Deputy AG Pitches New Form Of Backdoor: 'Responsible Encryption'

from the laugh-and-the-world-laughs-with;-pull-this-crap-and-you're-on-your-own dept

The DOJ is apparently going to pick up where the ousted FBI boss James Comey left off. While Attorney General Jeff Sessions continues building his drug enforcement time machine, Deputy AG Rod Rosenstein is keeping the light on for Comey’s prophecies of coming darkness.

Rosenstein recently gave a speech at the US Naval Academy on the subject of encryption. It was… well, it was pretty damn terrible. Once again, a prominent law enforcement official is claiming to love encryption while simultaneously extolling the virtues of fake encryption with law enforcement-ready holes in it.

The whole thing is filled with inadvertently hilarious assertions, like the following:

“Encryption is a foundational element of data security and authentication. It is essential to the growth and flourishing of the digital economy, and we in law enforcement have no desire to undermine it.”

Actually, Rosenstein has plenty of desire to do that, which will be amply demonstrated below, using his own words.

“But the advent of ‘warrant-proof’ encryption is a serious problem. Under our Constitution, when crime is afoot, impartial judges are charged with balancing a citizen’s reasonable expectation of privacy against the interests of law enforcement. The law recognizes that legitimate law enforcement needs can outweigh personal privacy concerns.”

The law indeed recognizes this and provides law enforcement access to communications, documents, etc. with the proper paperwork. What the law cannot do is ensure the evidence is intact, accessible, or exactly what law enforcement is looking for.

Rosenstein is disingenuously reframing the argument as lawful access v. personal privacy, when it’s really about law enforcement’s desires v. user security. The latter group — users — includes a large percentage of people who’ve never been suspected of criminal activity, much less put under investigation. Weakened encryption affects everyone, not just criminal suspects.

“Our society has never had a system where evidence of criminal wrongdoing was totally impervious to detection, especially when officers obtain a court-authorized warrant. But that is the world that technology companies are creating.”

Our society has had plenty of systems where evidence was “impervious to detection.” Calls, text messages, emails, personal conversations, passed notes, dead drops, coded transmissions, etc. have existed for years without law enforcement complaining about everything getting so damn dark. Law enforcement has never had 100% access to means of communications even with the proper paperwork in hand. And yet, police departments and investigative agencies routinely solved crimes, even without access to vast amounts of personal communications.

Rosenstein follows this loop a few times, always arriving at the same mistaken conclusion: law enforcement should be able to access whatever it wants so long as it has a warrant. Why? Because it always used to be able to. Except for all those times when it didn’t.

Since Rosenstein isn’t willing to handle the encryption conversation with any more intellectual honesty than the departed James Comey, he’s forced to come up with new euphemisms for encryption backdoors. Here’s Rosenstein’s new term for non-backdoor encryption backdoors.

“Responsible encryption is achievable. Responsible encryption can involve effective, secure encryption that allows access only with judicial authorization.”

At worst, this means some sort of built-in backdoor, something like what BlackBerry uses for its non-enterprise customers. Nearly as bad, it could mean key escrow. These are the solutions Rosenstein wants, but he doesn’t even have the spine to take ownership of them. Not only does the Deputy AG want tech companies to implement whatever the fuck “responsible encryption” is, he wants them to bear all expenses, cope with customers fleeing the market for more secure options, and be the focal point for the inevitable criticism.

“Such a proposal would not require every company to implement the same type of solution. The government need not require the use of a particular chip or algorithm, or require any particular key management technique or escrow. The law need not mandate any particular means in order to achieve the crucial end: when a court issues a search warrant or wiretap order to collect evidence of crime, the provider should be able to help.”

In other words, the private sector needs to build the doors and hold the keys. All the government needs to do is obtain warrants.

Rosenstein just keeps piling it on. He admits law enforcement hasn’t been able to guilt tech companies into backdooring their encryption. That’s the old way. Going forward, the talking points will apparently portray tech companies as more interested in profits than public safety.

“The approach taken in the recent past — negotiating with technology companies and hoping that they eventually will assist law enforcement out of a sense of civic duty — is unlikely to work. Technology companies operate in a highly competitive environment. Even companies that really want to help must consider the consequences. Competitors will always try to attract customers by promising stronger encryption.

“That explains why the government’s efforts to engage with technology giants on encryption generally do not bear fruit. Company leaders may be willing to meet, but often they respond by criticizing the government and promising stronger encryption.

