Hillary Clinton Wants A 'Manhattan Project' For Encryption... But Not A Back Door. That Makes No Sense
from the politics-is-dumb dept
In the Democratic Presidential debate on Saturday night, Hillary Clinton followed up on her recent nonsensical arguments about why Silicon Valley has to "solve" the problem of encryption. As we've noted, it was pretty clear that she didn't fully understand the issue, and that was even more evident with her comments on Saturday night.Here's what's clear: she's trying to do the old politician's trick of attempting to appease everyone with vague ideas that allow her to tap dance around the facts.
First, she proposed a "Manhattan-like project" to create more cooperation between tech companies and the government in fighting terrorism. The Manhattan Project was the project during World War II where a bunch of scientists were sent out to the desert to build an atomic bomb. But they had a specific goal of "build this." Here, the goal is much more vague and totally meaningless: have tech and government work together to stop bad people. How do you even do that? The only suggestion that has been made so far -- and the language around which Clinton has been echoing -- has been to undermine encryption with backdoors.
However, since that resulted in a (quite reasonable) backlash from basically anyone who knows anything about computer security, we get the second statement from Clinton that she doesn't want backdoors.
"Maybe the back door isn't the right door, and I understand what Apple and others are saying about that. I just think there's got to be a way, and I would hope that our tech companies would work with government to figure that out."No, she clearly does not understand what Apple and others are saying about that. Just a week or so ago, she insisted that Apple's complaint about it was that it might lead to the government invading users' privacy, but that's only a part of the concern. The real concern is that backdooring encryption means that everyone is more exposed to everyone, including malicious hackers. You create a backdoor and you open up the ability for malicious hackers from everywhere else to get in.
So, she's trying to walk this ridiculously stupid line in trying to appease everyone. She wants the security/intelligence officials to hear "Oh, I'll get Silicon Valley to deal with the 'going dark' thing you're so scared of," and she wants the tech world to hear "Backdoors aren't the answer." But, that leaves a giant "HUH?!?" in the middle.
It seems to come down to this: None of the candidates for president appear to have the slightest clue how encryption or computer security work and that allows them to make statements like this that are totally nonsensical, while believing that they make sense.
The issue, again, is that what they're really asking for is "Can you make a technology where only 'good' people can use it safely, and everyone else cannot?" And the answer to that question is to point out how absolutely astoundingly stupid the question is. Because there's no way to objectively determine who is "good" and who is "bad," and thus the only possible response is to create code that really thinks everyone is "bad." And to do that, you have to completely undermine basic security practices..
So this whole idea of "if we just throw smart people in a room, they'll figure it out" is wrong. It's starting from the wrong premise that there's some sort of magic formula for "good people" and "bad people." And without understanding that basic fact, the policy proposals being tossed out are nothing short of ridiculous.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: encryption, going dark, hillary clinton, manhattan project, silicon valley
Reader Comments
Subscribe: RSS
View by: Time | Thread
Not quite. She still wants broken encryption, she just wants to call it something else.
"Maybe the back door isn't the right door, and I understand what Apple and others are saying about that. I just think there's got to be a way, and I would hope that our tech companies would work with government to figure that out."
That's not 'backdoors in encryption are bad', that's 'holes in encryption are good, but because of the backlash I'll ask for them by another name'.
It seems to come down to this: None of the candidates for president appear to have the slightest clue how encryption or computer security work and that allows them to make statements like this that are totally nonsensical, while believing that they make sense.
As I've noted before, and will continue to note: She and others who make the same claims absolutely do know that they're asking for the impossible, they simply don't care.
The only way they might not know is if they've intentionally kept themselves willfully ignorant on the subject, and that's not any better.
[ link to this | view in chronology ]
Re:
Sorry, no.
[ link to this | view in chronology ]
Re: Re:
Crippling encryption to catch criminals is like chopping off someone's arm to deal with a paper-cut. The proposed 'solution' is massively more damaging than the 'problem'.
[ link to this | view in chronology ]
Re: Re: Re:
The internet has never been a secure space, due to asshole hackers. And it never will be. Ever. Anyone that uses it for things they want kept private is a moron.
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
However, the core point stands, adding built in security vulnerabilities to deal with a minuscule problem is a colossally foolish and counter-productive idea. The number of criminals that evade the police and/or government via encryption are tiny in comparison to the number of crimes prevented by encryption. Better security is always going to be a good thing for the public, and if it makes the jobs of the police and government more difficult than they want it to be, tough.
[ link to this | view in chronology ]
Re: Re: Re: Re:
That, by the way, would be you.
Oh, you might not mean to, and you probably don't even know that's what you're doing. But, even if you don't personally use the internet for anything other than posting anonymous comments on forums, the places you bank, shop, work and deal with in any way almost certainly uses some form of encryption over the internet. Huge amounts of modern business is only possible because of online encryption, and very few of those businesses are doing so on their own private dedicated connections.
Which is part of the reason why this is such a big issue. Even if you've never used a VPN, SSH shell or SSL login in your life, your safety will be compromised.
[ link to this | view in chronology ]
so uhh....
how about mass wire-tapping?
how about mass mail/package searches?
[ link to this | view in chronology ]
Re: so uhh....
Care to try again?
[ link to this | view in chronology ]
Re: Re: so uhh....
[ link to this | view in chronology ]
Re: Re: so uhh....
Care to try again?
[ link to this | view in chronology ]
Re: Re: so uhh....
Yet, they manage to do so without demanding backdoors that would allow others to listen to phone calls and intercept mail from people they are not currently investigating.
Do you see the difference? They're not merely asking for the ability to listen to phone calls, they're asking for every phone to do this automatically for anyone who asks.
[ link to this | view in chronology ]
Re: Re:
According to you, law enforcement already can tap into Internet communications, by means of using "asshole hackers".
I am glad that you are in agreement that further weakening security, to increase the number of asshole hackers, is unnecessary.
[ link to this | view in chronology ]
Re: Re:
Sorry - if you don't understand the technology, you shouldn't be making half-baked statements like that. It makes you sound just as out of touch as Hillary.
