DOJ Back To Pushing For Legislation Targeting Encryption
from the CLIPPER-CHIP-2K18 dept
The New York Times is reporting that the War on Encryption continues, with a renewed push for legislation the Justice Department couldn't talk Obama into.
Federal law enforcement officials are renewing a push for a legal mandate that tech companies build tools into smartphones and other devices that would allow access to encrypted data in criminal investigations.
F.B.I. and Justice Department officials have been quietly meeting with security researchers who have been working on approaches to provide such “extraordinary access” to encrypted devices, according to people familiar with the talks.
[...]
Against that backdrop, law enforcement officials have revived talks inside the executive branch over whether to ask Congress to enact legislation mandating the access mechanisms.
FBI Director Chris Wray still has yet to hand over his list of agreeable security experts to Sen. Ron Wyden. Wray continues to assert there's a way to solve the "going dark" problem that won't involve making device encryption less secure, but every suggestion he offers involves making device encryption less secure. There are a few techies looking for solutions, and that small group may be who Wray believes can talk legislators into prepping a mandated access bill.
A National Academy of Sciences committee completed an 18-month study of the encryption debate, publishing a report last month. While it largely described challenges to solving the problem, one section cited presentations by several technologists who are developing potential approaches.
They included Ray Ozzie, a former chief software architect at Microsoft; Stefan Savage, a computer science professor at the University of California, San Diego; and Ernie Brickell, a former chief security officer at Intel.
The solutions presented by this group are more of the same: key escrow, weakened encryption, or technological assistance mandates. None of these work out particularly well for customers, as each option provides additional attack vectors for criminals, not just law enforcement. So, even if Wray hopes to rely on more sympathetic tech experts, he's still going to run into the same facts: you cannot provide access to law enforcement without increasing the chance of access by criminals and state-sponsored hackers.
It appears the DOJ isn't interested in letting the perfect be the enemy of the good. And why should it? It won't be affected by mandated access and/or weakened encryption. Those affected most will be members of the general public, and they simply don't matter when the FBI's agitating for destroying the encryption the public relies on to keep their devices and communications secure.
[O]ne Justice Department official familiar with the deliberations contended that it might not be necessary to come up with a foolproof system, arguing that a solution that would work for ordinary, less-savvy criminals was still worth pursuing.
Take a long look at that statement. This is the DOJ saying it's willing to sacrifice the security of millions of Americans to make sure it can round up the nation's least intelligent criminals. This isn't a balance anyone outside of the FBI's inner circle will be happy with. Wray and others routinely claim encryption is preventing them from solving serious crimes and hunting down dangerous criminals, but when all is said and done, it will apparently be satisfied locking up the most inept suspects.
Filed Under: backdoors, doj, encryption, fbi, going dark, legislation, responsible encryption
Reader Comments
Eat your own cooking
[ link to this | view in thread ]
Stallman would be proud
[ link to this | view in thread ]
Well he's at least HONESTLY a blatant threat to the public
[O]ne Justice Department official familiar with the deliberations contended that it might not be necessary to come up with a foolproof system, arguing that a solution that would work for ordinary, less-savvy criminals was still worth pursuing.
'We're willing to undermine the protections that hundreds of millions depend on if it means it will be easier to go after the inept criminals who are so stupid that they would have been caught anyway.'
You'd be hard pressed to find a better demonstration that those pushing for broken encryption are willing to throw millions of people to criminals of all stripes than this little admission. They're willing to betray the public on a national scale if it means they have to do slightly less work.
This obsession with giving criminals the biggest gift ever has been a dangerously stupid obsession for some from the get-go, but it's statements like this that show just how low they are willing to sink, how little they care for anyone but themselves.
[ link to this | view in thread ]
What is the point- commercial tools are available and affordable
Media report that GrayKey offers a box that will crack an unlimited number of iPhones for $30,000. If they'd rather pay on a case-by-case basis: "police usually spend about $1,500 on each device unlocked by Cellebrite."
http://www.zdnet.com/article/graykey-box-promises-to-unlock-iphones-for-police/
[ link to this | view in thread ]
Second verse, same as the first...
https://en.wikipedia.org/wiki/Clipper_chip
Yeah, that didn't work out well back then. Spoiler alert: it still won't work out well.
[ link to this | view in thread ]
Fresh off its win with SESTA...
[ link to this | view in thread ]
Really, how secure can a system be when you're basing it upon a unicorn and wishes algorithm?
[ link to this | view in thread ]
"satisfied locking up the most inept suspects."
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
I think you've misinterpreted the statement.
They're not looking for a system that only catches the dumbest of criminals. They're looking for a system that can't be broken by the dumbest of criminals.
