US Politicians tell DEF CON it'll take Congress ages to sort out how to regulate crypto It’s going to be at least a year or so, and probably a lot longer, before the United States Congress gets around to ruling on the second war on encryption, two members of the US House of Representatives told the DEF CON event. Alex Stamos, chief security officer (CSO) of Facebook, hosted a panel with Representatives Eric …
This post has been deleted by its author
Congress already has the power to regulate interstate commerce, and most data traveling over the internet is interstate. Even for stuff that isn't like say an iMessage conversation with someone across town, while the actual text of your conversation is point to point and may not cross state lines, each of your phones can only find each other to begin the conversation thanks to Apple's servers.
Even if this conversation happened in California, they could be doing maintenance on their servers there and you connect to the new datacenter in North Carolina instead. The courts have always given congress very wide latitude in what is considered "interstate" commerce, so I don't think the legality of regulating just about every possible use of encryption to communicate with someone by almost any electronic means would be a problem for the government.
The issue for those wanting regulation isn't that encryption can't be regulated, it is that congress has chosen not to act. Which basically means they can't agree on the correct course of action. Some would probably support making it illegal to use any form of encryption the government couldn't break, others would want a law specifically barring the FBI from doing what they tried to do to Apple, and the majority would be at various points in between.
The government tried with Clipper in the 90s, which was fortunately shot down, and lucky for us no one thought to try to do this in the panic of all the bad legislation post 9/11 like the Patriot ACT. I guess we're fortunate that encryption was used so infrequently at the time that the illegal warrantless wiretapping was able to get enough to keep them satisfied.
Backdoors do not solve the problem the doughnut eaters and their shyster cronies in the DAs office need: real evidence of a crime. At best, good intelligence can help them focus on more likely threats and monitor the activities of known criminals. But at some point they need to get of the doughnut shop and pound the pavement for real evidence. Electronic communications, even still encrypted, can tell one a lot about who is talking to whom and when; the command and control structure. Monitoring the ebb and flow of communications can give clues as to where and approximately when something is going to happen.
Backdoors are a panacea for the lazy and incompetent.
Agreed, there should always be real evidence, not just a phone's contents (which could be planted if the phone is hacked or insecure by default). In Scotland there has always been (I'm simplifying a bit, and this might change though..) a requirement for corroborating evidence, i.e. a second aspect that is necessary for a trial to proceed, let alone to secure a conviction.
The problem with asking a policeman what they want is they will ask for whatever makes their job easier. That is basic human nature. And given most of them are honestly trying to solve crimes, they usually dismiss suggestions it can and will be misused because they (i.e. the one you are asking) is not planning on doing that.
Sadly though not all police are honest and trustworthy and once politicians are involved you are dealing with a proverbial moral slime-pit of self interest and dodgy dealings, and of course there are criminals out there as well.
That is why I am in favour of decent end-to-end encryption by default, everywhere, because you just can't trust people, of any profession or any reputation, to not fuck up deliberately or unintentionally and use whatever powers they have wrongly. They can already get the metadata of who talked to who, etc, and that should be enough for a proper investigation of the suspects in the old way of getting out there and gathering physical evidence.
@Paul - I remember watching a true crime story about an armed robbery gone bad in the in the 70s. The rookie detective tracked down were an item of evidence had been sold and went to the store. The store owner remembered the sale and let him look through the sales receipts. The sales receipts were literally in show boxes and he to sort through and check each paper receipt. It took a few hours and he found the receipt with the perps name and address on it. The detective noted that to do good police work you have literally follow the leads and being willing to dig through piles of extraneous stuff. True in then and even true now.
"That is why I am in favour of decent end-to-end encryption by default, everywhere, because you just can't trust people, of any profession or any reputation, to not fuck up deliberately or unintentionally and use whatever powers they have wrongly."
The only problem is that a DTA attitude is basically an anarchist attitude. Trust is required for civilization to function, yet you claim you can't trust anyone enough to let it happen.
"Trust is only required between private citizens within the culture, NOT between the citizens and their government."
Um, people within the government COME from the private citizens within the culture. Plus consider the web factor. Trusting someone also implies trusting everyone that person knows, INCLUDING the people you DON'T know. That's what makes Facebook so insidious. Even if you never personally go on it, if someone you know starts posting info on you, which in turn allows other people to make connections to you, there goes your privacy!
It's basically all or nothing.
"Trust is required for civilization to function, yet you claim you can't trust anyone enough to let it happen."
