UK Home Secretary Calls Tech Leaders 'Patronizing' For Refusing To Believe Her 'Safe Backdoors' Spiels

from the if-you-don't-want-to-be-treated-like-a-petulant-child... dept

It appears we’re headed towards some sort of encryption showdown in the UK. The only question is: what sort of weapons will everyone be bringing to the brawl?

Home Secretary Amber Rudd is giving off the vibe the UK government may soon be wielding mandates and legislation, if not literal slings and arrows. The more Rudd (and other top UK politicians) argue for encryption backdoors they insist aren’t backdoors, the more they’re running into opposition from those expected to create the backdoors.

Rudd’s finding out ignorance isn’t bliss.

Asked by an audience member if she understood how end-to-end encryption actually worked, she said: “It’s so easy to be patronised in this business. We will do our best to understand it.

“We will take advice from other people but I do feel that there is a sea of criticism for any of us who try and legislate in new areas, who will automatically be sneered at and laughed at for not getting it right.”

She added: “I don’t need to understand how encryption works to understand how it’s helping – end-to-end encryption – the criminals.

“I will engage with the security services to find the best way to combat that.”

To be sure, Rudd is taking additional criticism. But it’s not for her ignorance. It’s for her obstinance. Her ignorance of encryption fundamentals allows her to continue claiming there’s such a thing as a secure backdoor. She may understand what end-to-end encryption means, but insists it can be subverted without destroying it.

Understandably, tech companies have attempted to set the record straight repeatedly, using actual facts. That’s what Rudd views as “patronising.” Facts. And people who do understand encryption attempting to explain the facts to someone who views facts as inconvenient barriers to lawful access.

Rudd does know this: terrorists are using encrypted apps to communicate. What’s not being considered is the security of millions of non-terrorists using the same encrypted apps. So, she’s obviously frustrated and lashing out at those companies she views as taking the side of terrorists.

But what she wants are things tech companies can’t provide without sacrificing the security of millions of non-terrorists..

She insisted she does not want “back doors” installed in encryption codes, something the industry has warned will weaken security for all users, nor did she want to ban encryption, just to allow easier access by police and the security services.

If she’s angry, the tech companies she refuses to listen to are just as fed up. That’s when the snark kicks in: when all other more reasonable lines of communication have been ignored.

At this point, it’s gone beyond simple facts and science. The war on encryption has shifted to a religious crusade.

She told the meeting Silicon Valley had a “moral” obligation to do more to help the fight against crime and terrorism.

Counterpoint: the government has lots of moral obligations as well, but seldom lives up to those. But beyond that, no company has a “moral” obligation to cave to government demands for weakened user security. Companies are doing what they can to assist law enforcement and are heavily engaged in moderating content uploaded to their platforms. Insisting this is a “moral” issue warps the conversation, taking it past a discussion of what is or isn’t possible and into the realm of wonders and miracles.

If Rudd doesn’t like being talked down to by tech leaders, perhaps she should start listening to what they’re saying. More importantly, she needs to start accepting their answers.

Filed Under: , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “UK Home Secretary Calls Tech Leaders 'Patronizing' For Refusing To Believe Her 'Safe Backdoors' Spiels”

Subscribe: RSS Leave a comment
135 Comments
Ninja (profile) says:

“just to allow easier access by police and the security services.”

And how does she think it can be done? I mean, she’s asking the experts and they are saying there’s no way of doing this so what does she propose? Does she have some super-hyper-experts that can do better than actual experts from all around (read: magicians) and are hiding it? Ask her that question.

“Ms Rudd, despite having created awesome security systems and/or companies that are worth hundreds of billions we don’t know how to provide encryption that’s easier to access by law enforcement that won’t be as easier to the crooks. We are dumbasses so please enlighten us from the top of your marvelous wisdom!”

No seriously. Throw the ball in her lap. If she actually takes it and manages to give birth to some system then quickly compromise it to show her she is an idiot. Sure a lot of taxpaying money will be wasted but at the very least you drive the point home: there’s no such a thing as ‘encryption that can be more easily accessed by law enforcement’ that isn’t effectively ‘no encryption at all’.

Mason Wheeler (profile) says:

Understandably, tech companies have attempted to set the record straight repeatedly, using actual facts. That’s what Rudd views as "patronising." Facts.

Yes, that is generally how the term is deployed these days, sadly enough.

Proper response: "we’ll create an encryption backdoor that can only be used by legitimate authorities to target bad guys the day after you create a gun that operates on those same principles."

That One Guy (profile) says:

Re: Re: Re: Re:

Well that’s easy enough, just need to fiddle with a few laws and definitions such that anyone shot by one of those guns operated by an authorized user is, by definition and by the law, a ‘bad guy’.

