DOJ Continues Its Push For Encryption Backdoors With Even Worse Arguments

from the let-us-save-you-from-your-security dept

Early last week, the Deputy Attorney General (Rod Rosenstein) picked up the recently-departed James Comey’s Torch of Encroaching Darkness +1 and delivered one of the worst speeches against encryption ever delivered outside of the UK.

Rosenstein apparently has decided UK government officials shouldn’t have a monopoly on horrendous anti-encryption arguments. Saddling up his one-trick pony, the DAG dumped out a whole lot of nonsensical words in front of a slightly more receptive audience. Speaking at the Global Cyber Security Summit in London, Rosenstein continued his crusade against encryption using counterintuitive arguments.

After name-dropping his newly-minted term — responsible encryption™ — Rosenstein stepped back to assess the overall cybersecurity situation. In short, it is awful. Worse, perhaps, than Rosenstein’s own arguments. Between the inadvertently NSA-backed WannaCry ransomware, the Kehlios botnet, dozens of ill-mannered state actors, and everything else happening seemingly all at once, the world’s computer users could obviously use all the security they can get.

Encryption is key to security. Rosenstein agrees… up to a point. He wants better security for everyone, unless those everyones are targeted by search warrants. Then they have too much encryption.

Encryption is essential. It is a foundational element of data security and authentication. It is central to the growth and flourishing of the digital economy. We in law enforcement have no desire to undermine encryption.

But “warrant-proof” encryption poses a serious problem.

Well, you can’t really have both secure encryption and law enforcement-friendly encryption. Rosenstein knows this just as surely as Comey knew it. That didn’t stop Comey from pretending it was all about tech company recalcitrance. The same goes for Rosenstein who, early on in his speech, plays a shitty version of Sympathy for the Tech Devil by using the phrase “competitive forces” as a stand-in for “profit seeking” when speaking about the uptick in default encryption.

The underlying message of his last speech was that American tech companies should spurn profits for helping out the government by unwrapping one end of end-to-end encryption. The same pitch is made here, softened slightly in the lede thanks to the presence of UK tech companies in the audience. The language may be less divisive, but the arguments are no less stupid this time around.

In the United States, when crime is afoot, impartial judges are responsible for balancing a citizen’s reasonable expectation of privacy against the interests of law enforcement. The law recognizes that legitimate law enforcement needs can outweigh personal privacy concerns. That is how we obtain search warrants for homes and court orders to require witnesses to testify.

Warrant-proof encryption overrides our ability to balance privacy and security. Our society has never had a system where evidence of criminal wrongdoing was impervious to detection by officers acting with a court-authorized warrant. But that is the world that technology companies are creating.

I’m not sure what this “system” is Rosenstein speaks about, but there has always been evidence that’s eluded the grasp of law enforcement. Prior to common telephone use, people still communicated criminal plans but no one insisted citizens hold every conversation within earshot of law enforcement. Even in a digital world, evidence production isn’t guaranteed, even when encryption isn’t a factor.

Going on from there, the rest of speech is pretty much identical to his earlier one. In other words: really, really bad and really, really wrong.

Rosenstein believes the government should be able to place its finger on the privacy/security scale without being questioned or stymied by lowly citizens or private companies. Even if he’s right about that (he isn’t), he’s wrong about the balance. This isn’t privacy vs. security. This is security vs. insecurity. For a speech so front-loaded with tales of security breaches and malicious hacking, the back end is nothing more than bad arguments for weakened encryption — something the government may benefit from, but will do nothing to protect people from malicious hackers or malicious governments.

All the complaints about a skewed balance are being presented by an entity that’s hardly a victim. Electronic devices — particularly cellphones — generate an enormous amount of data that’s not locked behind encryption. The government can — without a warrant — track your movements, either post-facto, or with some creative paperwork, in real time. Tons of other “smart” devices are generating a wealth of records only a third party and a subpoena away. And that’s just the things citizens own. This says nothing about the wealth of surveillance options already deployed by the government and those waiting in the wings for the next sell off of civil liberties

It also should be noted Rosenstein is trying to make “responsible encryption” a thing. He obviously wants the word “backdoor” erased from the debate. While it’s tempting to sympathize with Rosenstein’s desire to take a loaded word out of the encryption debate lexicon, the one he’s replacing it with is worse. As Rob Graham at Errata Security points out, the new term is loaded language itself, especially when attached to Rosenstein’s bullshit metric: “measuring success in prevented crimes and saved lives.”

