DOJ wants Court to re-think Pro-Crypto Ruling

ptevis writes "There's a story over on Wired News about the DOJ asking the Ninth Circuit Court of Appeals to reconsider their decision in May's landamrk crypto case. It's got some interesting info about where the case may go from here and what the government may try to do. " This stems from the lawsuit from the University of Illinois professor who wanted to post one of his programs online. The DOJ/White House is claiming that this will make broadband listening too difficult, and that "this type of regulation is an executive branch policy decision involving 'extraordinarily sensitive' info that's too secret to disclose publicly." However, it seems unlikely that the court will change its' mind.

U of Illinois Prof

[Enry]

To give a touch of context here, that prof is Dan J. Bernstein, the ever-popular author of Qmail

Confusing secrecy with privacy

[Aleatoric]

'extraordinarily sensitive' info that's too secret to disclose publicly

This argument completely misses the point. There is a difference between information that should be kept secret and the method for keeping it secret.

There can be no doubt that any information deemed truly secret by the government will be protected with strong encryption, (at least), even if we disregard the various procedural and physical protocols that are also used.

It is disingenous to argue that the mere existence of strong encryption (and the free dissemination thereof) is, in and of itself, a threat to security.

What the argument really breaks down to is this:

"We (the government) want to be able to easily read any transmission of information under the auspices of protecting ourselves from terrorists and other criminals, and barring the ability to easily read these missives, we want to be able to hold the use of strong encryption itself as a criminal act, so that we can prosecute anyone who uses it, even if we can't prove that they were otherwise engaged in criminal behaviour".

In other words, they want the existence of a strongly encrypted message to remove the presumption of innocence.

As stated in the article, if everyone used strong encryption, they would lose the ability to use strong encryption as a flag to identify potential targets, not to mention that it would be far more difficult (and resource intensive) to attempt to decode all of those messages. What this means is that the government really does want to read your e-mail and intercept your e-commerce, etc., and the idea that they might not be able to really bothers them, despite all their rhetoric about national security and protection.

The free speech qualities of source code in this venue, at least, are clear. It is contradictory to argue that the source code should be restricted while other methods that could be used (printed word, voice communication) would convey the same information, and are already considered protected speech.

I suspect that if it comes before the Supreme Court (likely), they will uphold the decision of the 9th circuit court.

Re:Let them Appeal

[alkali]

Incidentally, re: "despite" -- certain of the Court's more conservative members (Scalia, Rehnquist) aren't "right" in the oft-vilified Christian Right / Moral Majority sense; they're strict constructionists to a degree who have in the past shown disdain for expansive gov't.

Without going off on a rant, this is wildly untrue. Scalia and Thomas in particular are adamantly opposed to rights to abortion or sexual privacy, and have been -- at best -- inconsistent on questions of free speech and court supervision of police conduct. If these are the friends of civil liberties, I'd hate to see the enemies.

I'd classify them roughly as:

Rehnquist, Scalia, Thomas: Fairly strict constructionists; generally, they'll defend the Bill of Rights w/o seeking to expand beyond original intent. For instance, they opposed a recent decision where the following sequence is grounds for suing a district:
1. Girl gets called names by boy.
2. Girl tells administrator/teacher.
3. Boy continues to call names.
4. Girl claims to be "hurt".

Boom, lawsuit -- against the boy AND the school.
This is the scenario that, apparently, Ginsburg (who, IIRC, wrote the majority opinion) has no problems with...
In the interests of intellectual honesty, the reader should know that this is a wild mistatement of the facts of this case, erroneous right down to the identity of the author of the majority opinion (Reagan's nominee, O'Connor). Here's O'Connor's description of the salient allegations in the case:

Petitioner alleges that her daughter was the victim of repeated acts of sexual harassment by G.F. over a 5-month period, and there are allegations in support of the conclusion that G. F.'s misconduct was severe, pervasive, and objectively offensive. The harassment was not only verbal; it included numerous acts of objectively offensive touching, and, indeed, G.F. ultimately pleaded guilty to criminal sexual misconduct. Moreover, the complaint alleges that there were multiple victims who were sufficiently disturbed by G.F.'s misconduct to seek an audience with the school principal. Further, petitioner contends that the harassment had a concrete, negative effect on her daughter's ability to receive an education. The complaint also suggests that petitioner may be able to show both actual knowledge and deliberate indifference on the part of the Board, which made no effort whatsoever either to investigate or to put an end to the harassment.

