DOJ Continues Its Push For Encryption Backdoors With Even Worse Arguments
from the let-us-save-you-from-your-security dept
Early last week, the Deputy Attorney General (Rod Rosenstein) picked up the recently-departed James Comey's Torch of Encroaching Darkness +1 and delivered one of the worst speeches against encryption ever delivered outside of the UK.
Rosenstein apparently has decided UK government officials shouldn't have a monopoly on horrendous anti-encryption arguments. Saddling up his one-trick pony, the DAG dumped out a whole lot of nonsensical words in front of a slightly more receptive audience. Speaking at the Global Cyber Security Summit in London, Rosenstein continued his crusade against encryption using counterintuitive arguments.
After name-dropping his newly-minted term -- responsible encryption™ -- Rosenstein stepped back to assess the overall cybersecurity situation. In short, it is awful. Worse, perhaps, than Rosenstein's own arguments. Between the inadvertently NSA-backed WannaCry ransomware, the Kehlios botnet, dozens of ill-mannered state actors, and everything else happening seemingly all at once, the world's computer users could obviously use all the security they can get.
Encryption is key to security. Rosenstein agrees… up to a point. He wants better security for everyone, unless those everyones are targeted by search warrants. Then they have too much encryption.
Encryption is essential. It is a foundational element of data security and authentication. It is central to the growth and flourishing of the digital economy. We in law enforcement have no desire to undermine encryption.
But “warrant-proof” encryption poses a serious problem.
Well, you can't really have both secure encryption and law enforcement-friendly encryption. Rosenstein knows this just as surely as Comey knew it. That didn't stop Comey from pretending it was all about tech company recalcitrance. The same goes for Rosenstein who, early on in his speech, plays a shitty version of Sympathy for the Tech Devil by using the phrase "competitive forces" as a stand-in for "profit seeking" when speaking about the uptick in default encryption.
The underlying message of his last speech was that American tech companies should spurn profits for helping out the government by unwrapping one end of end-to-end encryption. The same pitch is made here, softened slightly in the lede thanks to the presence of UK tech companies in the audience. The language may be less divisive, but the arguments are no less stupid this time around.
In the United States, when crime is afoot, impartial judges are responsible for balancing a citizen’s reasonable expectation of privacy against the interests of law enforcement. The law recognizes that legitimate law enforcement needs can outweigh personal privacy concerns. That is how we obtain search warrants for homes and court orders to require witnesses to testify.
Warrant-proof encryption overrides our ability to balance privacy and security. Our society has never had a system where evidence of criminal wrongdoing was impervious to detection by officers acting with a court-authorized warrant. But that is the world that technology companies are creating.
I'm not sure what this "system" is Rosenstein speaks about, but there has always been evidence that's eluded the grasp of law enforcement. Prior to common telephone use, people still communicated criminal plans but no one insisted citizens hold every conversation within earshot of law enforcement. Even in a digital world, evidence production isn't guaranteed, even when encryption isn't a factor.
Going on from there, the rest of speech is pretty much identical to his earlier one. In other words: really, really bad and really, really wrong.
Rosenstein believes the government should be able to place its finger on the privacy/security scale without being questioned or stymied by lowly citizens or private companies. Even if he's right about that (he isn't), he's wrong about the balance. This isn't privacy vs. security. This is security vs. insecurity. For a speech so front-loaded with tales of security breaches and malicious hacking, the back end is nothing more than bad arguments for weakened encryption -- something the government may benefit from, but will do nothing to protect people from malicious hackers or malicious governments.
All the complaints about a skewed balance are being presented by an entity that's hardly a victim. Electronic devices -- particularly cellphones -- generate an enormous amount of data that's not locked behind encryption. The government can -- without a warrant -- track your movements, either post-facto, or with some creative paperwork, in real time. Tons of other "smart" devices are generating a wealth of records only a third party and a subpoena away. And that's just the things citizens own. This says nothing about the wealth of surveillance options already deployed by the government and those waiting in the wings for the next sell off of civil liberties
It also should be noted Rosenstein is trying to make "responsible encryption" a thing. He obviously wants the word "backdoor" erased from the debate. While it's tempting to sympathize with Rosenstein's desire to take a loaded word out of the encryption debate lexicon, the one he's replacing it with is worse. As Rob Graham at Errata Security points out, the new term is loaded language itself, especially when attached to Rosenstein's bullshit metric: "measuring success in prevented crimes and saved lives."
