Obama edges toward full support for encryption – but does he understand what that means? The Obama Administration is weighing whether to come out in full support of unfettered encryption, something that would be a huge blow to the Feds, who have been pushing for compulsory backdoors in all new tech. But there's something in the President's proposals that aren't quite right. A leaked memo [PDF] from the National …
That's a really good question. I have NSA guidelines going back some twenty years over on my array (not worth looking up the first one) and it's not just Windows. It would be really interesting to see what they'd come up with. Then again looking at it from their perspective, would they really want an absolutely (or some approximation thereof) kernel and/or OS? If the guvment had one you just know that the techies would take it home.
NSA v. CYBERCOM dilemma again.
They might do this...(the memo about encryption and backdoors) but if there's just one declared terrorist attack or attempted attack, the panic (media frenzy) will force backdoors and no encryption for "your protection". Kind of reminds me of those toilet seat covers.... "provided by xxxx for your protection".
So what is the timetable ? Obama's memo is published next month, legislation next year, before the Senate in late May ... but there is a terrorist attack mid May, lots of destruction a couple of people killed, the NSA says ''if only we had been able to read ...'', Senate and Congress both vote for mandatory back doors.
Five years time, Snowdon Mk II reveals that the FBI black ops department was responsible for the attack at the behest of the NSA.
Encryption is not the be all/end all of security; it is only one of many tools. Furthermore, it is not up to the US alone, as the allegedly leaked memo of uncertain provenance notes, to make all decisions about legal constraints on encryption or requirements for back doors or key escrow systems. The NSA and the world's other SigInt agencies will be happy if any major government requires authorized government access to encrypted data and communication streams.
In fact, though, these agencies will not care enormously about government constraints or requirements governing encryption and encryption standards, because the weak points of nearly all encryption systems are the people who use them and the hardware and software systems that implement them and on which they operate.
It has not been clear to me since the early 1990s, when the US government was going after Philip Zimmerman, restricting export of strong encryption products, and developing the Clipper and Capstone chips, just why any government would entertain the notion that they would be able to prevent criminals from encrypting communications if they chose to do so. Before PGP source code was available, before Bruce Schneier's first book on cryptography was published, the essential secrets of good encryption were available to enough smart and clever people outside government that hope of preventing its criminal use was squashed. That apparently intelligent people continue even to think about it, let alone talk about it in public, boggles the mind.
In the US, law enforcement authorities have and will continue to have substantial power to compel disclosure of encrypted data. It will not matter that the manufacturers or communication providers do not have the key and therefore cannot assist them effectively. With properly issued warrants they have the full power of the local, state, or federal government, to direct whoever does possess the decryption key to either give it up or use it to reveal the message. That is the same power they now have to compel disclosure of information encoded by procedures not implemented using computers. Some who are gulity will not be prosecuted and some who are will not be convicted as a result, although the number of cases in which encryption is at issue is small and likely to remain so. That always has been true, and it has not brought us down as much as excessive criminal legislation, prosecutor overreach, overconviction, and oversentencing.
"It has not been clear to me since the early 1990s [...] just why any government would entertain the notion that they would be able to prevent criminals from encrypting communications if they chose to do so."
It's because they didn't understand what was going on then and so didn't learn the lessons and so don't understand now, either.
Quite right about encryption not being A&O. The reality is that there will be very few, if any, cases where an agency with the resources of a Western state behind them will need a backdoor, key escrow or some other method of breaking mathematically sound encryption. Even if one ignores rubber-hose cryptography and its legally-sanctioned cousins (RIPA Pt. 3, etc.), there are so many ways of circumventing a particular user's cryptography, from using one of your stockpiled zero-days (or, since most people probably don't have everything updated all the time, any one of literally millions of known vulnerabilities for the most common systems) to breaking in to the target's home and installing a physical keylogger. And then there's the whole wonderful world of Van Eck and its kin. When Cameron said that there should not be a message that the security service should not be able to read, I'd hope that this was what he meant - that *a* message should be readable, not *every* message.
