You’re From The Government? Come In!
“Encryption” generally conjures up images of clandestine communication between spies, saboteurs, hackers, and the mildly paranoid, often typing away furiously on a keyboard in a dark room until someone says “I’m in!”
The truth, however, is far more mundane. Almost everyone in the West — and certainly everyone reading this — uses some kind of encryption technology on a weekly, if not daily, basis. You may not be aware that you’re using it, but you’re using it nonetheless. If you like buying things on Amazon, doing your banking from home, or paying your bills from your computer, you rely on ubiquitous, relatively inexpensive, and strong encryption. Companies also use it in a myriad of other, equally mundane, ways that are essential to their business. Encryption makes the world go ’round.
Unfortunately, it’s also useful to those trying to make the world stop. That, understandably, has FBI Director James Comey worried. In order to help fight criminals and terrorists, Comey has been calling for greater cooperation between industry and the government on encryption. Specifically, Comey wants industry to design its encryption technologies to be quickly accessible to law enforcement and national security. Just last week, Comey testified before Congress to that effect (from the NYT):
A spokesman for the F.B.I. declined to comment ahead of Mr. Comey’s appearance before the Senate Judiciary Committee hearings on Wednesday. Mr. Comey recently told CNN, “Our job is to find needles in a nationwide haystack, needles that are increasingly invisible to us because of end-to-end encryption.”
A Justice Department official, who spoke on the condition of anonymity before the hearing, said that the agency supported strong encryption, but that certain uses of the technology — notably end-to-end encryption that forces law enforcement to go directly to the target rather than to technology companies for passwords and communications — interfered with the government’s wiretap authority and created public safety risks.
It takes little imagination to see how such access could be incredibly useful in foiling criminals and terrorists. But, as Patrick G. Eddington points out via the Cato Daily Podcast, any means that allows the government to gain access to encrypted information also makes it easier for malefactors to gain access as well. Adding an extra door to your house — no matter how well-locked — always makes it easier for someone unwanted to break in. As such, the government’s request for back-door access is not merely costly to encryption, but fundamentally at odds with its purpose.
If you go back to that NYT piece, you’ll see that industry figures are arguing forcefully that, if Comey’s requests are met, their businesses won’t work. Basically, their argument is that his desire to protect us from the malicious use of encryption — i.e., Islamic State or al Qaeda members sending each other coded messages about attacks, etc. — risks destroying innocuous-but-important use of the same technology for the rest of us.
So here’s the question: putting aside the legal matters for a moment — i.e., let’s just assume that it’s all constitutional — is it good policy for our law enforcement and national security agencies to have back-door access to all encrypted material? Put another way, should all commercial encryptors be legally required to share their methodologies with the government?
Published in General, Science & Technology
Can’t put aside Constitutionality, except in the narrowest, most legalist sense. The things are too closely intertwined.
It’s not only that leaving holes like Comey wants in our encryption technology opens the doors and windows wide for any hacker or thief. It also opens those same doors and windows wide for government, no matter how noble the intentions of the present government men. Maybe not today, maybe not tomorrow, but soon and for the rest of our lives, government will abuse the access.
Of course, Comey knows this full well. That, from a government man, alone demands that our encryption be as air- (and cyber-) tight as we can make and keep it–today, tomorrow, soon, and for the rest of our lives.
Government wants to read my mail, listen to my conversations? Loretta Lynch can read the Constitution, and then she can get a warrant. Or, she can ask me nicely, up front, and I might even give her access to the specific items voluntarily.
Eric Hines
Emails and password-protected conversations are more like sealed letters than postcards. If a mailman opens a letter, that is illegal.
So should any interception of deliberately private information be illegal, including phone calls.
That I’m communicating privately by means of public facilities shouldn’t matter any more than driving on a public road grants police access to search my car.
That’s a myth generated by a Supreme Court ruling. The only difficulty in correcting this is a political barrier, not a real one (albeit the political can seem real enough).
Eric Hines
I trust the AES process, which was very open and had the top private people in the field engaged. I was rooting for Twofish, but Rijndael is a fine cipher.
So there’s competence in one area, then? What a relief!
How many areas of potential incompetence does that leave us with, then?…
I don’t see unencrypted emails as being anything like a sealed letter. It’s a plaintext file that is saved on multiple public servers as it travels from you to the recipient.
plain text email = postcard.
Encrypted email = sealed envelope.
Encrypted email providers = Out of Business due to Government Intervention.
I’d click “like” on that comment, but I don’t like that such services have been shuttered by regulatory fiat and harassment.
The government had gotten a bad rap during DES standardization and didn’t want a replay.
