CIA Director John Brennan Says Non-US Encryption Is 'Theoretical'
from the central-ignorance-agency? dept
You would think that someone in charge of the Central Intelligence Agency would have some knowledge about what he’s discussing while at a Senate Hearing on intelligence. Perhaps not so much. CIA Director John Brennan completely incorrectly said last week that non-US encryption was “theoretical” despite there actually being hundreds of such products on the market.
This happened during an open Senate Intelligence Committee hearing, where Senator Ron Wyden got to ask Brennan a couple of questions. The first was about whether anyone at the CIA was being held accountable for failures during the CIA torture program, and the second was on the future of Section 702 of the FISA Amendments Act. Specifically, he asked whether or not the CIA could live without being able to do “backdoor searches” on 702 data — basically asking what would happen if the CIA had to get a warrant to search that data. Director Brennan more or less dodged both questions, promising to get back to Wyden later and/or “in a different setting” (i.e., a classified one). However, as part of the preamble before asking questions, Wyden briefly touched on the issue of requiring US companies to backdoor encryption — the plan put forth by Senators Burr and Feinstein (Feinstein is sitting right next to Wyden while discussing this) — saying that it won’t work and is dangerous. He points out that putting restrictions on US companies won’t much matter, because those who wish to do us harm will just use non-US encryption. Despite no question being asked on that topic, Brennan decided to weigh in anyway. You can see the exchange here:
Here’s what Brennan says:
I respectfully disagree with your opening comments. First of all, US companies dominate the international market as for… as encryption technologies that are available through these various apps. And I think we will continue to dominate them. So although you’re right that there’s the theoretical ability of foreign companies to be able to have those encryption capabilities that’ll be available to others, I do believe that this country and this private sector is integral to addressing these issues. And I encourage this committee to continue to work on it.
Beyond being a bit jumbled, the idea that the issue is “theoretical” is flat out wrong. A recent paper by the Open Technology Institute looked at the 9 top encryption products recommended as “safe” to use by ISIS and pointed out that only one would be impacted by US regulation.
And then there was the second study, done by the Berkman Center and led by Bruce Schneier, that was a worldwide study of encryption products and noted that there are 865 encryption products worldwide from 55 different countries — and 546 of those products are non-US. It’s true that the US has the most, but there’s a pretty wide variety of other options. And the foreign products cover all different kinds of encryption. They found: “47 file encryption products, 68 e-mail encryption products, 104 message encryption products, 35 voice encryption products, and found 61 virtual private networking products.”
To argue that this is somehow “theoretical” is beyond ridiculous. Even if it were true (and it doesn’t appear to be) that those planning to do us harm currently use US products, it’s pretty obvious that they would quickly move to foreign-based products if it became clear that the US products were required to provide a backdoor to law enforcement. Again, the only end result would be to make those who use the encryption for lawful purposes less safe.
Filed Under: cia, encryption, encryption backdoors, going dark, john brennan, non-us encryption, ron wyden
Comments on “CIA Director John Brennan Says Non-US Encryption Is 'Theoretical'”
Idiot or liar
I’d say it’s pretty likely he upheld the time-honored tradition of making a ‘least untruthful statement’ to congress, as the alternative, that he’s really so clueless that despite his position, and despite what he’s arguing about he honestly doesn’t know about non-US encryption alternatives is I’d say extremely unlikely.
Or put simply, he knows full well that what he’s supporting would be both dangerous and useless at it’s stated purpose, but he’s willing to lie to defend it anyway.
Re: Idiot or liar
As long as the lying keeps working…
Re: Re: Idiot or liar
It has been working for Hillary and really the whole Obama administration for 7 years now.
Re: Re: Re: Idiot or liar
You mean it’s been working for every administration for at least 50 years?
Re: Idiot or liar
Maybe he is confused.
Maybe he is thinking of Google, Apple, Facebook, Twitter, Microsoft and doesn’t really understand those complicated words like:
* encryption
* technologies
* apps
* think
Re: Re: Idiot or liar
forgot to add…
* ethical
As I recall, the USA has tried this before. In the 1980s, encryption was covered under the same export laws as munitions, and export of high strength (>40 bit keys) encryption was banned. The result? Since importing full strength encryption was legal, almost all encryption development moved offshore.
If the USA starts to require backdoored encryption, the exact same thing will happen again.
Re: Re:
But the other nations will just require backdoors too.
The new game will be hunting and pecking for the next unbroken encryption that will likely become illegal in each nation, unless you are using theirs.
Yep, it will become a shit show. We are likely going to begin seeing more “Information Freedom” uprisings in the future, which is inevitable anyways. Greedy interests will always seek to artificially control markets.
Re: Re:
You recall correctly.