Like magic you’ve got a gun that can only be used by ‘Good Guys’, and that only shoots ‘Bad Guys’.

TheResidentSkeptic (profile) says:

Not a good track record on locking/breaking

TSA Locks – suitcases broken by TSA agents who weren’t trained to use the TSA keys;

Facial Recognition: Broken with a photograph;

Denuvo “uncrackable” DRM: Broken in Months, then Weeks, then Days, now Hours;

User-Only Gun – Broken with a Magnet;

High-Security bike lock – Broken with a Bic Pen barrel;

So, I predict:

“Government Only Backdoor” – Broken prior to arrival.

Anonymous Coward says:

Rudd is making her case at an emotional level. (“Tech companies knowingly aiding/abetting terrorists”)

Tech companies are making their case at a rational/intellectual level. (“math doesn’t work that way….”)

Basic psychology says that Rudd _will_ win eventually, unless the Tech companies can come up with an equally compelling emotional argument.

This is pretty much the same tactic that put Trump in the White House.

That One Guy (profile) says:

Re: Re:

‘The encryption that criminals and terrorists can use to hide their activity is the very encryption that protects the personal and private data of members of the public from criminals and terrorists, similar to how the ability to hold a private conversation can be used to plan a crime or hold a personal conversation that you don’t want people to listen in to for reasons that have nothing to do with the legality of the topic.

Undermining encryption use by terrorists is undermining encryption used by the public, and with vastly more people in the latter category than the former, the public will suffer far more than any terrorist by such a drastic attack on safety and security.’

Or the tl;dr version:

‘Politicians who are calling for ‘back-doors’ in encryption, or anything along those lines, are politicians calling for the undermining of public privacy and security, and claiming that they are doing so in order to protect privacy and security. They are either lying and/or willfully ignorant in their attempts to do so and should be soundly mocked for putting forth such dangerous ideas and their demands refused.’

Anonymous Coward says:

Re: Re: Re:

Mansplaining = a man explaining a subject to a woman with the assumption that she is less capable of understanding it than he is because she is a woman.

The prototypical example is the case brought up by [Rebecca Solnit] (http://articles.latimes.com/2008/apr/13/opinion/op-solnit13) (although she did not use the term), of a man who tried to explain the content of a book to her, ignoring her repeated protest that she didn’t need the book explained to her as she was its author.

Anonymous Coward says:

Re: Re: Re: Re:

sadly (or maybe not), this phenomenon isn’t limited to men “explaining” to women.

This is the patronizing attitude that people in power can slip into when dealing with those from a circle of less influence.

I’ve been the victim of the “mansplain” a few times, sometimes by a woman, always someone who felt they were talking from a position of superiority. Usually I’d just play dumb and then ask them a question based on the concepts they had so plainly failed to grasp. That’s left a few floundering, and once or twice this was completely missed by the splainer — at which point I know that having any sort of a meaningful conversation or learning experience is totally impossible.

Anonymous Coward says:

Re: Re: Re:2 Re:

There’s no denying that Dunning-Kruger syndrome is prevalent among everyone, regardless of gender. Everyone has had something condescendingly explained to them, and most people have tried to explain something to the best of their knowledge, but have then been overruled by someone with actual professional knowledge of the subject.

The idea of “mansplaining” is that there’s a certain subcategory of men that believe that women are intrinsically less competent, and thus this behaviour happens more often when a man is trying to explain something to a woman rather than in any other kind of interaction.

I’m a man myself, and thus can’t speak directly to how often it happens to women, but given how I’ve seen and heard other men talk, write, etc. about women, I’m sure that subcategory exists, and I have little problem believing that it’s as large as women claim that it is.

Anonymous Coward says:

Re: Re: Re: Re:

What a sexist assumption that the comments are all from men. Not to mention the word itself is sexist.

arrogant, assuming, big-headed, bossy, cocky, conceited, domineering, egotistic, haughty, hubristic, imperious, know-it-all, overbearing, pompous, presumptuous, pretentious, smug, vain.

Wendy Cockcroft (user link) says:

Re: Re: Re:2 Re:

As a woman I’d be patronizing Rudd myself. What an awful, awful, awful woman! She’s so bloody thick!

Nobody should be above being ‘splained or indeed derided for being proud of being ignorant.

Let me tell you, I know sod all about encryption except for what I pick up here on TD and Ars Technica so if someone kindly takes the time to explain it to me I am grateful that they made the effort. Amber Rudd would be wise to do the same.

Anonymous Coward says:

Re: Re:

Was it also mansplaining when Techdirt was condescending of Max Hill, Christopher Wray and James Comey, George Brandis and Malcolm Turnbull, and many others (mostly men) for not listening to tech experts about this exact same issue?