“Of course they do. They are in the business of selling products and making money.”

In other words, tech companies are doing it for the clicks. This is a super-lazy argument often used to belittle things someone disagrees with. (A phrase that has since been supplanted by “fake news.”) This sort of belittling is deployed by (and created for) the swaying of the smallest of minds.

Having painted the tech industry as selfish, Rosenstein airlifts himself to the highest horse in the immediate area.

“We use a different measure of success. We are in the business of preventing crime and saving lives.”

The Deputy AG makes a better point when he calls out US tech companies for acquiescing to ridiculous censorship demands from foreign governments. If companies are willing to oblige foreign governments with questionable human rights records, why can’t they help out the US of A?

It’s still not a very strong point, at least not in this context. But it is something we’ve warned against for years here at Techdirt: you humor enough stupid demands from foreign governments and pretty soon all of them — including your own — are going to start asking for favors.

It would be a much better argument if it wasn’t tied to the encryption war Rosenstein’s fighting here. Comparing censorship efforts and VPN blocking to the complexities of encryption isn’t an apples-to-apples comparison. Blocking or deleting content is not nearly the same thing as opening up all users to heightened security risks because the government can’t get at a few communications.

Whatever it is Rosenstein’s looking for, he’s 100% sure tech companies can not only provide it, but should also bear all liability for anything that might go wrong.

“We know from experience that the largest companies have the resources to do what is necessary to promote cybersecurity while protecting public safety. A major hardware provider, for example, reportedly maintains private keys that it can use to sign software updates for each of its devices. That would present a huge potential security problem, if those keys were to leak. But they do not leak, because the company knows how to protect what is important. Companies can protect their ability to respond to lawful court orders with equal diligence.”

It’s that last sentence that’s a killer. This is Rosenstein summing up his portrayal of tech companies as callous, profit-seeking nihilists with a statement letting everyone know the DOJ will pin all the blame for any future security breaches on the same companies who got on board with the feds’ “nerd harder” demands.

This is a gutless, stupid, dishonest speech — one that deliberately misconstrues the issues and lays all the blame, along with all the culpability, on companies unwilling to sacrifice users’ security just because the government feels it’s owed access in perpetuity.


Comments on “Deputy AG Pitches New Form Of Backdoor: 'Responsible Encryption'”

65 Comments
Ninja (profile) says:

“But they do not leak”

But they do. And when it happens things go to hell and people get their stuff exposed. Companies that know their shit don’t hold the keys so when things leak the only ones at risk are users that do security wrong (or their threat model says they don’t need to go further, who knows?). And these companies cannot control their users. I use Google Drive for storage. All the files are encrypted prior to upload in my hard drive and Google can’t do a thing about it. As the attacks on privacy and security continue people are getting more and more aware of the issue and will act accordingly. Good luck controlling open source encryption.

Anonymous Coward says:

Re: Re:

“But they do. And when it happens things go to hell and people get their stuff exposed. Companies that know their shit don’t hold the keys so when things leak the only ones at risk are users that do security wrong”

You must be thinking of user keys. That reference was to code-signing keys, which also leak. Ignore the bad headline—nothing was "stolen", and "certificates" are public. But people are finding and copying private code-signing keys, and using them to sign malware. The article gives several examples.

Companies have to hold code-signing keys. Unless they want to outsource that to "the cloud", which is a horrible idea. Doing this securely requires an expensive and complicated setup which small companies aren’t likely to do, and aren’t likely to reconsider once they become large.

Roger Strong (profile) says:

Re: Re:

“Companies that know their shit don’t hold the keys so when things leak the only ones at risk are users that do security wrong…”

Create a corporate web site or app these days with ASP.NET, and Microsoft wants you to use OAuth to authenticate users. "They’ll be logged in automatically if they’re already logged into FaceBook or Twitter! Account information is automatically shared with other sites!" They even removed the old authentication tools from Visual Studio to force developers in this direction.

I just picked up a spherical image camera. Ricoh will host those images for you, complete with scripting and other technologies that will let the viewer pan around the images with their mobile and desktop browsers.

But to create and log into your account, you MUST use a FaceBook or Twitter account. And hand over your login credentials to Ricoh.

It’s as though the industry has looked at security breaches from Target to Equifax and asked, "How can we top that?"