[ link to this | view in chronology ]
Re: Re:
Not directly, no. There needs to be a judge and a comms carrier in the way.
police => judge => warrant => carrier
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
I was talking purely about procedure. I think someone else posted before I did along the lines of "if law enforcement gets crud, then hard-cheese". And I agree with that 100%.
[ link to this | view in chronology ]
Re:
I suspect money is involved...
[ link to this | view in chronology ]
Re: Politicians and absolutes
There is no bargaining stance that they can assume for or against the absolute of encryption where they leave the table with a win. They can only mitigate eventual failure through the strategies we keep seeing; keep rephrasing the problem, "we did everything we could"; transfer the failure, "if only those smart people at the tech companies would try harder" and "it's not my fault - they didn't try hard enough".
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
There already is an Encryption Manhattan project
[ link to this | view in chronology ]
Re: There already is an Encryption Manhattan project
[ link to this | view in chronology ]
Re: Re: There already is an Encryption Manhattan project
[ link to this | view in chronology ]
Re: Re: Re: There already is an Encryption Manhattan project
[ link to this | view in chronology ]
That's exactly what you do when it comes to talking about whether we should have copyright, Mike! HILARIOUS!!!!
[ link to this | view in chronology ]
Re:
https://www.techdirt.com/articles/20130404/03365722575/dmca-as-censorship -chilling-effects-research.shtml#c825
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
She also said..
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Bob Dylan's reply
Back door too
Blind's pulled down
What you gonna do
[ link to this | view in chronology ]
Re: Bob Dylan's reply
[ link to this | view in chronology ]
You have just has a hissy fit over someone gaining access to information you thought was private, so why are you objecting to people wishing to keep their data private.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
If, as could be argued to be the case, technology advances to the point where people are able to communicate over the phone with the same level of privacy that they would enjoy talking in-person at a private location, then too bad for those that want to listen in, the privacy and security of the public trumps the police and government's desire to spy.
[ link to this | view in chronology ]
Re: Re:
They still can.
"technology advances to the point where people are able to communicate over the phone with the same level of privacy that they would enjoy talking in-person at a private location, then too bad for those that want to listen in"
No. you wanting to break the law via technology doesn't usurp the government's obligation to protect me from you.
[ link to this | view in chronology ]
Re: Re: Re:
The government is not obligated to protect me from you.
Just saying.
[ link to this | view in chronology ]
Re: Re: Re: Re:
There are plenty of sources on the internet that can help explain how government works if you're having trouble understanding this concept.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
Ahhh, the land of the free and the home of the chicken shit cowards like you. Ready to piss way freedom and make a police state because you're scared.
Grow a set of balls, coward.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
Keep paying someone else to protect you because you don't have a working set of testicles. I'm sure they love your tax dollars.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re:
I don't feel the need to take that away from them. If they can't decipher the encryption, well, that's exactly their problem now, isn't it?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Enough strawmen to fill up a dozen fields.
While you're posting anonymously.
So then, what illegal activities are you hiding, hmm?
[ link to this | view in chronology ]
Re: Enough strawmen to fill up a dozen fields.
The guy posting that he has no problem with wiretaps but says "no way" on encryption busting? Just like most everyone here, he just doesn't want to get busted for his torrenting addiction.
[ link to this | view in chronology ]
Re: Re: Enough strawmen to fill up a dozen fields.
Or, you know, have his bank accounts stolen or his work passwords stolen, or any number of other things backdoors in encryption will cause.
[ link to this | view in chronology ]
Re: Re: Re: Enough strawmen to fill up a dozen fields.
Cant say I like the odds on that one.
[ link to this | view in chronology ]
Re: Re: Re: Re: Enough strawmen to fill up a dozen fields.
Do you telecommute to work? Go to the doctor's office? Use a credit card? All of that stuff and far, far more rely on secure communication. Break that and everything you know falls apart around you.
Constantly hiding under the "Copyright Infringement" banner just shows you have absolutely no idea of the horrors you're calling for.
[ link to this | view in chronology ]
Re: Re: Re: Re: Enough strawmen to fill up a dozen fields.
Not sure what demographic you are referring to, but, it surely isn't the audence here at Techdirt:
49% over the age of 35 (74% over age 25)
61% earn over 50k/year
72% college educated
Source: https://www.quantcast.com/techdirt.com
[ link to this | view in chronology ]
Re: Re: Enough strawmen to fill up a dozen fields.
Given the number of people using it, and the processing power required to brute force it, I don't think it'll scale well, but again - please go for it!
I love it when stupid people try stupid things, fail, and then keep trying. It makes me smile.
[ link to this | view in chronology ]
Re: Re: Enough strawmen to fill up a dozen fields.
I never said that. Basically I'm saying "good luck trying."
They have your federal, state, and municipal tax dollars after all...should be pretty easy with that kind of fiscal muscle.
[ link to this | view in chronology ]
Re: Re: Enough strawmen to fill up a dozen fields.
So come now, either back up you assertion that only criminals desire privacy by providing your real name, refuse to provide your real name, and in so doing admit that you're doing so to hide your criminal activity, or retract the claim, and continue to post anonymously.
[ link to this | view in chronology ]
Re: Re: Re: Enough strawmen to fill up a dozen fields.
I'll post my name, address and phone number just as soon as you find this quote in one of my posts.
[ link to this | view in chronology ]
Re: Re: Re: Re: Enough strawmen to fill up a dozen fields.
...
I have no interest in the government not being able to do its job just so you can hide your torrenting habit.
...
Just like most everyone here, he just doesn't want to get busted for his torrenting addiction.
...
So you think Congress is going to listen to the demographic that is known for flouting laws?
Now then, your personal information if you would. Or are you really going to claim that your multiple instances of responding to people objecting to broken encryption by insisting that they're doing so to hide illegal activity isn't an argument that the only people desiring strong encryption are criminals?
Either provide your personal information as you said you would, or admit that despite your responses so far people can object to broken encryption for valid reasons that have nothing to do with wishing to hide illegal activity.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Enough strawmen to fill up a dozen fields.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Enough strawmen to fill up a dozen fields.
Step 2 is getting remedial reading lessons, idiot.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Enough strawmen to fill up a dozen fields.