[ link to this | view in thread ]
Re: Re:
Intel-SA-00086
[ link to this | view in thread ]
Poster Child
U.S. Department of Justice - Office of the Inspector General: “A Special Inquiry Regarding the Accuracy of FBI Statements Concerning its Capabilities to Exploit an iPhone Seized During the San Bernardino Terror Attack Investigation” (March 2018)
[ link to this | view in thread ]
Re:
Intelligent Lawmaker: If you don't know what is on the devices, how can you know that some law was broken?
FBI: Why else would they use them?
Intelligent Lawmaker: Well, you use them.
FBI: Well, that's why we call our employees 'special' agents.
[ link to this | view in thread ]
Re: I think you've misinterpreted the statement.
[ link to this | view in thread ]
Re: Re:
FBI: That's why our agents, cops and DHS agents need to be able to examine the devices whenever they stop someone because they just know the person is breaking some law.
[ link to this | view in thread ]
minimal impact
VeraCrypt and CipherShed are such examples. If the government slips in some kind of backdoor, the community of programmers will notice and remove or not compile that variation. And if the government comes after them, move to Belize like RedFox did.
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
The DOJ IS affected....
I can think of a number of ways the DOJ will be affected by mandated insecurity.
First off, good luck for them to try and buy consumer hardware that doesn't have this implemented. This means that anyone who gains control of the access control system will have full access to DOJ equipment as well.
Second off, once this goes down, expect to see the caseload for the DOJ skyrocket as criminals take advantage of the holes the DOJ punched in security. And those criminals will likely mostly be outside the US, which means after spending countless man hours to hunt them down, the DOJ will be powerless to prosecute.
Although I guess you could argue that this is the FBI's problem, not the DOJ's problem.
[ link to this | view in thread ]
Re: I think you've misinterpreted the statement.
[ link to this | view in thread ]
Postcards (and software) from Belize
So anyone who is savvy about this is going to either install a foreign-made or open source unhobbled crypto system on their phone right after purchase, or just look for foreign versions of the phone. For business devices, it will become an expected expense.
And everyone else, hackers will arrange, will have Goatse as their homepage background while their phone burns cycles and power as a botnet zombie DDOSing the establishment.
Which means everyone will eventually swap their crypto out on first purchase, the way we used to buy an anti-virus package for our new computer.
How marvelously cyberpunk!
[ link to this | view in thread ]
Re: Re: I think you've misinterpreted the statement.
Indeed. The real meaning of
is so the justice department can say that the broken encryption isn't broken since that criminal mouth breather over there "can't break into the device using the approved encryption, therefore the approved encryption is 'secure enough' for any law abiding individual."
[ link to this | view in thread ]
FreeEmailEncryption.coM - the Most powerful on earth
FreeEmailEncryption.com
but accessing them is quite troublesome for the 'less savvy'
[ link to this | view in thread ]
Re: FreeEmailEncryption.coM - the Most powerful on earth
they be very cool,
either it displays a blank site or slimmed down tiny version or the supreme power crypto
[ link to this | view in thread ]
If cellphone encryption is too strong,
No stooges, no manufactured crimes, don't need FBI!
[ link to this | view in thread ]
Re: Stallman would be proud
[ link to this | view in thread ]
That's a feature, not a bug
Second off, once this goes down, expect to see the caseload for the DOJ skyrocket as criminals take advantage of the holes the DOJ punched in security. And those criminals will likely mostly be outside the US, which means after spending countless man hours to hunt them down, the DOJ will be powerless to prosecute.
'Would you look at that, there's been an absolute explosion in crime for some mysterious reason, and our current laws are keeping those evil criminals safe from our reach. Clearly our budget needs to be drastically increased, and the law rewritten, or new laws added, that will give us power and authority we need to catch those dastardly fiends.'
[ link to this | view in thread ]
It's good to want things.
The thing is businesses depend on information security to exist, even your local hipster bike cafe. If they mandated hobbled crypto, they'd essentially either make it impossible to do business in the US, or force businesses to find loopholes by which they can retain impenetrable information locks.
This is one of the things that happens with stupid laws: they don't take. So many people will decide to just break the law that it becomes impossible to enforce.
[ link to this | view in thread ]
Same Old Song
The DoJ has never given a shit about the welfare, security or otherwise, of citizens. The DoJ's goal is to maximize the numbers of successful arrests and prosecutions.
[ link to this | view in thread ]
Re: minimal impact
It's a simple substitution cipher but uses Japanese characters in place of English ones.
So A could be one of 3,000 characters.
https://github.com/Jigsy1/JCC
[ link to this | view in thread ]
Substitution cypher
Before using that cypher to encrypt anything critical, I suggest you familiarize yourself with the prosecution of Mary, Queen of Scots.
[ link to this | view in thread ]
Warm bodies into corporate prisons
When Sessions reinstated for-profit prisons, he indicated as much that this was his agenda.
They must have promised him a really cushy job.
[ link to this | view in thread ]