Just As FBI Looks To Undermine Encryption, Federal Government Searches For Better Encryption

(Mis)Uses of Technology

from the left-hand,-right-hand dept

Thu, Jul 9th 2015 11:43am — Mike Masnick

One of the most bizarre points that became clear in yesterday's Senate hearings on encryption was that many Senators are so focused on the big bad threat of theoretical ISIS violence in the US, that they don't understand the very real (and not at all theoretical) threat of our personal data that is being hacked into and exposed on a regular basis, often due to a lack of encryption. The ACLU's Chris Soghoian summed it up nicely with the following tweet:

Congress: OPM should have encrypted federal employee data. Congress: Apple has blood on its hands for encrypting user data. Got it?
— Christopher Soghoian (@csoghoian) July 8, 2015

If you can't read it, it says:

Congress: OPM should have encrypted federal employee data.

Congress: Apple has blood on its hands for encrypting user data.

Got it?

Indeed, there has been plenty of talk, including from Congress, over the fact that the Office of Personnel Management, whose computers were hacked to reveal all sorts of information on government employees (past and present), didn't use encryption, in part because their computers were too old. To be fair, there are indications that encryption might not have mattered that much, since the hackers allegedly got working credentials to access the system, and thus may have been able to decrypt anything anyway.

However, it does seem quite telling that at the same time Congress is freaking out about the supposed evils of encryption, the National Institute of Standards and Technology (NIST) is trying to design a better system for encrypting emails via end-to-end encryption -- the very thing that the FBI and some Senators have been complaining about.

The National Institute of Standards and Technology is designing a “security platform” to authenticate mail servers using crytographic keys. The platform would let individual users encrypt emails.

The system aims to “provide Internet users confidence that entities to which they believe they are connecting are the entities to which they are actually connecting," according to a NIST draft report on the topic. A subpar system, the draft said, could result in "unauthorized parties being able to read or modify supposedly secure information, or to use email as a vector for inserting malware into the system," among other consequences. The draft report is open for comment until Aug. 14, 2015.

NIST soon plans to issue Federal Register notices to vendors developing individual parts of the end-to-end system.

In other words, as clueless Senators and FBI officials demand ways to undermine end-to-end encryption, the folks who actually understand technology (NIST) are asking for stronger end-to-end encryption. Perhaps, instead of letting FBI director James Comey prattle on about how he doesn't actually understand this stuff (as he said repeatedly), the Senators could have someone from NIST explain why end-to-end encryption is so important.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: encryption, fbi, nist, privacy, security

13 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 9 Jul 2015 @ 12:13pm

Entire US infrastructure is currently vulnerable to attack,
so the FBI wants to further weaken encryption?

Wake up & smell the bacon (oops, not a good thing to say in front of Congress)!

Forget about ISIS on Facebook; we're at far greater risk from ISIS in our power plants, communications networks, banking networks, etc.
[ link to this | view in chronology ]
- Anonymous Coward, 10 Jul 2015 @ 6:46am
  
  Re: Entire US infrastructure is currently vulnerable to attack,
  Critical infrastructure has no business being connected to the internet. The only reason this is being done is because some people are lazy, stupid and cheap.
  [ link to this | view in chronology ]
jilocasin (profile), 9 Jul 2015 @ 12:22pm

Almost right.....
The quote makes perfect sense if you include the missing part.

Congress: OPM [the governmet] should have encrypted federal employee data.

Congress: Apple [not the government] has blood on its hands for encrypting user data.

There, does that help?

Congress is all for encryption that they can use to keep them safe.

On the other hand Congress is against encryption when it it used by others and thwarts their ability to run roughshod over the Constitution.

The government had mostly unencrypted access to everyone's data, as long as they followed the Constitution and did so legally. Since they have demonstrated that they can't help themselves, now they have to deal with mostly encrypted access to everyone's data.

It's their [the governments] own short sightedness that has caused this problem. No amount of;

"We only want to access data legally, with a court order..."

Is going to be believed.... nor should it be.
[ link to this | view in chronology ]
Anonymous Coward, 9 Jul 2015 @ 1:25pm

I don't know how this can be explained to the FBI more easily than either you let people use encryption or you ban encryption. There's nothing in the middle.

I'm sure FBI agents use off the shelf Apple and Android phones. Are they comfortable with China having a means to decrypt those phones? Because if one government can demand access, then every government can and going forward, China may very well be a more important market than the US.

