New Attorney General Loves Him Some Encryption Backdoors, Which Should Pair Up Nicely With FBI Director's Plans For The Future

from the you-make-it,-you-break-it dept

It looks as though this administration may be the Decrypto Party. Trump’s pick for Attorney General has already made it clear he thinks asset forfeiture is a damn good thing for the American public, even if it often deprives the public of their property without evidence of criminal wrongdoing or providing a valid avenue of recourse.

Now, he’s (once again) confirmed encryption shouldn’t keep law enforcement from accessing devices. The EFF reports that Sessions strongly hinted he’s in favor of encryption backdoors during his confirmation hearing.

Question: Do you agree with NSA Director Rogers, Secretary of Defense Carter, and other national security experts that strong encryption helps protect this country from cyberattack and is beneficial to the American people’s’ digital security?

Response: Encryption serves many valuable and important purposes. It is also critical, however, that national security and criminal investigators be able to overcome encryption, under lawful authority, when necessary to the furtherance of national-security and criminal investigations.

This dim view of the public’s use of encryption is nothing new for Jeff Sessions. While still a senator, Sessions made it clear he feels law enforcement’s “needs” should come before the general security of phone users. During the battle over access to the San Bernardino shooter’s iPhone, Sessions offered his support of an anti-encryption bill.

Republican Senator Jeff Sessions of Alabama questioned Cook’s position. “Coming from a law enforcement background, I believe this is a more serious issue than Tim Cook understands,” Sessions said. He said accessing phones is critical to law enforcement.

“In a criminal case, or could be a life and death terrorist case, accessing a phone means the case is over. Time and time again, that kind of information results in an immediate guilty plea, case over,” Sessions said. He added that the ability for government to access a phone should not be abused.

Well, yeah… “should not be abused.” That should go without saying. But would it be abused? Probably. Law enforcement used to search phones all the time without warrants until the Supreme Court put a stop to that. FBI plug-and-play kiosks allow LEOs to perform forensic searches at their convenience. Presumably the proper paperwork is in play, but it’s not as though the FBI’s going to frisk cops on the way to the FORENS-O-MATIC.

Add a backdoor and no phone is secure — not from the government and not from anyone who steals the device.

Sessions and backdooring encryption go back even further than last year’s iPhone battle. When Dianne Feinstein decided consumer devices had too much security, Sessions was there to pitch leading softballs and confirm her radicalization-via-Playstation Network fears.

I suspect what happened in the aftermath of Snowden, particularly Europe got very conservative with respect to encryption. And companies back away. Now, that’s changing with Paris and God forbid what might happen in the future. I think the world is really changing in terms of people wanting the protection and wanting law enforcement, if there is conspiracy going on over the internet, that encryption ought to be able to be pierced.

Well, Sessions was wrong about what the world wanted. Governments still remain reluctant to mandate encryption backdoors — despite law enforcement’s continual pleas and ongoing attacks in European nations. But being wrong never stopped anyone from exploiting tragedies to push agendas — even when Sessions’ view of the public mindset contradicts the public’s actual mindset

Adding to the mix is the federal government’s own Donnie Darko, FBI Director James Comey. Comey has yet to switch up talking points on encryption and continues to point to an impending criminal apocalypse that can only be thwarted by

a.) smart people making impossible things happen

b.) smart people being told what’s what by legislation mandating decryption/backdoors.

Comey now has a very sympathetic AG watching over his agency and his office. Very little good can come of that.

Filed Under: , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “New Attorney General Loves Him Some Encryption Backdoors, Which Should Pair Up Nicely With FBI Director's Plans For The Future”

Subscribe: RSS Leave a comment
That One Guy (profile) says:

You first

As always, anyone advocating for crippling security and making the public less secure should either put up or shut up. If crippled encryption is ‘safe enough’ then let their data, all of it, from bank info to medical records, personal emails and everything else be protected by deliberately flawed security, so they can show the public just how ‘safe’ it is.

Of course I don’t expect they’d ever do any such thing, because while they love the idea of screwing over the public and handing over the public to criminals everywhere in the process, they’d never put their own privacy and security on the line, hypocrites that they are.

Aaron Walkhouse (profile) says:

Re: The only argument that shuts these guys up is this:

Weaken encryption in the U.S. and all exports of software
and network-related technology “made in U.S.A.”will dry up.
Everybody, Americans included, will shop elsewhere for tech.

That’s trillions of dollars in new trade deficits, hundreds
of billions in lost profits to tech industries and tens of
billions in lost taxes every year until a new administration
undoes the damage and stops the bleeding.

