Hillary Clinton Wants A 'Manhattan Project' For Encryption... But Not A Back Door. That Makes No Sense

from the politics-is-dumb dept

Mon, Dec 21st 2015 6:54am — Mike Masnick

In the Democratic Presidential debate on Saturday night, Hillary Clinton followed up on her recent nonsensical arguments about why Silicon Valley has to "solve" the problem of encryption. As we've noted, it was pretty clear that she didn't fully understand the issue, and that was even more evident with her comments on Saturday night.

Here's what's clear: she's trying to do the old politician's trick of attempting to appease everyone with vague ideas that allow her to tap dance around the facts.

First, she proposed a "Manhattan-like project" to create more cooperation between tech companies and the government in fighting terrorism. The Manhattan Project was the project during World War II where a bunch of scientists were sent out to the desert to build an atomic bomb. But they had a specific goal of "build this." Here, the goal is much more vague and totally meaningless: have tech and government work together to stop bad people. How do you even do that? The only suggestion that has been made so far -- and the language around which Clinton has been echoing -- has been to undermine encryption with backdoors.

However, since that resulted in a (quite reasonable) backlash from basically anyone who knows anything about computer security, we get the second statement from Clinton that she doesn't want backdoors.

"Maybe the back door isn't the right door, and I understand what Apple and others are saying about that. I just think there's got to be a way, and I would hope that our tech companies would work with government to figure that out."

No, she clearly does not understand what Apple and others are saying about that. Just a week or so ago, she insisted that Apple's complaint about it was that it might lead to the government invading users' privacy, but that's only a part of the concern. The real concern is that backdooring encryption means that everyone is more exposed to everyone, including malicious hackers. You create a backdoor and you open up the ability for malicious hackers from everywhere else to get in.

So, she's trying to walk this ridiculously stupid line in trying to appease everyone. She wants the security/intelligence officials to hear "Oh, I'll get Silicon Valley to deal with the 'going dark' thing you're so scared of," and she wants the tech world to hear "Backdoors aren't the answer." But, that leaves a giant "HUH?!?" in the middle.

It seems to come down to this: None of the candidates for president appear to have the slightest clue how encryption or computer security work and that allows them to make statements like this that are totally nonsensical, while believing that they make sense.

The issue, again, is that what they're really asking for is "Can you make a technology where only 'good' people can use it safely, and everyone else cannot?" And the answer to that question is to point out how absolutely astoundingly stupid the question is. Because there's no way to objectively determine who is "good" and who is "bad," and thus the only possible response is to create code that really thinks everyone is "bad." And to do that, you have to completely undermine basic security practices..

So this whole idea of "if we just throw smart people in a room, they'll figure it out" is wrong. It's starting from the wrong premise that there's some sort of magic formula for "good people" and "bad people." And without understanding that basic fact, the policy proposals being tossed out are nothing short of ridiculous.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: encryption, going dark, hillary clinton, manhattan project, silicon valley

198 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

That One Guy (profile), 21 Dec 2015 @ 5:20am

However, since that resulted in a (quite reasonable) backlash from basically anyone who knows anything about computer security, we get the second statement from Clinton that she doesn't want backdoors.

Not quite. She still wants broken encryption, she just wants to call it something else.

"Maybe the back door isn't the right door, and I understand what Apple and others are saying about that. I just think there's got to be a way, and I would hope that our tech companies would work with government to figure that out."

That's not 'backdoors in encryption are bad', that's 'holes in encryption are good, but because of the backlash I'll ask for them by another name'.

It seems to come down to this: None of the candidates for president appear to have the slightest clue how encryption or computer security work and that allows them to make statements like this that are totally nonsensical, while believing that they make sense.

As I've noted before, and will continue to note: She and others who make the same claims absolutely do know that they're asking for the impossible, they simply don't care.

The only way they might not know is if they've intentionally kept themselves willfully ignorant on the subject, and that's not any better.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 7:00am

There already is an Encryption Manhattan project
It's called the NSA.
[ link to this | view in thread ]
This comment has been flagged by the community. Click here to show it

Anonymous Coward, 21 Dec 2015 @ 7:02am

Here's what's clear: she's trying to do the old politician's trick of attempting to appease everyone with vague ideas that allow her to tap dance around the facts.

That's exactly what you do when it comes to talking about whether we should have copyright, Mike! HILARIOUS!!!!
[ link to this | view in thread ]
wereisjessicahyde (profile), 21 Dec 2015 @ 7:02am

Has she hired Frank Winter?
[ link to this | view in thread ]
wereisjessicahyde (profile), 21 Dec 2015 @ 7:05am

She also said..
"I don’t know enough about the technology to say what it is," Really she did. Says it all really. She should shut the fuck up then.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 7:05am

Re: There already is an Encryption Manhattan project
They have been found out though, we need a new secret agency that is even LESS known by citizens, more corrupt, and even less beholden to anything other than a rubber stamping machine!
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 7:05am

hey, while the lady's sharpies are convened, could they do something about us having short days in the winter and long days in the summer? much better to even them out, and if her sharpies can solve her request, that daylight problem should be a breather for them.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 7:06am

Bob Dylan's reply
Front door's shut
Back door too
Blind's pulled down
What you gonna do
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 7:12am

Dear Hillary, the object of encryption is is keep a conversation private between the senders and recipients of messages; and if any other party has the means of reading those messages, the encryption system is broken. Giving governments the ability to read messages where they are not an intended recipient means that the encryption system is broken.
You have just has a hissy fit over someone gaining access to information you thought was private, so why are you objecting to people wishing to keep their data private.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 7:12am

I want a pony but I also want it to be a dog.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 7:14am

Re: Re: There already is an Encryption Manhattan project
If that existed, we wouldn't know about it. So who's to say it doesn't already?
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 7:16am

For almost 100 years via a warrant, law enforcement has been able to tap telephones. And they should be able to do the same with internet communications.
[ link to this | view in thread ]
That One Guy (profile), 21 Dec 2015 @ 7:16am

Re:
https://www.techdirt.com/articles/20130121/14473121743/global-hackathons-prepared-to-carry-forward-w ork-aaron-swartz.shtml#c377

https://www.techdirt.com/articles/20130404/03365722575/dmca-as-censorship -chilling-effects-research.shtml#c825
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 7:17am

Re:
So?
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 7:19am

I think what the government ultimately wants is a "digital TSA" of sort - or in other words, "digital security theater" - especially going after their "golden/master key" talk (TSA's own master key was only recently exposed for everyone to copy).

They want everyone to see the HTTPS lock and everything and think their conversations are kept safe from "cyber criminals and cyber terrorists", when in fact the government as well as those cyber hackers or anyone else who cares can get past those weak defenses made just for show.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 7:20am

Re:
OIC, so because asshole hackers exist, law enforcement shouldn't be able to tap into internet communications?

Sorry, no.
[ link to this | view in thread ]
That One Guy (profile), 21 Dec 2015 @ 7:21am

Re:
And for even longer than that, people have been able to have private conversations outside of hearing of the police. Just because the police and government really want to be able to listen in on everything, doesn't mean they have the right to it.

If, as could be argued to be the case, technology advances to the point where people are able to communicate over the phone with the same level of privacy that they would enjoy talking in-person at a private location, then too bad for those that want to listen in, the privacy and security of the public trumps the police and government's desire to spy.
[ link to this | view in thread ]
Matthew (profile), 21 Dec 2015 @ 7:23am

Shirley...
Surely there must be a way for the government to have complete and total control without causing riots and rebellion? Bread and Circuses - the real reason government is so cozy with Hollywood. If only the Republicans would get on board with the social programs all their Orwellian wet dreams could come true.
[ link to this | view in thread ]
Ryunosuke, 21 Dec 2015 @ 7:24am

Re:
You would think, that with the email scandal, and working with the FUCKING STATE DEPT. that Clinton would have been the MOST qualified person to talk about electronic encryption?!?!?!

I suspect money is involved...
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 7:24am

The issue, again, is that what they're really asking for is "can you make a technology where only "good" people can use it safely, and everyone else cannot?" And the answer to that question is to point out how absolutely astoundingly stupid the question is. Because there's no way to objectively determine who is "good" and who is "bad" and thus the only possible response is to create code that really things everyone is "bad." And to do that, you have to completely undermine basic security practices.

You've fallen into their framing trap, Mike. All decent crypto already assumes everyone is "bad" except the sender and the intended recipient(s). Clinton et al. want to mandate their way into the "good" list.
[ link to this | view in thread ]
Steve R. (profile), 21 Dec 2015 @ 7:26am

Hillary Fumbled
Hillary is pretty good, unfortunately, at slick rhetoric that allows her to be on "both" sides of an issue. She did the same with encryption, but she was clearly outside of her element and fumbled at finding the appropriate language.
[ link to this | view in thread ]
That One Guy (profile), 21 Dec 2015 @ 7:26am

Re: Re:
Some? I guarantee you that there are vastly more criminals that would use security holes for their own gain, at the cost of the public, than there are criminals that are currently hiding behind encryption that the police and/or government can't catch as a result.

Crippling encryption to catch criminals is like chopping off someone's arm to deal with a paper-cut. The proposed 'solution' is massively more damaging than the 'problem'.
[ link to this | view in thread ]
Ryunosuke, 21 Dec 2015 @ 7:28am

so uhh....
aside from obvious LEO shill being obvious, How pray tell, do you even let one specific group of people into communications without letting everyone ELSE into said communications if they have the knowledge and capabilities?

how about mass wire-tapping?

how about mass mail/package searches?
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 7:28am

Re: Re:
"And for even longer than that, people have been able to have private conversations outside of hearing of the police."

They still can.

"technology advances to the point where people are able to communicate over the phone with the same level of privacy that they would enjoy talking in-person at a private location, then too bad for those that want to listen in"

No. you wanting to break the law via technology doesn't usurp the government's obligation to protect me from you.
[ link to this | view in thread ]
annonymouse, 21 Dec 2015 @ 7:30am

When it comes to "good guys" and "Bad guys" it pretty much boils down to, if what you want to do is what the bad guys do that means you are a bad guy.

