Washington Post's Clueless Editorial On Phone Encryption: No Backdoors, But How About A Magical 'Golden Key'?

from the golden-key-cryptography dept

The Washington Post editorial board has weighed in on the recent “controversy” over Apple and Google’s smart decision to start encrypting mobile devices by default. The “controversy” itself seems pretty hyped up by law enforcement types who are either lying or clueless about the technology. Throwing a bunch of technically ignorant newspaper editors into the mix probably wasn’t the wisest of decisions.

Much of the editorial engages in hand-wringing about what law enforcement is going to do when they need the info on your phone (answer: same thing they did for years before smartphones, and most of the time with smartphones as well, which is regular detective work). It even repeats the bogus use of the phrase “above the law” that FBI director James Comey bizarrely keeps repeating (hint: putting a lock on your stuff isn’t making you above the law). But the real kicker is the final paragraph:

How to resolve this? A police ?back door? for all smartphones is undesirable ? a back door can and will be exploited by bad guys, too. However, with all their wizardry, perhaps Apple and Google could invent a kind of secure golden key they would retain and use only when a court has approved a search warrant. Ultimately, Congress could act and force the issue, but we?d rather see it resolved in law enforcement collaboration with the manufacturers and in a way that protects all three of the forces at work: technology, privacy and rule of law.

Did you get that? No “back door,” but rather a “golden key.” Now, I’m not sure which members of the Washington Post editorial board is engaged in mythical “golden key” cryptography studies, but to most folks who have even the slightest understanding of technology, they ought to have recognized that what they basically said is: “a back door is a bad idea, so how about creating a magic back door?” A “golden key” is a backdoor and a “backdoor” is a “golden key.” The two are indistinguishable and the Post’s first point is the only accurate one: it “can and will be exploited by bad guys, too.” That’s why Apple and Google are doing this. To protect users from bad guys.

In the meantime, just watch, and we’ll start to see ignorant politicians and law enforcement start to echo this proposal as well, talking down “backdoors” and talking up “golden keys.” The fact that we already had this debate in the 1990s, when the “golden key” was called “key escrow” and when having the government lose that was was fairly important in allowing the internet to become so useful, will apparently be lost on the talking heads.

Still, a small request for the Washington Post Editorial Board: before weighing in on a subject like this, where it’s fairly clear that none of you have the slightest clue, perhaps try asking a security expert first?

Filed Under: , , , , , ,
Companies: washington post

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Washington Post's Clueless Editorial On Phone Encryption: No Backdoors, But How About A Magical 'Golden Key'?”

Subscribe: RSS Leave a comment
55 Comments
antidirt (profile) says:

Still, a small request for the Washington Post Editorial Board: before weighing in on a subject like this, where it’s fairly clear that none of you have the slightest clue, perhaps try asking a security expert first?

I love how you hold others to such a high standard when you yourself don’t meet that standard. Recent example: your silly post about how a design patent is invalid even though you demonstrated no such thing: https://www.techdirt.com/articles/20141003/06500028716/design-patent-granted-toothpick.shtml Do as you say, not as you do, right?

antidirt (profile) says:

Re: Re: Re:

I love how you do exactly the same you criticize.

How is that linked-to comment an example of me doing the same thing? At least that person acknowledged that it’s the “ordinary observer” test–something Mike didn’t even do. Mike didn’t give us any legal analysis before reaching his legal conclusion. He just posted a picture of toothpicks that had three grooves with the implication that they’re substantially similar to ones that have two painted-on stripes. My point is that the IP reporting on Techdirt is often laughable–such as that post. It’s not just Mike. His flunkies are guilty of shoddy IP reporting even more so than he is. It’s just funny that he criticizes others so much when his own house isn’t in order.

Ninja (profile) says:

However, with all their wizardry, perhaps Apple and Google could invent a kind of secure golden key they would retain and use only when a court has approved a search warrant.

Really, why are we reading some ignorant piece of crap like WP when not happy with being clueless they display said lack of clue in all its glory by treating science as wizardry?

Perhaps they could actually study what they call wizardry and notice it’s highly complex science and that they just proposed exactly what they said it’s not desirable?

Anonymous Coward says:

Re: Re: Re:2 Future Shock

I don’t know if that’s completely fair. With the rate of growth and progress for technology, I do think that there are some people who would love to know more, but have no clue where to start. The solution of course is to ask for help, but if you have no clue where to start, then how do you even know what to ask?

I’m not saying that there aren’t bad actors. However, we should also consider that in less than a decade we went from moble phones to a universe of powerful internet-connected devices capable of storing and doing so much more than that.

I think today that there is a valid argument for the growth of an excluded middle between the clued-in, and the willfully ignorant, and thanks to Alvin Toffler there’s a name for the cause – Future Shock.

Edward Teach says:

This is Magical Golden Journalism

Personally, this kind of crap is why I read the papers.