Arguing about security and rights of the American people has
no effect on these clowns because they hold the public in
contempt, and always will. ‌ Show them what effect their dumb-
ass meddling will do to their billionaire friends and corporate
backers and they’ll quietly let the issue die off without ever
having to admit why it was a stupid idea to start with.

That One Guy (profile) says:

Re: Re: You first

Oh if such idiocy becomes law it won’t directly affect the ones pushing for it in the least, as you can be absolutely sure they won’t be using the Government Approved Encryption(with magical Unicorn Gates), but will of course continue to use encryption that actually works, because their privacy and personal data is of course a matter of National Security.

Sasparilla says:

Re: Just reclassify encryption as a munition

Just reclassify it as a munition.

Also issue national security based directives from the President with associate gag orders to smartphone, pc and software vendors to put the back doors in smartphones, PC’s and OS’s without announcing it. Most vendors would gladly roll over for this (Apple and maybe Google wouldn’t but would have their hands tied legally with the secret gag order) – and nearly all would want to keep it secret after its done so their sales don’t crater if word got out. I wouldn’t be surprised (after all we’ve seen) if we find out Apple was secretly ordered to do this last year and its already happened.

DannyB (profile) says:

Re: Re:

Violating the constitution is the new tactic.

A president can ensure that his own agencies won’t sue over it.

Private money and years of time must be expended to litigate against things unconstitutional. Depending on the subject matter, a successful litigation may be irrelevant by the time it is achieved through legal process.

What’s not to love? Violating the constitution, as long as it’s done at a high enough level is a win-win tactic.

Bamboo Harvester (profile) says:

Re: Re:

“but we still have to pretend we live in a democracy, no?”

One of the major failings of the public school system in the US.

US government is at NO level a “democracy”, no matter how much the left whines and pouts. Never has been, and hopefully never will be.

Google “Representative Republic” and find out for yourself what how the US governmental system works.

Roger Strong (profile) says:

Re: Re: Re:

Nonsense. The US is absolutely a democracy. It’s also a republic. The two terms are not mutually exclusive.

“Republic” just means that you don’t have a monarch.

“Representative Republic” means that you don’t vote directly on laws, but instead democratically vote in a representative who aligns with your views. Also equally known as “Representative Democracy”, it’s how most democracies work.

Anonymous Coward says:

Re: Re: Re: Re:

Yea, we know already…

Butchering the meaning of democracy to mean what you want it to mean. Sadly if you just check the “definition” you might find that you are fucking wrong… but don’t let me get in the way of you being stupid, its fun when you do it on the internet… amiright?

In fact here is the page on Wikipedia where you can go and edit the form of US Government it states that it is.

here is the CIA web page on what form the US is, you might not be able to edit it though.

You know so fucking much so go and tell the world! Don’t let the rest of us cock holes tell you what facts are mkay?

Roger Strong (profile) says:

Re: Re: Re:2 Re:

From your first link:

The United States is the world’s oldest surviving federation. It is a constitutional republic and representative democracy

And before you move the goal posts, the minority rights protected by law and the system of checks and balances defined by a constitution are a standard feature of democracies. There’s nothing particularly "republican" about them.

Grow up.

Anonymous Coward says:

Re: Re: Re:3 Re:

You need to grow up, idiot. It is tiresome to have to correct fellow citizens that should know these things.

Representative Democracy is a descriptive analogy of how people are elected into office, but in no way describes how the system of government itself operates.

You are direct reason why this nation will continue to fail. You think you know, but you you don’t understand anything. You don’t know your own head from a hole in the ground and continue to refer to things inappropriately while you have the actual information directly at your disposal.

That is the mark of a fool, data handy, yet no desire to understand it! The reason people like to mistakenly call this is a democracy is because like a Freudian slip, that is what they WANT it to be. Well, you might get your wish if you keep shitting this misinformation because it is well established that is you keep telling a lie often enough or create a lie based on some element of truth then they become pretty fucking effective lies.

The reason why things like the electoral college was created was to keep tools like you in check. You are exactly what the founding fathers hoped would not happen to America.

“There is a story, often told, that upon exiting the Constitutional Convention Benjamin Franklin was approached by a group of citizens asking what sort of government the delegates had created. His answer was: “A republic, if you can keep it.”

Now excuse me if I take a founders words over yours… no wait… how about you go and fuck yourself instead?

Roger Strong (profile) says:

Re: Re: Re:4 Re:

"Republic" just means that you don’t have a monarch. Your quote, in context:

A Mrs. Powel of Philadelphia asked Benjamin Franklin, “Well, Doctor, what have we got, a republic or a monarchy?” With no hesitation whatsoever, Franklin responded, “A republic, if you can keep it.”

