You’re From The Government? Come In!

 

shutterstock_148619159“Encryption” generally conjures up images of clandestine communication between spies, saboteurs, hackers, and the mildly paranoid, often typing away furiously on a keyboard in a dark room until someone says “I’m in!”

The truth, however, is far more mundane. Almost everyone in the West — and certainly everyone reading this — uses some kind of encryption technology on a weekly, if not daily, basis. You may not be aware that you’re using it, but you’re using it nonetheless. If you like buying things on Amazon, doing your banking from home, or paying your bills from your computer, you rely on ubiquitous, relatively inexpensive, and strong encryption. Companies also use it in a myriad of other, equally mundane, ways that are essential to their business. Encryption makes the world go ’round.

Unfortunately, it’s also useful to those trying to make the world stop. That, understandably, has FBI Director James Comey worried. In order to help fight criminals and terrorists, Comey has been calling for greater cooperation between industry and the government on encryption. Specifically, Comey wants industry to design its encryption technologies to be quickly accessible to law enforcement and national security. Just last week, Comey testified before congress to that effect (from the NYT):

A spokesman for the F.B.I. declined to comment ahead of Mr. Comey’s appearance before the Senate Judiciary Committee hearings on Wednesday. Mr. Comey recently told CNN, “Our job is to find needles in a nationwide haystack, needles that are increasingly invisible to us because of end-to-end encryption.”

A Justice Department official, who spoke on the condition of anonymity before the hearing, said that the agency supported strong encryption, but that certain uses of the technology — notably end-to-end encryption that forces law enforcement to go directly to the target rather than to technology companies for passwords and communications — interfered with the government’s wiretap authority and created public safety risks.

It takes little imagination to see how such access could be incredibly useful in foiling criminals and terrorists. But, as Patrick G. Eddington points out via the Cato Daily Podcast, any means that allow the government to gain access to encrypted information also make it easier for malefactors to access as well. Adding an extra door to your house — no matter how well-locked — always makes it easier for someone unwanted to break in. As such, the government’s request for back-door access is not merely costly to encryption, but fundamentally at odds with its purpose.

If you go back to that NYT piece, you’ll see that industry figures are arguing forcibly that, if Comey’s requests are met, their businesses won’t work. Basically, their argument is that his desire to protect us from the malicious use of encryption — i.e., Islamic State or al Qaeda members sending each other coded messages about attacks, etc. — risks destroying innocuous-but-important use of the same technology for the rest of us.

So here’s the question: putting aside the legal matters for a moment — i.e., let’s just assume that it’s all constitutional — is it good policy for our law enforcement and national security agencies to have back-door access to all encrypted material? Put another way, should all commercial encryptors be legally required to share their methodologies with the government?

There are 68 comments.

Become a member to join the conversation. Or sign in if you're already a member.
  1. Frank Soto Contributor
    Frank Soto
    @FrankSoto

    I’m in favor of the government trying to find ways to overcome encryption.  I’m against them building back doors that make it easier for our enemies.

    Whenever this topic has come up on the law talk podcast, both John and Richard haven’t addressed this problem.  I hope Troy brings this up to them the next time the topic is brought up.

    • #1
  2. SPare Member
    SPare
    @SPare

    My bigger concern is that in creating a back-door for government, we will also be creating the same back-door for even more nefarious malefactors.  You’ll note of late the ability of the government to keep its own data safe, right?

    • #2
  3. JimGoneWild Coolidge
    JimGoneWild
    @JimGoneWild

    Having a ‘back door’ and sharing methodologies is not the same thing.

    But if you mean giving them a back door in (because they already have the methodologies), the answer is ‘No’.

    The Clinton Administration tried this same ploy with the same reasoning. Would that have been correct? No.

