Senators Burr & Feinstein Write Ridiculous Ignorant Op-Ed To Go With Their Ridiculous Ignorant Bill
from the learn-something-people dept
Senators Richard Burr and Dianne Feinstein are not giving up that quickly on their ridiculous and technically ignorant plan to outlaw real encryption. The two have now penned an op-ed in the WSJ that lays out all the same talking points they've laid out before, without adding anything new. Instead, it just continues to make statements that show how incredibly ignorant they are. The piece is called Encryption Without Tears (and may be paywalled, though by now everyone knows how to get around that), which already doesn't make any sense. What they're pushing for is ending basic encryption, which will lead to many, many tears.It starts out with their standard ridiculous line, pretending that because a company builds end-to-end encryption, it's acting "above the law."
In an increasingly digital world, strong encryption of devices is needed to prevent criminal misuse of data. But technological innovation must not mean placing individuals or companies above the law.People have gone over this time and time again: this is not about anyone being "above the law." It's about whether or not companies can be forced to directly undermine the safety and security of their products (and the public). A paper shredder can destroy evidence. A paper shredder maker is not "above the law" when it decides not to build a system for piecing back together the shreds.
And speaking of "above the law" I still don't see Feinstein or Burr commenting on the FBI/DOJ announcing that it will ignore a court order to reveal how it hacked into computers over Tor. That is being above the law. That involves a situation where a court has asked for information that the FBI absolutely has. The FBI is just saying "nope." If Burr and Feinstein are really worried about being "above the law," shouldn't they worry about this situation?
Over the past year the two of us have explored the challenges associated with criminal and terrorist use of encrypted communications. Two examples illustrate why the status quo is unacceptable.I love this. They give two examples that have been rolled out a bunch in the last few weeks. The attack in Garland, Texas, where the attackers supposedly exchanged some messages with potential ISIS people, and the case of Brittney Mills, who was tragically murdered, and whose case hasn't been solved. Mills had her smartphone, but no one can get into it. Of course, it took nearly two years of fretting before law enforcement could dig up these two cases, and neither make a very strong argument for why we need to undermine all encryption.
It's a simple fact that law enforcement never gets to have all of the evidence. In many, many, many criminal scenarios, that's just the reality. People destroy evidence, or law enforcement doesn't find it or law enforcement just doesn't understand it. That's not the end of the world. This is why we have police detectives, who are supposed to piece together whatever evidence they do have and build a picture for a case. Burr and Feinstein are acting like in the past, law enforcement immediately was handed all evidence. That's never been the way it works. Yes, law enforcement doesn't get access to some information. That's how it works.
You don't go and undermine the very basis of computer security just because law enforcement can't find a few pieces of evidence.
Our draft bill wouldn’t impose a one-size-fits-all solution on all covered entities, which include device manufacturers, software developers and electronic-communications services. The proposal doesn’t define the technological solutions or tell businesses how to solve the problem.This is also misleading. The bill requires an end to real encryption. That's it. Real encryption means that only one person has the key. This is what Burr and Feinstein don't seem to get. They seem to think it's trivial to leave a key with Apple or whoever. But as basically every crypto expert has explained, it is not. Doing so creates a vulnerability... and worse, it's a vulnerability that cannot be patched. That's hellishly dangerous. Sure, the bill doesn't tell them exactly how to do this, but it does make it clear: you cannot offer real encryption, you can only offer something that can be hacked. That's a problem.
We want to provide businesses with full discretion to decide how best to design and build systems that maintain data security while at the same time complying with court orders.We want to provide businesses with full discretion to decide how best to travel back in time, in order to prevent crimes.
Seriously: this is basically the same thing that Burr and Feinstein are saying here. They're asking for something that's impossible, and acting like it's a routine suggestion. If they need to comply with these All Writs Act style orders, they cannot build systems that maintain data security. That's a fact. It's mind-boggling that Burr and Feinstein still can't understand this.
