Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Republicans Encryption United States

Republicans Push Bill Requiring Tech Companies To Help Access Encrypted Data (cnet.com) 182

New submitter feross shares a report: A group of Senate Republicans is looking to force tech companies to comply with "lawful access" to encrypted information, potentially jeopardizing the technology's security features. On Tuesday, Republican lawmakers introduced the Lawful Access to Encrypted Data Act, which calls for an end to "warrant-proof" encryption that's disrupted criminal investigations. The bill was proposed by Sen. Lindsey Graham, chairman of the Senate Judiciary committee, along with Sens. Tom Cotton and Marsha Blackburn. If passed, the act would require tech companies to help investigators access encrypted data if that assistance would help carry out a warrant. Lawmakers and the US Justice Department have long battled with tech companies over encryption, which is used to encode data.

The Justice Department argues that encryption prevents investigators from getting necessary evidence from suspects' devices and has requested that tech giants provide "lawful access." That could come in many ways, such as providing a key to unlock encryption that's only available for police requests. The FBI made a similar request to Apple in 2016 when it wanted to get data from a dead terrorist's iPhone in a San Bernardino, California, shooting case. Giving access specifically to government agencies when requested is often referred to as an "encryption backdoor," something tech experts and privacy advocates have long argued endangers more people than it helps.

This discussion has been archived. No new comments can be posted.

Republicans Push Bill Requiring Tech Companies To Help Access Encrypted Data

Comments Filter:
  • by pyrrho ( 167252 ) on Wednesday June 24, 2020 @10:32AM (#60222016) Journal
    Because America!
    • It's important to realize that VERY FEW people in government understand the technical issues. Maybe none.

      For example, it is possible to send an encrypted message that has 2 messages, one easily found, the other hidden.
      • by ebyrob ( 165903 )

        It's soo freaking complicated I know. People have a right to privacy. Oh my gorsh!! rights wat are those? It's 2020 don't you know all we have now is an ability to bow to the latest media trend?

      • 2 notes:. Very few people in POWER know about tech issues. There are people in the background who do. Some of them don't care if it hurts most of america as long as it helps their power, though, like probably many managers at the nsa. And second, the fact that they don't isn't the main problem. No person can be an expert in anything. It is the complete lack of effort or even interest on both parties (more Republicans, due to their weird science hate, but both nonetheless) to get someone to HELP them wi
  • Face, meet egg (Score:4, Insightful)

    by Tablizer ( 95088 ) on Wednesday June 24, 2020 @10:39AM (#60222058) Journal

    If there's a breach of a required backdoor, the law-makers could end up looking quite foolish. I'm surprised companies are not asking that the law pre-describe compensation if such happens. Essentially the legislation is weakening the security of their products.

    • Re:Face, meet egg (Score:5, Informative)

      by slack_justyb ( 862874 ) on Wednesday June 24, 2020 @11:15AM (#60222252)

      the law-makers could end up looking quite foolish

      Clearly you've not worked in politics. When it does happens (and not even an if), politicians will wonder why tech companies had acted so recklessly with consumer data. Now many may point out that ... blah blah blah. But that's beside the point when we eventually get there. Remember light touch government! Which is why this is the company's fault not all this non-sense of backdoors. They're suppose to ensure that only law enforcement can use the back door. Something, something ... a series of tubes!!

      I'm surprised companies are not asking that the law pre-describe compensation if such happens

      Bawahaha!! That's because they already know that a majority of the geriatric Senators behind this will see those companies failing and think "nothing of value was lost." Many of these Senators care more about their last shit than these companies, and they flushed their last shit down the drain.

      Essentially the legislation is weakening the security of their products

      That's the entire goal. You keep acting like that's a defect of the law and that's actually the entire purpose of it. I mean good luck on trying to explain the importance of all of that to the Senators backing this. I've emailed Blackburn at least ten times on this and the best she's given back is pretty much the default response from the AI in Civilization 6 when they're trying to convert your country's religion. "No, no, this will be better for you. You will see."

      I mean look at the three names on this. These people are not the paragons of logic here.

      • Since there are no security regulations noticibly different from "you'd better do a good job", which translates into a fine and an agreement every time a hack comes out, that becomes a new quasi-regulation, you can rely on this.

    • I'm sure the politicians know this. I bet they're just waiting for the tech companies to offer up some lobbying dollars so they'll amend it with blanket immunity for any/all data breaches.

    • What do mean by "if"? Based on recent history that scenario is more "when"
    • I guarantee the lawmakers never thought that far down the road. In fact, I would be surprised if they were ever breached on the idea that the "tech companies" may or may not actually be able to do what is being required here, as they may not have the encryption keys themselves. At least, in any legit system, they would not.