I feel for Rosenstein, because the term “backdoor” does have a pejorative connotation, which can be considered unfair. But that’s like saying the word “murder” is a pejorative term for killing people, or “torture” is a pejorative term for torture. The bad connotation exists because we don’t like government surveillance. I mean, honestly calling this feature “government surveillance feature” is likewise pejorative, and likewise exactly what it is that we are talking about.

Then there’s the problem with Rosenstein deploying rhetorical dodges in his discussions about encryption, which presumably include a number of government officials. Alex Gaynor, who worked for the United States Digital Service and participated in the Obama Administration’s discussion of potential encryption backdoors, points out Rosenstein’s abuse of his position.

Mr. Rosenstein plainly wants to reopen the “going dark” debate that began under the previously administration, spearheaded by FBI Director Jim Comey. While I disagree vehemently with him, it’s a valid policy position – and I have every reason to believe him that there are investigations in which encryption does hamper the Justice Department and FBI’s ability to investigate. However, he is not entitled to mislead the public in order to make that point. And make no mistake. Attempting to use the spectre of familiar computer security challenges in order to make the argument that his policy is necessary, even though his policy has nothing to do with these challenges, is the height of intellectual dishonesty.

There’s an endgame to Rosenstein’s dishonest rhetoric. And it won’t be tech companies being guilted into participating in his “responsible encryption” charade. It will be backdoors. And they will be legislated.

The Deputy Attorney General says that he is interested in “frank discussion”. However, his actual remarks demonstrate he is interested in anything but — his goal is to secure legislation akin to CALEA for your cellphone, and he doesn’t care who he has to mislead to accomplish this. Mr. Deputy Attorney General, I expect better.

This is what the DOJ wants. But Rosenstein is too weak-willed to say it out loud. So he spouts this contradictory, misleading, wholly asinine garbage to whatever audience will have him. Rosenstein is obtuse enough to be dangerous. Fortunately, most legislators (so far) seem unwilling to sacrifice the security of citizens on the altar of lawful access.

Filed Under: , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “DOJ Continues Its Push For Encryption Backdoors With Even Worse Arguments”

Subscribe: RSS Leave a comment
That One Guy (profile) says:

No need to pull punches

But Rosenstein is too weak-willed to say it out loud.

No, he’s too dishonest.

Were he honest he’d flat out admit that he is against any form of encryption that he can’t break on demand, in other words any encryption that works.

He would admit that he knows that broken encryption would be an absolute gold-mine to the very criminals he claims to want to stop, but that he considers that a price he’s willing to have the public pay. That he considers the harm that will result from weakening encryption an acceptable trade for any gains he might achieve.

He would stop trying to blame the companies for fighting to keep the ‘responsible (read: working) encryption’ they have in place, stop trying to make them out to be holding their ground purely for monetary purposes while the poor, beleaguered government only wants broken encryption for the very best of purposes.

It’s not a ‘weak will’ that keeps him from admitting to these things, it’s a lack of honesty and a clear willingness to lie and mislead if it achieves his aims.

hij (profile) says:

Responsible encryption would be great

After name-dropping his newly-minted term — "responsible encryption™

Actually, this idea is not so new. Many people have been discussing this for a quite a while, most notably folks like Bruce Schneier. There are responsible ways to implement encryption, and the notion that this term is being hijacked to mean exactly the opposite of what it currently means is a bit frightening. Changing the meaning of important terms is the modus operandi of important people who want to openly lie and deceive.

aerinai says:

Can someone give me an example???

For too long; us techies have had to listen to this drivel come out of the mouths of Rosenstein & Co. I think it is high time we demand from them a working copy of their so-called ‘responsible encryption’. Show me one real life example of this working and secure.

Oh wait… it doesn’t exist? Hmmm… fancy that.

Side Note: Just today there was another example of RSA encryption falling apart on public key generation since 2012 that opened up vulnerabilities. Some of the most talented people in the world are working on this stuff and they still aren’t perfect 100% of the time when guarding one door. Good luck guarding a second (or 3rd, 4th, and 5th once other countries demand the same).

Rich Kulawiec (profile) says:

Re: Can someone give me an example???

I’ll second this. One of the principles that underpins the IETF is that we (collectively) believe in rough consensus and running code.

So if Rosenstein (or anybody else) want to persuade us to take them seriously, then they need to put a reference implementation of their proposed cryptographic standard on the table for study and discussion.

Put up or shut up.