I’m generally sympathetic to suggestions that when a woman is talked down to, some of that condescension may be due to sexism. However, I think that the general tenor of this post (and previous Techdirt coverage of the "Going Dark" issue) tends to be "Tech advisors are becoming increasingly condescending because politicians aren’t listening to them, simply because the answers they’re giving don’t line up with what the politicians want to hear," rather than "Tech advisors are becoming increasingly condescending to women because they think that tech is too much of a men’s issue that women can’t understand."

If I’m wrong, please, tell me: show me where this post says that the secretary’s inability to understand has anything to do with her gender, or, by comparing this post to any of the other "Going Dark" posts listed above, show me how Ms Rudd is being treated any differently then the men making similar assertions have been.

Women shouldn’t be thought of as being less capable of understanding any given issue than a man would be, but they no one, regardless of gender, should be given a free pass from criticism when they clearly don’t understand that issue.

Anonymous Coward says:

Re: Re:

“Isn’t surprising that both the author and comments here mansplain. We get it, women just can’t understand this because its hard.”

Except that it appears, as was noted in the tfa, that Rudd is willfully ignorant, and revels in that ignorance as it gives her free reign to demand impossible things, without the pain of the headache that would cause to someone that actually understands the subject. She flatly refuses to educate herself, on the basis that no matter what she learns, she will still “believe” that slightly compromised encryption is ok, when everyone that knows anything about encryption is shouting at her that there is NO SUCH THING as slightly compromised encryption.

Anonymous Coward says:

The other thing she does not get is that almost unbreakable open source encryption exists, and forcing a back door into it will immediately give it to the bad guys, while they avoid using the compromised version. So all she will achieve is compromising the communications of people who follow the law, while leaving those who don’t with secure communications.

Not only is the encryption genie out of the bottle, but the bottle is broken so it cannot be captured again.

Anonymous Coward says:

Re: Re:

That’s okay. It doesn’t have to be perfect. If they can decrypt most of what they want, that’s going to be good enough. It’s basically the same standard that they apply to telecom companies that must include intercept capabilities in their networks.

Just because bad guys can use scramblers to encrypt voice calls placed over landlines to foil eavesdroppers doesn’t mean wiretaps have no value to law enforcement.

Anonymous Coward says:

crypto fans are being disingenuous

She isn’t necessarily asking tech companies to change mathematics. Much of what the government wants can be accomplished with policy changes.

For example, when you use Messages on an iPhone, you are trusting Apple to add only keys for the parties in the conversation. It would be easy for them to insert an additional key. No mathematics are violated and the encryption isn’t weakened. Adding another key isn’t a backdoor, it’s an additional front door.

The government can demand telecom companies provide access to law enforcement. It’s not a huge stretch to say handset makers should do the same.

Anonymous Coward says:

Re: crypto fans are being disingenuous

For example, when you use Messages on an iPhone, you are trusting Apple to add only keys for the parties in the conversation. It would be easy for them to insert an additional key. No mathematics are violated and the encryption isn’t weakened. Adding another key isn’t a backdoor, it’s an additional front door.

Everyone (with the required technical acumen) acknowledges that what you describe can easily be done.

However, this is still considered to be weakening encryption, because all it takes is one bad actor to get a hold of that "additional key" and every iPhone Message ever sent with that key is now compromised. And, given the number of requests there will be for that key, and therefore the number of people who would lay eyes on the key, it would inevitably be leaked. "Three can keep a secret if two are dead," and all that.

MDT (profile) says:

Re: crypto fans are being disingenuous

Right, just add another key.

Who has that key? The government? Which government? The UK government? China? Iran? North Korea?

The answer is, all of the above.

Ooh, Ooh, I can hear it now, ooh ooh, each government gets their own key!

Which means that if ANY government leaks their key, anyone can access any communication.

What you’re positing is the TSA Key, which they leaked in a freaking photograph on the front page of a national freaking paper. What happens when they leak the key in a photo because it’s written on a black board in the background at a security conference?

Go sit in a corner and think about how stupid that suggestion is.

Anonymous Coward says:

Re: Re: crypto fans are being disingenuous

You wouldn’t do one key per government. You would do one key per message or maybe one key per user but you would expire it quickly.

If the government loses control of that key (like they did with the physical TSA key), then that message (or messages) from that one user can now be decrypted. Every other message sent by that user and all other users is still protected.

It’s not much different than when they put a wiretap on a landline. They could lose those tapes, but all the other conversations are still private.

Anonymous Coward says:

Re: Re: Re: crypto fans are being disingenuous

You would do one key per message or maybe one key per user but you would expire it quickly.

Average number of iMessages sent per year: 63,000,000,000,000,000.

Current secure key storage size: 2048 bits (256 bytes)

That’s 1,600,000,000,000,000 bytes of information per year.

