My Question To Deputy Attorney General Rod Rosenstein On Encryption Backdoors
from the golden-key-and-databreach dept
Never mind all the other reasons Deputy Attorney General Rod Rosenstein’s name has been in the news lately… this post is about his comments at the State of the Net conference in DC on Monday. In particular: his comments on encryption backdoors.
As he and so many other government officials have before, he continued to press for encryption backdoors, as if it were possible to have a backdoor and a functioning encryption system. He allowed that the government would not itself need to have the backdoor key; it could simply be a company holding onto it, he said, as if this qualification would lay all concerns to rest.
But it does not, and so near the end of his talk I asked the question, “What is a company to do if it suffers a data breach and the only thing compromised is the encryption key it was holding onto?”
There were several concerns reflected in this question. One relates to what the poor company is to do. It’s bad enough when they experience a data breach and user information is compromised. Not only does a data breach undermine a company’s relationship with its users, but, recognizing how serious this problem is, authorities are increasingly developing policy instructing companies on how they are to respond to such a situation, and it can expose the company to significant legal liability if it does not comport with these requirements.
But if an encryption key is taken it is so much more than basic user information, financial details, or even the pool of potentially rich and varied data related to the user’s interactions with the company that is at risk. Rather, it is every single bit of information the user has ever depended on the encryption system to secure that stands to be compromised. What is the appropriate response of a company whose data breach has now stripped its users of all the protection they depended on for all this data? How can it even begin to try to mitigate the resulting harm? Just what would government officials, who required the company to keep this backdoor key, now propose it do? Particularly if the government is going to force companies to be in this position of holding onto these keys, these answers are something they are going to need to know if they are going to be able to afford to be in the encryption business at all.
Which leads to the other idea I was hoping the question would capture: that encryption policy and cybersecurity policy are not two distinct subjects. They interrelate. So when government officials worry about what bad actors do, as Rosenstein’s comments reflected, it can’t lead to the reflexive demand that encryption be weakened simply because, as they reason, bad actors use encryption. Not when the same officials are also worried about bad actors breaching systems, because this sort of weakened encryption so significantly raises the cost of these breaches (as well as potentially makes them easier).
Unfortunately Rosenstein had no good answer. There was lots of equivocation punctuated with the assertion that experts had assured him that it was feasible to create backdoors and keep them safe. Time ran out before anyone could ask the follow-up question of exactly who were these mysterious experts giving him this assurance, especially in light of so many other experts agreeing that such a solution is not possible, but perhaps this answer is something Senator Wyden can find out…
Filed Under: cybersecurity, encryption backdoors, going dark, responsible encryption, rod rosenstein
Comments on “My Question To Deputy Attorney General Rod Rosenstein On Encryption Backdoors”
Everything's easy when you don't have to do it
I believe I can save time and reading by providing the tl;dr version of the response to such questions posed to those pushing broken encryption:
‘Nerd harder.’
Re: Everything's easy when you don't have to do it
Re: Everything's easy when you don't have to do it
I don’t think there’s a techdirt reader (or even Ron Wyden, who has already asked who Rosenstein’s nonexistent experts might be in a letter) who thinks the response will be anything other than “nerd harder” accompanied by lots of shrill obfuscation.
I’m wondering just what it’s gonna take to communicate with the man who doesn’t seem to understand that computers are rapidly becoming very bad at keeping secrets from much of anyone.
Re: Re: Everything's easy when you don't have to do it
I’m wondering just what it’s gonna take to communicate with the man who doesn’t seem to understand that computers are rapidly becoming very bad at keeping secrets from much of anyone.
At this point I suspect that’s a lost cause, such that it would take replacing them with someone who isn’t willing to throw the public under the bus in order to sate their voyeuristic fetish.
This far into the ‘discussion’ I no longer give the benefit of the doubt to those pushing broken encryption, such that the default assumption if someone in a major position is pushing for crippled encryption is to assume that they know it’s a bad idea and simply do not care.
Re: Re: Re: Everything's easy when you don't have to do it
I’ve talked with a middle manager from MITRE before who wanted to backdoor encryption.
She thought the purpose of encryption was to keep the NSA and FBI out while letting foreign adversaries in. She was surprised when I explained to her that encryption is meant to keep everyone out other than the intended recipient(s).
There’s still significant ignorance within the government about encryption. Not everyone actually understands the basics.
Re: Re: Re:2 Everything's easy when you don't have to do it
‘Major position’ is a little lose, but in general I mean someone like say, the head of the FBI, or the Deputy Attorney General. Someone that high up the chain has no excuse when it comes to not knowing what a disaster broken encryption is, especially this late in the game.
Re: Re: Everything's easy when you don't have to do it
Rosenstein’s Experts
Re: Re: Re: Everything's easy when you don't have to do it
Woo, woo, woo, woo.
To answer part of the question
The following statement is not to say that I endorse, or even think that encryption backdoors are a good thing or even feasible.
If a company did build a backdoor and kept it on a system that was connected to anything else, it would display a level of incompetence and negligence that should turn 150% of their assets over to their customers without any attorneys involved.