To save time, I'll just copy/paste the last part until you answer it(and if anyone else wants to do the same, have at it).
Either provide your personal information as you said you would, or admit that despite your responses so far people can object to broken encryption for valid reasons that have nothing to do with wishing to hide illegal activity.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Enough strawmen to fill up a dozen fields.
Of course people can, and do object to that; your mom, for example.
It's just that most commenters on Techdirt, yourself for example, are torrent addicts, and that is why they're sweating encryption laws.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Enough strawmen to fill up a dozen fields.
"It's just that most commenters on Techdirt, yourself for example, are torrent addicts"
OK, at this point this guy is most definitely a troll. He knows everything he's saying is a lie, he's just doing it to get under everyone's skin.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Enough strawmen to fill up a dozen fields.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Enough strawmen to fill up a dozen fields.
Yeah, other trolls like Angry Dude and Avarage Joe. You're just another in a long line of people intentionally antagonizing other commenters by false accusations, insults, and dragging the discussion off topic.
The truth has outlived those trolls, it'll outlive you.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Enough strawmen to fill up a dozen fields.
Fearful of, well, everything where he's funneling federal, state, and municipal tax dollars to law enforcement so that he can be safe in his closet, under a blanket, firmly grasping his assault rifle, waiting for, something.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Enough strawmen to fill up a dozen fields.
You seem overly paranoid about torrenting. Weird.
I've actually never used BitTorrent myself. Don't even have any BitTorrent clients on my computer. And I'm quite worried about encryption issues. It's got nothing to do with copyright stuff, and everything to do with privacy.
Do you always project so much on people who actually know what they're talking about when you get into arguments?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Enough strawmen to fill up a dozen fields.
Techdirt isnt about torrenting, if you ever read ... well ANY post whatsoever
Techdirt deals with copyright law, and technology mostly, but also cyberlaws.
you sir, just made yourself look like a fool... at best, at worst, you just made yourself look like a politician.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Enough strawmen to fill up a dozen fields.
As for your repeated baseless assertions, you really need to stop projecting so much. Just because you cannot help but torrent anything and everything that catches you eye, doesn't mean the rest of us engage in similar practices.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Enough strawmen to fill up a dozen fields.
...and will the citation for this be forthcoming at any point? Rhetorical question, of course, since you are a pathological liar.
Is your life really so pathetic that you have to lie about people you've never met? I know it's easier that addressing reality, but it's not healthy to live so much time in a fantasy world.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Enough strawmen to fill up a dozen fields.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Enough strawmen to fill up a dozen fields.
[ link to this | view in chronology ]
Re: Re: Re: Re: Enough strawmen to fill up a dozen fields.
Don't want to expose your torrenting habits, criminal?
What have you got to hide?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Enough strawmen to fill up a dozen fields.
I have no problem them getting my name, address, phone number and any other info under those same conditions.
Now if only TOG hadn't made up a quote, he could have gotten the same. But now he'll need a warrant :)
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Enough strawmen to fill up a dozen fields.
Not so, I don't need to provide anything more than I already have, or wouldn't anyway were you honest enough to own up to your own words.
You implied, multiple times, that the only reason someone could desire privacy and/or protest against breaking encryption was to hide criminal actions. I called you out on it. You then said:
I'll post my name, address and phone number just as soon as you find this quote in one of my posts.
I did so by posting several examples where you implied without any subtlety at all that the reason people were objecting to breaking encryption was to hide illegal actions, giving you the option to either admit to being wrong, admit to being a criminal, or stand behind your claims and provide your personal data. You dishonestly dodged again, choosing instead to respond with a grade-school level 'your mother' insult.
If you're going to lie, at least realize that people are able to read what's been posted, and adjust your lies accordingly. Claiming 'I haven't said X', when people can simply scroll up and see that you absolutely have for example is not the best way to dishonestly defend your position.
[ link to this | view in chronology ]
Re: Re: Enough strawmen to fill up a dozen fields.
I actually have no idea who you are. I could dig your IP address out of the files, but I haven't and I don't know anything more about you other than you seem woefully uninformed about encryption.
So feel free to enlighten us.
[ link to this | view in chronology ]
Re: Re: Enough strawmen to fill up a dozen fields.
Mind posting exactly where you're posting from and who you are? And don't try lying to me because I'll know if you do, because I'm Santa Claus, fo real.
[ link to this | view in chronology ]
Re: Re: Enough strawmen to fill up a dozen fields.
Meanwhile, outside of your fantasy world, what people are actually talking about are the vital technologies used by banking and virtually every other kind of business to keep financial and private information safe.
It's sad, really. We're talking about undermining every sector of the modern world, and all you people can think about is whether people are getting MP3s. You can't stop lying about people even on unrelated conversations. But those strawmen keep you from realising what's happening in the real world, I suppose...
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
If anyone brings up that point, you tend to not ever respond.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re:
And all without pay! Doesn't cost us a cent. That's amazing!
Keep paying someone else to protect you because you don't have a working set of testicles. I'm sure they love your tax dollars.
If they could just find someone to protect us for FREE like the military does!
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
If I encrypt my communications and don't tell anyone the key and no one else figures it out, unless they spend an insane amount of time bruteforcing they'll never get what I encrypted. If they make it so everyone has to use a backdoored algorithm people will just encrypt with something that hasn't been backdoored.
There isn't really a law against math so they won't be able to stop people from creating new non-backdoored encryption. If they make non-backdoored encryption illegal... well I'd really like to see them try to enforce that.
Pro-Surveillance people should probably get a better understanding of how technology actually works before trying to win impossible battles. It might make them look a little less silly too. ^.^
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
The government is not required to protect your ass. You're on your own.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
http://www.nytimes.com/2005/06/28/politics/justices-rule-police-do-not-have-a-constitutional-duty -to-protect-someone.html?_r=0
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
http://www.nytimes.com/2005/06/28/politics/justices-rule-police-do-not-have-a-constitutional-duty-to -protect-someone.html?_r=0
Hmm...are you really, really, really sure?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
Said the guy using the Obama fallacy of "I'm here to protect the American people" rather than what he's sworn to do: uphold the constitution.