That's the conduct a majority found to be "so severe, pervasive, and objectively offensive that it effectively bars the victim's access to an educational opportunity or benefit" in violation of federal law. Disagree with their conclusion if you want, but get the facts straight.

encryption is not the end-all protection.

[Restil]

DOJ and other spooks are worried that encryption will prevent them from monitoring the activity of the terrorists, child pornographers, drug dealers, and other meanaces to society. The simple fact of the matter is, encryption is rarely used in these circumstances. Encryption is used primarily where it is needed, to keep something safe from prying eyes for such a time that by the time the encryption was decoded, the information would no longer be of any value.

Credit card numbers are an important example. It has been proven that 56 bit DES can be cracked in a day, with sufficient computing power. Retrieving an encrypted credit card number off the internet and decoding it a day later would result in a good number. If it took 20 years to decrypt the same number, it would no longer be of any use to the cracker.

People need to know that if they put their credit card number out on the internet, the only entity that will be able to decode it within a significant amount of time will be whoever the credit card number was specifically destined for, in this case, the merchant.

Now we have the government's argument that the loss of a few million/billion/etc worth in credit card numbers is insignificant compared to the child pornographer that they are unable to catch any other way. However, this only goes to display their incompetance.

There is a lot of evidence relating to pornography. Photographs need to be taken, then scanned. At this point, they are in an insecure format. There is at least 2 witnesses to this act. Data at this point could be encrypted while it is being stored and transfered, and original negatives and photographs could be destroyed, leaving no permanant evidence.

However, unless the pornographer is doing this for his own amusement and has no financial interest, there will at least be someone on the other end of the line who will want to see these pictures in a decoded format, as encrypted photographs of any type are not too exciting. And while this individual may also be storing all his information in an encrypted format, he at some point in time needs to decrypt the data to view it.

The government wants to rely on automated computer systems to discover, locate, and trace this data while it is in transit. This takes the job off of them and allows them to spend more time on whatever it is they want to do. The system would now be prepared to simply monitor everything and flag anything suspicious. Obviously, this isn't what they publicly are stating their intentions are, but don't be surprised if 20 years from now, they consider this to be important.

The fact is, there are other ways to obtain evidence beyond the easy decryption of data. For some time now the technology has existed to view the monitor and "listen" to the keyboard with such clarity that you would be able to know which key was being pressed simply by the sound. This technology has existed for decades now, and if someone is suspected of trafficing in pornography, and the warrants are obtained for survaillence, this technology can easily be put to use. You wouldn't NEED easy decryption as you could simply pick up the passwords as they're typed in. Granted, this might be an expensive solution, but that's not really our problem.

Terrorists and drug dealers can be delt with in the same way. Drug dealers who take their job seriously have long since discovered the police scanner, and the police realize this. Law enforcement has long since had the ability to scramble or encrypt their transmissions, and many police departments do, but in big cities, its quite likely that any radio shack scanner will pick up those transmissions. And if the police are coordinating a raid over the scanners and drug dealers get a 5 minute warning because of it, it could easily botch the entire operation.

Which is why the police don't USE their scanners during raids. They use their MDT units in their cars to communicate so nobody gets tipped off early.

It seems to me, that if law enforcement is going to be tracking criminals, they are unlikely to discover the criminal activity through encrypted messages anyways. After all, if they're not allowed to decode them without warrants anyways, how will they even know about the criminal activity unless they get information from some other source. And once they have appropriate survaillence set up, monitoring encrypted data will be unlikely to make or break the case.

-Restil