The bad guy we know is bad and we can prepare for their antics but if the those who are supposed to protect us betray us then they broke trust and are far worse and need to be appropriately dealt with in the harshest way possible.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 7:33am

Re: Re: Re:
'Some' what? The word 'some' isn't in my post. You magically projected it there.

The internet has never been a secure space, due to asshole hackers. And it never will be. Ever. Anyone that uses it for things they want kept private is a moron.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 7:35am

Re: so uhh....
Law enforcement is already allowed to tap phones and search mail/packages.

Care to try again?
[ link to this | view in thread ]
NJD, 21 Dec 2015 @ 7:35am

It's a bit like "What I want is for the gun manufacturers to work with government to figure out how to make bulletproof vests that don't protect bad people so that the police can shoot them".
[ link to this | view in thread ]
Mike Masnick (profile), 21 Dec 2015 @ 7:36am

Re:
For almost 100 years via a warrant, law enforcement has been able to tap telephones. And they should be able to do the same with internet communications.

You are, apparently, totally unaware of how a cost-benefit analysis works, huh?

The issue here is not just the ability to tap internet communications. If it were just that, I don't think many would complain. Tapping phone is mostly possible to only be limited to law enforcement. But that's not the case with internet communications. Because it's software based, and because of the nature of encryption, opening up a backdoor puts everyone at significant risk. The "benefits" are much smaller than the "costs."

Your simplistic "well we do it for telephones" misses the point in a huge way.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 7:38am

Re: Re:
No, you're just trying to complicate the issue. Badly, I might add.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 7:40am

Re:
Not if the eavesdropper is the same person as the intended recipient, i.e. Bob is Eve.
[ link to this | view in thread ]
Jes Lookin, 21 Dec 2015 @ 7:40am

It's all in the ownership
Another bad name for the media to latch on to - like 'global warming'. The intent is to have ownership of some super-techo-thing that can decrypt the bad guys on the fly. The only problem is that only the people who design, fabricate, assemble, and control the technology can do that - and that isn't the US. For nuc stuff it was, but we can even make the components for that anymore.
[ link to this | view in thread ]
Anonymous Howard, 21 Dec 2015 @ 7:42am

If we can't call it a backdoor
I propose that from now on, when Hillary talks crap, we say she's talking out of her Manhattan.
[ link to this | view in thread ]
Ryunosuke, 21 Dec 2015 @ 7:47am

Re: Re: so uhh....
Meant unwarranted, unlimited, unrestricted access with NO oversight.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 7:48am

Re: Re:
>so because asshole hackers exist, law enforcement shouldn't be able to tap into internet communications?

According to you, law enforcement already can tap into Internet communications, by means of using "asshole hackers".

I am glad that you are in agreement that further weakening security, to increase the number of asshole hackers, is unnecessary.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 7:49am

Re: Re: Re:
No. you wanting to break the law via technology doesn't usurp the government's obligation to protect me from you.

The government is not obligated to protect me from you.

Just saying.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 7:49am

Re: Re: Re: Re:
Ahh, so some government backdooring VPNs on Juniper ScreenOS devices is perfectly okay? (link) Perhps your bank is using Juniper firewalls to communicate between branch offices as per SOX guidelines and now your account is compromised by anyone with knowledge of that hack. I'm sure they will admit to putting the backdoor in place and bankrupting you...
[ link to this | view in thread ]
Chronno S. Trigger (profile), 21 Dec 2015 @ 7:50am

Re: Re: Re:
Care to actually elaborate on your oh so unclear response?

All telephone communication goes through one of a few central hubs, so tapping the communication securely is relatively simple.

Encrypted communication does not go through any central hubs thus cannot be tapped into in that way. The only possible way is to create a security flaw in the encryption and thus destroy everything because you're afraid.

And don't get the wrong idea. If these assholes get what they want, it will be found by or leaked to the wrong people and you, along with everyone else, will be harmed by it.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 7:50am

By definition, nothing designed by humans can be infallible.

Being connected to everyone and everything in the world means that there are built-in risks when using the internet that will never disappear. People weigh those risks when deciding what they use the internet for. That is the way it has always been and the way it will always be.
[ link to this | view in thread ]
Anonymous Anonymous Coward, 21 Dec 2015 @ 7:51am

Re: Re: Re: Re:
Um, where do you bank?
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 7:53am

Re: Re:
Sure - they can tap into whatever they want. If it's encrypted, and they can't decrypt it, tough shit.

Sorry - if you don't understand the technology, you shouldn't be making half-baked statements like that. It makes you sound just as out of touch as Hillary.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 7:54am

Re: Re: Re: Re:
My tax dollars at the municipal, state and federal level are most certainly being paid to protect me from you.

There are plenty of sources on the internet that can help explain how government works if you're having trouble understanding this concept.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 7:55am

Re: Re: so uhh....
And they can continue to tap encrypted communications. Breaking the encryption is their problem, though, so I'm not sure the point you're trying to make.

Care to try again?
[ link to this | view in thread ]
Almost Anonymous (profile), 21 Dec 2015 @ 7:55am

Re: Re: Re:
I just don't have the patience anymore, so I'll just go with this:

You're stupid.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 7:56am

Re:
They can - breaking the encryption is their problem.

It's not like we took the tapping capabilities away, amirite?
[ link to this | view in thread ]
Guardian, 21 Dec 2015 @ 7:56am

everyday the us govt sounds more like retards
repeat after me:
"everyday the us govt sounds more like retards"
"everyday the us govt sounds more like retards"
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 7:57am

Re: Re: Re:
And you're trying to simply something that just isn't as simple as you'd like it to be.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 7:58am

Re: Re: Re: Re: Re:
My tax dollars at the municipal, state and federal level are most certainly being paid to protect me from you.

Ahhh, the land of the free and the home of the chicken shit cowards like you. Ready to piss way freedom and make a police state because you're scared.

Grow a set of balls, coward.
[ link to this | view in thread ]
Ryunosuke, 21 Dec 2015 @ 7:59am

Meanwhile.....
Over at Juniper Networks,

"A major breach at computer network company Juniper Networks has U.S. officials worried that hackers working for a foreign government were able to spy on the encrypted communications of the U.S. government and private companies for the past three years" -- CNN

So hey, how about that backdoor encryption "only for good guys"
[ link to this | view in thread ]
AJ, 21 Dec 2015 @ 8:00am

With the amount of time she should be doing behind bars for breaking the law with her email server (among other things), You would think she would be a strong supporter of encryption.
[ link to this | view in thread ]
This comment has been flagged by the community. Click here to show it

Anonymous Coward, 21 Dec 2015 @ 8:04am

Re: Re: Re: Re: Re: Re:
Sorry you lost the debate, and blew a gasket. The truth is unpleasant for some people.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 8:07am

Re: Re: Re: Re: Re: Re: Re:
I find cowards like you unpleasant. They're a disgrace to all the men and women who bravely fought and are still fighting for this country.

Keep paying someone else to protect you because you don't have a working set of testicles. I'm sure they love your tax dollars.
[ link to this | view in thread ]
Chronno S. Trigger (profile), 21 Dec 2015 @ 8:09am

Re: Re: Re: Re: Re:
I can't find it and I don't remember enough detail to search for it. Can someone link this asshole the article about the court case stating the Police don't have to stand between anyone and harm?

The government is not required to protect your ass. You're on your own.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 8:11am

Re: Re: Re: Re: Re: Re:
For the asshole you're referring to:

http://www.nytimes.com/2005/06/28/politics/justices-rule-police-do-not-have-a-constitutional-duty -to-protect-someone.html?_r=0
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 8:12am

Re: Re: Re: Re: Re:
You may want them to protect you, you may pay them to protect you, but all they're obligated to do is take a report after you get hurt. In fact, I'm not sure they're even obligated to do that.
[ link to this | view in thread ]
That One Guy (profile), 21 Dec 2015 @ 8:12am

Re: Re: Re: Re:
Hmm, so it isn't, not sure how I got turned around into thinking that it is.

However, the core point stands, adding built in security vulnerabilities to deal with a minuscule problem is a colossally foolish and counter-productive idea. The number of criminals that evade the police and/or government via encryption are tiny in comparison to the number of crimes prevented by encryption. Better security is always going to be a good thing for the public, and if it makes the jobs of the police and government more difficult than they want it to be, tough.
[ link to this | view in thread ]
This comment has been flagged by the community. Click here to show it

Anonymous Coward, 21 Dec 2015 @ 8:13am

Re: Re: Re: Re: Re: Re: Re: Re:
Yes, I'm sure for decades your whole family has been out in the streets protesting law enforcement having the right to tap phones. Don't forget to post some pics.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 8:14am

Well, if she doesn't mind the difference in name, Russia and China supposedly launched a "Juniper Project" for encryption, and they seemed to get it right...

Oh, wait! These aren't the backdoors we are looking for...
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 8:14am

Re: Re: Re: Re: Re:
My tax dollars at the municipal, state and federal level are most certainly being paid to protect me from you.

http://www.nytimes.com/2005/06/28/politics/justices-rule-police-do-not-have-a-constitutional-duty-to -protect-someone.html?_r=0

Hmm...are you really, really, really sure?
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 8:17am

Re: Re: Re: Re: Re: Re: Re: Re: Re:
It's not like they still can't tap phones.

I don't feel the need to take that away from them. If they can't decipher the encryption, well, that's exactly their problem now, isn't it?
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 8:18am

Re: Re: Re: Re: Re: Re:
Yes, I am.
[ link to this | view in thread ]
That One Guy (profile), 21 Dec 2015 @ 8:20am

Re: Re: Re:
They still can.

Unless you're using an electronic device to communicate, at which point both you and them are insisting that no, you are not allowed any privacy.

No. you wanting to break the law via technology doesn't usurp the government's obligation to protect me from you.

Nice strawman, but no, you don't get to sacrifice my privacy and security just so you can enjoy a false sense of security.

