Republicans Push Bill Requiring Tech Companies To Help Access Encrypted Data (cnet.com) 182
New submitter feross shares a report: A group of Senate Republicans is looking to force tech companies to comply with "lawful access" to encrypted information, potentially jeopardizing the technology's security features. On Tuesday, Republican lawmakers introduced the Lawful Access to Encrypted Data Act, which calls for an end to "warrant-proof" encryption that's disrupted criminal investigations. The bill was proposed by Sen. Lindsey Graham, chairman of the Senate Judiciary committee, along with Sens. Tom Cotton and Marsha Blackburn. If passed, the act would require tech companies to help investigators access encrypted data if that assistance would help carry out a warrant. Lawmakers and the US Justice Department have long battled with tech companies over encryption, which is used to encode data.
The Justice Department argues that encryption prevents investigators from getting necessary evidence from suspects' devices and has requested that tech giants provide "lawful access." That could come in many ways, such as providing a key to unlock encryption that's only available for police requests. The FBI made a similar request to Apple in 2016 when it wanted to get data from a dead terrorist's iPhone in a San Bernardino, California, shooting case. Giving access specifically to government agencies when requested is often referred to as an "encryption backdoor," something tech experts and privacy advocates have long argued endangers more people than it helps.
The Justice Department argues that encryption prevents investigators from getting necessary evidence from suspects' devices and has requested that tech giants provide "lawful access." That could come in many ways, such as providing a key to unlock encryption that's only available for police requests. The FBI made a similar request to Apple in 2016 when it wanted to get data from a dead terrorist's iPhone in a San Bernardino, California, shooting case. Giving access specifically to government agencies when requested is often referred to as an "encryption backdoor," something tech experts and privacy advocates have long argued endangers more people than it helps.
They're just trying to free your speech! (Score:4, Funny)
FEW people in government understand technology. (Score:2)
For example, it is possible to send an encrypted message that has 2 messages, one easily found, the other hidden.
Re: (Score:2)
It's soo freaking complicated I know. People have a right to privacy. Oh my gorsh!! rights wat are those? It's 2020 don't you know all we have now is an ability to bow to the latest media trend?
Re: FEW people in government understand technology (Score:2)
Re: (Score:2, Insightful)
They've been in power for the last 200+ years, so it seems like a safe assumption.
Are you operating under the assumption that the two parties are actually in opposition, rather than putting on a dog-and-pony show to keep us distracted with trivialities while they work together to screw us all over?
Re: (Score:3)
Re: They're just trying to free your speech! (Score:5, Insightful)
True, there's always lots of palace intrigue, but if there's one thing history teaches it's that the nobility (by whatever name) can always be counted on to band together to defend and increase the power of the nobility.
Re: (Score:3)
No, they're working against each other to try to screw us in different ways.
Re: (Score:2)
It's yet more of the misguided get-tough-on-crime mentality. Getting tough on crime gets you re-elected, whereas slowing down and being thougtful about what you're doing does not.
Face, meet egg (Score:4, Insightful)
If there's a breach of a required backdoor, the law-makers could end up looking quite foolish. I'm surprised companies are not asking that the law pre-describe compensation if such happens. Essentially the legislation is weakening the security of their products.
Re:Face, meet egg (Score:5, Informative)
the law-makers could end up looking quite foolish
Clearly you've not worked in politics. When it does happens (and not even an if), politicians will wonder why tech companies had acted so recklessly with consumer data. Now many may point out that ... blah blah blah. But that's beside the point when we eventually get there. Remember light touch government! Which is why this is the company's fault not all this non-sense of backdoors. They're suppose to ensure that only law enforcement can use the back door. Something, something ... a series of tubes!!
I'm surprised companies are not asking that the law pre-describe compensation if such happens
Bawahaha!! That's because they already know that a majority of the geriatric Senators behind this will see those companies failing and think "nothing of value was lost." Many of these Senators care more about their last shit than these companies, and they flushed their last shit down the drain.
Essentially the legislation is weakening the security of their products
That's the entire goal. You keep acting like that's a defect of the law and that's actually the entire purpose of it. I mean good luck on trying to explain the importance of all of that to the Senators backing this. I've emailed Blackburn at least ten times on this and the best she's given back is pretty much the default response from the AI in Civilization 6 when they're trying to convert your country's religion. "No, no, this will be better for you. You will see."
