US Government Will Not Force Companies To Decode Encrypted Data... For Now (washingtonpost.com)
Mark Wilson writes: The Obama administration has announced it will not require companies to decrypt encrypted messages for law enforcement agencies. This is being hailed as a "partial victory" by the Electronic Frontier Foundation; partial because, as reported by the Washington Post, the government "will not — for now — call for [such] legislation." This means companies will not be forced to build backdoors into their products, but there is no guarantee it won't happen further down the line. The government wants to continue talks with the technology industry to find a solution, but leaving things in limbo for the time being will create a sense of unease on both sides of the debate.
The EFF has also compiled a report showing where the major tech companies stand on encryption.
Let's be very clear, the moment they require the ability to get into my device is the moment I encrypt everything and everything with user space tools you don't have access to.
Get your PostgreSQL here: http://www.commandprompt.com/
Encryption is either secure, or it's not. And no-one wants to use insecure encryption.
Isn't every single possible state of affairs currently in existence, by definition, "for now"?
Why the unnecessary qualifier?
We accept for now there is public pushback against our planned fascism, for now we will back off on this, but in the future we reserve the right to proceed further with the fascism.
I'm sorry, but if the US government is essentially just saying "fascism is only temporarily on hold", the US is already fucked.
You have nothing to fear if you have nothing to hide; give us your papers please, comrade.
Lost at C:>. Found at C.
Based on the track record of this administration, this means they are pushing full speed ahead on weak and backdoored encryption, but want the spotlight taken off of it. This will probably be a "SURPRISE" executive order.
The pattern for Obama-- and many other politicians-- is this:
1. Voice opposition to X.
2. Announce s/he will engage in discussion with Y, which is a group that is clearly in favor of X.
3. Come back months to years later, claiming s/he doesn't see any reason why X can't be implemented.
4. If Congress doesn't implement it, reminds us s/he has a phone and a pen, and mostly implements it through executive regulation and taxation.
5. Bonus step for Obama: if you oppose X, you're now racist/prejudiced even though you agreed with Obama at step 1.
Gamingmuseum.com: Give your 3D accelerator a rest.
I had all the hash keys printed out in this paper file.
Hmm.
Dang, guess it's missing.
-- Tigger warning: This post may contain tiggers! --
And two former DIRNSAs agree.
So does ADM Rogers -- except that every interpretation of various US officials' arguments on encryption wildly conflates multiple issues (such as domestic law enforcement, which can and does sometimes have a foreign intelligence connection, and foreign signals intelligence purposes), or utterly misunderstands the purpose, function, and targets of foreign intelligence.
Yes, I know you (not OP, the "royal you") think you know it all, because you have taken things you think of as "proof" utterly out-of-context with zero understanding about things like how foreign SIGINT actually works, and have seen 3-4 unrelated pieces of a 1000 piece puzzle, with some of those pieces actually parts of different puzzles, and believe you have the full picture.
People continually and willfully seem to want to forget or ignore that actual, no-shit foreign intelligence targets also -- gasp! -- use things like iPhones, Gmail, Hotmail, WhatsApp, and so on. And, when foreign intelligence targets use these modes of communication, amazingly, we actually want to target them.
If you're an American (or frankly, any innocent person) anywhere in the world who isn't an active member of a foreign terrorist organization or an agent of a foreign power, the Intelligence Community DOES NOT CARE ABOUT and actually DOES NOT WANT your data. Sounds crazy and bizarre for foreign intelligence agencies to care about things like foreign intelligence, I know, but it's true. Weird!
I guess it's easier to believe that functioning democracies* all are constantly looking for ways to illegally spy on their own citizens who have done nothing wrong, rather than to believe that intelligence work in the digital age where the only distinction is no longer the physical location or even the technology used, but simply the target -- the person at the other end, is actually extremely complicated, and not fun.
* If you don't think the Western liberal democracies of the world are worth a shit, or laugh at the term "functioning democracies" when used in reference to the US, warts and all, that simply means you have lost all perspective of reality, and are part of the problem. And it will be to our peril, because there actually are governments in the world who do spy on their own citizens, and wherein the people don't have anywhere NEAR the level of freedoms we have, no matter how terrible you think we are. And guess what? It's our national security and intelligence apparatus that we use to defend ourselves. If you're now so jaded that you don't actually believe the US and its allies, and their principles, are something worth defending and fighting for, then everything I have said here means nothing to you anyway. Just be advised that your perception of history and reality is fatally skewed.
The Obama administration has announced it will not require companies to decrypt encrypted messages for law enforcement agencies.
Translation: Because the ones that are important to us already have backdoors.
I guess this works in the same way as the University of Woolamaloo's Rule 2?
