Fine, OK, no backdoors, says Deputy AG. Just keep PLAINTEXT copies of everyone's messages

The US Deputy Attorney General has told business leaders that Uncle Sam won't demand mandatory backdoors in encryption – so long as companies can cough up an unencrypted copy of every message, call, photo or other form of communications they handle. Speaking at the 2017 North American International Cyber Summit in Detroit on …

  1. Doctor Syntax Silver badge

    With loose cannons like this in the US legal system surely the EU have no option but to abandon the Privacy Figleaf forthwith. "Adequate"? Who do you think you're fooling?

    1. Anonymous Coward
      Anonymous Coward

      > surely the EU have no option but to abandon the Privacy Figleaf forthwith.

      Why? Germany was once the European bastion of citizens' rights, but even they've been backsliding on privacy, and all governments are thinking "wow, how can we get our hands on all our citizens' data?". The UK government love the idea, and are busy scraping all the data they can find already.

      And where's the EU "Privacy Plan B"? There's hardly a series of robust European IT platforms to replace Microsoft, Google, Facebook et al, are there?

      1. ratfox Silver badge
        Meh

        Yep. Short of banning Google, Facebook and Microsoft from operating in Europe, the EU simply cannot guarantee the privacy of its citizens. The privacy shield or whatever they call it is a gigantic waste of time to support the legal fiction that they can enforce their own privacy laws without making the internet illegal.

        1. Anonymous Coward
          Anonymous Coward

          Ban them then. Or rather, make them accountable for their crimes.

        2. Anonymous Coward
          Anonymous Coward

          "Short of banning Google, Facebook and Microsoft from operating in Europe, the EU simply cannot guarantee the privacy of its citizens. "

          Don't worry the EU thought of that. It's why the fines under the GDPR are potentially astronomical. They can hit them where it hurts...

      2. EnviableOne Bronze badge

        If there's a market one will appear, and I think if you look at the combined revenues of Microsoft, Google, Facebook et al that they run through Ireland, there is a market and the issues are not insurmountable.

        It's been done before (e.g. Weibo, Yandex, Baidu, Alibaba, etc.) and with the mass of professionals in the EU there is likely to be something whipped up quick.

  2. Jack of Shadows Silver badge

    Ransomware

    So you could easily end up with the circumstance where ransomware encrypts your plaintext that you are required to have to appease the authorities. Talk about Vandals at the gate. A real growth industry here enabled by government.

    1. Adam 1 Silver badge

      Re: Ransomware

      At least with this approach, the law-abiding ransomware authors will no longer cause problems.

  3. Anonymous Coward
    Anonymous Coward

    What's his email address?

    Maybe we should all (millions of people) BCC him in on inane boring emails just to make sure he gets a copy in plain text.

  4. Throatwarbler Mangrove Silver badge
    Mushroom

    Ahem

    THIS IS NOT BETTER, YOU POINTY-HEADED BUFFOON!

    Sorry, I'll be going now, I seem to be suffering some sort of embolism.

    1. tfewster Silver badge
      Facepalm

      Re: Ahem

      Rosenstein seems ambivalent (or clueless) about encryption:

      ransomware - encryption with no government backdoor

      botnets – taking advantage of poor security and encryption -

      hackers - could launch devastating attacks against autonomous cars, if they're poorly secured

      1. Anonymous Coward
        Anonymous Coward

        Re: Ahem

        That is typical of all politicians anywhere in the world - it goes with the position. Then you add he is a lawyer to the mix and chaos is rampant.

        1. Mark 85 Silver badge

          Re: Ahem

          I suspect it's more that politics is where: a) those who can't walk and chew gum at the same time go; and b) it's the last refuge of the totally clueless. The more I read in the news, the more I realize it's also contagious and spreading rapidly around the world and infecting those in office everywhere.

          1. Rich 11 Silver badge

            Re: Ahem

            Politicians are not necessarily clueless and only a minority are especially dim. When one of them is ambitious and sufficiently ruthless to achieve some of their ambitions, they start to think they really are clever instead of just moderately competent, and that their ideas must be right. Combine that with a strong belief in their own rhetorical brilliance and they think they can give speeches like this one, and convince everyone of the truth of their position.

            Well, it's either that or they know they're talking bollocks but they'll get sacked for embarrassing their boss (and by extension their country) if they don't go out and try. The classic example of this was Colin Powell's speech to the UN outlining the evidence for Iraq's weapons of mass destruction and links to al-Qaeda, when he knew that Bush had already decided to go to war. You could almost see the shame dripping off him.

      2. GBE

        Re: Ahem

        "Rosenstein seems ambivalent (or clueless) about encryption"

        My theory is that the level of cluelessness is pretty much proportional to the frequency of use of the prefix "cyber". The more often somebody says "cyber-<something>", the less credible they are.

        1. Anonymous Coward
          Anonymous Coward

          Re: Ahem

          With apologies to the Monty Python Spam Sketch...

          Cyber IoT cyber cyber Web Scale cyber tomato and cyber

  5. ThaumaTechnician

    Who's to say whether the plaintext matches the cryptoed text?

    The actual nonce/encryption key used should/must be different each time some plaintext is encrypted, no?

    Then how can someone disprove that stored plaintext is actually what was sent?

    1. jelabarre59 Silver badge

      Re: Who's to say whether the plaintext matches the cryptoed text?

      > Then how can someone disprove that stored plaintext is actually what was sent?

      SSShhhhh... What the dimwits don't know doesn't hurt *us*.

    2. InfiniteApathy
      Black Helicopters

      Re: Who's to say whether the plaintext matches the cryptoed text?

      > Then we can be confident that the stored plaintext is actually what was sent

      You're absolutely correct ThaumaTechnician, thank you for your feedback.

    3. Anonymous Coward
      Angel

      Re: Who's to say whether the plaintext matches the cryptoed text?

      @ InfiniteApathy

      I don't think the guy would think that deep. He comes across as yet another clueless in a high place.

      In Canada's de facto federal gov't, the people appointed to set up computer systems do not even have to know how to turn one on, some of them even admit they - to all intents and purposes - can't, but they do have to be fluently bilingual (Quebecois) French. Oh, that's the important thing!

      I was dumbfounded when I listened to the broken English of the guy who oversaw the now defunct gun registry database. It was originally going to cost ninety million but turned into hundreds of millions, then into what some estimate to be billions of dollars (approx. 2,000,000,000.00). He admitted he knew nothing of computers - but hey - he was fluently bilingual French, which is all that matters to the Canadian de facto fed. gov't these days. There are only 10 million rifles in Canada, so that's $2000.00 per gun to register them in a database. A database that, it turned out, wasn't really reliable and didn't meet police expectations. So, then it got scrapped. Wow.

      1. drone2903 in Kanuckistant

        Re: Who's to say whether the plaintext matches the cryptoed text?

        @Stephen Battleware

        Yes I am sure that was the problem.

        Not the fact the scope was badly defined by the fed's procuration, changed countless times while the basic system was built, the govt sponsor was replaced after 4 months, the new one (political appointment) rejected everything that was done because he could not understand it, rebaselined on his own definition of what should be delivered and changed the main supplier (and that happened 3 times: new sponsor, baseline and main supplier in 14 months, while the grunts were still developing with the old specs) and the mainframe specs were also modified after delivery (twice).

        Yes, I do have some inside info about that mess, should you ask.

        Merci

        1. This post has been deleted by its author

      2. Pen-y-gors Silver badge

        Re: Who's to say whether the plaintext matches the cryptoed text?

        @Stephen Battleware

        "I was dumbfounded when I listened to the broken English of the guy who oversaw the now defunct gun registry database."

        You may well be right in this specific instance, but ability to speak fluent English is not a pre-requisite for knowing anything about technology, and vice-versa. I suspect many of the top Russian, Chinese and Nork hackers may well be less than fluent in English, but it doesn't impact on their technical skills.

        1. Muscleguy Silver badge

          Re: Who's to say whether the plaintext matches the cryptoed text?

          Exhibit A: All your base are bilong to us!

      3. Hans 1 Silver badge

        Re: Who's to say whether the plaintext matches the cryptoed text?

        @Stephen

        Situation: Bloke employed by gov to set up computer systems does not know how to set them up. Bloke comes from the French-speaking part of the country.

        Your interpretation: Bloke got the job thanks to his fluency in French.

        Well, maybe, maybe not ... there are more than enough highly trained computer professionals that master Canadian French in Canada.

        More like, he got the job because, well, he must be somebody's mate, cousin, neighbour or something ... Shit, read the article again, here we have another guy who does not know what he is talking about ... A gov generally employs the alcoholics or nietsnut (Dutch, google is your friend) that have "connections" and that private enterprise has deemed useless, even for top brass positions.

        1. Anonymous Coward
          Anonymous Coward

          Re: Who's to say whether the plaintext matches the cryptoed text?

          Since fluency in French is a requirement for most such Federal jobs, being educated and trained in the expertise required makes Stephen's interpretation more likely to be correct.

          For non-Canadians, and those many Canadians willfully ignorant of Canada, less than 20% of Canadians are French speaking. Outside of one province French is spoken less than many other languages. Languages in more use by Canadians in other provinces include Chinese languages, German, Tagalog and Punjabi. In BC over 8% speak Chinese fluently or at home, less than 2% speak French.

          Yet it is those few French that hold special status when it comes to federal jobs.

          The Federal Government estimates that more than 40% of positions in the federal public service require French Language skills and increasingly, fluency in French. Bilingualism has become an obvious plan to further concentrate power in the hands of those in the East, particularly those in Quebec and most importantly those French in Ottawa the Federal capital.

          Canada has three branches of government, the Court, the Senate, and the House. Of those only the House is elected; the rest are filled by appointment, most often by a Prime Minister from a single province, you guessed it, French Quebec. The single province of Quebec is disproportionately represented in Federal systems. With 22% of the population, it has 33% of the seats on the Court and is pushing for all other members of the Court to be fluent in French or educated in French. It is an obvious attempt to further concentrate power into the hands of the French Elite in Canada.

          Canada has many languages but one minority language is being used to disenfranchise the majority of bilingual Canadians who are not French.

          Which is why Stephen's observation is far more likely to be correct than any claims suggesting Federal jobs and contracts are awarded based first on ability and second on the applicant being French. Even the Federal government makes it clear that being French is the first requirement, both in the application process and in their many statements on bilingualism in Canada.

          1. TheVogon Silver badge

            Re: Who's to say whether the plaintext matches the cryptoed text?

            "Since fluency in French is a requirement for most such Federal Jobs "

            I expect that will be dropped eventually:

            https://www.youtube.com/watch?v=hawRbECNX8o

  6. Dazed and Confused Silver badge

    what part of end to end doesn't he understand

    > so long as companies can cough up an unencrypted copy of every message, call, photo or other form of communications they handle.

    Ere, the whole point of end to end encryption is that it's encrypted at the sender's end and it's decrypted at the receiving end. Those pesky companies in the middle don't get a look in. That's the whole point.

    1. Adam 1 Silver badge

      Re: what part of end to end doesn't he understand

      --- BEGIN DECRYPTION ---

      Please find attached the latest results of my coin toss hobby. 0=Head, 1=Tails

      00101111011100001101111100010000........

      --- END DECRYPTION ---

      1. Rich 11 Silver badge
        Black Helicopters

        Re: what part of end to end doesn't he understand

        00101111011100001101111100010000

        ...decryption software initialised...

        K I L L T H E M A L L

        "Stand up and place your hands against the wall, citizen."

        1. Sir Runcible Spoon Silver badge
          Coat

          Re: what part of end to end doesn't he understand

          What did The Mall ever do to you?

          1. Adam 1 Silver badge

            Re: what part of end to end doesn't he understand

            Dammit, my evil plans to change the word mall to shops in all signage have been foiled. And I would have gotten away with it if not for you pesky kids.

        2. ThaumaTechnician

          Re: what part of end to end doesn't he understand

          "K I L L T H E M A L L

          "Stand up and place your hands against the wall, citizen." "

          Shouldn't the Mall Cops be taking care of this?

      2. EnviableOne Bronze badge

        Re: what part of end to end doesn't he understand

        love the encrypted byte stream embedded in the message

    2. Field Commander A9

      Re: what part of end to end doesn't he understand

      Technically possible: just make the client covertly CC everything it sends to the mothership.

    3. Hans 1 Silver badge
      Happy

      Re: what part of end to end doesn't he understand

      > Ere, the whole point of end to end encryption is that it's encrypted at the sender's end and it's decrypted at the receiving end. Those pesky companies in the middle don't get a look in. That's the whole point.

      Ere, the whole point of end to end encryption is that it's encrypted at the sender's end and it's decrypted at the receiving end. Those pesky companies in the middle don't get a look in. That WAS the whole point BEFORE.

      TFTFY

      The whole point now is to store some text that idiots will think is the decrypted message, for every encrypted message sent. So, in essence, extracts from "Persian Letters" should do, I think ...

  7. TrumpSlurp the Troll Silver badge
    Facepalm

    One good thing

    Possession of both the encrypted text and the matching plain text should help them work out the encryption key.

    For whatever good that would do them (since they already have the plain text).

    Did he just say that it is fine to lock the front door as long as you leave all the windows open?

    Not the back door, obviously. He knows that would be wrong.

    1. David Knapman

      Re: One good thing

      Modern crypto systems should not be known to be susceptible to Known-Plaintext Attacks.

      https://en.wikipedia.org/wiki/Known-plaintext_attack

      Basically, Plaintext + Ciphertext = Key hasn't been true for a long time.
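A worked illustration of two points raised in this thread: ThaumaTechnician's question of whether a stored "plaintext" can be checked against a ciphertext when every message is encrypted under a fresh nonce, and David Knapman's point that a plaintext/ciphertext pair does not yield the key. This is an added example using Go's standard-library AES-GCM, not code from the article or from any commenter; the key and both messages are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// sampleKey is a constructed demo key; real keys are random and never stored beside the ciphertext.
var sampleKey = []byte("0123456789abcdef0123456789abcdef")

// newGCM wraps an AES block cipher in GCM, an authenticated encryption mode.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under a fresh random nonce, as sound AEAD usage
// requires, so encrypting the same message twice yields different ciphertexts.
func Encrypt(key, plaintext []byte) (nonce, ciphertext []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, nil), nil
}

// Decrypt opens a ciphertext; the GCM tag check rejects any tampered bytes.
func Decrypt(key, nonce, ciphertext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, nil)
}

// ClaimedPlaintextMatches is the only sound check of a stored "plaintext"
// against a ciphertext: decrypt with the key and original nonce, then compare.
func ClaimedPlaintextMatches(key, nonce, ciphertext, claimed []byte) bool {
	pt, err := Decrypt(key, nonce, ciphertext)
	return err == nil && bytes.Equal(pt, claimed)
}

// ReencryptionMatches is the naive check: re-encrypt the claim and compare.
// Because Encrypt draws a fresh nonce it fails even for the genuine plaintext.
func ReencryptionMatches(key, ciphertext, claimed []byte) (bool, error) {
	_, again, err := Encrypt(key, claimed)
	if err != nil {
		return false, err
	}
	return bytes.Equal(again, ciphertext), nil
}

// xorPrefix XORs the first n bytes of a and b, where n is the shorter length.
func xorPrefix(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// KeystreamFromKnownPlaintext shows what a plaintext/ciphertext pair really reveals
// in a counter-mode cipher such as GCM: the keystream for that one nonce, not the key.
func KeystreamFromKnownPlaintext(plaintext, ciphertext []byte) []byte {
	return xorPrefix(plaintext, ciphertext) // GCM tag follows the body, so it is skipped
}

// KeystreamDecryptsOther reports whether a recovered keystream turns another ciphertext
// into its plaintext. With unique nonces it does not, so one pair unlocks nothing else.
func KeystreamDecryptsOther(keystream, otherCiphertext, otherPlaintext []byte) bool {
	guess := xorPrefix(keystream, otherCiphertext)
	return len(guess) >= len(otherPlaintext) && bytes.Equal(guess[:len(otherPlaintext)], otherPlaintext)
}

func main() {
	msg := []byte("meet at the usual place at nine") // constructed sample message
	nonce, ct, _ := Encrypt(sampleKey, msg)
	reenc, _ := ReencryptionMatches(sampleKey, ct, msg)
	fmt.Println("decrypt and compare:", ClaimedPlaintextMatches(sampleKey, nonce, ct, msg))
	fmt.Println("re-encrypt and compare:", reenc)
	other := []byte("a different message, same key") // constructed second message
	_, ct2, _ := Encrypt(sampleKey, other)
	fmt.Println("known pair unlocks other:", KeystreamDecryptsOther(KeystreamFromKnownPlaintext(msg, ct), ct2, other))
}
```

Without the key, nothing in the code above can confirm or refute a stored copy; with it, only decrypt-and-compare works, and the nonce must be kept with the ciphertext for even that.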

      1. Sir Runcible Spoon Silver badge

        Re: One good thing

        Especially if the plain-text is made up :)

    2. Vector

      Re: One good thing

      "Did he just say that it is fine to lock the front door as long as you leave all the windows open?"

      No, what he's really saying is the locksmith must hand over copies of all keys made with annotations as to the location of each lock.

      That is my biggest gripe in all of this. Law enforcement really wants to circumvent due process by serving warrants on the manufacturers and service providers instead of the target of their investigations. Data stored on my device (encrypted or not) is mine and any attempt to access it should come through me!

  8. Ken Moorhouse Silver badge

    He's been talking to Microsoft...

    Dumb bug of the week: Outlook staples your encrypted emails to, er, plaintext copies when sending messages

    https://www.theregister.co.uk/2017/10/11/outlook_smime_bug/

  9. a_yank_lurker Silver badge

    Synonym

    Shyster must be a synonym for idiot. Depending on when the encryption occurs there may never be a plain text version handled by the ISP, etc.

  10. John Smith 19 Gold badge
    Gimp

    Let's be clear. Data fetishists do not give a f**k about your privacy or security

    He may be ignorant.

    He may understand the situation.

    But he does not give a flying f**k as his "Right to know" (Your business) trumps everything else.

  11. dan1980

    "I simply maintain that companies should retain the capability to provide the government unencrypted copies of communications and data stored on devices, when a court orders them to do so."

    So what does this really mean?

    For the moment, let's ignore companies and individuals storing their own information on their own equipment and focus on what these proposals are focussed on: online 'cloud' providers and mobile device/software vendors which store and transmit data on behalf of end users.

    The upshot is that Rosenstein's proposal would prevent such companies from offering real 'zero knowledge' encryption either in transit or at rest.

    Rosenstein (and the rest of the mob around the world) know full well that asking companies to store the plaintext copies is unacceptable and I am sure they know why that is the case. This is not a serious proposal: it is simply a doubling-down on their stance: they demand access to plaintext so if the providers won't agree to facilitate decryption, they must store data in such a way that it doesn't require decryption.

    It is not a clueless attempt at a compromise: it is an ultimatum.

    1. Anonymous Coward
      Anonymous Coward

      Not only do I think you're right, I think it's similar to the reason the UK Government kept harping on about not making end-to-end encryption illegal.

      They weren't making it illegal - they were planning on making end-to-end encryption impractical instead. (i.e. the first time any of the authorities asked for a decrypted version of a message and they couldn't provide it, they'd be prosecuted. Which isn't the same thing as making it illegal)

      1. dan1980

        Absolutely.

        They (all of them) know that there has been - at least this time - enough of a stigma built up around the concept of a 'back door' and at least some education on the utility, necessity and ubiquity of encryption for day-to-day processes.

        Thus, they are reframing the conversation by focusing on discussion of obtaining information legally authorised via a valid warrant. No 'snooping' you see? Nothing nefarious or clandestine. Nothing to abuse or worry about: just familiar, uncontroversial warrants to help catch pedos and terrorists and murderers and drug barons and rapists.

        The public knows warrants - those are the things the trustworthy officers and agents on The Bill or CSI arrive with in the denouement when the forces of good triumph over the villain.

        That's all our governments want: to allow those always upright exemplars of civil service to enforce the law and protect us. But the tech companies don't care about protecting us, you see; they are trying to protect the terrorists and the paedophiles instead!

        Those men and women in blue know who the bad people are and they know what they've done but Apple and Microsoft and the rest won't let them bring the dangerous criminals to justice.

        Our politicians have learnt their lesson. They avoid talking about the process of getting the data they want and instead plead the case of the data itself, claiming agnosticism about the technical issues.

        They are doing an end-run around all the complaints and consequences.

  12. unwarranted triumphalism

    Lots of criminals in here

    Trying to hide something?

    1. Doctor Syntax Silver badge

      Re: Lots of criminals in here

      OK, unwanted triumphalism. Please post here, in plain text, all your banking details: bank name, account number, login credentials, same for any Amazon, eBay, PayPal and any other financial or trading accounts you have. Also, if you log into any work computers, post your login names and passwords. And also for Twatter, Farcebook and anything else.

      After all, you're not a criminal and YOU HAVE NOTHING TO HIDE. But first, go and read the T&Cs of all those accounts and also read up on what the https:// in the forum (inter alia) URL means.

      1. unwarranted triumphalism

        Re: Lots of criminals in here

        My password is hunter2.

        I have nothing to hide, unlike the angry teenage edgelords on the other side of this argument.

        1. Aladdin Sane Silver badge

          Re: Lots of criminals in here

          Cool. Mind if we use that to snoop at the personal messages between you and your significant other? Oh, and all the correspondence between you and your doctor(s)? And your lawyer?

        2. Sir Runcible Spoon Silver badge
          FAIL

          Re: Lots of criminals in here

          unlike the angry teenage edgelords on the other side of this argument

          Must troll harder. C-

          Caring about the future and not wanting it to be full of boots on my face, forever, does not make one an 'edgelord'. Methinks thou doth protest too much.

          PS Assuming that is your real password, which I doubt, you've probably broken this site's T&Cs.

          1. unwarranted triumphalism

            Re: Lots of criminals in here

            > PS Assuming that is your real password, which I doubt, you've probably broken this site's T&Cs.

            http://bash.org/?244321

            Do try and keep up.

            1. Sir Runcible Spoon Silver badge

              Re: Lots of criminals in here

              Oddly enough, the company proxy prevents me getting to that site to see what I'm not keeping up on.

              I'm going to take a wild guess at: not much.

              Edit: With a meme that old is it any wonder I'm not dedicating any memory to it.

        3. Jeffrey Nonken Silver badge

          Re: Lots of criminals in here

          "I have nothing to hide, unlike the angry teenage edgelords on the other side of this argument."

          How about us tired sexagenarian cynics?

          And I don't believe you have nothing to hide.

          1. unwarranted triumphalism

            Re: Lots of criminals in here

            > sexagenarian

            It's an attitude, not necessarily a physical age. Some people refuse to grow up and accept the world as it is.

            1. Doctor Syntax Silver badge

              Re: Lots of criminals in here

              > sexagenarian

              It's an attitude, not necessarily a physical age. Some people refuse to grow up and accept the world as it is.

              Some of us seem to have seen rather more of the world as it is than yourself.

              1. dan1980

                Re: Lots of criminals in here

                Whether you've got something to hide or not really revolves around a big question: "from whom?"

                There is information about me that I am happy for the government to have; it is necessary and I think it helps keep everything working well. They need to know my financial and employment details to assess my tax obligations, for example.

                Likewise my doctor knowing my medical information. It is to my benefit that he knows my medical history (though I strongly believe this should be 100% in the patient's control, should they wish it) and I am likely to get a more accurate diagnosis and more relevant, effective care if I provide it.

                That doesn't mean, however, that I am happy to have any of that information stored in plaintext and (more) vulnerable to being stolen because, while I don't want to "hide" it from those who need it, I most certainly want to "hide" it from spammers and scammers and identity thieves.

                That said, there is PLENTY I want to "hide" from the government because it is, quite simply, absolutely none of their business and I shouldn't have to justify my right to privacy.

            2. mr_souter_Working

              Re: Lots of criminals in here

              "Some people refuse to grow up and accept the world as it is." - sounds like a pretty accurate description of all the government wonks that want bloody idiotic things like secure end to end encryption for users, and plaintext copies of everything those users send/receive.

              1. Aladdin Sane Silver badge

                Re: accept the world as it is

                Why should we? We should with anger and fury as to how the world is, compared to how it should be.

                Tomorrow's World promised me a hover car!

        4. Doctor Syntax Silver badge

          Re: Lots of criminals in here

          "I have nothing to hide"

          You must have given that one password is no information at all. Either that or you make no use of online facilities at all.

          It's also possible that you haven't read the T&Cs of any online services you use because unless they were written by teenagers they'll forbid you from disclosing log-on credentials. Even if you don't see the significance of hiding stuff yourself you'll find yourself contractually bound to hide it nonetheless and bound by people who do see that significance. You will actually be helped in this, in spite of yourself, by the fact that these days any competently provided remote log-in will use an encrypted link.

          Finally, you should reflect that some of us have spent years investigating crimes and really don't see why TPTB should facilitate the commission of crimes by having sensitive material flying around in plaintext. We're also well aware that those who are already intending to break laws are not going to be inconvenienced by being provided with more laws to break when they choose some non-govt-sanctioned communication system.

    2. Aladdin Sane Silver badge

      Re: Trying to hide something

      Yes, things which are nobody else's fucking business.

      1. Sir Runcible Spoon Silver badge

        Re: Trying to hide something

        If only criminals want to hide anything, then can we just send the government directly to jail?

    3. 0laf Silver badge
      Big Brother

      Re: Lots of criminals in here

      My usual questions in reply to that sort of nonsense are -

      Do you have a lock on your bathroom door? Do you have curtains (drapes) or blinds on your home windows?

      Why? What are you doing in there that needs to be covered up?

      If I've a legitimate right to take a shit in peace or walk around my own house bollock naked with the curtain drawn then I've a right to send an electronic letter with some confidence that it won't be opened.

      Police and government have laws and methods to circumvent my bog door and curtains when they have a legitimate interest in doing so. As they do with electronic communications.

      This is just an effort to bypass the checks and balances they have to go through for traditional surveillance, to try to treat electronic as something different.

  13. Keef

    Compression.

    I can compress one paragraph into one word.

    "I simply maintain that companies should retain the capability to provide the government unencrypted copies of communications and data stored on devices, when a court orders them to do so."

    = Fuckwit

    Not sure I'll make much money out of that particular algorithm, but I'm sure it could be worth incorporating into compression systems as it seems to crop up quite frequently.

    1. Anonymous Coward
      Anonymous Coward

      Re: Magic?

      Too many of these requests seem outright impossible... do people realise? But then again, someone convinced everyone to build the Pyramids... so versions of possible, but with great consequences, are still valid. :(

  14. fidodogbreath Silver badge

    "When you are up against the military or intelligence services of a foreign nation-state, you should have our federal government in your corner," he said.

    Yeah, let's get those crack data security experts from IRS and OPM on the case.

  15. gerdesj Silver badge
    Childcatcher

    Metadata -> Data

    So, assuming that agency X request details, only having metadata and approach A: Alice's IP connected to port 25 at Bob's IP and sent a stream of TLS encrypted stuff.

    OK so port 25 should imply email (SMTP) and X gives a precise date and time and A keeps logs and mail archives and keeps precise time.

    There are at least six assumptions in the above short paragraph, each of which needs to be proven to ensure that the data provided really matches the request. I can make the example really complicated without even sweating. I wonder why key escrow or (state sanctioned) direct cracking etc are considered more desirable as routine policy by .gov?

  16. Long John Brass Silver badge
    Big Brother

    OFFS

    "I simply maintain that companies should retain the capability to provide the government unencrypted copies of communications and data stored on devices, when a court orders them to do so."
    When passed through google translate
    I want a pony, I want a pony ... waaaaaaaaaa ... I want a pony
    I think it's time to seriously re-frame this debate for the average meat sack in the street; Something that they will understand.
    Deputy Attorney General Rod Rosenstein, US Deputy Voyeur, demands that the US govt is granted even more powers to peek into the bedrooms of all citizens, to record everything going on and keep those recordings forever.

    1. This post has been deleted by its author

    2. Adam 1 Silver badge

      Re: OFFS

      Wow. I hadn't realised just how far Google translate had come. Impressive.

    3. Yet Another Anonymous coward Silver badge

      Re: OFFS

      Not the US govt: he wants the authorities to have the plain text.

      So if the message goes through a cable in international waters - every govt gets a copy.

      The Russians, the Cubans, the Iranians, the Belgians ....

  17. veti Silver badge

    Let's look at that quote again:

    "I simply maintain that companies should retain the capability to provide the government unencrypted copies of communications and data stored on devices, when a court orders them to do so."

    I don't see any demand there to store the plaintext. Merely "the capability" to produce plaintext on demand. I.e. the encryption key.

    A lot depends on what he means by "companies". If he's talking about ISPs or hosting companies, then - yes, he's an idiot and we've made only slight progress. But if he simply means that if an employee of "XYZ Inc", acting in their official capacity and using company channels, sends an encrypted email, then a court should be able to demand a decrypted version from the company - that doesn't seem unreasonable to me.

    1. dan1980

      @veti

      That's the problem - he is OF COURSE talking about (and specifically about) hosting companies and ISPs and also mobile vendors and developers.

      That has always been the focus: the data transmitted, hosted and controlled by these third parties. It's never been about the data stored on a random person's home laptop or a corporation's e-mail server.

      Accessing that data requires the authorities to actually approach the owner of the data because the owner controls where and how it is stored.

      Accessing data a user stores in Dropbox or Gmail is different, however, in that this data may, in theory, be accessed remotely without the knowledge of the subject. It can be collected en masse and sifted for relevance post hoc.

      THIS is what they want and has more in common with 'tapping a phone' than executing a search warrant. With a search warrant, the authorities have to actually go and obtain the data (or at least the hardware) physically, while tapping a phone allows them to eavesdrop on - to spy on - the target without their knowledge.

      What these agencies are asking for is actually even MORE than tapping a phone because the stored data and communications of the digital world are frequently historic and so one can sift through for previous wrong-doings.

      Will this help them catch criminals and threats? Quite possibly. Is it proportionate? I don't believe so. It's open to MASSIVE abuse, MASSIVE oversteps and puts EVERYONE - man woman and child - at significant risk due to the inevitability of weaknesses in process, technology and execution, not to mention the weakness inherent in those in charge of it all.

      If the justification is that it will make everyone a bit safer from the terropedos then why stop there? Install cameras and microphones in everyone's houses and cars and offices, all fed back to the government.

      1. Hans 1 Silver badge
        Facepalm

        @dan1980

        It can be collected en masse and sifted for relevance post hoc.

        It is collected en masse and sifted for relevance post hoc.

        TFTFY

      2. Anonymous Coward
        Anonymous Coward

        too late

        They already have microphones in your home; they are called mobile phones. Unless you have a Samsung/Philips TV, in which case they can watch you silently on the webcam in the TV; car/offices ditto, mobile phone car kits. It's funny in a way that the tin hats were right all along; what's funnier is that wrapping said phone in said tin hat will prevent the monitoring, at least online. Nothing to stop them from monitoring and recording to said device until the device is back online to upload its goodies. Perhaps we need to start installing analogue switches on webcams/microphones, not some software mechanism that can be covertly enabled but a physical switch to disconnect said microphone or webcam. Then just for good measure scrap Windows 10, total privacy abortion that it is.

    2. Marcus Fil

      @veti

      Uh, except that companies have rules about ageing out old data (emails etc.) to prevent future embarrassment in court and excessive ongoing storage costs.

      Perhaps the answer is for companies to offer governments an encrypted 'cc' of all traffic, but retain the relevant keys until they see the court order. That way the governments get the bill for working out how to store and retrieve an eye-watering daily deluge of corporate 'HR' messages, dull telecons, bad jokes, links to cat videos, etc., etc., etc. and then match their 'intelligence' with the right source at the right time to ask, nicely and legally and very specifically, for the right key. Here, Mr Fed, have your monkey back ... and I wonder how long you'll keep it once you know how much it costs to feed and water.

  18. Winkypop Silver badge
    Facepalm

    Just like the school bully

    Thick, but determined.

    1. Rich 11 Silver badge

      Re: Just like the school bully

      And, unfortunately, considerably bigger than you.

      That's why he knows he'll win in the end. All this started with Poindexter's TIA, and regardless of the Snowden revelations they're still trying to get that TIA. They're not going to stop trying.

  19. mark l 2 Silver badge

    Perhaps the post office should be required to open every envelope and parcel and take a photograph of the contents before delivering them to the recipient as well just in case criminals use snail mail for criminal activity.

    1. jimdandy
      Windows

      Wait - you mean the PO doesn't already do that? Along with FedEx, UPS and the rest?

      I just assumed that the late mail deliveries and opened packages were part of the service...

      1. Rich 11 Silver badge

        I like the way they try to frame your neighbour by planting evidence on him, eg chucking a parcel over the wrong hedge and classing it as a delivery.

    2. Anonymous Coward
      Anonymous Coward

      also too late

      They already X-ray mail and can read the contents of the mail based on the inks; most emit infrared or ultraviolet light via secondary emissions under the right conditions, say the right scanner.

  20. Christian Berger Silver badge

    What a wonderful diversion...

    ... let's all argue about encryption done by proprietary systems to divert from the much more real threat of "metadata".

    The contents of a phone call or a text message are relatively hard to process, and even simple measures like using code words can make the job much harder.

    "Metadata" is much more valuable as it is easy to process by computers. You can easily find out the graphs of interaction and therefore find out social networks.
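    As an added illustration (not part of the comment above or the article), here is how little work it takes to turn bare call-detail records into an interaction graph and pull out the social groupings and the hub contact; the records are constructed sample data.

    ```python
    from collections import defaultdict

    # Constructed call-detail records: caller, callee, seconds. No content at all,
    # only metadata of the kind the comment refers to.
    SAMPLE_CDR = """\
    +15550001,+15550002,120
    +15550002,+15550003,45
    +15550001,+15550003,300
    +15550001,+15550006,10
    +15550004,+15550005,30
    +15550005,+15550004,15
    """


    def parse_cdr(text):
        """Return a list of (caller, callee, seconds) tuples from CSV-style records."""
        edges = []
        for line in text.strip().splitlines():
            a, b, secs = (field.strip() for field in line.split(","))
            edges.append((a, b, int(secs)))
        return edges


    def interaction_graph(edges):
        """Undirected weighted graph: total seconds spoken between each pair of numbers."""
        graph = defaultdict(lambda: defaultdict(int))
        for a, b, secs in edges:
            graph[a][b] += secs
            graph[b][a] += secs
        return graph


    def communities(graph):
        """Connected components, i.e. the separate social circles visible in the metadata."""
        seen, groups = set(), []
        for start in graph:
            if start in seen:
                continue
            stack, group = [start], set()
            while stack:
                node = stack.pop()
                if node in group:
                    continue
                group.add(node)
                stack.extend(graph[node])
            seen |= group
            groups.append(frozenset(group))
        return groups


    def hub(graph):
        """The number with the most distinct contacts, the natural first target of any analyst."""
        return max(graph, key=lambda node: len(graph[node]))
    ```
    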

  21. Anonymous Coward
    Anonymous Coward

    Meanwhile the bad guys are chattering away in plaintext

    but no one's looking.

    After all, that stupid Amazon review where the reviewer wasted precious screen space complaining about the delivery driver rather than the product in question may have been an irritation to you.

    But to Mischa, Pavel, and Abdul, it was confirmation that the goods are in place.

  22. 0laf Silver badge
    Mushroom

    Maybe we should just give the government everything. Every event, every keystroke, every opened file and every change in the file. I wonder how much data your average desktop would produce; now scale that up to every PC, laptop, tablet, phone, IoT device in the country plus every server, router, switch etc.

    Now turn that data fire hose at the government and see how they like it.

    1. Hans 1 Silver badge
      Facepalm

      Now turn that data fire hose at the government and see how they like it.

      They'll love it, RedHat, Suse, Ubuntu, HP, Dell, Lenovo etc will love it also, remember, since gov functions on "tax dollars" (unlimited supply), money TAX PAYERS pay, they will just purchase the required hardware to process the data ... so your income tax (among others) will grow exponentially.

    2. spellucci

      I tried to start a movement once of everyone printing out the call detail records from our phone records and sending them to the NSA so they would have hard copy, and lots of it, but I didn't get very far.

  23. Doctor Syntax Silver badge

    "Many cyberattacks are directed by foreign governments. When you are up against the military or intelligence services of a foreign nation-state, you should have our federal government in your corner,"

    I am not a US citizen or resident. The federal government is a foreign government as far as I'm concerned*. For me this is a cyberattack by a foreign nation-state.

    Freudian slip? I typed cynerattack.

    *This is probably a very difficult concept for any US politician or government lawyer to understand as they don't seem to be aware of their own borders except when they want everywhere in the US to be within 100 miles of them

  24. sitta_europea

    I think I'll just send my plans for world domination by the postal service, using the complete works of Shakespeare as a one-time pad. Something about Dunsinane.

    1. Anonymous South African Coward Silver badge

      Brain, is that you? Pinky's been looking all over for you, says he's found the original works of Shakespeare.

  25. Big_Boomer

    Agreed

    Agreed, and will be implemented as soon as all government departments including the NSA, MI5, etc. all agree to do the same and to have those unencrypted files available via subpoena to all possible litigants. Oh, don't like that idea? Well, neither do we. Suck on that one!

  26. Anonymous Coward
    Anonymous Coward

    At least us Saffers have one up on the rest of you yoofs, yobs, curmudgels, gherkins and tsar bombas - our details were recently published on a leaked database. Fun.

    So.

    Who's up to write a nice piece of code that'll convert your plaintext copy into goatse art? I'm sure they'll appreciate it a lot as they'll rifle through plaintext copies of your email trying to find out whether you really shagged the Boss's secretary...

  27. Anonymous Coward
    Anonymous Coward

    Say, who has got the source code of Back Orifice? Update it and send it off on its merry way.

  28. gnasher729 Silver badge

    Here is a suggestion: Companies could store this information with breakable encryption. Here’s the message, here’s the code that can decrypt it on some cloud servers at a cost of $250,000. Per message.

    So the government can read messages from terrorists if they want to, but all their money wouldn't be enough to just read all the spam that I receive.
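    One way to build the "breakable encryption" the comment proposes, as an added example that is neither the commenter's nor the article's: the message is encrypted under a random key, and the key is published with its low bits withheld, so reading it costs a known number of trial decryptions. The SHA-256 counter-mode keystream is a constructed toy (a real deployment would use a standard AEAD) and the withheld-bit counts are assumptions.

    ```python
    import hashlib
    import hmac
    import secrets


    def _keystream(key, n):
        """Toy keystream: SHA-256 over key||counter (constructed for this example only)."""
        out, ctr = b"", 0
        while len(out) < n:
            out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
            ctr += 1
        return out[:n]


    def worst_case_trials(withheld_bits):
        """Upper bound on trial decryptions needed: the 'price per message'."""
        return 1 << withheld_bits


    def seal(plaintext, withheld_bits):
        """Encrypt under a fresh 256-bit key; publish the key with its low bits cleared.
        The HMAC tag lets whoever does the search recognise the correct key."""
        key = secrets.token_bytes(32)
        ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
        tag = hmac.new(key, ct, hashlib.sha256).digest()
        key_int = int.from_bytes(key, "big")
        partial = (key_int >> withheld_bits) << withheld_bits  # zero the withheld bits
        return {"ct": ct, "tag": tag, "partial_key": partial.to_bytes(32, "big"),
                "withheld_bits": withheld_bits}


    def open_by_search(box):
        """Recover the plaintext by brute-forcing the withheld bits.
        Returns (plaintext, trials_used); work grows as 2**withheld_bits."""
        base = int.from_bytes(box["partial_key"], "big")
        for guess in range(worst_case_trials(box["withheld_bits"])):
            key = (base | guess).to_bytes(32, "big")
            candidate_tag = hmac.new(key, box["ct"], hashlib.sha256).digest()
            if hmac.compare_digest(candidate_tag, box["tag"]):
                n = len(box["ct"])
                pt = bytes(a ^ b for a, b in zip(box["ct"], _keystream(key, n)))
                return pt, guess + 1
        raise ValueError("no key candidate matched the tag")
    ```

    Withholding 12 bits makes each message cost up to 4096 HMAC checks; every extra withheld bit doubles the bill, which is how the per-message price would be tuned.
    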

  29. Walter Bishop Silver badge
    Facepalm

    Ransomware infected computers

    "the FBI warned him ransomware infects more than 100,000 computers a day around the world"

    Let's blame the Google App Store :)

  30. Alistair Silver badge
    Windows

    Key phrase.

    When law enforcement understands the details of an attack ......

    "When Hell Freezes over?"

  31. Walter Bishop Silver badge
    Big Brother

    CEOs reluctant to report hacking attacks

    "He said that some CEOs had told him that they were reluctant to report hacking attacks to the authorities."

    Mr. Rosenstein doesn't appear to be aware of this. Historically such incidents would have been reported to a Computer Emergency Response Team (CERT), run out of some university. At least it was until Homeland Security got involved. I mean, what's the point of reporting hacking incidents to the Feds? They can't even protect their own stuff.

  32. spellucci
    Facepalm

    Dear Mr. Rosenstein

    Here is what I wrote to Mr. Rosenstein today.

    Dear Deputy Attorney General Rosenstein,

    You made an important case for public/private partnership in your remarks to the 2017 North American International Cyber Summit. At the end of your remarks, however, you undermined the credibility of your message by asserting, without proof, that it is possible to have strong encryption that is both secure and available to law enforcement, and that the challenges involved are simply engineering ones.

    I was taught in school that ignorance of the law is no excuse. Likewise, ignorance of the fundamentals of encryption does not excuse the fallacy in the both-secure-and-available claim. If authorized individuals can access an encrypted message, then so can unauthorized individuals. Please do not set policy based on the false assumption that this issue can be somehow worked around by engineering. This is not an engineering problem and does not have an engineering solution.

  33. elgarak1

    I said it before: Mr. Rosenstein is in denial of the true state of things.

    Here's the fact: Anyone can encrypt their own files with (practically) unbreakable encryption. The tools are out there, sometimes built in OSs, and even if they weren't, the math and algorithms are out there to be used (one can self-teach enough coding in short time. It's not that hard).

    What this means is that one CANNOT catch criminals that are smart enough more easily by outlawing encryption – i.e., the planners, the masterminds, the ones who run the show behind the scenes, the ones who you want to catch.

    Because you cannot make "encryption" a criminal act on the same level as the criminal acts those people want to hide – murder, terrorism, child porn etc. To illegally encrypt will always be the lesser crime compared to anything else.

    For us non-criminals, these attempts at stupid lawmaking are easy to fight: Encrypt the hell out of everything. Even the most trivial piece of data.

  34. Ken Mitchell

    Good for the Goose, Good for the Gander

    I support Rosenstein's proposal with two amendments.

    1. Only to be used for terrorism or national defense issues. MANDATORY 10 years in prison for any government official who abuses this.

    2. ALL government officials are subject to the same surveillance in order to detect and deter government corruption.

  35. sloshnmosh

    Blah Blah

    "Rosenstein prefaced his suggestions with dire warnings about the effects of online crime. Since January 1 last year, there has been an average of 4,000 ransomware "attacks" a day, up 300 per cent on the previous year, he claimed, and said the FBI warned him ransomware infects more than 100,000 computers a day around the world.

    In other scary news, Rosenstein warned that botnets – commandeered internet-of-things devices – could end up crashing large chunks of the internet. Speaking of crashing, he also warned that hackers could launch devastating attacks against autonomous cars that could leave passengers injured or killed."

    He forgot to mention:

    Terrorist safe haven Blah Blah

    Think of the children Blah Blah

    We're all going to die Blah Blah

    (I shamelessly stole this comment from another El Reg member on another thread because it fit so well)