    • #3
  4. Fake John Galt Coolidge
    Fake John Galt
    @FakeJohnJaneGalt

    Let see.  An organization that brought you the OPM data breach of 2015, the postal data breach of 2014, the rainbow (white) house data breach of 2014, the state department data breach of 2014, the Clinton email scandal, the IRS lost emails, Snowden, etc.  Wants the secret backdoor keys to everybody’s data that it promises nobody else will get?  I have my doubts about their ability to secure these backdoor keys but less how they will use them.

    • #4
  5. Gödel's Ghost Member
    Gödel's Ghost
    @GreatGhostofGodel

    There are three problems, each of which is insurmountable by itself:

    1. “Give us a back door only good guys can use, not bad guys.”
    2. “In a post-FBI-Dr.-King-NSA-Snowden world, we’re the good guys.”
    3. “Even if you haven’t died laughing from 1) and 2), in a post-OPM-hack world, you can trust us not to leak to bad guys.”

    No. Hell, no. F___ no. Not even once.

    • #5
  6. user_233140 Member
    user_233140
    @JohnMurdoch

    To amplify Tom’s point, look at the URL for this post: you’re connecting to Ricochet using the HTTPS protocol, which encrypts communication between your browser and the web server.

    That means no one can read your messages–especially those posts you made about President Obama and the Choom Gang last summer….

    • #6
  7. Midget Faded Rattlesnake Contributor
    Midget Faded Rattlesnake
    @Midge

    Tom Meyer, Ed.: So here’s the question: putting aside the legal matters for a moment — i.e., let’s just assume that it’s all constitutional — is it good policy for our law enforcement and national security agencies to have back-door access to all encrypted material? Put another way, should all commercial encryptors be legally required to share their methodologies with the government?

    No! Moral reasons aside (and there are many), if I were a crook and this policy were in place, then, as SPare also notes, I’d know just where to look to get my crook on.

    • #7
  8. Fake John Galt Coolidge
    Fake John Galt
    @FakeJohnJaneGalt

    Frank Soto:I’m in favor of the government trying to find ways to overcome encryption. I’m against them building back doors that make it easier for our enemies.

    Whenever this topic has come up on the law talk podcast, both John and Richard haven’t addressed this problem. I hope Troy brings this up to them the next time the topic is brought up.

    I hope they don’t.

    Listening to Richard talk about technology makes my head hurt.  To hear such a distinguished and smart person talking authoritatively about a subject they have such a poor grasp on is frustrating.  A person should know their limitations.  It is obvious to anybody that is the least bit tech savvy that Richard on the subject of technology is lost.

    • #8
  9. Gödel's Ghost Member
    Gödel's Ghost
    @GreatGhostofGodel

    John Murdoch:To amplify Tom’s point, look at the URL for this post: you’re connecting to Ricochet using the HTTPS protocol, which encrypts communication between your browser and the web server.

    That means no one can read your messages–especially those posts you made about President Obama and the Choom Gang last summer….

    Apart from that whole Google index thing, that is.

    HTTPS means there’s a reduced chance someone can maliciously alter your communication in transit. Sounds like too much work to me. I’d concentrate on hacking into Ricochet itself and adding code that would mirror all posts to my state department server in my bedroom via hidden Tor services.

    You’re welcome.

    • #9
  10. Misthiocracy Member
    Misthiocracy
    @Misthiocracy

    We don’t require that everybody hand over to police an extra set of keys to their house. That doesn’t stop police from smashing the door open.

    Are lock companies required to teach police how to pick their locks?

    • #10
  11. Fake John Galt Coolidge
    Fake John Galt
    @FakeJohnJaneGalt

    Misthiocracy:We don’t require that everybody hand over to police an extra set of keys to their hours. That doesn’t stop police from smashing the door open.

    Are lock companies required to teach police how to pick their locks?

    No, but that is because the government is more a brute force kinda operation.