His statement means one thing: The US is not a monarchy.

If there’s some difference other than the monarchy thing, then why don’t you tell us rather than acting like a six-year-old who just learned to swear?

(Again, electing representatives to vote on laws or vote in a President / Prime Minister is done in non-republican democracies too.)

Dingledore the Mildly Uncomfortable When Seated says:

Re: Re: Re:4 Re:

Outside of your tiresome and infantile insults, the crux of your argument is patently bollocks.

Yes, the Framers referred to a “pure democracy” in places, and the USA doesn’t have that. But you’re determinedly ignoring 3 things.

Firstly, the USA could not be run on a “pure democracy” because it would take too long to do anything and be too prone to fraud.

Secondly, and more significant to your florid yet poorly argued position, is that the Framers also referred to “representative democracy”, and did so with frequency.

Thirdly, the Framers did not invent democracy. Democracy in all it’s forms has been around for centuries. I suggest that the Romans would be in a particularly strong position to futuo off.

Next thing you’ll be saying is that someone doesn’t have a cat because they don’t have a “ginger cat”.


Anonymous Coward says:

Re: Re: Re:3 Re:

As long as those representative are allowed to be ignorant jackasses, who have magical friends that require we “teach the controversy,” we’re going to have to wrestle to keep from being entirely fucked. Anti-science, magical thinking has never been ideal, but, in a modern, high-technology civilization, it’s a recipe for socio-political disaster.

Cowardly Lion says:

Re: Re: Re: Re:

“…but instead democratically vote in a representative…”

I never considered that voting every 4 years for one of two or three guys was very “democratic”. At the height of the Cold War it always seemed to me that the US was perhaps at best as democratic as the old Soviets, depending on how difficult it would be to become an influential member of a political organization in either camp.

I always thought that Reagan and Thatcher were being ironic.

PaulT (profile) says:

There’s a couple of troubling things here in my mind.

“He added that the ability for government to access a phone should not be abused.”

But, it will if a backdoor is inserted and compromised by a non-domestic or non-government actor. Which is almost guaranteed over time. It can’t be restated enough – it doesn’t matter how well you hide the door you’re leaving wide open, once it’s located then anyone can use it, authorised or not.

“Time and time again, that kind of information results in an immediate guilty plea, case over”

…meaning that the case never makes it to trial. So, we never know if they actually found something incriminating or if they’re just able to use the phone as leverage to make the accused believe that a guilty plea is the thing to do whether or not they’re actually guilty. Call me paranoid, but “we regularly leverage access to a phone to bypass the need for a trial” is not a point in their favour.

“I think the world is really changing in terms of people wanting the protection and wanting law enforcement…”

…to be accountable for their actions and not bypass the law whenever they feel like it. Especially in light of the abuses of power that have led to the ordinary public wishing to use encryption in the first place, something that was never a priority until people found out how bad the abuses were. I somehow think that’s not what he was thinking though.

Ninja (profile) says:

Re: Re:

I’m pretty much a law abiding citizen and even copyright infringement for personal use is not even a civil issue here (I have ‘unauthorized’ music on my phone). Technically I have nothing to hide in my phone. Technically. Even then I don’t want somebody scrolling through my pictures, my private conversations and so on because they can. I want it locked shut behind encryption and good encryption while at it. I don’t want cops browsing through the nudes I exchange for my privacy and for the other parties involved privacy. I don’t want cops meddling with pictures from my family, reading conversations with my doctors and so on. There’s plenty of reasons why a law abiding citizen would want strong privacy protections.

timmaguire42 (profile) says:

The problematic legal aspect of asset forfeiture is not that the Attorney General thinks it’s ok (I don’t care what the AG’s position on it is, except perhaps tangentially as an aspect of his overall world view), but that the Supreme Court thinks it’s ok.

It’s obviously unconstitutional (not even a close call) and deeply troubling that freedom’s last resort has turned its back on the fourth amendment.

Anonymous Coward says:

However, encryption providers, such as VPNs, outside the United States, are not subject to American laws.

That is why this will never work, and why China’s crackdown on encryption and privacy tools will never work.

A VPN, or other privacy service, only has to obey the laws of the countries where the servers are. So China and the USA will never be able to enforce any kind of restrictions on encryption against offshore companies.

Anonymous Coward says:

Re: Re: Re:

The firewall might not work, if California, Oregon, and Washington vote to become the Republic Of Pacifica.