I feel for Rosenstein, because the term "backdoor" does have a pejorative connotation, which can be considered unfair. But that's like saying the word "murder" is a pejorative term for killing people, or "torture" is a pejorative term for torture. The bad connotation exists because we don't like government surveillance. I mean, honestly calling this feature "government surveillance feature" is likewise pejorative, and likewise exactly what it is that we are talking about.
Then there's the problem with Rosenstein deploying rhetorical dodges in his discussions about encryption, which presumably include a number of government officials. Alex Gaynor, who worked for the United States Digital Service and participated in the Obama Administration's discussion of potential encryption backdoors, points out Rosenstein's abuse of his position.
Mr. Rosenstein plainly wants to reopen the "going dark" debate that began under the previously administration, spearheaded by FBI Director Jim Comey. While I disagree vehemently with him, it's a valid policy position - and I have every reason to believe him that there are investigations in which encryption does hamper the Justice Department and FBI's ability to investigate. However, he is not entitled to mislead the public in order to make that point. And make no mistake. Attempting to use the spectre of familiar computer security challenges in order to make the argument that his policy is necessary, even though his policy has nothing to do with these challenges, is the height of intellectual dishonesty.
There's an endgame to Rosenstein's dishonest rhetoric. And it won't be tech companies being guilted into participating in his "responsible encryption" charade. It will be backdoors. And they will be legislated.
The Deputy Attorney General says that he is interested in "frank discussion". However, his actual remarks demonstrate he is interested in anything but -- his goal is to secure legislation akin to CALEA for your cellphone, and he doesn't care who he has to mislead to accomplish this. Mr. Deputy Attorney General, I expect better.
This is what the DOJ wants. But Rosenstein is too weak-willed to say it out loud. So he spouts this contradictory, misleading, wholly asinine garbage to whatever audience will have him. Rosenstein is obtuse enough to be dangerous. Fortunately, most legislators (so far) seem unwilling to sacrifice the security of citizens on the altar of lawful access.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: backdoors, doj, going dark, james comey, nerd harder, responsible encryption, rod rosenstein
Reader Comments
Subscribe: RSS
View by: Time | Thread
No need to pull punches
But Rosenstein is too weak-willed to say it out loud.
No, he's too dishonest.
Were he honest he'd flat out admit that he is against any form of encryption that he can't break on demand, in other words any encryption that works.
He would admit that he knows that broken encryption would be an absolute gold-mine to the very criminals he claims to want to stop, but that he considers that a price he's willing to have the public pay. That he considers the harm that will result from weakening encryption an acceptable trade for any gains he might achieve.
He would stop trying to blame the companies for fighting to keep the 'responsible (read: working) encryption' they have in place, stop trying to make them out to be holding their ground purely for monetary purposes while the poor, beleaguered government only wants broken encryption for the very best of purposes.
It's not a 'weak will' that keeps him from admitting to these things, it's a lack of honesty and a clear willingness to lie and mislead if it achieves his aims.
[ link to this | view in chronology ]
Re: No need to pull punches
but but... We gotta stop those criminals from selling weed!
[ link to this | view in chronology ]
Responsible encryption would be great
Actually, this idea is not so new. Many people have been discussing this for a quite a while, most notably folks like Bruce Schneier. There are responsible ways to implement encryption, and the notion that this term is being hijacked to mean exactly the opposite of what it currently means is a bit frightening. Changing the meaning of important terms is the modus operandi of important people who want to openly lie and deceive.
[ link to this | view in chronology ]
Can someone give me an example???
Oh wait... it doesn't exist? Hmmm... fancy that.
Side Note: Just today there was another example of RSA encryption falling apart on public key generation since 2012 that opened up vulnerabilities. Some of the most talented people in the world are working on this stuff and they still aren't perfect 100% of the time when guarding one door. Good luck guarding a second (or 3rd, 4th, and 5th once other countries demand the same).