I remember in the late 90’s using openSSH/OpenBSD with all its crypto developed outside of the USA because of the US crypto export laws.
Had me scratching my head wondering why the land of the free was forced to import free software from other countries just to be secure.
Crypto "domination"
Brennan said
In saying this, he is either ignorant of or deliberately misrepresenting history.
Back when it was illegal for the US to export effective crypto, the effect was that outside of the government itself there was almost no serious crypto development being done in the US at all. The reason was obvious: if you developed it in the US, you couldn’t sell it outside the US. If you developed it outside the US, however, the world was your oyster.
The result was that the US fell behind in crypto (Israel was the top dog in that realm instead).
The only reason that crypto development returned to the US in later years was the elimination of that law. However, excellent crypto development continues across the entire world as well.
If the US were to make effective crypto illegal by mandating back doors, there is no question what the effect would be: individuals will simply use imported crypto, and crypto development in the US will once again grind to an effective halt.
Re: Crypto "domination"
“Israel was the top dog in that realm instead”
They really only need to tour their own racks to verify this. My guess is they will still find Checkpoint being used in a wide number of critical systems infrastructure applications, and still being patched regularly without source code audits.
Ransomware says he's wrong
Ransomware, especially when it affects our own police departments, is a good way to tell that foreign encryption is sometimes viable. To say that cloud-based backups are unnecessary and that the data cannot be made unrecoverable is very dangerous.
What about the software that has been cracked?
It may very well be that Brennan has no clue. But when he runs his own numbers, he’s not counting the ones the NSA has cracked. The implication is that the U.S. has cracked a significant majority, if not all, of the non-U.S. products in discussion here.
If there is a ‘preferred list of products’ put out by the terrorists, our government would have put the effort into cracking those first.
Hey, he's not being that unreasonable.
He’s used to dealing with “Theoreticals” all the time. Like LEO knowledge of laws, government agency adherence to applicable laws, CIA “intelligence”.
Damn, I need to take a techdirt break, I didn’t use to be so cynical…
Re: Hey, he's not being that unreasonable.
Try infowars.
Their obvious bias makes for a good laugh
Then there's the venerable Blackberry
You know, that Canadian company, from a country north of the U.S.?
Re: Then there's the venerable Blackberry
You mean the one that breaks your encryption when asked?
Technically, he’s not wrong. I mean, a2+b2=c2 is not the Pythagorean law. (sorry, couldn’t figure out superscript.)
Re: Re:
No, Technically, Philosophically, & Ethically he is wrong, very wrong, and damaging to the US Economy wrong.
It’s kinda hard to be more wrong! He is wrong cubed!
Re: Re: Re:
He is, dare I say, not even wrong.
Re: superscript
Alt 253
It’s amusing to see these people thinking they can make things happen anywhere through laws and tolls that are only valid in their own territory. I mean, obviously Americans should be fighting such idiocy tooth an nail but as an outsider, I’d love to see these things being passed then watch tech companies flee and avoid the US like the plague.
Re: Re:
No man, we Americans LOVE our idiots. Once you put an R or a D on someone A drove of fucking fundies are at beck and call.
And the locals… if a corrupt politicain gets shit for their locals they are not going anywhere.
The first sign of a corrupt politician is one that says vote for me and I will provide welfare!
John Brennan’s “theoretical” makes it very possible that US based encryption becomes theoretical.
“Wyden 2020!” said clearly-not-campaign-manager Masnick.
Re: Wyden 20202
Sure, right now Wyden has solid support in Oregon. let me remind you that Mark Udall had pretty solid support right up until the 2014 Senate race in Colorado. Russ Feingold was solid in Wisconsin until 2010. We’ll have to see how he does this year.
My point is that every Senator that’s tried to cope with the “Intelligence Community” in the last 5-10 years has ended up going down in flames at their next re-election. Senators who cozy up to the IC have done a lot better. Is this coincidence? I think not. We’ll never know, but I bet there’s “Intelligence Community” interference in elections.
Re: Re: Wyden 20202
Oregon may be relatively unique. Wyden has been going after these issues for years now, and it continues to bolster his popularity there.
Re: Re:
You are one fucked up fuck, you know that?
why are we as a people allowing them not to answer. they believe they are outside and above the law. that is where a line should be drawn.
Lets say the U.S. Got it’s way and demanded back doors. Do you think other countries would want or allow U.S. created phones sold in their country where the U.S. Government had backdoor access to citizens phones?
The U.S. government wised up back in the 90’s when they wanted to force company’s to install the Clipper Chip into everything to gain backdoor access. Of course later it was hacked. But the point was, it would have made American’s insecure’s and who would want to buy American Products?
