Encryption Working Group Releases Paper To 'Move The Conversation Forward'

from the what-conversation? dept

One of the frustrating aspects of the "debate" (if you can call it that) over encryption and whether or not law enforcement should be able to have any kind of "access" is that it's been no debate at all. You have people who understand encryption who keep pointing out that what is being asked of them is impossible to do without jeopardizing some fairly fundamental security principles, and then a bunch of folks who respond with "well, just nerd harder." There have been a few people who have suggested, at the very least, that "a conversation" was necessary between the different viewpoints, but mostly when that's brought up it has meant non-technical law enforcement folks lecturing tech folks on why "lawful access" to encryption is necessary.

However, it appears that the folks at the Carnegie Endowment put together an actual working group of experts with very varying viewpoints to see if there was any sort of consensus or any way to move an actual conversation forward. I know or have met nearly everyone on the working group, and it's an impressive group of very smart, and thoughtful people -- even those I frequently disagree with. It's a really good group and the paper they've now come out with is well worth reading. I don't know that it actually moves the conversation "forward" because, again, I'm not sure there is any conversation to move forward. But I do appreciate that it got past the usual talking points. The paper kicks off by saying that it's going to "reject two straw men," which are basically the two positions frequently stated regarding law enforcement access to encrypted communication:

First of all, we reject two straw men—absolutist positions not actually held by serious participants, but sometimes used as caricatures of opponents—(1) that we should stop seeking approaches to enable access to encrypted information; or (2) that law enforcement will be unable to protect the public unless it can obtain access to all encrypted data through lawful process. We believe it is time to abandon these and other such straw men.

And... that's fine, in that the first of those statements is not actually the position those who support strong encryption actually hold. I mean, there have been multiple reports detailing how we're actually in the "golden age of surveillance", and that law enforcement has so much greater access to basically every bit of communications possible, and that there are plenty of tools and ways to get information that is otherwise encrypted. Yes, it's true that some information might remain encrypted, but no one has said that law enforcement shouldn't do their basic detective work in trying to access information. The argument is just that they shouldn't undermine the basic encryption that protects us all to do so.

Where the paper gets perhaps more interesting is that it suggests that any debate about access to encrypted data should focus on "data at rest" (i.e., data that is encrypted on a device) rather than "data in motion" which is the data that is being transferred across a network or between devices in some form. The paper does not say that we should poke holes in encryption that protects data at rest, and says, explicitly:

We have not concluded that any existing proposal in this area is viable, that any future such proposals will ultimately prove viable, or that policy changes are advisable at this time

However, it does note that if there is a fruitful conversation on this topic, it's likely to be around data at rest, rather than elsewhere. And, from there it notes that any discussion of proposals for accessing such data at rest must take into account both the costs and the benefits of such access to determine if it is viable. While some of us strongly believe that there is unlikely to ever be a proposal where the costs don't massively outweigh the benefits, this is the correct framework for analyzing theses things. And it should be noted that, too often, these debates involve one group only talking about the benefits and another only talking about the costs. Having a fruitful discussion requires being willing to measure both.

From there, the group sets up a framework for how to weigh those costs and benefits -- including setting up a bunch of use cases against which any proposal should be tested. Again, this seems like the right approach to systematically exploring and stress testing any idea brought forth that claims it will "solve" the "problem" that some in law enforcement insist encryption has created for them. I am extremely skeptical that any such proposal can pass such a stress test in a manner that suggests that the benefits outweigh the costs -- but if those pushing to undermine encryption require a "conversation" and want people to explore the few proposals that have been brought up, this is the proper, and rigorous, way to do so.

The question, though, remains as to whether or not this will actually "move the conversation forward." I have my doubts on that, in part because those who keep pressing for undermining encryption have never appeared to have much interest in actually having this type of conversation. They have mostly only seemed interested in the "nerd harder, nerds" approach to this, that assumes smart techies will give them their magic key without undermining everything else that keeps us secure. I fully expect that it won't be long before a Willam Barr or Chris Wray or a Richard Burr or a Cy Vance starts talking nonsense again about "going dark" or "responsible encryption" and ignores the framework set out by this working group.