    • #11
  12. Locke On Member
    Locke On
    @LockeOn

    Great Ghost of Gödel:There are three problems, each of which is insurmountable by itself:

    1. “Give us a back door only good guys can use, not bad guys.”
    2. “In a post-FBI-Dr.-King-NSA-Snowden world, we’re the good guys.”
    3. “Even if you haven’t died laughing from 1) and 2), in a post-OPM-hack world, you can trust us not to leak to bad guys.”

    No. Hell, no. F___ no. Not even once.

    Stated better than I can, but I’ll try for a synopsis:

    No.  You can’t be trusted.

    • #12
  13. Midget Faded Rattlesnake Contributor
    Midget Faded Rattlesnake
    @Midge

    SPare:My bigger concern is that in creating a back-door for government, we will also be creating the same back-door for even more nefarious malefactors. You’ll note of late the ability of the government to keep its own data safe, right?

    I was just a wee slip of a girl in some summer camp for geeks when the scary grad student in charge of us, black Byronic locks aflame and skin milk-white from lack of sun, gathered us all around a computer terminal to show us this:

    In response to DES Challenge II-2, on July 15, 1998, Deep Crack decrypted a DES-encrypted message after only 56 hours of work, winning $10,000. This was the final blow to DES, against which there were already some published cryptanalytic attacks. The brute force attack showed that cracking DES was actually a very practical proposition. Most governments and large corporations could reasonably build a machine like Deep Crack.

    Wikipedia goes on to say that “The small key-space of DES, and relatively high computational costs of Triple DES resulted in its replacement by AES as a Federal standard, effective May 26, 2002,” but since then, it’s been hard to shake the expectation that government security will always be at least one step behind.

    I haven’t kept up on my cryptography, so maybe I’m missing something. Nonetheless…

    • #13
  14. Aaron Miller Member
    Aaron Miller
    @AaronMiller

    As technology enables ever faster, broader, and deeper access to information, our police and defense agencies argue that all of this information should be at their fingertips.

    The assumption seems to be that any information that is available is necessary for adequate security. What was not available yesterday is a minimum requirement today.

    In other words, Americans are not content today with the level of security they accepted a decade ago. We demand ever more security. That of course comes with costs to freedom.

    Security and freedom are both admirable goals, but we should prefer freedom. This ratcheting of standards needs to end.

    • #14
  15. user_331141 Member
    user_331141
    @JamieLockett

    SPare: My bigger concern is that in creating a back-door for government, we will also be creating the same back-door for even more nefarious malefactors.

    Why is the government of less concern to you than other nefarious malefactors?

    • #15
  16. Herbert E. Meyer Contributor
    Herbert E. Meyer
    @HerbertEMeyer

    I’ve got a problem with all the recent conversations and commentary about encryption, and more broadly about what to do about cyber warfare:  It’s all defensive.  That is, it’s all intended to block further attacks.

    But these attacks aren’t a natural phenomenon, like some virus that’s escaped from a pig farm in China and mutated.  There are individuals, and government, behind these attacks.

    After Pearl Harbor we didn’t just tighten up our air defenses in Los Angeles and San Francisco; we went on the offensive against those who’d attacked us.

    I understand the need to tighten our defenses against all sorts of cyber attacks.  But please, just once, can we talk about going on the offense?  Imagine if we told those geniuses in Beijing that we’ve just formed a team of American programmers — specifically including three 15-year-olds — and told them to have some fun with China.  If one night the lights go out in Shanghai, or Beijing, let’s see how China’s leaders handle history’s most stupendous traffic jam….

    Well, you get the idea…..let’s fight back.

    • #16
  17. skipsul Member
    skipsul
    @skipsul

    Tom Meyer, Ed.: So here’s the question: putting aside the legal matters for a moment — i.e., let’s just assume that it’s all constitutional — is it good policy for our law enforcement and national security agencies to have back-door access to all encrypted material? Put another way, should all commercial encryptors be legally required to share their methodologies with the government?

    NO NO NO NO NO NO NO!