[ link to this | view in chronology ]
Re: Can someone give me an example???
So if Rosenstein (or anybody else) want to persuade us to take them seriously, then they need to put a reference implementation of their proposed cryptographic standard on the table for study and discussion.
Put up or shut up.
[ link to this | view in chronology ]
CALEA
"In the years since CALEA was passed it has been greatly expanded to include all VoIP and broadband Internet traffic. From 2004 to 2007 there was a 62 percent growth in the number of wiretaps performed under CALEA – and more than 3,000 percent growth in interception of Internet data such as email."
just another, earlier example of mission creep.
[ link to this | view in chronology ]
Re: CALEA
CALEA for VoIP hardly seems necessary. VoIP providers rarely mention anything about security, probably because most of them don't encrypt at all—even though "VOIP calls are vulnerable to a variety of threats that traditional telephone calls are not." (Some of them send call detail records in plaintext email too.)
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
Non Sequitur.
There is no requirement to pilfer thru everyone's stuff on some sort of highfalutin fishing expedition - but there is a requirement to keep the government "honest" ... (smirk)
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
I have a deal to offer the DOJ.
You can have “responsible encryption” when you prove you can be “responsible” with it.
[ link to this | view in chronology ]
Re:
It's not just the DOJ. It's every other government agency in every other country that will demand the backdoor. And make no mistake; it the US government has a backdoor, other governments will demand it too.
Consider the Stinger cell phone mass surveillance devices, intended for intelligence and anti-terrorism work. Now more than a dozen federal agencies have them. And many state and local police forces in the US in Canada, Britain and elsewhere. There's a large list of private companies who will sell them to any totalitarian government who wants them.
You won't just have to trust the DOJ; you'll have to trust ALL of the other agencies in ALL the other countries to keep that backdoor password a secret.
[ link to this | view in chronology ]
Re:
Clever, but impossible as there is no such thing.
[ link to this | view in chronology ]
That's about as unobtainable as an educated, integer politician.
[ link to this | view in chronology ]
Re: integer politician
You are looking in the wrong places, in northern Europe they are not that hard to find...
[ link to this | view in chronology ]
Here's a thought
Of course, when it fails, they'll say it wasn't done "right" but it was done exactly how they asked it to be done. They got what they wanted, but didn't like the results. Imagine that...
[ link to this | view in chronology ]
Backdoors
I feel safer already...
[ link to this | view in chronology ]
Encryption and Computers
The expert that said he wanted his GPG crypto system to be able to *forget*, or at least disavow some of his youthful indiscretions had a point.
[ link to this | view in chronology ]
Poor Security from the Government
I agree that responsible encryption is important. The responsibility is to thwart attack. The problem is that being blind to traffic is not the biggest threat to the government, it is penetration.
If they expect that can work to a state where they can view all traffic, those days have gone. They need to focus on penetration and hardening and help companies, state and local governments, and citizens to harden openings in their communications such as firewalls, tunnels, and encryption as well as secure ways to harden accessing of those communications such as sandboxing and process filtering so that penetration isn't compromised by receipt of communications.
That is the government's responsibility to the country, whatever country it may be. Ours isn't doing very well.
It just allowed its key system to be compromised with the Equifax hack of the security through obscurity SSN method of identification. How long is that going to take to remediate
vs. Esontia?
If the US government feels the need to get with business to talk about encryption, it should always keep an eye to ensuring it is unbreakable and public. Public scrutiny is important for rooting out flaws.
[ link to this | view in chronology ]
Re: Poor Security from the Government
No such thing.
[ link to this | view in chronology ]
"responsible" defn
Oops! Got the wrong word...
[ link to this | view in chronology ]
I'll be in your base killing your dudes
Meanwhile, the rest of the world—which last I checked the US still does not control—will continue to use the real thing. So the US would essentially be putting themselves at a huge disadvantage.
SMH
[ link to this | view in chronology ]
Reporter: How long until Rod Rosenstein cites Denuvo as an example of responsible, unbreakable encryption?
Gamer: Go away.
