Senate Given The Go-Ahead To Use Encrypted Messaging App Signal

from the feinstein,-burr-will-continue-to-use-AOL-chatrooms dept

Certain senators have repeatedly pushed for encryption bans or encryption backdoors, sacrificing personal security for national security in a move that will definitively result in less of both. Former FBI Director James Comey's incessant beating of his "Going Dark" drum didn't help. Several legislators always managed to get sucked in by his narrative of thousands of unsearched phones presumably being tied to thousands of unsolved crimes and free-roaming criminals.

It will be interesting to see whether the anti-encryption narratives advanced by Sens. Feinstein and Burr in particular (though other senators are equally sympathetic to them) continue now that senators can officially begin using an encrypted messaging system for their own communications.

Without any fanfare, the Senate Sergeant at Arms recently told Senate staffers that Signal, widely considered by security researchers and experts to be the most secure encrypted messaging app, has been approved for use.

The news was revealed in a letter Tuesday by Sen. Ron Wyden (D-OR), a staunch privacy and encryption advocate, who recognized the effort to allow the encrypted messaging app as one of many "important defensive cybersecurity" measures introduced in the chamber.

ZDNet has learned the policy change went into effect in March.

If this isn't the end of CryptoWar 2.0, then it's at least a significant ceasefire. Senators are going to find it very hard to argue against encrypted communications when they're allowed to use encrypted messaging apps. It's not that legislators are above hypocrisy. It's just that they usually allow a certain amount of time to pass before they commence openly-hypocritical activity.

This doesn't mean the rest of the government is allowed to use encrypted chat apps for official communications. Federal agencies fall under a different set of rules -- ones that require more comprehensive retention of communications (the Federal Records Act) and make those records subject to FOIA requests. Congressional communications, however, generally can't be FOIA'ed. It usually takes a FOIA request to a federal agency that corresponded with a congressional office to shake these loose. So, members of Congress using an encrypted chat app with self-destructing messages may seem like the perfect way to avoid transparency, but it's the law itself that provides most of the opacity.

If encryption's good for the Senate, it's good for the public. There's no other way to spin this. Even Trump's pro-law enforcement enthusiasm is unlikely to be enough to sell Congress on encryption backdoors. With this power in the palm of their hands, they're more apt to see the benefits of leaving encryption un-fucked with.

Filed Under: encryption, end to end encryption, messaging, senate, signal


Reader Comments

    The Wanderer (profile), 24 May 2017 @ 4:12am

    Re: Re: Re: Re: Re: Re: Re: Re: Why do people believe that AES is secure?

    My point was that "open source" encryption systems (especially widely used ones) can be broken once, and then there is an automated way to uncover the messages of everyone who uses them. Open Source AES, for example, one break, and everyone is compromised. Closed source encryption systems, especially UNIQUE closed source systems (closed to the attacker, not the user) do not suffer this vulnerability.

    Eh? That doesn't make sense.

    Whether the system is open or closed, once a way to break in through it has been found, anyone using the now-broken system is vulnerable.

    Assuming the fact of the vulnerability isn't disclosed somehow, the odds of its being found by the people who have ability and access to fix it would presumably correspond roughly to the number of such people who exist - which probably would mean that the edge would go to the open system.

    Once the vulnerability is known, the odds of a fix actually being created depend on how many people with the ability and access to fix it actually care to do so. There are different factors affecting that in open and closed contexts, so this one could be argued case-by-case, and may be a wash.

    But once a fix has been created, it has to be gotten out to the users.

    With open software, the users can (generally speaking) get the fix for free, the same way they (generally speaking) got the original software. That means there's little obstacle to their getting it.

    With closed software, the users may very well need to pay to get the fix - especially if "being paid" is one of the reasons the providers of the closed software bothered to create a fix in the first place. That means there is an obstacle in the way, which makes users less likely to actually get the fixed version.

    Even if the providers of the closed software make the fix available for free to anyone who already has the unfixed software (including people who pirated it?), there may still be other obstacles; consider the number of people who turn off Windows Update because they don't trust Microsoft not to break things they like, much less the number of organizations which turn it off because they know updating will break things. The same consideration does apply with open software to some extent, but IMO less so, since in the worst case the users can still avoid any undesired changes by forking.

    Imagine, for example, an automated encryption service that produces a private encryption system. Pay some small fee, and bango, you get a UNIQUE encryption JUST FOR YOU. This is not hard, and can easily be layered ON TOP OF (not INSTEAD OF) an existing system, like AES. So, you get all the benefits of the public review, but none of the weakness of a system used by ANYONE else.

    This does not necessarily hold. Although I do not fully understand the details or recall my source for this just offhand, I am given to understand that in some cases, adding additional mathematical manipulation to the math which constitutes a given form of encryption can actually make it easier to reverse the process and extract the original cleartext from the ciphertext.

    (Using the same data twice in the process is one thing which can have this result; for example, while using the cleartext itself as the seed for your RNG to produce an encryption key might seem like a good idea, it means that the number which the cleartext represents has been used twice in producing the ciphertext, and that in turn may make the net mathematical transformation less complex.)
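The parenthetical above (using the cleartext to seed the key derivation) can be made concrete. The following is an added example, not code from the commenter or from Techdirt. It assumes a toy stream cipher built from HMAC-SHA256 in counter mode as a stand-in for AES, so that it runs with only the Python standard library; the message candidates are constructed for the demonstration. The point it shows is that once the key is a function of the message, the ciphertext becomes a deterministic function of the message alone, so anyone who can guess the message can confirm the guess without ever learning a key, and identical messages always produce identical ciphertexts.

```python
"""Why deriving the encryption key from the plaintext weakens the scheme.

HMAC-SHA256 in counter mode stands in for AES here (assumption made so the
script needs only the standard library). The attack does not depend on the
keystream generator: it works against any cipher whose key is derived from
the message being encrypted.
"""
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call decrypts."""
    return bytes(p ^ k for p, k in zip(data, keystream(key, len(data))))


def key_from_plaintext(plaintext: bytes) -> bytes:
    """The scheme the comment warns about: the message seeds its own key."""
    return hashlib.sha256(plaintext).digest()


def encrypt_plaintext_keyed(plaintext: bytes) -> bytes:
    """Ciphertext is now a pure function of the plaintext: no secret input at all."""
    return encrypt(key_from_plaintext(plaintext), plaintext)


def encrypt_random_keyed(plaintext: bytes) -> Tuple[bytes, bytes]:
    """The sound alternative: a fresh random key independent of the message."""
    key = os.urandom(32)
    return key, encrypt(key, plaintext)


def recover_by_guessing(ciphertext: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Attacker with only the ciphertext and a list of plausible messages.

    Against the plaintext-keyed scheme, re-running the public transformation on
    each guess and comparing to the ciphertext confirms the right one. Against a
    random key the comparison never matches (except with negligible probability).
    """
    for guess in candidates:
        if encrypt_plaintext_keyed(guess) == ciphertext:
            return guess
    return None


# Constructed guess list: the kind of short, predictable message a dictionary
# attack is built for.
CANDIDATES = [b"vote yes", b"vote no", b"abstain"]


def demo() -> Tuple[Optional[bytes], Optional[bytes], bool]:
    """Returns (recovered from bad scheme, recovered from good scheme,
    whether the bad scheme repeats ciphertexts for repeated messages)."""
    secret = b"vote no"
    ct_bad = encrypt_plaintext_keyed(secret)
    _key, ct_good = encrypt_random_keyed(secret)
    return (
        recover_by_guessing(ct_bad, CANDIDATES),
        recover_by_guessing(ct_good, CANDIDATES),
        encrypt_plaintext_keyed(secret) == ct_bad,
    )


if __name__ == "__main__":
    bad, good, repeats = demo()
    print("plaintext-keyed scheme, recovered by guessing:", bad)
    print("random-keyed scheme, recovered by guessing:   ", good)
    print("plaintext-keyed scheme repeats ciphertexts:   ", repeats)
```

Note that nothing about the "unique" or secret nature of the outer layer helps here: the attacker in `recover_by_guessing` never needs to invert anything, only to re-run the same public computation the sender ran. Feeding the message in twice collapsed the scheme to a keyless hash of the message, which is the "less complex net transformation" the comment describes.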