Would you care to put up the cash for the 1.6 petabytes of storage that your suggestion would take (not counting the necessary metadata needed to tie the key to the message)?

Oh, and don’t forget that you have just shifted the one thing you would need to decrypt all messages from "the master decryption key" to "access to the database of decryption keys." Unless you really trust Apple to keep those keys secure (as much as you’d trust, say, Yahoo!, Equifax, eBay, Target, Evernote, FriendFinder, SnapChat, the Turkish government…)

Stephen T. Stone (profile) says:

Re: Re: Re: crypto fans are being disingenuous

Who would get to define how quick that new key lasts—the device manufacturer, the software developer, the end user, or the government?

What assurances can any of those entities offer that those keys could not be intercepted and used to eventually crack the encryption?

What makes having two keys and two doors—two methods for potentially cracking encryption—safer than one?

Anonymous Coward says:

Re: Re: Re:2 crypto fans are being disingenuous

What makes having two keys and two doors—two methods for potentially cracking encryption—safer than one?

It isn’t safer than one. It’s not significantly less safe though either.

As I understand it, the actual message is typically encrypted with a symmetric cypher. The symmetric key is (asymmetrically) encrypted with the public key for each recipient. So if you are doing a group chat with four people, the symmetric key is encrypted with each person’s public key.

When you receive the message, use your private key to get the symmetric key and use that to decrypt the message.

Anonymous Coward says:

Re: Re: Re:4 crypto fans are being disingenuous

I think that’s why this discussion is so hard for people to have. It isn’t a collect everything or collect nothing dichotomy. We want to give up nothing and the government wants everything and that’s pretty much how negotiations have to start.

If we aren’t willing to give up anything, we are going to lose everything. With no input from tech companies, the government will pass some overreaching legislation like log-everything-for-seven-years. Arguing that some scheme isn’t perfect isn’t helpful either. Wiretapping voice lines isn’t perfect (voice scramblers exist) but that doesn’t mean it isn’t useful.

So we have to think about what can be done to serve legitimate law enforcement needs and how does that impact users? Everybody agrees that users not being investigated shouldn’t be impacted at all. Blanket gather-everything orders shouldn’t be possible.

What should be possible is highly targeted surveillance against a legitimate court order. By highly targeted I mean it should apply to an individual account beginning on some date and ending on some small number of days in the future. Basically the same as wiretap orders.

Anonymous Coward says:

Re: Re: Re:5 crypto fans are being disingenuous

So we have to think about what can be done to serve legitimate law enforcement needs and how does that impact users?

Pre_Internet, law enforcement and security services carried out their function without access to the Information that they are now demanding. Indeed much of the Information they now want to collect was not available because much of it was carried out by face to face, or via phone conversation which were not available because it was recorded at the time.

Now Government are demanding not only that they are party to all electronic conversation, but they are also risking everybody security and privacy, which includes conversations with your bank, doctor lawyer etc. Because they will overuse the ability that they demand to be made available, critical keys will leak to the bad guys, and they will no do anything to help you repair things like a trashed credit rating.

Stephen T. Stone (profile) says:

Re: Re: Re:5 crypto fans are being disingenuous

You are still arguing that someone—whether it be the tech companies or the government—should have an open backdoor to read encrypted communications. Having two doors is more dangerous than having just one; keeping open at least one of those two doors all but invites hackers in.

Asking for what you want is like keeping your backdoor open all day: It stands a huge chance of letting in people and things you wanted to keep out. Encryption with a backdoor—no matter how temporary or limited as you think it could or should be—is encryption that, sooner or later, the “bad guys” will crack. If you have a way of resolving that issue without a focus on fantastical thinking (e.g., “The nerds can totally make a backdoor that only the good guys can get through!”), you have not yet shared it.

Anonymous Coward says:

Re: Re: Re:6 crypto fans are being disingenuous

sooner or later, the “bad guys” will crack

That’s a pretty fatalist viewpoint. If you are going to subscribe to it, then we have already lost because we (in the general sense) are trusting Google, Apple, and other messaging operators to keep our secrets. Since they control the hardware, software, and firmware on our phones and computers, eventually the bad guys will penetrate their defenses making all of the efforts to protect our communications useless. So none of this discussion matters, right?

I’m a lot more optimistic than that. I think Apple, Google, and others are deserving of our trust. I also think there are legitimate reasons for law enforcement to want to gain access to the communications that pass through these company’s servers. It’s often possible for these companies to “tap” that data stream in the same way phone and VOIP companies do.

If we ask the same from these messaging companies that we do from telecom companies, then I think that’s reasonable. That means they can be ordered to provide access in the future to the data, not the past (ie no dragnet orders). Phone wiretap orders apply to specific numbers over a specific period and so should messaging interception orders.

