Senator Asks FBI Director To Justify His 'Ill-Informed' Policy Proposal For Encryption (gizmodo.com)
In a speech earlier this month, FBI Director Christopher Wray said the inability of law enforcement authorities to access data from electronic devices due to powerful encryption is an "urgent public safety issue." He proposed that Silicon Valley companies should add a backdoor to their encryption so that they could both "provide data security and permit lawful access with a court order." One person is not amused by Wray's proposal. Senator Ron Wyden criticized Wray on Thursday for not consulting him before going public with the proposal for encryption. Wyden said today, via Gizmodo:
Your stated position parrots the same debunked arguments espoused by your predecessors, all of whom ignored the widespread and vocal consensus of cryptographers. For years, these experts have repeatedly stated that what you are asking for is not, in fact, possible. Building secure software is extremely difficult, and vulnerabilities are often introduced inadvertently in the design process. Eliminating these vulnerabilities is a mammoth task, and experts are unified in their opinion that introducing deliberate vulnerabilities would likely create catastrophic unintended consequences that could debilitate software functionality and security entirely.
[...] I would like to learn more about how you arrived at and justify this ill-informed policy proposal. Please provide me with a list of the cryptographers with whom you've personally discussed this topic since our July 2017 meeting and specifically identify those experts who advised you that companies can feasibly design government access features into their products without weakening cybersecurity. Please provide this information by February 23, 2018.
Yes - both parties have been pretty bad on the issue. Nice to see that _someone_ is taking it seriously and listening to the experts, though :)
-- Gaxx
One of the aspects of a free society is the general concept of innocent until proven guilty. We encrypt in order to protect our information from bad actors. A government is managed by people not all of them trustful, so the government shouldn't get my data, unless absolutely needed, say via a warrant. Because I am innocent until proven of a crime, so my encrypted communication shouldn't be considered anything nefarious until I am expected to be up to something concrete.
I expect for 99.99% of all encrypted data it is just information that isn't proof of wrongdoing. But let's say this post from Jellomizer connects me to my boss who may disagree with such a position could get me fired, because my point of view while perfectly legal may not be in sync with the company policy.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
In a few weeks, an avalanche of dirt (both true and untrue) from "anonymous whistle-blowers" about this Senator Wyden will start mysteriously appearing in news stories all over the country.
They'll continue at least until he resigns in disgrace, is imprisoned due to the absolutely totally not photoshopped(*) donkey-fucking kiddie-porn incest home movies, or commits suicide.
(*) The FBI have access to far better software than photoshop.
The issue (from the FBI's point of view) is they went and got the warrant, took your phone, and still can't read your data.
They want a backdoor so that once they take your phone they are able to read the data so that when they are allowed to do so they can.
And really that would be possible. The phone manufacturers could include a unique per device override pin that is burned into the secure enclave and works like the user defined pin. Then when the FBI gets the warrant they can also subpoena the override pin from the manufacturer once they have the device and can see its serial number. This would reduce the time to brute force the pin as there are now two successful results, but that can be mitigated by making pins longer.
This would, provided all involved act responsibly, work exactly as intended. Individuals have secure communications and law enforcement can get the override and pin they need via existing legal channels when investigating a crime. And having one pin does not extend to opening arbitrary devices.
The problem, of course, is that the existence of the override pin and the phone manufacturer having the list of them means that if the manufacturer's security is compromised all the phones they have sold are compromised as well. The FBI doesn't care about that because they aren't the one who'd have to deal with the PR nightmare of having to explain their security was breached or eat the cost of resolving the situation.
It looks like the senator gave him a month to dig up an excuse, and left him with very little wiggle room. It's nice to see a tech-savvy representative, and specifically one that knows how to close all the escapes at the same time to speed up the process. I'm sure the director would love to be able to stall for 30 days and then step back up into the light and kick the can down the road another 30 days, but I don't see that happening this time.
He's either going to have to dig up some at least semi-reputable cryptographers to throw under the bus, or admit that he's "pulling a trump" and ignoring all the experts around him in favor of his own opinions on the matter. (though in this case it's almost certainly coming down to just doing specifically what he's been told to do, more of a "trump by proxy" move) It's rather irritating to see we've set things up so that certain people can't make certain rules, but then we go and let them replace the person responsible for that rule with someone that will do whatever they tell them to - it defeats the purpose of the separation.
I'm also a little bit curious why I haven't seen this whole idea get compared with the TSA's baggage locks? Isn't that basically the same idea as this, though on a much more limited scale? Mandating a government back-door, and all the unintended as well as the widely-anticipated problems that you get as a result?
I work for the Department of Redundancy Department.
thank you Mr. Wyden
I'm much less impressed with this. Wyden has as a premise that a backdoor is legitimate if only the mechanism can be made secure. Wyden does not assert that we are supposedly free people and may use whatever algorithm we wish, but that they should have such a backdoor capability once they can convince him that their backdoor can't be exploited.
Maw! Fire up the karma burner!
First, just common sense, it is essential to self defense to have reliable encryption.
Second, the fed gov't already treats encryption technology like "arms" in some ways, i.e., export controls.
So NRA, where are you now? Why aren't you protecting our rights?!?!