Sorry to break it to you, but the rights of people to privacy, and the security protecting countless aspects of their life(banking, email, health information) are both vastly more valuable than your sense of security and the government's voyeuristic fetish.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 8:21am

Re: Re: Re: Re: Re: Re: Re:
That's what makes you an idiot.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 8:21am

Anyone can build encryption...
The other major issue here is that anyone with a years with of math and programing education can build a suitable uncrackable encryption software if necessary.
So even if we end up forcing Google, Apple and the other major tech companies to build in back doors for the government all it it would do is let them spy on all the regular law abiding citizens while anyone who actually want to use real encryption would do so.
This is also so damn obvious to anyone with the smallest amount of sense that one have to assume this is their true goal....
[ link to this | view in thread ]
This comment has been flagged by the community. Click here to show it

Anonymous Coward, 21 Dec 2015 @ 8:22am

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
I have no interest in the government not being able to do its job just so you can hide your torrenting habit. So I fully support them having complete access to internet communications when they have obtained legal authority to do so.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 8:26am

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
Well, then perhaps you can help them fix this problem - perhaps with more of your tax dollars.
[ link to this | view in thread ]
That One Guy (profile), 21 Dec 2015 @ 8:29am

Enough strawmen to fill up a dozen fields.
I love how you continue to imply that the only possible reason someone could want privacy and security is to hide illegal actions.

While you're posting anonymously.

So then, what illegal activities are you hiding, hmm?
[ link to this | view in thread ]
That One Guy (profile), 21 Dec 2015 @ 8:31am

Re: Anyone can build encryption...
Well, clearly banning effective encryption is only the first step. The next step is to make not using crippled encryption a criminal offense, since clearly criminals are always careful to obey the laws, especially the ones that make it easier for the authorities to catch and prosecute them.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 8:32am

Re: Re: Re: Re: Re: Re: Re:
One of the things I enjoy so much about this whole encryption debate is that at the end of the day pro-spying people can bitch all they want but it doesn't matter.

If I encrypt my communications and don't tell anyone the key and no one else figures it out, unless they spend an insane amount of time bruteforcing they'll never get what I encrypted. If they make it so everyone has to use a backdoored algorithm people will just encrypt with something that hasn't been backdoored.

There isn't really a law against math so they won't be able to stop people from creating new non-backdoored encryption. If they make non-backdoored encryption illegal... well I'd really like to see them try to enforce that.

Pro-Surveillance people should probably get a better understanding of how technology actually works before trying to win impossible battles. It might make them look a little less silly too. ^.^
[ link to this | view in thread ]
Klaus, 21 Dec 2015 @ 8:34am

Re: Re:
"law enforcement shouldn't be able to tap into internet communications?"

Not directly, no. There needs to be a judge and a comms carrier in the way.

police => judge => warrant => carrier
[ link to this | view in thread ]
Glenn, 21 Dec 2015 @ 8:36am

Stopping the "bad" people...
Step 1: get/keep the bad people out of our govt. (an uphill battle)
[ link to this | view in thread ]
DannyB (profile), 21 Dec 2015 @ 8:39am

Dear Hillary
For someone who has already had eight years experience running the country, I would expect you to understand something so simple.

You can have either:
1. A SECURE system. Secure against hackers, and secure against the government and law enforcement.
2. An INSECURE system. The government and law enforcement have access, but so do the Russians, the Chinese, Anonymous, Hackers and Criminals.

Please choose.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 8:40am

The biggest issue...
The biggest issue is not the problem of politicians rattling off inane bullshit. That's par for the course. The issue is that the common voter in the US is so mind numbingly stupid when it comes to anything dealing with those "magical computer TV boxes" that any sort of vague technical mumbo jumbo impresses them, so they'll vote for the bullshit.

You want candidates to stop doing this shit? Educate the idiot masses.
[ link to this | view in thread ]
Chronno S. Trigger (profile), 21 Dec 2015 @ 8:49am

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
Despite what anyone thinks about the government and it's trustworthyness, you keep forgetting (probably intentionally)that it's physically impossible to give the good guys a way to monitor encrypted traffic without giving the bad guys the same ability.

If anyone brings up that point, you tend to not ever respond.
[ link to this | view in thread ]
techflaws (profile), 21 Dec 2015 @ 8:52am

Re: Re: Re: Re: Re:
There are plenty of sources on the internet that can help explain how government works if you're having trouble understanding this concept.

Said the guy using the Obama fallacy of "I'm here to protect the American people" rather than what he's sworn to do: uphold the constitution.
[ link to this | view in thread ]
AricTheRed (profile), 21 Dec 2015 @ 8:52am

"Maybe the back door isn't the right door..."

Wifey said the exact same thing...
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 8:52am

Can we get guns and cars to not be used by those bad guys too? I am pretty sure those terrorist guys are using those a lot too.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 8:54am

Re: Enough strawmen to fill up a dozen fields.
Hmm, you're confused. It says 'Anonymous' because I'm not a member of this site. But the reality is that Mike knows exactly where I'm posting from and who I am.

The guy posting that he has no problem with wiretaps but says "no way" on encryption busting? Just like most everyone here, he just doesn't want to get busted for his torrenting addiction.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 8:55am

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
No need, they're doing that right now. It's just more delicate since it's an election year.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 8:56am

I still need an answer... but nobody seems to be asking the question.
So the US of A gets its not-backdoor backdoors and then what?
How can anyone assume that other governments around the world won't be asking for the same prvilege?
How can anyone expect companies to deny access to anyone when the big can of worms has been opened?
Maybe we shouldn't entertain the fantasy that it is actually possible, because the politicians will try to force the "best" solution through, and the best solution will be a bad solution, but here we assume that they get their wet dream fulfilled.
It is quite fitting to compare it to the Manhattan project, because even though it might have just been a question of time before somone else invented the nuke, we now live in a world with doomsday clocks where mutual annihilation starts as soon as some bastard in power, probably in a bunker somewhere, is insane enough to fire the first shot.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 8:57am

She is dedicated to learning from what Obama and most presidents before him got away with. "say what people want to hear, then do whatever the hell you planned to do from the start"
[ link to this | view in thread ]
Chronno S. Trigger (profile), 21 Dec 2015 @ 8:58am

Re: Re: Enough strawmen to fill up a dozen fields.
"he just doesn't want to get busted for his torrenting addiction."

Or, you know, have his bank accounts stolen or his work passwords stolen, or any number of other things backdoors in encryption will cause.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 8:59am

Re: Re: Enough strawmen to fill up a dozen fields.
The government) can certainly try to break whatever encryption I may be running.

Given the number of people using it, and the processing power required to brute force it, I don't think it'll scale well, but again - please go for it!

I love it when stupid people try stupid things, fail, and then keep trying. It makes me smile.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 9:02am

Re: Re: Enough strawmen to fill up a dozen fields.
"no way" on encryption busting

I never said that. Basically I'm saying "good luck trying."

They have your federal, state, and municipal tax dollars after all...should be pretty easy with that kind of fiscal muscle.
[ link to this | view in thread ]
This comment has been flagged by the community. Click here to show it

Anonymous Coward, 21 Dec 2015 @ 9:07am

Re: Re: Re: Enough strawmen to fill up a dozen fields.
So you think Congress is going to listen to the demographic that is known for flouting laws?

Cant say I like the odds on that one.
[ link to this | view in thread ]
That One Guy (profile), 21 Dec 2015 @ 9:09am

Re: Re: Enough strawmen to fill up a dozen fields.
Nonsense, you could easily comment using your real name, don't even need to create an account for that. And if the only reason someone could desire privacy is to hide criminal actions, as you have implied multiple times now, clearly you are trying to hide your criminal actions by refusing to provide your real name.

So come now, either back up you assertion that only criminals desire privacy by providing your real name, refuse to provide your real name, and in so doing admit that you're doing so to hide your criminal activity, or retract the claim, and continue to post anonymously.
[ link to this | view in thread ]
Chronno S. Trigger (profile), 21 Dec 2015 @ 9:15am

Re: Re: Re: Re: Enough strawmen to fill up a dozen fields.
You have a bank account, right? You're an upstanding citizen (OK, I'm making an assumption there), so I'm sure you do. You are aware that if encryption is broken, you don't even have to be on the Internet to have your account information stolen? Banks use VPN encryption to transfer data between offices and other banks. Break encryption, that information is no longer secure. You suddenly find your account balance $0.

Do you telecommute to work? Go to the doctor's office? Use a credit card? All of that stuff and far, far more rely on secure communication. Break that and everything you know falls apart around you.

Constantly hiding under the "Copyright Infringement" banner just shows you have absolutely no idea of the horrors you're calling for.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 9:15am

Re: Re: Re: Enough strawmen to fill up a dozen fields.
"back up you assertion that only criminals desire privacy"

I'll post my name, address and phone number just as soon as you find this quote in one of my posts.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 9:19am

Re: Re:
I think you have to read between the lines. The police would like a master key for all encryption, but that's just not possible or even desirable (outside of law enforcement circles).

What is possible and likely to happen is that Apple and Google will add a second public key to phones that they will use when presented with a court order to do so. This is basically analogous to the access law enforcement currently has with the current phone system and that has mostly worked ok.

I think that's a pretty reasonable compromise and returns us to how things were a few years ago when Apple would brute-force phones when ordered to do so by a court.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 9:31am

Re: Re: Re: There already is an Encryption Manhattan project
If any "state sponsored organisation" do operate completely rogue, it would most likely exist under the US national security complex and likely in conjunction with NSA. The effects from such a digital organisation would be indistinguishable from hackers/NSA. Thus, the relevance of knowing it would be limited.
[ link to this | view in thread ]
That One Guy (profile), 21 Dec 2015 @ 9:37am

Re: Re: Re: Re: Enough strawmen to fill up a dozen fields.
No. you wanting to break the law via technology doesn't usurp the government's obligation to protect me from you.

...

I have no interest in the government not being able to do its job just so you can hide your torrenting habit.

...

Just like most everyone here, he just doesn't want to get busted for his torrenting addiction.

...

So you think Congress is going to listen to the demographic that is known for flouting laws?

Now then, your personal information if you would. Or are you really going to claim that your multiple instances of responding to people objecting to broken encryption by insisting that they're doing so to hide illegal activity isn't an argument that the only people desiring strong encryption are criminals?

