Manhattan DA's Office Serves Up Craptastic White Paper Asking For A Ban On Encryption

from the and-just-a-couple-of-backdoors,-maybe-FOR-SAFETY! dept

Manhattan DA Cyrus Vance may not know what the fuck he’s talking about when he discusses encryption, the internet and other tech-related issues. But that’s certainly not going to keep him from talking about them.

A just-published “white paper” from the Manhattan DA’s office (h/t Matthew Green) offers up all sorts of stupidity in its attempt to justify anti-encryption legislation.

It starts with lofty ideals…

This Report is intended to:

1) Summarize the smartphone encryption debate for those unfamiliar with the issue;
2) Explain the importance of evidence stored on smartphones to public safety;
3) Dispel certain misconceptions that many privacy advocates hold about law enforcement’s position related to encryption, including the myth that we support a “backdoor” or government-held “key;”
4) Encourage an open discussion with technology companies, privacy advocates, and lawmakers; and
5) Propose a solution that protects privacy and safety.

… before throwing most of these out completely, starting with the “open discussion” with the affected stakeholders.

Vance’s office doesn’t want to burden the nation’s tech companies with “golden keys” or “good guy-only” backdoors. The paper admits such a “solution” would be complicated and expensive. (But not impossible, notably.)

His solution? Something that doesn’t burden tech companies, but simply leaves their customers unprotected. No backdoors will be needed because there will be nowhere to install one.

The federal legislation would provide in substance that any smartphone manufactured, leased, or sold in the U.S. must be able to be unlocked, or its data accessed, by the operating system designer. Compliance with such a statute would not require new technology or costly adjustments. It would require, simply, that designers and makers of operating systems not design or build them to be impregnable to lawful governmental searches.

That’s the big idea: a ban on encryption, presented disingenously as “Not A Ban.” For all the paper’s supposed “discussion” of the issues and contemplation of concerns expressed by companies and their customers, this is the DA’s office’s brilliant cure-all: federal legislation that would prevent companies from deploying encryption — at least not without holding onto a set of keys for government use.

Offered in support of these arguments are the horrendous laws being contemplated/passed in other countries like the UK and France. If they can do it, we can do it! Vance’s office argues any resulting harm to human rights civil liberties will be minimal. Undiscussed is the resulting harm to innocent users whose phones’ contents are no longer encrypted.

The paper also discusses various workarounds that have been suggested, like accessing the unencrypted contents of cloud storage services connected to users’ phones. The DA’s office says that just isn’t good enough. For one thing, not every user utilizes the cloud services offered by Google and Apple. The office’s argument against seeking other routes to communications and data is astoundingly terrible.

[S]martphone users are not required to set up a cloud account or back up to the cloud, and therefore, many device users will not have data stored in the cloud. Even minimally sophisticated wrongdoers who use their devices to perpetrate crimes and who have cloud accounts will likely take the relatively simple steps necessary to avoid backing up those devices, or data of interest, to the cloud. In most instances, only one or two selections must be made in the device’s settings to turn off the back-up function or to remove certain types of content from the back up.

There’s a huge problem with this paragraph. It makes the assertion that criminals are more likely to avoid utilizing cloud backup services while simultaneously noting that this process is entirely optional and will not be used by most people. Using this logic, an average user may also be a “minimally sophisticated wrongdoer,” at least as far as law enforcement can tell from what it finds stored in the cloud.

The underlying point is that lots of data and communications still reside within the phone itself and law enforcement will not be able to access this without Apple or Google leaving a door open for it.

The office does further damage to its own arguments for banning encryption by highlighting a string of successful prosecutions utilizing evidence recovered from cell phones. It uses this list to highlight the amount of “probative evidence” obtained from cell phones while simultaneously (and inadvertently) pointing out that law enforcement really hasn’t been stymied by encryption, despite Vance’s FUD-filled imaginations to the contrary.

And, finally, let’s take a look at one more bogus analogy made by Vance’s office, in which he tries to equate phones with houses.

