My Question To Deputy Attorney General Rod Rosenstein On Encryption Backdoors

from the golden-key-and-databreach dept

Never mind all the other reasons Deputy Attorney General Rod Rosenstein's name has been in the news lately... this post is about his comments at the State of the Net conference in DC on Monday. In particular: his comments on encryption backdoors.

As he and so many other government officials have before, he continued to press for encryption backdoors, as if it were possible to have a backdoor and a functioning encryption system. He allowed that the government would not itself need to have the backdoor key; it could simply be a company holding onto it, he said, as if this qualification would lay all concerns to rest.

But it does not, and so near the end of his talk I asked the question, "What is a company to do if it suffers a data breach and the only thing compromised is the encryption key it was holding onto?"

There were several concerns reflected in this question. One relates to what the poor company is to do. It's bad enough when they experience a data breach and user information is compromised. Not only does a data breach undermine a company's relationship with its users, but, recognizing how serious this problem is, authorities are increasingly developing policy instructing companies on how they are to respond to such a situation, and it can expose the company to significant legal liability if it does not comport with these requirements.

But if an encryption key is taken it is so much more than basic user information, financial details, or even the pool of potentially rich and varied data related to the user's interactions with the company that is at risk. Rather, it is every single bit of information the user has ever depended on the encryption system to secure that stands to be compromised. What is the appropriate response of a company whose data breach has now stripped its users of all the protection they depended on for all this data? How can it even begin to try to mitigate the resulting harm? Just what would government officials, who required the company to keep this backdoor key, now propose it do? Particularly if the government is going to force companies to be in this position of holding onto these keys, these answers are something they are going to need to know if they are going to be able to afford to be in the encryption business at all.

Which leads to the other idea I was hoping the question would capture: that encryption policy and cybersecurity policy are not two distinct subjects. They interrelate. So when government officials worry about what bad actors do, as Rosenstein's comments reflected, it can't lead to the reflexive demand that encryption be weakened simply because, as they reason, bad actors use encryption. Not when the same officials are also worried about bad actors breaching systems, because this sort of weakened encryption so significantly raises the cost of these breaches (as well as potentially makes them easier).

Unfortunately Rosenstein had no good answer. There was lots of equivocation punctuated with the assertion that experts had assured him that it was feasible to create backdoors and keep them safe. Time ran out before anyone could ask the follow-up question of exactly who were these mysterious experts giving him this assurance, especially in light of so many other experts agreeing that such a solution is not possible, but perhaps this answer is something Senator Wyden can find out...

Filed Under: cybersecurity, encryption backdoors, going dark, responsible encryption, rod rosenstein

FBI Director Chris Wray Says Secure Encryption Backdoors Are Possible; Sen. Ron Wyden Asks Him To Produce Receipts

from the not-so-great-when-you're-on-the-receiving-end-of-a-bludgeoning-interrogation dept

I cannot wait to see FBI Director Christopher Wray try to escape the petard-hoisting Sen. Ron Wyden has planned for him. Wray has spent most of his time as director complaining about device encryption. He continually points at the climbing number of locked phones the FBI can't crack. This number signifies nothing, not without more data, but it's illustrative of Wray's blunt force approach to encryption.

I'm sure Wray views himself as a man carefully picking his way through the encryption minefield. But there's nothing subtle about his approach. He has called encryption a threat to public safety. His lead phone forensics person has called Apple "evil" for offering it to its users. He has claimed the move to default encryption is motivated by profit. And if that's not the motivation, then it's probably just anti-FBI malice. Meanwhile, he claims the FBI has nothing but the purest intentions when it calls for encryption backdoors, even while Wray does everything he can to avoid using that term.

He claims the solution is out there -- a perfect, seamless blend of secure encryption and easy law enforcement access. The solution, he claims, is most likely deliberately being withheld by the "smart people." These tech companies that have made billionaires of their founders are filled with the best nerds, but they're just not applying themselves. Wray asserts -- without evidence -- that secure encryption backdoors are not only possible, but probable.

