WaPo's Excellent Explainer On Encryption Debunks WaPo's Stupid Editorial In Favor Of Encryption Backdoors

from the hey,-you-guys-should-talk! dept

Washington Post reporter Andrea Peterson has put together a really excellent explainer piece on what you should know about encryption. Considering the source, it's a good "general knowledge" explainer piece for people who really aren't that aware of encryption or technically savvy. That's important and useful, given how important this debate is and how many participants in it don't seem to understand the first thing about encryption. But what struck me is this little tidbit:

Can the government stop terrorists from using encryption?

Well, no. The most the government can probably do is bar companies from offering the most secure forms of encryption to their users. But encryption isn't just one product. Just like the math it's based on, it's really more of a concept or an idea rather than a specific technical tool.

And it's pretty impossible to outlaw ideas.

It goes on, in some depth, to explain just what a stupid idea it would be to outlaw end-to-end encryption, noting that there are lots of non-US companies and plenty of open source offerings for encryption that would still be widely available and used.

Now, compare that to the ridiculous editorial that the Washington Post put out a year ago, advocating for just such a solution:

How to resolve this? A police “back door” for all smartphones is undesirable — a back door can and will be exploited by bad guys, too. However, with all their wizardry, perhaps Apple and Google could invent a kind of secure golden key they would retain and use only when a court has approved a search warrant. Ultimately, Congress could act and force the issue, but we’d rather see it resolved in law enforcement collaboration with the manufacturers and in a way that protects all three of the forces at work: technology, privacy and rule of law.

Hey, Washington Post editorial board, I hope you read your own newspaper.

Filed Under: andrea peterson, backdoors, encryption, going dark, golden key
Companies: washington post

Washington Post Observes Encryption War 2.0 For Several Months, Learns Absolutely Nothing

from the we're-going-to-take-this-stupidity-and-DOUBLE-it dept

Last October -- following Apple and Google's announcements of encryption-by-default for iOS and Android devices -- was greeted with law enforcement panic, spearheaded by FBI director James Comey, who has yet to find the perfect dead child to force these companies' hands.

The Washington Post editorial board found Comey's diatribes super-effective! It published a post calling for some sort of law enforcement-only, magical hole in Apple and Google's encryption.

How to resolve this? A police “back door” for all smartphones is undesirable — a back door can and will be exploited by bad guys, too. However, with all their wizardry, perhaps Apple and Google could invent a kind of secure golden key they would retain and use only when a court has approved a search warrant. Ultimately, Congress could act and force the issue, but we’d rather see it resolved in law enforcement collaboration with the manufacturers and in a way that protects all three of the forces at work: technology, privacy and rule of law.

When is a "backdoor" not a "backdoor?" Well, apparently when an editorial board spells it G-O-L-D-E-N K-E-Y. It's the same thing, but in this particular pitch, it magically isn't, because good intentions. Or something.

Months later, the debate is still raging. But it's boiled down to two arguments:

1. This is impossible. You can't create a "law enforcement only" backdoor in encryption. It's simply not possible because a backdoor is a backdoor and can be used by anyone who can locate the door handle.

2. No, it isn't. Please see below for citations and references:

The FBI is at an impasse. Comey firmly believes this is possible, despite openly admitting he has zero evidence to back this claim up. When asked for specifics, Comey defers to "smart tech guys" and their warlock-like skills.

Sensing James Comey might be struggling a bit, the editorial board of the Washington Post is once again riding to the rescue. And they've brought the same level of cluelessness with them. (h/t to Techdirt reader Steve R.)

Mr. Comey’s assertions should be taken seriously. A rule-of-law society cannot allow sanctuary for those who wreak harm. But there are legitimate and valid counter arguments from software engineers, privacy advocates and companies that make the smartphones and software. They say that any decision to give law enforcement a key — known as “exceptional access” — would endanger the integrity of all online encryption, and that would mean weakness everywhere in a digital universe that already is awash in cyberattacks, thefts and intrusions. They say that a compromise isn’t possible, since one crack in encryption — even if for a good actor, like the police — is still a crack that could be exploited by a bad actor. A recent report from the Massachusetts Institute of Technology warned that granting exceptional access would bring on “grave” security risks that outweigh the benefits.