Either provide your personal information as you said you would, or admit that despite your responses so far people can object to broken encryption for valid reasons that have nothing to do with wishing to hide illegal activity.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 9:38am

Re: Politicians and absolutes
Politicians are negotiators. To a negotiator "impossible" is not usually an absolute; instead meaning "long and costly solution" ergo "a Manhattan Project".
There is no bargaining stance that they can assume for or against the absolute of encryption where they leave the table with a win. They can only mitigate eventual failure through the strategies we keep seeing; keep rephrasing the problem, "we did everything we could"; transfer the failure, "if only those smart people at the tech companies would try harder" and "it's not my fault - they didn't try hard enough".
[ link to this | view in thread ]
David, 21 Dec 2015 @ 9:40am

Can someone explain to me?
Why do those politicians equate "good guys" with "the government"? Haven't they heard of the Snowden files? Didn't they get the memo about the NSA heads perjuring themselves before Congress? Have they forgotten the CIA spying on Senate staffers?

Didn't they understand that the NSA is incapable of keeping their hands out of the cookie jar? They aren't the good guys. They are the ones trying to undermine the Constitution. They are the ones trying to abolish the U.S.A. as defined by the Founding Fathers. And they are the worst enemies of the U.S.A. since they are the most likely to succeed.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 9:46am

Re: Re: Re: Re: Re: Enough strawmen to fill up a dozen fields.
Reading comprehension issues, I see...
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 9:47am

Re: Anyone can build encryption...
As always, perfect is the enemy of good. Just because a perfect solution can't be found, doesn't mean that a good solution (from the perspective of law enforcement) isn't available. I think a reasonable compromise would be for Apple and Google to encrypt the device keys with a second public/private pair - one belongs to the user, the other belongs to Apple or Google.

You're right though - banning math is hard. Anybody with high school level mathematics knowledge can understand something like Diffie-Hellman key exchange (and it's a magical idea, lots of fun).
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 9:49am

Re: Re: Re: Re: Re: Re: Enough strawmen to fill up a dozen fields.
Identifying that you have reading comprehension issues is step 1 - congratulations on realizing your shortcoming.

Step 2 is getting remedial reading lessons, idiot.
[ link to this | view in thread ]
That One Guy (profile), 21 Dec 2015 @ 9:49am

Re: Re: Re:
This is basically analogous to the access law enforcement currently has with the current phone system and that has mostly worked ok.

Except for the fact that it really hasn't.

To save you some time, the link above leads to an article talking about how the police were accessing phones without warrants to such an extent that it reached the US Supreme Court, which thankfully came down on the side of the public in saying that no, they are not allowed to search a phone without a warrant. If they can't be trusted to respect the public's privacy, then they have no-one to blame but themselves when the public and tech companies step in to protect their own privacy.

I think that's a pretty reasonable compromise and returns us to how things were a few years ago when Apple would brute-force phones when ordered to do so by a court.

No, it isn't. Any security hole, whether you call it a 'master key' or 'second public key' is available for the 'good guys' and 'bad guys' alike to use, because there is no way for the security to tell the difference. Therefore the less security holes in general the better off the public will be, and if that makes it difficult for the government and/or police, that's just too bad for them.

Just because it was an option to force companies to break the security of their devices to allow access to the police/government in the past does not mean that they are owed that ability perpetually.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 9:52am

Re: Re: Re: Re: Enough strawmen to fill up a dozen fields.
Wassamatter?

Don't want to expose your torrenting habits, criminal?

What have you got to hide?
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 9:55am

Intention
Even if you could find a method that would accurately identify an entity as good, how does that prevent the 'good' entity from doing something 'bad'?
Are they suddenly a 'bad guy' based on their intention?

for bonus points, even in intentions are 'good', how do you determine that the result will be 'good'.

Good people with good intentions can still do 'bad' things.
[ link to this | view in thread ]
That One Guy (profile), 21 Dec 2015 @ 9:56am

Re: Re: Re: Re: Re: Re: Enough strawmen to fill up a dozen fields.
Option C it is then, dodge and deflect while admitting neither. Yeah, I suppose expecting honesty from you with regards to your own comments was a bit unrealistic on my part.

To save time, I'll just copy/paste the last part until you answer it(and if anyone else wants to do the same, have at it).

Either provide your personal information as you said you would, or admit that despite your responses so far people can object to broken encryption for valid reasons that have nothing to do with wishing to hide illegal activity.
[ link to this | view in thread ]
This comment has been flagged by the community. Click here to show it

Anonymous Coward, 21 Dec 2015 @ 9:57am

Re: Re: Re: Re: Re: Enough strawmen to fill up a dozen fields.
Eh? Nothing to hide at all. That's why I have no problem with law enforcement accessing internet communications with a warrant.

I have no problem them getting my name, address, phone number and any other info under those same conditions.

Now if only TOG hadn't made up a quote, he could have gotten the same. But now he'll need a warrant :)
[ link to this | view in thread ]
This comment has been flagged by the community. Click here to show it

Anonymous Coward, 21 Dec 2015 @ 10:00am

Re: Re: Re: Re: Re: Re: Re: Enough strawmen to fill up a dozen fields.
"people can object to broken encryption for valid reasons that have nothing to do with wishing to hide illegal activity."

Of course people can, and do object to that; your mom, for example.

It's just that most commenters on Techdirt, yourself for example, are torrent addicts, and that is why they're sweating encryption laws.
[ link to this | view in thread ]
Chronno S. Trigger (profile), 21 Dec 2015 @ 10:04am

Re: Re: Re: Re: Re: Re: Re: Re: Enough strawmen to fill up a dozen fields.
"your mom, for example."

"It's just that most commenters on Techdirt, yourself for example, are torrent addicts"

OK, at this point this guy is most definitely a troll. He knows everything he's saying is a lie, he's just doing it to get under everyone's skin.
[ link to this | view in thread ]
This comment has been flagged by the community. Click here to show it

Anonymous Coward, 21 Dec 2015 @ 10:09am

Re: Re: Re: Re: Re: Re: Re: Re: Re: Enough strawmen to fill up a dozen fields.
Nope, not a troll. Been reading this site for years. My thoughts on this are the same as many others.
[ link to this | view in thread ]
Chronno S. Trigger (profile), 21 Dec 2015 @ 10:11am

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Enough strawmen to fill up a dozen fields.
"My thoughts on this are the same as many others."

Yeah, other trolls like Angry Dude and Avarage Joe. You're just another in a long line of people intentionally antagonizing other commenters by false accusations, insults, and dragging the discussion off topic.

The truth has outlived those trolls, it'll outlive you.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 10:23am

Re: Re: Re:
And your baddy baddy Russkie/Chinese/ hacker won't be able to use that same "second public key" that all phones got now, of course.

Because that "second public key" will realize that they are evil guys, and won't let herself be used. She'll die before letting herself be violated.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 10:23am

Re: Re: Re: Re:
I used to think in exactly the same terms that you have outlined. I've recently shifted my opinion. Change *is* coming. Maintaining the nothing-can-decrypt-phones line isn't tenable. So, what is the smallest compromise you would be willing to make? For me, it's that every phone encrypts the master key with the user's password and the manufacturers public key. Individual phones can be decrypted with a warrant but bulk real-time decryption isn't happening.

That's what I most strongly object to -- the bulk collection of data. Sucking all data up with no probably cause is waaaay over the line (IMHO) and I would hope is a violation of the 4th amendment. Targeted decryption is reasonable and clearly not a violation of the 4th amendment. It would grant law enforcement similar, but slightly weaker abilities than what they currently have with land lines.

What I would like to ask politicians that are promoting much weaker privacy protections is this: when the PRC presents Apple with a valid court order demanding the decryption of some communications that had an endpoint in the US (possibly a politician or a dissident or an engineer), do they comply? The answer is clearly "yes they do". The weakened technology will affect the US government as well and they have to accept that.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 10:24am

Re: Re: Re: Re:
The baddie hacker doesn't need the second key - they can use the first one. Like you said, the key doesn't care.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 10:29am

Re: Re: Re: Re: Re: Re: Re: Re: Re: Enough strawmen to fill up a dozen fields.
Or, he's not a troll, and just a gutless coward, who can't feel safe unless he's got law enforcement to protect him (despite the lack of obligation they have for protecting him - that other thing he's glossed over).

Fearful of, well, everything where he's funneling federal, state, and municipal tax dollars to law enforcement so that he can be safe in his closet, under a blanket, firmly grasping his assault rifle, waiting for, something.
[ link to this | view in thread ]
Mat (profile), 21 Dec 2015 @ 10:32am

Re: Re: Re:
The problem: Even with that line of protections, if the communication is end to end encrypted (SSL/TLS for instance), all you get is scrambled nonsense. If a third party can defeat the encryption in anything resembling real time (what is being asked for), then the encryption isn't worth being used as someone else will figure out the same breakhole. Because encryption isn't magic, it's math. And you can't make a reversible math algorithm that only works for one group.
[ link to this | view in thread ]
Chronno S. Trigger (profile), 21 Dec 2015 @ 10:34am

Re: Re: Re: Re: Re:
So, one key to unencrypt all phones of a specific manufacturer? One key that can be copied infinitely and can't be returned to the manufacturer? One key that becomes a vary large target for all hackers out there?

Like the HDDVD encryption key? How long did that take to crack? How often does Blu-Ray have to change their encryption keys?
[ link to this | view in thread ]
Joem5636, 21 Dec 2015 @ 10:42am

Re:
Legislating a back door is equivalent to legislating that 2X2=5. Crypto IS math and unless you can change math, forget trying to stop it.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 10:48am

Re: Re: Re: Re: Re: Re:
> one key to unencrypt all phones of a specific manufacturer?

No. One private/public pair per handset. The public key on the handset, the private key held by Apple or Google. That would cover the vast majority of phones out there.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 10:48am

Manhattan project?
Remember what happened with the first Manhattan Project? It worked... and then, because of spies, the Soviets had it within 4 years. For something like this, that's probably optimistic.

There are so many problems with what they are trying to do. If you have a password or number or code that can decrypt a message, that password or number or code can be stolen. And if you put the means to decrypt EVERY message in one place, it almost certainly WILL be stolen.

