Slashdot Mirror

← Back to Stories (view on slashdot.org)

US Efforts To Regulate Encryption Have Been Flawed, Government Report Finds (theguardian.com)

Posted by BeauHD on from the click-here-to-learn-more dept.

An anonymous reader writes from a report via The Guardian: U.S. Republican congressional staff said in a report released Wednesday that previous efforts to regulate privacy technology were flawed and that lawmakers need to learn more about technology before trying to regulate it. The 25-page white paper is entitled Going Dark, Going Forward: A Primer on the Encryption Debate and it does not provide any solution to the encryption fight. However, it is notable for its criticism of other lawmakers who have tried to legislate their way out of the encryption debate. It also sets a new starting point for Congress as it mulls whether to legislate on encryption during the Clinton or Trump administration. "Lawmakers need to develop a far deeper understanding of this complex issue before they attempt a legislative fix," the committee staff wrote in their report. The committee calls for more dialogue on the topic and for more interviews with experts, even though they claim to have already held more than 100 such briefings, some of which are classified. The report says in the first line that public interest in encryption has surged once it was revealed that terrorists behind the Paris and San Bernardino attacks "used encrypted communications to evade detection." Congressman Ted Lieu is pushing the federal government to treat ransomware attacks on medical facilities as data breaches and require notifications of patients.

36 of 110 comments (clear)

  1. FUCK YOU DORKS by Anonymous Coward · · Score: 5, Funny

    Stop insisting on unbreakable encryption. You're just helping terrorists and criminals while you hurt Americans. If you dorks didn't have anything illegal to hide, you wouldn't use unbreakable encryption. And no, I'm not worried about identity theft. I use Lifelock and, therefore, am immune from this.

    1. Re:FUCK YOU DORKS by Ronin+Developer · · Score: 2

      Lifelock? Immune? Mod the parent to +5 funny.

    2. Re:FUCK YOU DORKS by Ihlosi · · Score: 3, Insightful
      Stop insisting on unbreakable encryption

      No one wants unbreakable encryption. We just want encryption to work like copyright - it's completely breakable on a completely impractical timescale (heat death of the universe + 2 billion years should be ok).

    3. Re:FUCK YOU DORKS by Anonymous Coward · · Score: 3, Funny

      You damn encryption fanatics. Copyright is only death + 75 years, and the copyright of large corporations is far more important than your personal information. So we should compromise, heat death of the universe + 10 years.

      Think of the children!

    4. Re:FUCK YOU DORKS by NatasRevol · · Score: 2

      I'm pretty sure most anyone in government disagrees with this line of thought.

      Most individuals, however, don't.

      --
      There are two types of people in the world: Those who crave closure
    5. Re:FUCK YOU DORKS by Salgak1 · · Score: 2

      Actually, back in the (the 1980s) we used portable hard drives, called "Data Transfer Unit Cartridges", or "DTUC", to hold navigational data in B-52 Bombers. No clue on the capacity, but when we pulled a bird off alert, we did EXACTLY that: Overwrite with zeros, then random characters. 10 cycles of this. At that point, the DTUC was considered clean enough of highly classified data, that it could be removed from the secure perimeter, and sent off to the Bomb/Nav shop.

      If it was good enough for SAC in 1985, it should be good for America. . . .and elsewhere. . . in 2016. . . .

  2. Develop a far deeper understanding by RabidReindeer · · Score: 5, Insightful

    If legislators ever bothered to try and understand anything before passing laws about it, government as we know it would cease to exist.

    1. Re:Develop a far deeper understanding by pr0t0 · · Score: 3, Interesting

      "lawmakers need to learn more about [insert topic] before trying to regulate it"

      I was going to type up a lengthy missive on how unsurprised, yet blind with rage I am about the above phrase. But I just do not care any more. I have no faith left in the U.S. government, and at my age, I will not waste the time on meaningless scorn. Congress can bicker back and forth on whether plants crave electrolytes all they want.

      Perhaps some very distant day, hundreds or thousands of years in the future, we (as a species) will have some system of government where experts in their field are the ones who decide how best to regulate that field, with appropriate checks and balances in place of course.

      --
      I'm sorry, but your opinion seems to be wrong.
    2. Re:Develop a far deeper understanding by PopeRatzo · · Score: 5, Insightful

      we (as a species) will have some system of government where experts in their field are the ones who decide how best to regulate that field

      That's what we have in the financial industry now. Almost all of our financial regulations have been written by people who make their living in the field.

