US Congress locks and loads three anti-encryption bullets US Congress is preparing no fewer than three new bills over the ongoing encryption debate: one banning end-to-end encryption, one setting up a commission to review the issue, and a third to make sure that it is Congress that gets to decide what happens next. Leading member of the Senate Intelligence Committee Dianne Feinstein …
Let me fix that for ya'
The bill to grant the Congress sole rights to an encryption solution is likely to face opposition from Congressmen the U.S. Constitution with a strong states-rights philosophy.
a.k.a. The Tenth Amendment
Hmm, you've got the Tenth Amendment but they've got the commerce clause. Historically we know which side the Supremes tend to favor but let's take it a step further, we typically don't know if any given message will cross state lines but we do know that most computers will have crossed state lines. Consider a computer that was made in Taiwan, imported through California shipped to an online sales company in Kentucky and ultimately used in Nebraska to tally medical billing data for clients around the country. Do you want some yeehaa in Nebraska to mandate that your medical and financial information be kept and transmitted in clear text? Hell, I don't want the Feds to be able to do that.
I'll agree that the Tenth Amendment should take precedence on the issue but only if we get to use the part of it that says the powers are reserved to the people.
There's a huge elephant in the room being ignored not only by the US Congress, but also by the author of this article - if we're going to cripple encryption to allow "lawful" access, then who gets the keys? US Congress assumes of course that the NSA and US law enforcement would be given powers to intercept communications by everyone, including by foreign companies and nationals, but once that were enabled, what POSSIBLE excuse would there be for not allowing the equivalent bodies of other sovereign states such as Russia or China to have the same "lawful" access to the communications of US businesses and citizens?
Don't forget the Post Office ;-)
Point is that Norks/Ruskies/sovreignenemyoftheday aren't going to use a system with holes, so the people you're spying on are your own population, not the 'baddies'.
It's like that ludicrous 30 second FBI warning at the start of a DVD which penalises people who bought the disc whilst pirate copies simply didn't force users to sit through that. It's all theatre, smoke, mirrors and distraction without being any practical positive use, and encourages people to use 'dark' versions instead.
I think there are about a dozen TLAs missing from that list, but right now I can't be asked to complete the list. Heck, they'll probably invent another one soon that will be in charge of controlling and handling the backdoor keys.
That we should just as the biggest brains in the world to stop all these mechanical weapons being made. I mean, your paid billions and the industry is massive. It just needs more laws placed down and more money thrown at it.
Though less sarcastic a reply, things can be done, but we have to ask for the possible.
Not at all; you just need to make guns that will only fire if a good person is aiming at a bad person. How much more simple could it be?
At least a little more simple: make bullets that only hurt bad people.
Hey, it (or a variation thereof) worked for Susan Sto-Helit. Being related to an anthropomorphic manifestation of a cosmic principle1 is just an implementation detail to be ironed out.
1Also, curiously, a cosmic principal, in this case.
The Feinstein Bill (along with the author) should just be tossed in wastebin of history.
The Encrypt Act seems good on the surface, otherwise we'd have some states banning and others allowing and a massive headache for users and ISP's. There should be some uniformity otherwise a person living in an "encrypted" state would have issues communicating with someone in an "unencrypted" state. Plus companies would flee states based on the encryption issue.
The McCaul Bill might be the best. Tie this stuff up in a committee for eternity with no decision ever being reached. The marketplace will find it's center. Meantime, the TLA's will be beside themselves and beyond pissed off. Win-Win since many times, the best action is "no action".
"The McCaul Bill might be the best. Tie this stuff up in a committee for eternity with no decision ever being reached."
Love it! That kind of thinking is exactly why I vote for independents and minority parties for both Senate and Lower House here in Australia and encourage others to do the same... not because I support what the independents or minority parties stand for, but because collectively they form an obstructive power block against the major parties whenever either tries to push through more draconian legislation.
