Deputy AG Claims There's No Market For Better Security While Complaining About Encryption At A Cybercrime Conference

from the an-actual-thing-that-happened dept

The FBI still hasn't updated its bogus "uncrackable phones" total yet, but that isn't stopping the DOJ from continuing its push for holes in encryption. Deputy AG Rod Rosenstein visited Georgetown University to give a keynote speech at its Cybercrime 2020 Conference. In it, Rosenstein again expressed his belief that tech companies are to blame for the exaggerated woes of law enforcement.

> Pedophiles teach each other how to evade detection on darknet message boards. Gangs plan murders using social media apps. And extortionists deliver their demands via email. So, it is important for those of us in law enforcement to raise the alarm and put the public on notice about technological barriers to obtaining electronic evidence.
>
> One example of such a barrier is “warrant-proof” encryption, where tech companies design their products or services in such a way that they claim it is impossible for them to assist in the execution of a court-authorized warrant. These barriers are having a dramatic impact on our cases, to the significant detriment of public safety. Technology makers share a duty to comply with the law and to support public safety, not just user privacy.

Rosenstein says this has resulted in a "significant detriment [to] public safety," but can't point to any data or evidence to back that claim up. The FBI's count of devices it can't access is off by at least a few thousand devices, by most people's estimates. In terms of this number alone, the "public safety" problem is, at best, only half as bad as the DOJ has led us to believe.

Going beyond that, crime rates remain at historic lows in most places in the country, strongly suggesting no crime wave has been touched off by the advent of default encryption. Law enforcement agencies aren't complaining about cases they haven't cleared -- if you exclude encryption alarmist/Manhattan DA Cyrus Vance. (Anyone hoping to have an honest conversation about encryption certainly should.)

Somehow, Rosenstein believes the public would experience a net safety gain by making their devices and personal info more easily accessed by criminals. Holes in encryption can be marked "law enforcement only," much like private property owners can hang "no trespassing" signs. But neither is actually a deterrent to determined criminals.

Rosenstein goes on to tout "responsible encryption" -- a fairy tale he created that revolves around the premise that tech companies can break/unbreak encryption at the drop of a warrant. But broken encryption can't be unbroken, not even with some form of key escrow. The attack vector may change, but it still exists.

That Rosenstein is advocating inferior encryption during a cybercrime conference speaks volumes about what the DOJ actually considers to be worth protecting. It's not businesses and their customers. It's law enforcement's access. He spends half the run time talking about security breaches involving tech companies and follows it up by suggesting they take less care securing all this info they collect.

He even goes so far as to claim better security is something customers don't want and is bad for tech companies' bottom lines.

> Building secure devices requires additional testing and validation—which slows production times — and costs more money. Moreover, enhanced security can sometimes result in less user-friendly products. It is inconvenient to type your zip code when you use a credit card at the gas station, or type a password into your smartphone.
>
> Creating more secure devices risks building a product that will be later to market, costlier, and harder to use. That is a fundamental misalignment of economic incentives and security.

The implicit statement Rosenstein's making is that ramped-up security -- including default encryption -- is nothing more than companies screwing shareholders just so they can stick it to The Man. To follow this bizarre line of thought is to buy into Rosenstein's conspiracy theory: one that views tech companies as a powerful cabal capable of rendering US law enforcement impotent.

And as much as Rosenstein hammers tech companies for security breaches that have exposed the wealth of personal data they collect, he ignores the question his encryption backdoor/side door advocacy raises. This question was posed in an excellent post by Cathy Gellis at the beginning of this year:

"What is a company to do if it suffers a data breach and the only thing compromised is the encryption key it was holding onto?"

We're headed into 2019 and no one in the DOJ or FBI is willing to honestly discuss the side effects of their proposals. Rosenstein clings to his "responsible encryption" myth and the director of the FBI wants to do nothing more than make it the problem of "smart people" at tech companies he's seeking to bend to his will. No one in the government wants to take responsibility for the adverse outcomes of weakened encryption, but they're more than willing to blame everyone else any time their access to evidence seems threatened.

Rosenstein's unwavering stance on the issue makes this statement, made at the closing of his remarks, ring super-hollow.

> We should not let ideology or dogma stand in the way of constructive academic engagement.

Fair enough, Rod. You go first.


