US Efforts To Regulate Encryption Have Been Flawed, Government Report Finds (theguardian.com)
An anonymous reader writes from a report via The Guardian: U.S. Republican congressional staff said in a report released Wednesday that previous efforts to regulate privacy technology were flawed and that lawmakers need to learn more about technology before trying to regulate it. The 25-page white paper is entitled Going Dark, Going Forward: A Primer on the Encryption Debate and it does not provide any solution to the encryption fight. However, it is notable for its criticism of other lawmakers who have tried to legislate their way out of the encryption debate. It also sets a new starting point for Congress as it mulls whether to legislate on encryption during the Clinton or Trump administration. "Lawmakers need to develop a far deeper understanding of this complex issue before they attempt a legislative fix," the committee staff wrote in their report. The committee calls for more dialogue on the topic and for more interviews with experts, even though they claim to have already held more than 100 such briefings, some of which are classified. The report says in the first line that public interest in encryption has surged once it was revealed that terrorists behind the Paris and San Bernardino attacks "used encrypted communications to evade detection." Congressman Ted Lieu is pushing the federal government to treat ransomware attacks on medical facilities as data breaches and require notifications of patients.
Stop insisting on unbreakable encryption. You're just helping terrorists and criminals while you hurt Americans. If you dorks didn't have anything illegal to hide, you wouldn't use unbreakable encryption. And no, I'm not worried about identity theft. I use Lifelock and, therefore, am immune from this.
If legislators ever bothered to try and understand anything before passing laws about it, government as we know it would cease to exist.
Please Slashdot editors, stop with the cross-story promotion. It makes sense if the two stories are directly related, not when the two stories hang in the same genre.
Apple CEO Tim Cook, along with executives from Google and Facebook, have argued that if Washington starts ordering them to build universal key features into their encryption software, it will create vulnerabilities that both the “good guys” (western governments, in this case) and “bad guys” (other governments and hackers) can exploit.
Sadly, the lines are a little more blurry than this.
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
If "not knowing enough about something to make that kind of decision" is any indicator as to whether you should or should not make a decision, congress can't really make a lot of laws anymore.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
So does this mean that they will stop trying to demonize encryption now? Or are they going to look to explain key escrow to the general public and mandate that? I find that a lot of the general public doesn't understand encryption and believe it is possible to have crypto that can only be broken by the government. Then there is the comment, you don't know what kind of computers the NSA has so they can probably break it. I do wonder if the report mentions that they shouldn't announce their plans like they did when the FBI or CIA said it would take a major attack where encryption was used before they could get people to give up strong encryption and then a while later (weeks maybe a couple of months) there was the Paris terror attacks and there was tons of coverage on the terrorists using encryption. Then there was the stupid iPhone incident where the government screwed the pooch at every turn.
Time to offend someone
Once the FBI started subverting TOR (developed by the Naval Research Lab to promote FREEDOM), hacking people's computers without warrants and demanding user data from ISPs without warrants, the US became a bad internet citizen and a de facto rogue state.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
U.S. Republican congressional staff said in a report released Wednesday that previous efforts to regulate privacy technology were flawed and that lawmakers need to learn more about technology before trying to regulate it.
*Republicans* are creating and authorizing the publication of reports critical of government-mandated encryption 'backdoors'?
We keep being lectured by those on the Left that the Democrats are the ones that protect the "regular Joe" and the Republicans are the ones that want to crush the rights/privacy of the "regular Joe".
This is unpossible!
Strat
Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
"Going Dark, Going Forward: A Primer on the Encryption Debate and it does not provide any solution to the encryption fight" is a bit long for a title, isn't it?
Some perspective, people; we've had encryption in use for over 40 years, and the actual amount of people using it to escape prosecution is almost none. Furthermore, if we put in a backdoor, it's inevitably going to be discovered by the rest of the world, and we will wind up with a situation where anybody in the world can read traffic made by American citizens, but they can't read the rest of the world's. How does it improve national security if the US's banking details are all in plaintext while the rest of the world's isn't? Not only doesn't it improve it, but it dramatically weakens it - if the US really winds up in a war against China or Russia or whatever, and they've figured out the secret, they can effectively spy on any data in the US, read any file. We all know there's no way people are going to upgrade after, so how exciting will it be when the entire infrastructure is easily hackable and no citizen's data will be secure?
Second off, I'd like to point out this isn't going to yield us much benefit. If criminals can't communicate securely with computers, then they'll... use encryption anyway. If they constantly switch WiFi hot spots, use different computers and phones, only send brief messages, and use it for dead drops when they're not around, they have absolutely no possible risk, and the data remains unreadable anyways. And if even that is somehow, magically and impossibly, fixed, then they'll simply do it the old fashioned way; rely on (physical) coded messages, talk person to person, or use stenography or other measures to evade detection. They'll still successfully escape oversight, and it'll be even easier because now they'll be needles in a 300 million pound haystack.