You can buy an encrypting telephone and that would make wiretaps useless. The equivalent for messaging would be encrypting your messages before handing them off to the messaging company to deliver. That’s okay that these workarounds exist. Any solution only has to be good, not perfect.

Stephen T. Stone (profile) says:

Re: Re: Re:7 crypto fans are being disingenuous

That’s a pretty fatalist viewpoint.

“On a long enough timeline, the survival rate for everyone drops to zero.” Replace “everyone” with “everything” and you can accurately sum up my viewpoint.

Everyone wants to claim that they have unhackable, unbreakable, undefeatable encryption. And right now, maybe they do. But on a long enough timeline, anything can be hacked, any system broken, any enemy defeated. Just ask Denuvo about how long it took their system to be hacked—then ask about how quick the hacking happens nowadays. All it took was one crack and the walls came tumbling down.

You could craft a form of encryption that takes years—decades!—to break. It would be an amazing accomplishment, to be sure. And as soon as one person cracks it, that accomplishment becomes meaningless. Giving that person more chances to crack it via backdoors will only hasten the process.

If we ask the same from these messaging companies that we do from telecom companies, then I think that’s reasonable.

This line of thinking assumes that telephone communications work the exact same way as encrypted VOIP calls or encrypted text messages. It also assumes that tech companies could break end-to-end encryption and place a “wiretap” on encrypted communications without also compromising the safety and effectiveness of the entire encryption system. As much as you might wish these things were true, they are not. You may want to re-examine these assumptions of yours; they are flawed at best and a sign of magical “nerd harder” thinking at worst.

Anonymous Coward says:

Re: Re: Re:7 crypto fans are being disingenuous

If we ask the same from these messaging companies that we do from telecom companies, then I think that’s reasonable

The problem is that the government are asking for much more, like requiring companies keep years worth of data, and make it available to the government on demand. That is they have switched from asking that selected people are brought under surveillance, to wanting a full history of anybodies activities being kept, just in case they come to the attention of the authorities in the future. They also classify those who organize protests against any action that they propose as low level terrorists, which give the security services an excuse to examine the activists life in great detail, in the hope that they can find something to attack them with.

Anonymous Coward says:

Re: Re: Re: crypto fans are being disingenuous

Holy crow, do you even understand what you are suggesting? A new unique key for each interested party generated for each unique message for each unique user? Can you not see how useless that is?

Govt A: I want to decrypt this message.

Apple: <dumps a quintillion keys labeled “Govt A” on the floor> Here ya go, good luck.

Govt A: …

Anonymous Coward says:

Re: Re: Re: crypto fans are being disingenuous

You wouldn’t do one key per government. You would do one key per message or maybe one key per user but you would expire it quickly.

That would mean acquiring keys from or sending to a central key registry. Also, that means tagging the message with an identifier for the government key. That registry would be a very valuable target for the bad guys and other governments to compromise. Such an approach also destroys perfect forward secrecy, because a key that can decrypt messages is kept beyond the life of the messages. (Hint, such keys are useless unless available to government when they want them, and they need to know which key to use).

Also note that if governments get their way, you will not be able to have private electronic communication with you doctor, lawyer, minister, priest or analyst. Also you will not be able to have private online discussion about politics, or the means or desirability of protesting governments actions.

Anonymous Coward says:

Re: Re: Re:3 crypto fans are being disingenuous

There is a difference between can, if they get a warrant from a court, otherwise their is no recording of the conversation, (unless you or the person you are speaking to records it,) and the keep a record of all conversation, and the necessary key to decrypt them just in case we want to look at them days, weeks, months or years after the conversation took place.

Stephen T. Stone (profile) says:

Re: Re: Re:5 crypto fans are being disingenuous

In bulk or in particular, the collection of encrypted information would still require tech companies to compromise end-to-end encryption in some way. If they create that compromise themselves, they help open the door to a far more public compromise of encryption. Why this idea does not frighten you is beyond my understanding.

Anonymous Coward says:

Re: crypto fans are being disingenuous

And this is why those of us who actually understand security look down on ignorant newbies like you with sneering contempt. It’s bad enough that you’re obviously stupid. It’s bad enough that you’re obviously uneducated. It’s bad enough that you haven’t been paying attention. It’s bad enough that you have failed to grasp even the mere rudiments of the problem, let alone the subtleties.

But then you had to open your huge, ignorant mouth and speak nonsense while expecting us to pay attention to you.

Sit down. Shut up. And learn, if you can manage that — which I doubt — from those who are superior to you. If you can’t or won’t learn, then at least stay seated and silent so that you don’t contaminate our discourse with your filth.

SteveMB (profile) says:

Re: crypto fans are being disingenuous

Much of what the government wants can be accomplished with policy changes.

Well, yes, what the government actually wants (an end to effective privacy) can be accomplished with policy changes.

