DOJ Continues Its Push For Encryption Backdoors With Even Worse Arguments
from the let-us-save-you-from-your-security dept
Early last week, the Deputy Attorney General (Rod Rosenstein) picked up the recently-departed James Comey’s Torch of Encroaching Darkness +1 and delivered one of the worst speeches against encryption ever delivered outside of the UK.
Rosenstein apparently has decided UK government officials shouldn’t have a monopoly on horrendous anti-encryption arguments. Saddling up his one-trick pony, the DAG dumped out a whole lot of nonsensical words in front of a slightly more receptive audience. Speaking at the Global Cyber Security Summit in London, Rosenstein continued his crusade against encryption using counterintuitive arguments.
After name-dropping his newly-minted term — responsible encryption™ — Rosenstein stepped back to assess the overall cybersecurity situation. In short, it is awful. Worse, perhaps, than Rosenstein’s own arguments. Between the inadvertently NSA-backed WannaCry ransomware, the Kelihos botnet, dozens of ill-mannered state actors, and everything else happening seemingly all at once, the world’s computer users could obviously use all the security they can get.
Encryption is key to security. Rosenstein agrees… up to a point. He wants better security for everyone, unless those everyones are targeted by search warrants. Then they have too much encryption.
Encryption is essential. It is a foundational element of data security and authentication. It is central to the growth and flourishing of the digital economy. We in law enforcement have no desire to undermine encryption.
But “warrant-proof” encryption poses a serious problem.
Well, you can’t really have both secure encryption and law enforcement-friendly encryption. Rosenstein knows this just as surely as Comey knew it. That didn’t stop Comey from pretending it was all about tech company recalcitrance. The same goes for Rosenstein who, early on in his speech, plays a shitty version of Sympathy for the Tech Devil by using the phrase “competitive forces” as a stand-in for “profit seeking” when speaking about the uptick in default encryption.
The underlying message of his last speech was that American tech companies should spurn profits for helping out the government by unwrapping one end of end-to-end encryption. The same pitch is made here, softened slightly in the lede thanks to the presence of UK tech companies in the audience. The language may be less divisive, but the arguments are no less stupid this time around.
In the United States, when crime is afoot, impartial judges are responsible for balancing a citizen’s reasonable expectation of privacy against the interests of law enforcement. The law recognizes that legitimate law enforcement needs can outweigh personal privacy concerns. That is how we obtain search warrants for homes and court orders to require witnesses to testify.
Warrant-proof encryption overrides our ability to balance privacy and security. Our society has never had a system where evidence of criminal wrongdoing was impervious to detection by officers acting with a court-authorized warrant. But that is the world that technology companies are creating.
I’m not sure what this “system” is Rosenstein speaks about, but there has always been evidence that’s eluded the grasp of law enforcement. Prior to common telephone use, people still communicated criminal plans but no one insisted citizens hold every conversation within earshot of law enforcement. Even in a digital world, evidence production isn’t guaranteed, even when encryption isn’t a factor.
Going on from there, the rest of the speech is pretty much identical to his earlier one. In other words: really, really bad and really, really wrong.
Rosenstein believes the government should be able to place its finger on the privacy/security scale without being questioned or stymied by lowly citizens or private companies. Even if he’s right about that (he isn’t), he’s wrong about the balance. This isn’t privacy vs. security. This is security vs. insecurity. For a speech so front-loaded with tales of security breaches and malicious hacking, the back end is nothing more than bad arguments for weakened encryption — something the government may benefit from, but will do nothing to protect people from malicious hackers or malicious governments.
All the complaints about a skewed balance are being presented by an entity that’s hardly a victim. Electronic devices — particularly cellphones — generate an enormous amount of data that’s not locked behind encryption. The government can — without a warrant — track your movements, either post-facto, or with some creative paperwork, in real time. Tons of other “smart” devices are generating a wealth of records only a third party and a subpoena away. And that’s just the things citizens own. This says nothing about the wealth of surveillance options already deployed by the government and those waiting in the wings for the next sell off of civil liberties.
It also should be noted Rosenstein is trying to make “responsible encryption” a thing. He obviously wants the word “backdoor” erased from the debate. While it’s tempting to sympathize with Rosenstein’s desire to take a loaded word out of the encryption debate lexicon, the one he’s replacing it with is worse. As Rob Graham at Errata Security points out, the new term is loaded language itself, especially when attached to Rosenstein’s bullshit metric: “measuring success in prevented crimes and saved lives.”
I feel for Rosenstein, because the term “backdoor” does have a pejorative connotation, which can be considered unfair. But that’s like saying the word “murder” is a pejorative term for killing people, or “torture” is a pejorative term for torture. The bad connotation exists because we don’t like government surveillance. I mean, honestly calling this feature “government surveillance feature” is likewise pejorative, and likewise exactly what it is that we are talking about.
Then there’s the problem with Rosenstein deploying rhetorical dodges in his discussions about encryption, which presumably include a number of government officials. Alex Gaynor, who worked for the United States Digital Service and participated in the Obama Administration’s discussion of potential encryption backdoors, points out Rosenstein’s abuse of his position.
Mr. Rosenstein plainly wants to reopen the “going dark” debate that began under the previous administration, spearheaded by FBI Director Jim Comey. While I disagree vehemently with him, it’s a valid policy position – and I have every reason to believe him that there are investigations in which encryption does hamper the Justice Department and FBI’s ability to investigate. However, he is not entitled to mislead the public in order to make that point. And make no mistake. Attempting to use the spectre of familiar computer security challenges in order to make the argument that his policy is necessary, even though his policy has nothing to do with these challenges, is the height of intellectual dishonesty.
There’s an endgame to Rosenstein’s dishonest rhetoric. And it won’t be tech companies being guilted into participating in his “responsible encryption” charade. It will be backdoors. And they will be legislated.
The Deputy Attorney General says that he is interested in “frank discussion”. However, his actual remarks demonstrate he is interested in anything but — his goal is to secure legislation akin to CALEA for your cellphone, and he doesn’t care who he has to mislead to accomplish this. Mr. Deputy Attorney General, I expect better.
This is what the DOJ wants. But Rosenstein is too weak-willed to say it out loud. So he spouts this contradictory, misleading, wholly asinine garbage to whatever audience will have him. Rosenstein is obtuse enough to be dangerous. Fortunately, most legislators (so far) seem unwilling to sacrifice the security of citizens on the altar of lawful access.