Ricochet is the best place on the internet to discuss the issues of the day, either through commenting on posts or writing your own for our active and dynamic community in a fully moderated environment. In addition, the Ricochet Audio Network offers over 50 original podcasts with new episodes released every day.
You’re From The Government? Come In!
“Encryption” generally conjures up images of clandestine communication between spies, saboteurs, hackers, and the mildly paranoid, often typing away furiously on a keyboard in a dark room until someone says “I’m in!”
The truth, however, is far more mundane. Almost everyone in the West — and certainly everyone reading this — uses some kind of encryption technology on a weekly, if not daily, basis. You may not be aware that you’re using it, but you’re using it nonetheless. If you like buying things on Amazon, doing your banking from home, or paying your bills from your computer, you rely on ubiquitous, relatively inexpensive, and strong encryption. Companies also use it in a myriad of other, equally mundane, ways that are essential to their business. Encryption makes the world go ’round.
Unfortunately, it’s also useful to those trying to make the world stop. That, understandably, has FBI Director James Comey worried. In order to help fight criminals and terrorists, Comey has been calling for greater cooperation between industry and the government on encryption. Specifically, Comey wants industry to design its encryption technologies to be quickly accessible to law enforcement and national security. Just last week, Comey testified before congress to that effect (from the NYT):
A spokesman for the F.B.I. declined to comment ahead of Mr. Comey’s appearance before the Senate Judiciary Committee hearings on Wednesday. Mr. Comey recently told CNN, “Our job is to find needles in a nationwide haystack, needles that are increasingly invisible to us because of end-to-end encryption.”
A Justice Department official, who spoke on the condition of anonymity before the hearing, said that the agency supported strong encryption, but that certain uses of the technology — notably end-to-end encryption that forces law enforcement to go directly to the target rather than to technology companies for passwords and communications — interfered with the government’s wiretap authority and created public safety risks.
It takes little imagination to see how such access could be incredibly useful in foiling criminals and terrorists. But, as Patrick G. Eddington points out via the Cato Daily Podcast, any means that allow the government to gain access to encrypted information also make it easier for malefactors to access as well. Adding an extra door to your house — no matter how well-locked — always makes it easier for someone unwanted to break in. As such, the government’s request for back-door access is not merely costly to encryption, but fundamentally at odds with its purpose.
If you go back to that NYT piece, you’ll see that industry figures are arguing forcibly that, if Comey’s requests are met, their businesses won’t work. Basically, their argument is that his desire to protect us from the malicious use of encryption — i.e., Islamic State or al Qaeda members sending each other coded messages about attacks, etc. — risks destroying innocuous-but-important use of the same technology for the rest of us.
So here’s the question: putting aside the legal matters for a moment — i.e., let’s just assume that it’s all constitutional — is it good policy for our law enforcement and national security agencies to have back-door access to all encrypted material? Put another way, should all commercial encryptors be legally required to share their methodologies with the government?
Published in General, Science & Technology
I’m in favor of the government trying to find ways to overcome encryption. I’m against them building back doors that make it easier for our enemies.
Whenever this topic has come up on the law talk podcast, both John and Richard haven’t addressed this problem. I hope Troy brings this up to them the next time the topic is brought up.
My bigger concern is that in creating a back-door for government, we will also be creating the same back-door for even more nefarious malefactors. You’ll note of late the ability of the government to keep its own data safe, right?
Having a ‘back door’ and sharing methodologies is not the same thing.
But if you mean giving them a back door in (because they already have the methodologies), the answer is ‘No’.
The Clinton Administration tried this same ploy with the same reasoning. Would that have been correct? No.
Let see. An organization that brought you the OPM data breach of 2015, the postal data breach of 2014, the rainbow (white) house data breach of 2014, the state department data breach of 2014, the Clinton email scandal, the IRS lost emails, Snowden, etc. Wants the secret backdoor keys to everybody’s data that it promises nobody else will get? I have my doubts about their ability to secure these backdoor keys but less how they will use them.
There are three problems, each of which is insurmountable by itself:
No. Hell, no. F___ no. Not even once.
To amplify Tom’s point, look at the URL for this post: you’re connecting to Ricochet using the HTTPS protocol, which encrypts communication between your browser and the web server.
That means no one can read your messages–especially those posts you made about President Obama and the Choom Gang last summer….
No! Moral reasons aside (and there are many), if I were a crook and this policy were in place, then, as SPare also notes, I’d know just where to look to get my crook on.
I hope they don’t.
Listening to Richard talk about technology makes my head hurt. To hear such a distinguished and smart person talking authoritatively about a subject they have such a poor grasp on is frustrating. A person should know their limitations. It is obvious to anybody that is the least bit tech savvy that Richard on the subject of technology is lost.
Apart from that whole Google index thing, that is.
HTTPS means there’s a reduced chance someone can maliciously alter your communication in transit. Sounds like too much work to me. I’d concentrate on hacking into Ricochet itself and adding code that would mirror all posts to my state department server in my bedroom via hidden Tor services.
You’re welcome.
We don’t require that everybody hand over to police an extra set of keys to their house. That doesn’t stop police from smashing the door open.
Are lock companies required to teach police how to pick their locks?
No, but that is because the government is more a brute force kinda operation.
Stated better than I can, but I’ll try for a synopsis:
No. You can’t be trusted.
