Senator John McCain Weighs In On 'Going Dark' Debate -- Insists That He Understands Cryptography Better Than Cryptographers

from the maverick dept

Who knew that Senator John McCain understood encryption better than actual cryptographers? Late last week, he wrote an op-ed for Bloomberg View, in which he trots out all the usual talking points on how Silicon Valley just needs to nerd harder to solve the "Going Dark" problem. There's lots of cluelessness in the piece, but let's focus on the big one:

> Top cryptologists have reasonably cautioned that “new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws,” but this is not the end of the analysis. We recognize there may be risks to requiring such access, but we know there are risks to doing nothing.

Actually, it kind of is "the end of the analysis" because the core element of that analysis is the fact that any attempt to backdoor encryption doesn't just make security weaker, it puts basically everyone at much greater risk. It introduces cataclysmic problems for any system that stores information that needs to be kept secure and private.

The following sentence is equally inane, in which he tries to place the "risks" of backdooring encryption on the same plane as the risk of ISIS using encryption. Let's be clear here: the risk of backdooring encryption isn't just significantly larger than the risk of ISIS using encryption, they're not even in the same universe. Even worse, by backdooring encryption, you are almost certainly increasing the risk of ISIS as well, by giving them a massive vulnerability to attack and exploit. Trying to suggest that this is an "on the one hand, on the other hand" situation is so ridiculously ignorant, one wonders who the hell is advising Senator McCain on this topic.

The fact is that there are always some risks. Tens of thousands of people die in car accidents in the US every year, yet you don't hear Senator McCain weighing the risks of driving versus the risks of banning cars. And that's a much more reasonable position to stake out, because banning cars would actually reduce automobile deaths — but it would also cripple the economy. But here's the thing: backdooring encryption has the potential to do much more damage to the economy than banning automobiles, because it would create vulnerabilities that could really completely shut down our economy. So, for McCain to pretend that there are somewhat equal risks on either side isn't just ignorant and meaningless, it's dangerous.

> Some technologists and Silicon Valley executives argue that any efforts by the government to ensure law-enforcement access to encrypted information will undermine users’ privacy and make them less secure. This position is ideologically motivated and profit-driven, though not without merit. But, by speaking in absolute terms about privacy rights, they bring the discussion to a halt, while the security threat evolves.

Honestly, this is not true. I know that Comey's favorite line these days is that using strong encryption is a "business model decision," but Silicon Valley's interest in strong encryption doesn't appear to be driven by their own bottom lines, frankly. If it was, they would have adopted it much earlier. Strong encryption actually undermines some companies' business models, in that it makes it more difficult for them to collect the data that many of them rely on. The move towards stronger encryption has mostly been the result of a few things: (1) the fact that the NSA broke into their data centers and put their legitimate users at risk, (2) a better understanding of the wider risks from malicious attackers of what happens when you have weak encryption and (3) user demands for privacy. The last one may have indirect business model benefits in that it keeps users happier, but to argue that keeping users happy is somehow a purely money-driven decision, and frame it as somehow a bad thing, is pretty damn ridiculous.

And, honestly, while there are some activists who speak in absolute terms about "privacy rights," you rarely hear that from Silicon Valley companies. In fact, those who have absolute views on privacy tend to be the most critical of Silicon Valley companies for taking a much less principled view on "privacy rights." McCain pretending that this is driven by some sort of "privacy rights" advocacy suggests he's (again) woefully misinformed on this issue.

> To be clear, encryption is often a very good thing. It increases the security of our online activities, provides the confidence necessary for economic growth through the Internet, and protects our privacy by securing some of our most important personal information, such as financial data and health records. Yet as with many technological tools, terrorist organizations are using encryption with alarming success.

Actually, they're not using encryption with "alarming success." There are very, very, very, very few examples of terrorists using encryption successfully. The Paris attackers? Unencrypted SMS. San Bernardino? Unencrypted social media communication.

> The jihadists' followers and adherents use encryption to hide their communications within the U.S. FBI Director James Comey recently testified that the attackers in last year's Garland, Texas, shootings exchanged more than 100 text messages with an overseas terrorist, but law enforcement is still blinded to the content of those texts because they were encrypted.