A wireless ISP could set up shop in South Lake Tahoe, and provide services in Stateline, Nevada, on the US side of the the border,the US government would no jurisdiction over a Pacifican ISP.

Also, someone with a cell phone could sign up with a cell phone provider on the Pacifican side of the border and get 3G/4G wireless internet. A Pacifcan cell phone provider, in this scenario, would not not subject to United States laws. The US government would not be able to stop a Stateline resident from going accross the border into Pacifica, walking into a cell phone store in South Lake Tahoe, and signing up for service with a Pacifican cell phone service provide.

Roger Strong (profile) says:

Re: Re: Re:

The problem is that the "country" status is usually just fantasy.

Sealand was built by the British government and sits within inside British waters. As Wikipedia states:

The United Kingdom is one of 165 parties to the United Nations Convention on the Law of the Sea (in force since 1994), which states in Part V, Article 60, that: ‘Artificial islands, installations and structures do not possess the status of islands. They have no territorial sea of their own, and their presence does not affect the delimitation of the territorial sea, the exclusive economic zone or the continental shelf’.

In the opinion of law academic John Gibson, there is little chance that Sealand would be recognised as a nation because it is a man-made structure.

At best it’s "privately owned by British citizens" who still live in Britain and collect the benefits of being British citizens. It’s essentially elaborate LARPing.

Anonymous Coward says:

Re: Re: Re: Re:

‘Artificial islands, installations and structures do not possess the status of islands. They have no territorial sea of their own, and their presence does not affect the delimitation of the territorial sea, the exclusive economic zone or the continental shelf’.

Tell that to the Chinese. The difference is the Chinese are a nuclear power. Sealand isn’t. If you don’t have nukes, you ain’t shit.

Anonymous Coward says:

Re: Re: Re:3 Re:

And yes, people ARE "telling that to the Chinese."

To which the Chinese are replying "Oh yeah? What you gonna do about it?"

It’s strictly a case of "might makes right."

Which was exactly the point. Sealand doesn’t have the might. If Sealand had, for example, a fleet of nuclear submarines with ICBM nukes cruising around the oceans, nobody would mess with them, "Law of the Sea" or not.

Anonymous Coward says:

Re: Re: Re: Re:

Sealand was built by the British government and sits within inside British waters.

That’s a little misleading. The platform on which Sealand rests was constructed in international waters and then abandoned by the British. International law allowed it to then be claimed by others. It was only after Sealand declared its sovereignty that Britain extended its territorial waters claim to include Sealand.

Anonymous Coward says:

SSL can already be cracked. The previous owners of one Taco Bell franchise where I live used to have extreme filtering, and I founnd that if I logged onto the SSL proxy on my home computer, they could still detect that I was accessing a filtered site and block it.

The current owners of that franchise have dialed down the filtering quite a bit. You can now access YouTube, and Live 365 was unblocked, before they went dark in January of last year.

Somehow the previous owners of that Taco Bell franchise were able to crack and sniff SSL. I was using a port 443 SSL connection using SoftEther is my server.

Roger Strong (profile) says:

Re: Re:

Commercial and even some home firewall appliances do a man-in-the-middle attack on HTTPS traffic, so that they can scan for malware and block sites as specified.

For example:

When you select the Enable Content Inspection check box, the Firebox can decrypt HTTPS traffic, examine the content, then encrypt the traffic again with a new certificate.


When your device scans an HTTPS connection, the HTTPS Proxy intercepts the HTTPS request, and initiates its own connection to the destination HTTPS server. The HTTPS Proxy on your device presents its own resigning certificate to the originating client and connects with the destination HTTPS server on the client’s behalf. The resigning certificate can be either the Default Proxy Authority Certificate or an imported CA Certificate.

Their home use firewall appliances can do this, as can the big corporate models for Fortune 500 companies and ISPs. The difference is the throughput of the different models – how much traffic they can scan at once.

Any time you connect to the internet, even if not through a company firewall, assume that your ISP has this capability.

DannyB (profile) says:

Re: Re: Re:

If you use HTTPS (eg, TLS) how can anyone do an MiTM attack?

The MiTM doesn’t have the private key for the certificate. So it is unable to negotiate a private session key with the end user browser.

I understand how the MiTM can pretend to be the browser and establish a connection to But I would surely like to know how the MiTM can impersonate without Amazon’s private key.

In short, while MiTMs are theoretically possible. And somewhat possible on a corporate network, it can be detected, and it is not likely to be impossible on your home ISP on your home computer. (Unless you install a trusty CD ROM into your computer provided by your ISP.)