Senator Ron Wyden has had enough. He's calling out Director Wray on his bullshit. Publicly. His letter [PDF] demands Wray hand over information on his encryption backdoor plans. Specifically, Wyden wants Wray to name names. [via Kate Conger at Gizmodo]

Your stated position parrots the same debunked arguments espoused by your predecessors, all of whom ignored the widespread and vocal consensus of cryptographers. For years, these experts have repeatedly stated that what you are asking for is not, in fact, possible. Building secure software is extremely difficult, and vulnerabilities are often introduced inadvertently in the design process. Eliminating these vulnerabilities is a mammoth task, and experts are unified in their opinion that introducing deliberate vulnerabilities would likely create catastrophic unintended consequences that could debilitate software functionality and security entirely.

I would like to learn more about how you arrived at and justify this ill-informed policy proposal. Please provide me with a list of the cryptographers with whom you've personally discussed this topic since our July 2017 meeting and specifically identify those experts who advised you that companies can feasibly design government access features into their products without weakening cybersecurity. Please provide this information by February 23, 2018.

Remember how FBI directors (Wray, Jim Comey) claimed they just wanted to have "an adult conversation" with tech experts and cryptographers? My guess is they've never even tried. Wray hasn't held the post for long, but he's been beating Comey's weathered anti-encryption drum as long as he's held the title. And in all this time, I doubt he has talked to anyone in the tech industry directly about his encryption backdoor theory. Even if he has, he certainly hasn't found anyone who agrees such a thing can be done without weakening device security. Wray will have no answers for Wyden. We can only hope being publicly embarrassed by Senator Wyden will force him to rethink his position.

Filed Under: backdoors, chris wray, encryption, fbi, going dark, responsible encryption, ron wyden

Latest DOJ WTFness: Encryption Is Like A Locked House That Won't Let Its Owners Back Inside

from the spare-the-Rod,-spoil-the-horse-carcass dept

Deputy Attorney General Rod Rosenstein continues his push for law enforcement-friendly broken encryption. The ultimate goal is the same but the arguments just keep getting worse. Trying to pitch worthless encryption (i.e., encryption easily compromised in response to government demands) as "responsible" encryption is only the beginning of Rosenstein's logical fallacies.

After a month-plus of bad analogies and false equivalents, Rosenstein has managed to top himself. The path to Rosenstein's slaughtering of a metaphor runs through such highlights as the DAG claiming device encryption is solely motivated by profits and that this is the first time in history law enforcement hasn't had access to all forms of evidence. It's an intellectually dishonest campaign against encryption, propelled by the incredibly incorrect belief that the Fourth Amendment was written to provide the government with access, rather than to protect citizens from their government.

In a long article by Cyrus Farivar discussing a recent interview given by Rosenstein, the Deputy Attorney General drops this abomination of an analogy:

"I favor strong encryption, because the stronger the encryption, the more secure data is against criminals who are trying to commit fraud," he explained. "And I'm in favor of that, because that means less business for us prosecuting cases of people who have stolen data and hacked into computer networks and done all sorts of damage. So I'm in favor of strong encryption."

"This is, obviously, a related issue, but it's distinct, which is, what about cases where people are using electronic media to commit crimes? Having access to those devices is going to be critical to have evidence that we can present in court to prove the crime. I understand why some people merge the issues. I understand that they're related. But I think logically, we have to look at these differently. People want to secure their houses, but they still need to get in and out. Same issue here."

It is nowhere near the "same issue." I sincerely hope DAG Rosenstein regrets every word of this statement.

Let's streamline the analogy: People want to protect the data on their phones. People still want to be able to access this data on their phones. In no case ever has encryption prevented people from accessing the data on their phones. Forgotten passcodes might, but that's like losing house keys. You might need outside assistance to get back in.

Rosenstein's analogy skips a step. It has to. There's no way this analogy can ever work couched in Rosenstein's anti-encryption statements. People lock their houses when they leave and unlock them with their keys when they get back. Rosenstein's analogy is completely baffling, given the context of his remarks. How does strong security prevent people from "entering" their devices? It doesn't and Rosenstein knows this. It only prevents people other than the device owner from doing so.

What he's actually talking about is government access, but he can't find a credible argument for weakening the strong encryption he just claimed he believed in. And he doesn't have the intellectual honesty to say what he really means. The "they" in "but they still need to get in and out" is meant to encompass law enforcement agencies. In the context of Rosenstein's anti-encryption argument, that's the only interpretation that makes any sort of sense. Otherwise, it's a non sequitur -- one that claims strong security is somehow capable of preventing home owners from coming and going as they please.