While bad things happen, that’s a tiny percentage of people, to the millions that would be screwed because of weak security. If you gain backdoor access, how does that STOP anything? Looking at a device after the fact stopped something. It’s really simple to destroy phones before you do anything, if there was anything on the phone to begin with that would have been any help.
The police, FBI, whoever NEVER get 100% of the info they want. We have these things call Paper Shredders. Do those company’s have to piece together documents for the FBI if they want something? Good luck with that one.
I the end, anyone with half a brain and wanted to do criminal things, maybe wouldn’t trust a American Company and encryption anyway. You would install your own Encryption software, maybe something open sourced and vetted. Cheap Android phones you can toss, destroy at any time with your own Encryption software installed would be the smart move.
Re: Re:
“You would install your own Encryption software, maybe something open sourced and vetted.”
Which, honestly, is what everyone should have been doing already.
Re: I'd be curious...
…how our officials and representatives would respond if it turned out that China was installing pre-backdoored OSes on the smartphones they exported to the US.
I suspect they’d have a conniption right there.
And yet they are incapable of seeing that scenario, or how this one is comparable to that one from the eyes of the rest of the world.
Re: Re: I'd be curious...
Which is what I said above. What country would allow U.S. made products sold in their country when there’s a U.S. created backdoor program in all those devices? They don’t want the U.S. Government spying on their Citizen’s. China being one of them. In fact for Apple to sell the iPhone in China they got to sit is a room with Apple and check out the source Code to make sure there was no such back door in iOS.
Putting a backdoor into something means at some point someone will hack it. In the end the only people it hurts is Most of the Population of normal, everyday users, just trying to mind their own business. The Criminals with install any number of 3rd party Encryption software created outside of the U.S. and there’s not a single thing the U.S. Government could ever do to stop it.
We are a Global Economy. These Governments trying to get their ways to spy on people and using the same weak excuse of Terrorists or Child Molesters. If that works for you, you might as well throw whatever rights you have left right out the window. It’s such a TINY part of the General population and yet screws over the 99.9% of everyone else.
Re: Re: Re: I'd be curious...
Those countries who have signed trade treaties with ISDS clause included.
Slight Mistake Here
I need to lead by saying I am not fan of these collection programs and I believe strongly they should be ended and the data destroyed.
That out of the way, there is a slight mistake in this rebuttal to Mr Brennan’s comments. Mr Brennan is not arguing these foreign and open source products are not out there. He is arguing that even though all these other products exist, it’s the US products like gmail and hotmail, US equipment like Cisco, and US software like MS Windows, Apple iOS, or Google Android, that everyone actually uses. These platforms “dominate the international market”. Requiring these services to backdoor their encryption WOULD open up a lot of people to government and other searches. Pointing out all those other services is just knocking over your own straw man.
A much stronger argument that we should not do this comes in two parts:
1) That undermining encryption from these services may push users away from American business to foreign and open source options, ultimately hurting the American economy and driving users to even less-accessible options.
2) For the most part, terrorists can already use the foreign and more-strongly-encrypted services. Pushing mainstream users into those services increases the noise side of the signal/noise problem, making it harder to identify actionable intelligence when it’s there.
Re: Slight Mistake Here
Both of your points are made regularly here.
Re: Re: Slight Mistake Here
I actually read him as saying something different even from that.
When he says that
I read him as saying not that the programs, etc., which people use for encrypted communication, are made in the US, but that the “encryption technologies” which underlie those programs are made in and/or come out of the US.
And to the extent that worldwide encryption technologies are based on accepted standards, which were standardized in the US (and, in at least some prominent cases, which were developed into standards in cooperation with and/or with input from the NSA), he may even be right.
Re: Re: Re: If that's what he's saying it doesn't support his argument.
Maybe, but the argument he’s making is that we can just change those standards like poof.
Suppose for a second you are a Brazilian developer working with some Italians on a Russian app that allows the user to encrypt his phone data.
Do you use the AES version 2009 which is pretty much unbreakable with current technologies?
Or do you use the AES version 2017 which the US government has backdoored?
Both are available to you. The 2009 version is free and open source.
Re: Re: Re:2 If that's what he's saying it doesn't support his argument.
Unless the 2009 version is already backdoored, just not publicly so… which may seem unlikely at the moment (for multiple reasons), but which we can’t entirely rule out.
Mind, I’m not saying that this is the case, just looking for ways to parse what he said such that it could make sense and be accurate (even if misleadingly so)…
Re: Re: Re: Slight Mistake Here
Most of of crypto technologies in use today were either developed entirely or partially outside the US.
As to accepted standards, I’m not sure of the point. There is no need for people to adhere to the accepted standards unless they want other existing software to be able to decrypt it.