      Once again, Congress critters think they can legislate math. They are wrong.

  • by Chris Mattern ( 191822 ) on Wednesday June 24, 2020 @10:41AM (#60222064)

    ...you can't create an encryption that only the "good guys" can break. If law enforcement can break it, then everyone can.

    • by swillden ( 191260 ) <shawn-ds@willden.org> on Wednesday June 24, 2020 @11:00AM (#60222176) Journal

      ...you can't create an encryption that only the "good guys" can break. If law enforcement can break it, then everyone can.

      This is the wrong way to respond, because anyone with a clue will recognize that the response is disingenuous.

      It absolutely is possible to create cryptographic schemes which encrypt to a "law enforcement access" (LEA) key, as well as to the intended recipients, and there's no reason to expect that "everyone" will be any more able to break the LEA key than they will be able to break the encryption for the intended recipients. It doesn't even add much complexity.

      The problem isn't with the encryption, the problem is with key management -- and with the futility of the whole attempt (more on that below). What we don't know how to do is to build a key management system that both (a) allows law enforcement to execute hundreds of warrants every day and get decryptions for valid, court-approved reasons and (b) prevent law enforcement from using this access to abuse the system and decrypt messages they shouldn't be able to access.

      And then, of course, there's the "futility" point. Supposing all of the major platforms that encrypt by default did provide LEA, what would be the obvious response of criminals? To use an app that doesn't provide LEA. Strong cryptography is universally and trivially available to everyone. You can't put that cat back into the bag.

      • Right. *Everyone* won't be able to break it, only all the shadowy intelligence agencies and criminal organizations that you *really* don't want to be able to. That's much better.

      • Giving law enforcement a spcial key will last as long as they can keep the key secret, which I figure an optimistic estimate would be about six months.

        • Giving law enforcement a spcial key will last as long as they can keep the key secret, which I figure an optimistic estimate would be about six months.

          That's a fairly easy problem to solve. Generate the keys in HSMs that will never give it up, and put appropriate physical and logical security around them. Keeping the keys secret is easy. Appropriately controlling the ability to use the keys is the hard part.

          • by MobyDisk ( 75490 )

            Can you help me understand what we are talking about here?

            Alice wants to communicate to Bob over a chat app of some sort:

            1. Confirm for me that none of this discussion applies to end-to-end encryption. Alice and Bob use something like a a diffie-hellman key exchange and there's no 3rd LEA key nor a place to escrow it.
            2. I think we are talking about this using some server-based non end-to-end thing. Alice calls Bob using a 3rd-party server. Alice has TLS to the server, Bob has TLS to the server. There's

            • 1. Confirm for me that none of this discussion applies to end-to-end encryption. Alice and Bob use something like a a diffie-hellman key exchange and there's no 3rd LEA key nor a place to escrow it.

              There would have to be an LEA key in either Bob's machine, or Alice's... or more likely both. They'd need to encrypt a copy of the session key and send it to a server.

              However, I think this is mostly about data at rest, not data in transit. Alice's device keeps an encrypted copy of the chat log. It's encrypted with (say) a symmetric key that's stored locally in some secure way, e.g. in a TPM. The TPM encrypts an extra copy of the key with the LEA key and that encrypted blob gets stored along with the enc

              • The technical security problems around prevention of key leakage, etc., can be solved, adequately, ...

                In theory, yes. Most things perfectly in theory. But you assume that TPTB are sufficiently motivated to solve these security problems.

                Economic issues (cost vs. benefit for the attacker) and properly aligned incentives are at least a much a part of any decent security system as the hardware, software, and key management. The technical security measures you're describing are relatively routine, but this situation is far from routine. Normally you're protecting only your own data, or perhaps that of your custo

            • by chill ( 34294 )

              The proposal doesn't really apply to some little chat app, but rather the major infrastructure both software and hardware.

              The big companies who make the bulk of the infrastructure -- Cisco, Juniper, HP, Facebook, Google, Microsoft -- will have to comply or the gov't will fine them out of existence and block them from doing business.

              Once they have all the network switches, routers, cell phones, and major chat tools like WebEx, Teams, Skype, Facebook Messenger, etc. they have 95% of who they're looking for.

          • by urusan ( 1755332 )

            Physical security is hardly a protection for such an incredibly valuable key. This is doubly true if it's not just available to the top law enforcement agencies (ex. just the FBI), but available more widely to other police agencies.