      Don't assume that expertise means caring what's best for society. It just means you know what's best for you. Technocracy can be an express train to dystopia.

      --
      You are welcome on my lawn.
  3. Cross-advertising by LichtSpektren · · Score: 4, Insightful

    Please Slashdot editors, stop with the cross-story promotion. It makes sense if the two stories are directly related, not when the two stories hang in the same genre.

  4. FTA: by rmdingler · · Score: 2, Insightful

    Apple CEO Tim Cook, along with executives from Google and Facebook, have argued that if Washington starts ordering them to build universal key features into their encryption software, it will create vulnerabilities that both the “good guys” (western governments, in this case) and “bad guys” (other governments and hackers) can exploit.

    Sadly, the lines are a little more blurry than this.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

    1. Re:FTA: by Jason+Levine · · Score: 5, Informative

      They are more blurry than "Western Governments are good guys/other governments and hackers are bad guys", but the overall point is that even if you COULD trust all western governments to never abuse their encryption backdoor (a huge assumption), the mere presence of a backdoor would lead to hackers exploiting it. And, walking back the assumption, let's say you (for some reason) trust the current administration with an encryption backdoor. Do you trust the next one with it? What about the one after that? How long until an administration comes along that abuses the backdoor (whether Nixon-Whitewater level abuse or slowly encroaching on what is acceptable abuse)?

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    2. Re:FTA: by nine-times · · Score: 3, Insightful

      the mere presence of a backdoor would lead to hackers exploiting it.

      Well, it would lead to hackers exploiting the encryption used by regular, law abiding people. Criminals and terrorists could still encrypt things with other schemes that don't include a back door.

    3. Re:FTA: by Jason+Levine · · Score: 2

      That's the other reason this debate is pointless. Even if the US government could, tomorrow, declare all non-backdoored encryption illegal AND every company complied immediately (a turn of events that would make me looking for airborne S. Domesticus), there would still be open-source, non-backdoored encryption hosted in other countries. How would the US force all websites in every country into backdooring all of their encryption? And why wouldn't any hypothetical terrorist use this non-backdoored encryption instead of using the official, US Government approved encryption?

      The people that are in favor of US government backdoors in encryption either don't know how encryption works or are merely making a power play. Or both.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  5. Re:Classifed? Well, there's your problem by Opportunist · · Score: 2

    If "not knowing enough about something to make that kind of decision" is any indicator as to whether you should or should not make a decision, congress can't really make a lot of laws anymore.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. right hand doesn't know what the left hand is doin by Thud457 · · Score: 5, Informative

    Once the FBI started subverting TOR (developed by the Naval Research Lab to promote FREEDOM), hacking people's computers without warrents and demanding user data from ISPs without warrants, the US became a bad internet citizen and a de facto rogue state.

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  7. Title by Yvan256 · · Score: 3, Funny

    The 25-page white paper is entitled Going Dark, Going Forward: A Primer on the Encryption Debate and it does not provide any solution to the encryption fight.

    "Going Dark, Going Forward: A Primer on the Encryption Debate and it does not provide any solution to the encryption fight" is a bit long for a title, isn't it?

  8. I'd like to... by EmeraldBot · · Score: 4, Insightful

    Some perspective, people; we've had encryption in use for over 40 years, and the actual amount of people using it to escape prosecution is almost none. Furthermore, if we put in a backdoor, it's inevitably going to be discovered by the rest of the world, and we will wind up with a situation where anybody in the world can read traffic made by American citizens, but they can't read the rest of the worlds. How does it improve national security if the US's banking details are all in plaintext while the rest of the world's isn't? Not only doesn't it improve it, but it dramatically weakens it - if the US really winds up in a war against China or Russia or whatever, and they've figured out the secret, they can effectively spy on any data in the US, read any file. We all know there's no way people are going to upgrade after, so how exciting will it be when the entire infrastructure is easily hackable and no citizen's data will be secure?

    Second off, I'd like to point out this isn't going to yield us much benefit. If criminals can't communicate securely with computers, then they'll... use encryption anyway. If they constantly switch WiFi hot spots, use different computers and phones, only send brief messages, and use it for dead drops when they're not around, they have absolutely no possible risk, and the data remains unreadable anyways. And if even that is somehow, magically and impossibly, fixed, then they'll simply do it the old fashioned way; rely on (physical) coded messages, talk person to person, or use stenography or other measures to evade detection. They'll still successfully escape oversight, and it'll be even easier because now they'll be needles in a 300 million pound haystack.