What the government claims to want (a good-guys-only access point that does not otherwise compromise privacy) cannot.

Since the government cannot, for obvious reasons, admit to the former as their real agenda in public, they are forced to make asses of themselves by pretending that the latter can be accomplished by nerding harder.

TKnarr (profile) says:

Re: crypto fans are being disingenuous

This was already tried. Look up the history of the Clipper chip. It used your proposed mechanism: encrypting the message with an additional key that was escrowed with the government. The entire mechanism was so vulnerable that the Clipper chip was abandoned only 3 years after it was introduced.

You can find one of the papers analyzing the architectural (not implementation-dependent) vulnerabilities here: https://academiccommons.columbia.edu/catalog/ac%3A127127

Anonymous Coward says:

Re: Re: crypto fans are being disingenuous

come up with a workable scheme

It’s right there in the comment you replied to.

If wiretapping of phone calls wasn’t already a thing and the governments of the world started to demand the ability to record calls, we would be making the same arguments. But somehow wiretaps exist and hackers don’t have access to every single voice call made.

Anonymous Coward says:

Re: Re: Re: crypto fans are being disingenuous

That is because not every phone call, indeed very few phone calls are recorded. Therefore they are not available in some massive database for hackers to steal.

There is a difference from targeted recording of selected peoples phone calls and requiring that all electronic communications are kept just so the government can look at them should they take an interest in you or anybody you have ever communicated with.

Cowardly Lion says:

Re: Re: Re: Disingenuous comparisons

I love how you’re comparing encrypted internet communications to phones. Besides having been around for nearly 150 years and having it’s history well and truly planted in the physical realm, it’s still a rare thing for telephone calls, including cellular calls, to be encrypted.

Non of your arguments are persuasive; you may as well make your comparison against using steam to open paper envelopes.

Anonymous Coward says:

Re: Re: crypto fans are being disingenuous

No.

I’m proposing that, for the case of Apple Messages, if given a court order to collect messages from a user for the next 90 days (for example), they would generate a new key and add that to the list of keys that are encrypting messages to or from that user. Apple does key management for their users so this is possible. The additional key would be unique and not reused. If the corresponding private key were leaked, only that set of messages would be compromised.

Stephen T. Stone (profile) says:

Re: Re: Re: crypto fans are being disingenuous

If that key leaks and eventually leads to a much larger cracking of that encryption, what then will you say to the people whose devices come under attack, whose personal and private communications are leaked, whose lives may be upended by what is on a device they thought was secure until Apple made it insecure?

Encryption should not have backdoors. No one can guarantee that only “the right people” can and will ever use them; you are no exception.

Anonymous Coward says:

Re: Re: Re: crypto fans are being disingenuous

That is not what the government want. They want the ability to be able to get that court order after the event, and be able to read historic messages. To do the latter requires that the keys are built in from the start.

Governments will never accept that the can get historic messages and not be able to read them, indeed almost all the evidence that they offer about encryption hindering investigations are that they have these messages, or have these devices, and cannot read the contents.

Richard (profile) says:

Re: crypto fans are being disingenuous

you are trusting Apple to add only keys for the parties in the conversation. It would be easy for them to insert an additional key.

No -it is not easy it is impossible. There are only two keys in play here. You can’t change that without changing the algorithm completely.

As things stand at present the key that is used to decrypt the data never leaves the device belonging to the recipient.

The key used to encrypt the data cannot be used to decrypt the data.

Anonymous Coward says:

Re: Re: crypto fans are being disingenuous

There are only two keys in play here

That’s not true. The message itself is encrypted with a symmetric cipher and the key to the symmetric cipher is encrypted with each participants public key. The weakness in Apple’s Messages app is that you have to trust Apple to manage all the public keys.

If there were only two keys, you could never do secure group chats.

Richard (profile) says:

Re: Re: Re: crypto fans are being disingenuous

I am perfectly well aaware that the actual system uses a symmetric cipher to encrypt the actual message, the public keys being used to encrypt the key for that cipher. However when this system is correctly deployed the effect is the same as encrypting the message itself using the public key cipher. If this were not the case then there would be no point in using the public key cipher at all.

Anonymous Coward says:

you’ll never teach a member of a government anything. there is enough of this going on here. what is worse is where there isn’t room for common sense, let alone anything more complicated, you cant put it! as with just about every government member and politician in general, all they see is what they want to see and that is the thing they think will make them more popular with voters, either just after or just before they fuck(ed) up completely!!

Anonymous Coward says:

Almost agree with you, Tim

Tim, I agree with you on most points. Where we differ comes from your assessment of Ms. Rudd’s intelligence.