Of course they would need back ups, so I would think they would keep the data on several portable hard drives located in vaults in different locations. Sound proofed vaults that contain nothing else.
Then they would need to write a procedure that would insure the safety of the software with multiple people cross checking each other after having been strip searched, which would take place after the receipt of a court order. Law enforcement could observe through windows, but not enter the room where the data extraction was taking place, and only the extracted data would be turned over to law enforcement. Continuity of evidence is important.
I don’t see any of that happening, and I fully expect that if a backdoor was built, it would be handled in exactly the same careless manner with which other data and software has been treated in the past, and likely the present, and probably the future.
Re: To answer part of the question
On the plus side, I imagine such a setup would be higher security than the NSA, FBI or DOJ typically employ(given how often they seem to ‘misplace’ data and/or suffer data breaches).
On the downside, I can all but guarantee that they would find such a process ‘unreasonably time-consuming’ and would quickly insist that companies move to a quicker, and therefore less secure, system, in which case blaming companies for the inevitable loss of the key would very much be blaming the wrong party.
Re: Re: Thought Experiment
Suppose we built an electronic master key that turned all the otherwise meaningless noise into a company’s data and was trustworthy…how, exactly, were you intending to connect it with the data itself from the internet?
Re: To answer part of the question
There is a potential hole in your proposal, and that is the device whose data is to be decrypted, as it can be a vector for extricating the key, after a previous device introduced the software to compromise the secure system if that was needed. Also, with the ability of law enforcement to look into the room, you have a hole via which data can be ex-filtrated by flashing a led or pixels on a device
t should be assumed that law enforcement will be trying to do that, as they do not like checks and balances that get in the way of them going fishing whenever, and on whatever device they want to search.
Re: Re: To answer part of the question
Getting their hands on the decryption software would likely be one of their priorities. Then they could engage their ‘evidence laundering’ procedures, and likely a bit of blackmail, without ‘courts knowing about it.
Getting their hands on a decrypted copy of everything on a device would not prevent them from their fishing.
One thing I have long wondered about is that when a search warrant is issued for some specific targets(s) when searching a device, what prevents them from searching everything anyway? That things are not presented as evidence (within the confines of the warrant) doesn’t mean they didn’t see everything.
Re: To answer part of the question
The real problem is that the LEO would show up with their warrant and say, “I have a warrant for this other device, but I left it in my other pants.” Being lazy, both devices would be decrypted.
Most of the technical problems could be worked around. It is possible to build something with enough processes and procedures to prevent a mass breach.
The problem is that people will take short cuts. Consider BP. Massive oil spill along the Alaska Pipeline because BP skimped on required maintenance to save a few dollars. Ditto with the Deepwater Horizon.
Anyone entrusted to access the keys will either not follow protocol to save money, or not follow protocol because they are lazy and don’t care. So then at a minimum the government will effectively access any of the keys they want without safeguards.
That’s not even considering what a high value target any key storehouse would be.
FBI
We have an FBI security guy talk to a bunch of us auditors and I asked him about back door and how it doesn’t jive with what every single IT person tells the FBI and he looked terrible after basically not answering it
And people wonder why people don’t inherently respect law enforcement.
Corruption
Are there any top level law enforcement agents that aren’t totally ignorant of technology AND not corrupt?
Re: Corruption
No, part of the requirement now to reach those levels means you had to have played ball for “the team”.
I don’t think Americans fully understand how corrupt it is now. But this is the end result when the only thing you trust are “the experts”. The first step to taking control is to put a system in place that can be used to believable discredit someone. Sure the idea is to really be a benefit, but it is just a tool, and tools can be use for good or bad.
Experts
“…experts had assured him that it was feasible to create backdoors and keep them safe.”
“We’ve got top men working on it right now!”
“Who?”
“Top men.”
Re: Experts
This means one of two things. Either:
1. That’s exactly what these people told him and we need to ensure that these experts are exposed and never work in computer security again,
or
2. These experts told him something along the lines of “yes, it’s feasible to create backdoors, or it’s feasible to keep the data safe, but not both” and he used selective hearing/speaking to turn it into what he wanted.
or
3. We’re reading that sentence wrong, and what he really meant was that experts assured him thatit was feasible to create backdoors and keep the experts safe.
Re: Experts
Unicorn ranchers.
The problem with creating a doomsday weapon...
…is that someone may be crazy enough to use it.
An encryption backdoor is just that: it facilitates the total destruction of security and privacy for everything on the other side of it. There’s no fixing it. There’s no mitigating it. There’s no compensating for it.
Just as we accept that the price of not creating a doomsday weapon is that we might lose a military conflict, we need to accept that the price of not creating encryption backdoors is that we might lose evidence. (Although precious little proof of that has been forthcoming. And such extraordinary claims do require extraordinary proof.)
I think that both of those are acceptable prices to pay in order to preserve the core principles that are the foundation of this Republic. We are not so fearful or weak that we cannot or will not pay them when required.
Re: The problem with creating a doomsday weapon...