But even if we found what the government thought was perfect encryption - easy to use, government access on demand, otherwise secure (including against foreign governments and in-government corruption), and everyone was somehow forced to use it - there is no possible way that we could force the bad guys to use it *exclusively*. They could encrypt their message using normal methods and then encrypt the encrypted message using the government-sponsored method, so when the government uses the magic key all they get is an encrypted message.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 10:51am

Re: Re: Re: Re: Re: Re:
> one key to unencrypt all phones of a specific manufacturer?

No. One private/public pair per handset. The public key on the handset, the private key held by Apple or Google. That would cover the vast majority of phones out there.

And it would be nothing like encryption used in video players. Those things put the private key in the hardware and rely on obfuscation and technical barriers to keep it secret.
[ link to this | view in thread ]
Mike Masnick (profile), 21 Dec 2015 @ 11:06am

Re: Re: Enough strawmen to fill up a dozen fields.
But the reality is that Mike knows exactly where I'm posting from and who I am.

I actually have no idea who you are. I could dig your IP address out of the files, but I haven't and I don't know anything more about you other than you seem woefully uninformed about encryption.

So feel free to enlighten us.
[ link to this | view in thread ]
Mike Masnick (profile), 21 Dec 2015 @ 11:11am

Re: Re: Re: Re: Re: Re: Re: Re: Enough strawmen to fill up a dozen fields.
It's just that most commenters on Techdirt, yourself for example, are torrent addicts, and that is why they're sweating encryption laws.

You seem overly paranoid about torrenting. Weird.

I've actually never used BitTorrent myself. Don't even have any BitTorrent clients on my computer. And I'm quite worried about encryption issues. It's got nothing to do with copyright stuff, and everything to do with privacy.

Do you always project so much on people who actually know what they're talking about when you get into arguments?
[ link to this | view in thread ]
Chronno S. Trigger (profile), 21 Dec 2015 @ 11:11am

Re: Re: Re: Re: Re: Re: Re:
So you're saying that there should be one central database holding the passwords for each and every device out there? As much as there is wrong with what you're saying, there's one giant flaw that even those who don't understand encryption should be able to see:

You're still making one central target to crack everything.

The biggest advantage of encryption is it's decentralization. Crack one device and you don't crack everything. But with your idea, crack Google or Apple's database and you've got everything. And it wouldn't take a master hacker, all it would take is one lazy/malicious/mistaken employee.

This, of course, assumes that the government would even allow a database like that to exist outside of their control.

And why are we even bothering? Smart criminals will never be caught by this. ISIS has their own encryption now, drug dealers use burner phones (and they don't even bother with encryption), smart criminals would just use the not intentionally flawed software we already have. Stupid criminals already incriminate themselves. Why make everyone else less secure?
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 11:14am

Re:
Bawk!
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 11:17am

Re: Re: Re: Re: Re: Re: Enough strawmen to fill up a dozen fields.
Pay up or shut up.
[ link to this | view in thread ]
Whoever, 21 Dec 2015 @ 11:20am

Manhatten projects
Perhaps we could have a project to make pi equal to 3, or another project to make 1 + 1 = 3. Because that's what she is asking for, and the reason it won't work is just as obvious.

She knows this, so the real question is why is she asking for it?
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 11:22am

Re: Re: Re: Re: Re: Re: Re:
So the one key pair would be stored in a centralized location, and be completely impervious to attack - like the OPM database holding all the information for those having security clearances?

Not for nothing, if they can't keep what they have safe, I don't see why they get MORE information to not keep safe. Seems like they don't deserve that privilege.
[ link to this | view in thread ]
JoeCool (profile), 21 Dec 2015 @ 11:23am

Re: Bob Dylan's reply
They'll pass a law that mandates the shades be capable of being raised from the outside by law enforcement. Of course, only the "good guys" will have that ability, so no need to worry about perverts trying to peek in the windows.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 11:26am

Re: Re: Re: Re: Re: Re: Re: Re:
I find cowards like you unpleasant. They're a disgrace to all the men and women who bravely fought and are still fighting for this country.

And all without pay! Doesn't cost us a cent. That's amazing!

Keep paying someone else to protect you because you don't have a working set of testicles. I'm sure they love your tax dollars.

If they could just find someone to protect us for FREE like the military does!
[ link to this | view in thread ]
None, 21 Dec 2015 @ 11:31am

Re:
She's asking for a side door, with a sign that says Government only :)
[ link to this | view in thread ]
Santa Claus, fo real., 21 Dec 2015 @ 11:33am

Re: Re: Enough strawmen to fill up a dozen fields.
Mike knows exactly where I'm posting from and who I am.

Mind posting exactly where you're posting from and who you are? And don't try lying to me because I'll know if you do, because I'm Santa Claus, fo real.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 11:41am

Re:
For almost 100 years via a warrant, law enforcement has been able to tap telephones. And they should be able to do the same with internet communications.

They can. So what's the problem? They may not understand those communications, but the same holds true for telephones as well. Or don't you understand that?
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 11:43am

Re: Re: Re: Re: Re: Re: Re: Re:
There already is one target to crack everything for most phones - Apple or Google.

For example, Apple's messaging app sends encrypted encrypted messages but if you could crack Apple, you could silently add a foreign key to the transaction and the user would never know (the encryption keys are managed entirely by Apple).

You already are trusting Apple and Google. I think they can be trusted to manage keys (the certainly know how to do so).

> Smart criminals will never be caught by this.

That's ok. There are enough dumb criminals to keep law enforcement busy for a long, long time. There's no perfect solution and looking for a single, magical solution is foolish.

Change is coming. I answered what the minimal compromise I think is reasonable. If the solution is forced on tech companies via legislation, it's going to be much, much worse than simply adding the ability to unlock a device.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 11:47am

Re: Manhatten projects
She knows this, so the real question is why is she asking for it?

Because she wants know when someone is even thinking about crossing her. To do that she needs to be able to spy on everyone.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 11:48am

Re: Re: Re: Re: Re: Re: Re: Re: Re:
You already are trusting Apple and Google. I think they can be trusted to manage keys (the certainly know how to do so).

However, the government (who clearly has network security issues - see "OPM hack") is trying to tell them what to do.

So no, it's not a matter of trust with Google/Apple - it's them taking direction from someone with a shitty track record.
[ link to this | view in thread ]
Robert Beckman (profile), 21 Dec 2015 @ 12:01pm

Delayed-Escrow Encryption
There may actually be a way to get both a secure(ish) device and a way to decrypt it.

We've seen recently that there's a way to break PGP through factoring of very large primes (which is what some people think the NSA's Utah data center is for), but that it takes a huge amount of compute time.

If your iPhone uses a rolling set of encryption keys, but where the rolling refactoring could be stopped with physical possession of the device, then a nation-state could seize the phone and eventually decrypt it, since the rolling key would stop rolling.

Now the catch, of course, is that you'd need to keep the key size growing with Moore's Law, so that even with physical possession it would still be a significant effort to break, essentially making it so that only in rare circumstances would it be worth breaking the encryption.

We used this same paradigm for years with location information - the law evolved that having the police "tail" someone wasn't an invasion of privacy, because anything you do in public isn't private. But the paradigm in place meant that mass surveillance was impracticably expensive, so it was only used when it was really worth it. Now that mass surveillance is cheap, we're stuck with a legal landscape that no longer yields the same relative privacy as before - where you were private simply due to the cost of breaking your privacy.

Professor Kerr explains this in his Equilibrium-Adjustment theory of the 4th Amendment, but the same principle could be applied to computer encryption - grow the keys steadily to make it hard to decrypt a phone you have physical possession of, but possible if it's worth it.

This gets trickier with stored data (suck up everything, sit on it for 10 years until it's easy to break, and then charge anyone you find with an ongoing conspiracy for whatever violation you find), but there may be solutions to this (extremely large keys on transmitted data, smaller rolling keys locally).

Of course, this would necessarily mean that older data could be decrypted, so the US Government would need to thing long and hard about whether it wants it to be practical to break US encryption standards for older data.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 12:04pm

She misspoke
She meant to say that we need a Madison Ave Project to come up with a term for backdoors that she can sell to the American public.
[ link to this | view in thread ]
Ryunosuke, 21 Dec 2015 @ 12:05pm

Re: Re: Re: Re: Re: Re: Re: Re: Enough strawmen to fill up a dozen fields.
do you have ANY sort of information to back that claim up?

Techdirt isnt about torrenting, if you ever read ... well ANY post whatsoever

Techdirt deals with copyright law, and technology mostly, but also cyberlaws.

you sir, just made yourself look like a fool... at best, at worst, you just made yourself look like a politician.
[ link to this | view in thread ]
Chronno S. Trigger (profile), 21 Dec 2015 @ 12:14pm

Re: Re: Re: Re: Re: Re: Re: Re: Re:
You're confusing two different things. You're talking about local encryption and communication encryption at the same time and getting confused.

Google's chat encryption is not end to end, it's from your PC to the central server and from the other PC to the central server. The government doesn't need to crack encryption to get that information.

Google chat and Apple chat are not secure systems, we all know this.

Local encryption is something else entirely. If I encrypt a file on my phone, say a password list, there is no central server between me and the file. I expect that file to be secure. At least as secure as the software used to encrypt it, not some unrelated, uninterested third party. I expect my communication with my bank to be as secure as the bank, not some unrelated, uninterested third party. Google should not have access to this information.

The government doesn't want access to Google chat, they want access to everything encrypted. Your compromise will never be enough for them because they already have it.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 12:37pm

A very clear and logical statement, Mike. Bravo. Your point about it being impossible to build software that can discern between 'good' and 'evil' users, really is the core issue.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 12:48pm

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
> However, the government (who clearly has network security issues - see "OPM hack") is trying to tell them what to do.

That's exactly why the big tech companies should start talking about the compromises that least impact normal users. Installing a public key that can be used when presented with a court order is the least problematic solution that I can think of. If the tech companies don't start, legislation will tell them what they have to do and that would be the worst outcome.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 12:50pm

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
> Google chat and Apple chat are not secure systems, we all know this.

I don't know how Google Chat works, but Apple details their security model in their iOS security white paper and it is end-to-end encrypted. Apple can't see the messages.

> Your compromise will never be enough for them because they already have it.

