Former NSA Lawyer Says Reason Blackberry Failed Was 'Too Much Encryption' Warns Google/Apple Not To Make Same Mistake

from the give-it-a-rest,-stew dept

There are times that I wonder if former NSA General Counsel Stewart Baker is just trolling with his various comments, because they’re so frequently out of touch with reality, even though he’s clearly an intelligent guy. His latest is to join in with the misguided attacks on Apple and Google making mobile encryption the default on iOS and Android devices, with an especially bizarre argument: protecting the privacy of your users is bad for business. Oh really? Specifically, Baker engages in some hysterically wrong historical revisionism concerning the rise and fall of RIM/Blackberry:

Baker said encrypting user data had been a bad business model for Blackberry, which has had to dramatically downsize its business and refocus on business customers. ?Blackberry pioneered the same business model that Google and Apple are doing now – that has not ended well for Blackberry,? said Baker.

He claimed that by encrypting user data Blackberry had limited its business in countries that demand oversight of communication data, such as India and the UAE and got a bad reception in China and Russia. ?They restricted their own ability to sell. We have a tendency to think that once the cyberwar is won in the US that that is the end of it – but that is the easiest war to swim.?

While it’s true that some countries, like India, demanded the right to spy on Blackberry devices, the idea that this was the reason for the company’s downfall is ludicrous. First of all, RIM gave in to some of those demands anyway. But, more importantly, the reason that Blackberry failed was because the company just couldn’t keep up from an innovation standpoint — and that’s because early on it made the decision to focus onenforcing patents, rather than truly innovating. RIM got fat and lazy by getting an early lead and then focusing on protecting it, rather than keeping up with the market. And… one of the reasons it got that early lead was because companies were willing to buy into the Blackberry in part because of its strong encryption.

The idea that encryption was bad for business because China and Russia couldn’t spy on people is not only ridiculous and silly, but it appears to be Baker supporting authoritarian states spying on its citizenry. What the hell, Stewart?

Beyond that, Baker insists that, really, the public doesn’t want encryption anyway, and if people only knew what was really going on with the “bad guys,” we’d all be willing to give up our privacy:

Baker said the market for absolute encryption was very small, and that few companies wanted all their employees? data to be completely protected. ?There?s a very comfortable techno-libertarian culture where you think you?re doing the right thing,? said Baker.

?But I?ve worked with these companies and as soon as they get a law enforcement request no matter how liberal or enlightened they think they are, sooner to later they find some crime that is so loathsome they will do anything to find that person and identify them so they can be punished.

Right. And that’s what basic police and detective work is for. It doesn’t mean that you need to weaken the security and privacy of everyone else. Anyway, let’s see if Baker goes out and shorts Apple and Google’s stock now that he believes encryption and protecting the privacy of their users is really so bad for business.

Filed Under: , , , , , , , ,
Companies: apple, blackberry, google, rim

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Former NSA Lawyer Says Reason Blackberry Failed Was 'Too Much Encryption' Warns Google/Apple Not To Make Same Mistake”

Subscribe: RSS Leave a comment
77 Comments
Ninja (profile) says:

Unless you intentionally mislead the average Joe into thinking that encryption is only used for criminal activities nobody will agree with anything being said here. Encryption is both essential and desirable.

I used “mislead” and “only” in italics because that’s precisely the strategy I began to see here and it’s spreading throughout the world (I’ve seen clueless news here parroting the same bullshit). I think it’s about time we unite and start explaining what encryption is and why these morons from law enforcement advocating against it are so wrong.

Rabbit80 (profile) says:

I’m not actually all that bothered about encryption on my phone – I don’t keep much on it anyway and I can remotely wipe / disable / back up / track it anyway.

On my computer however, things are a little different. I use bitlocker to ensure it is all encrypted (Using both a TPM and a USB key which I carry around with me) – not to stop law enforcement (although they would have to have a very convincing warrant for me to give up the keys), but because I use it to run an offsite backup of works servers – which, as we are a scanning bureau, contain over 400GB of data, most of which consists of legal files for criminal cases, personal data, accountancy data etc. It would probably be criminal for me to NOT keep this kind of information encrypted!