A boneheaded analogy like this is the only rhetorical option left. That's because what Rosenstein wants -- easily-compromised "strong" encryption (i.e., "responsible encryption") -- simply cannot exist. Impossible demands can only be justified by implausible arguments. Given the swift and steady deterioration of Rosenstein's rhetoric, it's probably time to put his "Dead Horses and the Men Who Beat Them" show on ice.

Filed Under: bad analogies, doj, encryption, going dark, responsible encryption, rod rosenstein

White House Cyber Security Boss Also Wants Encryption Backdoors He Refuses To Call Backdoors

from the torturing-words dept

Deputy Attorney General Rod Rosenstein recently pitched a new form of backdoor for encryption: "responsible encryption." The DAG said encryption was very, very important to the security of the nation and its citizens, but not so important it should ever prevent warrants from being executed.

According to Rosenstein, this is the first time in American history law enforcement officers haven't been able to collect all the evidence they seek with warrants. And that's all the fault of tech companies and their perverse interest in profits. Rosenstein thinks the smart people building flying cars or whatever should be able to make secure backdoors, but even if they can't, maybe they could just leave the encryption off their end of the end-to-end so cops can have a look-see.

This is the furtherance of former FBI director James Comey's "going dark" dogma. It's being practiced by more government agencies than just the DOJ. Calls for backdoors echo across Europe, with every government official making them claiming they're not talking about backdoors. These officials all want the same thing: a hole in encryption. All that's really happening is the development of new euphemisms.

Rob Joyce, the White House cybersecurity coordinator, is the latest to suggest the creation of encryption backdoors -- and the latest to claim the backdoor he describes is not a backdoor. During a Q&A at Cyber Summit 2017, Joyce said this:

[Encryption is] "definitely good for America, it's good for business, it's good for individuals," Joyce said. "So it's really important that we have strong encryption and that's available."

Every pitch against secure encryption begins exactly like this: a government official professing their undying appreciation for security. And like every other pitch, the undying appreciation is swiftly smothered by follow-up statements specifying which kinds of security they like.

"The other side of that is there are some evil people in this world, and the rule of law needs to proceed, and so what we're asking for is for companies to consider how they can support legal needs for information. Things that come from a judicial order, how can they be responsive to that, and if companies consider from the outset of building a platform or building a capability how they're going to respond to those inevitable asks from a judge's order, we'll be in a better place."

In other words, Joyce loves the security encrypted devices provide. But he'd love them more if they weren't quite so encrypted. Perhaps if the manufacturers held the keys… The same goes for encrypted communications. Wonderful stuff. Unless the government has a warrant. Then it should be allowed to use its golden key or backdoor or whatever to gain access.

Once again, a government official asks for a built-in backdoor, but doesn't have the intellectual honesty to describe it as such, nor the integrity to take ownership of the collateral damage. Neither the White House nor Congress seem interested in encryption bans or mandated backdoors. The officials talking about the "going dark" problem keep hinting tech companies should just weaken security for the greater good -- with the "greater good" apparently benefiting only government agencies.

This way, when everything goes to hell, officials can wash their hands of the collateral blood because there's no mandate or legislation tech companies can point to as demanding they acquiesce to the government's desires. Officials like Joyce and Rosenstein want all of the access, but none of the responsibility. And every single person offering these arguments think the smart guys should do all the work and carry 100% of the culpability. Beyond being stupid, these arguments are disingenuous and dangerous. And no one making them seems to show the slightest bit of self-awareness.

Filed Under: cybersecurity, doj, responsible encryption, rob joyce, rod rosenstein

DOJ Continues Its Push For Encryption Backdoors With Even Worse Arguments

from the let-us-save-you-from-your-security dept

Early last week, the Deputy Attorney General (Rod Rosenstein) picked up the recently-departed James Comey's Torch of Encroaching Darkness +1 and delivered one of the worst speeches against encryption ever delivered outside of the UK.