She talks about “tech companies” (presumably companies like Microsoft, Facebook, Apple, etc.). What she fails to understand is that NONE of the so-called “tech companies” roll their own encryption. They used tried and trusted methods and code developed by cryptographers. The “tech companies” have no more ability to modify — in a secure way — the encryption they are using than anyone else would.

The real hoot is that the “tech companies” are prevented from using anything other than tried and trusted encryption because, if they did, they wouldn’t qualify for FIPS certification which means they couldn’t sell it to the government — the U.S. as well as all others.

Tim, with all due respect, I submit to you that Ms. Rudd is a moron (note: I said that, not Rex Tillerson).

That One Guy (profile) says:

Re: Almost agree with you, Tim

Tim, with all due respect, I submit to you that Ms. Rudd is a moron (note: I said that, not Rex Tillerson).

Were this early on in the Crypto Wars 2.0 I might agree that she’s simply being an idiot, however at this point there really is no valid excuse for a major politician not to have done enough research on the subject to understand that what they are asking for is simply not possible, and that the experts in the field are telling the truth when they attempt to explain this.

As such I’d disagree with you that those that are still making the demands are idiots. They may or may not be idiots in general, but on this topic they are much more likely to be extremely dishonest, or at the very least willfully ignorant(which I suppose would fall under the category of ‘dishonest’).

Ryunosuke (profile) says:

lets put it this way. say there is a backdoor to Parliament, and someone either obtains a key or brute forces the door open, that door is no longer secure. Now lets say that back door leads to financial records, or other sensitive information of Parliament. What then? They have fucked up by putting a back door into the secure records of Parliament and thinking no one but “authorized” personnel has access to it. Meanwhile, the door doesn’t care if you have proper authorization or not, it is there for one purpose, to let people in and out.

Anomalous Cowherd says:

Reminds me of

Charles Babbage:

“On two occasions I have been asked, ‘Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out?’ I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question.”

Arthur C. Clarke:

“Any sufficiently advanced technology is indistinguishable from magic.”

Anonymous Coward says:

"We will take advice from other people but I do feel that there is a sea of criticism for any of us who try and legislate in new areas, who will automatically be sneered at and laughed at for not getting it right."

She added: "I don’t need to understand how encryption works to understand how it’s helping – end-to-end encryption – the criminals.

Yes! YES you need to understand the freaking core of the subject when doing something as potentially destructive as legislation. If you don’t understand the subject – and I know that no politician can be experts on every subject themselves – then listen to the army of people that does have the knowledge.
The patronizing one here is Amber Rudd who is trying to tell us that we don’t know our jobs well enough to protest against a very uninformed and dangerous path. She balks at imagined slights while basically calling us lazy and supporters of terrorists and killers, which is a terrible accusation.
The politicians get an idea in their head and then just tell us to make it happen, but they forgot the most important skill they should need in politics: To listen.
Here is something that I would listen to: If she shows us several respected and knowledgeable people in the field that can present a safe and sustainable proposition to a solution then we could start to talk and hammer it out to something useful. Of course most of us know that is impossible and I suspect very much that Amber Rudd has had many of their own experts tasked with this subject without luck.

That One Guy (profile) says:

Flawed encryption by any other name would still be... flawed encryption

She insisted she does not want "back doors" installed in encryption codes, something the industry has warned will weaken security for all users, nor did she want to ban encryption, just to allow easier access by police and the security services.

Taken into the physical realm, this would be like claiming that the government/police don’t want to make it illegal to have blinds in your house, or hold private conversations, as that would be a huge violation of privacy and allow anyone to peek in, something they are totally against.

No, all they want is devices installed that would allow ‘the proper authorities’ to retract those blinds when they want/’need’ to look in, and mics installed which of course would only ever be turned on by ‘the proper authorities’ acting in ‘legal’ fashion.

Calling a demand for crippled encryption something else does not make it not a demand for crippled encryption.

She told the meeting Silicon Valley had a "moral" obligation to do more to help the fight against crime and terrorism.

I find this line of ‘reasoning’ particularly entertaining because it’s not hard to turn it around on her and make the case that they are upholding that ‘moral obligation’ by refusing to cripple security. Making everyone less secure, which is what her demand would do, would be a massive boon to criminals and terrorists, who would be able to access and exploit vast amounts of sensitive and private data for their own ends, and at the cost of the public.

By refusing to bow to her insane and idiotic demands they are doing more to combat crime and terrorism than she could ever do.

That One Guy (profile) says:

Re: 'Stupid' isn't gender specific

Copy-pasting from another comment:

‘Was it also mansplaining when Techdirt was condescending of Max Hill, Christopher Wray and James Comey, George Brandis and Malcolm Turnbull, and many others (mostly men) for not listening to tech experts about this exact same issue?’