The Fourth Amendment dictates that search warrants may be issued only when a judge finds probable cause to believe that a crime has been committed and that evidence or proceeds of the crime might be found on the device to be searched. The warrant requirement has been described by the Supreme Court as “[t]he bulwark of Fourth Amendment protection,” and there is no reason to believe that it cannot continue to serve in that role, whether the object that is to be searched is an iPhone or a home.

In fact, what makes full-disk encryption schemes remarkable is that they provide greater protection to one’s phone than one has in one’s home, which, of course, has always been afforded the highest level of privacy protection by courts. Apple and Google should not be able to alter this constitutional balance unilaterally. Every home can be entered with a search warrant. The same should be true of devices.

A more honest analogy would compare phones to computers, which is basically what they are. While a warrant may give cops access to someone’s computer — allowing them to seize it — it does not guarantee they’ll be able to access its contents. Vance wants to compare opening a phone to opening a door, but it’s not a true comparison. If people could make their houses as impregnable as their phones and computers, some very likely would — and not just the theoretical “minimally sophisticated criminals.” A house that cops can’t get into is a house criminals can’t get into. But there’s no way to encrypt a door or window.

The paper tries to portray this as somehow making phones more private than houses in terms of the Fourth Amendment. But encrypted phones have nothing to do with a heightened expectation of privacy. Encryption makes phones more secure than houses, not more private than houses. The Fourth Amendment considerations aren’t being shifted. It’s only the level of instant access that’s being changed. Vance’s office — being part of the law enforcement community — should welcome efforts that make citizens more secure. Instead, all it’s doing is bitching loudly and disingenously about all the power it imagines encryption will strip away from it.

Filed Under: , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Manhattan DA's Office Serves Up Craptastic White Paper Asking For A Ban On Encryption”

Subscribe: RSS Leave a comment
55 Comments
Anonymous Coward says:

Re: Re:

They’re fucking robots, man. Seriously. If you get a chance to actually talk with one of them, take it. They have zero sense of morality beyond blind faith in their rules and procedures and expanding the reach of those procedures and rules. In their minds, all the procedures and rules are good, so increasing the scope of those procedures and rules is good. Fucking. Robots.

Anonymous Coward says:

what a fucking tool

people always wonder why insurrections are always so full of blood?

This is our answer… after enough fucktards like this spew their considerable bullshit all over the place people are already frothing out of the mouth by the time they come for them, they have already had enough to the point where only ruthless bloody murder will quench their rage.

Almost Anonymous (profile) says:

A more honest analogy would compare phones to computers, which is basically what they are. While a warrant may give cops access to someone’s computer — allowing them to seize it — it does not guarantee they’ll be able to access its contents.

Excellent point. And I suspect strongly that this guy is not as stupid as he seems, he’s probably already got the white paper written for “banning/not banning” PGP and VeraCrypt* from desktop computers. For reasons.

*I still use TrueCrypt 7.1a, by golly.

Jason says:

Apple and Google should not be able to alter this constitutional balance unilaterally.

No. The government should not be able to alter this constitutional balance unilaterally. The problem is, that’s exactly what they’ve done. And then they spun themselves into a frenzy trying to keep anyone from finding out about it.

Anyone in law enforcement with an ounce of integrity ought to be able to recognize the hypocrisy on display with all of this hand-wringing.

crade (profile) says:

“It would require, simply, that designers and makers of operating systems not design or build them to be impregnable to lawful governmental searches.”

So not a ban on encryption, but just a ban on having it installed by default? So the average users can’t have security, but no law against installing it yourself, so the motivated can?

Anonymous Coward says:

a quote by Vance in the ARS article.

“government’s principal responsibility to keep its residents safe”

No. No, man. Shit no man. I believe you get your ass kicked for saying something like that.

the governments principal responsibility is to UPHOLD THE CONSTITUTION at all costs

THIS GUY swore an oath:

“I do solemnly swear (or affirm) that I will support the constitution of the United States, and the constitution of the State of New York, and that I will faithfully discharge the duties of the office of ……, according to the best of my ability;”

https://www.dos.ny.gov/info/constitution/article_13_public_officers.html

That One Guy (profile) says:

Re: Not just wrong, fractally wrong

You actually don’t even need to point out that he’s wrong for that reason, because even assuming he’s correct in his statement he’s still wrong.