Indeed it is, but we have seen over and over again that we can't trust anyone really. Take Dundee City council as an example, they spend far, far more on surveillance than any other (and bigger) councils in Scotland:
https://theferret.scot/scottish-councils-critcised-surveillance-failings/
So while closing schools and having serious crimes like drug-dealing, etc, to worry about, they are allegedly diverting resources to spying for petty neighbourly disputes over garden use, etc.
article said: "had to take into account the needs of law enforcement to track suspects and bring them to justice."
and you said:"Backdoors are a panacea for the lazy and incompetent."
EXACTLY! *REAL* police work does NOT need a "back door". You know, the "old fashioned" kind, like photos, surveilance in public areas, yotta yotta, plus "get a warrant" types of stuff.
If Con-Grab had EVER argued that they wanted SKELETON/MASTER KEYS for EVERY LOCK, so they *might* be able to collect locked up evidence on bad guys, they'd have been laughed *AND* voted out of office. Yet, in our modern 'generation of [p-word referring to CATS]' (as Mr. Eastwood might say), filled with clueless 4" content consumers that wouldn't understand the difference between symmetric and asymmetric encryption, this "back door" idea is either being brushed off as 'nothing', or is even DESIRED, with the mistaken concept that "it's for our own good" or something...
Consider the 'master key' problem with airline luggage - what was it called again? The master keys have been published for 3D printers, rendering the locks *WORTHLESS*. Same for crypto, if it ever gets a BACK DOOR. And *ONLY* the BAD GUYS will have REAL need of them.
besides, what's to stop BAD GUYS from using home-grown no-back-door encryption, when the rest of us HONEST people have been left with flawed "back door" encryption only? It's just SILLY to think law breakers will obey any encryption standard requirements.
"besides, what's to stop BAD GUYS from using home-grown no-back-door encryption, when the rest of us HONEST people have been left with flawed "back door" encryption only?"
The fact that GOOD, hard-to-crack encryption is in fact HARD, with the knowledge to do it right pretty limited, actually. Most homebrews are in fact quite flawed and easily negotiated by cryptanalysts.
Random noise into a pair of TB-class SSDs. A lifetime supply of one-time pad for text communications.
Yes, there's the secure shipping problem. But that's hardly insurmountable for the sorts of nasty folks that the authorities are after. They can ship the SSD back, sealed, via the same network that brought in tonnes of drugs. Agreed, one-time pads are not suitable for online shopping. So?
Hopeless. Might as well get over it.
You are missing the point - we don't generally need "unbreakable" encryption, just hard enough to make mass surveillance impossibly expensive, and difficult enough so that targeted use has to be prioritised to serious crime.
Sure if you are a state whistle-blower then you may need something better, but if it takes the courts £5k and several weeks of disassembling to get the contents of a phone they will start to use that power sparingly.
AC, spot-on!
A pragmatic view of protection of information leads to the position that "protection needs to be good enough to ensure a reasonable semblance of privacy, while simultaneously not requiring backdoors or keys lodged with government/other 3rd parties".
Making casual (read "lazy") interrogation of protected information too expensive for use as a default cop-out strikes me as making quite a lot of sense.
As one ot two others have commented, if you truly are An Evil Genius Bent On World Domination, you will give the Feds the slip one way or another ... and if you are a lesser grade of the same, the Feds will be able to nail you in any event. Probably.
Sorry ... my bit turned in to a mini-ramble, but as said at the start AC, your comment is spot-on!
"You are missing the point - we don't generally need "unbreakable" encryption, just hard enough to make mass surveillance impossibly expensive, and difficult enough so that targeted use has to be prioritised to serious crime."
But the thing is encryption is in the end useless because we can't decrypt the stuff in our brains (if we did, we'd be in Ghost in the Shell territory). And since the stuff MUST be decrypted at some point to use, the plods will simply target points "outside the envelope".
Sure the plods will simply target points "outside the envelope" but that takes significant effort to do so. For example hacking a phone, or installing listening devices in cars, etc.
All are possible and known spy/surveillance technologies and I don't worry too much about that because it is expensive and time-consuming to do, that alone means it has to be targeted at important stuff. A far cry from the abuse of easily intercepted stuff we see done by spy agencies, councils, border control, etc, etc.
"All are possible and known spy/surveillance technologies and I don't worry too much about that because it is expensive and time-consuming to do, that alone means it has to be targeted at important stuff."
No, the costs are FALLING because it's a whole lot easier than investing vast computing power into cracking encryption algorithms. That's a job best left to sovereign powers for whom money is less an object.
We don't trust them and that's the problem and why on earth should we given their behaviour to date?
Fight them at every turn.