Critics in the industry suggest that providing access to encrypted data will weaken their systems. But these same companies, for business purposes, already maintain and have access to vast amounts of encrypted personal information, such as credit-card numbers, bank-account information and purchase histories.Argh. This paragraph shows that whatever poor staffer Burr and Feinstein assigned to write this drivel doesn't understand even the first thing about what he or she is talking about. Storing encrypted passwords, credit card info, bank account info, etc. is a totally different thing. Those are encrypted to keep them safe, and part of the reason they're encrypted is so that even those companies cannot reveal them. This point is making the opposite point of what Burr and Feinstein think. Companies encrypt passwords and credit card info and the like so that they're not storing the plaintext info, and there's no easy way for anyone to get that info. This protects user data, and the companies cannot actually provide the plaintext. They're comparing hashes. That's what keeps it safe.
If we received a court order demanding our users' passwords, we couldn't provide them. Because they're encrypted. We don't know our users' passwords and can't give them to you. When someone logs in to our website, we can compare a hash of their password to our hashed version and then if they match, we let them in. But we don't know what their password is. So this is a terrible example that actually goes against what Burr and Feinstein are saying. Those encrypted stores of information would be illegal under this bill!
We are not asking companies to provide law enforcement with unfettered access to encrypted data. We aren’t even asking companies to tell the government how they gain access to this encrypted data. All we are doing is asking companies to find a way to keep their data secure while also cooperating with law enforcement in terrorism and criminal investigations.Again, that last line is impossible. They're asking the impossible -- and in the process, making everyone less safe. The only way to provide such info to law enforcement is to no longer keep the data truly secure. And the big concern is not unfettered access for law enforcement, but rather whatever this backdoor means for those with malicious intent, who will be very, very, very focused on finding these vulnerabilities and exploiting them.
President Obama said earlier this year, “You cannot take an absolutist view on this.” We agree—and believe that strong data security and compliance with the justice system don’t have to be mutually exclusive.Because you don't know what you're talking about.
American technology companies have done some amazing things that are the envy of the world. We think that finding a way to achieve both goals simultaneously is not beyond their capabilities.So, in the end, despite basically every cryptography expert telling them this is impossible, Burr and Feinstein come back with "NERD HARDER, NERDS!"
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: above the law, dianne feinstein, doj, encryption, fbi, going dark, richard burr
Companies: apple
Reader Comments
The First Word
“Might as well apply this template to other areas too
Doctors are not above the law. When a witness dies, valuable information is irretrievably lost. So we propose a bill that requires doctors to comply with court orders to bring these witnesses back from the dead so they can be questioned. We aren't mandating how this is accomplished, only that they comply with our demands.Subscribe: RSS
View by: Time | Thread
Hashing is not encryption
[ link to this | view in chronology ]
Re: Yes it is (in their view)
If you don't provide them with a 'key' to un-ROT13 the encrypted data, then they can throw you in jail until you do.
[ link to this | view in chronology ]
Re: Hashing is not encryption
I've never heard of 'generates and saves key' to be a required step for something to be encrypted. You apparently have though -- where did you hear it?
[ link to this | view in chronology ]
Re: Re: Hashing is not encryption
As for where I heard it, it's common knowledge among people who work in this area. Simply Googling "difference between hashing and encryption" turns up plenty of useful references.
[ link to this | view in chronology ]
Re: Hashing is not encryption
But the proposals would outlaw it just the same.
[ link to this | view in chronology ]
Banning strong encryption is the same as banning private conversations.
[ link to this | view in chronology ]
Re:
The specific that they are throwing fits about at the moment is encryption, but the general idea that they are so opposed to seems to be privacy itself, the idea that someone may say or write or receive something and that information might not available for those in authority to listen to or read.
[ link to this | view in chronology ]
Re:
OMG! You just revealed a huge problem that could prevent the FBI from being able to prosecute crimes discussed in private! Think of the children!
The bill must be immediately improved to correct this oversight.
Thank you!
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
This is the VERY same reason MMO's/other services say regularly "If you receive an email requesting your password for verification, it is a scam" that hits every so often/regularly, it's BECAUSE they CANNOT verify it themselves, and this has been going on since the mid-90's.
so... ya... those who drafted and wrote this up have absolutely NO idea how the internet works.
[ link to this | view in chronology ]
Nerds reply: make a waterfall flow in reverse and we will try. Without consulting Shiryu. Or Poseidon.