I mean look at the three names on this. These people are not the paragons of logic here.
Re: (Score:3)
Since there are no security regulations noticibly different from "you'd better do a good job", which translates into a fine and an agreement every time a hack comes out, that becomes a new quasi-regulation, you can rely on this.
Re: (Score:2)
I'm sure the politicians know this. I bet they're just waiting for the tech companies to offer up some lobbying dollars so they'll amend it with blanket immunity for any/all data breaches.
Re: (Score:2)
Re: (Score:2)
I guarantee the lawmakers never thought that far down the road. In fact, I would be surprised if they were ever breached on the idea that the "tech companies" may or may not actually be able to do what is being required here, as they may not have the encryption keys themselves. At least, in any legit system, they would not.
Once again, Congress critters think they can legislate math. They are wrong.
For the hundred and first time... (Score:5, Insightful)
...you can't create an encryption that only the "good guys" can break. If law enforcement can break it, then everyone can.
Re:For the hundred and first time... (Score:5, Insightful)
...you can't create an encryption that only the "good guys" can break. If law enforcement can break it, then everyone can.
This is the wrong way to respond, because anyone with a clue will recognize that the response is disingenuous.
It absolutely is possible to create cryptographic schemes which encrypt to a "law enforcement access" (LEA) key, as well as to the intended recipients, and there's no reason to expect that "everyone" will be any more able to break the LEA key than they will be able to break the encryption for the intended recipients. It doesn't even add much complexity.
The problem isn't with the encryption, the problem is with key management -- and with the futility of the whole attempt (more on that below). What we don't know how to do is to build a key management system that both (a) allows law enforcement to execute hundreds of warrants every day and get decryptions for valid, court-approved reasons and (b) prevent law enforcement from using this access to abuse the system and decrypt messages they shouldn't be able to access.
And then, of course, there's the "futility" point. Supposing all of the major platforms that encrypt by default did provide LEA, what would be the obvious response of criminals? To use an app that doesn't provide LEA. Strong cryptography is universally and trivially available to everyone. You can't put that cat back into the bag.
Re: (Score:2)
Right. *Everyone* won't be able to break it, only all the shadowy intelligence agencies and criminal organizations that you *really* don't want to be able to. That's much better.
Re: (Score:2)
As for stealing the keys, that's an easy problem to solve; keep them only in HSMs with appropriate physical and logical security around them.
Easy to say. In practice I wouldn't put any money on those HSMs remaining physically secure for long—not when they hold the master keys to decrypt any encrypted message sent through any commercial communication service. And of course there won't be just one copy of the master decoding key; any backups will also be vulnerable.
The really hard part is dealing with the fact that these services are global and every government is going to want their own independent back door. How comfortable is the U.S. gov
Re: (Score:2)
My point regarding "physical security" was that an attacker could just steal the HSM itself. The HSM's design is irrelevant at that point. You don't need to extract the key from the HSM, just make it work for you. The social route, i.e. compromising an intermediary with the authority to use the HSM, would also work. The design of the HSM is not going to be the weakest link.
... design it with jurisdictional diversity, so that you have to get the cooperation of multiple mutually-adversarial countries to decrypt any message.
That's a nice idea but I doubt you'd get any country to agree to that, much less all of them. They aren't going to leave the effectivene
Re: (Score:2)
My point regarding "physical security" was that an attacker could just steal the HSM itself.
And my qualification that the HSM has to have appropriate physical and logical security is to ensure that it cannot be stolen.
The social route, i.e. compromising an intermediary with the authority to use the HSM, would also work.
Yes, this is the big risk, as I stated in my first post. It's an enormous access control problem, and unless the keys are only used in very rare cases it quickly becomes an impossible one.
That's a nice idea but I doubt you'd get any country to agree to that, much less all of them.
Yes, it's impractical. It's how I'd want to do it, though.
And it only takes one "lawful access" interface with weak security to compromise the entire system.
Well, the idea with the jurisdictional diversity scheme is that unless you were able to compromise all of them you get no data.
Re: (Score:2)
Unless the HSM is physically the size of a small office building you don't have that assurance.
When I was a young man I spent many, many hours walking circles around nuclear weapon storage facilities, toting an M-16 and 210 rounds of ammunition, behind layers of fences, minefields, alarm systems, backed up by an Alert Response Team of a dozen more soldiers (in addition to the several who were within sight of me at all times), in an area with access restricted through manned entry points with man traps, dual badge confirmation systems, etc., etc., etc.
