Former Homeland Security Advisor: Tech Companies Have The Burden Of Proving Harm Of Backdoored Encryption

from the FORTUNES-READ-AND-IGNORED---$5 dept

Last week's one-sided "hearing" on encryption -- hosted by an irritated John McCain, who kept interrupting things to complain that Apple hadn't shown up to field false accusations and his general disdain -- presented three sides of the same coin. Manhattan DA Cyrus Vance again argued that the only way through this supposed impasse was legislation forcing companies to decrypt communications for the government. The other two offering testimony were former Homeland Security Advisor Ken Wainstein and former NSA Deputy Director Chris Inglis.

Not much was said in defense of protections for cellphone users. Much was made of the supposed wrongness of law enforcement not being able to access content and communications presumed to be full of culpatory evidence.

But one of the more surprising assertions was delivered by a former government official. Wainstein's testimony [PDF] -- like Vance's -- suggested the government and phone makers start "working together." "Working together" is nothing more than a euphemism for "make heavy concessions to the government and prepare to deliver the impossible," as Patrick Tucker of Defense One points out. Wainstein says phone manufacturers must do more than theorize that weakened encryption would harm them or their companies. They must hand over "hard data" on things that haven't happened yet.

Kenneth L. Wainstein, a former assistant attorney general for national security at the Department of Justice, told lawmakers that the burden is on technology companies and privacy advocates to show how backdoors would harm user security, rather than on law enforcement to prove that altering the encryption scheme would be safe.

“For the tech industry and civil liberties groups, this means laying out technically specific support for the contention that a government accommodation would undermine the integrity of default encryption. They should provide hard data that demonstrates exactly how—and how much—each possible type of accommodation would impact their encryption systems. It is only when Congress receives that data that it can knowledgeably perform its deliberative function and balance the potential cybersecurity dangers posed by a government accommodation against the national security and law enforcement benefits of having such an accommodation in place,” he said.

The only thing harder than proving a negative is proving how badly things might go if backdoors are inserted or companies are required to retain encryption keys.

As usual, the "smart guys" are ahead of the curve on this bizarre demand. Last year, multiple encryption experts collaborated on a research paper [PDF] that laid out the problems that would result from government-mandated access.

In this report, a group of computer scientists and security experts, many of whom participated in a 1997 study of these same topics, has convened to explore the likely effects of imposing extraordinary access mandates. We have found that the damage that could be caused by law enforcement exceptional access requirements would be even greater today than it would have been 20 years ago. In the wake of the growing economic and social cost of the fundamental insecurity of today's Internet environment, any proposals that alter the security dynamics online should be approached with caution. Exceptional access would force Internet system developers to reverse forward secrecy design practices that seek to minimize the impact on user privacy when systems are breached. The complexity of today's Internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws.

So, if Wainstein is looking for answers, he already has them. So does James Comey. So does Cyrus Vance. (Although, to be fair, Vance hasn't really feigned much concern for tech companies or their customers.) They just don't like the answers they've received. This is why they continue to claim that a perfectly safe, government-mandated encryption backdoor is just a "smart guy" breakthrough away. Any day now, someone at Apple or Google will shout "Eureka" and hand over the unicorn Comey et al. insist must exist.

Filed Under: chris inglis, crypto wars, cy vance, encryption, homeland security, john mccain, ken wainstein


Reader Comments



  • Anonymous Coward, 22 Jul 2016 @ 12:03pm

    This is incredibly easy to prove.

    Give these people encrypted devices with backdoors, then give the backdoor key to China and tell them to have fun.

    • Anonymous Coward, 22 Jul 2016 @ 12:11pm

      Re:

      The government (and its employees) would be exempted, of course.

      So what you do is announce mandatory adoption of a proof-of-concept deployment for the immediate family members of government employees.

      No need to provide the backdoor key to China.

      Just make it publicly known that the backdoor exists in the proof-of-concept system.

      It'll be secure, after all, so having their family members on the new code wouldn't be an issue, right?