That's not so say this wasn't a useful exercise. It likely was, if only to be able to point to it the next time one of the folks listed above spout off again as if there are no tradeoffs and as if it's somehow easy to solve the "encryption problem" as they see it.

Filed Under: data at rest, encryption, going dark, law enforcement, nerd harder, responsible encryption


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Anonymous Coward, 12 Sep 2019 @ 3:54pm

    We need to get https://carnegieendowment.org/2019/09/10/moving-encryption-policy-conversation-forward-pub-79573 SEO'd into the results common to LEOs and policy makers searching for solutions. IMO, this really is the missing piece, as nobody is going to shift their position on the "make this work / that's impossible" "debate" but this at least gives people the tools to understand WHY the floated proposals aren't tenable.

    reply to this | link to this | view in thread ]

  2. icon
    Stephen T. Stone (profile), 12 Sep 2019 @ 4:25pm

    Yes, we should find a way to bump https://carnegieendowment.org/2019/09/10/moving-encryption-policy-conversation-forward-pub-79573 up in the Google search rankings.

    reply to this | link to this | view in thread ]

  3. identicon
    Anonymous Coward, 12 Sep 2019 @ 5:00pm

    It’s like the good ol’ days

    Remember when the police would get a copy of everyones keys?

    reply to this | link to this | view in thread ]

  4. icon
    James Burkhardt (profile), 12 Sep 2019 @ 5:19pm

    Re:

    I agree. What should we do to bump https://carnegieendowment.org/2019/09/10/moving-encryption-policy-conversation-forward-pub-79573 up in the Google search rankings?

    reply to this | link to this | view in thread ]

  5. icon
    Anonymous Anonymous Coward (profile), 12 Sep 2019 @ 5:51pm

    Re: Re:

    You guys wouldn't be suggesting that repeated listings of this https://carnegieendowment.org/2019/09/10/moving-encryption-policy-conversation-forward-pub-79573 URL would actually do something in Googles rankings, would you?

    reply to this | link to this | view in thread ]

  6. identicon
    Anonymous Coward, 12 Sep 2019 @ 6:34pm

    Re: It’s like the good ol’ days

    Remember when the police would get a copy of everyones keys?

    In the old days, people used poor-quality locks or no locks on their doors. Nowadays, police have so much military gear they can get in just as easily. So, let's rephrase for the real difference:

    Remember when police could get a listing of everywhere you went over the past years, everyone you talked to, what you said, what you read, your likes and dislikes, your sexual preferences, your political affiliations?

    (No, because that used to require months of covert and intensive police work: stakeouts, informants, etc.)

    reply to this | link to this | view in thread ]

  7. identicon
    Anonymous Coward, 12 Sep 2019 @ 8:45pm

    Re: moving-encryption-policy-conversation-forward-pub-79573

    So if we really, really nerd HARDER, we can not only make pi exactly equal to 3, but we might raise the search rankings of https://carnegieendowment.org/2019/09/10/moving-encryption-policy-conversation-forward-pub-79573

    Nex t up, NP-hard in 2 lines of code.

    reply to this | link to this | view in thread ]

  8. identicon
    Anonymous Coward, 12 Sep 2019 @ 11:23pm

    Re: It’s like the good ol’ days

    We can learn about neither the history nor the myths of real-world police-public interfaces from an excellent paper like https://carnegieendowment.org/2019/09/10/moving-encryption-policy-conversation-forward-pub-79573 , but we should encourage all policy stakeholders to read and understand it anyway.

    reply to this | link to this | view in thread ]

  9. identicon
    oliver, 13 Sep 2019 @ 2:10am

    Sorry for the copy-paste-job here:
    So if we really, really nerd HARDER, we can not only make pi exactly equal to 3, but we might raise the search rankings of https://carnegieendowment.org/2019/09/10/moving-encryption-policy-conversation-forward-pub-79573

    Nex t up, NP-hard in 2 lines of code.

    reply to this | link to this | view in thread ]

  10. identicon
    Anonymous Coward, 13 Sep 2019 @ 5:34am

    Re:

    WTF?

    reply to this | link to this | view in thread ]

  11. icon
    Gary (profile), 13 Sep 2019 @ 5:45am

    Re: It’s like the good ol’ days

    Remember when there were "Master Keys" that would give access to every single lock in a building? Or only handfull of different skeleton keys for every single piece of luggage in the country?

    reply to this | link to this | view in thread ]

  12. icon
    That One Guy (profile), 13 Sep 2019 @ 7:16am

    'Just gonna ignore that, now, about that conversation...'