Physical security of extremely high-value items
Re: (Score:2)
Giving law enforcement a spcial key will last as long as they can keep the key secret, which I figure an optimistic estimate would be about six months.
Re: (Score:2)
Giving law enforcement a spcial key will last as long as they can keep the key secret, which I figure an optimistic estimate would be about six months.
That's a fairly easy problem to solve. Generate the keys in HSMs that will never give it up, and put appropriate physical and logical security around them. Keeping the keys secret is easy. Appropriately controlling the ability to use the keys is the hard part.
Re: (Score:2)
Can you help me understand what we are talking about here?
Alice wants to communicate to Bob over a chat app of some sort:
1. Confirm for me that none of this discussion applies to end-to-end encryption. Alice and Bob use something like a a diffie-hellman key exchange and there's no 3rd LEA key nor a place to escrow it.
2. I think we are talking about this using some server-based non end-to-end thing. Alice calls Bob using a 3rd-party server. Alice has TLS to the server, Bob has TLS to the server. There's
Re: (Score:3)
1. Confirm for me that none of this discussion applies to end-to-end encryption. Alice and Bob use something like a a diffie-hellman key exchange and there's no 3rd LEA key nor a place to escrow it.
There would have to be an LEA key in either Bob's machine, or Alice's... or more likely both. They'd need to encrypt a copy of the session key and send it to a server.
However, I think this is mostly about data at rest, not data in transit. Alice's device keeps an encrypted copy of the chat log. It's encrypted with (say) a symmetric key that's stored locally in some secure way, e.g. in a TPM. The TPM encrypts an extra copy of the key with the LEA key and that encrypted blob gets stored along with the enc
Re: (Score:2)
The technical security problems around prevention of key leakage, etc., can be solved, adequately, ...
In theory, yes. Most things perfectly in theory. But you assume that TPTB are sufficiently motivated to solve these security problems.
Economic issues (cost vs. benefit for the attacker) and properly aligned incentives are at least a much a part of any decent security system as the hardware, software, and key management. The technical security measures you're describing are relatively routine, but this situation is far from routine. Normally you're protecting only your own data, or perhaps that of your custo
Re: (Score:2)
The proposal doesn't really apply to some little chat app, but rather the major infrastructure both software and hardware.
The big companies who make the bulk of the infrastructure -- Cisco, Juniper, HP, Facebook, Google, Microsoft -- will have to comply or the gov't will fine them out of existence and block them from doing business.
Once they have all the network switches, routers, cell phones, and major chat tools like WebEx, Teams, Skype, Facebook Messenger, etc. they have 95% of who they're looking for.
Re: (Score:3)
Physical security is hardly a protection for such an incredibly valuable key. This is doubly true if it's not just available to the top law enforcement agencies (ex. just the FBI), but available more widely to other police agencies.
There was a story a little while back about how a South African bank had its master key stolen and used by the thieves to take everyone's accounts for a ride. Most of the initial comments were about how they should have used HSMs, but then it turned out that they had used HSMs an
Re: (Score:2)
There was a story a little while back about how a South African bank had its master key stolen and used by the thieves to take everyone's accounts for a ride. Most of the initial comments were about how they should have used HSMs, but then it turned out that they had used HSMs and otherwise done everything right, but the thieves were insiders.
Keep in mind that banks have lousy security in general. I used to do security consulting in the financial industry and I could tell you some stories....
There's no doubt in my mind that China, Russia, and many others would pour massive resources into getting their hands on these keys, and them being in physical HSMs will not be a particular deterrent to these kinds of state actors,
Meh. The military has lots of experience with securing extremely high-value objects and secrets. This can all be done.
The kind of master key (or set of master keys) that would be valuable to law enforcement would be baked into pretty much all of our firmware and software (maybe even hardware too so it can't be easily circumvented) nationwide.
Even if the key(s) are only available to the FBI and only brought out occasionally, it would be near impossible to keep the keys secure due to the intense spy efforts devoted to stealing them. It might last a few years if they do a really good job at securing it, but it'll get out and cause massive devastation within a few years. If the keys are available to local police, then forget about it. No matter what technical wizardry and legal enforcement you throw at the problem, it's basically just going to lead to wave after wave of breach.