If the primary responsibility of the government is to keep it’s resident’s safe, then the absolute last thing they should be trying to do is undermine the public’s safety, which destroying encryption absolutely would do. No matter which way you look at it, he’s absolutely wrong.

Anonymous Anonymous Coward says:

It would have made itself more of a white paper if they used white ink* on white paper. It would have been more read able too.

* OK I know there is no such thing as white ink, but they don’t know that. Besides, just distributing blank white paper would be faster, cheaper, and more able to have said whatever they want it to have said after the fact, a prosecutors dream.

DannyB (profile) says:

Let me fix that for you

Manhattan DA’s office:

It would require, simply, that designers and makers of operating systems not design or build them to be impregnable to lawful governmental searches.

Let me fix that for you:

It would require, simply, that designers and makers of operating systems not design or build them to be impregnable to hackers, scammers and thieves.

Kenneth Michaels (profile) says:

Whose devices? Their devices.

The report states: “For the above reasons, were Apple and Google once again to give themselves the ability to decrypt data stored on their devices, there would not be a significant loss of security. This, in combination with the safeguards provided by the Fourth Amendment, means that personal privacy would be successfully protected.”

The report is very confused: the devices belong to the end user, not to Google or Apple.

Anonymous Coward says:

Re: Whose devices? Their devices.

The report is very confused: the devices belong to the end user, not to Google or Apple.

Unfortunately, due to the abomination known as “copyright”, quite a bit of those systems still belong to Google and Apple, not the poor fools who think they actually own the whole thing they paid for.

Abolish copyright.

Anonymous Coward says:

Won't a keylogger/screenlogger be required?

The DA whitepaper wants to unlock & decrypt the data on the phone.

But what if the data was encrypted by an app installed on the phone? It’s unlikely that Apple could decrypt that app’s data.

So is the DA going to *require* that every phone include a keylogger & screenlogger to capture the data going in/out of every app?

So, there would then be a honeypot of keylogger & screenlogger data to attract criminals. These data would include bank account passwords and other bank account data.

These data would then be vulnerable to exfiltration by both physical access and remote access.

The OPM hack compromised 22 million people. The DA’s plan would compromise a billion people.

I’m going to cut this whitepaper into 4″ wide rolls and use it for its intended purpose. I just wish I had printed it out on softer paper.

Anonymous Coward says:

Let me take a guess, Cyrus Vance doesn’t remember the Fappening scandal that was caused by not using encryption? Or perhaps he wants criminals mugging people for phones again? I’m thinking the recent rise of encryption is only because of it has become in and of itself an necessity. These things had nothing to do with Edward Snowden, the NSA, or LEO operations, but I’m sure that will only add more reasons especially when it’s been shown that they don’t follow the laws themselves.

Ben (profile) says:

Impregnable?

It would require, simply, that designers and makers of operating systems not design or build them to be impregnable to lawful governmental searches.

This cannot, by definition, exclude encryption since no encryption is impregnable.

im·preg·na·ble
imˈpreɡnəb(ə)l/
adjective
·(of a fortified position) unable to be captured or broken into.
“an impregnable wall of solid sandstone”
·unable to be defeated or destroyed; unassailable.
“the case against Hastings would have been almost impregnable”

No encryption is impossible to break, just difficult (for large values of “difficult”).

383bigblock (profile) says:

New Product Announcement

We’re in luck, just saw a new ad from Levi’s and the GAP, they are introducing encrypted pockets in all of their jeans. Because, up till now, accessing your pockets is like accessing your home so to afford us new protections there will be adding encryption to the back pocket to protect the POPO from gaining access to your phone.

Is this guy an Asshat or does he just play one in real life.

wereisjessicahyde (profile) says:

Here's a funny thing

I’m a 40+ man from the UK. I remember at least some of what came to be known as “The Troubles” a conflict based in, and around the UK and Ireland. It lasted for at least 30 years but goes back many hundreds of years.