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Encryption is either secure, or it's not. And no-one wants to use insecure encryption.
Not really. Encryption becomes more secure or more reliably secure as you do more correct things to it--extend key length, salt hashes where used, audit code, improve algorithms, etc... and less secure as other changes are made: faster machines, better algorithms, backdoors, quantum computing, etc...
Nobody wants and few educated people trust the government to read their mail or *preserve the security* of a backdoor, so it gets more resistance in tech circles.
Painting it as black and white is a useful communications tool, but also largely wrong--kind of like the government's position of "you can trust us to do this right!"
"Adobe has not built ‘backdoors’ for any government—foreign or domestic—into our products or services."
Wrong. Adobe has built *lots* of backdoors - for government and others. Just not on purpose.
I actually looked at the report that a link was supplied to (sorry, I know that isn't usually done around here). All I can take from it is that everyone reported on is trying to play nice. If I were to believe it, even Microsoft. It is interesting to see the names that are not mentioned (such as Cisco and Google). But I was expecting a much more open and honest report from EFF. Both to name the bad actors and to point out where companies who make blanket statements about their embracing of user privacy may not be living up to those statements. Just quoting what nice things some companies want to say about themselves is not a "report".
I'm an American. I love this country and the freedoms that we used to have.
What exactly is the problem[sic] they're trying to solve?
Twinstiq, game news
I'd use a Chinese encryption system with a back door before I'd use an American one with a back door. Simply put Chinese laws have no jurisdiction where I live and American laws do. That being said, I'd prefer that China read my email over America. I think that the govt. realizes this. Hypothetically speaking, if you were an American and you could pick that either the Chinese or American govt. could decrypt your email that shows tax cheating, which one would you prefer have access?
The last I heard there was a pen register standing order in effect for ALL cell phone metadata for all the major US carriers. It was only recently renewed in September. Unless there was an active exception for "Dave Schroeder, NSA apologist" I would say your argument falls apart. If they "DOES NOT WANT" my data, maybe they shouldn't be asking for it. Or retroactively changing laws to make what was illegal when it was secret, to be legal now that everyone knows.
Phone calls fine, but my location when I made that call? Because I certainly did not provide that to any third party.
Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
Thing is, I don't trust the intelligence agencies. We know that some LOVEINT was going on at the NSA, but not how much (I'm not naive enough to think that the problem was accurately reported). We know that the FBI has infiltrated perfectly innocent organizations, so the three-letter entities aren't limiting themselves to the probable guilty.
Also, if there's a backdoor the government can use, there's a backdoor that someone else can discover and use against me.
As far as WWII codebreakers go, I seem to remember they were cracking Japanese, German, and Italian cryptosystems. Not US or UK.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
This may have been true at one time. Since the USA PATRIOT Act, with its relaxation on sharing of information between intelligence and law enforcement agencies, it is no longer true if it ever was. We have intelligence information used for drug busts, and then that fact covered up through "parallel construction". That pretty much blows your claim out of the water. This is not individual abuse; this is official practice.
Now any time I hear about a criminal caught due to an "anonymous tip" or through some supposed routine process, I have to wonder -- is that really a story invented to cover up the use of intelligence data for law enforcement purposes? And some of the time, it will be.
Actually, with triangulation, you probably did. Albeit not willfully or knowingly for most people.
Do not misconstrue this as my accepting or advocating these policies of data collection. I do not like them, not one bit. I'm simply responding to point out that you probably did, in fact, provide that information even if you didn't want to. GPS data may even be appended - I don't know. If it is then they should make that clear as I am sure there are situations where you're not actually able to be triangulated such as in my home area where there are only two towers and, further out, but a single tower within reach.
"So long and thanks for all the fish."
Suppose they had decided the other way. Just what company would have been required to crack GnuPG? The Coca Cola company? Chevrolet? The New York Times? Point guns at whatever innocent peoples' faces that you want to, and you're still not going to magically give them the ability to bruteforce AES.
Now suppose they approach someone (again, with gun in hand: "obey me or else I will murder you") and ordered them to produce a fork of GnuPG with a backdoor. Ok, that might work. But what incentive does everyone have, to use that fork? You can produce all the crippled crapware that you want, but even the people who bother to install it, just do it by mistake.
The issue isn't going to be revisited; it's a permanent victory because there's no reasonably plausible way that things can go any other way.
"Believe me!" -- Donald Trump
I see you're trying to make a funny. Would you like some help with that?
"So long and thanks for all the fish."
So, practically speaking, what does that mean? If we're all in agreement that the intelligence community doesn't want access to my data, but they do want the tools to be able to read the data of foreigners who use the same types of systems I use, some practical problems fall out of that:
1) It means that anybody who isn't a member of the US Intelligence Community who does want my data would likely have access to it through the same channels.