      • Anonymous Coward, 22 Jul 2016 @ 12:36pm

        Re: Re:

        You don't even have to go that far: the mandatory adoption would be for all PRIVATE accounts of government employees -- the cell phones, private email servers, etc. that aren't under government control. After all, the government has a responsibility to be able to see the communications NOT going through their servers, right?

      • madasahatter, 22 Jul 2016 @ 1:51pm

        Re: Re:

        Knowing a backdoor exists is painting a bullseye on the OS. Hackers will come-a-lookin' and who knows what else they will find.

    • Machin Shin, 22 Jul 2016 @ 1:31pm

      Re:

      Really sad part is you can actually show proof from the last time we had this debate. I can't remember all the details but there was a vulnerability in browsers that was found recently but was a holdover from last time we had this debate.

      The issue is that you can show these guys actual hard proof of the damage they are trying to cause and they will just wave it off. They are messing with systems they don't understand and they choose intentionally to not understand.

    • Anonymous Coward, 23 Jul 2016 @ 9:14am

      PROVE you don't have a unicorn!

      Go ahead.

  • lars626, 22 Jul 2016 @ 12:07pm

    Homeland insecurity

    Nobody ever seems to ask these bozos the obvious question.
    Why don't they get the NSA to design this magical system?
    It would have to be open source so that anyone can implement and rigorously test it but that is not hard.

    The NSA has a Lot of very smart people. Why can't they 'nerd harder'?

    Or maybe it's not really that easy.

    • Anonymous Coward, 22 Jul 2016 @ 12:13pm

      Re: Homeland insecurity

      Why don't they get the NSA to design this magical system?

      It's a bad assumption that the NSA _hasn't_ designed and implemented such a system.

      • Anonymous Coward, 22 Jul 2016 @ 12:50pm

        Re: Re: Homeland insecurity

        huh? you didn't grok anything.

        what is being proposed is impossible to accomplish.

        the NSA may have tried, but they would not have succeeded. They are asking for the impossible, using a well understood and known truth as a false and then asking for proof on something that has already been proven time and fucking again!

        They are deflecting, a classic government maneuver that works too fucking well and too fucking much!

        Politician A makes proposition.
        Politician B gives alter proposition.
        Politician A runs to media and said no one gave them any alternatives so we HAVE to go with A, when in reality A just did not like B's proposition.

        Therefore we ALL treat B like he never even happened. There is more than enough fucking proof on this subject and the Government is just sticking its fucking fingers in their ears and screaming la la la la la... and trying to say do it anyway.

      • SpaceLifeForm, 22 Jul 2016 @ 1:47pm

        Re: Re: Homeland insecurity

        It is called RSA. This is all about
        retro-cover for future lawsuits
        against the government. The pattern
        has been the same since y2k.

    • That One Guy, 22 Jul 2016 @ 12:20pm

      Re: Homeland insecurity

      Because if they did that, when the NSA failed to provide the impossible the tech companies could point to that and say 'Look, a government funded agency filled with smart people couldn't do it with a budget we could only dream about, what makes you think we could do it with less?'

      At this point they have no excuse not to have familiarized themselves with the facts of the matter, which means unless the one making the claim is so colossally incompetent that they aren't fit to run a gorram lemonade stand they know they are asking for the impossible, and they don't want to provide a clear example of their own 'smart people' failing to achieve the impossible that could then be used against their idiotic claims by the companies they're trying to pressure.

      • lars626, 22 Jul 2016 @ 1:17pm

        Re: Re: Homeland insecurity

        The possibility that they ARE 'colossally incompetent' should not be ruled out.

        • That One Guy, 22 Jul 2016 @ 1:29pm

          Re: Re: Re: Homeland insecurity

          Given we're talking about people who are theoretically employed to protect the public insisting on deliberately crippling security and making the public less safe, colossally incompetent in the general sense is pretty much a given, as they are showing that they seriously suck at their jobs.

          Rather the distinction I was trying to make was between 'Intentionally lacking in knowledge' and 'Knows better and lying'. Stupid or dishonest essentially, one or even both is possible, but at this point 'neither' isn't.