Yes, as I said, appropriately controlling access to use the keys is the hard part. And the more frequently the keys are used, the harder it is.
I'll also point out that you're thinking about some pieces of this wrong. It would be foolish
Re: (Score:2)
So kinda curious.
When Huawei sells a phone in China with Android loaded, that the Feds want access to, since this bill places the blame for that squarely on Google, how do you think Google is going to deal with this?
I don't mean legit Android using Google services in a licensed way, a situation Google could potentially work with in a technical way. I mean using Android completely on their own from sources, no connection back to Google services.
Currently Google is OK because they don't provide services to Huawei which they are barred from providing them. It's enough to not sell product/services to Huawei.
But since this bill explicitly puts the legal responsibility on Google as the software *maker*, irregardless to that software being used illegally or not, does this mean we will have to look forward to backdoors embedded deep in the OS? Will Android be going closed source to prevent us from removing that code and using it anyway, since Google would be legally responsible when someone does that?
It seems to me that when illegal use of software isn't a protection in law against the crimes that illegally obtained software is used for anymore, most all open source software will be a huge liability.
Excellent points!
Re: (Score:2)
It absolutely is possible to create cryptographic schemes which encrypt to a "law enforcement access" (LEA) key, as well as to the intended recipients, and there's no reason to expect that "everyone" will be any more able to break the LEA key than they will be able to break the encryption for the intended recipients. It doesn't even add much complexity.
Hmm. Just noticed there's one caveat I should add: Much online encryption today provides Perfect Forward Secrecy, and with LEA we'd lose that property, by definition, though only in a limited way. But PFS isn't even possible with encryption of data at rest, which is what they're mostly interested in. For now, at least.
Re: (Score:2)
Assuming each LEA key is specific for a single device/account, companies can just rubber stamp most requests with warrants and spot check a couple of the warrants afterwards.
Judges won't look kindly on someone fraudulently claiming their authority ... if police really was tempted to do so, judges would quickly dissuade them.
Re: (Score:2)
PS. obviously they'd need some system to invalidate the LEA key once the warrant expires, implementation is not altogether trivial ... but the law seems to acknowledge that.
Re: (Score:2)
It's the judges which sign the no knock warrants as such.
Re: (Score:2)
Re: For the hundred and first time... (Score:4, Insightful)
Re: (Score:2)
And all of that presupposes that there will never be anyone with 'legitimate' access to this master key who, illicitly, gives out the key to someone who should never have access to it, who then makes illicit decryption available to whoever wants to pay for it.
Well, it should not be possible for anyone to give the key to anyone at all. The keys should be held in HSMs that are physically and logically secured and will never divulge the secrets they hold. However, if you recast your comment a little, it is a good one: Will anyone who has legitimate ability to use the key ever do so for someone who shouldn't have the ability to use the key? 100% guaranteed that will happen.
Re: For the hundred and first time... (Score:4, Interesting)
Historically, government prying into your private info, is the big problem.
We have politicians whining about crimes, when the gigantic hypercrimes of dictatorship are using these backdoors to monitor domestic rabble rousers.
If you don't build the dictator's 3 wood for his golf bag, he can't misuse it to begin with.
Re: (Score:2)
I think the correct response is there is no good guy, nor bad guy: only people looking out for their own interests.
I agree with this argument, but I don't think it will get far. Most people do trust the courts to make decisions in the public interest.
Re: (Score:3)
Let's do it the other way around.
Let's build a secure end-to-end encrypted communication transmission and storage system with a backdoor. Now let's give that system to the National Archives and mandate that the federal government use it for all communication. All of it. A Senator texts an intern for a blowjob with a dick pic. That's in there. That $3,000 hammer contract with the DoD. That's in there.
And then we make the backdoor public. Heck let's even make an API and put access terminals in public l
Re: (Score:2)
Re:For the hundred and first time... (Score:5, Insightful)
This isn't about breaking the encryption, nor even about demanding a backdoor which they can open themselves AFAICS. They want the company to have a backdoor, which they can present the personalized key of when presented with a legal warrant.
And if FISA courts were any more of an in-you-face indicator, this isn't about demanding access to encrypted data through a legal warrant. It's not even about ensuring due process for the accused. This is just another channel demanding to be opened for massive abuse.
The encryption will be just a secure, the key security will be slightly compromised, but at least there won't be a single point of failure with the government. The point of failure will be the information security at the companies.