[ link to this | view in chronology ]
Larger issue
USA citizens live in a country where anything that is not forbidden by law is legal. We do not live in a country where we may only act in ways the law prescribes. This is so fundamental to the values of our country that no one who believes otherwise should be allowed to hold the post of deputy attoney general.
[ link to this | view in chronology ]
Re: Larger issue
[ link to this | view in chronology ]
Just mandate the use of the Infineon libraries...
Oh, wait..
https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-millions-of-high-secu rity-keys-750k-estonian-ids/
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Oh, it fits.
But that does not preclude you from getting a budget for it. Putting a round peg in a square hole just requires a big enough hydraulic press. Of course, afterwards neither the peg will be round nor the hole will be square. But that does not preclude you from writing a success report.
[ link to this | view in chronology ]
After all, if the criminals can't get in then there would be no need, and when money is involved you can bet there will be disingenuous arguments to keep the flow going...
[ link to this | view in chronology ]
Re: Where to put the money
That is, research into how to make things like stuxnet impossible by design by bounding the behavior of software.
Right now, God only knows where *else* this comment went besides just Techdirt!
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
You are being redundant.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Maybe the future U.S. will be gentler -- maybe they'll just require all of us to have "stun chip" implants, so our betters can press a button and stop us in our tracks if we become inconvenient.
[ link to this | view in chronology ]
Our government is on a similar track with backdoors. Give a mathematician, computer scientist or other tech a week to come up with a backdoor, and should the individual fail, execute him. Perhaps one will eventually find a backdoor that only lets nice people in.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
responsible encryption™
undocumented worker
I love these word games... what? you hate it when they are used against you?
[ link to this | view in chronology ]
Wrong
[ link to this | view in chronology ]
There are no such things...
as impartial judges or, for that matter legitimate law enforcement needs.
Even government agencies openly abuse their access to private data. And then they fail to secure that data from outside hackers.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Trust Me Not
DOJ Continues Its Push For Encryption Backdoors With Even Worse Arguments
Is this the same US government that can't even keep the data it has already been entrusted with secure?
U.S. Office of Personnel Management in June 2015 with 21.5 million person data exposed for potential exploit.
https://www.wired.com/2016/10/inside-cyberattack-shocked-us-government/
U.S. Department of Veteran Affairs in May 2006 with 26.5 million veterans data exposed.
https://identity.utexas.edu/veterans-and-active-service-personnel/the-veterans-affairs-data -breach-of-2006
National Archives and Records Administration in October 2009 with 76 million persons data potentially exposed.
https://www.forbes.com/2009/11/24/security-hackers-data-technology-cio-network-breaches.htm l
U.S. Voter Database December 2015 with 191 million persons data potentially exposed
http://uk.reuters.com/article/us-usa-voters-breach/database-of-191-million-u-s-voters-exposed-on-in ternet-researcher-idUKKBN0UB1E020151229
Or the same US government (boondoggles R' US) that is repeatedly exploited every time it contracts building a new network or data base.
Social Security spent $300M on 'IT boondoggle'
http://www.foxnews.com/politics/2014/07/23/social-security-spent-300m-on-it-boondoggle.html
The FBI's Upgrade That Wasn't
http://www.washingtonpost.com/wp-dyn/content/article/2006/08/17/AR2006081701485.html
IRS spends millions to upgrade to outdated version of Windows
http://www.washingtontimes.com/news/2015/oct/15/golden-hammer-irs-spends-millions-to-upgrade -to-ob/
[ link to this | view in chronology ]
The only argument that shuts these guys up is this:
and network-related technology "made in U.S.A."will dry up.
Everybody, Americans included, will shop elsewhere for tech.
That's trillions of dollars in new trade deficits, hundreds
of billions in lost profits to tech industries and tens of
billions in lost taxes every year until a new administration
undoes the damage and stops the bleeding.
Arguing about security and rights of the American people has
no effect on these clowns because they hold the public in
contempt, and always will. Show them what effect their dumb-
ass meddling will do to their billionaire friends and corporate
backers and they'll quietly let the issue die off without ever
having to admit why it was a stupid idea to start with.
[Yes, I've said it before; and I'll say it again every time. ;]
[ link to this | view in chronology ]