Rosenstein apparently has decided UK government officials shouldn't have a monopoly on horrendous anti-encryption arguments. Saddling up his one-trick pony, the DAG dumped out a whole lot of nonsensical words in front of a slightly more receptive audience. Speaking at the Global Cyber Security Summit in London, Rosenstein continued his crusade against encryption using counterintuitive arguments.

After name-dropping his newly-minted term -- responsible encryption™ -- Rosenstein stepped back to assess the overall cybersecurity situation. In short, it is awful. Worse, perhaps, than Rosenstein's own arguments. Between the inadvertently NSA-backed WannaCry ransomware, the Kehlios botnet, dozens of ill-mannered state actors, and everything else happening seemingly all at once, the world's computer users could obviously use all the security they can get.

Encryption is key to security. Rosenstein agrees… up to a point. He wants better security for everyone, unless those everyones are targeted by search warrants. Then they have too much encryption.

Encryption is essential. It is a foundational element of data security and authentication. It is central to the growth and flourishing of the digital economy. We in law enforcement have no desire to undermine encryption.

But “warrant-proof” encryption poses a serious problem.

Well, you can't really have both secure encryption and law enforcement-friendly encryption. Rosenstein knows this just as surely as Comey knew it. That didn't stop Comey from pretending it was all about tech company recalcitrance. The same goes for Rosenstein who, early on in his speech, plays a shitty version of Sympathy for the Tech Devil by using the phrase "competitive forces" as a stand-in for "profit seeking" when speaking about the uptick in default encryption.

The underlying message of his last speech was that American tech companies should spurn profits for helping out the government by unwrapping one end of end-to-end encryption. The same pitch is made here, softened slightly in the lede thanks to the presence of UK tech companies in the audience. The language may be less divisive, but the arguments are no less stupid this time around.

In the United States, when crime is afoot, impartial judges are responsible for balancing a citizen’s reasonable expectation of privacy against the interests of law enforcement. The law recognizes that legitimate law enforcement needs can outweigh personal privacy concerns. That is how we obtain search warrants for homes and court orders to require witnesses to testify.

Warrant-proof encryption overrides our ability to balance privacy and security. Our society has never had a system where evidence of criminal wrongdoing was impervious to detection by officers acting with a court-authorized warrant. But that is the world that technology companies are creating.

I'm not sure what this "system" is Rosenstein speaks about, but there has always been evidence that's eluded the grasp of law enforcement. Prior to common telephone use, people still communicated criminal plans but no one insisted citizens hold every conversation within earshot of law enforcement. Even in a digital world, evidence production isn't guaranteed, even when encryption isn't a factor.

Going on from there, the rest of speech is pretty much identical to his earlier one. In other words: really, really bad and really, really wrong.

Rosenstein believes the government should be able to place its finger on the privacy/security scale without being questioned or stymied by lowly citizens or private companies. Even if he's right about that (he isn't), he's wrong about the balance. This isn't privacy vs. security. This is security vs. insecurity. For a speech so front-loaded with tales of security breaches and malicious hacking, the back end is nothing more than bad arguments for weakened encryption -- something the government may benefit from, but will do nothing to protect people from malicious hackers or malicious governments.

All the complaints about a skewed balance are being presented by an entity that's hardly a victim. Electronic devices -- particularly cellphones -- generate an enormous amount of data that's not locked behind encryption. The government can -- without a warrant -- track your movements, either post-facto, or with some creative paperwork, in real time. Tons of other "smart" devices are generating a wealth of records only a third party and a subpoena away. And that's just the things citizens own. This says nothing about the wealth of surveillance options already deployed by the government and those waiting in the wings for the next sell off of civil liberties

It also should be noted Rosenstein is trying to make "responsible encryption" a thing. He obviously wants the word "backdoor" erased from the debate. While it's tempting to sympathize with Rosenstein's desire to take a loaded word out of the encryption debate lexicon, the one he's replacing it with is worse. As Rob Graham at Errata Security points out, the new term is loaded language itself, especially when attached to Rosenstein's bullshit metric: "measuring success in prevented crimes and saved lives."

I feel for Rosenstein, because the term "backdoor" does have a pejorative connotation, which can be considered unfair. But that's like saying the word "murder" is a pejorative term for killing people, or "torture" is a pejorative term for torture. The bad connotation exists because we don't like government surveillance. I mean, honestly calling this feature "government surveillance feature" is likewise pejorative, and likewise exactly what it is that we are talking about.