    • beltorak, 22 Jul 2016 @ 5:31pm

      Re: Homeland insecurity

      They already have tried. It was about to be foisted on us all. I think the only reason no one has bothered to fully break it was because nobody was insane enough to mandate its use. If it had been required on all telecommunications, you bet there would be cracks against the implementations (and possibly the algorithm itself) by now. Of course it's also quite likely that only criminals would know about it.

      • John Fenderson, 22 Jul 2016 @ 8:08pm

        Re: Re: Homeland insecurity

        One of the reasons that the Clipper chip (which used SkipJack) was abandoned was that someone had broken it pretty much immediately.

  • Anonymous Coward, 22 Jul 2016 @ 12:14pm

    Anyone with half a brain understands that compromised encryption is harmful to everyone that uses it. But no matter how much proof you give guys like Wainstein or Comey they will never believe it because it's never been about security to them, it's about them having easy access to all our info and communications.

    • Anonymous Coward, 22 Jul 2016 @ 12:19pm

      Re:

      As a general rule, the split seems (by my informal assessment) to come down along the lines of education.

      For the congress critters with a background in law, the "problem" is a lack of willingness on the part of the tech companies to comply.

      The congress critters with math/science/engineering backgrounds seem to come down on the "wtf, no, that's not how math works, this is a bad idea" side of the argument.

      • Anonymous Coward, 22 Jul 2016 @ 2:17pm

        Re: Re:

        As a general rule, the split seems (by my informal assessment) to come down along the lines of education.

        Not really! While true this does have "some" play, the logic involved in this problem requires no education to understand!

        The problem is nothing more than fundamental mental dissonance because someone needs an excuse to TAKE more power, nothing more. It is nothing ever more, in fact you should view about 100% of ALL government activity to work in this direction at all times and in all places. Even when they make it look like they are helping, it's only because they gained a power they can use to crush with it.

        And to never ever view the benevolence of one agent of the state as any benevolence of the state itself! The state has only 1 mode, malevolence and it must be rigorously controlled! This encryption debate is pure proof of that malevolence. The snarky comments about education, ignorance, stupidity, and other jokes on sanity are ill fitting of these times and do nothing to reveal the truth about government corruption.

  • Stosh, 22 Jul 2016 @ 12:15pm

    Are these the same people that were handling the security on Hillary's server?

  • orbitalinsertion, 22 Jul 2016 @ 12:30pm

    Ha. no, it's up to these dancing monkeys to prove they need any such thing in the first place. What it really boils down to is giving law enforcement another way to intimidate and harass people. You know that any decryption scheme is just going to end up as some sort of general use tool that every nut who likes to rifle through people's phones for no reason other than voyeurism will have. Because emergencies. Too complicated and time-critical to need to get a warrant or take it to some theoretically more tightly controlled decryption office.

  • That One Guy, 22 Jul 2016 @ 12:33pm

    Taking idiocy to its (il)logical heights

    Kenneth L. Wainstein, a former assistant attorney general for national security at the Department of Justice, told lawmakers that the burden is on technology companies and privacy advocates to show how backdoors would harm user security, rather than on law enforcement to prove that altering the encryption scheme would be safe.

    While he's at it he should demand that companies that create and sell locks provide hard evidence showing how easily picked or bypassed locks would be harmful to security, so he can ignore that too.

    I know by this point that the anti-encryption crowd doesn't actually have any good arguments to make but they could at least try to avoid the insanely stupid ones like 'Provide evidence about how crippling security would present a threat to security'.

    • Anonymous Coward, 22 Jul 2016 @ 12:56pm

      Re: Taking idiocy to its (il)logical heights

      Mechanical locks have ANSI grades that describe their physical characteristics.

      For example, ANSI 156.2, "Bored and Preassembled Locks and Latches", Establishes performance requirements for bored and preassembled locks and latches, and includes cycle tests, strength tests, operational tests, security tests, material evaluation tests, finish tests, and dimensional criteria.

      Similar criteria are available for safes, etc.

      If you know the specs the physical lock was made to withstand, you know what's required to break it.