    The question, though, remains as to whether or not this will actually "move the conversation forward." I have my doubts on that, in part because those who keep pressing for undermining encryption have never appeared to have much interest in actually having this type of conversation.

    Given those who continue to push for cripple encryption have shown zero interest in an actual honest conversation, and are only interested in people agreeing with them, I suspect that they'll simply ignore the study and go right back to parroting the same old lies and other rubbish fearmongering.

    reply to this | link to this | view in thread ]

  13. identicon
    Anonymous Coward, 13 Sep 2019 @ 8:06am

    Re: Re: moving-encryption-policy-conversation-forward-pub-79573

    Did somebody say [Thunderfury, Blessed Blade of the Windseeker]... er, I mean, https://carnegieendowment.org/2019/09/10/moving-encryption-policy-conversation-forward-pub-79573 ?

    reply to this | link to this | view in thread ]

  14. identicon
    bshock, 13 Sep 2019 @ 9:42am

    Aside from the fact that the "encryption debate" has always been more of a fiat than a debate, I consider the problem to be purely political, rather than technical: fascists and proto-fascists want our data to maintain and extend their control.

    They like to frame their version of encryption as something that can only be unlocked by the intended users and by the "good guys" of intelligence and law enforcement. The obvious contradiction is that intelligence and law enforcement are only "good guys" to intelligence and law enforcement. To the rest of us, they're the tools that the wealthy use to maintain their property and suppress the unruly masses who might threaten that property.

    reply to this | link to this | view in thread ]

  15. identicon
    Anonymous Coward, 13 Sep 2019 @ 11:46am

    Re: Re: It’s like the good ol’ days

    Remember when some kid found that the same trick used in U-style bike locks (bic pen, insert and twist) worked on the majority of Knox Boxes?

    reply to this | link to this | view in thread ]

  16. identicon
    Anonymous Coward, 13 Sep 2019 @ 11:47am

    Re: Re:

    He's re-responding to my comment:

    We need to get https://carnegieendowment.org/2019/09/10/moving-encryption-policy-conversation-forward-pub-79573 SEO'd into the results common to LEOs and policy makers searching for solutions. IMO, this really is the missing piece, as nobody is going to shift their position on the "make this work / that's impossible" "debate" but this at least gives people the tools to understand WHY the floated proposals aren't tenable.

    reply to this | link to this | view in thread ]

  17. identicon
    Anonymous Coward, 13 Sep 2019 @ 11:52am

    Re: Re: Re: moving-encryption-policy-conversation-forward-pub-79

    Looking at top level keywords, https://carnegieendowment.org/2019/09/10/moving-encryption-policy-conversation-forward-pub-79573 and this article now show up at the top of search results.

    However, for terms like "going dark" and "encryption debate" it's still nowhere in sight.

    It's terms like going dark and encryption debate that we need closely associated with https://carnegieendowment.org/2019/09/10/moving-encryption-policy-conversation-forward-pub-79573

    reply to this | link to this | view in thread ]

  18. identicon
    Anonymous Coward, 13 Sep 2019 @ 11:56am

    Re: 'Just gonna ignore that, now, about that conversation...'

    Given those who continue to push for cripple encryption have shown zero interest in an actual honest conversation, and are only interested in people agreeing with them, I suspect that they'll simply ignore the study and go right back to parroting the same old lies and other rubbish fearmongering.