I mean, “David Brooks”? C’mon, he’s no better than that Krauthammer moron, or Thomas Sowell. They’re just low blood pressure medicine.

I live for the inane mistakes, like when the text of an article includes the literals “START ITAL” and “END ITAL”. Or some half-drunk city desk guy gets to opine about Magic Golden Keys. It’s priceless, i tell you. You give a sinus-clearing snort, and resign yourself once again to a newspaper written and edited by posturing pieces of wood, and you laugh and get on with life.

Anonymous Coward says:

Playing devil's advocate

A “golden key” is a backdoor, but a backdoor might not necessarily be a “golden key”.

A “golden key” implies a key, contrasting with other kinds of backdoor which do not use a key.

For instance, a backdoor where turning on the phone while shorting a couple of test points in its main board were enough to bypass the phone encryption would not be a “golden key”.

Anonymous Coward says:

You do realize that what is proposed is actually supported in both Microsoft BitLocker and Apple FileVault. It just simply storing your private key with the company or on your own server. Replace “Magic” with “Private” and you don’t have unicorns and rainbows anymore, but irl they should give the end-user’s the choice as they do currently.

Apple File Vault 2: http://support.apple.com/kb/ht4790

For Microsoft in a business situation: http://technet.microsoft.com/en-us/library/dd875531%28v=ws.10%29.aspx

For Microsoft in a home situation: http://windows.microsoft.com/en-us/windows-8/bitlocker-recovery-keys-faq

John Fenderson (profile) says:

Re: Re:

“Replace “Magic” with “Private” and you don’t have unicorns and rainbows anymore”

Yes you do. If a third party is holding your private key, then it isn’t private anymore. Functionally, doing so is exactly the same as having a universal key and it has all the same problems and all the same unicorns and rainbows.

Anonymous Coward says:

Re: Re: Re:

John,

I hate to tell you, but almost every FDE product out there has something like this. I used Apple and Microsoft as examples, but CheckPoint uses an EndPoint Policy Manager. Do you think the average consumer is going to have a server to backup the private keys to? Most that I know will end up using DropBox, iCloud, OneDrive, et al which is basically the same thing. You can’t store the private key for decryption on the same device for recovery, so it’s either purchase a server to run your own and make sure you have backups or lease cloud space which basically makes the key public to someone else.

Actually, this whole argument sounds like a good KickStarter project, some cheap Arduino boards to basically do a password/key manager and I would integrate OAuth with a mini lcd display.

John Fenderson (profile) says:

Re: Re: Re: Re:

“almost every FDE product out there has something like this”

I’m not sure what you’re talking about here. I’ve used several FDE solutions for Windows and Linux, and have yet to be required to store my keys on a server of any sort, let alone a third party server.

“You can’t store the private key for decryption on the same device for recovery, so it’s either purchase a server to run your own and make sure you have backups or lease cloud space”

Or do what I do: store the keys on a memory stick. They’ll also fit on floppies if you are really old-school.

Anonymous Coward says:

Didn’t RSA build a “Golden Key” into the it’s elliptical curve random number generator. Then NIST made this golden key the default encryption option.

Where has the Washington Post been for the last year? I’m sure China’s gonna want it’s own “Golden Key” too, so they can crack down on all the unruly young people protesting in Hong Kong.

The Washington Post is advocating for repression and tyranny. Shame on them.

John Fenderson (profile) says:

Re: Re:

“Didn’t RSA build a “Golden Key” into the it’s elliptical curve random number generator.”

Not quite. The ECC problem was not a golden key, it was an intentional weakening of the random number generator. This by itself did not remove or bypass encryption. It made it possible to break the encryption, but doing so still took nontrivial effort.

Corky Boyd (profile) says:

Encryption security

It is comforting that there is this reaction to Apple’s encryption system. Seems it is highly resistant to prying eyes. Most important it encrypted all the way through which means there is no clear text or voice in the server’s hands that can be read with only a subpoena.

Intercepting US mail and reading it requires a court order. The public should expect no less for private phone conversations. Unfortunately official snoopers consider all communications their business even without probable cause. Justice prevails.

John Fenderson (profile) says:

Re: Encryption security

“Most important it encrypted all the way through which means there is no clear text or voice in the server’s hands that can be read with only a subpoena.”

Perhaps I misunderstood what Apple & Google have done here, but my understanding is that they’re encrypting the contents of the phone itself and not keeping a key for themselves. This has nothing to do with whether or not the data is encrypted outside the phone (is the server’s hands).

Anonymous Coward says:

Re: Re: Encryption security

As someone well versed in this, from an end user perspective, my understanding is the same as yours.

They are encrypting by default the contents of what is on a phone itself, with only the end user/owner being able to decrypt it.