Anonymous Coward says:

Re: Re: Re: Re:

That’s only for desktop users. If you run your own Active Directory, you can store keys in the server and nothing touches Microsoft. Same is also true for Apple’s FileVault. With the death of TrueCrypt, and CipherShed still not fully vetted, alternatives are still sort of limited. Though I would probably trust CipherShed more than Symantec/McAfee at this point.

Also you can use Bitlocker without ever signing into a Microsoft account on account creation, thus no OneDrive to upload to. The same is true for Apple’s FileVault.
As far as security, they’ve both pretty well have been vetted, even Bruce Schneier’s blog says that they are not bad.
BitLocker
FileVault2

What half of the idiots don’t realize is that FDE is only good when the device is turned off, and even then with enough time and effort pretty much anything is vulnerable if they have the hardware.

Anonymous Coward says:

Re: Re: Re:2 Re:

… with enough time and effort pretty much anything is vulnerable…

AES ?

I am informed that the Earth is believed to be about 4 1/2 billion years old. The best guesses for the age of the universe, I think, are about three times that.

There are also energy considerations. Via Schneier:

Or read what I wrote about symmetric key lengths in 1996, in Applied Cryptography (pp. 157–8):

One of the consequences of the second law of thermodynamics is that a certain amount of energy is necessary to represent information. To record a single bit by changing the state of a system requires an amount of energy no less than kT, where T is the absolute temperature of the system and k is the Boltzman constant. (Stick with me; the physics lesson is almost over.)

 . . . .

New Mexico Mark says:

Re: Re: Re:5 Re:

And of course, encryption is not meant to withstand any attack forever. It is intended to exceed the resources (time, money, focus, constraints, etc.) an attacker would reasonably bring to bear to gain access through the encryption layer vs. obtaining that data via other methods. Essentially, it is cost/benefit analysis.

We also act in faith to a certain extent that the assumptions behind a particular method of encryption haven’t changed. (I.e. a mathematically efficient way to reverse a one-way function or a weakness in “random” number generation has not secretly discovered.)

The “my data is encrypted using xyz method and you will never be able to get to it. Never! Bwahahahaha!” is unrealistic. Methods to protect data are business decisions as well as technical ones, so using commercial tools in a way that reduces the likelihood of preinstalled backdoors is reasonable.

One might presume the reason the NSA screams so loudly about large shifts toward even moderately strong encryption is not because they can never decrypt any particular communication, but rather because they can’t easily intercept/store the vast majority of communication (and have a much narrower field of “interesting” encrypted traffic). In other words, the cost/benefit ratio has been shifted dramatically.

After all, if a government really wants my data and is not constrained by law, there are extremely efficient decryption solutions available today that can defeat any known methods of encryption I may have employed.

https://xkcd.com/538/

John Fenderson (profile) says:

Re: Re: Re:3 Re:

“… with enough time and effort pretty much anything is vulnerable…”

With a single change, this assertion is correct. The change is to remove the words “pretty much”.

Even AES. All of those claims about how it would take longer than the lifespan of the universe to break are based on brute-force attacks, which is not how breaking them is done in the real world.

Ignoring quantum encryption (which is still purely experimental and largely theoretical) and excepting one-time pads (which are very difficult — although certainly not impossible — to do properly), there is no encryption scheme which is unbreakable.

The value of encryption is not to keep something a secret forever. If you need to do that, then you’re better off using different methods. The value is to make breaking so time-consuming and expensive that by the time it has been accomplished, the data that was encrypted is not so critical anymore.

Anonymous Coward says:

Re: Re: Re:4 Re:

there is no encryption scheme which is unbreakable

Do you have a proof of that?

To prove:

Every encryption scheme which cannot be broken with less effort than brute force is necessarily equivalent to a Vernam cipher.