    Finally, let's consider the kind of data they're after. They're probably going to want messages, personal videos, etc. from people - stuff that's actual communication. If the data is not stored on the phone, or the phone is destroyed, then... where is it? I know that I don't send the same email back and forth to a person for 30 days, and if neither of us have a copy, there'll be non-left anyways. Oh sure, maybe the server you say, but if we assume a criminal or spy willing to use advanced encryption, why exactly wouldn't they securely delete their messages after they've been read? We did it with burning papers, and once that message is gone, it's gone, encryption or not. Unless, of course, you propose to store every single message, video, and photograph that crosses US internet lines, and that is impossible with how much data there is. Also, how much crime is committed with just the internet? Law enforcement has access to criminal records, on seen evidence, bank records, security footage, witnesses, talking to family, and all manners of power; why would this hamper them? If the criminal is caught with his face bare on a security cam, we's convicted; if a spy blatantly and repeatedly does erratic things and snoops around, he's going to be caught also. Every country did it perfectly fine back in the 80's. Computers are (theoretically) a nice thing to have for this sort of purpose, but they don't contribute that much in the grand scheme. They simply make the inevitable a little quicker.

    In short, we have absolutely nothing to gain really, unless you want to go after the 2 or 3 people who used it, and we have the world to lose; people will lose confidence in our IT market, businesses will move to a place where they can store encrypted data legally, the US will become completely unsafe for sensitive records, the government can easily turn into an Orwellian tolitarian state, all of our information becomes accessible to an enemy in the event of a war, and everybody who's smart will find loopholes around this provision anyway. We are going to suffer if we ban encryption or require it to have a backdoor, we are going to suffer a lot, and if you've seen the results of humanity's past, irrational fear and hatred tend to produce pretty poor choices.

    --
    "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
    1. Re:I'd like to... by h4ck7h3p14n37 · · Score: 5, Informative

      Some perspective, people; we've had encryption in use for over 40 years, and the actual amount of people using it to escape prosecution is almost none.

      Encryption has been around for much longer than 40 years!

      "The earliest known text containing components of cryptography originates in the Egyptian town Menet Khufu on the tomb of nobleman Khnumhotep II nearly 4,000 years ago."
      -- "Past, Present, and Future Methods of Cryptography ", http://www.eng.utah.edu/~nmcdo...

    2. Re:I'd like to... by StormReaver · · Score: 4, Insightful

      ...lots of reasoned arguments clipped...

      None of that matters. Not one bit. You are making the wrong arguments, regardless of how logical and well reasoned they are. It's just irrelevant.

      What matters is how you can push people's emotional buttons. The enemies of freedom (the FBI, CIA, GCHQ, etc.) are successfully pushing the "encryption equals terrorism" emotional lie onto an ignorant populace. Emotional lies trump reasoned truths every time.

      Emotional lies can be effectively countered with emotional truths, but cannot be countered with logical reasoning. Most people are not logical. For example, "The FBI's fight against freedom will expose your children to pedophiles" or, "GCHQ's war on privacy will make you a target of terrorists" will be more effective than debating within the TLAs' frameworks.

  9. Re:Classifed? Well, there's your problem by INT_QRK · · Score: 4, Insightful

    Why not a moratorium on laws? Require a current law to drop for every new law passed? I'm only half joking here. Seriously, how long can we go on passing new laws every day of every year until every human activity is either against the law, or mandated by law? Freedom loses all meaning. We're essentially approaching an era of legal "whitelist" tyranny; all actions implicitly denied except those mandated. Then, just in order to live our lives we'll always be in violation of some laws, and "the law" will have no meaning beyond a pretext for enforcing political control.

  10. Re:Wait, What? by Bob+the+Super+Hamste · · Score: 3, Interesting

    Well it isn't as bad as I thought but it is biased in that it does have the "Something must be done" theme in it. The document could have been worse but it could have been a lot better. As someone involved in security and encryption it felt very patronizing to me but then I'm not the target audience. There is a lot of space dedicated to explaining the productive uses of encryption but then there is about the same explaining why it makes life difficult for law enforcement. Then there is a big section showing what restrictions other countries have or what laws governing encryption other countries have tried to pass. They still push the idea that encryption caused them problems in the Paris attack yet ignoring the fact that the mastermind of it was featured as pig fucker of the month in Daesh's monthly magazine. They also bring up the San Bernardino cellphone but fail to mention that the government at all levels screw the pooch at every turn there. Yes I actually did read it.