No, they don't. Recent iOS devices and some Android devices are still secure, even to Apple and Google.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 1:08pm

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
Before long law enforcement would demand the key so that they can decrypt what they want as soon as they get the court order, and of course they would never abuse it or let a copy leak.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 1:12pm

Re:
No, the core issue is that people have to have privacy from the government, like when gathering information about a law enforcers or politicians wrong doing, or trying to find out if there is enough local support for a protest against planned laws.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 1:13pm

Re: Re: Re: Re: Re: Re: Re: Enough strawmen to fill up a dozen fields.
We all know copyrights best and brightest will never live up to their side of a bargain. But we do know this one here works at an IMAX, cause he's a giant projectionist.
[ link to this | view in thread ]
Chronno S. Trigger (profile), 21 Dec 2015 @ 1:15pm

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
Didn't know that, but it helps my point, not yours.

Why does Apple have end to end encryption for their chat service? Think about that for a second, why would they spend that much effort into creating that? Is it to help the criminals stay under the radar? Or maybe because Apple knows that keeping everything in a central repository is a stupid idea.

Your compromise will end up like the 6 strike compromise the ISPs put in place. Utterly worthless yet still being ratcheted up. ISPs should have stood their ground and Google and Apple should as well.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 1:29pm

It's likely that none of the candidates expects golden keys to actually be implemented or work (not that they wouldn't be thrilled). What they do expect is that, if elected, they have a golden scapegoat: anything bad that happens anywhere, anytime during their tenure will be blamed on the "uncooperative tech sector". Terrorism? Apple's fault. Pedophilia? Google's to blame. Mass shootings? Call of Duty's influence. Plaque and tartar build-up? Um... that Candy Crush thing.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 1:38pm

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
> Why does Apple have end to end encryption for their chat service?

Two big reasons:

1) It's fantastic for marketing. Their chief rival makes money by mining everything you do on the device for advertising purposes (that's a cynical view, but somewhat correct). It makes sense to zig where their rival zags.

2) It saves them a lot of money. When they are presented with a court order saying "reveal the contents of this", an intern can prepare the response: "sorry, but due to technical limitations, there's no possible way to comply".

Change is coming. It's the perfect climate right now for anti-privacy legislation to be passed. It's important that tech companies (and communities like this one) get involved.

Many in this community are holding the position that they are unwilling to cede any privacy protections to law enforcement. It's a principled position to hold for sure, but when there's no compromise to be made, none will be offered. That's how you end up with terrible legislation that makes everybody a criminal.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 1:39pm

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
...the least problematic solution that I can think of.

That still doesn't address the single point of failure you're creating, nor the ramifications of what happens when the key(s) are compromised.

The companies keep saying it can't be done, yet the government insists that it can. Since they're so sure, the onus is on the government to create a working model/proof of concept. Not Apple or Google - they have a profit motive and shareholders to be responsible to.

If the tech companies don't start, legislation will tell them what they have to do and that would be the worst outcome.

In other words, legislate that 2+2=5?
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 1:40pm

Re: The biggest issue...
> Educate the idiot masses.

I think you would be surprised at how many people *want* the government to be able to spy on everything.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 1:43pm

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
Many in this community are holding the position that they are unwilling to cede any privacy protections to law enforcement.

Primarily because it's been well documented that law enforcement can't be trusted.

Question for you, if I may...why does law enforcement absolutely need this? Exactly how many people are flying under the radar and causing random acts of violence, where they now must be suspicious of EVERYONE?

And if that's the case, and everyone needs to be treated with suspicion, then inevitably, some of those suspicious people WILL end up in law enforcement...what in your solution will prevent THEM from also exploiting the TSA key, I mean, master encryption key?
[ link to this | view in thread ]
Chronno S. Trigger (profile), 21 Dec 2015 @ 1:47pm

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
That's what it comes down to isn't it. Person A is right and set a line in the sand. Person B is vary wrong and set their line in the sand. If person A steps over their line, they step into the wrong. But person B wants to compromise. Just step a little into the wrong, just a toe, I promise I won't pull you further in.

One would think we would have learned better by now.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 1:50pm

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
> That still doesn't address the single point of failure you're creating

The tech companies are already a single point of failure. They are pushing stuff to your phone all the time.

> In other words, legislate that 2+2=5?

No, they will pass legislation that gives law enforcement everything without regard to the harm it does to people and businesses in the US.

Going dark on a mass scale won't be allowed to happen. What's a compromise that you could live with? I already trust Google and Apple, so for them to have a way to unlock my phone doesn't change much (it goes back to how things were a few years ago).

I can still install 3rd party secure messaging apps just like I could use a scrambler on my phone line to secure my conversations.
[ link to this | view in thread ]
crade (profile), 21 Dec 2015 @ 1:58pm

Everyone who knows how encryption works are obviously all in a big conspiracy together to pretend we can't just hit this encryption doohicky with a sledge hammer and everyone will be safe.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 1:58pm

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
> And if that's the case, and everyone needs to be treated with suspicion

Does the fact that your landline is easily tapped imply that you are under suspicion?

> what in your solution will prevent THEM from also exploiting the TSA key, I mean, master encryption key?

Transparency and real oversight would be a good start. If all law enforcement decryption requests are eventually made public, it would be easier to spot abuse.

I think that's why it's important for this community to get involved. If legislators hear law enforcement say "tech companies must be made to comply with a court order demanding decryption" and hear tech companies say "under our current set up, that's not possible", then it's easy to predict what will happen: CALEA for mobile phone companies with no reasonable limits, oversight, or transparency.

We can stand around here and pretend that any ability to decrypt is the same as not encrypting at all in the first place (which is ridiculous), or get involved and give up as little ground as possible.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 2:00pm

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
No, they will pass legislation that gives law enforcement everything without regard to the harm it does to people and businesses in the US.

And if it's all encrypted anyways, nothing will change. They'll still have collected everything, and will still not have the processing power to decrypt it all.

Nothing changes.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 2:02pm

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
What's a compromise that you could live with?

I don't need to compromise. I have encryption, and choose to use it to make my communications private.

Law enforcement has the ability to collect it, and with enough processing power, possibly decrypt it within my lifetime.

They already have exactly what they need. What they should be lobbying for is to change how time works. I think they'd have a better shot of making a 30 hour day instead of getting any backdoor to pass.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 2:04pm

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
Does the fact that your landline is easily tapped imply that you are under suspicion?

I can still speak in code over my potentially tapped landline. Should I also have to make the cipher available to law enforcement?
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 2:09pm

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
I don't think that's a bad analogy.

I think the lesson that we should have learned by now is that if we don't get involved, we get terrible, unbalanced, overreaching legislation. Decrypting a phone they capture is one thing, the real time decryption of all communications is another. Granting the first doesn't give them the second thing.

Everybody has their own line in the sand. Mine is untargeted surveillance. I have no problem with narrowly scoped spying but bulk data collection of everybody is too much.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 2:20pm

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
If you choose to communicate securely, you can do so.

For secure messaging my favorite app is Threema.

Law enforcement doesn't want to make it impossible to communicate securely (they need that too), they just don't want it to be the default.
[ link to this | view in thread ]
RocRizzo (profile), 21 Dec 2015 @ 2:22pm

They don't need encryption back doors
What they need is better reasons to get search warrants.
They could search someone's phone if they had a warrant to, but even law enforcement is pretty much clueless.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 2:26pm

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
or get involved and give up as little ground as possible.

How much ground will the government take? It will enough to ensure that they and their corporate buddies cannot be easily challenged.
Terrorists know enough to keep their planning secure, while a local neighbourhood trying to organize replacement of their politician; or a group trying to organize a protest against an unjust law, or against a corporation ruining their environment, are easily disrupted if their communications can be monitored.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 2:32pm

Re: Delayed-Escrow Encryption
What you are calling rolling keys I think cryptographers call ephemeral keys. They are generated for the session then discarded. It's in service of perfect forward secrecy.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 2:51pm

Re: They don't need encryption back doors
Actually, the problem is that even with a warrant, many phones can't be searched unless the owner unlocks it.
[ link to this | view in thread ]
Pavement View (looking up, from beyond the ropes), 21 Dec 2015 @ 3:18pm

Fool me once... Fool me a thousand times (naw, don't think so)
Hillary is really not an intelligent person, re: anything. She has connections, and that is what counts in this day and age of guvmint by crooks. That and appearances (O'Bummer has that down cold).

Making sense, even common sense, is not required.

We have two years of a clown show and then a charade of an elections (ditch rigged machines and bring back the smoke filled back rooms). The two-year theater serves TPTB to keep the attention of the masses diverted from their laws for bribes (and other considerations).

One thing H is good at is a posture of looking concerned.

What a life. This system is broke beyond hope (so much for hope and change Mr. Prez).
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 3:25pm

It has become PAINFULLY OBVIOUS that the federal government is projecting the illusion that it's "helpless" and cannot do what any reasonably minded individual KNOWS it can do - and that is decrypt encrypted messages with relative ease.

The arguments they're using are simply to ludicrous and LOUD (public) to suggest anything else (it is here where any shill worth his/her salt would suggest mere "incompetence" is to blame... that tired falsehood fell apart years ago - they know what they're doing, and you KNOW this to be the case.)
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 3:37pm

Hillary, go stick a Juniper
Hillary, go stick a Juniper where...

well, the thought is too ugly to finish.
[ link to this | view in thread ]
Anonymous Coward, 21 Dec 2015 @ 3:47pm

Re: Hillary, go stick a Juniper
Hillary "Surströmming-Crotch" Clinton probably won't mind - she has everything else stuck up there.
[ link to this | view in thread ]
JuddSandage (profile), 21 Dec 2015 @ 3:50pm

Yeah...
Clinton added some caveats. "Maybe the back door is the wrong door..."

"She's been telling me that for years."
- Bill
[ link to this | view in thread ]
Robert Beckman (profile), 21 Dec 2015 @ 3:58pm

Re: Re: Delayed-Escrow Encryption
That's essentially it. I'm a data scientist, rather than a cryptographer, so I didn't have the term of art (ephemeral keys). I've implemented a similar system for data processing, but what I see would be (essentially) a set of keys that time out where each section of storage gets slowly migrated from key to key, so that for any live system it will have a reasonably fresh key, but that when taken offline they become static.

