Senator Richard Burr: Confused And Wrong On Encryption
from the this-is-ridiculous dept
Senator Richard Burr, head of the Senate Intelligence Committee and long time friend to the intelligence community, has now penned a ridiculous, misleading, fear-mongering opinion piece for the Wall Street Journal, entitled: Stopping Terrorists From "Going Dark." It's pretty much exactly what you'd expect if you've paid any attention to the ridiculous "going dark" debate in the US. But, let's dig in and show just how bad this one is:While the terrorist attacks in Paris, San Bernardino, Calif., and Garland, Texas, have brought discussions about encryption to the front pages, criminals in the U.S. have been using this technology for years to cover their tracks. The time has come for Congress and technology companies to discuss how encryption—encoding messages to protect their content—is enabling murderers, pedophiles, drug dealers and, increasingly, terrorists.Right, except so far officials haven't been able to show evidence of any of those cases actually using encryption. Similarly, law enforcement has failed to show that criminals using encryption have really been that much of a problem either. And that's because it's not a problem. Even in the (still mostly rare) cases where encryption is being used, criminals still reveal plenty of information that would allow law enforcement to track them down. It's called doing basic detective work.
Consumer information should be protected, and the development of stronger and more robust levels of encryption is necessary. Unfortunately, the protection that encryption provides law-abiding citizens is also available to criminals and terrorists. Today’s messaging systems are often designed so that companies’ own developers cannot gain access to encrypted content—and, alarmingly, not even when compelled by a court order. This allows criminals and terrorists, as the law enforcement community says, to “go dark” and plot with abandon.Yes, criminals and terrorists can use encryption just like law-abiding citizens. But that's true of any technology. There's no way to build technology that "only the good people can use." Criminals use cars and computers and guns. And they eat food and drink too. Some of them talk to each other in person. Yet we don't freak out about any of that other stuff. And, again, it's simply incorrect to say they can "plot with abandon." They cannot. Even when using encryption, many people either mess it up or still leave other clues. Most encrypted communication still reveals metadata about who was contacted, for example.
Leaving aside the terrorism challenges, encryption is affecting the investigations of kidnapping, child pornography, gang activity and other crimes. Federal, state, local and tribal law-enforcement officers can obtain legal authority to conduct electronic communications surveillance on terrorists and criminals. But encrypted devices and applications sometimes block access to the data. This means that even when the government has shown probable cause under the Fourth Amendment, it cannot acquire the evidence it seeks.Yes, yes, the FBI and folks like the Manhattan DA's office keep making this claim, but every time they're asked to provide actual evidence of investigations stymied because of encryption, they come up empty. Official stats on lawful interception orders show that encryption is almost never a problem. They just don't run into it.
Technology has outpaced the law. The core statute, the Communications Assistance for Law Enforcement Act, was enacted in 1994, more than a decade before the iPhone existed. The law requires telecommunications carriers—for instance, phone companies—to build into their equipment the capability for law enforcement to intercept communications in real time. The problem is that it doesn’t apply to other providers of electronic communications, including those supporting encrypted applications.This is wrong. Technology has not outpaced the law -- quite the opposite. Thanks to technology, law enforcement has more access to more information about every person alive than ever before in history. Technology now allows police to know where basically everyone has been at any moment in the day, who they spoke with, who they called or who they contacted via email. The fact that one small bit of data might be encrypted is hardly the case that technology has somehow outpaced the law.
Separately, yes, it's true that CALEA (the wiretapping statute) requires that phone calls can be tapped, but that's entirely different than undermining encryption. In fact, as we noted last week law already makes clear that phone companies are not required to backdoor encryption.