Then there's the problem with Rosenstein deploying rhetorical dodges in his discussions about encryption, which presumably include a number of government officials. Alex Gaynor, who worked for the United States Digital Service and participated in the Obama Administration's discussion of potential encryption backdoors, points out Rosenstein's abuse of his position.

Mr. Rosenstein plainly wants to reopen the "going dark" debate that began under the previously administration, spearheaded by FBI Director Jim Comey. While I disagree vehemently with him, it's a valid policy position - and I have every reason to believe him that there are investigations in which encryption does hamper the Justice Department and FBI's ability to investigate. However, he is not entitled to mislead the public in order to make that point. And make no mistake. Attempting to use the spectre of familiar computer security challenges in order to make the argument that his policy is necessary, even though his policy has nothing to do with these challenges, is the height of intellectual dishonesty.

There's an endgame to Rosenstein's dishonest rhetoric. And it won't be tech companies being guilted into participating in his "responsible encryption" charade. It will be backdoors. And they will be legislated.

The Deputy Attorney General says that he is interested in "frank discussion". However, his actual remarks demonstrate he is interested in anything but -- his goal is to secure legislation akin to CALEA for your cellphone, and he doesn't care who he has to mislead to accomplish this. Mr. Deputy Attorney General, I expect better.

This is what the DOJ wants. But Rosenstein is too weak-willed to say it out loud. So he spouts this contradictory, misleading, wholly asinine garbage to whatever audience will have him. Rosenstein is obtuse enough to be dangerous. Fortunately, most legislators (so far) seem unwilling to sacrifice the security of citizens on the altar of lawful access.

Filed Under: backdoors, doj, going dark, james comey, nerd harder, responsible encryption, rod rosenstein

Deputy AG Pitches New Form Of Backdoor: 'Responsible Encryption'

from the laugh-and-the-world-laughs-with;-pull-this-crap-and-you're-on-your-own dept

The DOJ is apparently going to pick up where the ousted FBI boss James Comey left off. While Attorney General Jeff Sessions continues building his drug enforcement time machine, Deputy AG Rod Rosenstein is keeping the light on for Comey's prophesies of coming darkness.

Rosenstein recently gave a speech at the US Naval Academy on the subject of encryption. It was… well, it was pretty damn terrible. Once again, a prominent law enforcement official is claiming to love encryption while simultaneously extolling the virtues of fake encryption with law enforcement-ready holes in it.

The whole thing is filled with inadvertently hilarious assertions, like the following:

Encryption is a foundational element of data security and authentication. It is essential to the growth and flourishing of the digital economy, and we in law enforcement have no desire to undermine it.

Actually, Rosenstein has plenty of desire to do that, which will be amply demonstrated below, using his own words.

But the advent of “warrant-proof” encryption is a serious problem. Under our Constitution, when crime is afoot, impartial judges are charged with balancing a citizen’s reasonable expectation of privacy against the interests of law enforcement. The law recognizes that legitimate law enforcement needs can outweigh personal privacy concerns.

The law indeed recognizes this and provides law enforcement access to communications, documents, etc. with the proper paperwork. What the law cannot do is ensure the evidence is intact, accessible, or exactly what law enforcement is looking for.

Rosenstein is disingenuously reframing the argument as lawful access v. personal privacy, when it's really about law enforcement's desires v. user security. The latter group -- users -- includes a large percentage of people who've never been suspected of criminal activity, much less put under investigation. Weakened encryption affects everyone, not just criminal suspects.

Our society has never had a system where evidence of criminal wrongdoing was totally impervious to detection, especially when officers obtain a court-authorized warrant. But that is the world that technology companies are creating.

Our society has had plenty of systems where evidence was "impervious to detection." Calls, text messages, emails, personal conversations, passed notes, dead drops, coded transmissions, etc. have existed for years without law enforcement complaining about everything getting so damn dark. Law enforcement has never had 100% access to means of communications even with the proper paperwork in hand. And yet, police departments and investigative agencies routinely solved crimes, even without access to vast amounts of personal communications.