Notice that this is the only example that comes up in these discussions. That's because it's the only example. And it's not even a very good one. Because, as with most encrypted communication, the metadata was still perfectly accessible. That's why they know that the attackers exchanged messages with a terrorist. Sure, they may not be able to understand the direct contents of the message, but the same thing would have been true if the attacker and the people he communicated with had worked out a code beforehand. Or, you know, if they had met and talked in person. Is McCain going to ban talking in person too?

Finally, McCain's "solution" to all of this is to make a law telling Silicon Valley to nerd harder and solve the problem... or else:

> As part of this effort, Congress should consider legislation that would require U.S. telecommunications companies to adopt technological alternatives that allow them to comply with lawful requests for access to content, but that would not prescribe what those systems should look like. This would allow companies to retain flexibility to design their technologies to meet both their business needs and our national security interests.

In other words, despite the fact that all of the best cryptographers in the world have said that what you're asking for is basically impossible and would make everyone less safe, just do it anyway -- and do it in a way that when it falls apart and everyone is made more vulnerable, Congressional leaders like John McCain can spin around and blame the companies rather than themselves.

> We have to encourage companies and individuals who rely on encryption to recognize that our security is threatened, not encouraged, by technologies that place vital information outside the reach of law enforcement. Developing technologies that aid terrorists like Islamic State is not only harmful to our security, but it is ultimately an unwise business model.

Does John McCain seriously not employ a single knowledgeable staffer who could point out to him that basically every encrypted technology that ISIS uses is not made by an American company? Seriously, look at the list of ISIS's preferred encryption technologies:
So who, exactly, is developing technologies that "aid terrorists like Islamic State" and need their encryption undermined?

Meanwhile, we haven't even touched on the biggest issue, as was highlighted in that big paper from Harvard last week. And it's this: the whole Going Dark thing is a total myth, because for the tiny, tiny, tiny bit of information that is now blocked out by strong encryption, there's a mountain of other data that is now accessible to law enforcement and the intelligence community. Things have been getting lighter and lighter and lighter for decades.

Shouldn't a sitting Senator understand these basic facts?

Reader Comments

  • Anonymous Coward, 9 Feb 2016 @ 8:31am

    if ever a politician needed to be taken to task over his comments, this idiot does!!

  • Johan, 9 Feb 2016 @ 8:49am

    Taste your own medicine

    If it is really that easy to develop a safe "golden key" why doesn't the government develop its own encryption standard and implement across the board?

    It will either prove good enough for the NSA's own use or fall nicely flat on its face.

    • Machin Shin, 9 Feb 2016 @ 8:58am

      Re: Taste your own medicine

      I really think this kind of thing needs to be put in place for several topics. Someone running around saying "It is only meta-data" should be required to make all of their "meta-data" public, and anyone claiming they want a backdoor should be required to only use systems with a backdoor.

    • Anonymous Coward, 9 Feb 2016 @ 9:25am

      Re: Taste your own medicine

      The problem isn't really technological, it's about policy and politics. Multikey cryptography is a solved problem. The unsolved problem is how to manage the keys and when access should be granted and by whom and under what conditions.

      You say the government should develop its own encryption standard. I'd be careful what you ask for. The encryption standards already exist, only the policy is missing and that's one thing the government likes to do. It would be very easy for them to mandate all phones sold in the US must be decryptable. Yes, hackers might be able to remove that capability, but most people wouldn't and that's probably good enough.

      • Almost Anonymous, 9 Feb 2016 @ 2:08pm

        Re: Re: Taste your own medicine

        All of this has already happened. The NSA developed a backdoored encryption algorithm and then pushed ANSI, ISO, and the National Institute of Standards and Technology to adopt it as a formal standard. The NSA also paid off several companies to utilize it as a basis in their encryption products. The fact that the everyday American doesn't know anything about this makes me a sad panda.

        • Anonymous Coward, 9 Feb 2016 @ 2:24pm

          Re: Re: Re: Taste your own medicine

          That's not what I was talking about. If you want to find a parallel, it would be closer to the Clipper chip.

          Backdoored crypto is an entirely different beast than multi-keyed crypto.

    • Joshua Honeycutt, 9 Feb 2016 @ 10:45am

      Re: Taste your own medicine

      The government already tried implementing weaker crypto standards. These were pushed aside when people realized the crypto was being sabotaged by the NSA.

  • Anonymous Coward, 9 Feb 2016 @ 9:08am

    All this talk of a golden key is actually just a golden shower.

  • Anonymous Coward, 9 Feb 2016 @ 9:19am

    It seems logical then that we would all be much safer if we made it technologically impossible to wiretap telephone lines.