If the government is effectively hamstrung by faction fighting, power squabbles and ineffective committees then maybe they'll leave the rest of us alone. This is why no Prime Minister has lasted a full term in office since Howard. I still remember with a shudder the shit that got passed in this country when that bastard had control of both Upper and Lower Houses. If I learned anything from the Howard years, it's that an impotent, hamstrung Government endlessly fighting a hostile Senate is the best way to preserve our freedoms and civil liberties!
I still don't think that Congress understands what is end-to-end encryption.
When I connect to my online bank via a web browser, the encryption is end-to-end.
There is no intermediary, at least in theory.
What would they propose to replace that then? That all encrypted communications have to go via an encryption middleman at the NSA and they broker all encrypted comms between two parties?
Despite the obvious big brother ramifications which are horrific in themselves, do they really have the sheer computing power to do this?
Congress critters seem to have a very narrow view as to what Internet encrypted comms cover, such as Facebook, Twitter and Google brokered services.
The fact is that peer to peer encrypted comms are becoming pretty mainstream and are easily accessible by the criminals. Just install a Tox client, run it up and you're good to go once you have exchanged ToxIds.
Far easier to do that than sign up for Google or Twitter.
I think they mean that the NSA (and police, etc) hold a 'magic key' and can use that to decrypt any message they feel they ought to, for the detection of lawbreaking and safety of citizens of course.
Instead of calling on Silicon Valley to "do something", perhaps they should call on the NSA to "do something". After all, the NSA has experience in this area.
I have just had an amazing thought that :
- does not conform to normal standards of conformity (snigger)
- threatens the future of the current political/industrial alliance
- doesn't pay tax to the IRS
- is just plain smutty
(choose one or more of the above)
I haven't mentioned any of the detail of this to anyone.
How long do you think that this will be in contravention of the American right to know everything about anything (in order to fight the war on Tourism) even though I don't live in the US and have no intention of visiting there ever again.?
This is what happens when you let politicians think they run the country.
I have to disagree with that. What the authorities DON'T want is for investigators to say "sorry we couldn't snoop on so-and-so because they're using encrypted communications". Once they've decided to investigate someone they want to know what they're up to. They want that badly. It's the collateral damage of such power that they don't understand.
I think the reality is likely to be much worse.
I would say that the congressmen currently engaged in this media feeding trough likely care not a whit for the issues. There's an election in the offing. It matters not what the spectacle is, just that you're involved and seen to be involved.
Alas, I suspect you're right. A thing to belch on about instead of policies. Over here in UK it's all 'migrants' (despite most of those migrants being people in exile seeking shelter whilst maniacs kill their families and destroy their homes, jobs and worlds). Easier to talk about than the real issues.
The bill to grant the Congress sole rights to an encryption solution is likely to face opposition from Congressmen with a strong states-rights philosophy. Plus its constitutionality would almost certainly be challenged by the states.
I'm sure the states'-righties would challenge it, but they'd likely lose. Article 1, Section 8 of the Constitution gives Congress the right to regulate "interstate commerce", and the SCOTUS has consistently (and recently) agreed. The leading proponent of that would be Tony Scalia. The only trick pony in this show is whether end-to-end encryption can be considered "interstate commerce". IANAL, but given that end-to-end encryption would be used in the continuance of interstate commerce, it seems rather a short putt to be found that Congress can indeed regulate the stuff.
(Remember, it was Tony himself that said that growing marijuana in your back yard for personal consumption was interstate commerce, and that even if the "commerce" is illegal, i's still commerce, and can therefore still be regulated by Congress.)
The Commerce clause has been used, with some frequency, with the best intentions, of course, in ways that sometimes seem strained, to put it mildly. A rather old example was its use to justify law requiring racial integration at local diners in the South, where diner operator purchase of goods, services, or materials that may have crossed state lines was deemed sufficient to apply federal law. Another, more recent, was a Northeast Ohio case in which an ornery Amish bishop and some of his family assaulted other Amish over religious differences and family disputes. The assaults, in the form of hair and beard cutting, were prosecuted as federal hate crimes (because a religious dispute was involved) with federal jurisdiction based on the fact use of clippers that had crossed state lines. The bishop, aged 67, received a 15 year federal prison sentence; others received shorter sentences.
