DOJ Back To Pushing For Legislation Targeting Encryption

from the CLIPPER-CHIP-2K18 dept

The New York Times is reporting that the War on Encryption continues, with a renewed push for legislation the Justice Department couldn't talk Obama into.

Federal law enforcement officials are renewing a push for a legal mandate that tech companies build tools into smartphones and other devices that would allow access to encrypted data in criminal investigations.

F.B.I. and Justice Department officials have been quietly meeting with security researchers who have been working on approaches to provide such “extraordinary access” to encrypted devices, according to people familiar with the talks.

[...]

Against that backdrop, law enforcement officials have revived talks inside the executive branch over whether to ask Congress to enact legislation mandating the access mechanisms.

FBI Director Chris Wray still has yet to hand over his list of agreeable security experts to Sen. Ron Wyden. Wray continues to assert there's a way to solve the "going dark" problem that won't involve making device encryption less secure, but every suggestion he offers involves making device encryption less secure. There are a few techies looking for solutions, and that small group may be who Wray believes can talk legislators into prepping a mandated access bill.

A National Academy of Sciences committee completed an 18-month study of the encryption debate, publishing a report last month. While it largely described challenges to solving the problem, one section cited presentations by several technologists who are developing potential approaches.

They included Ray Ozzie, a former chief software architect at Microsoft; Stefan Savage, a computer science professor at the University of California, San Diego; and Ernie Brickell, a former chief security officer at Intel.

The solutions presented by this group are more of the same: key escrow, weakened encryption, or technological assistance mandates. None of these work out particularly well for customers, as each option provides additional attack vectors for criminals, not just law enforcement. So, even if Wray hopes to rely on more sympathetic tech experts, he's still going to run into the same facts: you cannot provide access to law enforcement without increasing the chance of access by criminals and state-sponsored hackers.

It appears the DOJ isn't interested in letting the perfect be the enemy of the good. And why should it? It won't be affected by mandated access and/or weakened encryption. Those affected most will be members of the general public, and they simply don't matter when the FBI's agitating for destroying the encryption the public relies on to keep their devices and communications secure.

[O]ne Justice Department official familiar with the deliberations contended that it might not be necessary to come up with a foolproof system, arguing that a solution that would work for ordinary, less-savvy criminals was still worth pursuing.

Take a long look at that statement. This is the DOJ saying it's willing to sacrifice the security of millions of Americans to make sure it can round up the nation's least intelligent criminals. This isn't a balance anyone outside of the FBI's inner circle will be happy with. Wray and others routinely claim encryption is preventing them from solving serious crimes and hunting down dangerous criminals, but when all is said and done, it will apparently be satisfied locking up the most inept suspects.


Filed Under: backdoors, doj, encryption, fbi, going dark, legislation, responsible encryption


Reader Comments



  1. Anonymous Coward, 27 Mar 2018 @ 3:45am

    Eat your own cooking

    They need to trial the proposed solutions on their systems for at least a year prior to requiring it in public. This should prove just how impractical it is; in the process we should be able to show how secure their solutions are. A win-win for all.

  2. Anonymous Coward, 27 Mar 2018 @ 4:27am

    Stallman would be proud

    #deletefacebook is trending, and now this development will raise the profile of free/libre software.

  3. Anonymous Coward, 27 Mar 2018 @ 4:30am

    They used to be able to solve crimes without all the encrypted data they now want access to because it was never recorded before the smart device era. So what is stopping them using the means they used to use to solve crimes? Might it be a problem of the police alienating the communities they police? They certainly seem hell bent on alienating everybody in the world by removing all vestiges of privacy.

  4. That One Guy, 27 Mar 2018 @ 4:38am

    Well he's at least HONESTLY a blatant threat to the public

    [O]ne Justice Department official familiar with the deliberations contended that it might not be necessary to come up with a foolproof system, arguing that a solution that would work for ordinary, less-savvy criminals was still worth pursuing.