    Geez, but we’ve been having this silly argument for 20+ years now.  Anyone here remember when Netscape and IE got embroiled with ITAR because they offered a 128 bit encryption browser?  For a while you could only legally download those browsers if you were in the US.

    It’s the same utterly stupid mendacious argument that you should give the local cops the keys to your home just in case they “needed” to get in.  The only time this is even rational is for allowing your local fire department to put in a Knox Box (a locked box where only the local fire chief has access, where you put a spare key) at your business.

    • #17
  18. user_989419 Member
    user_989419
    @ProbableCause

    An historical example of encryption:

    One if by land.  Two if by sea.

    • #18
  19. user_189393 Member
    user_189393
    @BarkhaHerman

    I think the solution is AI.  AI powerful and complex enough to asses if the “seeker” is “virtuous” or not.  That way, Government or no government, only the virtuous can access the decryption key (because any backdoor to modern encryption is essentially the key).

    But then there is the entire complication of making sure the AI is virtuous and does not decide to kill us all after spending 5 minutes with us…  So, in essence we would be replacing an incompetent Government with an AI of dubious intent.

    No backdoor for government!

    • #19
  20. Misthiocracy Member
    Misthiocracy
    @Misthiocracy

    Aaron Miller:As technology enables ever faster, broader, and deeper access to information, our police and defense agencies argue that all of this information should be at their fingertips.

    As technology and economic progress enabled more and more people to own their own home, it did not necessitate that police and defense agencies be given instant access to everybody’s domicile.

    • #20
  21. Midget Faded Rattlesnake Contributor
    Midget Faded Rattlesnake
    @Midge

    Misthiocracy:We don’t require that everybody hand over to police an extra set of keys to their hours. That doesn’t stop police from smashing the door open.

    Are lock companies required to teach police how to pick their locks?

    This strikes me as the right precedent. Just because something is technologically new doesn’t make it functionally old. Similarly, I believe there’s a legal analogy between owning a self-driving car and owning an animal – does it really matter that one is an electronic “beast with a mind of its own” while the other is organic?

    • #21
  22. Aaron Miller Member
    Aaron Miller
    @AaronMiller

    My cousin handles cyber security for the state of Florida. Unfortunately, I can’t get him to participate on an online forum like this because he trusts so few sites with his information. Go figure.

    • #22
  23. user_189393 Member
    user_189393
    @BarkhaHerman

    Misthiocracy:We don’t require that everybody hand over to police an extra set of keys to their house. That doesn’t stop police from smashing the door open.

    Are lock companies required to teach police how to pick their locks?

    No, but we allow them SWAT raids and no-knock warrants….

    The idea that we all must all live transparent lives just to survive is silly and must be dispensed of.

    • #23
  24. Misthiocracy Member
    Misthiocracy
    @Misthiocracy

    Midget Faded Rattlesnake:

    Misthiocracy:We don’t require that everybody hand over to police an extra set of keys to their hours. That doesn’t stop police from smashing the door open.

    Are lock companies required to teach police how to pick their locks?

    This strikes me as the right precedent. Just because something is technologically new doesn’t make it functionally old. Similarly, I believe there’s a legal analogy between owning a self-driving car and owning an animal – does it really matter that one is an electronic “beast with a mind of its own” while the other is organic?

    You want to make it illegal to beat your car?

    • #24
  25. Misthiocracy Member
    Misthiocracy
    @Misthiocracy

    Barkha Herman:

    Misthiocracy:We don’t require that everybody hand over to police an extra set of keys to their house. That doesn’t stop police from smashing the door open.

    Are lock companies required to teach police how to pick their locks?

    No, but we allow them SWAT raids and no-knock warrants….

    …and by that very same token I say governments should be perfectly able to try and decrypt transmissions on their own. There’s no need to give them a key.

    • #25
  26. Aaron Miller Member
    Aaron Miller
    @AaronMiller

    As Misthiocracy implies, a different standard seems to be applied to remote access than is applied to physical searches and seizures.