            There was a story a little while back about how a South African bank had its master key stolen and used by the thieves to take everyone's accounts for a ride. Most of the initial comments were about how they should have used HSMs, but then it turned out that they had used HSMs an

            • There was a story a little while back about how a South African bank had its master key stolen and used by the thieves to take everyone's accounts for a ride. Most of the initial comments were about how they should have used HSMs, but then it turned out that they had used HSMs and otherwise done everything right, but the thieves were insiders.

              Keep in mind that banks have lousy security in general. I used to do security consulting in the financial industry and I could tell you some stories....

              There's no doubt in my mind that China, Russia, and many others would pour massive resources into getting their hands on these keys, and them being in physical HSMs will not be a particular deterrent to these kinds of state actors,

              Meh. The military has lots of experience with securing extremely high-value objects and secrets. This can all be done.

              The kind of master key (or set of master keys) that would be valuable to law enforcement would be baked into pretty much all of our firmware and software (maybe even hardware too so it can't be easily circumvented) nationwide.

              Even if the key(s) are only available to the FBI and only brought out occasionally, it would be near impossible to keep the keys secure due to the intense spy efforts devoted to stealing them. It might last a few years if they do a really good job at securing it, but it'll get out and cause massive devastation within a few years. If the keys are available to local police, then forget about it. No matter what technical wizardry and legal enforcement you throw at the problem, it's basically just going to lead to wave after wave of breach.

              Yes, as I said, appropriately controlling access to use the keys is the hard part. And the more frequently the keys are used, the harder it is.

              I'll also point out that you're thinking about some pieces of this wrong. It would be foolish

      • It absolutely is possible to create cryptographic schemes which encrypt to a "law enforcement access" (LEA) key, as well as to the intended recipients, and there's no reason to expect that "everyone" will be any more able to break the LEA key than they will be able to break the encryption for the intended recipients. It doesn't even add much complexity.

        Hmm. Just noticed there's one caveat I should add: Much online encryption today provides Perfect Forward Secrecy, and with LEA we'd lose that property, by definition, though only in a limited way. But PFS isn't even possible with encryption of data at rest, which is what they're mostly interested in. For now, at least.

      • Assuming each LEA key is specific for a single device/account, companies can just rubber stamp most requests with warrants and spot check a couple of the warrants afterwards.

        Judges won't look kindly on someone fraudulently claiming their authority ... if police really was tempted to do so, judges would quickly dissuade them.

      • I mean, if I were doing something illegal that I absolutely couldn't have people snooping on, you'd be your ass I wouldn't be using any of the off-the-shelf products out there, and would instead rely solely on my own servers, running FOSS software (that I've personally vetted the source code of to ensure no backdoors exist), using keys that only I would have access to, locked aware securely.
    • Let's do it the other way around.

      Let's build a secure end-to-end encrypted communication transmission and storage system with a backdoor. Now let's give that system to the National Archives and mandate that the federal government use it for all communication. All of it. A Senator texts an intern for a blowjob with a dick pic. That's in there. That $3,000 hammer contract with the DoD. That's in there.

      And then we make the backdoor public. Heck let's even make an API and put access terminals in public l

    • They may as well ask for guns that "Only shoot bad people".
  • by schwit1 ( 797399 ) on Wednesday June 24, 2020 @10:45AM (#60222092)

    The clipper chip was a bad idea then and it's a worse idea now since we've put far more data online and on our devices than in 199x.

  • If government believes this, everyone should be required to remove the front doors from their houses/apts. Because if your not doing anything illegal the cops strolling through when they want to should not be a problem.

    The un informed will use the government mandated breakable crypto and be robbed blind. Criminals will use good crypto like everyone else and be somewhat safe.

    The government is just whining and hoping they get something for it.

    Just my 2 cents ;)
  • A group of Senate Republicans is looking to force tech companies to comply with "lawful access" to encrypted information

    Solution: stop being a "tech company", and become a sole proprietor. Problem solved. It's genius.

  • and if you ban unbreakable encryption, then only the criminals will have unbreakable encryption

    but to me this plus the totally uncontested laws in various localities against people having Tasers or mace or carrying swords proves that the powerful 2A lobby isn't actually about the right of citizens to defend themselves but to protect the interests of the firearm industry because if the NRA actually cared about citizen defense they'd be at the top of the list of groups crying out against this plan

    • plus the totally uncontested laws in various localities against people having Tasers or mace or carrying swords proves that the powerful 2A lobby isn't actually about the right of citizens to defend themselves

      While it varies from state to state, largely, if it is a free 2A state, you can not only purchase and own firearms freely, you can also own and carry most knives, including swords and tasers, etc.