Anonymous Coward says:

Re: Re: Re:2 Re:

When a browser window is hosted within an application, or a remote login screen is embedded in an iframe, it’s difficult or impossible for users to determine whether that’s secure. It could embed Facebook’s login screen today and a lookalike tomorrow. A secure way to do this would involve the user logging in normally and requesting or adding some kind of token.

aerinai says:

Responsible Encryption is REAL encryption.

“The government need not require the use of a particular chip or algorithm… ” — Is he really going there? Did he literally just allude to the Clipper chip of the 1990’s?

Not a great allusion to bring up when you are talking about adding a backdoor into security!

Side Note: TD Staff, I expect a new T-shirt!

Anonymous Coward says:

Re: Responsible Encryption is REAL encryption.

“Not a great allusion to bring up when you are talking about adding a backdoor into security!”

Why not? Most internet users have never heard of it, and no court ever ruled on it (it failed in the marketplace, in favor of totally unencrypted traffic). It wouldn’t even be that bad if people had to use the Clipper chip—the backdoor is totally broken, after all: "A brute-force attack would quickly produce another LEAF value that would give the same hash but not yield the correct keys after the escrow attempt. This would allow the Clipper chip to be used as an encryption device, while disabling the key escrow capability." (The key length is weak by modern standards, but nobody’s been able to break the full cipher.)

That One Guy (profile) says:

Re: History Repeating

They did, that’s why this time they’re trying to dump the entire thing on the companies in question, so that when it fails to work they can look shocked, shocked I say, that the magical unicorn gates they are sure are possible didn’t work, obviously because the companies didn’t really try, or really care enough about the public.

Jason says:

It still galls me how these people talk out of both sides of their mouths like this. They go on and on about how the Constitution provides for a "lawful access" through a judge and warrant, while also fighting tooth and nail against those who say that the laundry list of things they get their hands on without a warrant (the whole "third-party" process) should be subject to judicial review as well.

If these agencies hadn’t gone so far in the scope of what they demand in those contexts—in other words, if they had gone and gotten a warrant—then maybe, just maybe, the landscape would be a little different today.

radix (profile) says:

People need this translated to the physical world.

Would you support a local law where you had to submit a house key to be kept in the police station? And what if there were a history of the keepers of the keys using them for personal gain, or just outright losing them?

Nobody in their right mind would support such a law, but that’s almost exactly what the DOJ is proposing now.

Anonymous Coward says:

What I don’t understand is why it’s companies who have to invent this mythical safely backdoor-able encryption scheme only the ‘good guys’ can access?

Isn’t this the job of the NSA, GCHQ, et al.? They are the supposed experts in this stuff. Is it because even they know it is impossible?

Interestingly two blockchain based schemes invented by the NSA have been rejected by ISO because they are thought to be backdoored.

Everyone seems to know what these idiot politicians are asking for is impossible.

Deputy GAG says:

legitimate law enforcement needs

“The law recognizes that legitimate law enforcement needs can outweigh personal privacy concerns.”

Therefore we need to do something about the problem of windows "going dark". Yes, I’m talking about opaque window blinds, curtains and other coverings. Note that I’m not suggesting that people should not have window coverings, but just that they should be "responsible coverings" with holes big enough to let law enforcement see everything going on inside. Of course, law enforcement will be told to look away when they pass by windows unless they have a warrant. That should take care of any legitimate privacy concerns.

Now I’m sure some people will object to this modest proposal, but remember, law enforcement needs outweigh personal privacy concerns.

Anonymous Coward says:

Quis custodiet ipsos custodes?

Who oversees the keepers of the masterkey?
Who are the ‘good guys’?

Because, as a non-US-citizen, I sure as hell don’t trust the USA Government to do it.

Maybe we should give these to the International Court of Justice in The Hague.

(And you Americans can play along if you join the program… all of it)

Roger Strong (profile) says:

Re: Quis custodiet ipsos custodes?

EVERY government will demand a copy of the keys. Then every branch – FBI, CIA, NSA, TSA, FDA etc… and their counterparts in every government. You can bet that the NYPD and City of London Police will demand them too.

Think of the StingRay cellphone surveillance devices. Originally for counter-terrorism and national security users. Now operated in the US alone by over a dozen federal departments and in widespread use by state and local police. And by local police forces in other countries including Canada and the UK. With 12 private companies in the UK alone exporting them to Saudi Arabia, UAE, and Turkey and elsewhere.

Those keys will be shared far and wide.

