White House Takes The Cowardly Option: Refuses To Say No To Encryption Backdoors, Will Quietly Ask Companies

from the ridiculous dept

Fri, Oct 9th 2015 8:13am — Mike Masnick

Last month, we wrote about a document leaked to the Washington Post that showed the three "options" that the White House was considering for responding to the debate about backdooring encryption. The document made it clear that the White House knew that there was zero chance that any legislation mandating encryption backdoors would pass. But the question then was what to do about it: take a strong stand on the importance of freedom and privacy, and make it clear that the US would not mandate backdoors... or take the sleazy way out and say "no new legislation for now." As we said at the time, option 1 was the only real option. You take a stand. You talk about the importance of encryption in protecting the public.

However, it appears that the White House has taken the cowardly approach. Yesterday, the leading voice in favor of mandating encryption backdoors, FBI Director James Comey, announced that the administration would not push for legislation to mandate backdoors... for now. But it will still push for backdoors quietly behind doors with companies.

After months of deliberation, the Obama administration has made a long-awaited decision on the thorny issue of how to deal with encrypted communications: It will not — for now — call for legislation requiring companies to decode messages for law enforcement.

Rather, the administration will continue trying to persuade companies that have moved to encrypt their customers’ data to create a way for the government to still peer into people’s data when needed for criminal or terrorism investigations.

“The administration has decided not to seek a legislative remedy now, but it makes sense to continue the conversations with industry,” FBI Director James B. Comey said at a Senate hearing Thursday of the Homeland Security and Governmental Affairs Committee.

This is a totally bullshit response. Of course the administration isn't asking for legislation: because everyone knows (1) it couldn't pass and (2) it would be a really, really stupid thing to ask for. In that leaked document last month, the administration noted that with this option public interest groups "would likely see this outcome as a solid win." They're wrong. This option is bullshit. It's one notch up from literally "the least they could do." It doesn't help anyone. It provides cover to countries that do want to undermine the tech industry and mandate backdoors. It leaves open the ways to pressure tech companies to secretly include backdoors that undermine everyone's safety. And, worst of all, it takes away any and all "high ground" positions for the administration to point out that it doesn't want to undermine the safety and security of the American public.

In short, the administration didn't take the strong stand when the strong stand was the only feasible path. There are enough people within the administration who know this is the stupid choice, and yet they still took it. A very weak move from an administration that should know better (and does know better), just to please some technologically-clueless law enforcement folks.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cybersecurity, encryption, encryption backdoors, going dark, james comey, obama administration, white house

36 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

That One Guy (profile), 9 Oct 2015 @ 7:35am

"Safety? Please, our ability to spy on you trumps your right to privacy and security."
“The administration has decided not to seek a legislative remedy now, but it makes sense to continue the conversations with industry,” FBI Director James B. Comey said at a Senate hearing Thursday of the Homeland Security and Governmental Affairs Committee.

One more time with feeling:

The 'conversation' is over, and has been for decades.

They're asking for the impossible with 'secure' broken encryption. Not 'difficult', not even 'extremely difficult' but flat out impossible. Encryption with a baked in vulnerability is by definition not secure. They know it, the tech companies know it, anyone with even the slightest bit of knowledge regarding any form of security knows it.

That they continue to push for breaking encryption like this is just another piece of evidence showing that they don't give a damn about the public's safety, all they care about is that they be able to do whatever they want with the least amount of interference. Put the public at risk by intentionally sabotaging the security that protects their private information, from emails to banking? Why should they care, it's not their data at risk, and so long as they can grab as much data as they want, so what if others do the same?
[ link to this | view in chronology ]
- Ninja (profile), 9 Oct 2015 @ 10:59am
  
  Re: "Safety? Please, our ability to spy on you trumps your right to privacy and security."
  Oh but you just need a bit of magic and you'll get a perfect golden key, surely the bright technical minds can do it!
  