Everyone can decrypt.
It doesn't matter who the first Eve is, very soon it is all.
I have a great idea. We give the keys to a member of Congress.
They will soon be kidnapped, tortured and murdered, by a miscreant who really wants those keys.
Then we change the keys and give them to another member of Congress.
We keep doing this until we run out of politicians who want to hold the keys, then we canforget the whole idea and go back to living in the real world, where only Alice and Bob have keys.
The problem solves itself. It's quite elegant.
"They will soon be kidnapped, tortured and murdered, by a miscreant who really wants those keys."
Erm, These are politicians we are talking about here.
They will just sell access to the keys under the counter, quash any investigations using their influence, then brazen it out should it become public.
Actually, the idea that there would be a problem because of the "states rights" issue is probably not there. The federal government is granted control over inter-state commerce by the constitution. State laws that control what abilities cell phones have in that state and ban them if they allow "illegal functions" would almost certainly fall under the federal governments inter-state commerce jurisdiction. The federal government has used the commerce clause for much less obvious issues. Actually the federal government routinely uses the commerce clause as an end-run around other constitutional restrictions.
And remind them that:
A) Weakening encryption endangers U.S. government data. The Office of Personnel Management hack and the Sony Pictures hacks being an excellent examples.
B) Weakening encryption endangers sensitive financial/healthcare data and personal/political communications between people both in the U.S. and abroad who's economic security and freedom of expression our country is supposedly trying to encourage.
C) Hackers, foreign intelligence agencies, organized criminals and corporate/intellectual property spies will all pay big bucks to gain access to any backdoor that is inserted. Eventually they will turn vulnerable intelligence or law enforcement agents, with serious economic, national security and law enforcement implications stemming from that breach.
D) Right now, the IT security and web services/social media industries are dominated by U.S. firms. Forcing these firms to compromise their customers' security will give international rivals a competitive entry that will reduce American jobs and tax revenues and increasingly move these industries offshore to jurisdictions that may be outright hostile to the U.S. and its allies.
E) The amount of data on your average smart phone is vastly greater than what was carried by your rotary or cell phones of just 20 years ago. Asking for access to all that data is a vastly greater intrusion than asking for wire-tapping authority was in the 1980s and 1990s.
F) Our intelligence and law enforcement agencies' commitment to transparency and self-discipline in the use of these bulk data collection powers is not good.
G) If the U.S. demands that these backdoors be introduced, there is nothing to prevent China/Russia/other countries from doing the same, with consequences that will be dangerous to the U.S. economically, politically and strategically.
Unfortunately, that blinkered hag Feinstein is one of my Senators, and she's a lost cause, but perhaps some reasonable people will listen.
Go a bit more personal...
1) Remind them that because Hillary didn't encrypt, there's factions that believe she belongs behind bars because they read her emails. So it's a case for and against encryption depending on your party.
2) Point out to them, that without encryption, their activities can be monitored. If they have nothing to hide, then they too have nothing to fear.
Make it even simpler. Say if they insist on backdoors, they'll be conceding World War III to China, Russia, or whomever. Make it a direct and existential threat. If that doesn't make them jump, NOTHING will and we're already doomed and should be looking for the exit.
"A) Weakening encryption endangers U.S. government data. The Office of Personnel Management hack and the Sony Pictures hacks being an excellent examples."
Your second example isn't government data. So make that "government and business data" just to remind them that their commercial backers might be watching how they vote.
"Sadly, none of them address the core issue at the heart of the debate: how can you give law enforcement access to encrypted comms without introducing a backdoor that others can use?"
Huh?
Since when was that the core issue of this debate? Sure, it might be the main challenge being posed by anyone with the barest understanding of how cryptography works but neither those people nor their opinions and proofs and experience are part of this debate.
That the law enforcement and spy agencies and their eager mouthpieces in government keep this alive in the face of those objections is proof enough of that.
