Deputy AG Pitches New Form Of Backdoor: 'Responsible Encryption'
from the laugh-and-the-world-laughs-with;-pull-this-crap-and-you're-on-your-own dept
The DOJ is apparently going to pick up where the ousted FBI boss James Comey left off. While Attorney General Jeff Sessions continues building his drug enforcement time machine, Deputy AG Rod Rosenstein is keeping the light on for Comey’s prophesies of coming darkness.
Rosenstein recently gave a speech at the US Naval Academy on the subject of encryption. It was… well, it was pretty damn terrible. Once again, a prominent law enforcement official is claiming to love encryption while simultaneously extolling the virtues of fake encryption with law enforcement-ready holes in it.
The whole thing is filled with inadvertently hilarious assertions, like the following:
Encryption is a foundational element of data security and authentication. It is essential to the growth and flourishing of the digital economy, and we in law enforcement have no desire to undermine it.
Actually, Rosenstein has plenty of desire to do that, which will be amply demonstrated below, using his own words.
But the advent of “warrant-proof” encryption is a serious problem. Under our Constitution, when crime is afoot, impartial judges are charged with balancing a citizen’s reasonable expectation of privacy against the interests of law enforcement. The law recognizes that legitimate law enforcement needs can outweigh personal privacy concerns.
The law indeed recognizes this and provides law enforcement access to communications, documents, etc. with the proper paperwork. What the law cannot do is ensure the evidence is intact, accessible, or exactly what law enforcement is looking for.
Rosenstein is disingenuously reframing the argument as lawful access v. personal privacy, when it’s really about law enforcement’s desires v. user security. The latter group — users — includes a large percentage of people who’ve never been suspected of criminal activity, much less put under investigation. Weakened encryption affects everyone, not just criminal suspects.
Our society has never had a system where evidence of criminal wrongdoing was totally impervious to detection, especially when officers obtain a court-authorized warrant. But that is the world that technology companies are creating.
Our society has had plenty of systems where evidence was “impervious to detection.” Calls, text messages, emails, personal conversations, passed notes, dead drops, coded transmissions, etc. have existed for years without law enforcement complaining about everything getting so damn dark. Law enforcement has never had 100% access to means of communications even with the proper paperwork in hand. And yet, police departments and investigative agencies routinely solved crimes, even without access to vast amounts of personal communications.
Rosenstein follows this loop a few times, always arriving at the same mistaken conclusion: law enforcement should be able to access whatever it wants so long it has a warrant. Why? Because it always used to be able to. Except for all those times when it didn’t.
Since Rosenstein isn’t willing to handle the encryption conversation with any more intellectual honesty than the departed James Comey, he’s forced to come up with new euphemisms for encryption backdoors. Here’s Rosenstein’s new term for non-backdoor encryption backdoors.
Responsible encryption is achievable. Responsible encryption can involve effective, secure encryption that allows access only with judicial authorization.
At worst, this means some sort of built-in backdoor, sort of what Blackberry uses for its non-enterprise customers. Nearly just as bad, this possibly means key escrow. These are the solutions Rosenstein wants, but he doesn’t even have the spine to take ownership of them. Not only does the Deputy AG want tech companies to implement whatever the fuck “responsible encryption” is, he wants them to bear all expenses, cope with customers fleeing the market for more secure options, and be the focal point for the inevitable criticism.
Such a proposal would not require every company to implement the same type of solution. The government need not require the use of a particular chip or algorithm, or require any particular key management technique or escrow. The law need not mandate any particular means in order to achieve the crucial end: when a court issues a search warrant or wiretap order to collect evidence of crime, the provider should be able to help.
In other words, the private sector needs to build the doors and hold the keys. All the government needs to do is obtain warrants.
Rosenstein just keeps piling it on. He admits the law enforcement hasn’t been able to guilt tech companies into backdooring their encryption. That’s the old way. Going forward, the talking points will apparently portray tech companies as more interested in profits than public safety.
The approach taken in the recent past — negotiating with technology companies and hoping that they eventually will assist law enforcement out of a sense of civic duty — is unlikely to work. Technology companies operate in a highly competitive environment. Even companies that really want to help must consider the consequences. Competitors will always try to attract customers by promising stronger encryption.
That explains why the government’s efforts to engage with technology giants on encryption generally do not bear fruit. Company leaders may be willing to meet, but often they respond by criticizing the government and promising stronger encryption.
Of course they do. They are in the business of selling products and making money.
In other words, tech companies are doing it for the clicks. This is a super-lazy argument often used to belittle things someone disagrees with. (A phrase that has since been supplanted by “fake news.”) This sort of belittling is deployed by (and created for) the swaying of the smallest of minds.
Having painted the tech industry as selfish, Rosenstein airlifts himself to the highest horse in the immediate area.
We use a different measure of success. We are in the business of preventing crime and saving lives.
The Deputy AG makes a better point when he calls out US tech companies for acquiescing to ridiculous censorship demands from foreign governments. If companies are willing to oblige foreign governments with questionable human rights records, why can’t they help out the US of A?
It’s still not a very strong point, at least not in this context. But it is something we’ve warned against for years here at Techdirt: you humor enough stupid demands from foreign governments and pretty soon all of them — including your own — are going to start asking for favors.
It would be a much better argument if it wasn’t tied to the encryption war Rosenstein’s fighting here. Comparing censorship efforts and VPN blocking to the complexities of encryption isn’t an apples-to-apples comparison. Blocking or deleting content is not nearly the same thing as opening up all users to heightened security risks because the government can’t get at a few communications.
Whatever it is Rosenstein’s looking for, he’s 100% sure tech companies can not only provide it, but should also bear all liability for anything that might go wrong.
We know from experience that the largest companies have the resources to do what is necessary to promote cybersecurity while protecting public safety. A major hardware provider, for example, reportedly maintains private keys that it can use to sign software updates for each of its devices. That would present a huge potential security problem, if those keys were to leak. But they do not leak, because the company knows how to protect what is important. Companies can protect their ability to respond to lawful court orders with equal diligence.
It’s that last sentence that’s a killer. This is Rosenstein summing up his portrayal of tech companies as callous, profit-seeking nihilists with a statement letting everyone know the DOJ will pin all the blame for any future security breaches on the same companies who got on board with the feds’ “nerd harder” demands.
This is a gutless, stupid, dishonest speech — one that deliberately misconstrues the issues and lays all the blame, along with all the culpability on companies unwilling to sacrifice users’ security just because the government feels it’s owed access in perpetuity.