  Remember, magic!
  [ link to this | view in chronology ]
Anonymous Coward, 9 Oct 2015 @ 8:21am

time to burn my windows machine and start trying to find microchip developers who don't bake vulnerabilities into their firmware
[ link to this | view in chronology ]
- Aaron Walkhouse (profile), 9 Oct 2015 @ 8:40am
  
  Almost anything that predates Vista [2005?] should be safe,
  and they're not too slow for most uses other than the newest
  games. Look for ACPI motherboards without UEFI, max out the
  RAM and the CPU speed and it should last you quite a while.
  [ link to this | view in chronology ]
  - Aaron Walkhouse (profile), 9 Oct 2015 @ 8:43am
    
    And if you use Windows stick to XP pro or Server 2003.
    Anything after that is not as trustworthy.
    [ link to this | view in chronology ]
    - Anonymous Coward, 9 Oct 2015 @ 10:00am
      
      Re:
      Nothing is safe. Not Windows XP (still better then 8 & 10, do to the lack of DRMed software and spyware), not Linux, no Mac OS X, not anything. The NSA as security vulnerabilities on all popular operating systems, whether, they wore put the on purpose or not. There more, they have a program that brute forces anything they don't have vulnerabilities for.
      [ link to this | view in chronology ]
  - techflaws (profile), 9 Oct 2015 @ 10:28pm
    
    Re:
    Almost anything that predates Vista [2005?] should be safe
    
    Really?
    [ link to this | view in chronology ]
    - Aaron Walkhouse (profile), 10 Oct 2015 @ 8:06am
      
      That NSAKEY oddity never amounted to anything.
      
      My point is that pre-UEFI motherboards are far
      less vulnerable to BIOS infection and offer no
      obstructions to installing an operating system
      of your choice and your choice alone; even if
      you built it from scratch.
      
      It's a bonus that they still perform well enough
      for most uses, partly why PC sales are down lately. ;]
      [ link to this | view in chronology ]
Anonymous Coward, 9 Oct 2015 @ 8:37am

Let's hope we can get Bernie Sanders to kill any left-over attempt to backdoor American technology when he becomes president - and this time for good (by supporting legislation that achieves that, too, not just new policies - right now Obama/NSA/FBI/DEA/etc are all actively fighting against any serious privacy/anti-spying legislation).
[ link to this | view in chronology ]
- Anonymous Coward, 9 Oct 2015 @ 11:51am
  
  Re:
  He is a BIG Government guy. What makes you think he will roll anything back. If he were to get elected it would be expansion and growth of these types of things.
  [ link to this | view in chronology ]
  - Anonymous Coward, 10 Oct 2015 @ 4:54am
    
    Re: Re:
    Because his voting record is consistently against things like gov spying?
    [ link to this | view in chronology ]
    - Anonymous Coward, 13 Oct 2015 @ 6:36am
      
      Re: Re: Re:
      Will he oppose Big Brother when he is Big Brother?
      [ link to this | view in chronology ]
      - Wendy Cockcroft, 13 Oct 2015 @ 7:40am
        
        Re: Re: Re: Re:
        We can only hope. Let's give him a chance, shall we?
        [ link to this | view in chronology ]
Ben Dover, 9 Oct 2015 @ 8:44am

Are you suffocating there James?
James B. Comey - I know you're all about putting it to the backdoor, but seriously, pull your head out of your ass before you die from asphyxiation. You've already had your head there so long that you're nearly brain dead. If you want to continue to "exist" as a mental vegetable then do yourself a favor and remove your head from your ass.

The entire world KNOWS that there is absolutely no way to backdoor encryption without breaking it.
[ link to this | view in chronology ]
Anonymous Hero, 9 Oct 2015 @ 9:07am

In other words, "we tried having a public debate, but we disagreed with the public, so moving forward, we're going to exclude the public from the debate."
[ link to this | view in chronology ]
Anonymous Coward, 9 Oct 2015 @ 9:12am

Obvious Obama Administration Position
And the American people will pay the backroom bribes for the backdoors to their stuff.
[ link to this | view in chronology ]
NeghVar (profile), 9 Oct 2015 @ 9:49am

open-source
Don't expect the open-source communities to comply
[ link to this | view in chronology ]
- Anonymous Coward, 9 Oct 2015 @ 11:42am
  
  Re: open-source
  Yes, and this means now more than ever you can no longer trust anything closed source from America.
  [ link to this | view in chronology ]
- art guerrilla (profile), 9 Oct 2015 @ 3:33pm
  
  Re: open-source
  you are assuming the 'open source' hive mind would know...
  they may very well not, for all kinds of reasons...
  
  moles, social engineering, bribery, threats, or other means of injecting the alphabet spook's code could/would be used...
  how would 99.999% of have any knowledge of such sophisticated attacks ? ? ?
  
  zey haf vays uf maching you sprech...
  [ link to this | view in chronology ]
  - Uriel-238 (profile), 9 Oct 2015 @ 3:56pm
    
    The Open Source Hive Mind has been pretty forthright before.
    When the NSA was pushing the Eliptic Curve Random Number Generator (allegedly at the time to improve crypto strength), plenty of people saw that it could be a flawed algo that might have an exploitable weakness. Jokes were even made about the NSA baking in a backdoor.
    