[ link to this | view in chronology ]
Re: Re: Re:
Unless you're using an electronic device to communicate, at which point both you and them are insisting that no, you are not allowed any privacy.
No. you wanting to break the law via technology doesn't usurp the government's obligation to protect me from you.
Nice strawman, but no, you don't get to sacrifice my privacy and security just so you can enjoy a false sense of security.
Sorry to break it to you, but the rights of people to privacy, and the security protecting countless aspects of their life(banking, email, health information) are both vastly more valuable than your sense of security and the government's voyeuristic fetish.
[ link to this | view in chronology ]
Re: Re: Re:really?
[ link to this | view in chronology ]
Re: Re: Re: Re:really?
If you really believe that, then you're delusional.
[ link to this | view in chronology ]
Re:
You are, apparently, totally unaware of how a cost-benefit analysis works, huh?
The issue here is not just the ability to tap internet communications. If it were just that, I don't think many would complain. Tapping phone is mostly possible to only be limited to law enforcement. But that's not the case with internet communications. Because it's software based, and because of the nature of encryption, opening up a backdoor puts everyone at significant risk. The "benefits" are much smaller than the "costs."
Your simplistic "well we do it for telephones" misses the point in a huge way.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
All telephone communication goes through one of a few central hubs, so tapping the communication securely is relatively simple.
Encrypted communication does not go through any central hubs thus cannot be tapped into in that way. The only possible way is to create a security flaw in the encryption and thus destroy everything because you're afraid.
And don't get the wrong idea. If these assholes get what they want, it will be found by or leaked to the wrong people and you, along with everyone else, will be harmed by it.
[ link to this | view in chronology ]
Re: Re: Re:
You're stupid.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re:
What is possible and likely to happen is that Apple and Google will add a second public key to phones that they will use when presented with a court order to do so. This is basically analogous to the access law enforcement currently has with the current phone system and that has mostly worked ok.
I think that's a pretty reasonable compromise and returns us to how things were a few years ago when Apple would brute-force phones when ordered to do so by a court.
[ link to this | view in chronology ]
Re: Re: Re:
Except for the fact that it really hasn't.
To save you some time, the link above leads to an article talking about how the police were accessing phones without warrants to such an extent that it reached the US Supreme Court, which thankfully came down on the side of the public in saying that no, they are not allowed to search a phone without a warrant. If they can't be trusted to respect the public's privacy, then they have no-one to blame but themselves when the public and tech companies step in to protect their own privacy.
I think that's a pretty reasonable compromise and returns us to how things were a few years ago when Apple would brute-force phones when ordered to do so by a court.
No, it isn't. Any security hole, whether you call it a 'master key' or 'second public key' is available for the 'good guys' and 'bad guys' alike to use, because there is no way for the security to tell the difference. Therefore the less security holes in general the better off the public will be, and if that makes it difficult for the government and/or police, that's just too bad for them.
Just because it was an option to force companies to break the security of their devices to allow access to the police/government in the past does not mean that they are owed that ability perpetually.
[ link to this | view in chronology ]
Re: Re: Re: Re:
That's what I most strongly object to -- the bulk collection of data. Sucking all data up with no probably cause is waaaay over the line (IMHO) and I would hope is a violation of the 4th amendment. Targeted decryption is reasonable and clearly not a violation of the 4th amendment. It would grant law enforcement similar, but slightly weaker abilities than what they currently have with land lines.
What I would like to ask politicians that are promoting much weaker privacy protections is this: when the PRC presents Apple with a valid court order demanding the decryption of some communications that had an endpoint in the US (possibly a politician or a dissident or an engineer), do they comply? The answer is clearly "yes they do". The weakened technology will affect the US government as well and they have to accept that.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
Like the HDDVD encryption key? How long did that take to crack? How often does Blu-Ray have to change their encryption keys?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
No. One private/public pair per handset. The public key on the handset, the private key held by Apple or Google. That would cover the vast majority of phones out there.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
No. One private/public pair per handset. The public key on the handset, the private key held by Apple or Google. That would cover the vast majority of phones out there.
And it would be nothing like encryption used in video players. Those things put the private key in the hardware and rely on obfuscation and technical barriers to keep it secret.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
You're still making one central target to crack everything.
The biggest advantage of encryption is it's decentralization. Crack one device and you don't crack everything. But with your idea, crack Google or Apple's database and you've got everything. And it wouldn't take a master hacker, all it would take is one lazy/malicious/mistaken employee.
This, of course, assumes that the government would even allow a database like that to exist outside of their control.
And why are we even bothering? Smart criminals will never be caught by this. ISIS has their own encryption now, drug dealers use burner phones (and they don't even bother with encryption), smart criminals would just use the not intentionally flawed software we already have. Stupid criminals already incriminate themselves. Why make everyone else less secure?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re:
For example, Apple's messaging app sends encrypted encrypted messages but if you could crack Apple, you could silently add a foreign key to the transaction and the user would never know (the encryption keys are managed entirely by Apple).
You already are trusting Apple and Google. I think they can be trusted to manage keys (the certainly know how to do so).
> Smart criminals will never be caught by this.
That's ok. There are enough dumb criminals to keep law enforcement busy for a long, long time. There's no perfect solution and looking for a single, magical solution is foolish.
Change is coming. I answered what the minimal compromise I think is reasonable. If the solution is forced on tech companies via legislation, it's going to be much, much worse than simply adding the ability to unlock a device.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re:
However, the government (who clearly has network security issues - see "OPM hack") is trying to tell them what to do.
So no, it's not a matter of trust with Google/Apple - it's them taking direction from someone with a shitty track record.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
That's exactly why the big tech companies should start talking about the compromises that least impact normal users. Installing a public key that can be used when presented with a court order is the least problematic solution that I can think of. If the tech companies don't start, legislation will tell them what they have to do and that would be the worst outcome.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
That still doesn't address the single point of failure you're creating, nor the ramifications of what happens when the key(s) are compromised.
The companies keep saying it can't be done, yet the government insists that it can. Since they're so sure, the onus is on the government to create a working model/proof of concept. Not Apple or Google - they have a profit motive and shareholders to be responsible to.
If the tech companies don't start, legislation will tell them what they have to do and that would be the worst outcome.