[ link to this | view in chronology ]
POLITICIAN HARDER POLITICIANS!
For example, balance the country's budget in a way that makes everyone happy.
I'm sure if you all just politician the hell out of it, you can do it.
Get that done then come talk to us about the stuff you don't understand.
[ link to this | view in chronology ]
Re: POLITICIAN HARDER POLITICIANS!
[ link to this | view in chronology ]
The stupidity
[ link to this | view in chronology ]
Re: The stupidity
Hopefully it will soon go the way of Evolution is only a theory.
The anti-nerd sentiment within our civic sectors is conspicuous, though I don't know if that's from 70s era academy culture or more general anti-intellectualism, which reoccurs whenever political discourse within a society gets too demagogy-esque. (e.g. Genocide more scapegoat minorities!) People don't like the more deliberate folk going Um...that doesn't sound like a very good idea.
Really they just want us brainy types to shut up and make them some better, faster, boomier nukes so they can blow each other to kingdom come.
[ link to this | view in chronology ]
Re: Re: The stupidity
Actually I think it's more like bill #246 of the 1897 sitting of the Indiana General Assembly
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: reality
[ link to this | view in chronology ]
Banks are a big user of encryption
[ link to this | view in chronology ]
Re: Banks are a big user of encryption
All business require encryption for their accountancy, not just banks. Then there's company data and company secrets all of which can be problematic in the hands of rivals.
Your local corner store needs encryption for money management. Anything bigger needs a lot of encryption for data security.
[ link to this | view in chronology ]
Re: Banks are a big user of encryption
The hardest part of building absolutely anything is knowing if it is possible or not. Building a hacking tool to break through security you know nothing about, not even whether it has any exploitable weaknesses, is really damned hard outside of a Hollywood action movie -- hard enough to be a daunting task even for the NSA. But if you know a flaw exists? It WILL be found, and probably not by the good guys (assuming government == good guys, they wouldn't even go looking, they already have a key).
For such a key to be useful, it would need to be a master key -- unlocking not just one lock, but all the locks the company makes. So once the bad guys crack into the system, it's game over for everyone using that system.
Last time I checked, the federal government didn't make its own encryption that it uses for national security purposes in house that often -- this bill, as written, would mandate security flaws in those systems as well.
[ link to this | view in chronology ]
Might as well apply this template to other areas too
[ link to this | view in chronology ]
Re: Might as well apply this template to other areas too
[ link to this | view in chronology ]
Re: Re: Might as well apply this template to other areas too
And if they "refuse" (wink wink, nod nod) we'll just put them in jail until they comply.
[ link to this | view in chronology ]
Quantum encryption will save them.
Just like Schrödinger's cat, the data will be both encrypted and plaintext at the same time.
If presented with the owner's key or law enforcement's warrant the quantum encryption wave function will collapse into plaintext. For everyone else (especially the bad guys) the wave function will collapse into a state of encrypted data.
So, Senators Richard Burr and Dianne Feinstein are right. As soon as we get our brightest minds to develop this special blend of mathematics, quantum physics, and computer science everyone will be both safe and private.
[ /sarc ]
[ link to this | view in chronology ]
We can save the step.
Criminal data is left in plaintext for all to see.
So if it's encrypted you know it's legal.
Oh and in the meantime, we should make bullets that only kill bad people.
[ link to this | view in chronology ]
Re: We can save the step.
As God Himself said: there will be miracles if you believe! You can also wish upon a star. Guaranteed.
Or was it Disney?
[ link to this | view in chronology ]
Re: We can save the step.
So, who defines the term "bad people"? what sorts of people would be on the list? Pedophiles, terrorists, and politicians?
[ link to this | view in chronology ]
You're catching on.
[ link to this | view in chronology ]
Re: We can save the step.
[ link to this | view in chronology ]
Re: Quantum encryption will save them.
[ link to this | view in chronology ]
Criminal Court Evidence Standards
This is one reason why courts operate on the evidence standard of 'beyond a reasonable doubt' -- prosecutors CANNOT prove guilt to the 'without doubt' standard because they've never had that amount of proof before.