Anonymous Coward says:

“Our society has never had a system where evidence of criminal wrongdoing was totally impervious to detection,”

All this evidence that he wants to access has only existed between the widespread adoption of the Internet and strong encryption being implemented. All strong encryption is doing is restoring some of the privacy that existed before the Internet.

Anonymous Coward says:

“Our society has never had a system where evidence of criminal wrongdoing was totally impervious to detection,”

Oh, this has bullshit written all over it. Remember those gangster movies where they turned the radio way up in the backroom and then spoke softly … yeah – that was only a movie and did not/does not actually happen … or anything remotely similar.

orbitalinsertion (profile) says:

Re: Re:

And evidence from actual crimes is destroyed all the time, purposely or not. Just because I have a warrant to search for a gun or a stack of documents or proceeds of a crime does not mean they will be where I am looking for them. Things could be burned or in a landfill or in the bottom of the ocean or sold five times and long gone. But somehow fishing expeditions for internet communications are different because I said so.

Encryption backdoors are the equivalent of the good old rubber hose. Whether or not they get evidence using it, they get what they want.

That One Guy (profile) says:

Re: Re: Re: Re:

That’s next.

No, that’s now. With more than zero courts holding that forcing someone to provide a password to decrypt/unlock a device is not a violation of their rights, in a very real sense it is legal to force someone to provide the contents of their mind (and punish them for refusing to do so), at least as it extends to particular facts.

Anonymous Coward says:

Let us imagine the impossible...

For a sliver of a moment, let us say that this mythical beast that is “Backdoors Open to Goodguy United States” (or BOGUS for short) isn’t a completely impossible task and imagine that someone found a way.
This is still only the first third of the problem… I have heard no mention at all about what they are ever going to do when the rest of the world’s governments are going to require access to the same data. I am guessing that they would try to make it illegal to give access to foreign countries, but that would put every company in a position where they would have to choose between the US market and the rest of the world.
The last third is what they are going to do about foreign encryption or self-made encryption? I am guessing that they would try to make that illegal as well, which would mean that all software would have to be approved by the government and then locked down to prevent tampering… bye bye open source.
I might be wrong here because I am not an expert in encryption and how it is implemented but it is surely a losing battle no matter what they want to call backdoors.

These subjects are often brought up here, but it is the lack of recognition from the politicians of the whole process that I am missing.

Anonymous Coward says:

Code-signing versus key-breaking keys

Code-signing keys are extremely dangerous in the wrong hands. For a given provider and given key, they’re also legitimately used very rarely (comparatively speaking): needing it once a week, every week, is probably rare, and most are more in the range of once a month or once every few months. Compare that to the warrant submissions we know about (thus excluding all the gag-order protected warrants), which number in the dozens or hundreds per day. When access is once a week (or less), it’s viable to have some fairly onerous procedures associated with using the key:

  • Airgapped storage. The to-be-signed blob is carried in, signed on a permanently offline computer, and carried out. No network connection is ever made available to the signing computer.
  • Key stored in a smartcard or other hardware-access device, to make using it in unapproved ways much less convenient.
  • Multi-person cooperation (e.g. a guard who unlocks the room in which the code-signing key is stored, but that guard doesn’t have access to use the code-signing key once in the room; that requires a separate person, who doesn’t get a physical key to enter the room, and is never left unattended)
  • Audit logs for who goes in/out
  • Pre-approval by management for going in at all

Not all companies use all, or even most of these, but at the frequency involved, they could. Now picture trying to use that type of procedure to protect a key that is needed every time the government shows up with a decryption warrant. There’d be no way to process all those warrants in a sufficiently timely manner (using the government’s definition of "sufficient", of course) and still follow the onerous procedure. The only "responsible" way to handle it (again, government’s definition) would be to streamline the process so that decrypting the material is much less onerous. If we streamline away from the onerous security-focused procedure, then we’re no longer securing the master decryption key(s), so the comparison to code-signing keys is no longer appropriate.

Anonymous Coward says:

Re: Code-signing versus key-breaking keys

Even if the decryption was simple, the sheer volume of warrants that the government can generate would make decryption an onerous process for most companies. That would lead to intense pressure to just hand the keys over to the security services, and next thing you know, the bad guys have them as well.

Anonymous Coward says:

Re: Code-signing versus key-breaking keys

You mention “the” code-signing key, but it doesn’t have to be just one key. You could require the code to be signed with 5 of 10 keys from a set for example.