      _This_ is probably what non-technical legislators are thinking of when they're saying "make crypto accessible"

      To be fair, crypto also has ratings that are somewhat analogous to physical locks - key sizes, ciphers, hashes, etc.

      Where locks and crypto differ, however, is in how they can be accessed. Assuming I live in the US, a hacker physically located in China is going to have an exceedingly difficult time using a crowbar to pry open my front door.

      The same cannot be said of internet-connected devices.

      • Ninja, 25 Jul 2016 @ 9:14am

        Re: Re: Taking idiocy to its (il)logical heights

        Now you've done it. You added "on the internet" to the crowbar and made it very, very lengthy. We'll have two problems now: politicians trying to legislate over "opening door with crowbar on the internet" and the courts swearing it's a duck. The chaos.

  • wshuff, 22 Jul 2016 @ 12:35pm

    This reminds me of the episode of The Big Bang Theory where Leonard's bully comes up with the idea for a device that makes every movie 3D or whatever, and then expects Leonard to figure out how to make it.

  • Anonymous Coward, 22 Jul 2016 @ 12:36pm

    Backdoors are safe I tell you!

    Backdoors are 100% safe. I've never seen a burglar use a backdoor, they always break a window to gain entry!

  • PlagueSD, 22 Jul 2016 @ 12:58pm

    Sure. Make encryption with a back-door and give the NSA the key. We all know how good they are about data security. If we did this I'd give them about 2-3 months before the encryption key is useless.

    Case in point. DRM (a form of anti-copy "encryption") Usually only takes a few days to circumvent.

  • mcinsand, 22 Jul 2016 @ 1:08pm

    weaknesses are a problem even when not added intentionally

    Vance might have a semitheoretical point if not for the hard fact that software has weaknesses even when those weaknesses are unintentional. This is merely a matter of entropy; as the software becomes more complex and more developed, security becomes more difficult. Determined people find software weaknesses every day that were not added intentionally. People that think an intentionally-added weakness would somehow escape notice really aren't qualified for this discussion.

    We need for Vance et al to be ready to put their money where their ignorance is; are they willing to take personal responsibility when a software weakness (backdoor) falls into the wrong hands and puts citizens at risk? They have received multiple warnings that undermining security puts citizens at risk and they have ignored those warnings. Do they have the backbone and sense of responsibility to allow themselves to be treated as accomplices when the exploit they want to introduce puts people in harm's way?

    • That One Guy, 22 Jul 2016 @ 1:23pm

      'Put your money where your mouth is' in a more literal sense

      At this point I'd love to see someone call their bluff by demanding that if they really don't think crippled encryption is that big of a deal they should match actions to words by having all of their personal data protected by deliberately crippled encryption. Medical, bank, personal email... all of it should be 'protected' by the very same level of security that they are insisting should be acceptable for anyone else.

      They'd hire someone, or someone would volunteer (and I imagine there would be many volunteers for something like this) to intentionally create crippled encryption with a unicorn door, with the key to be held in a 'secure' location that is as accessible as a major company could manage. Once that's done all their personal data would be 'protected' by the encryption, and the public would be informed that it exists, though given no other details beyond that.

      They'd never do it of course, because while they're incredibly dishonest I doubt any of them are that stupid, but it would be nice watching them squirm for a bit and try to explain how crippled encryption is plenty to protect the public, but not enough for public servants like themselves.

      • Anonymous Coward, 22 Jul 2016 @ 3:37pm

        Re: 'Put your money where your mouth is' in a more literal sense

        I'm sure you will still get a few politicians to do it.

        • That One Guy, 22 Jul 2016 @ 6:25pm

          Re: Re: 'Put your money where your mouth is' in a more literal sense

          I would be greatly surprised if any of them did, but schadenfreude alone would certainly be enough to make me want to be proven wrong in that case.

        • Lord Lidl of Cheem, 25 Jul 2016 @ 4:32am

          Re: Re: 'Put your money where your mouth is' in a more literal sense

          I think Hillary might have been put up to take part in the '#PeasantSecurityChallenge' - it didn't end well...