    So the Open Source sector has detected these things before, and were distracted by social politics within the project. Now they have cause to be paranoid about it. I suspect they'll jump on any discovered exploit like Americans on a disruptive airline passenger.
    [ link to this | view in chronology ]
Adrian Lopez, 9 Oct 2015 @ 10:36am

Initially, in a democracy, the government looks out for the people. In the end, the government looks out for itself.
[ link to this | view in chronology ]
- Uriel-238 (profile), 9 Oct 2015 @ 11:33am
  
  Jerry Pournelle's Iron Law of Bureaucracy
  In truth it applies to specific agencies, not the government as a whole (as it's too big and will go through changes and reforms).
  
  But yeah, future administrations are going to have to be engineered to curb this problem.
  
  But long before Bush and Obama have our administrations been looking out for themselves, or their plutarch masters before their alleged bosses, the American People.
  [ link to this | view in chronology ]
Anon, 9 Oct 2015 @ 11:01am

Also...
How secret will a secret back door be? After all, it only takes one person in the know to blab. Unless the backdoor software is handed to by the NSA, there will be a decent sized contingent of people who know of the project. All it takes is one to blab - and what are the odds one will develop a conscience, or find themselves with cancer and 4 months to live, or move home to and willingly tell the world since they can't be punished. Once the cat is out of the bag, the hunt will intensify for the elusive code. Plus, if there's a technique for "unlocking" then the key code will be platinum - would make a good basis for a spy thriller, no doubt.

Plus, any critical code is obviously torn apart by every major country's version of the NSA, just looking for such back doors. Suggesting they may appear will simply make those foreign agencies more paranoid.

I don't give the white house credit for this being a clever fake-out to make foreign agencies work overtime looking for nothing. More likely, I expect it to be a version of the old Law & Order tactic - "you can give us what we want, or we'll call the Health Inspector and every other regulatory agency and tie you up in knots for the next 5 years..."
[ link to this | view in chronology ]
Uriel-238 (profile), 9 Oct 2015 @ 11:40am

This is how it's going to go down.
Someone is going to say yes, and bake in their secret backdoor and probably get paid big bucks.

Someone within that company is going to leak that there is a secret back door, and probably a couple of clues as to how to crack it.

Someone will crack it. If they're smart, since whitehats get prosecuted these days, they'll go totally blackhat and use it for their own exploits.

Someone will realize they got hacked

The company will dismiss it as a aberration, probably human error.

More people will get hacked. The backdoor will seep into the cracking community.

At that point, with no way to trace it back to the leaks or the original cracking research, the backdoor will go public. Whitehats will quickly determine the back-door is not an exploit, but was willfully baked in.

The company will lose all its user trust, as will the United States. As will any software exports from the US.
[ link to this | view in chronology ]
- Anonymous Coward, 9 Oct 2015 @ 1:52pm
  
  Re: This is how it's going to go down.
  Then those involved re-incorporate under new names and repeat the cycle.
  [ link to this | view in chronology ]
Will-INI (profile), 9 Oct 2015 @ 1:07pm

This looks like a punt to me. They're trying to keep the FBI and NSA happy so they'll do this. But it's obvious they don't really care about it.
[ link to this | view in chronology ]
Anonymous Coward, 9 Oct 2015 @ 2:48pm

State Actors
Don't forget everyone they are no longer 3rd parties once they begin working with the government to circumvent your rights.
[ link to this | view in chronology ]
Anonymous Coward, 9 Oct 2015 @ 4:52pm

Bend over America, the Chinese have found your back door.
[ link to this | view in chronology ]
Anonymous Coward, 10 Oct 2015 @ 3:18pm

Backdoor access to cellphones is what everyone's after. The government administrations wants to be able to defeat cellphone encryption so they can spy on voice and text conversations.

Cellphones will never be secure so long as the baseband radio transceiver's processor remains a black box full of secret closed-source backdoor exploits.

The best privacy advocates can do is to connect separate hardware devices to their cellphones for handling the encryption process. Hardware encryption devices such as JackPair (http://www.jackpair.com).