Federal Bureau of Investigation Director James Comey has said that one of the two Garland, Texas, shooters who died carrying out an attack on a Muhammad art exhibit in May exchanged 109 messages with an operative overseas. “We have no idea what he said,” Mr. Comey told the Senate this month, “because those messages were encrypted.” He described this as a “big problem”—and I couldn’t agree more.Yes, yes, this is the example it took Comey over a year to finally come up with, but again it's an incredibly weak one. Note: the encryption did not stop them from knowing who the shooter was communicating with, because the encryption does not impact the metadata. Yes, it may limit the ability to read the exact content of the messages, but the same would be true if they had just communicated via a phone call on an untapped line. Or if they had simply communicated with a simple code that those two knew and the FBI did not. This is really no different than any other criminal investigation situation, and it's not the encryption that's the problem.
Last month Manhattan District Attorney Cyrus R. Vance Jr. released an in-depth report specifically on “smartphone encryption and public safety.” Many cellphones, including those designed by Apple and Google, now encrypt by default all the data they store, which is accessible only with a passcode.Yeah, and we talked about how ridiculously wrong that report was at the time. And, again, the default mobile encryption only applies to data stored on those phones, not metadata. Apple would still have the keys to most data backed up in the cloud. Same with information shared with others where encryption may not be used. The amount of data that is truly "unobtainable" is minimal -- which is why no one has any really good examples of it being a problem.
The challenges presented by encryption extend to financial transactions. In August Sen. Elizabeth Warren wrote letters to six federal agencies voicing concerns that banks were using Symphony, an encrypted messaging system that could prevent regulators from detecting illegal activities. The letter came shortly after New York’s top banking regulator, the New York State Department of Financial Services, raised the same concern with several major banks and Symphony’s developer.That is not an apples to apples comparison by any stretch of the imagination. The reason for the concern with the banks is that banks are a highly regulated industry in which they are legally required to keep records of certain communications. That's not true of the general public, and unless Senator Burr is looking to wipe out the 4th Amendment, he shouldn't even pretend these things have anything in common.
In response, the banks agreed to store decryption keys with independent custodians, and Symphony agreed to retain electronic communications for seven years. All parties also agreed to a periodic review process to make sure that oversight keeps in sync with new technologies.
It would seem to me that daily financial flows shouldn’t command more attention than terrorist or criminal communications, yet here we are. Although the agreement described above may not be the solution for all encrypted communications, it does show that cooperative solutions are possible.
Second, what a cheap politician's trick to pull out the "daily financial flows shouldn’t command more attention than terrorist or criminal communications" line. This is blatant fear mongering, because the issue is not about terrorists or criminals, but you, me, and everyone reading this who has an expectation of privacy. The only way to break encryption for "terrorists and criminals" is to make everyone less safe by putting in dangerous backdoors.
And, every time we put backdoors into encryption we see how it's abused -- such as with the recent Juniper vulnerability.
Finally, the "cooperative solution" in the case of the financial industry is an entirely different animal as well. Again, that's a limited use case in a specific, highly regulated industry. To even suggest that because of that specific use case, there must be some sort of "cooperative solution" once again highlights a near total ignorance of how encryption works.
I and other lawmakers in Washington would like to work with America’s leading tech companies to solve this problem, but we fear they may balk. When Apple objected to a recent court order in a New York criminal case requiring it to unlock an iPhone running iOS 7—an operating system that Apple can unlock—the company refused, arguing: “This is a matter for Congress to decide.” On that point, Apple and I agree. It’s time to update the law.You fear they may balk? You want to know why? Perhaps because your friends in the intelligence community spent the last fifteen years breaking into their systems at every opportunity, undermining the trust and security of all of their users. You think that might have something to do with it? Maybe?
Senator Burr is doing something incredibly dangerous here. He's misleading the American public in a totally ignorant way, that will put our security at risk. He is making the world a more dangerous place, on purpose, because of a misunderstanding of how technology works. He has no place regulating technology issues at all.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: backdoors, congress, encryption, going dark, richard burr, senate intelligence committee
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in thread ]
Yea it's not like we had other forms of encryption before this was enacted *cough* PGP *cough*
[ link to this | view in thread ]
Excessive word use
Senator Richard Burr: Confused And Wrong
[ link to this | view in thread ]
Wrong again
[ link to this | view in thread ]
He's basically doing that but he either doesn't understand it or he's being dishonest.