I’ve never seen that proof.

No more than I’ve ever seen a proof that P != NP.

Anonymous Coward says:

Re: Re: Re:5 Re:

there is no encryption scheme which is unbreakable

Immediate prior clause from the post

and excepting one-time pads (which are very difficult — although certainly not impossible — to do properly),

A one time pad, done properly is theoretically unbreakable. Because it uses a pure random key, it is possible to generate a key, of the same length as the message, to translate (decrypt) it into any string of the same length; which includes all meaningful strings of the message length, including padded strings, in all languages that can be represented in the coding scheme that could be represented by the encrypted message. Hence, providing a key that produces a meaningful message is not proof that that is what was sent.

JP Jones (profile) says:

Re: Re: Re:5 Re:

Oh, you’d like my passord. Happy to oblige.

And where do you store this password? I’m willing to bet you don’t have it memorized.

The nature of passwords is that the harder it is to crack, the harder it is for humans to remember. If the password becomes too difficult to remember, and must be stored, it’s now worthless (because the password to store the complex password will need to be easy enough to remember…which defeats the purpose of the complex password).

Either way, the point is that it’s much easier to crack a password than the encryption it protects. Computers have gotten powerful enough that even standard computers using a graphics card can test an insane amount of passwords per second. A specialized computer, such as EFF’s Deep Crack, would break your hash in under a month.

Passwords are like a door lock. They’ll stop someone from easily breaking in, but even the toughest door or most complex lock is only going to buy you time. A determined attacker is getting in.

Anonymous Coward says:

Re: Re: Re:3 Re:

AES is an algorithm, not an implementation. Bitlocker is an implementation, and it includes parts that significantly weaken the potential security in ways that are not trivially verifiable.

Most AES implementations used in today’s products are seriously flawed, and do not adhere to the theoretical mean time required to brute force the theoretical model.

Anonymous Coward says:

Beyond that, Baker insists that, really, the public doesn’t want encryption anyway, and if people only knew what was really going on with the “bad guys,” we’d all be willing to give up our privacy:

Given that governments are looking more and more like the bad guys, it is strong encryption, or out with the pitchforks, and I doubt that he would like where the latter would be applied.

Anonymous Coward says:

Re: Re:

Just so. Very few – if any – of these public-facing government apologists have come out and said “Gosh, maybe all this encryption talk is because we got caught hoovering up everything in sight.”

And, implying that “bad guys” don’t already use encryption or some other sort of obfuscation leads to two premises: one, the government is only capable of catching profoundly stupid criminals; and two, they really, really don’t want average citizens to become opaque to mass surveillance.

Anonymous Coward says:

Re: Re: Re:

Actually it is a pseudo-issue: As soon as you start discussing encryption at all, the bad guys not encrypting will already be more likely to encrypt.
The clever thing from a law enforcement perspective with raising this specific debate, is the highlighting of some encryptions not being valuable. Therefore, as soon as they stop talking about encryption as the death of the world, the bad guys will feel uncomfortable. The lack of discussion would be worse than getting hammered in public opinion on this issue…

Anonymous Coward says:

” “But I’ve worked with these companies and as soon as they get a law enforcement request no matter how liberal or enlightened they think they are, sooner to later they find some crime that is so loathsome they will do anything to find that person and identify them so they can be punished.

“loathsome” crimes? Well…

We’ve been trying, but — as amply documented here at TD and elsewhere — the CIA insists on redacting the names of torturers and their accomplices.

Anonymous Coward says:

But I’ve worked with these companies and as soon as they get a law enforcement request no matter how liberal or enlightened they think they are, sooner to later they find some crime that is so loathsome they will do anything to find that person and identify them so they can be punished.

Sounds just like the usual trolls here, claiming to work for tons of artists who all apparently demand DRM on every disc and a fine for every customer.

Don’t count on either to prove their credentials, of course.