DaveinCanada (profile) says:


I like that your article got me to read more…CALEA came about in ’94 (Clinton) and two sentences in the Wiki article struck me.

“In the years since CALEA was passed it has been greatly expanded to include all VoIP and broadband Internet traffic. From 2004 to 2007 there was a 62 percent growth in the number of wiretaps performed under CALEA – and more than 3,000 percent growth in interception of Internet data such as email.”

just another, earlier example of mission creep.

Anonymous Coward says:

When governments follow their own freedom of infomation laws, it might be possible to discuss government requirement to access citizens data. But otherwise all they are doing is creating an infomation disparity where they have all the information they need to control the citizens, while keeping the data the citizens need to control the government hidden behind official secrets and state security concerns, despite FOI laws.

Anonymous Coward says:

Re: Re:

“When governments follow their own freedom of infomation laws, it might be possible to discuss government requirement to access citizens data.”

Non Sequitur.

There is no requirement to pilfer thru everyone’s stuff on some sort of highfalutin fishing expedition – but there is a requirement to keep the government “honest” … (smirk)

Roger Strong (profile) says:

Re: Re:

It’s not just the DOJ. It’s every other government agency in every other country that will demand the backdoor. And make no mistake; it the US government has a backdoor, other governments will demand it too.

Consider the Stinger cell phone mass surveillance devices, intended for intelligence and anti-terrorism work. Now more than a dozen federal agencies have them. And many state and local police forces in the US in Canada, Britain and elsewhere. There’s a large list of private companies who will sell them to any totalitarian government who wants them.

You won’t just have to trust the DOJ; you’ll have to trust ALL of the other agencies in ALL the other countries to keep that backdoor password a secret.

ThatDevilTech (profile) says:

Here's a thought

For all of the idiots that say “just do it” let’s do it and put it on THEIR bank accounts and see how long before the accounts are wiped out. Encryption is important for so many day-to-day transactions and duties. Let’s give them what they want but test it on their accounts first.

Of course, when it fails, they’ll say it wasn’t done “right” but it was done exactly how they asked it to be done. They got what they wanted, but didn’t like the results. Imagine that…

Todd Shore (profile) says:

Poor Security from the Government

I think it is important that the government be upfront on the real risks that they are facing. The “why” of why they are doing this. Countries are at real risk from outside influence and coordinated attack by outside state and possibly private actors. Effectively, the physical borders are gone and attach can happen at any level.
I agree that responsible encryption is important. The responsibility is to thwart attack. The problem is that being blind to traffic is not the biggest threat to the government, it is penetration.
If they expect that can work to a state where they can view all traffic, those days have gone. They need to focus on penetration and hardening and help companies, state and local governments, and citizens to harden openings in their communications such as firewalls, tunnels, and encryption as well as secure ways to harden accessing of those communications such as sandboxing and process filtering so that penetration isn’t compromised by receipt of communications.
That is the government’s responsibility to the country, whatever country it may be. Ours isn’t doing very well.
It just allowed its key system to be compromised with the Equifax hack of the security through obscurity SSN method of identification. How long is that going to take to remediate
vs. Esontia?
If the US government feels the need to get with business to talk about encryption, it should always keep an eye to ensuring it is unbreakable and public. Public scrutiny is important for rooting out flaws.

Dave Cortright (profile) says:

I'll be in your base killing your dudes

If you have a known back door, anyone who really wants to is going to get through it. So only the ill-informed or lazy would ever use it.

Meanwhile, the rest of the world—which last I checked the US still does not control—will continue to use the real thing. So the US would essentially be putting themselves at a huge disadvantage.


boomslang says:

Larger issue

“Allow me to conclude with this thought: There is no constitutional right to sell warrant-proof encryption.”

USA citizens live in a country where anything that is not forbidden by law is legal. We do not live in a country where we may only act in ways the law prescribes. This is so fundamental to the values of our country that no one who believes otherwise should be allowed to hold the post of deputy attoney general.

JeffR says:

Just mandate the use of the Infineon libraries...

All they need to do is mandate that everyone use the Infineon library to generate their keys.. like include it in a standard that you have to use to sell to government.. like say.. FIPS-140-2

Oh, wait..

David says:

Oh, it fits.

Well, you can’t really have both secure encryption and law enforcement-friendly encryption.

But that does not preclude you from getting a budget for it. Putting a round peg in a square hole just requires a big enough hydraulic press. Of course, afterwards neither the peg will be round nor the hole will be square. But that does not preclude you from writing a success report.

