Senate Given The Go-Ahead To Use Encrypted Messaging App Signal

from the feinstein,-burr-will-continue-to-use-AOL-chatrooms dept

Certain senators have repeatedly pushed for encryption bans or encryption backdoors, sacrificing personal security for national security in a move that will definitively result in less of both. Former FBI Director James Comey's incessant beating of his "Going Dark" drum didn't help. Several legislators always managed to get sucked in by his narrative of thousands of unsearched phones presumably being tied to thousands of unsolved crimes and free-roaming criminals.

It will be interesting to see if the anti-encryption narratives advanced by Sens. Feinstein and Burr (in particular -- although others are equally sympathetic) continue now that senators can officially begin using an encrypted messaging system for their own communications.

Without any fanfare, the Senate Sergeant at Arms recently told Senate staffers that Signal, widely considered by security researchers and experts to be the most secure encrypted messaging app, has been approved for use.

The news was revealed in a letter Tuesday by Sen. Ron Wyden (D-OR), a staunch privacy and encryption advocate, who recognized the effort to allow the encrypted messaging app as one of many "important defensive cybersecurity" measures introduced in the chamber.

ZDNet has learned the policy change went into effect in March.

If this isn't the end of CryptoWar 2.0, then it's at least a significant ceasefire. Senators are going to find it very hard to argue against encrypted communications when they're allowed to use encrypted messaging apps. It's not that legislators are above hypocrisy. It's just that they usually allow a certain amount of time to pass before they commence openly-hypocritical activity.

This doesn't mean the rest of the government is allowed to use encrypted chat apps for official communications. Federal agencies fall under a different set of rules -- ones that provide for more comprehensive retention of communications under FOIA law. Congressional communications, however, generally can't be FOIA'ed. It usually takes a backdoor search at federal agencies to cut these loose. So, members of Congress using an encrypted chat app with self-destructing messages may seem like the perfect way to avoid transparency, but it's the law itself that provides most of the opacity.

If encryption's good for the Senate, it's good for the public. There's no other way to spin this. Even Trump's pro-law enforcement enthusiasm is unlikely to be enough to sell Congress on encryption backdoors. With this power in the palm of their hands, they're more apt to see the benefits of leaving encryption un-fucked with.

Filed Under: encryption, end to end encryption, messaging, senate, signal

Reader Comments

  1.
    The Wanderer (profile), 25 May 2017 @ 4:21am

    Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Why do people believe that AES is secure?

    "Security by obscurity is not very good security at all, it might stop pimple faced kids in mommies basement but it will not stop knowledgeable and motivated personnel." (from another post in this article)

    Obscurity being "a thing that is unclear or difficult to understand".

    No - in this context, "obscurity" means "being little-known". I.e., if your security relies on not many people knowing about you, you're not really very secure.

    It's the difference between "everyone knows there's a combination lock here, but not many people know the combination, and it's hard to figure out" and "the combination to this lock is easy to figure out, but not very many people know that this combination lock exists in the first place". The latter is "security by obscurity"; the former is not.

    In simple analogy, an encryption algorithm is like a lock, and an encryption key is like the combination to that lock. Keeping the combination secret is not security by obscurity; keeping the algorithm secret is.

    Both can increase security, technically (just as having a hidden combination lock with a hard-to-figure-out combination is technically more secure than a non-hidden lock with the same combination) - but keeping the algorithm secret is short-term security at best (just as the hidden combination lock will eventually be discovered), and because of all the ways a privately-devised encryption algorithm could have unknown weaknesses, is more likely to reduce net security (vs. using a known and well-studied one) than increase it.

    You can think of every component of your encryption machine being an attack surface. The more you expose, the more opportunity you give the attacker.

    That depends on what you mean by "expose".

    If you mean "put in a place which is accessible to be attacked", then sure; that's true of any software. However, if there's a hole somewhere else in the software, you may unexpectedly find that an interface which you thought was internal-only may suddenly be reachable by an external attacker - and is therefore exposed, for this purpose.

    If you mean "make known to the attacker", then no - because you cannot guarantee that the attacker will never know a given detail; even in the absolute best-case scenario, much less a real-world plausible scenario, binary disassembly and decompilation are things which exist.