After providing some statements opposing its view on the matter -- most notably an actual research paper written by actual security researchers -- the editorial board continues on to declare this all irrelevant.

The tech companies are right about the overall importance of encryption, protecting consumers and insuring privacy. But these companies ought to more forthrightly acknowledge the legitimate needs of U.S. law enforcement.

And by "forthrightly acknowledge," the board means "give law enforcement what it wants, no matter the potential damage." After all, what's PERSONAL safety, security and a handful of civil liberties compared to "legitimate needs of law enforcement?"

All freedoms come with limits; it seems only proper that the vast freedoms of the Internet be subject to the same rule of law and protections that we accept for the rest of society.

Your rights end where law enforcement's "legitimate needs" begin. Except they don't. The needs of law enforcement don't trump the Bill of Rights. The needs of law enforcement don't automatically allow it to define the acceptable parameters of the communications of US citizens.

The editorial finally wraps up by calling for experts in the field to resolve this issue:

This conflict should not be left unattended. Nineteen years ago, the National Academy of Sciences studied the encryption issue; technology has evolved rapidly since then. It would be wise to ask the academy to undertake a new study, with special focus on technical matters, and recommendations on how to reconcile the competing imperatives.

The WaPo editorial board is no better than James Comey. It can cite nothing in support of its view but yet still believes it's right. And just like Comey, the board is being wholly disingenuous in its "deferral" to security researchers and tech companies. It, like Comey, wants to hold two contradictory views.

Tech/security researchers are dumb when they say this problem can't be solved.

Tech/security researchers are super-smart and can solve this problem.

So, they (the board and Comey) want to ignore the "smart guys" when they say this is impossible, but both are willing to listen if they like the answers they're hearing.

Filed Under: backdoors, encryption, golden key, james comey, mobile encryption
Companies: washington post

Intelligence Community's Top Lawyer Endorses Desire For Unicorns, Leprechauns & Golden Keys That Don't Undermine Encryption

from the same-thing dept

Bob Litt, the General Counsel for the Office of the Director of National Intelligence (ODNI), gave a speech on Wednesday trying to address the public's ongoing concerns about government surveillance. The speech is long, but it's well worth reading. There's a lot of "yes, we could have done a better job explaining ourselves, and we promise we're learning" kind of talk, but little of real substance. However, at the very end of the speech, he joins the ridiculous bandwagon of ignorant government and law enforcement attacking the idea of encryption the government can't crack. But, similar to the Washington Post's magical golden key (not a backdoor!) proposal, Litt has some wishful thinking about a magic key that only the government can use:

Encryption is a critical tool to protect privacy, to facilitate commerce, and to provide security, and the United States supports its use. At the same time, the increasing use of encryption that cannot be decrypted when we have the lawful authority to collect information risks allowing criminals, terrorists, hackers and other threats to escape detection. As President Obama recently said, “[i]f we get into a situation in which the technologies do not allow us at all to track someone that we’re confident is a terrorist …that’s a problem.” I’m not a cryptographer, but I am an optimist: I believe that if our businesses and academics put their mind to it, they will find a solution that does not compromise the integrity of encryption technology but that enables both encryption to protect privacy and decryption under lawful authority to protect national security.

I'm not sure how many times in how many different ways this needs to be explained, but what they're asking for is a fantasy. You cannot put a backdoor in encryption and create a magic rule that says "only the government can use this in lawful situations." That's just not how it works. At all. The very idea of decryption by a third party "compromises the integrity of the encryption technology," almost by definition.