Reader Comments

  • Christenson, 30 Nov 2018 @ 9:44am

    But (white-collar and cyber-) crime is at historic highs

    At least, I have that impression...from the appointment of Mr Whitaker as acting AG, from the rapid approach of Mr Mueller to "Person 1".

    Too bad I have no numbers, except that IRS enforcement funding is at historic lows.

    And I am a data-driven arguments guy! lol

  • Anonymous Coward, 30 Nov 2018 @ 9:54am

    If the FBI get the capability of breaking encryption, so do the TSA, and they can stop people flying after they arrive at the airport if they do not like the reason they are flying according to their phone.

    • Anonymous Coward, 30 Nov 2018 @ 10:34am

      Re:

      Wikileaks' Vault 7 document dump showed that the CIA had a stockpile of 'zero-day' exploits that could compromise just about any computer or internet device out there, but it's not known if any of these hacking tools were ever shared with any other federal agency such as the FBI.

      • Anonymous Coward, 3 Dec 2018 @ 6:17am

        for your eyes only

        NSA develops/finds them and gives (some of) them to the CIA, who gives them to nobody.

        Especially not the FBI who the CIA think are incompetent reproductive organs.

  • stderric, 30 Nov 2018 @ 10:02am

    I was wondering how anyone could get away with spewing such nonsense during his keynote address without the crowd driving him away from the podium with deafening, riotous laughter and a barrage of random objects, but then I noticed that the conference was co-sponsored by the DoJ.

    • That One Guy, 30 Nov 2018 @ 11:13am

      Re:

      'Nice conference you got there, sure would be a shame if any inappropriate laughter were to occur when one of our guys were speaking. Why, that sort of thing might lead us to reevaluate whether or not we want to sponsor such events in the future...'

  • Gary, 30 Nov 2018 @ 10:08am

    Secure

    > Building secure devices requires additional testing and validation—which slows production times — and costs more money. Moreover, enhanced security can sometimes result in less user-friendly products. It is inconvenient to type your zip code when you use a credit card at the gas station, or type a password into your smartphone.

    So he is also against minor security precautions to keep our credit cards safer? I bet he cheered the security gaffe of not requiring "Chip and PIN" on the new systems.

  • Agammamon, 30 Nov 2018 @ 10:30am

    There are three different types of 'unbreakable phones' that make up the FBI's stat.

    1. Phones that the FBI thinks may (though they may not) have evidence on. But they just want to take a peek to make sure.

    2. Phones that have evidence that may be *useful* to prosecutors but not necessary.

    3. Phones that have evidence that is absolutely key to the prosecution's case.

    If the FBI has gotten to the point of arresting a suspect and seizing their phone, frankly, you'd think they'd have a sufficiently good case that it wouldn't hinge on evidence that is solely contained on it.

    • Anonymous Coward, 30 Nov 2018 @ 10:35am

      Re:

      > If the FBI has gotten to the point of arresting a suspect and seizing their phone, frankly, you'd think they'd have a sufficiently good case that it wouldn't hinge on evidence that is solely contained on it.

      However getting into the phone will likely show things they did not know about but which make railroading the suspect into a plea bargain much easier.

  • ECA, 30 Nov 2018 @ 10:50am

    Secrets..

    "Pedophiles teach each other how to evade detection on darknet message boards."

    Umm, no..
    The old ways work and are the best..No matter what they say, the only privacy to be had, is when 2 persons travel together..A car going down the road isn't easy to monitor.

    For some reason.. this sounds like A LOT of other persons bitching about Tech/internet/advances..
    People Who don't know it, never learned it, Don't want to learn it...
    And only know a few subjects..
    And want the EASY way out..
    And knowing our CORP/Capitalist system..IF you pay enough, someone will make you a tool..
    But, because of how cellphones are, and WHO OWNS them..The person who makes the tool, Will probably be SHOT..Every copyright he bypasses will be at his door.

    OR:
    they already have a way to do it, and this is grandstanding.. Making everyone think they are SAFE, and AREN'T..

    Also,
    To be a Pedophile of note...
    you REALLY need money.
    Even to kidnap a person takes money/security/safety..
    and unless you Murder every one of them, Which goes beyond Pedo, you will repeat this over and over, and that is a pattern that wont be missed easily..
    Or are our Police agencies MORE stupid than we think??

  • That One Guy, 30 Nov 2018 @ 11:29am

    '... and don't even get me started on door locks!'

