns in any danger.
[ link to this | view in thread ]
Re: Re:
http://en.wikipedia.org/wiki/Clarke%27s_three_laws
[ link to this | view in thread ]
Gold Key
[ link to this | view in thread ]
I'm going for funniest techdirt comment of the week
[ link to this | view in thread ]
Singalong Time
I got a safe encrypted telephone.
I hacked its golden key!
Wonder what other uses that master key might have for me?
Is this megalomania?
Can I rule the world?
'Cause I got a safe encrypted telephone
I hacked its golden key!
[ link to this | view in thread ]
(Yes, I know, but playing wordgames is all the rage at the moment.)
[ link to this | view in thread ]
Re: OK, so we don't want any magical Golden Keys
[ link to this | view in thread ]
[ link to this | view in thread ]
Does this apply to components? If a Chinese supplier of say, wifi chips doesn't like what Apple is doing, can they just brick every device with their chip in it?
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
#popcorn
[ link to this | view in thread ]
Playing devil's advocate
A "golden key" implies a key, contrasting with other kinds of backdoor which do not use a key.
For instance, a backdoor where turning on the phone while shorting a couple of test points in its main board were enough to bypass the phone encryption would not be a "golden key".
[ link to this | view in thread ]
Apple File Vault 2: http://support.apple.com/kb/ht4790
For Microsoft in a business situation: http://technet.microsoft.com/en-us/library/dd875531%28v=ws.10%29.aspx
For Microsoft in a home situation: http://windows.microsoft.com/en-us/windows-8/bitlocker-recovery-keys-faq
[ link to this | view in thread ]
Where has the Washington Post been for the last year? I'm sure China's gonna want it's own "Golden Key" too, so they can crack down on all the unruly young people protesting in Hong Kong.
The Washington Post is advocating for repression and tyranny. Shame on them.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
Yes you do. If a third party is holding your private key, then it isn't private anymore. Functionally, doing so is exactly the same as having a universal key and it has all the same problems and all the same unicorns and rainbows.
[ link to this | view in thread ]
Re:
Not quite. The ECC problem was not a golden key, it was an intentional weakening of the random number generator. This by itself did not remove or bypass encryption. It made it possible to break the encryption, but doing so still took nontrivial effort.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re:
Please, you couldn't get Dwarves to work elvish steel. That's how I know your claim is made up.
[ link to this | view in thread ]
Future Shock
I'm not saying that there aren't bad actors. However, we should also consider that in less than a decade we went from moble phones to a universe of powerful internet-connected devices capable of storing and doing so much more than that.
I think today that there is a valid argument for the growth of an excluded middle between the clued-in, and the willfully ignorant, and thanks to Alvin Toffler there's a name for the cause - Future Shock.
[ link to this | view in thread ]
Encryption security
Intercepting US mail and reading it requires a court order. The public should expect no less for private phone conversations. Unfortunately official snoopers consider all communications their business even without probable cause. Justice prevails.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Encryption security
Perhaps I misunderstood what Apple & Google have done here, but my understanding is that they're encrypting the contents of the phone itself and not keeping a key for themselves. This has nothing to do with whether or not the data is encrypted outside the phone (is the server's hands).
[ link to this | view in thread ]
Re: Re: Encryption security
They are encrypting by default the contents of what is on a phone itself, with only the end user/owner being able to decrypt it.
Anything outside the phone (text messages, call logs, emails, etc.) is still subject to subpoena through a proper warrant. And that's what really drives home the point about the lack of understanding on the part of many complaining about the encryption coming to these devices pretty soon. That data is still legally accessible through the proper channels. All this means is you can't just grab a phone and go through it down the line.
[ link to this | view in thread ]
Re: Re:
"No one understands the Cloud, it's a fscking mystery!"
[ link to this | view in thread ]
Re: I'm going for funniest techdirt comment of the week
[ link to this | view in thread ]
Re: Re: Re: Encryption security
And we need to keeping pointing out that anything on the phone is also still subject to subpoena. The only change is that the subpoena must be issued to the owner of the phone instead of to Apple or Google.
[ link to this | view in thread ]
Re: Re:
I hate to tell you, but almost every FDE product out there has something like this. I used Apple and Microsoft as examples, but CheckPoint uses an EndPoint Policy Manager. Do you think the average consumer is going to have a server to backup the private keys to? Most that I know will end up using DropBox, iCloud, OneDrive, et al which is basically the same thing. You can't store the private key for decryption on the same device for recovery, so it's either purchase a server to run your own and make sure you have backups or lease cloud space which basically makes the key public to someone else.
Actually, this whole argument sounds like a good KickStarter project, some cheap Arduino boards to basically do a password/key manager and I would integrate OAuth with a mini lcd display.
[ link to this | view in thread ]
Re: newspeak
You mean the WP is now involved in enhanced interrogation techniques on the English Language?
[ link to this | view in thread ]
It works...
[ link to this | view in thread ]
Re: Re: Re:
I'm not sure what you're talking about here. I've used several FDE solutions for Windows and Linux, and have yet to be required to store my keys on a server of any sort, let alone a third party server.