Just look all at the times they've gagged people/organisations from telling the horrible truth about their indiscretions, crimes, suppressed and pressured the press to save their asses from public ridicule and worse.
From a Brit point of view, Cyril Smith and Jimmy Saville springs to mind.
Consider North Korea, Russia, Turkey, several sub-Sahara countries and many others.
The population demonstrably cannot trust these governments to act in their best interest, because they are either corrupt or dictatorships - perhaps both.
Once a thing is done it cannot be easily undone. Perhaps you trust the entirety of the current US Government. Perhaps you believe, despite all the incontrovertible evidence to the contrary, 100% of them are absolutely perfect and would never, ever under any circumstances do anything whatsoever to make any innocent person's life difficult in any way.
How long can that situation last? What if a lunatic with a bad toupee became President? What if a power-mad guy became director of an intelligence agency?
Unless you can be certain that there will never, ever, under any circumstances, for the entire future history of the USA be anyone who would ever be tempted to abuse such powers, you cannot ever allow these powers to exist.
"f you don't trust government, you don't trust ANYONE and that makes you an anarchist..."
And what is wrong with that? Experience tells us that you should never take on trust anything anyone tells you. Especially politicians with hidden ulterior motives.
I.E. Feathering their own nest at someone else's expense
Amen to that. What's wrong with having a bit of anarchy in you? Oh wait.. you won't follow orders, show your papers, and salute properly. Or maybe it's cheer with sufficient exuberance during speeches....
Sorry, I didn't spend 4 years in the Marines and time in a combat zone to willingly give up my rights, nor to let others give up theirs. I agree with Hurd, that law enforcement really needs to focus on the actual investigation standards. Not some pie in the sky magic wand of watching everyone and everything. If government can get to the actual data, so can the bad guys.
"I agree with Hurd, that law enforcement really needs to focus on the actual investigation standards."
Oh? Even the best investigations turn cold pretty damn often, which is why most police have pretty sizable Cold Case divisions. Most of them will remain cold forever unless one tiny little thing appears to warm it up again. In such a world, you're trying to glean the slightest signal from the static, and that requires A LOT of grist to mill.
"And what is wrong with that? Experience tells us that you should never take on trust anything anyone tells you. Especially politicians with hidden ulterior motives."
Because in the long-term it's either-or: we constantly gravitate towards one or the other end. You're either under the thumb of the police state or stuck in the maelstrom of fighting tooth and nail every waking minute.
If you don't trust government, you don't trust ANYONE and that makes you an anarchist...
Even setting aside the flawed logic, you say that like it's a bad thing to be an anarchist.
You may need a refresher on political theory. Including your own politics, if it has any allowance whatsoever for freedom of expression.
It IS a bad thing. It's against human instinct. Routine is comfortable. Anarchy makes that practically impossible because you're now in Law of the Jungle mode: constantly living with the Sword of Damocles over your head. I'm pretty sure you've seen enough wild animal shows to see how that works...
PS. As for Freedom of expression, Facebook, Twitter and the like tell me that it can be pretty dangerous: in fact damn near close to an existential threat because it's somewhat akin to letting all the sheep have a vote but a disguised, charismatic wolf is in the mix. Frankly, the greatest threat to modern civilization are a mob of stupid people with the vote.
"...you don't trust ANYONE and that makes you an anarchist..."
"People should not be afraid of their governments. Governments should be afraid of the people"
- V for Vendetta
Or, if you prefer:
"When the people fear their government, there is tyranny; when the government fears the people, there is liberty."
- Thomas Jefferson
"...introduce protectionist policies that are hurting American companies..."
Or it could be the Europeans are trying to protect the privacy of their citizens from the free for all that seems to be the attitude in the US to other people's private data.
Just because Europeans are "protectionist" doesn't make them anti competition. Just a bit more careful of what the likes of Google and MS hoover up for their own benefit.
I do not look forward the the attitude of the British government now we are about to lose the protection of the EU from such data grabs.
There are good arguments against encryption laws of any kind. However, bashing law enforcement officers/agents isn't the way to make a point. It's a lazy and childish means of crying. It sure doesn't make people take you seriously.
You'd like to think most people who comment here don't interject emotion, but rather are smart enough
to look at this logically and objectively. Unfortunately, this isn't the case... apparently.
If you believe those who investigate crimes (and these aren't your street cops, duh), are merely always pinning their hopes on electronic means of evidence, then you're the lazy one. Too lazy to actually realize what needs to be done in order to bring a case to a prosecutor.
...and if you think you can do a better job, that the law enforcement community is so battered, broken and riddled with corruption... join up, show everyone how it's done.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