    > Building secure devices requires additional testing and validation—which slows production times — and costs more money. Moreover, enhanced security can sometimes result in less user-friendly products. It is inconvenient to type your zip code when you use a credit card at the gas station, or type a password into your smartphone.
    >
    > Creating more secure devices risks building a product that will be later to market, costlier, and harder to use. That is a fundamental misalignment of economic incentives and security.

    I think it's safe to assume that if he's speaking at a security conference he's knowledgeable enough on the subject to know that as arguments go this one is not just wrong it's monumentally stupid, to the point that the organizers of the event should have made it crystal clear that he is not welcome at any future conferences as he's demonstrated either gross ignorance of the field, or positively stunning levels of intellectual dishonesty.

    I mean really, saying that making sure that devices are secure such that mere possession of it is not enough to gain access adds just too much design work and creates unnecessary delays is so monumentally stupid it boggles the mind that he was able to say it with a straight face, and that the audience was able to refrain from busting out laughing.

    What next, is he going to whine about how making sure that the airbags and seatbelts in a new car design work properly is just unneeded busywork because it's a 'fundamental misalignment of economic incentives and security'?

    When the groups and individuals trying to undermine public safety and security are making arguments this boneheaded and dishonest, I'd say it's a pretty good indicator of how laughably weak their position really is.

    • Anonymous Coward, 30 Nov 2018 @ 1:49pm

      Re: '... and don't even get me started on door locks!'

      And window blinds! You know, those things that terrorists, pedophiles and other criminals like to hide behind.

  • Anonymous Coward, 30 Nov 2018 @ 12:25pm

    > Creating more secure devices risks building a product that will be later to market, costlier, and harder to use.

    The very fact that he is announcing this brilliant insight at a conference is sufficient evidence that it's a lie. If it was actually true he would have no time to speak at conferences, since he'd be out there becoming insanely rich and famous by starting dozens of technology companies which are "superior" to all the existing options.

  • Anonymous Coward, 30 Nov 2018 @ 1:28pm

    "Building secure devices ... costs more money."

    Rosenstein is a poster child apologist for the IOT security shit show. Thanks, Rod!

  • IsRosensteinABadPerson, 30 Nov 2018 @ 2:15pm

    Is Rosenstein a bad person?

    Yo! Rosenstein, how is it that you are so familiar with how pedophiles hide traffic, and gangs hide plans for violence? Are you somehow part of both sets of people?

    Sure seems like that could be the case, what with how familiar you seem to be about how they do all their planning and hiding and shit.

    I'm not pointing fingers here, but it sure seems kind of "suspicious" to me.

    And since we're supposed to "say something" when we "see something", I think we should all be "saying" something about the in-depth knowledge Rosenstein seems to have with all these "bad things" being done by "bad actors".

  • Anonymous Coward, 30 Nov 2018 @ 3:23pm

    > Somehow, Rosenstein believes the public would experience a net safety gain by making their devices and personal info more easily accessed by criminals. Holes in encryption can be marked "law enforcement only," much like private property owners can hang "no trespassing" signs. But neither is actually a deterrent to determined criminals.

    For years, fire departments had little boxes mounted on multi-tenant buildings; the fire department held the key to the box (the key to all the boxes in the city was the same) and inside was a master key to the building. The idea was that this way, the fire department could easily access all suites in case of an emergency.

    Unfortunately, some kid discovered that the bic pen trick used for unlocking the old-style U-bolt bike locks also worked on the fire department keyboxes. Meaning anyone with a bic pen could gain full access to any multi-tenant suite in any building in any city that used these boxes.

    In my city, around a decade ago, the fire department went around and removed the face plate off of all these boxes and returned the keys inside to the building managers.


    What these people in law enforcement are requesting is essentially a digital version of the FD key boxes. And like the key boxes, even if every person who has access to the master key is trustworthy, you're also trusting that nobody will ever be able to circumvent what is now essentially one lock to the city.

  • Coyne Tibbets, 1 Dec 2018 @ 3:14pm

    Deputy AG Claims There's No Market For Better Security While Complaining About Encryption At A Cybercrime Conference

    What he meant is "no legitimate market." Since, in his view, the only people interested in protecting their privacy through encryption are pedophiles, extortionists, drug dealers, terrorists, and other "detriments to public safety."

    Note that this implicitly pigeonholes anyone who desires privacy through encryption as a "detriment to public safety." Because, as has been so often stated, everyone not in that category has "nothing to hide."