    'We're willing to undermine the protections that hundreds of millions depend on if it means it will be easier to go after the inept criminals who are so stupid that they would have been caught anyway.'

    You'd be hard pressed to find a better demonstration that those pushing for broken encryption are willing to throw millions of people to criminals of all stripes than this little admission. They're willing to betray the public on a national scale if it means they have to do slightly less work.

    This obsession with giving criminals the biggest gift ever has been a dangerously stupid obsession for some from the get-go, but it's statements like this that show just how low they are willing to sink, how little they care for anyone but themselves.

  5. Peter, 27 Mar 2018 @ 4:46am

    What is the point- commercial tools are available and affordable

    In case the DOJ's investigative skills aren't all they are cracked up to be, here is a little help:

    Media report that GrayKey offers a box that will crack an unlimited number of iPhones for $30,000. If they'd rather pay on a case-by-case basis: "police usually spend about $1,500 on each device unlocked by Cellebrite."
    http://www.zdnet.com/article/graykey-box-promises-to-unlock-iphones-for-police/

  6. Anonymous Coward, 27 Mar 2018 @ 5:36am

    Ode to the day when our rights have marched away

  7. Anonymous Coward, 27 Mar 2018 @ 5:40am

    No law enforcement agency or government is going to stop doing whatever it has to to get their ability to break into encrypted devices into law. As long as the public can be held accountable for everything and anything and none of those involved in the various agencies and governments can have their devices inspected, or be held accountable for the crap they pull, without charges being brought against whoever manages to invade those devices, they will be happy. Basically, they want to know everything about everyone else but no one is allowed to know what they are up to! If that doesn't make anyone suspicious, it should! Just look at the erosion of the various parts of the constitution since the very first case went to court involving the entertainment industries and 'copyright infringement'! Then look at how USA law enforcement has taken to arresting people and holding them at airports and border crossings, inspecting phones, tablets and laptops, all without warrants, even when they should have had! Privacy and freedom is being annihilated and not because of terrorism, because of the fears of governments, politicians, the rich and famous, all scared we will find out what they're up to, contrary to our best interests, while demanding, not just expecting to know every single thing about us!!

  8. kallethen, 27 Mar 2018 @ 5:57am

    Second verse, same as the first...

    I am reminded of the Clipper Chip.

    https://en.wikipedia.org/wiki/Clipper_chip

    Yeah, that didn't work out well back then. Spoiler alert: it still won't work out well.

  9. Anonymous Coward, 27 Mar 2018 @ 6:49am

    Fresh off its win with SESTA...

    The current government figures it can get anything it wants passed.

  10. Anonymous Coward, 27 Mar 2018 @ 6:50am

    Oh look... A former employee of a company whose products have more security vulnerabilities than a screen door is trying to design an encryption system.

    Really, how secure can a system be when you're basing it upon a unicorn and wishes algorithm?

  11. Anonymous Coward, 27 Mar 2018 @ 6:57am

    "satisfied locking up the most inept suspects. "

    And if even that proves too difficult, it can always resort to creating its own straw-men.

  12. Anonymous Coward, 27 Mar 2018 @ 7:06am

    Re:

    Microsoft and Intel have *both* had massive security failures under the watch of these two security "experts". Exactly the kind of "experts" the DOJ would go to.

  13. Anonymous Coward, 27 Mar 2018 @ 7:38am

    I think you've misinterpreted the statement.

    [O]ne Justice Department official familiar with the deliberations contended that it might not be necessary to come up with a foolproof system, arguing that a solution that would work for ordinary, less-savvy criminals was still worth pursuing.

    They're not looking for a system that only catches the dumbest of criminals. They're looking for a system that can't be broken by the dumbest of criminals.

  14. Anonymous Coward, 27 Mar 2018 @ 7:40am

    Re: Re:

    Exactly the kind of "experts" the DOJ would go to.