      • Norahc, 22 Jul 2016 @ 4:43pm

        Re: 'Put your money where your mouth is' in a more literal sense

        Even if they did do this, they'd just charge whoever hacked the data with violations of the anti-circumvent provisions of the Copyright Act, and throw in the CFAA charges along with a few others.

        That way nobody could prove how dangerous encryption backdoors are without getting arrested and charged.

  • Jim B., 22 Jul 2016 @ 1:16pm

    The burden is always on the government.

    As the title says.

  • Anonymous Coward, 22 Jul 2016 @ 1:25pm

    Sure

    The government can have this evidence as far as I'm concerned...right after they produce the evidence establishing with 100% verifiable proof that no hacker or government employee at the local, state, or federal level has EVER seen any information in the government's possession on a US citizen without following a publicly defined procedure establishing a clear business need.

    I'm waiting. Until that evidence is produced don't even think of messing with my encryption.

    In the interest of protecting taxpayers' money, I suggest that the government start gathering their evidence by googling "OPM hack"

  • Anonymous Coward, 22 Jul 2016 @ 1:57pm

    To play devil's advocate: Non-encryption-based security has been a cornerstone of societal security for centuries. If law enforcement and national security types have access to what encrypted info is protecting, they'll have a greater likelihood of tracking down and catching bad people.

    Problem is that they can't be everywhere at once. Tracking down bad people after-the-fact of a crime rings hollow if that crime could've been prevented with use of unbreakable encryption.

    This is a security (successfully responding to crime/espionage) vs. security (successfully preventing crime/espionage) issue. No amount of resources given to law enforcement and national security types could equal the security benefits to society that unbreakable encryption provides.

  • USA IS DEAD, 22 Jul 2016 @ 2:04pm

    EASY ....

    This is easy just hire me the hacker and I'll prove all the things I can steal from all the people that I'll find out about the back dooring and then how much of an economic and personal loss it will be .....

    FUCK YOU USA GOVT, you're full on retard now....
    second thought DON'T CALL ME FUCK HELPING STUPID

  • stupid govt, 22 Jul 2016 @ 2:07pm

    @ 22

    however i am ...i saw your inside pentagon for 7 years....a lot of us did....the ones that get caught are the ones that did not do it right....

  • Anonymous Coward, 22 Jul 2016 @ 2:08pm

    They just need to ask The Expert. He will know what to do.

    https://www.youtube.com/watch?v=BKorP55Aqvg

  • Tim R, 22 Jul 2016 @ 3:12pm

    Senate Hearing

    Senator McCain: Call to order. We finally have an expert witness from the tech field here with us, who's going to use his weak arguments and failed analysis to try and tell us why weakened security is a bad thing.

    Industry Nerd: Thank you senator for your time. I'll be brief, I only have one exhibit. This is what happens when security is weakened.

    (boots up a ten-year-old Windows computer with no updates)

    (picks up mic off stand, drops it on the floor, and walks out)

    • PlagueSD, 22 Jul 2016 @ 3:34pm

      Re: Senate Hearing

      Until you connect said windows computer to a network, it's still pretty secure (provided you can limit physical access to the machine.) Once you connect it to a network, all bets are off.

  • Personanongrata, 22 Jul 2016 @ 3:39pm

    Know Nothing Nincompoops and You

    Kenneth L. Wainstein, a former assistant attorney general for national security at the Department of Justice may have had a nice officious sounding title while suckling the public teat at DoJ (haha) he is still a know nothing nincompoop.

  • Anonymous Coward, 22 Jul 2016 @ 5:07pm

    Former Catholic priest: Scientists have the burden of proving that God exists.

  • J. R., 22 Jul 2016 @ 5:11pm

    As soon as they mandate backdoored encryption, I cancel my Amazon account, stop buying anything online, quit online banking, and stop paying bills on line. I've spent 1-2K$ online in the last 6 months, a fair amount today. But that will be over when the gov't takes over security. Lamers. Comey and McCain are retarded.

  • Anonymous Coward, 22 Jul 2016 @ 5:41pm

    Whoops, they just slipped my fingers, good thing I have another pair.