Before laws are passed that hamstring US companies, back doors are required, secret deals are a given, and the whole damn thing is compromised. Whether or not US citizens or anyone else is put at risk is irrelevant. Whether or not US businesses are put at a disadvantage in the world economy is irrelevant too. Whether or not all the information gathered makes the US safer or not is also irrelevant. The US has an insatiable appetite for gathering every shred of information, regardless of its usefulness, and there is absolutely no laws domestic or foreign that will force it to do otherwise.
Would any other country really be able to resist the temptation to do the same if they had the ability to do so as the US does right now? I doubt it. But that doesn't make the US right in doing it.
What a shame. All that creativity, all that computing power, all that potential for doing good in the world, set aside to be the equivalent of a neighborhood bully.
What's puzzling is that those in charge are going to be cutting their own throats. They won't have secure transactions either. They probably think they'll be able to exempt themselves or something equally absurd.
It's just indicative of the idiots that run for office. I personally don't think we have any choice about electing idiots, because all of them are, regardless of party. Just look at the bunch running for president.
I suggest we use ROT-13 for the normal population, and 2ROT-13 (must be more secure, right?) for those wishing to exempt themselves.
The thing with encryption is, though, that a proper one time pad system is unbreakable. Not hard to break, not backdoorable, literally unbreakable. A cyphertext contains EVERY plaintext message, just depending on the key. Literally, mathematically unbreakable.
What we're discussing is how to exchange one time pads discretely without a prior relationship, and the answer is that we make it hard but cannot make it impossible to do. The lack of prior relationship means it has to all happen out in the open, initiated by one side or the other.
It's all moot if there's any other way to exchange a one time pad, and luckily for the bad guys, there are many tens of thousands of ways to smuggle it undetected. Print a daily sudoku, smuggle it in a can of baked beans, tattooed on a goat, strap it to a carrier pigeon, etc. With a one time pad (or its electronic analogue, a microSD card, for instance) exchanged, you may as well send the cyphertext message loud and proud, and that's exactly what happened during the cold war, messages sent over short wave radio (look up 'number stations', there are some chilling examples on YouTube) right in the enemies faces.
So all this nonsense is a smokescreen - 'baddies' can encrypt perfectly, friendly domestic users can be surveiled easily, glad we had the help of politicians to solve that problem, eh?
Except for two problems:
First, the "no prior relationship" bit. That's the First Contact problem: an intractable one in matters of security because, no matter how you try to set it up, there's always a way for Mallory to intervene in the contact phase, usually by impersonating Alice or Bob. And since they've never met before, there's no way to prove each one's identity to the other. Even the use of a third party (Trent) can be subverted, recursively, ad nauseum. And a State is the ultimate adversary: money and resources are practically no object to a determined State adversary.
Second, the matter of passing and securing the pad. That represents security questions in itself because the very act of exchanging the pad can itself be incriminating. It can also be intercepted. A paranoid state actor could just outright ban any and all encryption that can't be cracked by the state, making any effective encryption stand out like a sore thumb, plus there are ways to sanitize the media to make steganography extremely difficult.
Without the text of the bills, only one of which is reported to have been introduced, sensible reaction and comment is not easy. Congressman Lieu's bill would preempt states in the matter of establishing encryption limits and probably is a good thing. It is likely both to be open to enactment and supportable in court under the commerce clause. As for the others, it clearly is too soon to tell.
Contrary statements notwithstanding, it is not clear that any US government spokesperson has genuinely advocated for a functional capability much beyond what presently is in the law (Communications Assistance for Law Enforcement Act (CALEA) of 1994), modified to cover the case of encrypted communication, together with a similar capability to support access to encrypted data at rest, all under warrants or other appropriate court orders.