    This is why we need to ensure that every time these people do an internet search for "going dark" or "encryption debate" they end up looking at this study. Possibly we need to include search terms like "data exfiltration" and "iPhone cracking" as well. Anyone got other common search terms used by people who want full legal access to currently encrypted data?

    reply to this | link to this | view in thread ]

  19. identicon
    Max, 13 Sep 2019 @ 12:35pm

    Re: It’s like the good ol’ days

    Funnily enough, nothing to "remember" about that. Apparently in certain unfathomably #$!^% places that is exactly what the police, sorry, firefighters do - apparently code requires you to affix your key next to your door protected only by a single master key that can access absolutely everyone's keys (and so can you, if you procure a copy - or 3D-print your own). Just look up "knox box" and its ilk (then the Defcon talk about how a 18yr old can easily break it). That this exists at all is sufficient proof that in the particular universe we live in any talk about security is absolutely and utterly pointless because sanity has long left for some other part of the multiverse.

    reply to this | link to this | view in thread ]

  20. identicon
    Anonymous Coward, 13 Sep 2019 @ 12:54pm

    Re: Re: Re: It’s like the good ol’ days

    Oh, tubular cores...so impressionable. Thankfully, most of today's U-locks run either a slider-sidebar (cheap) or a disc detainer (NICE!) core, and Knox Boxes have moved on to things like Medecos that at least aren't going to fall over like a wet dishrag to a low-skill, improvised-tooling attack, but apparently a bunch of other folks haven't gotten the message. (FEO-K1, I'm looking at you)

    reply to this | link to this | view in thread ]

  21. identicon
    Anonymous Coward, 13 Sep 2019 @ 12:56pm

    Re: Re: It’s like the good ol’ days

    Maybe physical key escrow isn't such a great idea after all? (How to handle the getting the FD in the door in a hurry problem, though, is a good question. Not populating the Knox Box with a current key can and has gotten people killed; for one, FD access difficulties were a contributing factor to the Silver Spring gas explosion...)

    reply to this | link to this | view in thread ]

  22. identicon
    Bobvious, 13 Sep 2019 @ 3:10pm

    Re: nerd harder and delicious pi

    reply to this | link to this | view in thread ]

  23. icon
    Not an Electronic Rodent (profile), 14 Sep 2019 @ 1:47am

    People are always the problem

    ...whether or not this will actually "move the conversation forward. [snip] They have mostly only seemed interested in the [snip] approach to this, that assumes smart techies will give them their magic key without undermining everything else that keeps us secure.

    I don't think this'll "move the conversation forward" either, because I also think the above assumption is wrong. It's politics now, and therefore basically an article of faith.

    I think the problem it is that the (essentially) political calls for "the end of encryption" or "backdoors in encryption" who have no knowledge of how it actually works simply assume that "the other side" (i.e. technical experts) are lying about the consequences to block them because it's what they'd do in that position. The problem is that we have become fact-optional societies.

    reply to this | link to this | view in thread ]

  24. icon
    nasch (profile), 14 Sep 2019 @ 10:27am

    Re: Re: It’s like the good ol’ days

    Nowadays, police have so much military gear they can get in just as easily.

    Like sledge hammers? It doesn't take military gear to get through a locked door. And his point was that police have never had access to all your private stuff, so why should they start now?

    reply to this | link to this | view in thread ]

  25. icon
    nasch (profile), 14 Sep 2019 @ 10:31am

    Re: Re: Re: It’s like the good ol’ days

    The fire department have axes, rams, hydraulic cutting equipment, probably chain saws... they can get in.

    "After prying the door partially open and not detecting gas, she said, firefighters left."

    Clearly if they had really found it important to get into the room they would have, though not as quickly as desirable. Also worth noting this was an equipment room, not someone's residence.

    https://www.washingtonpost.com/local/maryland-news/faulty-vent-responsible-in-deadly-silv er-spring-explosion-federal-investigators-say/2019/04/23/c3d1f53a-6530-11e9-82ba-fcfeff232e8f_story. html

    reply to this | link to this | view in thread ]

  26. icon
    nasch (profile), 14 Sep 2019 @ 10:34am

    There is no forward

    The status quo is that strong encryption is legal, including end to end encryption, and law enforcement need not be given access. This is the appropriate state of things, so the conversation cannot be moved "forward". The only possible change is regressive, toward authoritarianism and erosion of personal rights.

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Shop Now: I Invented Email
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.