Companies which can already get all your data simply by pushing a compromised system/app upgrade in the first place of course, they have the ultimate backdoor in that regard already.
When you're on the wrong end of a legal accusation, it's too late to be worried about encryption backdoors. You're too busy trying to figure out how you're going to avoid prison and afford a lawyer that can't defend against shit like parallel construction.
Re:For the hundred and first time... (Score:5, Informative)
(in case I'm not the only one who had to Google that)
Re: (Score:2)
Even the with the broad interpretation of FISA jurisdiction endorsed by the Obama administration they still couldn't do fishing expeditions for content data, which is what is relevant here. FISA would only be relevant for suspected foreign spies.
Re: (Score:2)
Unless you're the actual recipient of a National Security Letter, you wouldn't know. And if you do know, you can't talk about it.
Re:For the hundred and first time... (Score:4, Insightful)
Re: (Score:2)
AFAICS it doesn't have to be the government keeping the backdoor secure. It would be the company keeping the backdoor secure, with the keys they give out for a given warrant only be useful for a limited set of devices/accounts.
You already rely on Microsoft/Apple/Google to keep the keys they sign updates with secure ... one manipulated update can take all the data from your device.
Re: (Score:2)
That’s a worse and even more shortsighted solution. It effectively shifts all the responsibility and administration to someone else without addressing the problem that access cannot be truly secure. Here’s the problem with that: Whatever access the US government wants is exactly what the Chinese, Russian, Iranian, etc governments want. China want to spy the US Ambassador’s Android phone when he’s in China. Is Google allowed to say no?
Your argument that companies already use encryptio
Re: For the hundred and first time... (Score:2)
They can already demand it now, only thing which would change is that it would become diplomatically very hard to refuse in foreign countries if they did it openly in the US.
Also I doubt Google/Apple have never pushed a compromised update for a specific device.
Re: For the hundred and first time... (Score:2)
The difference is they don't rely on CAs for the important stuff, CAs are for little people.
Re: (Score:3)
If a company can break their own encryption so can other people. That is the whole point of using encryption so that you are in control of the data while using a product created by someone else. You cannot have a backdoor for the manufacturer in the encryption standard, which compromising the key does, without opening a door for everyone. We've seen hundreds of keys leaked even from organizations like the NSA. If the NSA can't keep this stuff secure what on earth makes you think Apple can?
I can tell you r
Re: (Score:2)
Meh, it's the same exact thing as passwords. You give a 3rd party a secret to keep and it's up to them to hash and salt and store it properly so that if/when it leaks, it is useless to the attacker. Some companies will do it well and others won't.
Instead of passwords it will be encryption keys. Every device or account or whatever will have a unique key for that device. Not a global back door, just a key that law enforcement can request which will only unlock that one account or device or whatever it is.
Re: (Score:3)
Except for the issue that a company backdoor is still a backdoor. Even if it's multi-key encryption that remains secure so long as the company keeps their master key secret... you now have a single point of failure that will give access to all the data they possess.
That makes that master key a hugely attractive target for crackers since they know there's one key that will give them access to everything, dramatically increasing the payoff for uncovering it. Whether that means spending years brute-forcing t
Re: (Score:2)
Like the certificates they secure and sign updates with?
Most the devices and apps for which this would be relevant are both regularly updated and nearly everyone automatically follows updates. Those giant single points of failures are already there.
Re: (Score:2)
will be slightly compromised
You mean exactly the way it was before end-to-end encryption became a thing. No coincidence that it came in an era of warrant canaries and suspicions on which tech companies have received National Security Letters.
Clipper-chip redux? Still a bad idea (Score:3)
The clipper chip was a bad idea then and it's a worse idea now since we've put far more data online and on our devices than in 199x.
Who cares! (Score:2)
The un informed will use the government mandated breakable crypto and be robbed blind. Criminals will use good crypto like everyone else and be somewhat safe.
The government is just whining and hoping they get something for it.
Just my 2 cents
All companies become sole proprietor (Score:2)
A group of Senate Republicans is looking to force tech companies to comply with "lawful access" to encrypted information
Solution: stop being a "tech company", and become a sole proprietor. Problem solved. It's genius.