DigDug says:

Lies, damned Lies and even more Damned Lies

BlackBerry opened the back door to the encryption for India to steal everything going through them.

This is more likely the reason why they died, the inability to trust the encryption to prevent government snooping.

India’s laws are also why jobs outsourced to India never actually receive the data, only video feeds from terminal servers located outside of India to get around the “We must see all data coming in and going out of our country”.

Call me Al says:

Re: Lies, damned Lies and even more Damned Lies

As a Blackberry user for my work phone I can confirm that the main reason I want to give it up is because it is rubbish… not because the government can spy on it. I tend to assume they could spy on whatever phone I have anyway.

Sadly I have no control on the choice of phone.

David says:

Quite the opposite

I should think that the reason Democrats failed in Congress was far too much undermining of encryption, privacy, and accountability.

In contrast to phones, sadly there is no convincing “sucks less” alternative from the market leaders.

The Nobel Peace Prize winning product announcement from the Democrats last time round has been a thundering disappointment, and now the battery is dead with the contract running for another two years.

It’s not clear who will be producing the successor model, but it’s pretty clear that it will deserve the name watchU.

Anonymous Coward says:

Re: Quite the opposite

I suspect you’re right. If the Democrats had actually delivered — let’s say, on robust investigation and vigorous prosecution of Wall Street — then they could have easily carried the day. But they didn’t, and as a result, they failed to distinguish themselves from the Republicans. And thus there was simply no motivating reason for Democratic-leaning voters to get out to the polls.

Mid-term elections are (almost) always about turnout and that won’t go in favor of any political party unless their base has a cause (or two or three) to rally behind. The Democratic Party has made the strategic political mistake of trying to be “centrist” when in fact no such political position exists any more in the United States. (I don’t say that because I approve of the situation, I say that because it’s true.) By moving farther and farther right (in an attempt to catch moving and mythical goalposts) they’ve lost far more support than they’ve gained. And now they’re paying for it.

Pragmatic says:

Re: Re: Re: Quite the opposite

Now that the Republicans have control of both Houses, who are you going to blame when the economy goes belly up again, encryption is still considered a terrorist/criminal act, and we’re still ass-deep in surveillance?

Just askin’.

‘Cause you can stop blaming Obama for whatever happens till the next election NOW.

John Fenderson (profile) says:

Re: Quite the opposite

Indeed. The decline of Blackberry began when they weakened their security in order to operate in certain repressive regimes. Blackberry was already behind the curve in terms of features and usability at that point, and the primary reason people and companies gave for sticking with them was that it was the most secure option.

When that was no longer true, there was no reason for people to stick with it.

PaulT (profile) says:

““Blackberry pioneered the same business model that Google and Apple are doing now – that has not ended well for Blackberry”

The same can be said for Nokia. Was that an encryption problem too?

“They restricted their own ability to sell.”

Yeah, I remember once I got into the market for a smartphone, the Blackberry’s dated UI was a turn-off compared to competitors and in business terms the requirement for BES subscriptions for certain features was something of a turn-off when considering new options. In both cases I rejected them and went with competitors. That trend has continues as friends and colleagues have rejected them in favour of iPhones and Samsungs even if they preferred the physical keyboard, which was one of the Blackberry’s major attractions. WhatsApp and similar cross-platform apps pretty much killed Blackberry as an option for many once they got away from needing it to use BIM. only its cheap price seemed to keep many interested, and even that market’s gone once cheaper Androids became ubiquitous. If only they hadn’t restricted their own ability to sell by not keeping up with the demands of their market.

Oh wait, this is about *encryption*? Oh, whichever scapegoat you prefer, I suppose…

Anonymous Coward says:

the only ones worried about too much encryption on devices are the security forces! they are supposed to be ensuring our safety in the first place, being unable to read and listen to everything that everyone says and writes stops them from doing that? i very much doubt it!! it may mean those security people have to do a little more work, like they did prior to the internet and mobile devices, but throwing all surveillance eggs into one basket and saying that is stopping them from finding those pesky criminals seems rather OTT!!