If those standards are backdoored (as some are found to be from time to time), what happens is that everyone stops using them, standard or not. Even if, for some reason, that didn’t happen, that’s still only a minor irritation. Everyone can still use nonstandardized crypto for their own needs — they’d just have to supply the decryption code to anyone else who they want to be able to decrypt it.
If they don’t want anyone else to be able to decrypt it, then there’s not even that minor problem.
I’d try to post a funny response, but Director Brennan has already moved beyond farce.
hey, can brennan help it if the cia definition for theoretical is slightly different from that of the rest of the known universe and all recorded history?
slightly might not mean what you think it does either.
It might be good for society
When the boss of the CIA wants to move encryption out of his sphere of influence, civilians will end up more secure.
Scientific theory?
Maybe by theoretical ability Brennan was suggesting that it was scientifically proven. Otherwise he would have suggested a hypothetical ability
Regardless, it doesn’t matter even if the US had a total monopoly on world encryption, backdooring it would still open communications up to hackers (among uncountable other unintended consequences).
Re: Scientific theory?
It’s an amusing thought, but I wouldn’t at all be surprised if he wasn’t aware of the difference between a theory and a hypothesis. Because of the (radically wrong) slang use of the term “theory”, shockingly few people are.
Re: Re: Scientific theory?
These days even Creationist apologists know what a scientific theory is, and are advised that using the only a theory argument only makes one look super-ignorant.
I’d have hoped that would have bled out to the rest of the public. Guess not.
Re: Re: Re: Scientific theory?
Have you heard of the flat earth society?
Re: Re: Re:2 flat earth society
Yes, but there are also support groups for alien abductees. I don’t expect that members of any of these groups would get into office.
Re: Re: Re:3 flat earth society
They have a better chance than anyone who would represent their electorate, as the ability to ignore actual evidence, and what most people are saying, seems to be a prime requirement for being a politician.
I think everybody is taking this too seriously.
I mean why actually go to any of your I.T. guys and actually ask them how this shit works, when you can invite your pals at the ministry of bullshit over so you can both get free booze and B.J.’s from the lobbyists in the hall?
I read the ‘theoretical’ comment as a tacit admission that the non-US products were already under attack or had been attacked by US agencies in order to undermine them, whether the people running those products are aware of it or not.
Two possible definitions:
“Theoretical” means that other companies are LA LA LA NOT LISTENING!
Or: Americans use encryption, non-Americans use… something else. We don’t know what it is, but it’s bad and we should probably ban it.
This guy is an amateur
To quote Donald Rumsfeld
“Reports that say that something hasn’t happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know. And if one looks throughout the history of our country and other free countries, it is the latter category that tend to be the difficult ones”
And the best Brennan could come up with is to label something “theoretical”. Lazy FUD is lazy.
Bennan just did you all over.
Your all arguing about whether he is right or not. It simply doesnt matter.
He doesnt care about external surveillance. He wants backdoors for internal purposes.
“Look over here, the US dominates worldwide encryption”. And everyone scrambles to prove him wrong. Then what? How is proving that going to stop Congress from mandating domestic backdoors?
Re: Re:
Your all arguing about whether he is right or not. It simply doesnt matter.
You may be correct that it doesn’t matter, though that’s a symptom of a much larger systematic failure… but who is arguing about Brennan being right?
As for “everyone scrambl[ing] to prove him wrong”, that’s not happening. Everyone is merely pointing out that Brennan has ALREADY been proven wrong. The work was done months ago, because everyone knew that this kind of lie was inevitable and wanted to have the data ready to prove it.
Do you have any suggestions for how better to fight against Congress pushing bad mandates other than pushing back on invalid assertions?
Re: Re:
I’m not sure how what you’re saying means that he “did us all over”. It’s not like this has distracted us from the many other aspects of this — especially the one you point out. Can you explain?
CIA John Brennan
Close your eyes, and take a deep breath, What you can not see do not exist. No invention or technologies outside US, dose not exist. If you are in any doubt, take your dark company glasses on, and every thing disappear. CIA never lies, we just can not see it. Opps Or OPS Europe suddenly disappeared. If every one take on the glasses ISIS will disappear too, come on every one, Close your eyes, and take a deep breath. The world do not exist.
As Hector Martin said: “Non US encryption is theoretical.” Meanwhile, AES and SHA-3 were designed by Belgians. CIA: pants on fire.
He just thinks that because the firewall at CIA headquarters blocks the app store. Shh no one tell him about apps.
Of oourse he’s going to gloss over alternative encryption methods when duping Congress. To the extent Congress appreciates the reality of it all, they have less incentive to pass legislation preventing people from using encryption and allowing intel agencies to insert backdoors.