Re: (Score:2)
2A argument totally applies (Score:2)
and if you ban unbreakable encryption, then only the criminals will have unbreakable encryption
but to me this plus the totally uncontested laws in various localities against people having Tasers or mace or carrying swords proves that the powerful 2A lobby isn't actually about the right of citizens to defend themselves but to protect the interests of the firearm industry because if the NRA actually cared about citizen defense they'd be at the top of the list of groups crying out against this plan
Re: (Score:2)
While it varies from state to state, largely, if it is a free 2A state, you can not only purchase and own firearms freely, you can also own and carry most knives, including swords and tasers, etc.
Many states have repealed the old knife laws and it is getting much easier out there to carry the tools
Re: (Score:2)
Re: (Score:2)
and if you ban unbreakable encryption, then only the criminals will have unbreakable encryption
but to me this plus the totally uncontested laws in various localities against people having Tasers or mace or carrying swords proves that the powerful 2A lobby isn't actually about the right of citizens to defend themselves but to protect the interests of the firearm industry because if the NRA actually cared about citizen defense they'd be at the top of the list of groups crying out against this plan
Let me preface what I'm about to say that I am entirely against the proposed law in question, and think backdoors are stupid. I also see a potential 2nd amendment issue related to encryption technology (after all, the government has helpfully categorized it as a munition in the past for export control reasons)
The above said, you're a loon who cannot make a cogent argument, and thinks their non-sequitur is a reasonable attack against a platform they obviously disagree with.
We're on it guys (Score:2)
We started the decryption program and in only 25000 years you'll get the result.
why on EARTH ... (Score:2)
or anywhere else, would this seem like a good idea.
Once upon a time people lived in houses made of stone, what you did in your house was your business.
Then people started living in glass houses so , big brothers started thinking it was ok to look into things that they could never see before.
THEN people started putting up curtains and painting the walls. Big brother is angry they can't peak and want to be able to force you to open the curtain if they want to look.
We need to go the opposite way. There should
This is not a threat (Score:4, Insightful)
Remember, everybody: the only reason that "tech companies" can even possibly be coerced by government on this, is because they're already doing crypto wrong. If you implement things competently, then no matter how many loaded guns are pointed at your face, no matter how many of your children they threaten to torture to death, you can't crack your users' crypto any better than anyone else. Because you simply don't have the user's key.
Phil Zimmerman can't read your PGP-encrypted email. Get it? Do you understand why PRZ can't break PGP but Facebook can effortlessly break their messaging app? And here we are, decades later, settling for less than 20th century tech! WTF?!
The only companies that are possibly threatened by these Republicans, are ones that are already lying to you about how your shit is "secure." It's not secure if a a service provider has the key, due to their desires to inject ads or build ad profiles, monitor usage for ToS violations, etc.
No legitimate company's crypto is threatened by government thugs demanding access to an already-existing key which compromises it, only scam companies are being threatened with having their already-existing weakness exposed. I look forward to all the developers who expose their own bullshit by complaining that their weak crypto is going to be made to look weak by this. Good. I want everyone to know your shit never worked right. These evil-meaning Republicans are actually doing us all a favor, and I hope they get their bill (intended to reduce privacy) passed because it will actually provide incentive to improve our privacy.
Re: (Score:2)
No, this is a threat, it will force tech companies to eg. deliver a signed package of a messenger to your mobile phone that pretends to encrypt but exfiltrates your messages to agencies.
Re: (Score:2)
> Phil Zimmerman can't read your PGP-encrypted email.
I'm sorry, but you misunderstand. The law proposes to force PGP (et al) to use a scheme whereby Mr Zimmerman (or law enforcement) COULD read your encrypted email. Did you somehow fail to see where in the bill they were ordering folks to install backdoors (without specifying how to do that)?
> The only companies that are possibly threatened by these Republicans, are ones that are already lying to you about how your shit is "secure." It's not secure
Re: (Score:2)
Remember, everybody: the only reason that "tech companies" can even possibly be coerced by government on this, is because they're already doing crypto wrong.
Actually Android, at least, already gets this right, and I strongly suspect that iOS has made changes to get it right, too, since the San Bernardino incident. And iOS actually did get it mostly right even before: remember that what the FBI asked Apple to do was to provide alternate firmware that removed the delays and reboots caused by entering too many bad passwords, so the FBI could brute force the password. They wanted that because the actual key material was stored deep in secure hardware where no one,
We've gone full circle (Score:5, Informative)
Giving the government backdoor access to basically all communications is akin to asking the fox to behave while in the hen house :|
Given the governments absolutely stellar history in the trustworthy category, I'm curious why anyone would believe they wouldn't abuse
said abilities the moment they're handed the keys.