She’s being an idiot and/or grossly dishonest, but that has nothing to do with her gender, making it irrelevant at best to the discussion. There have been and continue to be plenty of idiotic/dishonest men ‘asking’ for dangerously stupid concession regarding encryption, that she happens to be a woman doesn’t suddenly make her demand for dangerously stupid concessions any better or worse, or her gender relevant to the discussion.

Lawrence D’Oliveiro says:

Please Don’t Try Conflating Encryption With Guns

Those folks in the US, please do not try to bring up gun analogies to try to justify your opinions on encryption, because that’s the last thing we need.

For those having trouble understanding the difference, encryption is a constructive tool with many important uses, while a gun is just a destructive weapon.

Rapnel (profile) says:

Re: Please Don’t Try Conflating Encryption With Guns

Perhaps you could elaborate? Encryption is both defensive and offensive, as are guns. Given the very basest of comparisons I would say that both of these can be categorized as necessary tools in the interests of security, self-preservation and privacy. Dangerous freedom is the preferred state – tenuous grasps of reality are not.

A gun is also a very, very constructive tool when the use of threats, injury or death are required to compel or force a range of various outcomes. That’s why police, thugs, armies and tyrants use them. Defense, in almost any form, is a constructive principle of security.

And try not to tell other people what to do in a condescending and patronizing manner when clearly you have not considered the total shape of the thing.

Rapnel (profile) says:

Re: Re: Re: Defense, in almost any form, is a constructive principle of security.

You’re more than welcome to your dirty logic leaps however I have equal rights to gun ownership and encryption (more so the later than the former simply because math) in the interests of providing for and maintaining my own security.

To your .. point – bad people do bad things. No amount of law or state privilege will ever put a cork in that bottle, ever.

I believe that we have a natural and inherent right to self-preservation to include life, liberty, property and privacy. These are things we, as individuals, must do for ourselves as only we can truly do. I am fully aware of the myriad things that can kill me tomorrow or today. This, necessarily, includes a mad shooter, a fucker with a loaded backpack or an idiot behind the wheel. I, for one, am loath to be ruled or led around by the leash of other peoples fears and false promises.

Richard (profile) says:

Re: Re: Please Don’t Try Conflating Encryption With Guns

Encryption is both defensive and offensive, as are guns.

Guns are only defensive on the principle of attack being the best form of defence.

Bullet proof vests are a better analogy for encryption.

So what Amber Rudd is saying is that all bullet proof vests should be compromised in such a way that a certain type of gun is required to shoot you – and of course ONLY the police will have these guns…..

Lawrence D’Oliveiro says:

The UK Has GCHQ, Like The US Has The NSA

Rather than trying to persuade private companies to do what she wants, has she tried talking to the Government’s own spooks at GCHQ, to see if they can come up with some scheme? Then she could offer that up and say “See? I told you so!”, and have the satisfaction of proving how stupid all the encryption experts are in the unclassified community.

But she won’t do that, can she? Or she has, and they’ve already made it clear it can’t be done.

Anonymous Coward says:

Re: The UK Has GCHQ, Like The US Has The NSA

I am willing to bet that they have been working for years, if not decades, on this “problem” and come up with nothing or a very unsatisfactory solution. Being politicians they are going to make the law first that requires a solution from the tech industry within a time-limit and when that fails to produce anything too, they will force a very bad, very unsafe solution into practice.
They know that this is easy popularity points for them and they know that it is going to require many episodes of hacking and many years to prove that this vulnerability were responsible. Then they are going to shift the blame, deny involvement, and finally just say “that no one could have known”. In the end the politicians responsible will feel no actual punishment for not listening because they will be retired or dead of old age. If all this does somehow happen in their lifetime, they will still feel no actual punishment. How often do we see that they just quit their job and then they are seemingly immune to any of the supposed consequences because “The horror of loosing their position must be punishment enough” – even as they get a lucrative job in the private sector or live the rest of their lives on big pensions paid by the people they screwed over.

Anonymous Coward says:

Heh, heh! Turns out are ALREADY backdoors!

From the Daily Mail: "Secret backdoor in Uber’s app granted by Apple lets the firm record your iPhone’s screen without you knowing"

Headline is enough.

Here’s the obvious implication: all you smarty-pants who believe this can’t be done are considering only mathematics but doesn’t matter if you’re right on that, because API can send the message in parallel, or use a known key, or by any number of tricks give both application and key used.

An operating system provides no security from those who wrote it.

Apple / Google / Microsoft nor any corporation are your friend, they’re man-in-the-middle agencies of the surveillance state. This PR is just announcing current capability.


Intentionally late to have the last laugh.

Shane Killian (profile) says:

Protecting us from kid sisters

Bruce Schneier said in his Applied Cryptography textbook:

There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files.

What she wants to do is to put all of our crypto into the "kid sister" category.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...