They aren't saying it, but I think the government wants either key escrow or to have all messages encrypted with their public key. They think it's as easy as convincing Apple and Google to cooperate, but the reality is that this is all just mathematics. And it isn't terribly difficult to create new secure communication apps. Once you exchange a secret key (and this can be demonstrated to school children or FBI administrators with finger paints), secure communication is relatively easy. Since the FBI can't force rogue developers to include escrow or the FBI public keys, the only option is to make it illegal to use encryption.
[ link to this | view in chronology ]
Anonymous Coward, 9 Jul 2015 @ 1:38pm

Body of idiots
Congress would debate the wisdom of using toilet paper if there was hay to be made over it. Never underestimate the avarice of a politician, they make prostitutes and con men seem shy.
[ link to this | view in chronology ]
Anonymous Coward, 9 Jul 2015 @ 2:12pm

NIST... not a very good example, considering they've been successfully undermined by the NSA before (with regard to encryption tools).
[ link to this | view in chronology ]
- tqk (profile), 10 Jul 2015 @ 7:43am
  
  Re:
  NIST... not a very good example, considering they've been successfully undermined by the NSA before ...
  
  I remember NIST was mortified when that came out. They retired their own "standard" upon learning it was intentionally broken (aka. back doored).
  [ link to this | view in chronology ]
Seegras (profile), 9 Jul 2015 @ 3:13pm

Co mey stupid or what?
What I really don't understand is how this FBI guy could even _mention_ the idea of banning crypto. I totally understand that some fuckwit like Cameron (like his predecessor Fox who likes to play into the hands of tyrants and features the same spine) is babbling somesuch nonsense.

But I'd actually expect the head of the FBI to at least get informed by its own department that this is a very bad idea, and prevented from making himself the laughing stock of security and law-enforcement professionals.

Since the bright guys at the FBI couldn't manage to keep their boss from blathering such nonsense, and couldn't have him removed immediately after he did it, I can only surmise that a) he's either convinced it's really a good idea, which put him on par with people that think the odds of winning in russian roulette are quite good, or b) he knows exactly how bad this is and supresses any sane voice within the FBI, because he's actually craving for the next Führer.

Henlons razor states that you should never attribute malice for things that can adequately explained by stupidity, so I must assume Mr. Comey is not a fascist, but instead must conclude that he is is just utterly, abysmally, stupid.
[ link to this | view in chronology ]
Anonymous Coward, 9 Jul 2015 @ 3:35pm

Isn’t obvious to congress that the people (as in We The People) don’t want backdoors in their encryption? Isn’t the recent drive for encryption because the government has violated the trust of the people (We The People)? Are they going to pass a law that says you can not use any encryption except backdoored encryption and would that law pass constitutional muster?

Why is it so hard to understand that any backdoored encryption can be accessed by those other than whom the back door is intended for? Hasn’t recent history made that obvious?
[ link to this | view in chronology ]
- Anonymous Coward, 9 Jul 2015 @ 4:10pm
  
  Re:
  Why is it so hard to understand that any backdoored encryption can be accessed by those other than whom the back door is intended for?
  
  Just presume that FBI Director Comey does indeed understand that. The FBI is the leading domestic counterintelligence agency. So then, where does that train of thought lead you?
  
  Why would our head of counterintelligence urge us to deploy defective defenses?
  [ link to this | view in chronology ]
  - tqk (profile), 10 Jul 2015 @ 7:59am
    
    Re: Re:
    The FBI is the leading domestic counterintelligence agency. [...] Why would our head of counterintelligence urge us to deploy defective defenses?
    
    "Why would our head of domestic counterintelligence urge us to deploy defective defenses?"
    
    You dropped something there. Fixed. Guess who that makes Comey's adversaries. He's not focusing on defending the citizenry. He's annoyed he can't yet find a way to put you in jail.
    [ link to this | view in chronology ]
- Anonymous Coward, 10 Jul 2015 @ 4:16am
  
  Re:
  > Isn’t obvious to congress that the people (as in We The People) don’t want backdoors in their encryption?
  
  You would be surprised. My family got together last weekend and, as is usual at family functions, lots of arguments were had. ISIS was mentioned and then a whole discussion around security and privacy ensued. Out of 25 people there, I was literally the only one who though strong encryption was important.
  
  Some people want encryption, others do not.
  [ link to this | view in chronology ]
Lex Noctem (profile), 9 Jul 2015 @ 6:25pm

Wrong people
Not to be pedantic or anything, but the tweet's completely inaccurate. Members of Congress have said all sorts of things, but that's not the same thing as Congress itself doing things. Also, it was the Executive Branch that was testifying at the hearing yesterday.

Really, really sloppy thinking.
[ link to this | view in chronology ]