Or you can split keys, and recombine them only when needed. Bonus: if using the Merkle signature scheme you’d be safe from quantum computers.

It’s not terribly expensive to make sure the key is offline, and never held in one place. It could be as simple as passphrase-protected keys stored in employees’ cars, with any small subset needed able to sign. You don’t need guards with nuclear-submarine-style key-turning but you do need to plan ahead.

That One Guy (profile) says:

Re: No

No, I am absolutely done giving them the benefit of the doubt on this subject.

Anyone of any notable rank/position calling for compromising encryption at this point should be assumed by default to be either grossly irresponsible in deliberately not researching the subject enough to understand what they are talking about, or grossly dishonest in knowingly asking for something that they know is impossible and that will have significant negative impacts on the security of the general public.

At this point there is no justification for people of his rank not having done their research on the subject before speaking, so the assumption should be malice and/or willful ignorance by default.

Anonymous Coward says:

Re: Re: No

You are right: it has gotten so far now that it defies reason. I think that there can only be a selfish intent left as a reason.
1. They are seen as doing “something”. This is of course false since we know that what they are asking for is impossible, so they are just wasting time they could have spent on better issues, but fighting terrorism is all the rage.
2. It is a Win-Win situation. Whatever the outcome, their career or life is not going to be impacted much because they can just blame the tech industry for not coming up with a good enough solution that was broken or for not coming up with a solution at all. They will play the ignorance card because who can expect them to understand the “magic of tech”.
3. They are trying to make it seem like it is a David-vs-Goliath kind of fight. They are the underdog who is fighting the big and bad tech industry. I am quite sure that those of us who are interested in the subject or work in tech see it the other way around.
4. They are trying to use people’s fear of change, where tech is one of the fastest provokers of change, to fuel the fire. Nobody really likes things to change too much and unless you are very aware, changes are easy to see as bad. I work in the industry and it can be frustrating to not be able to keep up and understand the new technology that comes out every day, so I can imagine how everyday Mr. and Ms. Jones feel. Just this point alone is probably the most dangerous because it can drive people to do stupid and dangerous things just to feel like they are in control.

Anonymous Coward says:

Speaking of clueless DAs...

…let’s talk about Manhattan DA Cy Vance, who has also put himself squarely in the camp of lazy, incompetent, ignorant, clueless morons calling for weakening of encryption.

It turns out that he’s done quite a good job sabotaging his own cases — when he was well-paid to do so. As has been reported multiple times in the last week, most recently by the Daily Beast, when he was bribed by filth like Donald Trump Jr, Harvey Weinstein, and Ivanka Trump — some of the world’s most vile, disgusting pieces of filth in human form — he let them walk.

See for an introduction: https://www.thedailybeast.com/prosecutor-threw-away-slam-dunk-cases-against-weinstein-and-trump-kids?source=twitter&via=mobile

So any previous and any future comments from Cy Vance on the subject of encryption should be flushed down the toilet, just like he should be.

Personanongrata says:

256 Bit Advanced Encryption Standard for All!

“This is a gutless, stupid, dishonest speech — one that deliberately misconstrues the issues and lays all the blame, along with all the culpability on companies unwilling to sacrifice users’ security just because the government feels it’s owed access in perpetuity.”

It appears the intellectually bankrupt statist turds (ie Deputy AG Rod Rosenstein) at DoJ (HaHa) also believe unicorns that poop golden eggs exist.

Perhaps the statist turds demanding compromised encryption algorithms should lead by example?

Let these know-nothing idiots put their personal information out into the electronic jungle (ie the intertubes) using the defective data encryption methods they have suggested.

How soon until their personal data has been exploited?

Access to all data at all times is the wet dream of every petty authoritarian tyrant that has ever lived.

David says:

"Responsible encryption" is a great term!

I mean, how do the following sound to you?

“I am responsibly in love with you.”

“I’ll keep what you said in responsible confidence.”

“I’ll carry out your orders in responsible manner.”

I mean, it insinuates a second overriding agenda perfectly well. “responsible” is pretty much the definition of “backdoored” or “compromised”, just with a tinge of “by nominally good people”. And, well, that’s sort-of what the government considers itself to be. Or at least entitled to.

Anonymous Coward says:

Clueless Deputy AG

“To use a technological metaphor, the rule of law
is our nation’s operating system.”

Perhaps it’s time for open-source for all components ?

“But increasingly, the tools we use to collect
evidence run up against technology that is designed
to defeat them.” — e.g., *flush toilets* ?