    --
    Time to offend someone
  11. Off export regulations by mu51c10rd · · Score: 3, Insightful

    I've never understood why the restrictions on exporting encryption outside the US. That seems to operate under the premise that non-Americans are unable to develop their own cryptography...which is certainly not the case. Can anyone explain why the US government tried to govern something that is inherently ungovernable?

    1. Re:Off export regulations by jeff4747 · · Score: 3, Informative

      Because for a time, the US did have better encryption than other countries - DES was good back when it was new.

      That is no longer the case, but laws move much slower than technology.

    2. Re:Off export regulations by Darinbob · · Score: 2

      If they just went back to declaring that encryption was a munition, then encryption would receive 2nd amendment protection! Then Charlton Heston could claim "you can have my passphrase when you pry it out of my cold dead hands."

  12. Re:Classifed? Well, there's your problem by Ihlosi · · Score: 2
    until every human activity is either against the law, or mandated by law

    You make it sound like those two choices are mutually exclusive.

  13. Re:Classifed? Well, there's your problem by Archangel+Michael · · Score: 3, Funny

    But but but ... there ought to be a law!

    We must do something, this is something, therefore we MUST DO IT!!!!

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  14. But the Paris attackers DIDNT use encryption by LordWabbit2 · · Score: 5, Informative

    The Paris attackers did NOT use encryption!
    They used burner phones.
    The TLA's just tried to use encryption as the reason why their spy machines didn't detect squat, and to try force new encryption laws down peoples throats.

    --
    There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
    1. Re:But the Paris attackers DIDNT use encryption by Jason+Levine · · Score: 5, Insightful

      I was going to say that but you beat me to it. The Paris attackers used burner phones and SMS. Unencrypted SMS. If worldwide police agencies can't detect the digital equivalent of postcards being sent through the mail, what makes them think that a) terrorists will care enough to go through the trouble to encrypt their communications and b) they could even find the supposedly encrypted messages when they're just tossing more hay on the pile while searching for the same needle.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    2. Re:But the Paris attackers DIDNT use encryption by MobyDisk · · Score: 3, Insightful

      Yes! And, the link provided in the summary to support the statement is not about the Paris attacks. This is like me saying "Scientists have reported that neutrinos do not change flavor." (The link is to an article confirming that they do change flavor.)

  15. Ya Think?!?!? by QuietLagoon · · Score: 4, Insightful

    ...lawmakers need to learn more about technology before trying to regulate it...

  16. Ain't gonna happen... by seven+of+five · · Score: 4, Insightful

    With congress members already struggling to understand basic science issues such as the age of the earth and AGW, something like cryptography lies largely and forever out of their grasp...

  17. Really? No kidding! by bravecanadian · · Score: 5, Funny

    Good luck regulating math, morons.

  18. Link about Paris and San Bernardino inadequate by Shadow+IT+Ninja · · Score: 4, Informative

    The link supporting the assertion that terrorists behind the Paris and San Bernardino attacks "used encrypted communications to evade detection." is not supported by the linked article. In the first place, the article is only about San Bernardino, not Paris. Second, it only says that authorities were trying to get access to encrypted data. In the San Bernardino case, there was encrypted data because the iPhone encrypts by default but there was no evidence released that the encrypted data contained anything relevant to the case. No article is linked about Paris. My understanding there was that French officials basically said that the terrorists must have encrypted there communication because they didn't detect anything. They offered no proof that encryption had been used. The assertion was like the one in San Bernardino - the suspects had used some encryption in the course of their regular use of technology, as most people do, but there was no definite statement that the encrypted communication had actually been used to plot attacks. Ars Technica reports no evidence of encryption being used.

  19. Translation by TsuruchiBrian · · Score: 4, Insightful

    lawmakers need to learn more about technology before trying to regulate it.

    Translation: We need to fire these idiots and elect lawmakers that know more about the things they intend to regulate

  20. Re:So does this mean they will stop demonizing it by matbury · · Score: 3, Informative

    The Paris attackers didn't use encryption. They used unencrypted "burner" phones, which they changed frequently, and then during the attack, they took phones from their victims and used those.