Hillary Clinton's Staff Recognize She Doesn't Understand Encryption And Is Supporting 'The Impossible'

from the that's-at-least-marginally-reassuring dept

Hillary Clinton's position on encryption -- like so much of her tech policy -- has been kind of vague and wishy-washy. Saying things that possibly sound good, but could easily turn out to be bad depending on what is really meant. It's sort of the classical politician's answer on things, trying to appease multiple sides of an issue without getting fully pinned down on something that might come back to bite you later.

It started back in November of 2015, when Clinton gave a speech, which put her firmly into the "but Silicon Valley should nerd harder to figure out a backdoor" camp. A few weeks later, she doubled down on the "nerd harder" response in an interview with George Stephanopoulos:

STEPHANOPOULOS: How about Apple? No more encryption?

CLINTON: This is something I've said for a long time, George. I have to believe that the best minds in the private sector, in the public sector could come together to help us deal with this evolving threat. And you know, I know what the argument is from our friends in the industry. I respect that. Nobody wants to be feeling like their privacy is invaded.

But I also know what the argument is on the other side from law enforcement and security professionals. So, please, let's get together and try to figure out the best way forward.

A few weeks after that, she went even further, calling for a "Manhattan Project" on backdooring encryption. As we noted at the time, that made no sense and suggested a complete cluelessness about encryption and the issues related to it.

Now, with the release of the hacked emails from Clinton campaign manager John Podesta, we get to find out that Clinton's staff basically agreed with us that her statements on encryption were ridiculous, and felt that she should not support any effort to backdoor encryption. It started with an internal discussion in response to an inbound request from Politico, where some of her staffers sought to avoid answering the question on backdooring encryption, while admitting internally the reality. Here were the "boiled down" talking points, presented by Ben Scott (a former State Dept official who also ran Free Press for a few years):

1-The bad guys could already get crypto -- we helped the good guys get it.

2-The Internet Freedom investments in these technologies were strongly bipartisan (and remain so).

Those are good points. I wish she'd actually said that, rather than what eventually came out.

The second email comes right after that "Manhattan Project" comment at the debate in the middle of December, and there her staffers discuss what a terrible analogy it is and how they should tell the tech industry that Hillary won't support backdoors, but instead supports using hacking/malware to spy on terrorists (which is a better solution all around, though it raises some other issues).

The email thread starts off with lawyer and Clinton (and former Obama) advisor Sara Solow first highlighting the flip-floppy nature of Clinton's comments, and then followed it up by noting that the "flop" side of (supporting backdooring encryption) is "impossible":

She basically said no mandatory back doors last night ("I would not want to go to that point"). In the next paragraph she then said some not-so-great stuff -- about there having to be "some way" to "break into" encrypted content-- but then she again said "a backdoor may be the wrong door."

Please let us know what you hear from your folks. I would think they would be happy -- she's certainly NOT calling for the backdoor now -- although she does then appear to believe there is "some way" to do the impossible.

Teddy Goff, a political strategist and the digital director for Obama for America during the 2012 campaign, responds, calling it "a solid B/B+" and suggests that someone tell Clinton never to use the Manhattan Project line again. He also highlights the point that Ben Scott had raised a month earlier, and that it was clear that Clinton did not understand, that there is open source encryption out there that anyone can use already, and any attempt to backdoor proprietary encryption won't stop anyone from using those other solutions. Finally, he suggests that having "pledged not to mandate backdoors" will be useful going forward.

i think it was fine, a solid B/B+. john tells me that he has actually heard nice things from friends of ours in SV, which is rare! i do think that "i would not want to go to that point" got overshadowed in some circles by the "some way to break in" thing -- which does seem to portend some sort of mandate or other anti-encryption policy, and also reinforces the the ideological gap -- and then, more atmospherically, by the manhattan project analogy (which we truly, truly should not make ever again -- can we work on pressing that point somehow?) and the cringe-y "i don't understand all the technology" line, which i also think does not help and we should avoid saying going forward.

speaking of not understanding the technology, there is a critical technical point which our current language around encryption makes plain she isn't aware of. open-source unencrypted messaging technologies are in the public domain. there is literally no way to put that genie back in the bottle. so we can try to compel a whatsapp to unencrypt, but that may only have the effect of pushing terrorists onto emergent encrypted platforms.

i do think going forward it will be helpful to be able to refer to her having pledged not to mandate a backdoor as president. but we've got to iron out the rest of the message. i actually do believe there is a way to thread the needle here, which i am happy to discuss; it requires us to quickly pivot from encryption to the broader issue of working with tech companies to detect and stop these people, and not getting into the weeds of which app they happen to use and that sort of thing.