Rosenstein follows this loop a few times, always arriving at the same mistaken conclusion: law enforcement should be able to access whatever it wants so long it has a warrant. Why? Because it always used to be able to. Except for all those times when it didn't.

Since Rosenstein isn't willing to handle the encryption conversation with any more intellectual honesty than the departed James Comey, he's forced to come up with new euphemisms for encryption backdoors. Here's Rosenstein's new term for non-backdoor encryption backdoors.

Responsible encryption is achievable. Responsible encryption can involve effective, secure encryption that allows access only with judicial authorization.

At worst, this means some sort of built-in backdoor, sort of what Blackberry uses for its non-enterprise customers. Nearly just as bad, this possibly means key escrow. These are the solutions Rosenstein wants, but he doesn't even have the spine to take ownership of them. Not only does the Deputy AG want tech companies to implement whatever the fuck "responsible encryption" is, he wants them to bear all expenses, cope with customers fleeing the market for more secure options, and be the focal point for the inevitable criticism.

Such a proposal would not require every company to implement the same type of solution. The government need not require the use of a particular chip or algorithm, or require any particular key management technique or escrow. The law need not mandate any particular means in order to achieve the crucial end: when a court issues a search warrant or wiretap order to collect evidence of crime, the provider should be able to help.

In other words, the private sector needs to build the doors and hold the keys. All the government needs to do is obtain warrants.

Rosenstein just keeps piling it on. He admits the law enforcement hasn't been able to guilt tech companies into backdooring their encryption. That's the old way. Going forward, the talking points will apparently portray tech companies as more interested in profits than public safety.

The approach taken in the recent past — negotiating with technology companies and hoping that they eventually will assist law enforcement out of a sense of civic duty — is unlikely to work. Technology companies operate in a highly competitive environment. Even companies that really want to help must consider the consequences. Competitors will always try to attract customers by promising stronger encryption.

That explains why the government’s efforts to engage with technology giants on encryption generally do not bear fruit. Company leaders may be willing to meet, but often they respond by criticizing the government and promising stronger encryption.

Of course they do. They are in the business of selling products and making money.

In other words, tech companies are doing it for the clicks. This is a super-lazy argument often used to belittle things someone disagrees with. (A phrase that has since been supplanted by "fake news.") This sort of belittling is deployed by (and created for) the swaying of the smallest of minds.

Having painted the tech industry as selfish, Rosenstein airlifts himself to the highest horse in the immediate area.

We use a different measure of success. We are in the business of preventing crime and saving lives.

The Deputy AG makes a better point when he calls out US tech companies for acquiescing to ridiculous censorship demands from foreign governments. If companies are willing to oblige foreign governments with questionable human rights records, why can't they help out the US of A?

It's still not a very strong point, at least not in this context. But it is something we've warned against for years here at Techdirt: you humor enough stupid demands from foreign governments and pretty soon all of them -- including your own -- are going to start asking for favors.

It would be a much better argument if it wasn't tied to the encryption war Rosenstein's fighting here. Comparing censorship efforts and VPN blocking to the complexities of encryption isn't an apples-to-apples comparison. Blocking or deleting content is not nearly the same thing as opening up all users to heightened security risks because the government can't get at a few communications.

Whatever it is Rosenstein's looking for, he's 100% sure tech companies can not only provide it, but should also bear all liability for anything that might go wrong.

We know from experience that the largest companies have the resources to do what is necessary to promote cybersecurity while protecting public safety. A major hardware provider, for example, reportedly maintains private keys that it can use to sign software updates for each of its devices. That would present a huge potential security problem, if those keys were to leak. But they do not leak, because the company knows how to protect what is important. Companies can protect their ability to respond to lawful court orders with equal diligence.

It's that last sentence that's a killer. This is Rosenstein summing up his portrayal of tech companies as callous, profit-seeking nihilists with a statement letting everyone know the DOJ will pin all the blame for any future security breaches on the same companies who got on board with the feds' "nerd harder" demands.

This is a gutless, stupid, dishonest speech -- one that deliberately misconstrues the issues and lays all the blame, along with all the culpability on companies unwilling to sacrifice users' security just because the government feels it's owed access in perpetuity.

Filed Under: doj, encryption, going dark, moral panic, nerd harder, responsible encryption, rod rosenstein