      Many states have repealed the old knife laws and it is getting much easier out there to carry the tools

      • NY's stun gun ban got overturned, and mace has been allowed. Swords might still be problematic (in public), but at least the "gravity knife" nightmare is over.
    • by Zak3056 ( 69287 )

      and if you ban unbreakable encryption, then only the criminals will have unbreakable encryption

      but to me this plus the totally uncontested laws in various localities against people having Tasers or mace or carrying swords proves that the powerful 2A lobby isn't actually about the right of citizens to defend themselves but to protect the interests of the firearm industry because if the NRA actually cared about citizen defense they'd be at the top of the list of groups crying out against this plan

      Let me preface what I'm about to say that I am entirely against the proposed law in question, and think backdoors are stupid. I also see a potential 2nd amendment issue related to encryption technology (after all, the government has helpfully categorized it as a munition in the past for export control reasons)

      The above said, you're a loon who cannot make a cogent argument, and thinks their non-sequitur is a reasonable attack against a platform they obviously disagree with.

  • We started the decryption program and in only 25000 years you'll get the result.

  • or anywhere else, would this seem like a good idea.
    Once upon a time people lived in houses made of stone, what you did in your house was your business.
    Then people started living in glass houses so , big brothers started thinking it was ok to look into things that they could never see before.
    THEN people started putting up curtains and painting the walls. Big brother is angry they can't peak and want to be able to force you to open the curtain if they want to look.

    We need to go the opposite way. There should

  • by Sloppy ( 14984 ) on Wednesday June 24, 2020 @11:02AM (#60222186) Homepage Journal

    Remember, everybody: the only reason that "tech companies" can even possibly be coerced by government on this, is because they're already doing crypto wrong. If you implement things competently, then no matter how many loaded guns are pointed at your face, no matter how many of your children they threaten to torture to death, you can't crack your users' crypto any better than anyone else. Because you simply don't have the user's key.

    Phil Zimmerman can't read your PGP-encrypted email. Get it? Do you understand why PRZ can't break PGP but Facebook can effortlessly break their messaging app? And here we are, decades later, settling for less than 20th century tech! WTF?!

    The only companies that are possibly threatened by these Republicans, are ones that are already lying to you about how your shit is "secure." It's not secure if a a service provider has the key, due to their desires to inject ads or build ad profiles, monitor usage for ToS violations, etc.

    No legitimate company's crypto is threatened by government thugs demanding access to an already-existing key which compromises it, only scam companies are being threatened with having their already-existing weakness exposed. I look forward to all the developers who expose their own bullshit by complaining that their weak crypto is going to be made to look weak by this. Good. I want everyone to know your shit never worked right. These evil-meaning Republicans are actually doing us all a favor, and I hope they get their bill (intended to reduce privacy) passed because it will actually provide incentive to improve our privacy.

    • by k2r ( 255754 )

      No, this is a threat, it will force tech companies to eg. deliver a signed package of a messenger to your mobile phone that pretends to encrypt but exfiltrates your messages to agencies.

    • > Phil Zimmerman can't read your PGP-encrypted email.

      I'm sorry, but you misunderstand. The law proposes to force PGP (et al) to use a scheme whereby Mr Zimmerman (or law enforcement) COULD read your encrypted email. Did you somehow fail to see where in the bill they were ordering folks to install backdoors (without specifying how to do that)?

      > The only companies that are possibly threatened by these Republicans, are ones that are already lying to you about how your shit is "secure." It's not secure

    • Remember, everybody: the only reason that "tech companies" can even possibly be coerced by government on this, is because they're already doing crypto wrong.

      Actually Android, at least, already gets this right, and I strongly suspect that iOS has made changes to get it right, too, since the San Bernardino incident. And iOS actually did get it mostly right even before: remember that what the FBI asked Apple to do was to provide alternate firmware that removed the delays and reboots caused by entering too many bad passwords, so the FBI could brute force the password. They wanted that because the actual key material was stored deep in secure hardware where no one,

  • by nehumanuscrede ( 624750 ) on Wednesday June 24, 2020 @11:03AM (#60222198)

    Giving the government backdoor access to basically all communications is akin to asking the fox to behave while in the hen house :|

    Given the governments absolutely stellar history in the trustworthy category, I'm curious why anyone would believe they wouldn't abuse
    said abilities the moment they're handed the keys.

    AND

    Before anyone jumps on the " OMG Trump " or "OMG Republicans " bandwagon which is the norm around here these days, I invite those
    of you who are too young to have experienced it, to read what the Clipper Chip debacle was. ( https://en.wikipedia.org/wiki/... [wikipedia.org] )

    Do make note of which administration was pushing for this and realize that it doesn't matter if it's Team Red or Team Blue. They're both
    trying to screw us all while playing us against each other.