Finally, Solow responds to Goff agreeing that the "some way in" line implies undermining encryption, but suggests that they quietly let the tech world know that they don't mean backdoors, but just mean hacking/malware:

That she says no backdoor, which is good, but then says we need a way in, and then the bad line about not understanding technology. The latter two points make the first one seem vulnerable.

But in terms of wanting a way to break in - couldn't we tell tech off the record that she had in mind the malware/key strokes idea (insert malware into a device that you know is a target, to capture keystrokes before they are encrypted). Or that she had in mind really super code breaking by the NSA. But not the backdoor per se?

There are some obvious concerns with the hacking/malware stuff, but it's at a very different level than breaking encryption. While it's still ridiculous that Clinton won't just come out and say that backdooring encryption gives us both less security and less privacy, it does appear that she has people on her team who get the basics here. That's at least moderately encouraging. It would be better if there were some stronger indication that Clinton is actually listening to them.

Filed Under: backdoors, crypto wars, encryption, going dark, hillary clinton, manhattan project, nerd harder

Hillary Clinton Wants A 'Manhattan Project' For Encryption... But Not A Back Door. That Makes No Sense

from the politics-is-dumb dept

In the Democratic Presidential debate on Saturday night, Hillary Clinton followed up on her recent nonsensical arguments about why Silicon Valley has to "solve" the problem of encryption. As we've noted, it was pretty clear that she didn't fully understand the issue, and that was even more evident with her comments on Saturday night.

Here's what's clear: she's trying to do the old politician's trick of attempting to appease everyone with vague ideas that allow her to tap dance around the facts.

First, she proposed a "Manhattan-like project" to create more cooperation between tech companies and the government in fighting terrorism. The Manhattan Project was the project during World War II where a bunch of scientists were sent out to the desert to build an atomic bomb. But they had a specific goal of "build this." Here, the goal is much more vague and totally meaningless: have tech and government work together to stop bad people. How do you even do that? The only suggestion that has been made so far -- and the language around which Clinton has been echoing -- has been to undermine encryption with backdoors.

However, since that resulted in a (quite reasonable) backlash from basically anyone who knows anything about computer security, we get the second statement from Clinton that she doesn't want backdoors.

"Maybe the back door isn't the right door, and I understand what Apple and others are saying about that. I just think there's got to be a way, and I would hope that our tech companies would work with government to figure that out."

No, she clearly does not understand what Apple and others are saying about that. Just a week or so ago, she insisted that Apple's complaint about it was that it might lead to the government invading users' privacy, but that's only a part of the concern. The real concern is that backdooring encryption means that everyone is more exposed to everyone, including malicious hackers. You create a backdoor and you open up the ability for malicious hackers from everywhere else to get in.

So, she's trying to walk this ridiculously stupid line in trying to appease everyone. She wants the security/intelligence officials to hear "Oh, I'll get Silicon Valley to deal with the 'going dark' thing you're so scared of," and she wants the tech world to hear "Backdoors aren't the answer." But, that leaves a giant "HUH?!?" in the middle.

It seems to come down to this: None of the candidates for president appear to have the slightest clue how encryption or computer security work and that allows them to make statements like this that are totally nonsensical, while believing that they make sense.

The issue, again, is that what they're really asking for is "Can you make a technology where only 'good' people can use it safely, and everyone else cannot?" And the answer to that question is to point out how absolutely astoundingly stupid the question is. Because there's no way to objectively determine who is "good" and who is "bad," and thus the only possible response is to create code that really thinks everyone is "bad." And to do that, you have to completely undermine basic security practices..

So this whole idea of "if we just throw smart people in a room, they'll figure it out" is wrong. It's starting from the wrong premise that there's some sort of magic formula for "good people" and "bad people." And without understanding that basic fact, the policy proposals being tossed out are nothing short of ridiculous.

Filed Under: encryption, going dark, hillary clinton, manhattan project, silicon valley