Over 3,600 people were killed and thousands more injured. Communities totally destroyed. Kids growing up living in fear. Families wrecked by terrorism on both sides – and it should not be forgotten the Army sent in to control the situation didn’t exactly help.

Anyway, enough of the sad history. My point is that people wanting to do harm to others did it perfectly well without the internet back then. It didn’t even fuckin` exist.

So what is the point of banning encryption? Even if the whole world turned off the entire internet the bad actors would find a way to communicate – just as they did in 1979.

The whole idea is just mental.

Anonymous Coward says:

Cloud users typically don't have informed consent anyway.

“the cloud” is an industry euphemism for: “shit I am not going to explain to you”. Tech industry marketers have been doing this for decades. They manufacture memes that are completely misleading and technically erroneous like: “cable modem”, or “firewall software”. “the cloud”, isn’t a thing. It is a reference to a variety of different kinds of managed data storage services.

Cloud users, 90% of the time, have NO idea what their exposure level is and thus no informed consent. The idea that turning off a cloud account is tantamount to terrorism, is quite inverted. ANY indexing of a cloud account is an act of corporate espionage. Securing that service to automated federal surveillance is a crime against the Constitution.

It is like saying: “Severe Genocide is bad.” Isn’t pretty much ANY genocide bad? You’d like to chalk it off to ignorance, but it probably isn’t.

He’s attempting to validate one evil by making it appear as if it’s already conceded, while arguing for some other evil. It is the same as calling FISC a “court”. (unless there is habeas corpus, there is no court. Using a word doesn’t make it so.) Mainstream journalists fall for this all the time. Fucking English lit majors. I swear they’ll be the death of us all.

As a citizen, I can assure him, these points are most certainly NOT conceded. But I imagine he’s already found that out. Perhaps the paper was written in service of a “leveraged” request, by a particular intelligence agency? Maybe because of something found on HIS cloud account?

Overturn Citizens United. Reinstate Glass Steagall. Bust the Trusts.

TechDescartes (profile) says:

Statewide Organization Openly Advocates Use of Full-Disk Encryption

Is the Manhattan DA aware of the existence of an organization with agents throughout his state openly advocating the effectiveness of encryption?

Encryption is a cryptographic operation that is used to provide confidentiality for sensitive information by transforming readable information (“plaintext”) into unintelligible information (“ciphertext”). Encryption is an effective tool in mitigating the threat of unauthorized access to data.

In fact, the organization takes this so seriously that it requires the use of full-disk encryption for its laptops:

Full disk encryption is required for all State issued laptops that access or contain SE information. Full disk encryption products must use either pre-boot authentication that utilizes the device’s Trusted Platform Module (TPM), or Unified Extensible Firmware Interface (UEFI) Secure Boot.

Yes, you read that correctly: “State issued laptops.”

Source: New York State Information Technology Standard No: NYS-S14-007, IT Standard: Encryption (last accessed Nov. 18, 2015).

That One Guy (profile) says:

Re: Totally different

Of course those in positions of authority and/or power both require and deserve to use the most secure protection available for their private data and communications, given such data is both valuable and a tempting target for hackers and other criminals.

However, members of the public neither need nor deserve protection for their private data and communications, as only criminals try and hide what they say and do. After all, ‘If you’ve done nothing wrong, then you have nothing to hide’.

(If you can read both of the above statements and see no conflict or double-standards, congrats, you have a promising career in politics and/or police work waiting for you)

Mark Wing (user link) says:

There’s plenty of effective means of secret communication that don’t even need a computer. You can do an old school one time pad with just a pen and paper, and communicate effectively over the internet without worrying if there’s a back door, because there’s no algorithm other than “words are numbered and stuff,” which even a brainwashed extremist can remember. You’re not going to catch people like that with just a computer program and a giant data stream. Take all that money and train more Navy SEALs or something productive.

But hey, don’t take my word for it. With a ban on encryption, we would join other proud nations like North Korea and Pakistan in our self-unaware idiocy.

Attention Terrorists: Feel the full power of our denial.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...