"We are not so feaful or weak…"
Funny, I’m sure my FBI dossier got a little fatter when I made that very same argument in an email to President Bush, the younger, begging him not to sign USA PATRIOT into law. It appears that I can now claim there are at least two of us willing to water the Tree of Liberty rather than sacrifice our group and individual liberties as citizens on the altar of government expedience in a pretense of enhancing security.
Anyone remember?
Black boxes for telephones?
Combination locks?
The LOCK on your front door?
Flash installed on Every computer device in this world, to control and PASSWORD most of these devices?
For anything created, the KEY has never been the ONLY way to break them..
How about the old hacker movies, based on 1 persons exploits in the computer world??
You can re-program your modem, CMOS, Video controls, ALL of it, IF YOU KNOW HOW..
From Picking the locks on your doors, to Busting it down..THERE IS NO or LITTLE protection to computers and the devices we use.
WHY install a Second DOOR/WAY/FORMAT/PASSWORD in a system that already has Problems?
categorical error, semantics, or false paradigm?
” as if it were possible to have a backdoor and a functioning encryption system.”
That depends on your categorical definition of where encryption security ends and device security/ legitimate authority begins.
Are cryptographers, meant to secure entire devices- including hardware and networks they have no access to? How? This is an unreasonable expectation…and therefor on some level, an unreasonable categorization. You’re right of course, that encryption cannot reliably perform it’s function in the presence of a backdoor.
There is “ring -3 hardware” installed on nearly every post-2011 device. If this hardware is not considered as part of an encryption systems security- as I pointed out, how can it reasonably be when there is NO ACCESS?- then YES you very much CAN have functioning encryption on a backdoored device. It’s categorical error to state otherwise, and a severe misunderstanding of the scope of a cryptographers ability/responsibility.
Ring -3 hardware has been hacked, numerous times- and subsequently patched- which should inform people of the potentials involved here. The update mechanism itself represents a path to targeted infection even if the hardware itself could not technically be described as a backdoor in OEM configurations. The coders who wrote the software might not even realize what it’s being used for- ask Andrew S. Tanenbaum -who recently discovered he’d inadvertently created the most widely deployed OS in the world- Your probably running it right now; Even if not, the servers that delivered this page to you are.
The cellular baseband co-processor is ring -3, with authority granted to the network provider- it has unencumbered access to ram, where encryption keys are kept. Reporting on encryption backdoors, without mentioning these intimately related technical paradigms is, at best, deeply uninformed and negligent.
See Ken Tompsons’ “Reflections on trusting trust” – to begin to get a sense of how difficult and deep running the backdoor problem really is. There is no panacea- but an informed populous is at least a start- as a journalist, that should be your job, not mine. It’s great you’re pushing back against backdoors- but to do that effectively, people need to understand the fundamental nature of what a backdoor is- that is a very nuanced and complicated topic.
@ "What is the appropriate response of a company whose data breach has now stripped its users of all the protection they depended on for all this data?"
That’d be: "Oh, well! — We’re not in least responsible! Read the T&C! — Have a nice day!"
What’s with all the free re-posts this week? Now can’t get even ONE piece a day out of the minions? — I’m betting heavily on February being Techdirt’s last month.
Re: Re:
So for all the bitching you do against corporations, you seem very willing to roll over for the sake of terms and conditions that only lawyers can decipher properly. The same lawyers you wish to be all killed off.
You’re not very good at thinking things through, are you?
Have a DMCA vote.
Re: Re: Broken satire meter!
Your satire meter seems broken; please maintain it with a smile! lol
Re: Re: Re: Broken satire meter!
That wasn’t satire, they’re dead serious when they post rubbish like that.
Re: @ "What is the appropriate response of a company whose data breach has now stripped its users of all the protection they depended on for all this data?"
Yawn…
Don't support terroists
Its pretty clear that there are factions in our society that want the terrorists to win, they have supported them again and again and they now want a backdoor to to your personal papers, you could give it to them trusting them to not create more of the same violence they are responsible for…
Or you could just say no to anything they want again and again until they no longer exist.
There are a couple of silver linings to the Tangerine-Tinged Twit’s feud with the FBI. First, and more obviously, it makes it harder for them to push bad policy objectives like this. Second, by sucking all the oxygen out of the room it impedes their ability to spread a mass-media narrative (i.e. "ONOZ Terraists Will Kill U If We Can’t Spy On U!!1!"), thus effectively amplifying the more sober and intellectual discussions (none of which support the agency’s position).
The only argument that shuts these guys up is this:
Weaken encryption in the U.S. and all exports of software
and network-related technology “made in U.S.A.”will dry up.
Everybody, Americans included, will shop elsewhere for tech.
That’s trillions of dollars in new trade deficits, hundreds
of billions in lost profits to tech industries and tens of
billions in lost taxes every year until a new administration
undoes the damage and stops the bleeding.
Arguing about security and rights of the American people has
no effect on these clowns because they hold the public in
contempt and always will. Show them what effect their dumb-
ass meddling will do to their billionaire friends and corporate
backers and they’ll quietly let the issue die off without ever
having to admit why it was a stupid idea to start with.
[Yes, I’ve said it before; and I’ll say it again every time. ;]