DES started life as an IBM cipher called Lucifer. At a certain point in the standardization process, the NSA essentially strong-armed the team into changing some of the constants in the cipher, called the S-Box. Explanations were… not forthcoming. Civil libertarians, then as now, screamed about the government building back doors into DES.
We now know that the NSA actually strengthened Lucifer against attack by differential cryptanalysis, a method the NSA discovered independently a decade before there were any published results. In undertaking AES standardization, the government was at great pains to ensure no one had reason to call shenanigans on the process. Interestingly, the team behind Rijndael/AES isn’t even American. I confess that two of the reasons I was rooting for Twofish are that it’s Bruce Schneier’s entry, and that he developed the Solitaire cipher for Neal Stephenson’s Cryptonomicon, presumably at Stephenson’s request.
Essentially all the rest. Cryptanalysis is math. It’s a lot harder to hide your incompetence there.
I absolutely disagree.
When Marconi was first marketing the wireless telegraph, he marketed it as “secure communications”. He was talking utter hipposcat. Anybody with a receiver could (and did) pick up the signal.
(In fact, one of his first public demos was hijacked by a guy with a stronger transceiver who sent out the words, “there was a young fellow of Italy. Who diddled the public quite prettily”.)
Today’s wireless communications are no different. You wouldn’t transmit your credit card number using a CB radio, would you?
Even the wired Internet is little different since any information you transmit is recorded by multiple public servers along the way. Any claim to privacy would be a legal fiction, IMHO, and it is madness to transmit sensitive information via any medium in plaintext.
Keeping communications private is the same now as it was since ancient times. Encryption.
No, but they tout features that induce you, or your landlord, to pay for easily pickable locks. This link focuses on a Kwikset technology, but the other big lockmakers also build back doors into their front door locks.
But of course no government agent would ever do that without a warrant.
If you really care about this stuff and are up for profound depression, attend Defcon.
What I was talking about, which is what I thought you were talking about, was the Court’s ruling that there is no presumption of privacy when we send a signal over the public airwaves, or use third party entities to store some of our private information.
Eric Hines
No.
For exactly the reason mentioned in the OP. It allows evildoers in too. Just creates another vulnerability.
Since when are the Feds not evildoers? You guys are conservatives right?
Those who have mentioned evildoers haven’t wholly excluded the possibility that they may also be federal employees. It’s also reasonable to suppose that not every federal employee is evil. So, even if you assume the best-case scenario – that the feds in charge of this are disproportionately non-evil people, that still isn’t good enough. That may be what we’re trying to express.
Are lock companies compelled by governments to design these “backdoors” into their locks?
I agree with the court. I don’t see how there can be any presumption of privacy for transmissions we make over public (i.e. used by many people, not necessarily government-owned) electronic channels. If you’re publishing information on servers you don’t own, the information ain’t private, and that’s exactly what happens whenever you send an email.
The hue and cry so widely and constantly raised every time a Facebook or a Twitter or Google or a… makes a personal information “error” would argue otherwise on the presumption.
Eric Hines
But this is such a funny scene!
And here I was worrying that I’d get in trouble for not taking the threat seriously enough and weighing things too heavily on the side of privacy. :/
This is one of the things that bugs me so much about this (well, that and the threat of weakening existing encryption). We’re simply not — by the government’s telling — allowed to have private communications over electronic means. That’s offensive at multiple levels.
Can you cite the law?
Eric Hines
The Third Party Doctrine is longstanding constitutional precedent.
It’s the effect of a whole series of laws and legal precedents. As Jamie said, if your information passes through a third party, you’re out of luck.
I took your statement to mean no encryption, which is how we get private communications since the Court’s no presumption of privacy ruling. Is that not what you meant, then?
Eric Hines
I’m sorry, but all these references to “federal government” and “backdoor” just remind me of April 15.
Hues and cries are often, if not most often, irrational and/or just plain wrong.
The problem here is terminology. You refer to information “passing through” a third party as if it’s a passive occurrence. I do not see it that way.
Instead, I see it as you actively making the choice to send your information to a series of third parties to be redirected to its final destination, with some sort of uncontracted expectation that they will safeguard your privacy for you. I don’t see how anybody can reasonably expect that level of privacy from service providers with whom you don’t actually have a contract.
Metaphor: If I share a bit of gossip with someone and ask them not to spread it around, and they go ahead and spread it around anyways, I have nobody but myself to blame. Once I gave that person the information, it was no longer solely mine.
The way I see it, the same goes for information transmitted over the Internet, because the information bounces from one server to another belonging to providers with whom you have no contract. This is precisely why ya gotta encrypt it if you want it to remain private.
If I was a bad actor, why would I use a service that had ‘US Govt Approved’ encryption? The result of this policy would be, surely, that only the people who didn’t know they had something to hide would be exposed.