Two points remain. The first is the use of encryption in what we might call "normal" crime, where there's no national security angle. With a very few exceptions, the police (at least in the UK) don't have the legal powers or the resources to mount the kind of targeted attacks mentioned above on anything other than the most serious of organised crime. The security services only need intelligence; the police need evidence that's admissible in court, with a strong, forensic chain of custody. It is not terribly difficult to conceive of a scenario where decrypting certain messages might provide evidence leading to a conviction, and I can understand why police forces without the means (legal or otherwise) to circumvent encryption might desire a back-door into such messages.
The other point, the big point which isn't really mentioned in the Obama leak, is mass surveillance. The attacks listed above mean that, with the possible exception of actors with the resources of other nation-states behind them, the security services in the UK and the US can monitor any given person. However, those techniques simply cannot be scaled up to cover every single person, which is what, potentially, a state-imposed back-door could provide. This is what the encryption debate is really about. There's never been any question that the TLAs can, in any particular situation, circumvent encryption. For proponents of back-doors to argue that strong encryption is a serious limitation here is either ignorant or malicious, depending on your tolerance for conspiracy theories. The 'problem' is that encryption can hinder the efforts of 'normal' law-enforcement, and can cripple mass surveillance. In my view, the latter is ample compensation for the former.
"We assume by "voluntary cooperation," the President is willing to be told to get lost by the tech giants in November – if they have the strength to do so."
That's over. Google and Apple, and I expect other companies, have already proven their strength to 'Just Say No' when the government demands the impossible, decrypting the encrypted without the keys to do so.
Then add in the fact that anyone can access and use publicly available unbreakable encryption for their files. Unless those encrypted files have a worthless password or someone discovers the keys, they're staying encrypted.
Meanwhile, no doubt the government will continue to use and create new methods of intercepting information before its encrypted or after it's decrypted by an intended receiver.
Let's just hope the US government figures out that they are required to abide by The Fourth Amendment to the US Constitution whether they like it or not. Any evidence collected outside of the mandates of the Fourth Amendment will be judged worthless and thrown out of court, as is currently being proven daily. IOW: Follow the law or your case is sunk. No '1984' scenario is welcome here. Deal with it.
By voluntary cooperation, what is the White House saying?
Given the context of the document (where support for backdoors isn't even an option), and even the paragraph in which the sentence in question appears - the context of aligning others to a policy encouraging encryption and discouraging backdoors - I'd suggest that the memo is speaking of tech companies voluntarily cooperating with implementing strong encryption and discouraging backdoors. Lawd knows there are still enough tech companies which still need to pull their fingers out and encrypt all the things.
So if that's the sole sentence that could be found - in an 11-page memo - which could be construed as objectionable, then I think that's a pretty damned good memo.
My understanding of "voluntary cooperation" is that they will get access to data from companies through the front door, i.e. via a data request through legal channels, rather than trying to break the encryption.
This would obviously only work in cases where the company has access to the data, e.g., emails, social media, and not where there is end to end encryption.
I can't help but notice that this document has leaked during the time when Hillary Clinton seems to be having some problems with her email... is this some internal Democrat politics? That's the first thing that springs to mind for me.
Obviously 'tis a good thing that encryption is being talked about as the sensible option, apparently at high levels of the US govt. Hopefully this could be imposed on others via the TPPA etc... and I am particularly entertained by the language used that supporting encryption "might not be in keeping with our allies" but at the same time "would differentiate us from Evil China/Russia"
Many know about encryption, few understand how it actually works.... Obama is not alone. There are several different types with end-to-end encryption being more and more common these days. If you are interested in understanding it at a high-level there is a good infographic out there at: https://www.chatmap.io/blog/end-to-end-encryption-explained.php
In short, it's a clever way of generating keys that relies on prime numbers. The middle-men operating the service never get the keys, it is only the creator and consumer.
I can see why Obama may not fully understand it.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
