Obama Administration Explored Ways To Bypass Smartphone Encryption

An anonymous reader writes: According to a story at The Washington Post, an Obama Administration working group considered four backdoors that tech companies could adopt to allow the government to break encrypted communications stored on phones of suspected terrorists or criminals. The group concluded that the solutions were "technically feasible," but they group feared blowback. "Any proposed solution almost certainly would quickly become a focal point for attacks. Rather than sparking more discussion, government-proposed technical approaches would almost certainly be perceived as proposals to introduce 'backdoors' or vulnerabilities in technology products and services and increase tensions rather [than] build cooperation," said the unclassified memo. You can read the draft paper on technical options here.

I predict the future of a government API

[DigiShaman]

So what will happen is this: The US Government will mandate all phones be PRISM compliant, or at the least have the master encryption key to the data. Apple, and perhaps Google if I recall, took an engineering route to make it physically impossible to respond to an FBI request. Primarily because Apple doesn't want the liability, and secondly it costs money to staff an entire department of warm bodies to fulfill said requests.

Now comes the fun part. China is basically mandating that the top Silicon Valley CEOs fly to China and agree working with the government at backdoor access to all user accounts and data with regards to its own citizens. The US, as does EU and Australia want something similar. At some point, there will be a treaty among all major nations to mandate a Government API written into all software and cloud based services. This way, each Government can plug right into the application layer and pull data upon request.

Welcome to a period of darkness!!!!!

Re:I predict the future of a government API

[rahvin112]

The paper covers this with a caveat that most encryption software is open source, freely available and has no central authority that can be compelled. The result of this is that even is some key recovery system is mandated users could simply encrypt their own data underneath the compromised encryption and render the device inaccessible and defeat the entire purpose of the law and international accords.

This caveat is actually on the first page of the document as a "technological limitation".

One of the "example" solutions

[rahvin112]

One of the example solutions in the document is to force the device provider to update the device with a malicious update the decrypts the device. Talk about a way to encourage people to allow the device update to run! They even acknowledge this. It's quite humorous, people should read it. The paper discusses how even if a solution is implemented device owners could simply layer their own encryption on and make all data inaccessible. So if that's the case, exactly what is the point in the paper or the working group? They acknowledge right at the start that whatever you propose could easily be defeated by the consumer simply encrypting things themselves. So if the entire thing is technologically unfeasible why on earth would you even study it?

The one thing I haven't seen covered in the paper at all is that IF the US were to implement these requirements that all business involved in encryption would simply move off shore and destroy a thriving US business ecosystem. The paper's assumption is that any US developed protocol would then be exported world wide. This is profoundly illogical on many fronts. There would be numerous countries that would simply not participate in some US encryption compromising ring.

Re:Obama is All About Transparency!

[ClickOnThis]

Read TFS again. They explored the idea, and then abandoned it.

And now we know about it. You were saying something about transparency?

practically true. Interesting theory $10 million b

[raymorris]

For purposes of making policy, we should absolutely assume that if the government can get in, so can the bad guys. (Ignoring the fact that sometimes the government IS the bad guys).

Having said that, it's an interesting intellectual exercise to consider that's not NECESSARILY true. For example, each year the encryption could be increased with a longer key, such that at any given time it costs about $1 million in computer time to decrypt a phone. The government could easily spend a million, or ten million, to decrypt Bin Laden's laptop, but nobody is going to spend a million or ten million to decrypt yours or mine.

I'm not suggesting that's actually a good idea in terms of policy , just an interesting puzzle to think about.

Also, years ago we thought it was impossible for you and, who have never met before, to publicly post messages to each other in such a way that nobody else could decrypt them - without ever talking privately to share an encryption key. Now, we use Diffie-Hellman every day to do exactly that, as part of https. We thought it was impossible to share a secret on a public forum (or network) without everyone else on the forum being able to read the secret, but we were wrong. Diffie and Hellman invented a way. Theoretically, it's entirely possible to invent something that allows access only to authorized individuals, with a public audit trail. We haven't invented it yet. Block chains like Bitcoin uses suggest that encryption can be tied to a publicly accessible log, so we know whose data they decrypted, or at least how many they did.