In other words, legislate that 2+2=5?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
The tech companies are already a single point of failure. They are pushing stuff to your phone all the time.
> In other words, legislate that 2+2=5?
No, they will pass legislation that gives law enforcement everything without regard to the harm it does to people and businesses in the US.
Going dark on a mass scale won't be allowed to happen. What's a compromise that you could live with? I already trust Google and Apple, so for them to have a way to unlock my phone doesn't change much (it goes back to how things were a few years ago).
I can still install 3rd party secure messaging apps just like I could use a scrambler on my phone line to secure my conversations.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
And if it's all encrypted anyways, nothing will change. They'll still have collected everything, and will still not have the processing power to decrypt it all.
Nothing changes.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
I don't need to compromise. I have encryption, and choose to use it to make my communications private.
Law enforcement has the ability to collect it, and with enough processing power, possibly decrypt it within my lifetime.
They already have exactly what they need. What they should be lobbying for is to change how time works. I think they'd have a better shot of making a 30 hour day instead of getting any backdoor to pass.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re:
Google's chat encryption is not end to end, it's from your PC to the central server and from the other PC to the central server. The government doesn't need to crack encryption to get that information.
Google chat and Apple chat are not secure systems, we all know this.
Local encryption is something else entirely. If I encrypt a file on my phone, say a password list, there is no central server between me and the file. I expect that file to be secure. At least as secure as the software used to encrypt it, not some unrelated, uninterested third party. I expect my communication with my bank to be as secure as the bank, not some unrelated, uninterested third party. Google should not have access to this information.
The government doesn't want access to Google chat, they want access to everything encrypted. Your compromise will never be enough for them because they already have it.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
I don't know how Google Chat works, but Apple details their security model in their iOS security white paper and it is end-to-end encrypted. Apple can't see the messages.
> Your compromise will never be enough for them because they already have it.
No, they don't. Recent iOS devices and some Android devices are still secure, even to Apple and Google.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
Why does Apple have end to end encryption for their chat service? Think about that for a second, why would they spend that much effort into creating that? Is it to help the criminals stay under the radar? Or maybe because Apple knows that keeping everything in a central repository is a stupid idea.
Your compromise will end up like the 6 strike compromise the ISPs put in place. Utterly worthless yet still being ratcheted up. ISPs should have stood their ground and Google and Apple should as well.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
Two big reasons:
1) It's fantastic for marketing. Their chief rival makes money by mining everything you do on the device for advertising purposes (that's a cynical view, but somewhat correct). It makes sense to zig where their rival zags.
2) It saves them a lot of money. When they are presented with a court order saying "reveal the contents of this", an intern can prepare the response: "sorry, but due to technical limitations, there's no possible way to comply".
Change is coming. It's the perfect climate right now for anti-privacy legislation to be passed. It's important that tech companies (and communities like this one) get involved.
Many in this community are holding the position that they are unwilling to cede any privacy protections to law enforcement. It's a principled position to hold for sure, but when there's no compromise to be made, none will be offered. That's how you end up with terrible legislation that makes everybody a criminal.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
Primarily because it's been well documented that law enforcement can't be trusted.
Question for you, if I may...why does law enforcement absolutely need this? Exactly how many people are flying under the radar and causing random acts of violence, where they now must be suspicious of EVERYONE?
And if that's the case, and everyone needs to be treated with suspicion, then inevitably, some of those suspicious people WILL end up in law enforcement...what in your solution will prevent THEM from also exploiting the TSA key, I mean, master encryption key?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
Does the fact that your landline is easily tapped imply that you are under suspicion?
> what in your solution will prevent THEM from also exploiting the TSA key, I mean, master encryption key?
Transparency and real oversight would be a good start. If all law enforcement decryption requests are eventually made public, it would be easier to spot abuse.
I think that's why it's important for this community to get involved. If legislators hear law enforcement say "tech companies must be made to comply with a court order demanding decryption" and hear tech companies say "under our current set up, that's not possible", then it's easy to predict what will happen: CALEA for mobile phone companies with no reasonable limits, oversight, or transparency.
We can stand around here and pretend that any ability to decrypt is the same as not encrypting at all in the first place (which is ridiculous), or get involved and give up as little ground as possible.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
I can still speak in code over my potentially tapped landline. Should I also have to make the cipher available to law enforcement?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
For secure messaging my favorite app is Threema.
Law enforcement doesn't want to make it impossible to communicate securely (they need that too), they just don't want it to be the default.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
For secure messaging my favorite app is Threema."
Cool. Are you aware that Threema depends on encryption technology that's the very thing that's being called to be compromised here?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
Something they would like to outlaw.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
How much ground will the government take? It will enough to ensure that they and their corporate buddies cannot be easily challenged.
Terrorists know enough to keep their planning secure, while a local neighbourhood trying to organize replacement of their politician; or a group trying to organize a protest against an unjust law, or against a corporation ruining their environment, are easily disrupted if their communications can be monitored.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
Let that happen first, then come back. But since that is never going to happen,
If all law enforcement decryption requests are eventually made public, it would be easier to spot abuse.
Eventually. Forever minus a day. Kind of the opposite of the "transparency" you were just promoting. You're already being self-contradictory.
I think that's why it's important for this community to get involved.
In case you hadn't notice, it is.
it's easy to predict what will happen: CALEA for mobile phone companies ... blah blah blah
CALEA already applies to mobile phone companies. Nice try.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
No, it doesn't. Right now Apple doesn't have to provide surveillance hooks to law enforcement and that's precisely what is being pushed for. Phone companies aren't allowed to buy telecom gear unless it has surveillance capabilities. Soon, they may not be allowed to activate handsets unless they too have surveillance capabilities.
I trust Apple more than I trust AT&T or Verizon. If somebody is going to have to manage keys (and I really think that's where we are headed), I want Apple to do it. That's really the bottom line of everything I've been saying.