Finally, let's consider the kind of data they're after. They're probably going to want messages, personal videos, etc. from people - stuff that's actual communication. If the data is not stored on the phone, or the phone is destroyed, then... where is it? I know that I don't send the same email back and forth to a person for 30 days, and if neither of us have a copy, there'll be none left anyways. Oh sure, maybe the server you say, but if we assume a criminal or spy willing to use advanced encryption, why exactly wouldn't they securely delete their messages after they've been read? We did it with burning papers, and once that message is gone, it's gone, encryption or not. Unless, of course, you propose to store every single message, video, and photograph that crosses US internet lines, and that is impossible with how much data there is. Also, how much crime is committed with just the internet? Law enforcement has access to criminal records, on-scene evidence, bank records, security footage, witnesses, talking to family, and all manners of power; why would this hamper them? If the criminal is caught with his face bare on a security cam, he's convicted; if a spy blatantly and repeatedly does erratic things and snoops around, he's going to be caught also. Every country did it perfectly fine back in the 80's. Computers are (theoretically) a nice thing to have for this sort of purpose, but they don't contribute that much in the grand scheme. They simply make the inevitable a little quicker.
In short, we have absolutely nothing to gain really, unless you want to go after the 2 or 3 people who used it, and we have the world to lose; people will lose confidence in our IT market, businesses will move to a place where they can store encrypted data legally, the US will become completely unsafe for sensitive records, the government can easily turn into an Orwellian totalitarian state, all of our information becomes accessible to an enemy in the event of a war, and everybody who's smart will find loopholes around this provision anyway. We are going to suffer if we ban encryption or require it to have a backdoor, we are going to suffer a lot, and if you've seen the results of humanity's past, irrational fear and hatred tend to produce pretty poor choices.
"Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
Why not a moratorium on laws? Require a current law to drop for every new law passed? I'm only half joking here. Seriously, how long can we go on passing new laws every day of every year until every human activity is either against the law, or mandated by law? Freedom loses all meaning. We're essentially approaching an era of legal "whitelist" tyranny; all actions implicitly denied except those mandated. Then, just in order to live our lives we'll always be in violation of some laws, and "the law" will have no meaning beyond a pretext for enforcing political control.
Below the article it says:
Congressman Ted Lieu is pushing the federal government to treat ransomware attacks on medical facilities as data breaches and require notifications of patients.
What has that got to do with this story? I believe that belongs to the previous one: https://yro.slashdot.org/story/16/06/30/0340220/congressman-wants-ransomware-attacks-to-trigger-breach-notifications. I think it's not the first misplacement I saw today. Something wrong with the content generator?
I've never understood why the restrictions on exporting encryption outside the US. That seems to operate under the premise that non-Americans are unable to develop their own cryptography...which is certainly not the case. Can anyone explain why the US government tried to govern something that is inherently ungovernable?
You make it sound like those two choices are mutually exclusive.
But but but ... there ought to be a law!
We must do something, this is something, therefore we MUST DO IT!!!!
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
> "public interest in encryption has surged"
Yup. But my gut feeling is that it hasn't been because
> "terrorists behind the Paris and San Bernardino attacks "used encrypted communications to evade detection"
since they mainly didn't, at least in any way which anyone locking their smartphone doesn't also use. Didn't this surge start with Snowden's revelations?
I could very well be wrong. Remember that this is the same kind of public which, on the day after a referendum on leaving the EU, made the second most popular search on Google "What is the EU"....
The Paris attackers did NOT use encryption!
They used burner phones.
The TLA's just tried to use encryption as the reason why their spy machines didn't detect squat, and to try to force new encryption laws down people's throats.
There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
I only read the introduction and the seven conclusions so far, but this actually reads like a document that recognizes both sides of the issue, privacy versus legitimate needs of law enforcement. While I strongly lean towards privacy should win every time and twice on Sunday and would love to see a report that recognizes the reality that trading a little privacy is like trying to be a little pregnant, I'm actually heartened by the level of genuine intelligence that seems to have gone into this report. It is not just, "OMG! We're goings dark! Force government backdoors now!"
CAPTCHA: congress :)
previous efforts to regulate privacy technology were flawed and that lawmakers need to learn more about technology
Translation: we need to spend yet even more tax money so that we can expand our power over the people yet again.
...lawmakers need to learn more about technology before trying to regulate it...
With congress members already struggling to understand basic science issues such as the age of the earth and AGW, something like cryptography lies largely and forever out of their grasp...
No.
The story here is that anything behind closed doors does not represent the will of the people, and ignorance is no excuse.
Roll your own encryption, share it only with friends.
Use it to pass encrypted copies of banned books, how-to-books, and amateur novels...
Send these encrypted things to members of congress...
Make them come and ASK for the keys.
Then explain why they have to ask.