Anonymous Coward says:

I think there is a misunderstanding of what is going on here. If encryption and strong security become widespread, and criminals are unable to steal from citizens then why would we need to send millions of dollars to the FBI to fight computer crime?

After all, if the criminals can’t get in then there would be no need, and when money is involved you can bet there will be disingenuous arguments to keep the flow going…

christenson says:

Re: Where to put the money

IMHO, the place to put the millions is on how to return ownership of computers to their physical possessors…

That is, research into how to make things like stuxnet impossible by design by bounding the behavior of software.

Right now, God only knows where else this comment went besides just Techdirt!

boomslang says:

Re: Re:

Don’t forget about criminal entities trying to break into secured system. These are the real adversaries. I don’t care what inflammatory things people say in TechDirt comments, but you’re probably not being assigned a special FBI task force. You’re more likely to be popped by a criminal than by law enforcement. The problem is that the latter scenario can be a bit more terrifying.

bshock says:

This “warrant-proof encryption” nonsense reminds me of Traitor Diane Feinstein’s insistence that no one had the right to keep any secrets from law enforcement. This in turn reminded me of how in the state Feinstein mis-represents (California, where I live) it’s actually illegal to own bullet resistant clothing. So not only do the authoritarians believe that you should have no right to privacy, they also believe you have no right to continued existence. I can’t help remembering that silly David Lynch version of “Dune,” where everyone on the planet of the evil Harkonnen regime have heart-plug implants, apparently so that the authorities could rip them out to kill you on the slightest hint of transgression.

Maybe the future U.S. will be gentler — maybe they’ll just require all of us to have “stun chip” implants, so our betters can press a button and stop us in our tracks if we become inconvenient.

Groaker (profile) says:

Robert Heinlein once bespoke an apocryphal tale about the development of a flying horse. Line up all the horses, and push them over a cliff. Perhaps one will eventually fly.

Our government is on a similar track with backdoors. Give a mathematician, computer scientist or other tech a week to come up with a backdoor, and should the individual fail, execute him. Perhaps one will eventually find a backdoor that only lets nice people in.

Tin-Foil-Hat says:


There have always been obstacles and systems that prevented law enforcement obtaining information. For example, DNA analysis is a relatively recent technology for identifying and excluding suspects. Criminals are being brought to justice in cases decades old because of it. But what about the criminal that won’t reveal the location of the drugs, money or body? Sticks, carrots and warrants are useless without cooperation. Although technology has provided a indispensable tool to crime fighters, like all technology it sometimes creates an obstacle. Does the constitution allow the government or its agents to use any means to their end? Does it allow preemptive access to the insides of our persons, homes and papers, lest one of us commit a crime in the future? What they are asking for not only provides access to current information but potentially years of cumulative information. These issues need to be addressed. The stakes are higher for the millions of law abiding citizens who are being asked to trade their privacy just in case one of them commits or is even suspected of committing a crime.

Personanongrata says:

Trust Me Not

DOJ Continues Its Push For Encryption Backdoors With Even Worse Arguments

Is this the same US government that can’t even keep the data it has already been entrusted with secure?

U.S. Office of Personnel Management in June 2015 with 21.5 million person data exposed for potential exploit.

U.S. Department of Veteran Affairs in May 2006 with 26.5 million veterans data exposed.

National Archives and Records Administration in October 2009 with 76 million persons data potentially exposed.

U.S. Voter Database December 2015 with 191 million persons data potentially exposed

Or the same US government (boondoggles R’ US) that is repeatedly exploited every time it contracts building a new network or data base.

Social Security spent $300M on ‘IT boondoggle’

The FBI’s Upgrade That Wasn’t

IRS spends millions to upgrade to outdated version of Windows

Aaron Walkhouse (profile) says:

The only argument that shuts these guys up is this:

Weaken encryption in the U.S. and all exports of software
and network-related technology “made in U.S.A.”will dry up.
Everybody, Americans included, will shop elsewhere for tech.

That’s trillions of dollars in new trade deficits, hundreds
of billions in lost profits to tech industries and tens of
billions in lost taxes every year until a new administration
undoes the damage and stops the bleeding.

Arguing about security and rights of the American people has
no effect on these clowns because they hold the public in
contempt, and always will. ‌ Show them what effect their dumb-
ass meddling will do to their billionaire friends and corporate
backers and they’ll quietly let the issue die off without ever
having to admit why it was a stupid idea to start with.

[Yes, I’ve said it before; and I’ll say it again every time. ;]

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...