[ link to this | view in thread ]
[ link to this | view in thread ]
UP next...
[ link to this | view in thread ]
Re:
Yes, though I didn't realize it when I wrote this post, the WSJ actually published a counterpoint at the same time, written by Cindy Cohn, the head of EFF:
http://www.wsj.com/articles/the-debate-over-encryption-the-backdoor-is-a-trapdoor-1450914316
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: UP next...
It is now a Class 1 Felony to talk to, or about, someone or something accused of a crime. Crimes include:
Talking too loudly;
Thinking counter to government;
Mel Brooks and viewing anything related to Mel Brooks;
Camels;
Water;
Rock music;
Black Lives Matter; and
Hugh Jackman.
(NB: This is a non-profit fan-based parody. Criminal acitvity is a product of the United States Government and the Department of Justice. Please support the official release.)
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Not really comparable
With phone encryption, the manufacturer is not and endpoint of the communication, so they - properly! - do not have a key.
The way it's supposed to work: if LEO show up with a warrent, banks either produce the information or loose their charter; with people, they produce the information or go to jail (for contempt and obstruction).
I fail to see the actual problem here. And, using the "banks do it" example, the same avenue already exists for "private communications"!
[ link to this | view in thread ]
http://www.databreaches.net/191-million-voters-personal-info-exposed-by-misconfigured-database/
Perha ps the good senator would agree to everyone carrying voice recorders to everything is recorded in real time. (That includes you senator) No more hiding by anyone.
If it is terrorists you're worried about, they already have a home brewed encryption program. You can be sure they are not going to change that program for a state sponsored one. Why would they knowing this sort of push is in the air. So it comes down to the real point of this isn't terrorists but rather the domestic population. What the senator proposes is that no one in the US be allowed to communicate privately on line. Again I remind the senator what is good for the goose is good for the gander. That means those intelligent committee meetings should be open as well so the public knows what is being discussed. Sounds fair to me.
[ link to this | view in thread ]
Next up on the war on Terror..........
That is all.
The US Intell er Metadata Gathering State
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Encryption != Encoding
[ link to this | view in thread ]
Is it though? CALEA was designed to require exceptional access on the PSTN. Now many communication occurs over IP (note that VoIP is covered under CALEA when it connects to PSTN).
CALEA set a precedent that communications providers must allow exceptional access. There is a real debate as to whether there should be a CALEA II*, but from a procedural standpoint it would fall under the precedent of CALEA. Calling attention to the other ways LE has access to investigatory material is a red herring, and does not address the precedent set by CALEA.
*https://www.schneier.com/blog/archives/2013/06/the_problems_wi_3.html
[ link to this | view in thread ]
FTFY
[ link to this | view in thread ]
Government Encryption
[ link to this | view in thread ]
Well I Did Send Burr an Email Letter
[ link to this | view in thread ]
“Criminals use cars and computers and guns”
[ link to this | view in thread ]
Re: “Criminals use cars and computers and guns”
[ link to this | view in thread ]
Re:
I hear the North Koreans are even better at it. I bet they're his heroes.
[ link to this | view in thread ]
Re: “Criminals use cars and computers and guns”
[ link to this | view in thread ]
Re: “Criminals use cars and computers and guns”
[ link to this | view in thread ]
Re: Re: “Criminals use cars and computers and guns”
Trying to clamp down on guns at this point will be about as effective as trying to clamp down on encryption, for many of the same reasons. And the idea that clamping down on guns will only hurt bad actors is about as accurate as the idea that clamping down on encryption will only hurt bad actors.
Just because you don't see any constructive uses for guns doesn't mean that they don't exist. Would you ban archery, martial arts, knives, explosives, loud noises, strong acids, ...?
[ link to this | view in thread ]
Re: Re: Re: “Criminals use cars and computers and guns”
Unless you have a magic wand that will remove all guns from a (city? country? world?), as well as the knowledge of how to make new guns, anyway. If that's the case, then we can have a completely different conversation.