"You can't store the private key for decryption on the same device for recovery, so it's either purchase a server to run your own and make sure you have backups or lease cloud space"
Or do what I do: store the keys on a memory stick. They'll also fit on floppies if you are really old-school.
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re: Re: Encryption security
[ link to this | view in thread ]
Re: It works...
So... that would be a back door, right? Although the chest is right up against the wall so you'd have to scoot it out to get to a back door. Or is it metaphorical? Hm...
[ link to this | view in thread ]
Re: Re: Re: Re: Encryption security
Then it's a self incrimination rather than a privacy issue.
The owner of the phone may be someone else than the person whose name is on the purchase invoice or who pays the monthly bill.
Or the phone may have been shared among a large group of persons or it may have been acquired through second hand sale by the most recent user.
One great reason for officially refusing to hand over any password is that you by admitting knowing the password implicitly convey that you likely are aware of any potentially incriminating contents of the phone including contents planted by the police to frame you.
Loudly refusing gives the government more work and forces the issue into court where the self incrimination argument can be determined.
If asked by the police if you are the sole user of the phone just plead the Fifth and state politely that you only answer questions after assistance of counsel.
Answering that you are the sole user of the phone likely makes knowledge of the password a foregone conclusion and effectively waives any Fifth Amendment protection.
The government should have to work hard to establish that you are the sole user of the phone.
The real problem for the government in using the subpoena power to compel a suspect to turn over a password is proving ownership and the other elements sufficient to make the testimonial implications flowing from disclosure of the password a foregone conclusion.
Subpoenaing the information from a person involved in a crime may be possible, but the government doesn't like it because it may compromise the secrecy of an ongoing government investigation.
If Bob's phone is seized by the police, and they can get a subpoena compelling Bob to turn over the password, the investigation is no longer a secret and Bob will be on notice that he is under investigation.
If he is not immediately taken into custody,he can arrange a covert signal with his accomplishes alerting them to the fact that his phone has been seized and that everyone must immediately dispose of their codes.
[ link to this | view in thread ]
Tip of the Iceberg
But the world is bigger than tech. Recently, Biden made (truthful) remarks critical of Turkey. Now Biden has been forced to apologize for his supposed "gaffe". We are living in the world of Orwell's NewSpeak.
[ link to this | view in thread ]
Re: Re: Re:
FTFY
[ link to this | view in thread ]
Re:
Sure, they'll be pissed off when they realize it doesn't work, but we'll be pissed that they so readily abused the power they thought they had.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Encryption security
[ link to this | view in thread ]
Social Engineering
This morning's news had a long piece about a cop who "pimped out his wife" and sold drugs, among other crimes, and was caught ONLY because investigators had the use of "the backdoor" to read his incriminating emails.
The spokesman (I missed his name) claimed they "would never have caught the guy" if his cell phone had the new full encryption that was planned to be put in place by Google and Apple and other manufacturers soon.
It really does seem to be that the cops are going to claim repeatedly that lack of encryption is essential to the capture of criminals. I guess before cell phones, criminals had to arrest themselves and confess on paper before the cops could catch them.
You can't really blame the bad guys in white hats for trying to prevent encryption though. After all, they've spent millions of tax payer's dollars and many years making sure that Americans have the least secure communications on earth.
A step forward for the public is a step backwards for the folks in law enforcement, because then they would have to go back to using barbaric detective work, savage investigation analysis and old fashioned common sense.
Techniques which apparently, never worked and never caught any bad guys.
---
[ link to this | view in thread ]
Re: Social Engineering
Don't you remember the headlines in 1983? "Cellular phones go on sale; police predict some crimes can now be solved".
[ link to this | view in thread ]
Phone Encryption
Between the backdoors, the DRM, the camera, the microphone and the GPS you couldn't possibly be expecting privacy anyway.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Encryption securityf
The only exception to this rule is if the government already can establish from an independent source that you knows something.
Also remember that the civil contempt power is time limited because it's not intended to be punitive.
Criminal contempt is an entirely different beast and you can in fact be sentenced to real punishment for criminal contempt.
But criminal contempt requires proof beyond a reasonable doubt.
[ link to this | view in thread ]
[ link to this | view in thread ]
Not exactly equal
A back door, while it could mean anything, conventionally would be a feature implemented in the software on the phone, that would allow anyone knowing it get around the encryption. It could be anything like a hidden key on the phone, a software service that would leak a few bits of the encryption key, etc. The point is that all the info is on the phone and thus can be found out by only looking at the phone OS and, once found out, can be utilized by having only the phone.
A golden key, on the other hand, is controlled by the phone manufacturer, so utilizing it means their help. Now true, that by a golden key, the WP authors probably really meant a single key, so if that leaks that would make the two equal. The 'golden key', could however be a per phone one (stored or generated on demand at the manufacturers) which would mean that just because the law enforcement guys got hold of a key, they cannot pass it on two the criminals or the other agencies to use it to unlock other phones. Of course, criminals could still steal these from the phone manufacturers which is a real danger.
I agree with you that phones (AND clould storages!) should be encrypted, just saying that the threat level is not 100% equal in both cases.
Also, even if google and apple give in, criminals and privacy aware citizens will still be able to get around this with custom ROMs. At least in the case of android.
[ link to this | view in thread ]