This would necessarily mean a slightly higher overhead on the device (since it would always be encrypting a new volume), but it could also use smaller keys tied to the generally available compute power - similar to how bitcoin mining gets harder over time.

This sort of escalating encryption would obviously be harder to implement than a static key encryption, and harder to be sure no one planted a back door in it itself, but would have the advantage of maintaining the same relative level of protection over time for current devices.

The non-absurd argument for security is that sometimes they really do need to decrypt things, but as we've seen it's far too often used now as an easy way to bypass other protections, rather than for extraordinary situations. Since we've been shown that we can't trust the watchers on their own when there aren't technical barriers, the alternative may be that practical barriers (total compute available) are a better alternative, like we had until recently due to scalability problems.
[ link to this | view in thread ]
Wyrm (profile), 21 Dec 2015 @ 4:14pm

"Trusted computing", does that ring a bell?
This is the exact same "computer security" that copyright lobbies have asked for a long time.

- Security should be: when a third-party tries to access a resource, it needs authorization as configured by the user.
- "Security" as seen by all those: when a user tries to access a resource, it needs authorization as configured by a third-party. (Government, copyright group, etc.)

That's a fundamental issue: they're basically asking for computers (including smartphones and other mobile devices) to distrust its owner because of their own paranoia.
[ link to this | view in thread ]
Gwiz (profile), 21 Dec 2015 @ 6:13pm

Re: Re: Re: Re: Enough strawmen to fill up a dozen fields.
So you think Congress is going to listen to the demographic that is known for flouting laws?

Not sure what demographic you are referring to, but, it surely isn't the audence here at Techdirt:

49% over the age of 35 (74% over age 25)
61% earn over 50k/year
72% college educated

Source: https://www.quantcast.com/techdirt.com
[ link to this | view in thread ]
Your worst nightmare, 21 Dec 2015 @ 10:17pm

Re: Re: Re:really?
The government can't, and is not supposed to, protect you from me. They will deal with the aftermath, that is it.
[ link to this | view in thread ]
techflaws (profile), 21 Dec 2015 @ 10:37pm

Re: Re: Re: Re:
Badly, I might add.
[ link to this | view in thread ]
That One Guy (profile), 21 Dec 2015 @ 11:11pm

Re: Re: Re: Re: Re: Re: Re: Re: Enough strawmen to fill up a dozen fields.
Called on your dishonesty and you respond with a 'You mother' insult I see. Clearly expecting honesty or maturity from you was unrealistic of me.

As for your repeated baseless assertions, you really need to stop projecting so much. Just because you cannot help but torrent anything and everything that catches you eye, doesn't mean the rest of us engage in similar practices.
[ link to this | view in thread ]
That One Guy (profile), 21 Dec 2015 @ 11:23pm

Re: Re: Re: Re: Re: Re: Enough strawmen to fill up a dozen fields.
Now if only TOG hadn't made up a quote, he could have gotten the same. But now he'll need a warrant :)

Not so, I don't need to provide anything more than I already have, or wouldn't anyway were you honest enough to own up to your own words.

You implied, multiple times, that the only reason someone could desire privacy and/or protest against breaking encryption was to hide criminal actions. I called you out on it. You then said:

I'll post my name, address and phone number just as soon as you find this quote in one of my posts.

I did so by posting several examples where you implied without any subtlety at all that the reason people were objecting to breaking encryption was to hide illegal actions, giving you the option to either admit to being wrong, admit to being a criminal, or stand behind your claims and provide your personal data. You dishonestly dodged again, choosing instead to respond with a grade-school level 'your mother' insult.

If you're going to lie, at least realize that people are able to read what's been posted, and adjust your lies accordingly. Claiming 'I haven't said X', when people can simply scroll up and see that you absolutely have for example is not the best way to dishonestly defend your position.
[ link to this | view in thread ]
That One Guy (profile), 21 Dec 2015 @ 11:40pm

Re: Re: Re: Re: Re:
So, what is the smallest compromise you would be willing to make?

None whatsoever.

If you've got one person saying 'I don't think it's a smart idea to play russian roulette', and another person saying 'I think it is a smart idea to play russian' roulette, there is no room for compromise. The first person is right, the second person is wrong, and it's not in any way reasonable for the first person to give any ground, 'compromise' or not.

In the case of security and encryption, you either have encryption that works, and is secure for everyone, or you have encryption that doesn't work, and is secure for no-one. Those are the only two options. There is no room, at all, for 'compromise' when it comes to encryption. It either works or it doesn't, that's it.

For me, it's that every phone encrypts the master key with the user's password and the manufacturers public key.

Creating a 'master key' rather than a 'golden key'. Well, I guess you changed the name, that's got to count for something, right?

No, no it doesn't.

No matter what you call it, a security vulnerability is a security vulnerability, and not something to be desired or deliberately introduced.

Individual phones can be decrypted with a warrant but bulk real-time decryption isn't happening.

Right up until someone gets the master key and uses that. If the system you are envisioning allows for individual real-time decryption, then it also allows for bulk real-time decryption, it's simply a matter of resources. And even if it doesn't allow for real-time bulk decryption, the fact that it might take them a little bit longer to get around to decrypting everything they scooped up doesn't make it any better or acceptable.
[ link to this | view in thread ]
That One Guy (profile), 21 Dec 2015 @ 11:54pm

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
Decrypting a phone they capture is one thing, the real time decryption of all communications is another. Granting the first doesn't give them the second thing.

Assuming a 'central repository' of decryption keys as you've suggested several times so far, if they can do the first, they can do the second(and if they can't do it for whatever reason now, just give it a few years). The only way to keep them from doing the second is to keep them from being able to do the first.

Not to mention, as has been demonstrated time, and time, and time again, they always want more. Give them the ability to do A now, and it's only a matter of time before they're insisting that, because Terrorism, they absolutely need the ability to do B, C, and D as well(assuming they even ask).

They want to search a phone? Get a warrant, and present it to the owner of the phone to unlock. Don't want to do either of the above? Then no search allowed.
[ link to this | view in thread ]
Anonymous Coward, 22 Dec 2015 @ 4:06am

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
Transparency and real oversight would be a good start.

Let that happen first, then come back. But since that is never going to happen,

If all law enforcement decryption requests are eventually made public, it would be easier to spot abuse.

Eventually. Forever minus a day. Kind of the opposite of the "transparency" you were just promoting. You're already being self-contradictory.

I think that's why it's important for this community to get involved.

In case you hadn't notice, it is.

it's easy to predict what will happen: CALEA for mobile phone companies ... blah blah blah

CALEA already applies to mobile phone companies. Nice try.
[ link to this | view in thread ]
Anonymous Coward, 22 Dec 2015 @ 4:08am

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
I can still speak in code over my potentially tapped landline.

Something they would like to outlaw.
[ link to this | view in thread ]
Anonymous Coward, 22 Dec 2015 @ 4:12am

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
I have no problem with narrowly scoped spying...

We already have that.

but bulk data collection of everybody is too much.

which we also already have. So, you think they've already gone too far, yet you argue for them to go further? I detect duplicity.
[ link to this | view in thread ]
Anonymous Coward, 22 Dec 2015 @ 4:19am

Re: Re: Re: Re:really?
They will deal with the aftermath, that is it.

If you really believe that, then you're delusional.
[ link to this | view in thread ]
Anonymous Coward, 22 Dec 2015 @ 4:25am

Re: Re: Re: Re: Re: Re:
If you've got one person saying 'I don't think it's a smart idea to play russian roulette', and another person saying 'I think it is a smart idea to play russian' roulette, there is no room for compromise.

Oh come on, Russian Roulette is perfectly safe, on average. Can't we just compromise and say that it's "usually" a good idea?
[ link to this | view in thread ]
PaulT (profile), 22 Dec 2015 @ 5:01am

Re: Re: Re: Re:
"Anyone that uses it for things they want kept private is a moron."

That, by the way, would be you.

Oh, you might not mean to, and you probably don't even know that's what you're doing. But, even if you don't personally use the internet for anything other than posting anonymous comments on forums, the places you bank, shop, work and deal with in any way almost certainly uses some form of encryption over the internet. Huge amounts of modern business is only possible because of online encryption, and very few of those businesses are doing so on their own private dedicated connections.

Which is part of the reason why this is such a big issue. Even if you've never used a VPN, SSH shell or SSL login in your life, your safety will be compromised.
[ link to this | view in thread ]
PaulT (profile), 22 Dec 2015 @ 5:04am

Re: Re: so uhh....
"Law enforcement is already allowed to tap phones and search mail/packages."

Yet, they manage to do so without demanding backdoors that would allow others to listen to phone calls and intercept mail from people they are not currently investigating.

Do you see the difference? They're not merely asking for the ability to listen to phone calls, they're asking for every phone to do this automatically for anyone who asks.
[ link to this | view in thread ]
PaulT (profile), 22 Dec 2015 @ 5:15am

Re: Re: Enough strawmen to fill up a dozen fields.
"The guy posting that he has no problem with wiretaps but says "no way" on encryption busting? Just like most everyone here, he just doesn't want to get busted for his torrenting addiction."

Meanwhile, outside of your fantasy world, what people are actually talking about are the vital technologies used by banking and virtually every other kind of business to keep financial and private information safe.

It's sad, really. We're talking about undermining every sector of the modern world, and all you people can think about is whether people are getting MP3s. You can't stop lying about people even on unrelated conversations. But those strawmen keep you from realising what's happening in the real world, I suppose...
[ link to this | view in thread ]
PaulT (profile), 22 Dec 2015 @ 5:19am

Re: Re: Re: Re: Re: Re: Re: Re: Enough strawmen to fill up a dozen fields.
"It's just that most commenters on Techdirt, yourself for example, are torrent addicts"

...and will the citation for this be forthcoming at any point? Rhetorical question, of course, since you are a pathological liar.