    Intel-SA-00086

  15. Anonymous Coward, 27 Mar 2018 @ 8:20am

    Poster Child

    U.S. Department of Justice - Office of the Inspector General: “A Special Inquiry Regarding the Accuracy of FBI Statements Concerning its Capabilities to Exploit an iPhone Seized During the San Bernardino Terror Attack Investigation” (March 2018)

    After the outside vendor successfully demonstrated its technique to the FBI in late March, EAD Hess learned of an alleged disagreement between the CEAU and ROU Chiefs over the use of this technique to exploit the Farook iPhone – the ROU Chief wanted to use capabilities available to national security programs, and the CEAU Chief did not. She became concerned that the CEAU Chief did not seem to want to find a technical solution, and that perhaps he knew of a solution but remained silent in order to pursue his own agenda of obtaining a favorable court ruling against Apple. According to EAD Hess, the problem with the Farook iPhone encryption was the “poster child” case for the Going Dark challenge.

  16. Anonymous Anonymous Coward, 27 Mar 2018 @ 8:25am

    Re:

    FBI: But, but, but if those encrypted digital devices didn't exist we wouldn't know that any laws were broken...

    Intelligent Lawmaker: If you don't know what is on the devices, how can you know that some law was broken?

    FBI: Why else would they use them?

    Intelligent Lawmaker: Well, you use them.

    FBI: Well, that's why we call our employees 'special' agents.

  17. JoeCool, 27 Mar 2018 @ 8:56am

    Re: I think you've misinterpreted the statement.

    Either interpretation is still horrific to the general public. With your interpretation, instead of no one getting into your phone, only semi-smart criminals will be able to get into your phone... unless the dumb ones sell your phone to a slightly smarter criminal. So in the end, you're still hosed.

  18. Anonymous Coward, 27 Mar 2018 @ 9:09am

    Re: Re:

    Intelligent Lawmaker: If you don't know what is on the devices, how can you know that some law was broken?

    FBI: That's why our agents, cops and DHS agents need to be able to examine the devices whenever they stop someone because they just know the person is breaking some law.

  19. NeghVar, 27 Mar 2018 @ 9:45am

    minimal impact

    Even if there is a ruling forcing encryption to have a government backdoor, there is always open-source.
    VeraCrypt and CipherShed are such examples. If the government slips in some kind of backdoor, the community of programmers will notice and remove or not compile that variation. And if the government comes after them, move to Belize like RedFox did.

  20. Anonymous Coward, 27 Mar 2018 @ 10:09am

    Re: Re:

    Schroedinger's felony

  21. Anonymous Coward, 27 Mar 2018 @ 10:24am

    The DOJ IS affected....

    It appears the DOJ isn't interested in letting the perfect be the enemy of the good. And why should it? It won't be affected by mandated access and/or weakened encryption.

    I can think of a number of ways the DOJ will be affected by mandated insecurity.

    First off, good luck for them to try and buy consumer hardware that doesn't have this implemented. This means that anyone who gains control of the access control system will have full access to DOJ equipment as well.

    Second off, once this goes down, expect to see the caseload for the DOJ skyrocket as criminals take advantage of the holes the DOJ punched in security. And those criminals will likely mostly be outside the US, which means after spending countless man hours to hunt them down, the DOJ will be powerless to prosecute.

    Although I guess you could argue that this is the FBI's problem, not the DOJ's problem.

  22. Anonymous Coward, 27 Mar 2018 @ 11:01am

    Re: I think you've misinterpreted the statement.

    A dumb criminal, who wants to hide his data from the government, is smart enough to know that he/she should not use the government approved legal crypto to do so.

  23. Uriel-238, 27 Mar 2018 @ 11:57am

    Postcards (and software) from Belize

    So anyone who is savvy about this is going to either install a foreign-made or open source unhobbled crypto system on their phone right after purchase, or just look for foreign versions of the phone. For business devices, it will become an expected expense.

    And everyone else, hackers will arrange, will have Goatse as their homepage background while their phone burns cycles and power as a botnet zombie DDOSing the establishment.

    Which means everyone will eventually swap their crypto out on first purchase, the way we used to buy an anti-virus package for our new computer.