“In 2016, an attack launched against domain name
servers illustrated a significant problem. The
attack made it effectively impossible for many
users to access certain web sites for several hours.”

Bad example; DNS is vulnerable precisely because it
doesn’t use strong encryption; “the grid” is similarly
vulnerable.

That One Guy (profile) says:

Not just wrong, not just fractically wrong, but maliciously fractically wrong

“Encryption is a foundational element of data security and authentication. It is essential to the growth and flourishing of the digital economy, and we in law enforcement have no desire to undermine it.”

Calling a shit-sandwich anything else does not change what you’re trying to force the public to eat. Blatantly lying like this does not help the credibility of the one doing so.

“Our society has never had a system where evidence of criminal wrongdoing was totally impervious to detection, especially when officers obtain a court-authorized warrant. But that is the world that technology companies are creating.”

Why yes as a matter of fact, it has. It’s this pesky thing called ‘Privacy’, where people are allowed to talk and hold conversations that are not recorded, even if those conversations involve criminal activity, and even if they would have made for a guaranteed conviction if recorded.

Police and government agencies have never had access to everything, they have never had a right to everything, and they sure as hell don’t have a right now just because people are increasingly changing how they communicate.

“Responsible encryption is achievable. Responsible encryption can involve effective, secure encryption that allows access only with judicial authorization.”

In that case do it yourself.

If you want to claim that the companies won’t do it because they care more about profit than security, then surely a government with pools of money available and who does care about the public, and who knows that you can cripple encryption without sacrificing security can put together a magical unicorn gate secured by a leprechaun gold gate key.

“That explains why the government’s efforts to engage with technology giants on encryption generally do not bear fruit. Company leaders may be willing to meet, but often they respond by criticizing the government and promising stronger encryption.”

No? It’s all on the companies to do it? The same ones that are ‘criticizing’ you for demanding the impossible and idiotic, who have repeatedly pointed out that stronger encryption protects the public better? Yeah, that’s what I figured.

“We use a different measure of success. We are in the business of preventing crime and saving lives.”

In that case do your damn job and stop trying to make crime easier.

Anyone calling for compromised encryption is flat out lying if they then turn around and claim that they are in the business of preventing crime, or at the very least demonstrating that they are so grossly incompetent at it that they need to be fired immediately and blacklisted for life from ever working at any job involving security.

“That would present a huge potential security problem, if those keys were to leak. But they do not leak, because the company knows how to protect what is important. Companies can protect their ability to respond to lawful court orders with equal diligence.”

It takes some almost impressive willful blindness to say something like this, after the string of high-profile leaks/hacks of companies and government agencies in the past few years, and that was without companies being forced to create and maintain databases filled with security keys that everyone would want to get their hands on.

If they can’t secure their data before having to keep something that valuable, they would have no chance to do so afterwards, but I suppose when you don’t have to do anything, and you have disclaimed any responsibility for any leaks/hacks, then anything is possible.

Lawrence D’Oliveiro says:

It’s Like The Unclassified Sector Has A Monopoly On Encryption

If the politicians want to prove that “responsible encryption” can be done, they know what they can do. The UK and US governments have access to pools of the brightest crypto talent in the world, in the form of GCHQ and the NSA respectively. All they have to do is ask those boffins to come up with a workable scheme, then show it to the rest of us and say “I told you so”.

After all, wouldn’t they jump at the chance to prove that the continual insistence by the unclassified research community, that it can’t be done, is just so much hot air?

That One Guy (profile) says:

Re: It’s Like The Unclassified Sector Has A Monopoly On Encryption

Missed a step

All they have to do is ask those boffins to come up with a workable scheme, personally use it long enough to demonstrate its security and continue to use it, then show it to the rest of us and say “I told you so”.

If they believed it to be secure enough for their own use, then I might start to think that they’d managed to accomplish the impossible (well, probably not, because the ‘Trust the NSA/GCHQ’ ship has sailed, hit an iceberg, and sank years ago, but it would be a start).

junkyardmagic says:

they're the good guys

What’s the problem. The only people who could access the back door would be the good guys. And of course any bad guys who work for them, and their friends.
But let’s just focus on the good guys. They wouldn’t deliberately open the backdoor to the baddies. Although thinking about it they have already shown how little they understand about cyber security.
Look, the point is they are the good guys, and won’t compromise our security on purpose, and we need to remember that.