One way that I do know, is to subvert the trust of the user agent (eg, your web browser). That can be done in a corporate environment by inserting a new trusted CA certificate into your local trust store. Now the MiTM can instantly issue it’s own certificate, and it will have the private key since it issued the certificate. And your browser will trust it.

That’s a corporate environment. Even then, browsers can discover that the certificate the MiTM is presenting is NOT the certificate it should be. Google, for example, knows who signed its certificates, and its browser knows who signs Google’s certificates, and that signer is not the CA that was added to the local trust store.

You can also run browser plug in apps that watch for changes in the certificates of secure sites you visit.

In an ISP environment, I really can’t see how an ISP can do this. My ISP definitely cannot change the trust store on my browser nor on my OS. So my ISP definitely should not be able to execute an MiTM attack.

Now there is one avenue left. Subvert the entire CA infrastructure. There are a lot of CA certificates in the trust store these days. You could get a certificate issued by Honest Achmed’s Certificate Authority of Tehran Iran. And your browser might trust it. But do you really think a certificate presented that was signed by Honest Achmed’s is real? Do you really think this is where Google purchases certificates from?

Roger Strong (profile) says:

Re: Re: Re: Re:

As I understand it (which is admittedly vague) you install your own trusted CA certificate in the firewall appliance. This could be your own company certificate, which you’d have to install in your browsers.

But it could also be a certificate purchased from a trusted Certificate Authority, the kind most web sites purchase, where the certificate is already built into your browser. You don’t need to install a certificate when you visit those sites.

So when you visit, your browser gets a legitimate certificate from a trusted CA via the firewall. No need to install a new certificate in your browser. sees a legitimate certificate in use, the one it told the browser to use. It doesn’t know that it’s talking to the firewall rather then the browser on the other side.

I may be wrong, of course. It’s not my specialty. But I do know that one way or another it works, and that companies are selling firewall appliances that do it.

DannyB (profile) says:

We've come a long way since the Clipper Chip fiasco

Government tried to mandate “government approved” crypto in the 1990’s. (Clinton)

The absurdity of it became apparent.

They even classified crypto as a munition. They did everything to suppress exporting of good crypto. Because “going dark”, or whatever they called it back then.

So what if you took an excellent crypto textbook (quite thick) across the border? The government didn’t seem to be quite ready to stop people from taking academic textbooks available in any bookstore or library across open borders.

Also, the rest of the world got the message. Actually two messages:
1. Do NOT trust US government mandated crypto
2. Any real research on crypto would move outside the US

Another thing was learned by all. It’s not intuitive. The only good crypto is OPEN crypto. The algorithm must be completely open. Only the keys are secret. If someone is selling you a proprietary or closed crypto, it is snake oil.

Now here we are today well over two decades later, with a lot of lessons learned. And they think they can do this again.

They can pass any laws they want. But they just don’t get it.

When strong cryptography is outlawed only outlaws will have strong cryptography.

Terrorists won’t be detered from strong cryptography. I’m sure they’ll be quaking in their boots that it’s illegal in some countries.

The only people without privacy will be law abiding people.

The back doors of government weak insecure crypto WILL be broken. It’s only a question of when. Then an enemy will have access to a lot of secrets.

Lawrence D’Oliveiro says:

Why Don’t The NSA Do It?

The NSA is supposedly the largest pool of cryptology talent anywhere in the world. And it’s in the pay of the US Federal Government. If anybody can come up with an encryption system that is simultaneously secure against criminals and crackable by law enforcement, why don’t they show us how it’s done? And make the entire unclassified research community look silly into the bargain?

I’m sure they would be champing at the bit to do that, if they could.

Maybe Trump can contribute the pixie dust by issuing another Executive Order…

Anonymous Coward says:

Chew on this, just suppose California, Oregon, and Washington secede and form a new nation, the Republic Of Pacifica

Since Apple would be in Pacifica, they would not have to obey any restrictions on encryption in the remaining United States.

Since Apple’s and Google’s servers would be in the Republic Of Pacifica, if this happened, they would only have to obey Pacifican law, and their services would no longer be subject to United States laws.

If, say, the remaining United States outlawed VPNs, VPN providers in Pacifica could supply VPN services, and Pacifican companies would not be subject to United States laws. They would only have to obey Pacifican laws.

Samet thing if the US passed laws requiring VPNs to log user activity. A VPN service in Pacifica, if the Pacifican nation comes into being, will only have to obey the Pacifican law, regarding their VPN sevice. The remaining United States would have no jurisdicton over Internet services in Pacifica if this happened.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...