    Any key that can be lost, can be found by another.

  • Anonymous Coward, 22 Jul 2016 @ 7:53pm

    Record labels have burden proving harm of reduced copyright lengths.

  • Manok, 23 Jul 2016 @ 1:48am

    Since internet... mobile phones... are being used world wide, that means that ALL governments get access to these backdoors, right? And that NOT meaning, they can do a request to the U.S. to help them gain access, but they can access the backdoor themselves.

    Why would Europe, Russia, and China want to use such non-encryption? Spy-encryption? Why would non-U.S. companies want to implement such schemes, except if they really really want to get access to that market?

  • Anonymous Coward, 23 Jul 2016 @ 10:02am

    "Working together"

    History shows that this expression is a very thinly veiled threat that major sanctions will be levied against all who fail to bend the knee to the new demands.

  • Anonymous Coward, 23 Jul 2016 @ 11:42am

    The question that first comes to mind is:

    Where does this guy presume to derive the jurisdiction to compel so much as clenching an elevator fart?

    On further reflection I suspect his intention is to bait people in the tech sector into taking a position that is empirically correct but politically untenable. He wants to create a bullshit debate so he can go McCarthy on them and start locking the commies up for doing science, again.

    Crypto is classified as a munition. If consumers use it and no harm is intrinsic to its use, material possession of it is protected by the second amendment. The action of using it is protected by the 4th amendment. The institutional subversion of it, is a violation of the 3rd amendment.

    But before you even GET to any of those arguments, the institutional surveillance infrastructure that is currently in place is corrosive to the first amendment, and a violation of the third amendment WITHOUT encryption even being a factor.

    So if there is anyone that needs to be brought to heel in terms of proving their patriotism, it sure as fuck isn't anyone in the scientific community.

    It isn't just that these guys are wrong scientifically. They are wrong scientifically AND wrong legally. The burden of jurisdiction, precedes the burden of proof. In this case, once the former is served, the latter becomes irrelevant.

    If truth has already been conceded for political expediency, then the continuation of debate is futile. Which would likely be why Apple didn't show up in the first place.

    • Avior, 23 Jul 2016 @ 12:04pm

      Re: The question that first comes to mind is:

      Crypto is classified as a munition.

      Knowledge is a classified munition.

    • John Fenderson, 23 Jul 2016 @ 3:02pm

      Re: The question that first comes to mind is:

      "Crypto is classified as a munition."

      This is misleading. Crypto is not considered a munition by any US law.

      It is considered a munition by ITAR (International Traffic in Arms Regulations), but that only comes into play in imports and exports. It has nothing to do with what US citizens can possess and use.

      Also, the ITAR restrictions themselves were relaxed years ago, but certainly not eliminated. To the best of my knowledge, there has been only a single instance of someone being sanctioned under ITAR in over a decade: http://www.bis.doc.gov/index.php/about-bis/newsroom/press-releases/107-about-bis/newsroom/press-releases/press-release-2014/763-intel-subsidiary-agrees-to-750-000-penalty-for-unauthorized-encryption-exports

      • Anonymous Coward, 23 Jul 2016 @ 4:27pm

        Re: Re: The question that first comes to mind is:

        "This is misleading."

        If they've taken punitive action based on it, then it is recognized law. Absent more specific interpretations, stare decisis should apply, should it not?

        Which is my whole point. They have already decided WHAT cryptography is. What they are trying to do now is manufacture a basis of bullshit to deprive citizens of the benefits of it.

        This entire issue is a "separate but equal" law, where an aristocracy reaps the benefits of the labors produced by a technological labor class, while formally depriving that class of the product of its own labor.

        This isn't about national security, it never has been. It is about blackbirding the domestic technician population. The same motive has been behind the demonization of computer technicians across modern pop culture. It is about preserving power in a market that is consistently finding people "too sophisticated" to be bothered with computers, less valuable.

        They are unconcerned for the offense they give. Perhaps even unaware of it. So were the Romans to the Visigoths.