I was just a wee slip of a girl in some summer camp for geeks when the scary grad student in charge of us, black Byronic locks aflame and skin milk-white from lack of sun, gathered us all around a computer terminal to show us this:
Wikipedia goes on to say that “The small key-space of DES, and relatively high computational costs of Triple DES resulted in its replacement by AES as a Federal standard, effective May 26, 2002,” but since then, it’s been hard to shake the expectation that government security will always be at least one step behind.
I haven’t kept up on my cryptography, so maybe I’m missing something. Nonetheless…
As technology enables ever faster, broader, and deeper access to information, our police and defense agencies argue that all of this information should be at their fingertips.
The assumption seems to be that any information that is available is necessary for adequate security. What was not available yesterday is a minimum requirement today.
In other words, Americans are not content today with the level of security they accepted a decade ago. We demand ever more security. That of course comes with costs to freedom.
Security and freedom are both admirable goals, but we should prefer freedom. This ratcheting of standards needs to end.
Why is the government of less concern to you than other nefarious malefactors?
I’ve got a problem with all the recent conversations and commentary about encryption, and more broadly about what to do about cyber warfare: It’s all defensive. That is, it’s all intended to block further attacks.
But these attacks aren’t a natural phenomenon, like some virus that’s escaped from a pig farm in China and mutated. There are individuals, and government, behind these attacks.
After Pearl Harbor we didn’t just tighten up our air defenses in Los Angeles and San Francisco; we went on the offensive against those who’d attacked us.
I understand the need to tighten our defenses against all sorts of cyber attacks. But please, just once, can we talk about going on the offense? Imagine if we told those geniuses in Beijing that we’ve just formed a team of American programmers — specifically including three 15-year-olds — and told them to have some fun with China. If one night the lights go out in Shanghai, or Beijing, let’s see how China’s leaders handle history’s most stupendous traffic jam….
Well, you get the idea…..let’s fight back.
NO NO NO NO NO NO NO!
Geez, but we’ve been having this silly argument for 20+ years now. Anyone here remember when Netscape and IE got embroiled with ITAR because they offered a 128 bit encryption browser? For a while you could only legally download those browsers if you were in the US.
It’s the same utterly stupid mendacious argument that you should give the local cops the keys to your home just in case they “needed” to get in. The only time this is even rational is for allowing your local fire department to put in a Knox Box (a locked box where only the local fire chief has access, where you put a spare key) at your business.
An historical example of encryption:
I think the solution is AI. AI powerful and complex enough to asses if the “seeker” is “virtuous” or not. That way, Government or no government, only the virtuous can access the decryption key (because any backdoor to modern encryption is essentially the key).
But then there is the entire complication of making sure the AI is virtuous and does not decide to kill us all after spending 5 minutes with us… So, in essence we would be replacing an incompetent Government with an AI of dubious intent.
No backdoor for government!
As technology and economic progress enabled more and more people to own their own home, it did not necessitate that police and defense agencies be given instant access to everybody’s domicile.
This strikes me as the right precedent. Just because something is technologically new doesn’t make it functionally old. Similarly, I believe there’s a legal analogy between owning a self-driving car and owning an animal – does it really matter that one is an electronic “beast with a mind of its own” while the other is organic?
My cousin handles cyber security for the state of Florida. Unfortunately, I can’t get him to participate on an online forum like this because he trusts so few sites with his information. Go figure.
No, but we allow them SWAT raids and no-knock warrants….
The idea that we all must all live transparent lives just to survive is silly and must be dispensed of.
You want to make it illegal to beat your car?
…and by that very same token I say governments should be perfectly able to try and decrypt transmissions on their own. There’s no need to give them a key.
As Misthiocracy implies, a different standard seems to be applied to remote access than is applied to physical searches and seizures.
Should it matter whether the information is acquired by unlocking doors or by hacking computers?
Well, yes, as a matter of fact. There is a difference.
If a police officer picks my lock and rummages through my belongings, that’s clearly an unconstitutional search.
By contrast, if a law enforcement agency is able to decrypt my transmission on its own, I do not believe that would be unconstitutional. Any transmission I send out over public airwaves and/or the wired Internet (i.e. information I electronically publish) is no longer private in any way shape or form. Pretty much anybody can intercept it and save a copy for themselves.
It’s like a postcard. If I sent someone a postcard and wrote the message in code I wouldn’t expect it to be illegal for some postal worker to try to read it.
However, forcing everybody to provide the government with a key to their encrypted transmissions would be an unconstitutional seizure. The key is my private property. I didn’t transmit the key over public airwaves or wires. Therefore the government has no right to it. IMHO.
Not realistically, no.
First of all, because these thing take time, energy, etc. that has better uses for the US. Cyberwarfare is a loser’s game: you can do it when you can’t afford, e.g. aircraft carriers. Relatedly: the US’ brightest and best do not work, and cannot be coerced into working, for the government. Not true in China, North Korea…
Secondly: we really shouldn’t have to. What we should be like is Neo at the end of The Matrix, lazily swatting agents away while not even bothering to look directly at them and thinking about something else—most likely his PVC-clad girlfriend. That a lot of people consider this goal cybersecurity fantasy tells me they’re unfamiliar with KeyKOS, EROS, seL4, etc. Basically anything other than Windows and UNIX and the unsolvable security problems we know they have.
We suffer these attacks because we don’t give a flying f___ at a rolling doughnut. I’m sorry to push the CoC twice in one day, but you are in my wheelhouse now, and I’m pissed off.
;-)
I was thinking more of the duty beast-owners had under common law to exercise reasonable oversight to keep their beasts from harming other people. There’d be no need to outlaw car-beating that I can tell.
Should I point out that [CoC] makes a fairly decent CoC-compliant expletive all on its own?