And yet, they have rarely had problems convicting people, even when those people were later exonerated of the charges.
If the government requires that they be allowed to know all of the information, we the people must require that they must present evidence beyond any doubt to get a conviction in court -- after all, in the current privacy-rich environment, any competent prosecutor can get a grand jury to indict a ham sandwich. What will they be able to do when privacy no longer exists?
When they are able to meet the goal of 'beyond any doubt' evidence due to how much information they are able to gather on anyone they choose, then if the person is truly guilty, they really ought to be able to do it in order to convict that person.
[ link to this | view in chronology ]
If you don't want absolutes, then go play with differential calculus. _That's_ the kind of math that deals with fuzzy things.
Of course, we could always be stupidly wrong in the most ostentatious way about both sides of math--just add a rider to define "pi" equal to "4".
[ link to this | view in chronology ]
This "people let Google have personal information, so it's okay for the government to get people's personal information" argument is not only idiotic, it is offensive. It is precisely equivalent to "that stuck-up bitch has no business complaining that I pinched her butt when she goes out in public dressed like that".
[ link to this | view in chronology ]
Well, that wouldn't be a problem any more, since Burr-Feinstein would prohibit hashes, lossy compression, etc.
[ link to this | view in chronology ]
Let's get started
I believe we should first start with the Banking industry. I can't think of a better place to start implementing a mandatory back door to encryption. We all know terrorists and pedofiles need and use money. That's a no-brainer we should move on the financial districts immediately.
Also, I want the encryption key to Feinsteins phone because I'm sure that bitch has nothing to hide, no back room deals or quid pro quo relationships in play.
[ link to this | view in chronology ]
Re: Let's get started
[ link to this | view in chronology ]
Re: Re: Let's get started
He bought a small game hunting rifle that had purely cosmetic features that made it resemble a military rifle. A rifle that is illegal to use on human-size animals because it is so unlikely to kill them that using it on them constitutes animal cruelty.
If purely cosmetic looks can turn a weak hunting rifle into a high performance military weapon, then you really ought to be able to win a NASCAR race on your bicycle by covering it with sponsor stickers.
[ link to this | view in chronology ]
https://www.youtube.com/watch?v=BKorP55Aqvg
[ link to this | view in chronology ]
"Now I'm not an expert, or even have any knowledge in the field but..."
'Meanwhile Burr and Feinstien were heard insisting that mathematicians can make two plus two equal five if they just tried harder, doctors could make people immortal if they just put their backs into it, and architects could make gravity defying housing if they just cared enough to attempt to do so.
Experts in the fields listed were unavailable for comment, having face-palmed so hard as to knock themselves unconscious, with the mathematician suffering a broken nose.'
[ link to this | view in chronology ]
Unicorns and perpetual motion machines
FTFY: "The proposal doesn't define how to conjure up a unicorn or tell business how to make a perpetual motion machine"
[ link to this | view in chronology ]
It's hard to determine where their arrogance stops and their ignorance begins. Though, I suppose, the mistake is in thinking there are boundaries to either...
BTW, since any propose law will punish failure to provide the backdoor but not punish insufficiently strong security, you can guess where the compromises will come, if this nightmare passes.
[ link to this | view in chronology ]
This was demonstrated when she was pushing to make drones a legal way to spy on the public. One protest group flew a drone to the window of her personal residence. Suddenly she could get to the news fast enough to protest her personal privacy being invaded. Good for the peons but not good for the overlords was the basic theme.
Another came up with the issue of Congress critters themselves being subject to having their phone calls monitored and I strongly suspect this was the driving reason behind why the House passed the newest email protection bill is to prevent these same security agencies from having a carte blanc to spying without any checks whatever on who they do it to without a warrant. It just so happened in the process of preventing the spying on their own personal uses that the public benefited.
On the whole each and every time this sort of thing is attempted to be justified it is because they are attempting to throw the Constitution out the window and want a convenient way around it.
Now if Feinstein, Burr, and the rest of the Intelligence Oversight Committee, were actually doing their jobs, I don't think I'd have much trouble with their recommendations. So far it just looks like the usual, which is both parties are corrupt. Face it, spying on the average public has nothing to do with terrorism or even law enforcement. It has everything to do with the fear they've already went too far and want an early warning system in place to catch potential grass roots protesters that can and eventually will object to their methods.