  • mcinsand, 9 Feb 2016 @ 9:50am

    the risks of doing nothing

    I facepalm whenever someone tries to pull this on me because usually they're arguing for doing something questionable because 'we can't just do nothing.' Actually, we can and we need to do nothing if our only choices are between doing something self-destructively stupid and nothing.

    When it comes to encryption, we can pick three choices right now: backdoors, doing nothing, or start requiring broader use of strong encryption. The middle choice leaves our risk constant, the last choice reduces risk by making it harder for 'the bad guys' to gain useful information, or we could increase risk by undermining encryption.

    • Almost Anonymous, 9 Feb 2016 @ 2:00pm

      Re: the risks of doing nothing

      You make a really good point actually. The fear of being seen to do "nothing" does seem to be a real thing for politicians. Even though nothing is what they've been accomplishing lately with all of their partisan bickering.

  • Anonymous Coward, 9 Feb 2016 @ 9:55am

    The politicians should be the beta testers.

    All government agencies and officials should be the beta testers for all the crap they are trying to put the population thru.

    All of them should use airport security and be subjected to the TSA and coach seats.

    All of them and their staff should have to use ‘law enforcement accessible’ encryption.

    All of them should be subjected to the NSA surveillance before allowing laws to be enacted that the citizens of the United States are subjected to.

    Let them lead by example or get out of the way.

    While I’m at it, all lobbyists engaged in talking to government officials or their staff must be done with full public disclosure. Any lobbyist materials must be made public and all political donations to PACS must be made transparent.

    We also need term limits for senators and congressmen.
    Government of the people, by the people, for the people – we should not fear the government, we should control it.

    Self-governance is the basis of the United States Constitution.

    We need to stop being sheeple and reclaim what is ours!

    WAKE UP and Stop the B.S.

    • Anonymous Coward, 9 Feb 2016 @ 3:09pm

      Re:

      > Government of the people, by the people, for the people

      ... that would be the Gettysburg Address, rather than the constitution.

      > Self-governance is the basis of the United States Constitution.

      ... if by self-governance, you mean "a government over its own people", which England was not, then yep. If you're thinking of a "pure democracy", well... you might want to read the document again.

  • Headmaster, 9 Feb 2016 @ 10:17am

    how do you expect to get your pudding

    These people are like children told they can't have something totally ridiculous to ask for in the first place and then pitching a bloody fit when they are turned down.

    I can see the lot of them yelling and screaming, between bouts of holding their breath until they turn blue (not a bad idea,) as they writhe around on the supermarket floor.

  • Anonymous Coward, 9 Feb 2016 @ 10:18am

    Here is the most stupid part...

    If they backdoor encryption and advertise that fact as they have been, then the terrorists will use other encryption that hasn't been developed and backdoored by governments. So the sheeple will be freely hacked by the world's criminal element and the terrorists will still have gone "dark".

    I think the only thing being backdoored here are the sheeple.

  • Black Art, 9 Feb 2016 @ 10:25am

    Of course McCain understands cryptography

    He had to learn how to decrypt Sarah Palin's speeches.

  • Jason, 9 Feb 2016 @ 10:30am

    > Shouldn't a sitting Senator understand these basic facts?

    I feel like you're leaving one enormous can of worms sitting open with that statement...

    • annonymouse, 9 Feb 2016 @ 10:42am (flagged by the community)

      Response to: Jason on Feb 9th, 2016 @ 10:30am

      I don't know if the senator has worms but sitting too long on the can will restrict blood flow to the nethers - most have wobbly legs though I take it on authority that political types get increased brain damage.

  • Mike Acker, 9 Feb 2016 @ 10:53am

    homework

    anyone who thinks surveillance is about fighting terrorism and protecting the people needs to do their homework.

    suggested start

    http://www.newsmax.com/Newsfront/dhs-isis-destroy-records/2016/02/06/id/713047/

    the control of information has always been about protecting the organization -- whether that be a corporation or a government. the real target is unwanted exposure. in the case of government this refers to dissidents.

  • Miles Barnett, 9 Feb 2016 @ 11:19am

    Their argument comes down to this:

    You must leave your doors unlocked in case law enforcement need to enter. If someone comes in and steals your stuff, that's just the price we have to pay as a society to make our job easier.

  • Anonymous Coward, 9 Feb 2016 @ 11:39am

    30,000 FBI and DHS employees might be having second thoughts about data security today... Security benefits everyone, lack of it is equally problematic.