Separately, Litt's reassurances elsewhere ring incredibly hollow. In trying to respond to concerns about so-called "incidental" collection of information under Section 702 of the FISA Amendments Act (information that the NSA isn't allowed to collect, but does so anyway and then hangs onto it and makes it searchable by a variety of government agencies), he notes that they have "reaffirmed" that such data must be deleted if they're determined to have no foreign intelligence value, but then (no joke!) his own speech has an asterisk with a giant loophole. Here is the speech posted on the ODNI's own Tumblr page: It's like they're really not even trying to hide the massive loopholes they've built in. In case you're wondering, the loopholes buried in that asterisk include basically everything:

Under the new policy, in addition to any other limitations imposed by applicable law, including FISA, any communication to or from, or information about, a U.S. person acquired under Section 702 of FISA shall not be introduced as evidence against that U.S. person in any criminal proceeding except (1) with the prior approval of the Attorney General and (2) in (A) criminal proceedings related to national security (such as terrorism, proliferation, espionage, or cybersecurity) or (B) other prosecutions of crimes involving (i) death; (ii) kidnapping; (iii) substantial bodily harm; (iv) conduct that constitutes a criminal offense that is a specified offense against a minor as defined in 42 USC 16911; (v) incapacitation or destruction of critical infrastructure as defined in 42 USC 5195c(e); (vi) cybersecurity; (vii) transnational crimes; (or (vii) human trafficking.

Yes, some of the activities covered by this list are pretty bad. But it doesn't change the fact that the NSA isn't supposed to collect such information or retain it at all. Writing in all these exceptions is pretty damn broad, especially given the NSA and its "cute" interpretations of the law.

Filed Under: backdoors, bob litt, encryption, golden key, incidental collection, magic key, nsa, odni, section 702, surveillance

Washington Post's Clueless Editorial On Phone Encryption: No Backdoors, But How About A Magical 'Golden Key'?

from the golden-key-cryptography dept

The Washington Post editorial board has weighed in on the recent "controversy" over Apple and Google's smart decision to start encrypting mobile devices by default. The "controversy" itself seems pretty hyped up by law enforcement types who are either lying or clueless about the technology. Throwing a bunch of technically ignorant newspaper editors into the mix probably wasn't the wisest of decisions.

Much of the editorial engages in hand-wringing about what law enforcement is going to do when they need the info on your phone (answer: same thing they did for years before smartphones, and most of the time with smartphones as well, which is regular detective work). It even repeats the bogus use of the phrase "above the law" that FBI director James Comey bizarrely keeps repeating (hint: putting a lock on your stuff isn't making you above the law). But the real kicker is the final paragraph:

How to resolve this? A police “back door” for all smartphones is undesirable — a back door can and will be exploited by bad guys, too. However, with all their wizardry, perhaps Apple and Google could invent a kind of secure golden key they would retain and use only when a court has approved a search warrant. Ultimately, Congress could act and force the issue, but we’d rather see it resolved in law enforcement collaboration with the manufacturers and in a way that protects all three of the forces at work: technology, privacy and rule of law.

Did you get that? No "back door," but rather a "golden key." Now, I'm not sure which members of the Washington Post editorial board is engaged in mythical "golden key" cryptography studies, but to most folks who have even the slightest understanding of technology, they ought to have recognized that what they basically said is: "a back door is a bad idea, so how about creating a magic back door?" A "golden key" is a backdoor and a "backdoor" is a "golden key." The two are indistinguishable and the Post's first point is the only accurate one: it "can and will be exploited by bad guys, too." That's why Apple and Google are doing this. To protect users from bad guys.

In the meantime, just watch, and we'll start to see ignorant politicians and law enforcement start to echo this proposal as well, talking down "backdoors" and talking up "golden keys." The fact that we already had this debate in the 1990s, when the "golden key" was called "key escrow" and when having the government lose that was was fairly important in allowing the internet to become so useful, will apparently be lost on the talking heads.

Still, a small request for the Washington Post Editorial Board: before weighing in on a subject like this, where it's fairly clear that none of you have the slightest clue, perhaps try asking a security expert first?

Filed Under: backdoors, editorial board, encryption, golden key, mobile encryption, privacy, security
Companies: washington post