Anything outside the phone (text messages, call logs, emails, etc.) is still subject to subpoena through a proper warrant. And that’s what really drives home the point about the lack of understanding on the part of many complaining about the encryption coming to these devices pretty soon. That data is still legally accessible through the proper channels. All this means is you can’t just grab a phone and go through it down the line.

John Fenderson (profile) says:

Re: Re: Re: Encryption security

“Anything outside the phone (text messages, call logs, emails, etc.) is still subject to subpoena through a proper warrant”

And we need to keeping pointing out that anything on the phone is also still subject to subpoena. The only change is that the subpoena must be issued to the owner of the phone instead of to Apple or Google.

Anonymous Coward says:

Encryption security

I guess if the owner of the phone refuses to turn over the decryption key … 

Then it’s a self incrimination rather than a privacy issue.

The owner of the phone may be someone else than the person whose name is on the purchase invoice or who pays the monthly bill.

Or the phone may have been shared among a large group of persons or it may have been acquired through second hand sale by the most recent user.

One great reason for officially refusing to hand over any password is that you by admitting knowing the password implicitly convey that you likely are aware of any potentially incriminating contents of the phone including contents planted by the police to frame you.

Loudly refusing gives the government more work and forces the issue into court where the self incrimination argument can be determined.

If asked by the police if you are the sole user of the phone just plead the Fifth and state politely that you only answer questions after assistance of counsel.

Answering that you are the sole user of the phone likely makes knowledge of the password a foregone conclusion and effectively waives any Fifth Amendment protection.

The government should have to work hard to establish that you are the sole user of the phone.

The real problem for the government in using the subpoena power to compel a suspect to turn over a password is proving ownership and the other elements sufficient to make the testimonial implications flowing from disclosure of the password a foregone conclusion.

Subpoenaing the information from a person involved in a crime may be possible, but the government doesn’t like it because it may compromise the secrecy of an ongoing government investigation.

If Bob’s phone is seized by the police, and they can get a subpoena compelling Bob to turn over the password, the investigation is no longer a secret and Bob will be on notice that he is under investigation.

If he is not immediately taken into custody,he can arrange a covert signal with his accomplishes alerting them to the fact that his phone has been seized and that everyone must immediately dispose of their codes.

GEMont (profile) says:

Social Engineering

Its already started and its a pretty big campaign actually.

This morning’s news had a long piece about a cop who “pimped out his wife” and sold drugs, among other crimes, and was caught ONLY because investigators had the use of “the backdoor” to read his incriminating emails.

The spokesman (I missed his name) claimed they “would never have caught the guy” if his cell phone had the new full encryption that was planned to be put in place by Google and Apple and other manufacturers soon.

It really does seem to be that the cops are going to claim repeatedly that lack of encryption is essential to the capture of criminals. I guess before cell phones, criminals had to arrest themselves and confess on paper before the cops could catch them.

You can’t really blame the bad guys in white hats for trying to prevent encryption though. After all, they’ve spent millions of tax payer’s dollars and many years making sure that Americans have the least secure communications on earth.

A step forward for the public is a step backwards for the folks in law enforcement, because then they would have to go back to using barbaric detective work, savage investigation analysis and old fashioned common sense.

Techniques which apparently, never worked and never caught any bad guys.

Anonymous Coward says:

Encryption securityf

No, the Fifth Amendment allows you to refuse to disclose information that may furnish the link in the chain of evidence if the evidence may either incriminate you directly or indirectly lead to incriminating evidence.

The only exception to this rule is if the government already can establish from an independent source that you knows something.

Also remember that the civil contempt power is time limited because it’s not intended to be punitive.

Criminal contempt is an entirely different beast and you can in fact be sentenced to real punishment for criminal contempt.

But criminal contempt requires proof beyond a reasonable doubt.

Laszlo Marai (user link) says:

Not exactly equal

While true that no back door or golden key is needed for a number of reasons (some of them you also mention), the two solutions are not equal.

A back door, while it could mean anything, conventionally would be a feature implemented in the software on the phone, that would allow anyone knowing it get around the encryption. It could be anything like a hidden key on the phone, a software service that would leak a few bits of the encryption key, etc. The point is that all the info is on the phone and thus can be found out by only looking at the phone OS and, once found out, can be utilized by having only the phone.

A golden key, on the other hand, is controlled by the phone manufacturer, so utilizing it means their help. Now true, that by a golden key, the WP authors probably really meant a single key, so if that leaks that would make the two equal. The ‘golden key’, could however be a per phone one (stored or generated on demand at the manufacturers) which would mean that just because the law enforcement guys got hold of a key, they cannot pass it on two the criminals or the other agencies to use it to unlock other phones. Of course, criminals could still steal these from the phone manufacturers which is a real danger.

I agree with you that phones (AND clould storages!) should be encrypted, just saying that the threat level is not 100% equal in both cases.

Also, even if google and apple give in, criminals and privacy aware citizens will still be able to get around this with custom ROMs. At least in the case of android.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...