In many cases, equipment or service providers will have a reasonable defense* against orders served on them, in the form of technical inability to execute the court order because they do not have the key data. A law might be proposed to make it unlawful for them to provide such a capability, but is relatively unlikely to be enacted and in any case will not prevent customers from using their own encryption, not under the provider's control. A company providing an encrypted service might be argued to be subject to CALEA even now; that question might have to be settled in court. Apple texting and Google End-to-End seem possibe test cases. The first may well be susceptible to some degree, in that Apple seems involved in handling the keys and may be technically capable of enabling a tap. That also seems likely to have been a problem with Lavabit. Google End-to-end is based on straightforward PGP and is likely immune to effective tapping.
* Although stranger things have happened, a provider probably would not be punished for failing to do something it cannot.
If all the law abiding people and companies stop using end to end encryption, or introduce back doors or whatever, it would then only be criminals using encryption.
So, the NSA (and any interested criminals) would end up with massive amounts of accessible private data, but wouldn't be able to peer into the activities of the people they're supposedly targeting - criminals.
So, all in all, what is the point of this?
...would be far more productive if applied to the problem of law-making.
I hate to appear to push an agenda here, but Silicon Valley is actually stuffed full of people who are experts in the field of "actual consequences, both intended and otherwise, of enforcing particular rulesets on particular situations". On paper, that's exactly the sort of person we need drafting laws.
OK; so the political brainstrust insist on a backdoor key of some sort.
Then some bright spark modifies The Galaxy Zoo or Internet Prime distributed search tools to lock for the backdoor key. How long would it take for a couple of billion devices, desktops tablets phones etc to crack it? Or would our Lords and misfits make running such a program an offence too.?
The Great Internet BackDoor Hunt
Free the Key
Crack the Crypt ....
Which is exactly what will happen if governments pass a law allowing them to decrypt whatever they want whenever they want. That master key will be very quickly discovered and then disseminated through the internet.
And once that can of worms has been opened it will be impossible to put the genie back in the bottle.
It has to be assumed that the very people that 'they' say 'they' want to snoop on (the naughty terrorists) are the very ones that will ignore any rules on encryption and will communicate using layers of encryption at each end in an attempt to circumvent 'their' ability to read it. Therefore the conclusion has to be that 'they' just want to snoop on legal, law-abiding commercial and private activities for economic and/or political reasons ...
This isn't anything to do with 'terrorism', just political opposition and state-sponsored commercial espionage. It could be considered the latest digital variant of the McCarthyist witch hunts, the desperate push of the political classes to keep their noses in the trough whilst holding on to power ...
The State vs. Corporations vs. The People.
Usually, the people come a very poor third in that particular dynamic, but they are also the catalyst for change in balancing the powers of the other two.
For example, whilst we can only ever vote in politicians, we can play on their insecurities and power grubbing desires by threatening to oust them if they disobey us for too long.
As for corporations, we can withhold our money from buying their products if they piss us off too much.
Of course, it will come as no surprise to anyone reading El Reg. that this dynamic can only work if the people are:
1. Aware of what is happening
2. Not totally brainwashed already
3. Are prepared to forgo the usual promises/bribes by the politicians/companies
4. Are intelligent enough to know that the above 3 points even exist
So, in general, we're pretty screwed without people like Snowden to throw this murky world into relief for the great unwashed to actually notice.
Therefore, any attempt by The State or Corporations to limit the ability of The People to disseminate the dirty laundry of the aforementioned should be interpreted as a direct attack on our ability to act as a catalyst and have any control whatsoever over anything that is happening to us.
The logical extension of which is 'attempted slavery' by anyone attempting to suppress the ability of the public to communicate freely*.
*(irrespective of the 'cost' that these people tell us we will have to pay to have this freedom. They aren't actually saying "here is a choice - freedom or security - they are saying "you must sacrifice your freedom in order to be secure")
Loosely translated, "Will someone PLEASE b*tchslap these f*ckwits?" Given that the CIA and NSA have, all by their wee little selves, discovered that widespread blanket surveillance of EVERYONE:
1.) Produces ZERO actionable intel. ZERO.