[ link to this | view in thread ]
Re: Trying to clamp down on guns at this point ...
What’s so different about the US?
[ link to this | view in thread ]
Re: Depends on how you define constructive and destructive.
[ link to this | view in thread ]
Re: Re: Depends on how you define constructive and destructive.
As I said above, lack of imagination is no substitute for correctness.
[ link to this | view in thread ]
Historians must reveal the origins of the Voynich Manuscript.
Mathematicians required to come up with a clear and indisputable proof of the validity of the Continuum Hypothesis.
Physicists must produce the Theory of Everything by noon on Friday.
Universe must explain where that weird hum is coming from. Please. Honestly, where is that damn humming sound coming from!?
[ link to this | view in thread ]
Re: Can a car feed your family
How else will I get that kangaroo home to the cooking-pot?
[ link to this | view in thread ]
NO.
[ link to this | view in thread ]
Re:
The Source.
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re: Re:
CH: Either this or this.
TOE: Maybe this?
Or maybe CH+TOE would be this...
I got myself Thing Explainer for Xmas. Kinda fun, but don't try to enjoy it on a phone. (Instead, enjoy this game.)
[ link to this | view in thread ]
Happy you wrote this; Mad because you think THEY care...
I really, really wanted to read an argument for Criminals and Terrorists, and all the relevant technology they employ in the acts they imagine, create, and then carry out EVERYDAY.
Do you think Hezbollah manufactures the rockets they fire off every now and then. IS does not have an arms factory building them Kalashnikovs.
Threats Levels are truly an arbitrary point now, where it concerns actual threats. Encryption has to be exposed for what it is... A tool 'Ready at Hand' for use in everyday life. I have add-ons, extensions, a Tor browser, and VPNs, but it doesn't mean that I am any more secure.
Governments and their agencies have more access and tools than we can imagine - and some people have very vivid imaginations.
I sat with a former 'Military' Pilot nee Commercial, who explained to me in no uncertain terms that anything I can think of, the "Government is at least twenty years beyond that", although I should think because that is a twenty year old conversation, those gaps have been seriously closed - the public sector pays better, and treats their employees surprisingly well.
What I am saying here, is that the government has everything at its fingertips - all of it, and the "stuff" they don't have, is because it is truly out of everyone's reach. I am, you are, truly out of league if you think you're anonymous, or insecure. Briefly recall that the CELLBRITE only costs ten grand and you get almost everything... imagine what a twenty, fifty, or two-hundred million dollar budget gets you.
I'm just saying. The old ways are lost, but not altogether. I needed an Ambulance Tout de suite; Ive had the same cellphone since 2001; it took them almost twenty minutes to get to me because they couldn't find me. They had absolutely no idea where I was except that I was somewhere in Halifax.
Eventually I made it to the hospital, started breathing again, then got a small lecture on getting my technology updated. I think it works just fine, and I spent a hundred and ten thousand on my education, so I better have a freaking answer if somebody asks me - I do not need google on my cellphone (or Twitter or Facebook or SoundCloud or Spotify or Ello or blah blah blah).
This is what leads me to the assumption that governments are less concerned with encryption, and more concerned with location. Conversations can be had if needed; locations are needed.
Encryption will forevermore be a buzz word. Budgets need it... The 'Old Guard is leaving, and a new, and hopefully smarter, shift is about to punch in - although there is still a huge problem with trying to keep State and Church separate.
[ link to this | view in thread ]
Re: Re: Depends on how you define constructive and destructive.
Other people may different definitions. That you seem to think yours is the only one that matters is telling.
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Other people may different definitions.
Feel free. And then show how your definitions strengthen your case rather than mine.
[ link to this | view in thread ]
Re: Re: Other people may different definitions.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:There are those that consider the use of fossil fuel to be destructive
[ link to this | view in thread ]
[ link to this | view in thread ]