AND
Before anyone jumps on the " OMG Trump " or "OMG Republicans " bandwagon which is the norm around here these days, I invite those
of you who are too young to have experienced it, to read what the Clipper Chip debacle was. ( https://en.wikipedia.org/wiki/... [wikipedia.org] )
Do make note of which administration was pushing for this and realize that it doesn't matter if it's Team Red or Team Blue. They're both
trying to screw us all while playing us against each other.
Not the same (Score:4, Interesting)
Back then, it was new and computers were still very new to the politicians who are far behind the curve; some so far behind we are still making fun of their ignorance of things that are 30 years old.
The police state was freaking out imagining being unable to do anything not realizing most users wouldn't encrypt anything or knowing there would be a couple generations who voluntarily put out all their private information to social media companies for easy access.
At this point, there is no excuse for them to not know better and plenty of reason to distrust the gov handling of such power. Today it is pandering to certain interest groups and any I can think of would know it's empty pandering. WHY bother? Would a Russian interest not realize? certainly they would love this... Is Trump for it?
It's basically been tried before... (Score:4, Insightful)
The idea that encryption has to have a method where the government can at will reverse it defies logic. There is no magic formula to make it so only a responsible government need can decrypt something and deny access from third parties or even unwarranted government intrusion. If you can't guarantee that the data stays safe then it really serves no purpose.
It is a dangerous unworkable idea and will cost commerce billions and even flies in the face of the 1st Amendment.
Don't screw Billions to catch 2 criminals (Score:3)
Sorry but the welfare of the 6 Billion people who use computers or phones don't need to be compromised to catch a DEAD criminal once every 5 years.
Not just no (Score:3)
FUCK NO!!!!!
Sorry, encryption protects everyone's privacy, even criminals.
This kind of nonsense is a slap in the face to a free people
Do they understand anything? (Score:2)
Do they not get that the entire PURPOSE of encryption is controlled access to information?
I, for one, welcome the death of Silicon Valley (Score:2)
This would cause all silicon valley companies to either pack up and move overnight or quickly become uncompetitive, making way for foreign competitors. This would massively reduce geographic income concentration and the political power of today's tech industry while improving competitiveness.
Partisan (Score:4, Informative)
Surrender (Score:2)
Fighting crime is a never-ending war, everyone gets that, but to believe such a law would really give access to precious data is naive and is a surrender in this war. Criminals, terrorists and the innocent, but tech-savvy kid will switch to backdoor-free encryption, while uniformed and unsuspecting citizens get caught in the crossfire. Law enforcement is going to tug itself in with the warm belief to finally have the skeleton key to the cookie jar, only to then find the jar to be empty.
Like Dogs Chasing Motorcycles (Score:2)
- If they require U.S. companies to include backdoored encryption, U.S. citizens will switch to apps developed in other countries
- If they make it illegal to use apps without backdoored encryption, U.S. citizens will just wrap their communications inside a layer of encryption that doesn't have a back door before the data is sent through the app
- If they make it illegal to use any encr
Santayana was right... (Score:2)
"Those who cannot remember the past are condemned to repeat it."
This is the exact same debate that happened with the Clipper Chip [wikipedia.org].
They don't care about you (Score:2)
I am sure they have staffers who know exactly why we cannot have security and backdoors at the same time. And it is not a stretch to assume they do not care.
Do you believe the politicians will continue to use "civilian" applications from now on? They will have apps specifically developed for them with actual encryption. They will cite reasons like national security, while you and me, and even leaders of industry will be unable to access these. And do not forget the sweet government contracts that will be en
I want an same as China for apple and other who ma (Score:2)
I want an same as China for apple and other who make stuff there.
If China get's an way then the USA better or they can move the factory to the usa and not have any back doors.
FFS, you tech illiterates, learn it finally (Score:2)
There is no such thing as a government-only backdoor.
The only way this can be done is by artificially introducing a known weakness in the encryption algorithm. And knowing your track record with keeping shit secret and not leaking it worse than a non-housebroken puppy, before you even receive your government-only key, it will be in the hands of Iran, North Korea and pretty much any foreign corporation interested in breaking into US government and corporate trade secrets.