They're too busy raising funds for their next election. Their staff reads the bills and tells them which way to vote. They consider the voters retards who deserve every anal rape they dish out to us.
If they can't be bothered to read the bills they vote on, do you honestly expect them to study the issues and author meaningful bills that actually do something useful for the voters (and not their largest campaign fund contributors)? Hello?
ELOI, ELOI, LAMA SABACHTHANI!?
That would be for the good of the people then.
There are two types of people in the world: Those who crave closure
Good luck regulating math, morons.
And I was cognizant of that risk, which is why I put the "appropriate checks and balances" at the end.
The financial industry is an excellent example of why subject matter experts cannot be the sole determinant in such things. In that case, it's more like self-regulation than perhaps any other. However, as I was typing that, I was thinking about scientists; who for all their empirical work and impartial judgement, are still just human beings as flawed as the rest of us. Motivations must always be a concern.
I'm sorry, but your opinion seems to be wrong.
The link supporting the assertion that terrorists behind the Paris and San Bernardino attacks "used encrypted communications to evade detection." is not supported by the linked article. In the first place, the article is only about San Bernardino, not Paris. Second, it only says that authorities were trying to get access to encrypted data. In the San Bernardino case, there was encrypted data because the iPhone encrypts by default but there was no evidence released that the encrypted data contained anything relevant to the case. No article is linked about Paris. My understanding there was that French officials basically said that the terrorists must have encrypted their communication because they didn't detect anything. They offered no proof that encryption had been used. The assertion was like the one in San Bernardino - the suspects had used some encryption in the course of their regular use of technology, as most people do, but there was no definite statement that the encrypted communication had actually been used to plot attacks. Ars Technica reports no evidence of encryption being used.
lawmakers need to learn more about technology before trying to regulate it.
Translation: We need to fire these idiots and elect lawmakers that know more about the things they intend to regulate
Dear Congress,
Please make an attempt to understand the way the modern world works before you attempt to control it through legislation.
(Oh, while we're at it, please at least READ the GD legislation before voting on it. No more of the "We have to pass it to know what's in it" BS.)
We would all sincerely appreciate it.
Hugs and kisses-
Teh Peoples
I'd already be happy if laws had to be reviewed every couple years. Every other year a law has to stand the test of time whether it is still necessary.
What do you say? We have so many laws that this is unfeasible? Well, maybe it's time to get rid of a few that are outdated and useless.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Why not a moratorium on laws? Require a current law to drop for every new law passed?
Unfortunately that would just lead to longer "omnibus" laws. To be effective we would need to limit the total content of the laws, including anything included by reference, not just the number of laws. (For example, the FCC/FAA/FDA/etc. might still come up with the actual regulations but they couldn't take effect until approved by Congress as a replacement for some existing set of laws of equal or greater length.)
I would actually go a bit further and say that as we have far too many laws and regulations already, the rule should be that Congress must repeal at least two units of existing law for every one unit that they pass. We can consider changing that rule to 1:1 replacement at such time as the entire legal code is compact enough to be taught effectively and in full to a typical child by the time they graduate high school such that they can predict with reasonable confidence and accuracy how it will be applied to specific cases.
"The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
I am not clear what you mean by this. Are you referring to secret communication or anonymous communication or both? Encryption works to provide the former and the latter is possible though not common; you can secretly communicate anonymously via NNTP for instance although that does not hide that you may be doing so.
"Their wire" = ISP, that single point of failure that will always answer to government demands for tracing, censoring, etc. Yes, the capability of both anonymous and encrypted communication is the goal. That cannot happen under the present circumstances. Until we build a robust ad hoc peer to peer network and dump the DHCP and DNS server/client model, we have no way to circumvent them yet.
“He’s not deformed, he’s just drunk!”
"Their wire" = ISP, that single point of failure that will always answer to government demands for tracing, censoring, etc. Yes, the capability of both anonymous and encrypted communication is the goal. That cannot happen under the present circumstances. Until we build a robust ad hoc peer to peer network and dump the DHCP and DNS server/client model, we have no way to circumvent them yet.
Well, I just pointed out how both anonymous and encrypted communication can be achieved despite cooperation of the ISP with the government short of blocking unapproved communications. The former costs a lot more bandwidth but is achievable. The latter is trivial. Both of course are subject to exploits depending on the implementation but that will be the case for anything.
The above is one of the reasons I do not care as much about the protections provided by the 4th amendment and any other rights; the government is going to lie anyway and do what it pleases.
The properly implemented technological measures will ensure privacy despite government actions. If this prevents otherwise lawful interception, well, then it is too bad the government continued to abuse its powers. This point was brought up by one of the NSA working groups who pointed out that discovery of unlawful mass surveillance would result in a backlash and encourage the adoption of ubiquitous encryption to the detriment of lawful interception. Well, guess what? They were right. It happened.