In the little Techdirt bubble, that's an insane thing that everybody hates, but among the general population, it's entirely sensible. You may have noticed that people really don't give a shit about privacy. Most don't worry about adblocking or trackers, they give up their demographic info for a chance to win a car, they are happy to fill out a survey to get a free sandwich, or apply for a credit card to save 5% on today's purchase. Privacy isn't a big deal, but security is. They are scared about terrorists even though the probability of being hurt or killed by terrorists is about as likely as being killed by a shark. Generally, people may not like their city or state police, but they are mostly happy with the FBI, the CIA, and they LOVE every branch of the armed forces.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
Well, trust is only part of the issue here. Even if you trust the ability of a company to manage the security, you're talking about introducing a single point of failure that cannot be repaired. Mistakes happen, and Apple have been compromised in the past. Not only that, but you won't be able to pick and choose. This isn't just an argument about your mobile handset, it's about encryption in total. If Apple are forced to do this for your phone, others you trust less will need to do it for their systems too. Some of whom you will not know are involved, because you don't know the backend of every business you interact with and you don't know who's managing those keys.
"You may have noticed that people really don't give a shit about privacy."
Until it's compromised or there's real negative effects from a breach. People not interested in the subject have a hard time understanding future implications, but tend to have stronger opinions when it actually affects something they can see.
"Most don't worry about adblocking or trackers, they give up their demographic info for a chance to win a car, they are happy to fill out a survey to get a free sandwich, or apply for a credit card to save 5% on today's purchase."
This is all true. However, basic demographic info (much of which is public anyway) is rather different from what's being requested here. If someone doesn't mind giving away their email address for some free crap, that doesn't mean they'd agree to hand over live access to their phone conversations and financial transactions. There's different levels of importance to consider here.
Also, those people do demand that data be protected even as they're handing it over. They'll give their email, address or phone number over for a free sandwich, yes, but they also demand that junk mail and unsolicited phone calls can be avoided. The suggestions so far don't seem to involve any protection once a compromise happens with keys.
"Privacy isn't a big deal, but security is. They are scared about terrorists..."
Privacy and security often go hand in hand. Perhaps instead of whining about a "bubble" on a site that understands these things, you'd be better off explaining to less savvy users why those terrorists would potentially be able to access these backdoors. You'd be amazed how quickly their opinions can change.
Part of the issue is not that people don't care about their privacy, it's that they're not educated in the subject enough to know why it matters to their security. of course, the reason why they're scared of terrorists is they also don't know how rare such attacks are, but just because they're misinformed in one area that's not an excuse to misinform them in another.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
There's plenty of other options. Not least because what you seem to be missing is that this isn't just about mobile phone communication but encryption as a whole. For some reason, you seem to be intent on trying to simplify the whole issue to 2 companies. Despite the fact that there would be more than that involved even if this was only about mobile handsets.
I can't tell the future, but I can tell you that letting people get away with the ignorant comments described in the article without comment is certainly not going to lead us anywhere positive. I can also tell you that breaking encryption will lead to people you don't want to give access to having full access. Unless you have a solution that doesn't involve putting such a back door in, which you're failed to suggest so far. Sorry, the idea of an extra private key doesn't count, that's still a back door no matter how much you trust Apple.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
For example?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
There's an entire spectrum of possibilities, ranging from a long political and legal battle to fight against any such requirement, to tech companies giving in but having to agree to increasingly draconian demands, to a major attack on existing vulnerabilities proving that encryption is absolutely necessary, to discovering some fundamental existing vulnerability that makes the whole demand moot.
But, we can't deal with huge numbers of possible outcomes based on what we can guess. We can only realistically address the suggestion being made. When you consider the entire landscape rather than whatever handy false dichotomy you can dream up, the predictable consequences are not good.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
No, it doesn't.
CALEA applies to all telecommunications providers. If you want to argue that doesn't apply to AT&T, Verizon, T-Mobile, Sprint etc. then you are truly delusional.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
No, but then a landline is not factory set to be tapped by whoever requests it without any other intervention.
"Transparency and real oversight would be a good start"
How would that stop non-government entities from using the key, which you've now blocked by law from being re-secured?
"We can stand around here and pretend that any ability to decrypt is the same as not encrypting at all in the first place (which is ridiculous)"
That might be what you think they're saying. What others are actually saying is that once you create a master key, it works for everyone who wishes to use it. Which is the same as not encrypting at all to those people who have the key.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
One would think we would have learned better by now.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
I think the lesson that we should have learned by now is that if we don't get involved, we get terrible, unbalanced, overreaching legislation. Decrypting a phone they capture is one thing, the real time decryption of all communications is another. Granting the first doesn't give them the second thing.
Everybody has their own line in the sand. Mine is untargeted surveillance. I have no problem with narrowly scoped spying but bulk data collection of everybody is too much.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
Assuming a 'central repository' of decryption keys as you've suggested several times so far, if they can do the first, they can do the second(and if they can't do it for whatever reason now, just give it a few years). The only way to keep them from doing the second is to keep them from being able to do the first.
Not to mention, as has been demonstrated time, and time, and time again, they always want more. Give them the ability to do A now, and it's only a matter of time before they're insisting that, because Terrorism, they absolutely need the ability to do B, C, and D as well(assuming they even ask).
They want to search a phone? Get a warrant, and present it to the owner of the phone to unlock. Don't want to do either of the above? Then no search allowed.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
We already have that.
but bulk data collection of everybody is too much.
which we also already have. So, you think they've already gone too far, yet you argue for them to go further? I detect duplicity.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
Here, I think you actually agree with people. The problem is simple - the solution you are calling for eventually hands the ability for bulk data collection from anyone, government and civilian, with no way to take it back.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
The government can't directly force Apple or Google to implement interception capabilities. What they will do (this is a guess) is pass a law prohibiting mobile network operators from accepting devices that lack that capability. They already require the network gear to have that capability (CALEA) and so I think it could be argued that requiring the same capability in the handsets is logical (from a law enforcement perspective).
Apple and Google would have no choice but to build that in and hand over the keys to the network operators. For me, that's basically the worst case scenario because I *do* trust Apple and Google, but have zero trust in AT&T, Verizon, Sprint, or TMobile.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
There are far more than 2 companies involved here, and more than mobile phones. I mean, Google don't even manufacture their handsets' hardware and 3rd party Android devices can patch the OS at any time. So, wherever you expect the decryption to happen, you're looking at way more than 2 vectors. Yes, that also means that carriers may have the keys as well.