    How marvelously cyberpunk!

  24. Anonymous Coward, 27 Mar 2018 @ 12:33pm

    Re: Re: I think you've misinterpreted the statement.

    Indeed. The real meaning of

    [O]ne Justice Department official familiar with the deliberations contended that it might not be necessary to come up with a foolproof system, arguing that a solution that would work for ordinary, less-savvy criminals was still worth pursuing.

    is so the justice department can say that the broken encryption isn't broken since that criminal mouth breather over there "can't break into the device using the approved encryption, therefore the approved encryption is 'secure enough' for any law abiding individual."

  25. Sam, 27 Mar 2018 @ 12:44pm

    FreeEmailEncryption.coM - the Most powerful on earth

    if you are looking for the supreMe leader of the pack...
    FreeEmailEncryption.com

    but accessing them is quite troublesome for the 'less savvy'

  26. Anonymous Coward, 27 Mar 2018 @ 12:46pm

    Re: FreeEmailEncryption.coM - the Most powerful on earth

    yep
    they be very cool,

    either it displays a blank site or slimmed down tiny version or the supreme power crypto

  27. Anonymous Coward, 27 Mar 2018 @ 12:53pm

    If cellphone encryption is too strong,

    the FBI won't be able to plant evidence on their stooges' smartphones who they're trying to set up.

    No stooges, no manufactured crimes, don't need FBI!

  28. Mike Masnick, 27 Mar 2018 @ 12:59pm

    Re: Stallman would be proud

    Is this sarcasm?

  29. Anonymous Coward, 27 Mar 2018 @ 3:27pm

    They want to outlaw secure encryption. Anyone not using insecure encryption will be targeted as terrorists/criminals/whatever. It's an attack on freedom, free speech, privacy, security - an attack on human rights, basically.

  30. That One Guy, 27 Mar 2018 @ 3:46pm

    That's a feature, not a bug

    Second off, once this goes down, expect to see the caseload for the DOJ skyrocket as criminals take advantage of the holes the DOJ punched in security. And those criminals will likely mostly be outside the US, which means after spending countless man hours to hunt them down, the DOJ will be powerless to prosecute.

    'Would you look at that, there's been an absolute explosion in crime for some mysterious reason, and our current laws are keeping those evil criminals safe from our reach. Clearly our budget needs to be drastically increased, and the law rewritten, or new laws added, that will give us power and authority we need to catch those dastardly fiends.'

  31. Uriel-238, 27 Mar 2018 @ 3:48pm

    It's good to want things.

    The thing is businesses depend on information security to exist, even your local hipster bike cafe. If they mandated hobbled crypto, they'd essentially either make it impossible to do business in the US, or force businesses to find loopholes by which they can retain impenetrable information locks.

    This is one of the things that happens with stupid laws: they don't take. So many people will decide to just break the law that it becomes impossible to enforce.

  32. Anonymous Coward, 28 Mar 2018 @ 12:53am

    Same Old Song

    "This is the DOJ saying it's willing to sacrifice the security of millions of Americans to make sure it can round up the nation's least intelligent criminals."

    The DoJ has never given a shit about the welfare, security or otherwise, of citizens. The DoJ's goal is to maximize the numbers of successful arrests and prosecutions.

  33. Jigsy, 28 Mar 2018 @ 3:36am

    Re: minimal impact

    Although one's not supposed to do it, I wrote my own encryption method around the start of the year.

    It's a simple substitution cipher but uses Japanese characters in place of English ones.

    So A could be one of 3,000 characters.

    https://github.com/Jigsy1/JCC

  34. Uriel-238, 28 Mar 2018 @ 10:50am

    Substitution cypher

    Before using that cypher to encrypt anything critical, I suggest you familiarize yourself with the prosecution of Mary, Queen of Scots.

  35. Uriel-238, 28 Mar 2018 @ 10:55am

    Warm bodies into corporate prisons

    When Sessions reinstated for-profit prisons, he indicated as much that this was his agenda.

    They must have promised him a really cushy job.