In other words, if you plan to shoot
Re:Naah, just roll you own .... (Score:5, Interesting)
It already exists. Download gpg.
What we have gotten away from but may be returning to is a distributed system of key management. Where there is no longer a central repository of encryption keys held by a tech company who will hand them over to the authorities upon receipt of a warrant. You will hold your own keys and when some TLA wants to snoop around your communications, they will have to serve you with the warrant.
Re: (Score:2)
If they have keys, they will hand it over not to just valid warrants, but to dictatorships using it for the reason we have warrant requirements: to stop the investigation of political enemies.
To catch a few crooks, we are throwing billions around the world into a deeper well of dictatorship.
Remember this the next time some fool politician or FBI exec decries the horrid crimes he's seen. His sob stories stand next to a god of dictatorship, the top of his head at the god's anklebone*.
* Thanks, Mark Twain, t
Re: (Score:2)
If they have keys
Which is why you move to a solution where there is no 'they' that have your key other than yourself. End to end pubic key cryptography is old tech. It just hasn't been implemented very widely because it prevents the service in the middle from reading and monetizing your communications.
Re: (Score:3, Interesting)
Shouting about hypocrisy in political parties is like complaining that rain is wet.
THEY ALL DO IT
Re:But the close their eyes to Trump's treason (Score:4, Insightful)
They all do it!
That somehow makes it okay? We're just supposed to accept it as 'normal' and move on?
Re: (Score:2)
The problem is tribalism, no one wants to clean up their own act until the other side cleans up their act first. Leading to a contest to see who can go the longest without bathing.
Re: (Score:2)
It's not new. You can find that kind of sentiment at least dating back to when the New Testament of the Bible was written. There's that part about 'who is without sin cast the first stone'.
That doesn't make it a valid argument. It's still a fallacy if used as a counter for almost every situation (except maybe sel
Re: But the close their eyes to Trump's treason (Score:2)
Whataboutism is not a good counterargument. Imagine a defense attorney offering that argument in court for why his client, accused of murder, shouldn't be convicted. "Other people murder all the time...". Laughable. The illegal or immoral activity of one person, or group of people, does not excuse the same behavior of another person or group.
Re: (Score:3)
Let's see if the other party, which holds a majority in the House of Representatives, follows along with these evil Republicans or if they vote this legislation down. Then we will know for sure which party harbors the most traitors, racists and thieves.
Re: (Score:2)
Re: (Score:2)
Only a TrueScore(r) of 4, huh?
Confidence in yourself is waining.
Save your breath (Score:2)
Save your breath. If you think anything other than actual votes will get the attention of any politician these days you are mistaken.
Re: (Score:2)
If 10,000 people jam their phone lines and email inboxes telling them "leave encryption alone or there won't BE any encryption worth a damn!" and they ignore it, then yes they don't deserve to be re-elected, but do you really believe they're just going to ignore that?
very thread, slack_justyb reports writing to Marsha Blackburn repeatedly about this very issue, and getting nothing more than, "It's for your own good," in response. Do you think that experience is unique? Far from it. Even when an entire letter writing campaign is organized, it gets ignored unless the Congresscritter is already ideologically aligned with the purpose of the campaign.
The US Congress believes that a simple majority of a remarkably small minority of its constituents constitutes a full-throa
Re: (Score:2)
If 10,000 people jam their phone lines and email inboxes telling them "leave encryption alone or there won't BE any encryption worth a damn!" and they ignore it, then yes they don't deserve to be re-elected, but do you really believe they're just going to ignore that?
Think? We know it for a fact. This already happens routinely. Or were you under a rock when the Net Neutrality rules were trashed? In this very thread [slashdot.org], slack_justyb reports writing to Marsha Blackburn repeatedly about this very issue, and getting nothing more than, "It's for your own good," in response. Do you think that experience is unique? Far from it. Even when an entire letter writing campaign is organized, it gets ignored unless the Congresscritter is already ideologically aligned with the purp
Re: (Score:2)
Re: (Score:2)
The very page you linked to as "the bill's more formal description" specifically says that this bill "would bring an end to warrant-proof encryption in devices, platforms, and systems", where "warrant-proof encryption" means any encryption which cannot be circumvented on request. Service providers and device manufacturers would be required not only to provide whatever assistance they can after a warrant is issued but also to report on their ability to comply with the government's requests and to implement s