I can see where you're coming from, but so long as you continue to oversimplify the realities of the situation, you're going to be arguing something other than what's being discussed. Any security is only as good as its weakest link, and you're demanding that at least one be weakened further.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re:
Yes, if you want to massively over-simplify things. Bear in mind we're not just talking about phones here, nor are we just talking about consumer level devices.
But, you know what people at both of those companies spend a lot of their time doing ? Fixing flaws that allow people to crack their devices. What's you're supporting here is not only introducing numerous extra vulnerable points, but making sure that nobody is allowed to fix them. Ensuring that once that target has been compromised, it is never allowed to re-secure their devices.
Do you see the problem yet?
"That's ok. There are enough dumb criminals to keep law enforcement busy for a long, long time"
So, you support handing smarter, more organised criminals the tools to operate unhindered because some dumber people will get caught? Do you even understand what you're saying here?
"Change is coming. I answered what the minimal compromise I think is reasonable"
If you think that's reasonable, you don't understand the issue.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
Not for nothing, if they can't keep what they have safe, I don't see why they get MORE information to not keep safe. Seems like they don't deserve that privilege.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
None whatsoever.
If you've got one person saying 'I don't think it's a smart idea to play russian roulette', and another person saying 'I think it is a smart idea to play russian' roulette, there is no room for compromise. The first person is right, the second person is wrong, and it's not in any way reasonable for the first person to give any ground, 'compromise' or not.
In the case of security and encryption, you either have encryption that works, and is secure for everyone, or you have encryption that doesn't work, and is secure for no-one. Those are the only two options. There is no room, at all, for 'compromise' when it comes to encryption. It either works or it doesn't, that's it.
For me, it's that every phone encrypts the master key with the user's password and the manufacturers public key.
Creating a 'master key' rather than a 'golden key'. Well, I guess you changed the name, that's got to count for something, right?
No, no it doesn't.
No matter what you call it, a security vulnerability is a security vulnerability, and not something to be desired or deliberately introduced.
Individual phones can be decrypted with a warrant but bulk real-time decryption isn't happening.
Right up until someone gets the master key and uses that. If the system you are envisioning allows for individual real-time decryption, then it also allows for bulk real-time decryption, it's simply a matter of resources. And even if it doesn't allow for real-time bulk decryption, the fact that it might take them a little bit longer to get around to decrypting everything they scooped up doesn't make it any better or acceptable.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
Oh come on, Russian Roulette is perfectly safe, on average. Can't we just compromise and say that it's "usually" a good idea?
[ link to this | view in chronology ]
Re: Re: Re:
Because that "second public key" will realize that they are evil guys, and won't let herself be used. She'll die before letting herself be violated.
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re:
It's not like we took the tapping capabilities away, amirite?
[ link to this | view in chronology ]
Re:
They can. So what's the problem? They may not understand those communications, but the same holds true for telephones as well. Or don't you understand that?
[ link to this | view in chronology ]
They want everyone to see the HTTPS lock and everything and think their conversations are kept safe from "cyber criminals and cyber terrorists", when in fact the government as well as those cyber hackers or anyone else who cares can get past those weak defenses made just for show.
[ link to this | view in chronology ]
Shirley...
[ link to this | view in chronology ]
You've fallen into their framing trap, Mike. All decent crypto already assumes everyone is "bad" except the sender and the intended recipient(s). Clinton et al. want to mandate their way into the "good" list.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Hillary Fumbled
[ link to this | view in chronology ]
The bad guy we know is bad and we can prepare for their antics but if the those who are supposed to protect us betray us then they broke trust and are far worse and need to be appropriately dealt with in the harshest way possible.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
It's all in the ownership
[ link to this | view in chronology ]
If we can't call it a backdoor
[ link to this | view in chronology ]
Being connected to everyone and everything in the world means that there are built-in risks when using the internet that will never disappear. People weigh those risks when deciding what they use the internet for. That is the way it has always been and the way it will always be.
[ link to this | view in chronology ]
everyday the us govt sounds more like retards
"everyday the us govt sounds more like retards"
"everyday the us govt sounds more like retards"
[ link to this | view in chronology ]
Meanwhile.....
"A major breach at computer network company Juniper Networks has U.S. officials worried that hackers working for a foreign government were able to spy on the encrypted communications of the U.S. government and private companies for the past three years" -- CNN
So hey, how about that backdoor encryption "only for good guys"
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Oh, wait! These aren't the backdoors we are looking for...
[ link to this | view in chronology ]
Anyone can build encryption...
So even if we end up forcing Google, Apple and the other major tech companies to build in back doors for the government all it it would do is let them spy on all the regular law abiding citizens while anyone who actually want to use real encryption would do so.
This is also so damn obvious to anyone with the smallest amount of sense that one have to assume this is their true goal....
[ link to this | view in chronology ]
Re: Anyone can build encryption...
[ link to this | view in chronology ]
Re: Anyone can build encryption...
You're right though - banning math is hard. Anybody with high school level mathematics knowledge can understand something like Diffie-Hellman key exchange (and it's a magical idea, lots of fun).
[ link to this | view in chronology ]
Stopping the "bad" people...
[ link to this | view in chronology ]
Dear Hillary
You can have either:
1. A SECURE system. Secure against hackers, and secure against the government and law enforcement.
2. An INSECURE system. The government and law enforcement have access, but so do the Russians, the Chinese, Anonymous, Hackers and Criminals.
Please choose.
[ link to this | view in chronology ]
The biggest issue...
You want candidates to stop doing this shit? Educate the idiot masses.
[ link to this | view in chronology ]
Re: The biggest issue...
I think you would be surprised at how many people *want* the government to be able to spy on everything.
[ link to this | view in chronology ]
Re: Re: The biggest issue...
[ link to this | view in chronology ]
Re: Re: The biggest issue...
[ link to this | view in chronology ]
Wifey said the exact same thing...
[ link to this | view in chronology ]
[ link to this | view in chronology ]
I still need an answer... but nobody seems to be asking the question.
How can anyone assume that other governments around the world won't be asking for the same prvilege?