This way cellphones can be completely compromised and it doesn't matter. The cellphone is simply being used as a modem to the internet. Leaving the end-to-end encryption task to the uncompromised hardware device running free software.
[ link to this | view in chronology ]
- John Fenderson (profile), 12 Oct 2015 @ 4:03pm
  
  Re:
  If it were impossible to effectively encrypt things on your cellphone, then the US would not be freaking out about cellphone encryption.
  [ link to this | view in chronology ]
sam1am (profile), 12 Oct 2015 @ 11:21am

People are already looking for alternatives to American companies for anything where data security is essential. If a company is subject to national security letters, they can't be fully trusted. Now, this. This move will only ensure that security companies under the jurisdiction of the US government suffer while overseas companies increasingly secure American business.
[ link to this | view in chronology ]
GEMont, 13 Oct 2015 @ 1:28am

Predictable as flies finding turds
"Rather, the administration will continue trying to persuade companies that have moved to encrypt their customers’ data to create a way for the government to still peer into people’s data when needed for criminal or terrorism investigations."

An excerpt from my response to the techdirt article:
Former NSA Directors Coming Out Strongly *Against* Backdooring Encryption - October 8

"Tell the public that back doors are not cool and that we're dropping that whole idea in the waste basket, then secretly add back-doors to everything the public touches, using public money to bribe companies where possible, and when necessary, secret legislation to force the issue with the companies that balk at the idea."

Looks like the Admin has decided to go back to doing things the old way, like the spy bosses want - secretly, behind the backs of Americans, using tax payer money for bribes and secret laws to make the criminal activities of the agencies legal and to force the companies that refuse to play ball, to assist in the crimes, or pay the price.

Its obvious that the "persuasion" is already underway.

Wonder if the secret legislation is already in effect.

---
[ link to this | view in chronology ]
- Uriel-238 (profile), 13 Oct 2015 @ 2:24am
  
  Re: Predictable as flies finding turds
  It does make for a fantasy that open source options will get better funding, because there won't be any secret back doors in code you compile yourself.
  [ link to this | view in chronology ]
  - John Fenderson (profile), 13 Oct 2015 @ 5:28am
    
    Re: Re: Predictable as flies finding turds
    To be technical, it is less likely that there is a backdoor in code you've personally examined, but there's no guarantee of it. It's possible to backdoor things in a way that requires so much examination to find that it can remain effectively hidden.
    
    The canonical example is Ken Thompson's login hack: http://scienceblogs.com/goodmath/2007/04/15/strange-loops-dennis-ritchie-a/
    [ link to this | view in chronology ]
    - Uriel-238 (profile), 13 Oct 2015 @ 12:17pm
      
      Compilers that are compiled by the previous iteration
      This is a really dangerous practice, using the previous compiler to compile the next. What stops bugs from endlessly being inserted during compilation this way?
      
      I'd think if you wanted a clean compile you'd need it run by an original, assembler-written compiler, yes?
      
      And then the base compiler is sustained on its own and used only to compile the C-Compiler.
      
      A really bad case scenario: The NSA inserts their backdoor scheme into a commonly used C-compiler, and gets away with it for years. Then China gets a hold of the backdoor scheme (which is now in everything used in the US and much of Europe) and disseminates it to black-hat channels for maximum damage.
      
      Then, not only is everything exposed, but it can't be easily fixed without going back to a way outdated iteration.
      
      It's pretty scary.
      [ link to this | view in chronology ]
    - GEMont, 13 Oct 2015 @ 2:32pm
      
      Re: Re: Re: Predictable as flies finding turds
      "...less likely that there is a backdoor in code you've personally examined..."
      
      And it will behoove the snoop and scoop agencies to use more secret laws and whatever amount of tax-payer and drug-sale money necessary to insure that open source is at least partially compromised, since it will soon be the only choice left.
      
      What good is paying/forcing companies to put back-doors in their communications devices if the public can just switch to open-source coded devices?
      
      I see a huge agency-driven anti-marketing scheme in the future - a massively covered media scandal - where a well known open source product line will be "discovered" to be "evil".
      
      The best way to prevent open source from becoming the choice of a nation, is to scare folks away from it and make it look dangerous or criminal.
      
      A cheaper method than trying to find ways to add hidden back doors in user compiled software and a tried and true means of misdirection that has regularly proven effective in making Americans avoid something beneficial in the past.
      
      ---
      [ link to this | view in chronology ]