    • Not the same (Score:4, Interesting)

      by bussdriver ( 620565 ) on Wednesday June 24, 2020 @12:19PM (#60222576)

      Back then, it was new and computers were still very new to the politicians who are far behind the curve; some so far behind we are still making fun of their ignorance of things that are 30 years old.

      The police state was freaking out imagining being unable to do anything not realizing most users wouldn't encrypt anything or knowing there would be a couple generations who voluntarily put out all their private information to social media companies for easy access.

      At this point, there is no excuse for them to not know better and plenty of reason to distrust the gov handling of such power. Today it is pandering to certain interest groups and any I can think of would know it's empty pandering. WHY bother? Would a Russian interest not realize? certainly they would love this... Is Trump for it?

  • by Gription ( 1006467 ) on Wednesday June 24, 2020 @11:08AM (#60222220)
    Hard encryption used to be classified as a munition under the laws from WW2 which was because being able to encode messages was vital to the war effort. That law outlawed exporting any software that had good encryption from the US until the early 90s. That removed the US from the market for good encryption so you saw all the widespread products with good encryption were from outside the US. It in a way it reduced US software companies to second class citizens.

    The idea that encryption has to have a method where the government can at will reverse it defies logic. There is no magic formula to make it so only a responsible government need can decrypt something and deny access from third parties or even unwarranted government intrusion. If you can't guarantee that the data stays safe then it really serves no purpose.

    It is a dangerous unworkable idea and will cost commerce billions and even flies in the face of the 1st Amendment.
  • by omfglearntoplay ( 1163771 ) on Wednesday June 24, 2020 @11:10AM (#60222226)

    Sorry but the welfare of the 6 Billion people who use computers or phones don't need to be compromised to catch a DEAD criminal once every 5 years.

  • by MitchDev ( 2526834 ) on Wednesday June 24, 2020 @11:20AM (#60222282)

    FUCK NO!!!!!

    Sorry, encryption protects everyone's privacy, even criminals.

    This kind of nonsense is a slap in the face to a free people

  • Do they not get that the entire PURPOSE of encryption is controlled access to information?

  • This would cause all silicon valley companies to either pack up and move overnight or quickly become uncompetitive, making way for foreign competitors. This would massively reduce geographic income concentration and the political power of today's tech industry while improving competitiveness.

  • Partisan (Score:4, Informative)

    by cygnusvis ( 6168614 ) on Wednesday June 24, 2020 @12:04PM (#60222498)
    If big tech has no warrant-proof encryption, I will turn to open source that does if that what I need.
  • Fighting crime is a never-ending war, everyone gets that, but to believe such a law would really give access to precious data is naive and is a surrender in this war. Criminals, terrorists and the innocent, but tech-savvy kid will switch to backdoor-free encryption, while uniformed and unsuspecting citizens get caught in the crossfire. Law enforcement is going to tug itself in with the warm belief to finally have the skeleton key to the cookie jar, only to then find the jar to be empty.

  • Do they even know what their end goal is or are they just like dogs chasing motorcycles? Here's how this will play out:

    - If they require U.S. companies to include backdoored encryption, U.S. citizens will switch to apps developed in other countries
    - If they make it illegal to use apps without backdoored encryption, U.S. citizens will just wrap their communications inside a layer of encryption that doesn't have a back door before the data is sent through the app
    - If they make it illegal to use any encr
  • "Those who cannot remember the past are condemned to repeat it."

    This is the exact same debate that happened with the Clipper Chip [wikipedia.org].

  • I am sure they have staffers who know exactly why we cannot have security and backdoors at the same time. And it is not a stretch to assume they do not care.

    Do you believe the politicians will continue to use "civilian" applications from now on? They will have apps specifically developed for them with actual encryption. They will cite reasons like national security, while you and me, and even leaders of industry will be unable to access these. And do not forget the sweet government contracts that will be en

  • I want an same as China for apple and other who make stuff there.
    If China get's an way then the USA better or they can move the factory to the usa and not have any back doors.

  • There is no such thing as a government-only backdoor.

    The only way this can be done is by artificially introducing a known weakness in the encryption algorithm. And knowing your track record with keeping shit secret and not leaking it worse than a non-housebroken puppy, before you even receive your government-only key, it will be in the hands of Iran, North Korea and pretty much any foreign corporation interested in breaking into US government and corporate trade secrets.

    In other words, if you plan to shoot

C'est magnifique, mais ce n'est pas l'Informatique. -- Bosquet [on seeing the IBM 4341]

Working...