How can anyone expect companies to deny access to anyone when the big can of worms has been opened?
Maybe we shouldn't entertain the fantasy that it is actually possible, because the politicians will try to force the "best" solution through, and the best solution will be a bad solution, but here we assume that they get their wet dream fulfilled.
It is quite fitting to compare it to the Manhattan project, because even though it might have just been a question of time before somone else invented the nuke, we now live in a world with doomsday clocks where mutual annihilation starts as soon as some bastard in power, probably in a bunker somewhere, is insane enough to fire the first shot.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Can someone explain to me?
Didn't they understand that the NSA is incapable of keeping their hands out of the cookie jar? They aren't the good guys. They are the ones trying to undermine the Constitution. They are the ones trying to abolish the U.S.A. as defined by the Founding Fathers. And they are the worst enemies of the U.S.A. since they are the most likely to succeed.
[ link to this | view in chronology ]
Intention
Are they suddenly a 'bad guy' based on their intention?
for bonus points, even in intentions are 'good', how do you determine that the result will be 'good'.
Good people with good intentions can still do 'bad' things.
[ link to this | view in chronology ]
Manhattan project?
There are so many problems with what they are trying to do. If you have a password or number or code that can decrypt a message, that password or number or code can be stolen. And if you put the means to decrypt EVERY message in one place, it almost certainly WILL be stolen.
But even if we found what the government thought was perfect encryption - easy to use, government access on demand, otherwise secure (including against foreign governments and in-government corruption), and everyone was somehow forced to use it - there is no possible way that we could force the bad guys to use it *exclusively*. They could encrypt their message using normal methods and then encrypt the encrypted message using the government-sponsored method, so when the government uses the magic key all they get is an encrypted message.
[ link to this | view in chronology ]
Manhatten projects
She knows this, so the real question is why is she asking for it?
[ link to this | view in chronology ]
Re: Manhatten projects
Because she wants know when someone is even thinking about crossing her. To do that she needs to be able to spy on everyone.
[ link to this | view in chronology ]
Delayed-Escrow Encryption
We've seen recently that there's a way to break PGP through factoring of very large primes (which is what some people think the NSA's Utah data center is for), but that it takes a huge amount of compute time.
If your iPhone uses a rolling set of encryption keys, but where the rolling refactoring could be stopped with physical possession of the device, then a nation-state could seize the phone and eventually decrypt it, since the rolling key would stop rolling.
Now the catch, of course, is that you'd need to keep the key size growing with Moore's Law, so that even with physical possession it would still be a significant effort to break, essentially making it so that only in rare circumstances would it be worth breaking the encryption.
We used this same paradigm for years with location information - the law evolved that having the police "tail" someone wasn't an invasion of privacy, because anything you do in public isn't private. But the paradigm in place meant that mass surveillance was impracticably expensive, so it was only used when it was really worth it. Now that mass surveillance is cheap, we're stuck with a legal landscape that no longer yields the same relative privacy as before - where you were private simply due to the cost of breaking your privacy.
Professor Kerr explains this in his Equilibrium-Adjustment theory of the 4th Amendment, but the same principle could be applied to computer encryption - grow the keys steadily to make it hard to decrypt a phone you have physical possession of, but possible if it's worth it.
This gets trickier with stored data (suck up everything, sit on it for 10 years until it's easy to break, and then charge anyone you find with an ongoing conspiracy for whatever violation you find), but there may be solutions to this (extremely large keys on transmitted data, smaller rolling keys locally).
Of course, this would necessarily mean that older data could be decrypted, so the US Government would need to thing long and hard about whether it wants it to be practical to break US encryption standards for older data.
[ link to this | view in chronology ]
Re: Delayed-Escrow Encryption
[ link to this | view in chronology ]
Re: Re: Delayed-Escrow Encryption
This would necessarily mean a slightly higher overhead on the device (since it would always be encrypting a new volume), but it could also use smaller keys tied to the generally available compute power - similar to how bitcoin mining gets harder over time.
This sort of escalating encryption would obviously be harder to implement than a static key encryption, and harder to be sure no one planted a back door in it itself, but would have the advantage of maintaining the same relative level of protection over time for current devices.
The non-absurd argument for security is that sometimes they really do need to decrypt things, but as we've seen it's far too often used now as an easy way to bypass other protections, rather than for extraordinary situations. Since we've been shown that we can't trust the watchers on their own when there aren't technical barriers, the alternative may be that practical barriers (total compute available) are a better alternative, like we had until recently due to scalability problems.
[ link to this | view in chronology ]
She misspoke
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
They don't need encryption back doors
They could search someone's phone if they had a warrant to, but even law enforcement is pretty much clueless.
[ link to this | view in chronology ]
Re: They don't need encryption back doors
[ link to this | view in chronology ]
Fool me once... Fool me a thousand times (naw, don't think so)
Making sense, even common sense, is not required.
We have two years of a clown show and then a charade of an elections (ditch rigged machines and bring back the smoke filled back rooms). The two-year theater serves TPTB to keep the attention of the masses diverted from their laws for bribes (and other considerations).
One thing H is good at is a posture of looking concerned.
What a life. This system is broke beyond hope (so much for hope and change Mr. Prez).
[ link to this | view in chronology ]
The arguments they're using are simply to ludicrous and LOUD (public) to suggest anything else (it is here where any shill worth his/her salt would suggest mere "incompetence" is to blame... that tired falsehood fell apart years ago - they know what they're doing, and you KNOW this to be the case.)
[ link to this | view in chronology ]
Hillary, go stick a Juniper
well, the thought is too ugly to finish.
[ link to this | view in chronology ]
Re: Hillary, go stick a Juniper
[ link to this | view in chronology ]
Yeah...
"She's been telling me that for years."
- Bill
[ link to this | view in chronology ]
"Trusted computing", does that ring a bell?
- Security should be: when a third-party tries to access a resource, it needs authorization as configured by the user.
- "Security" as seen by all those: when a user tries to access a resource, it needs authorization as configured by a third-party. (Government, copyright group, etc.)
That's a fundamental issue: they're basically asking for computers (including smartphones and other mobile devices) to distrust its owner because of their own paranoia.
[ link to this | view in chronology ]