    Should it matter whether the information is acquired by unlocking doors or by hacking computers?

    • #26
  27. Misthiocracy Member
    Misthiocracy
    @Misthiocracy

    Aaron Miller:As Misthiocracy implies, a different standard seems to be applied to remote access than is applied to physical searches and seizures.

    Should it matter whether the information is acquired by unlocking doors or by hacking computers?

    Well, yes, as a matter of fact. There is a difference.

    If a police officer picks my lock and rummages through my belongings, that’s clearly an unconstitutional search.

    By contrast, if a law enforcement agency is able to decrypt my transmission on its own, I do not believe that would be unconstitutional. Any transmission I send out over public airwaves and/or the wired Internet (i.e. information I electronically publish) is no longer private in any way shape or form. Pretty much anybody can intercept it and save a copy for themselves.

    It’s like a postcard. If I sent someone a postcard and wrote the message in code I wouldn’t expect it to be illegal for some postal worker to try to read it.

    However, forcing everybody to provide the government with a key to their encrypted transmissions would be an unconstitutional seizure. The key is my private property. I didn’t transmit the key over public airwaves or wires. Therefore the government has no right to it. IMHO.

    • #27
  28. Gödel's Ghost Member
    Gödel's Ghost
    @GreatGhostofGodel

    Herbert E. Meyer:I’ve got a problem with all the recent conversations and commentary about encryption, and more broadly about what to do about cyber warfare: It’s all defensive. That is, it’s all intended to block further attacks.

    I understand the need to tighten our defenses against all sorts of cyber attacks. But please, just once, can we talk about going on the offense? 

    Not realistically, no.

    First of all, because these thing take time, energy, etc. that has better uses for the US. Cyberwarfare is a loser’s game: you can do it when you can’t afford, e.g. aircraft carriers. Relatedly: the US’ brightest and best do not work, and cannot be coerced into working, for the government. Not true in China, North Korea…

    Secondly: we really shouldn’t have to. What we should be like is Neo at the end of The Matrix, lazily swatting agents away while not even bothering to look directly at them and thinking about something else—most likely his PVC-clad girlfriend. That a lot of people consider this goal cybersecurity fantasy tells me they’re unfamiliar with KeyKOS, EROS, seL4, etc. Basically anything other than Windows and UNIX and the unsolvable security problems we know they have.

    We suffer these attacks because we don’t give a flying f___ at a rolling doughnut. I’m sorry to push the CoC twice in one day, but you are in my wheelhouse now, and I’m pissed off.

    • #28
  29. Midget Faded Rattlesnake Contributor
    Midget Faded Rattlesnake
    @Midge

    Misthiocracy:

    Midget Faded Rattlesnake:

    Misthiocracy:We don’t require that everybody hand over to police an extra set of keys to their hours. That doesn’t stop police from smashing the door open.

    Are lock companies required to teach police how to pick their locks?

    This strikes me as the right precedent. Just because something is technologically new doesn’t make it functionally old. Similarly, I believe there’s a legal analogy between owning a self-driving car and owning an animal – does it really matter that one is an electronic “beast with a mind of its own” while the other is organic?

    You want to make it illegal to beat your car?

    ;-)

    I was thinking more of the duty beast-owners had under common law to exercise reasonable oversight to keep their beasts from harming other people. There’d be no need to outlaw car-beating that I can tell.

    • #29
  30. Midget Faded Rattlesnake Contributor
    Midget Faded Rattlesnake
    @Midge

    Great Ghost of Gödel: I’m sorry to push the CoC twice in one day, but you are in my wheelhouse now, and I’m pissed off.

    Should I point out that [CoC] makes a fairly decent CoC-compliant expletive all on its own?

    • #30

Comments are closed because this post is more than six months old. Please write a new post if you would like to continue this conversation.