Is your life really so pathetic that you have to lie about people you've never met? I know it's easier that addressing reality, but it's not healthy to live so much time in a fantasy world.
[ link to this | view in thread ]
mistercynical (profile), 22 Dec 2015 @ 5:20am

Re: Re: The biggest issue...
"Ay, there's the rub"
[ link to this | view in thread ]
PaulT (profile), 22 Dec 2015 @ 5:46am

Re: Re: Re: Re: Re: Re: Re: Re: Re:
"There already is one target to crack everything for most phones - Apple or Google."

Yes, if you want to massively over-simplify things. Bear in mind we're not just talking about phones here, nor are we just talking about consumer level devices.

But, you know what people at both of those companies spend a lot of their time doing ? Fixing flaws that allow people to crack their devices. What's you're supporting here is not only introducing numerous extra vulnerable points, but making sure that nobody is allowed to fix them. Ensuring that once that target has been compromised, it is never allowed to re-secure their devices.

Do you see the problem yet?

"That's ok. There are enough dumb criminals to keep law enforcement busy for a long, long time"

So, you support handing smarter, more organised criminals the tools to operate unhindered because some dumber people will get caught? Do you even understand what you're saying here?

"Change is coming. I answered what the minimal compromise I think is reasonable"

If you think that's reasonable, you don't understand the issue.
[ link to this | view in thread ]
That One Guy (profile), 22 Dec 2015 @ 5:48am

Re: Re: The biggest issue...
Right until they realize that 'everything' also includes their private communications as well, at which point the support rather shrinks a bit I imagine.
[ link to this | view in thread ]
PaulT (profile), 22 Dec 2015 @ 5:51am

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
"Does the fact that your landline is easily tapped imply that you are under suspicion?"

No, but then a landline is not factory set to be tapped by whoever requests it without any other intervention.

"Transparency and real oversight would be a good start"

How would that stop non-government entities from using the key, which you've now blocked by law from being re-secured?

"We can stand around here and pretend that any ability to decrypt is the same as not encrypting at all in the first place (which is ridiculous)"

That might be what you think they're saying. What others are actually saying is that once you create a master key, it works for everyone who wishes to use it. Which is the same as not encrypting at all to those people who have the key.
[ link to this | view in thread ]
PaulT (profile), 22 Dec 2015 @ 5:57am

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
"I have no problem with narrowly scoped spying but bulk data collection of everybody is too much."

Here, I think you actually agree with people. The problem is simple - the solution you are calling for eventually hands the ability for bulk data collection from anyone, government and civilian, with no way to take it back.
[ link to this | view in thread ]
PaulT (profile), 22 Dec 2015 @ 6:00am

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
"If you choose to communicate securely, you can do so.

For secure messaging my favorite app is Threema."

Cool. Are you aware that Threema depends on encryption technology that's the very thing that's being called to be compromised here?
[ link to this | view in thread ]
Anonymous Coward, 22 Dec 2015 @ 6:07am

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
> CALEA already applies to mobile phone companies.

No, it doesn't. Right now Apple doesn't have to provide surveillance hooks to law enforcement and that's precisely what is being pushed for. Phone companies aren't allowed to buy telecom gear unless it has surveillance capabilities. Soon, they may not be allowed to activate handsets unless they too have surveillance capabilities.

I trust Apple more than I trust AT&T or Verizon. If somebody is going to have to manage keys (and I really think that's where we are headed), I want Apple to do it. That's really the bottom line of everything I've been saying.

In the little Techdirt bubble, that's an insane thing that everybody hates, but among the general population, it's entirely sensible. You may have noticed that people really don't give a shit about privacy. Most don't worry about adblocking or trackers, they give up their demographic info for a chance to win a car, they are happy to fill out a survey to get a free sandwich, or apply for a credit card to save 5% on today's purchase. Privacy isn't a big deal, but security is. They are scared about terrorists even though the probability of being hurt or killed by terrorists is about as likely as being killed by a shark. Generally, people may not like their city or state police, but they are mostly happy with the FBI, the CIA, and they LOVE every branch of the armed forces.
[ link to this | view in thread ]
Anonymous Coward, 22 Dec 2015 @ 7:06am

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
No, it doesn't do that. If you use an iPhone or an Android device you are already trusting Apple or Google. Google is basically doing bulk data collection (with user consent and for the benefit of that user). Apple could, but they have a different business model. Asking either of them to hold a key for you isn't a huge further step as you are already dependent on them for much of your security.

The government can't directly force Apple or Google to implement interception capabilities. What they will do (this is a guess) is pass a law prohibiting mobile network operators from accepting devices that lack that capability. They already require the network gear to have that capability (CALEA) and so I think it could be argued that requiring the same capability in the handsets is logical (from a law enforcement perspective).

Apple and Google would have no choice but to build that in and hand over the keys to the network operators. For me, that's basically the worst case scenario because I *do* trust Apple and Google, but have zero trust in AT&T, Verizon, Sprint, or TMobile.
[ link to this | view in thread ]
PaulT (profile), 22 Dec 2015 @ 7:25am

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
"If you use an iPhone or an Android device you are already trusting Apple or Google"

There are far more than 2 companies involved here, and more than mobile phones. I mean, Google don't even manufacture their handsets' hardware and 3rd party Android devices can patch the OS at any time. So, wherever you expect the decryption to happen, you're looking at way more than 2 vectors. Yes, that also means that carriers may have the keys as well.

I can see where you're coming from, but so long as you continue to oversimplify the realities of the situation, you're going to be arguing something other than what's being discussed. Any security is only as good as its weakest link, and you're demanding that at least one be weakened further.
[ link to this | view in thread ]
PaulT (profile), 22 Dec 2015 @ 7:25am

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
"I trust Apple more than I trust AT&T or Verizon. If somebody is going to have to manage keys (and I really think that's where we are headed), I want Apple to do it"

Well, trust is only part of the issue here. Even if you trust the ability of a company to manage the security, you're talking about introducing a single point of failure that cannot be repaired. Mistakes happen, and Apple have been compromised in the past. Not only that, but you won't be able to pick and choose. This isn't just an argument about your mobile handset, it's about encryption in total. If Apple are forced to do this for your phone, others you trust less will need to do it for their systems too. Some of whom you will not know are involved, because you don't know the backend of every business you interact with and you don't know who's managing those keys.

"You may have noticed that people really don't give a shit about privacy."

Until it's compromised or there's real negative effects from a breach. People not interested in the subject have a hard time understanding future implications, but tend to have stronger opinions when it actually affects something they can see.

"Most don't worry about adblocking or trackers, they give up their demographic info for a chance to win a car, they are happy to fill out a survey to get a free sandwich, or apply for a credit card to save 5% on today's purchase."

This is all true. However, basic demographic info (much of which is public anyway) is rather different from what's being requested here. If someone doesn't mind giving away their email address for some free crap, that doesn't mean they'd agree to hand over live access to their phone conversations and financial transactions. There's different levels of importance to consider here.

Also, those people do demand that data be protected even as they're handing it over. They'll give their email, address or phone number over for a free sandwich, yes, but they also demand that junk mail and unsolicited phone calls can be avoided. The suggestions so far don't seem to involve any protection once a compromise happens with keys.

"Privacy isn't a big deal, but security is. They are scared about terrorists..."

Privacy and security often go hand in hand. Perhaps instead of whining about a "bubble" on a site that understands these things, you'd be better off explaining to less savvy users why those terrorists would potentially be able to access these backdoors. You'd be amazed how quickly their opinions can change.

Part of the issue is not that people don't care about their privacy, it's that they're not educated in the subject enough to know why it matters to their security. of course, the reason why they're scared of terrorists is they also don't know how rare such attacks are, but just because they're misinformed in one area that's not an excuse to misinform them in another.
[ link to this | view in thread ]
Anonymous Coward, 22 Dec 2015 @ 7:41am

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
So what's your prediction for what things look like two years from now? Does the tech community successfully fight off government overreach, or does some poorly written rider get attached to a budget bill that mandates phone companies activate only handsets they can unlock? Or is there some third possibility?
[ link to this | view in thread ]
PaulT (profile), 22 Dec 2015 @ 7:57am

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
"Or is there some third possibility?"

There's plenty of other options. Not least because what you seem to be missing is that this isn't just about mobile phone communication but encryption as a whole. For some reason, you seem to be intent on trying to simplify the whole issue to 2 companies. Despite the fact that there would be more than that involved even if this was only about mobile handsets.

I can't tell the future, but I can tell you that letting people get away with the ignorant comments described in the article without comment is certainly not going to lead us anywhere positive. I can also tell you that breaking encryption will lead to people you don't want to give access to having full access. Unless you have a solution that doesn't involve putting such a back door in, which you're failed to suggest so far. Sorry, the idea of an extra private key doesn't count, that's still a back door no matter how much you trust Apple.
[ link to this | view in thread ]
Anonymous Coward, 22 Dec 2015 @ 8:02am

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
> There's plenty of other options.

For example?
[ link to this | view in thread ]
PaulT (profile), 22 Dec 2015 @ 1:08pm

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
Figures... Just as you try to reduce the entire argument to 2 companies, you can only conceive of 2 options for the future. You ignore the rest of my comments, but hone into the parts you can try to wave away with some simplistic misunderstanding.

There's an entire spectrum of possibilities, ranging from a long political and legal battle to fight against any such requirement, to tech companies giving in but having to agree to increasingly draconian demands, to a major attack on existing vulnerabilities proving that encryption is absolutely necessary, to discovering some fundamental existing vulnerability that makes the whole demand moot.

But, we can't deal with huge numbers of possible outcomes based on what we can guess. We can only realistically address the suggestion being made. When you consider the entire landscape rather than whatever handy false dichotomy you can dream up, the predictable consequences are not good.
[ link to this | view in thread ]
Anonymous Coward, 22 Dec 2015 @ 1:25pm

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
> CALEA already applies to mobile phone companies.
No, it doesn't.

CALEA applies to all telecommunications providers. If you want to argue that doesn't apply to AT&T, Verizon, T-Mobile, Sprint etc. then you are truly delusional.
[ link to this | view in thread ]
Klaus, 22 Dec 2015 @ 4:57pm

Re: Re: Re: Re:
I understand that Mat and agree 100%.

I was talking purely about procedure. I think someone else posted before I did along the lines of "if law enforcement gets crud, then hard-cheese". And I agree with that 100%.
[ link to this | view in thread ]