Michael (profile) says:

Blackberry had limited its business in countries that demand oversight of communication data, such as India and the UAE and got a bad reception in China and Russia.

So what he is saying is that companies should comply with oppressive regimes that want to monitor all communications because that is a better way of doing business.

Yay for the American way!

Anonymous coward says:

BB failed because it SUCKED! Sure they are uber secure because of their encryption which is very useful in a corporate/enterprise environment. But the “masses” like APPS, we like FUN, we like USEFUL devices in general. We DON’T want to lug around multiple phones. When you become BORING, you lose business. And BB became just that.

Anonymous Coward says:

Since when does he know what the public wants regarding encryption? Based on that presumption, it appears baker knows what the public wants for everything, not just phones. What else can he tell us about ourselves that we don’t know?

Perhaps he can tell me what car I should buy, since he knows what I what. Let me guess, one thatcontinuously transmits a GPS signal and can be remotely shutdown if there’s reasonable suspicion?

connermac725 (profile) says:

In what world

Beyond that, Baker insists that, really, the public doesn’t want encryption anyway, and if people only knew what was really going on with the “bad guys,” we’d all be willing to give up our privacy:

In what world do people not care about their privacy Baker is another fear monger
I encrypted my phone just because of people like him clueless

Pronounce (profile) says:

This Encryption Arms Race Needs a Change of Tactics

As was recently reported in PCWorld Microsofts top legal counsel is calling this an encryption arms race.

I suggest we take a page out of the spook agencies’ handbook and be more aware of who is looking at whom.

The technology to do this readily available and in place, but the funding needed may prevent anything like this from happening.

My vision is to create a system by which standardized honeypots are located in the DMZ of routers and the firmware of mobile devices and then report to a community monitored database that shows who is looking at home in real time.

Using projects like Tomato and DD-WRT and Cyanogenmod to develop an open source honeypot project with standard updates to stay on top of the latest attacks and then each device reporting to a centralized public domain database showing aggregate data that highlights the type of attack and the targets of the attack.

Anonymous Coward says:

appears to be Baker supporting authoritarian states spying on its citizenry

As the years go by, it gets harder and harder to see very much difference between the actions of the US and other 1ˢᵗ world countries. They are all doing the same things and what they are not doing that distinguished them from each other is fading into a blurry undefined border that gets ever more difficult to compare those differences. It’s like everyone is going back to a banana republic.

Now add lawyer + NSA and if that isn’t recipe to hear a lie, it only misses politician in the mix. While I read what is reportedly said here from the NSA, in the back of my mind I always hear, “This is the NSA and it lies all the time”. I now filter all incoming input from that group with that in mind. Nearly nothing do I accept coming from them at face value. It always requires supporting evidence from someone else to have a hint of believability to it. Government does not supply supporting evidence because it too is caught in the same trap. Given that it has lied so much, when it comes time to believe because they need you to have faith, it’s not there now. I won’t take their info at face value. They have squandered the inherent trust and the ability to be taken at face value with things like “We’re the good guys”.

John Fenderson (profile) says:

Re: Make it yourself encryption.

“would it be impossible to think that organized terrorists could make encryption themselves?”

Not impossible at all, but if they do then they’re fools. It’s actually really, really hard to come up with strong homebrew encryption, and it’s even harder to verify that the encryption you have is any good.

Crypto is a highly specialized field of mathematics. If you aren’t an expert in it, you’re begging for trouble by going the DIY route.

John85851 (profile) says:

Slippery slope

… they will do anything to find that person and identify them so they can be punished.
I’m surprised no one picked up on this slippery slope of abusing rights. It starts by doing “anything” to stop a bad guy (terrorist, child molester, etc). Then when the police break some rules, like gathering data without a warrant, and get their man, this will set a precedent so they can continue doing it. “Just this once” to stop a “terrorist” never seems to be just once.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...