2.) Magnifies the workload exponentially of sorting and assessing all that Data
3.) Creates an enormous barrier to cooperation and data sharing between Countries
AND
4.) It's a HELL of lot more fun to watch, listen to and record Dianne Feinstein, John McCain and the rest of Congress than it ever was watching the rest of us, even on a Good Day,
I would expect those "backdoors" will certainly come back to bite the very schmucks who insisted on them in the first place. Oh, Dianne! Don't worry- just "wipe it with a cloth!" Whatever "it" might be - we really just don't want to know...ewwww...
When a technician says that something is impossible they usually mean that the laws of physics and mathematics won't allow it.
When a bureaucrat says that something is impossible they usually mean that it too expensive.
I have seen some monumental stuff ups that have resulted from that different interpretation of "impossible" since each group interprets the word in their own way.
This is why telling a politician that something is impossible will just result in them asking you to spend more on getting to the solution.
Interestingly, the advances in technology just reinforce the view that anything is possible if you spend enough on it.
Agreed.
Worked on a project once.
Very badly managed, wasn't progressing well and was becoming super expensive.
Management solution:
The whole team was taken to see a private showing of Apollo13 at the movies.
Afterwards we were told to make the project 'a successful failure'.
True.
This is not like some business negotiation where there can be any middle ground. This is a mathematical function that provides for one specific purpose. We can either ban encryption or allow it. Otherwise we are left with a whole lot of useless, wasted computational power with a backdoor that defeats the purpose of the function in the first place.
Which presents an intractable problem to civilization as we know it. Ban encryption and the government becomes corrupt enough to destroy it from within. Allow it, and outside agents can destroy the government from without with no way to prevent or retaliate. Either way, civilization loses...
I think I need to form a research institute, request the US government for a few million dollars of seed capital to start the research, milk the research budgets of the TLAs for the next 20 years and retire on the money that falls through the cracks.
The institute will hire researchers to publish progress papers along the way indicating that we are progressing but need more input (money, ideas) from industry, academia, the public and security agencies.
At the end of the it will project publish a paper that summarises hundreds of manyears of effort into a single page indicating that we have a promising solution but it is not computable in finite time and finite space. The solution, of course, would be highly classified so could not be released to any one or be published on any system that could not prove to be 100% secure.
How about allowing encryption, but it HAS to be signed by the author using a signature known by the state.
The law enforcement can then sue the author for the original, taking whatever inference they may if the author can't or won't
Carriers can refuse to transmit unsigned encrypted messages
I know there are lots of but-ifs in this, As there are with banned encryption or freedom to encrypt
"declaring that only Congress is allowed to make such laws."
I seem to recall part of the U.S. Constitution that says any power not granted to the federal government by our constitution is reserved to the states and to the people. Oh yes, it's the 10th Amendment.
I don't care what any of them in congress think they can do in this regard, it's null and void.
In addition, if they even attempt to implement such restrictions, the hacker community will likely respond with a public domain SUPER ENCRYPTION protocol that will be not be traced to an author and won't be able to be decrypted even by a trillion quantum computers, and such code would likely be obfuscated and provide free to the entire planet.
Don't fuck with the people.
It is really sad that Feinstein, who is a long term Senator, does not have the basic mental capacity to understand that a decryptable encryption unfortunately also means an unreliable encryption. And that she cannot be bothered to engage with, and listen to, experts who can explain that to her.
I am firmly on the Snowden side of things wrt to mass surveillance. Still, I understand, and sympathize to an extent, with the concerns of law enforcement that encryption might provide safe harbor for indicted criminals. As long as warrants are used, I support a fair bit of law enforcement access.
Unfortunately, while it would be better if all people everywhere were nice, unicorns were rampant and Kathy Perry could actually sing, wishing so does not make those things come true.
Flawed encryption, with our society's reliance on telecoms and digital record-keeping, would put so many people at risk of very severe financial hacks that it is hard to imagine what kind of terrorist or criminal endeavor could match the aggregate human misery resulting from the implementation of such a fundamentally flawed idea as Feinstein's.
Never mind that any Dick or Jane terrorist could just download and use crypto from a country with more intelligent politicians. Or that, failing that approach, they could just revert to not storing and communicating this info digitally.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