  • Anonymous Coward, 9 Feb 2016 @ 11:54am

    Just how many ISIS terrorists are buying their phones in the USA?

  • Wyrm, 9 Feb 2016 @ 12:39pm

    I tell you, McCain, developers and cryptographers will try to make your golden key and even deliver it on a unicorn riding a rainbow... after you manage to pass and enforce a law stating that ISIS can only use US-approved communication and encryption solutions.

    Your move now.

  • jstanley01, 9 Feb 2016 @ 12:53pm

    Make It So

    Rest assured that this sitting Senator has learned everything he needs to know about all this high falutin high technology by watching every episode of Star Trek the Next Generation.

    Impossible, you say? Not with The Borg bearing down on our starship. When Jean-Luc says, "Make it so," your job is not to argue. Your job is to make it so.

  • Someone more Intelligent than McCain, 9 Feb 2016 @ 1:25pm

    Back at ya McCain

    Some politicians and government officials argue that any efforts by the public to prevent criminal access to their encrypted information will undermine the government's ability to collect more data and fight terrorism. This position is ideologically motivated and profit-driven, though not without merit. But, by being complete morons about security and cryptography, they bring the discussion to a halt, while the security theater continues.

  • Anonymous Coward, 9 Feb 2016 @ 1:37pm

    The US Military use encryption to hide their communications worldwide. FBI Director James Comey recently testified that if there were backdoors in the encryption our military secrets will be put at risk. But since terrorists use encryption he felt it was better to allow the enemy to decrypt our communications so we can decrypt their communications, leveling the playing field so each side has an equal chance at success!

  • Anonymous Coward, 9 Feb 2016 @ 1:39pm

    Sooo

    Are these the first sign of dementia or just more of the usual uninformed bullshit posturing?

    • Almost Anonymous, 9 Feb 2016 @ 1:49pm

      Re: Sooo

      Hah, I promise I was typing my comment before I read yours. Glad that I'm not the only one that sees this debate as a form of dementia.

  • Almost Anonymous, 9 Feb 2016 @ 1:47pm

    Typical BS

    > Top cryptologists have reasonably cautioned that “new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws,” but this is not the end of the analysis. We recognize there may be risks to requiring such access, but we know there are risks to doing nothing.

    Typical BS politician statement, "there may be risks to requiring such access"... No, there are *absolutely* risks, no "may" about it, which begins with a very strong possibility, and increases over time to near certainty, that the encryption backdoor will be discovered and used by criminals and other adversaries.

    Why can't they get this through their heads? What dementia affects career politicians that they don't get that OUR ENEMIES will be able to read our most closely guarded secrets if they get their way?

    /rant

  • Anonymous Coward, 9 Feb 2016 @ 2:09pm

    This is not about finding a good solution...

    The good solution doesn't exist, and they know it. They have been told by countless experts and probably their own people as well.
    What they are after is that by law, they will be able to demand the shitty solution after a while when another way isn't found.
    They don't want a fair deal here... they want everything for nothing, because I will bet everything I own that they won't just go "oh, I guess it really was impossible. We better give up on this fool's errand". After a year, at the most, they will complain about how they were forced to use the most crappy solution ever, because the tech companies didn't work hard enough or didn't cooperate.

  • Anonymous Coward, 9 Feb 2016 @ 5:17pm

    McCain reminds me of that idiot colonel from Full Metal Jacket, with his 'Why don't you jump on the team and come in for the big win' speech.

  • Pixelation, 9 Feb 2016 @ 7:02pm

    Whatever the fuck that means

    Once again McCain is "Goin' Rogue".

  • Anonymous Coward, 9 Feb 2016 @ 7:03pm

    Seven odd years as a POW in a N. Vietnamese prison camp, I just couldn't bring myself to hand him the football. Much respect for soldiers like him and Bob Dole, but they already paid their dues.

  • Anonymous Coward, 9 Feb 2016 @ 7:46pm

    McCain is yet another dinosaur

    I'm really getting tired of all these dinosaurs who have no clue what they are doing, thinking they can continue to speak for the rest of us.

  • Anonymous Coward, 9 Feb 2016 @ 11:20pm

    Maybe because he has access to more and better protection than the average citizen. As well as being in the group of self proclaimed "elites" that are treated as exempt to unjust laws that are associated with this.