        • John Fenderson, 24 Jul 2016 @ 7:07am

          Re: Re: Re: The question that first comes to mind is:

          "If they've taken punitive action based on it, then it is recognized law."

          Fair enough. I was drawing a distinction between regulations and law that isn't really relevant in this situation.

          Nonetheless, it only applies to imports and exports, and has nothing to do with what citizens can possess and use.

          • Anonymous Coward, 24 Jul 2016 @ 11:46am

            Re: Re: Re: Re: The question that first comes to mind is:

            "Nonetheless, it only applies to imports and exports, and has nothing to do with what citizens can possess and use."

            Personally I think it would be hard to convince a jury not to extend second amendment protections to strong crypto. Once you explained to them that strong crypto is currently what protects their financial security, I doubt many would concede to allowing the fed to make crypto its own exclusive domain.

            I suspect this argument would have come up if Lavabit hadn't had its right to habeas corpus violated.

            So the fact that the fed is having this argument AT ALL is likely the result of Constitutional malpractice. They aren't on the slippery slope anymore. Now it is more like careening down the side of a mountain.

            • John Fenderson, 25 Jul 2016 @ 7:29am

              Re: Re: Re: Re: Re: The question that first comes to mind is:

              There is no Constitutional problem with ITAR that I can think of. What would be the Constitutional argument against it?

              (Just to be clear, I think the ITAR classification of crypto is a really bad thing, but that's different than whether or not there's a Constitutional problem.)

              • David, 25 Jul 2016 @ 4:10pm

                Re: Re: Re: Re: Re: Re: The question that first comes to mind is:

                The Constitution is a list of the limited number of things the Federal Government is allowed to do. So the question is what is the Constitutional argument FOR it.

                • John Fenderson, 25 Jul 2016 @ 9:21pm

                  Re: Re: Re: Re: Re: Re: Re: The question that first comes to mind is:

                  The Constitution does actually grant the government some powers (it's mostly the Bill of Rights that restricts it). One of those powers is the ability to regulate international trade.

                  ITAR is a set of regulations that falls squarely under that umbrella.

          • Anonymous Coward, 24 Jul 2016 @ 4:18pm

            Re: Re: Re: Re: The question that first comes to mind is:

            "Fair enough. I was drawing a distinction between regulations and law that isn't really relevant in this situation."

            Regulations backed by law are essentially law, imo.

            • John Fenderson, 25 Jul 2016 @ 7:30am

              Re: Re: Re: Re: Re: The question that first comes to mind is:

              Yes, regulations have the force of law and considering them to be identical is often a reasonable approximation. However, they are not really the same thing and often the differences can be important.

  • Anonymous Coward, 24 Jul 2016 @ 2:27am

    A false flag operation could make it happen.

  • my123, 24 Jul 2016 @ 7:41am

    This is proven

    Golden keys will ALWAYS leak, and they are leaking already :)
    Perfect handling of them is impossible.

  • Anonymous Coward, 24 Jul 2016 @ 10:52am

    Homeland security advisor: Citizens have the burden of proving harm at constitutional violations against them.

    oh wait....

  • Anonymous Coward, 25 Jul 2016 @ 2:59am

    A practical demonstration

    Put a well-guarded safe on display in Central Park.
    Put $100,000 in the safe.
    Anyone with a valid key is allowed to open the safe and take the money.
    Set the desktop background of every computer in the NYPD to a picture of the key and instruct the police to keep that picture secret and out of view at all times.

    See how well that works out.

  • David, 25 Jul 2016 @ 4:08pm

    What happens when Country #2 wants the key?

    So now the US and China (or Russia, et al.) have the key to decrypt all the US encryption?

    Then who would provide encryption technology to the US government?

  • Beetle Bailey, 26 Jul 2016 @ 9:55pm

    Tyranny and Dictatorship in the making

    This is just another example of how the government feels comfortable in furthering their espionage against its populace while downgrading the people's personal rights of privacy; advocating that we are all terrorists unless they have the means to prove otherwise.

    No entity is above the law; government or otherwise - unless tyranny and dictatorship follow. And the people are stripped of their legal right to live a free life without government interferences.