2) I have only the assurances of a group of people who are not particularly transparent that they aren't accessing my data anyway.
An interesting anagram of "BANACH TARSKI" is "BANACH TARSKI BANACH TARSKI"
Yeah, and guess what?
Smith v Maryland (1979) says that phone call records, as "business records" provided to a third party, do not have an expectation of privacy, and are not covered by the Fourth Amendment. And the only data within that haystack that we care about are the foreign intelligence needles. I know that's difficult to comprehend, but it's the law of the land, unless and until SCOTUS reverses that ruling. And they very well may.
Until that happens, "We're pretty aggressive within the law. As a professional, I'm troubled if I'm not using the full authority allowed by law." -- General Michael Hayden
And when the full authority of the law is insufficient to do whatever they want, they will search until they find a creative lawyer to offer a legal opinion to redefine what the law really means and justify whatever they want to do. http://www.newyorker.com/magaz...
You might also want to update your sources, Mr. apologist. The 2nd U.S. Circuit Court of Appeals ruled the law overseeing data collection could not be interpreted to have permitted the NSA to collect a "staggering" amount of phone records, contrary to claims by the Bush and Obama administrations. Lucky for them, Congress amended the law, moving the goalposts in mid game.
https://www.aclu.org/legal-doc...
Hopefully, you will find this as easy to comprehend as the Smith v Maryland case. And before you start wiping the brown off your nose and begin frothing at the mouth with another justification, I know it hasn't made it to the Supreme Court yet. Hopefully, you noticed Governor Jerry Brown signed the California Electronic Communications Privacy Act law yesterday. That should give you a clue that you are on the wrong side of this issue.
Reading the linked list of "company policies", I found a few snakes in the grass. Before anyone jumps and yells "You can't draw conclusions just because they're being vague!"... YES I can, yes I will, and yes I should. These are major company policy announcements and an opportunity to add significant value to a company's products. If they're being vague here, they're hiding something or they are profoundly stupid. BOTH are good reasons not to do business with them.
Adobe
Adobe has not built 'backdoors' for any government—foreign or domestic—into our products or services.
And thank you very much for that. Although you really don't have that much data on me or any of my information...
Amazon
we oppose legislation mandating or prohibiting security or encryption technologies that would have the effect of weakening the security of products, systems, or services our customers use, whether they be individual consumers or business customers.
Um.... why didn't you have anything to say about whether or not you have back doors? Oh, probably something to do with that gag order. ok then.
Apple
We also refuse to add a backdoor into any of our products because that undermines the protections we've built in. And we can't unlock your device for anyone because you hold the key — your unique password. We're committed to using powerful encryption because you should know the data on your device and the information you share with others is protected.
YEAH! That's how you do it. The article author loved that response.
Well said, just what I wanted to hear from you. You're only doing what you legally have to, and aren't just forking my data over to anyone that flashes a badge.
Dropbox
Governments should never install backdoors into online services or compromise infrastructure to obtain user data. We'll continue to work to protect our systems and to change laws to make it clear that this type of activity is illegal.
In other words, we've already given in to the government and have installed back doors, but we're trying to find a legal way to get rid of them.
Microsoft
As we have said before, there are times when law enforcement authorities need to access data to protect the public. However, that access should be governed by the rule of law, and not by mandating backdoors or weakening the security of our products and services used by millions of law-abiding customers. This should concern all of us.
Ditto. We're already doing it to you, but trust us, we don't like doing it, and neither should you.
Pinterest
Pinterest opposes compelled back doors and supports reforms to limit bulk surveillance requests.
Are we seeing a trend yet?
Slack
Slack opposes government-mandated "back-doors" of any kind but particularly a government-mandated requirement that would compromise data security.
Yes we've heard that from several of you now. I'd really rather hear about your actions than your words.
Snapchat
Privacy and security are core values here at Snapchat and we strongly oppose any initiative that would deliberately weaken the security of our systems.
So do we. Which is why we don't want to do business with you either.
Sonic
Finally, we are stating for the record our position regarding compelled inclusion of back doors, deliberate security weaknesses or disclosure of encryption keys. Sonic does not support these practices.
Um, the government doesn't care WHAT you do or don't support. They tell you to do it and you either take them to court or you say "yes, massa, right away, massa". Looks like another silver-tongued cop-out.
OK this is getting repetitive. Here's the rest:
Tumblr ... urg
Wickr
Wordpress
Yahoo
We'll fight the laws that allow them to do so,
We
I work for the Department of Redundancy Department.
It would be nice, but once you build in the weakness that allows the government to do this, you can't keep anyone else from exploiting the same weakness.
"Cursed is he who rises early in the morning..." Isaiah 5:11