As it is these spying agencies already have an information overload and can't do the job they are claiming they are to do. It is only after the fact, when they have names, places, and methods of contact that they can find the perpetrators. It's never before, only after the fact. It helped not at all in Boston, nor in Paris, despite both countries being able to spy. Encryption breaking won't help either. The smart ones will just communicate face to face.
[ link to this | view in chronology ]
Re:
Yes, the woman who insists that guns have no legitimate use, that they exist solely to commit murders and are useless for any other purpose owned and carried a gun for self defense purposes.
When called on it, she got rid of it. But it's worth noting that her security detail IS still armed with items that are useless for defending people and can only be used to murder innocents. Or at least, that's what she claims about them regularly anyway.
[ link to this | view in chronology ]
Of course, it's unreasonable to expect someone, especially a politician, to understand the intricate details of every issue. Nevertheless, we are supposed to trust them to get up to speed on the issues in front of them and to have staff who can provide them with sound advice when the issue is beyond their grasp. But, it's clear they haven't done either. How could these Senators, with the resources at their disposal, have never asked someone competent whether what they are proposing is technologically and practically realistic? Do they just not care?
Politicians often have a "magic faerie dust" view of the way legislation interacts with the world. They think that writing a law somehow rewrites reality, making the stated intent of the law happen and, if necessary, making the impossible possible. On the flip side of the coin, when some system works well, they assume it must be because good legislation made it happen.
[ link to this | view in chronology ]
Re:
Actually this is the worst one. Politicians only occasionally interact with the other disciplines but they are involved with economics all the time. In fact they are pretty much in charge in the economic sphere in a way that they aren't elsewhere.
[ link to this | view in chronology ]
Ridiculous
And just on a more philosophical level, it find it offensive that the government in a supposedly free society is essentially announcing as a matter of fundamental policy that one citizen has no right to communicate with another citizen in any manner that is un-eavesdropable (yes, I made up a word there) by government surveillors.
[ link to this | view in chronology ]
Re: "But technological innovation must not mean placing individuals or companies above the law."
[ link to this | view in chronology ]
[ link to this | view in chronology ]
They want to make OPM the norm
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Senators Burr & Feinstein encription liability?
Also, will the company even be able to get insurance against a hack?
[ link to this | view in chronology ]
Re: Senators Burr & Feinstein encription liability?
Unless Burr & Feinstein write some sort of liability shield into their bill, any company that complies with it would likely be out of business shortly after the black hats crack the backdoor. They'd go bankrupt trying to defend against all the lawsuits.
[ link to this | view in chronology ]
Government: "It's their fault, take it up with them. " Company: "No, it's their fault, take it up with them."
They'd continue pointing fingers, wasting time and stalling trying to blame the other person, and any potential lawsuit would go nowhere as a result.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
When will the tech overlords...?
Support the heck out of these idiots competition and see how they like it.
[ link to this | view in chronology ]
Re: When will the tech overlords...?
[ link to this | view in chronology ]
...32 years later...
[ link to this | view in chronology ]
Idiocracy in the Making
https://s-media-cache-ak0.pinimg.com/236x/6c/e5/68/6ce568bbbd6087fcff93a52500312120.jpg
[ link to this | view in chronology ]
Re: Idiocracy in the Making
[ link to this | view in chronology ]
"Experts claim that 2+2 will always equal 4, but let's not take an absolutist view of the matter..."
As such there is no 'middle ground', no 'compromise' available, those that are calling for deliberately installing or requiring security flaws are wrong and demanding the impossible, while those that are calling for strong security without deliberately created flaws are right and understand what can and can not be done.
[ link to this | view in chronology ]
Thus this bill isn't intended to block the actual use of crypto by "bad people", most of which aren't even in American jurisdiction.
Who will this bill actually affect? US businesses and US citizens. As the mythical "terrorists" cannot be the target, why is Feinstein trying to undermine domestic business and ruin our ability to export modern technology?
[ link to this | view in chronology ]