Congress finally showed it's willing to fight the FBI on encryption (theguardian.com)
366 points by magoghm on March 2, 2016 | 73 comments



I watched most of the hearing (can be viewed here http://www.youtube.com/watch?v=g1GgnbN9oNw), this article seems like a pretty accurate characterization. Comey's parsing of words in his response to the question of whether any gov't agency can access the phone reminded me of Clapper's "least untruthful" answer (i.e. his lie about NSA data collection).


I also watched most of the hearing[1], and Comey was very practiced at sticking to his story. However, one bit in particular stood out as something I haven't heard before: he seemed to criticize Apple for trying to protect people. He went off on a brief tangent at one point where he said things like[2]:

"It's not Apple's job to protect the American people."

"They sell phones, they don't sell public safety. That's our business to worry about."

He spent a minute or two saying things like that. This almost sounds like Comey sees this as some sort of turf war, with Apple infringing on his responsibilities. I'm not sure how to interpret that - isn't it the job of any manufacturer to make sure their product is safe? Wouldn't any kind of courier have a duty to protect that which they carry?

[1] side note: I'm actually very impressed by most of the Representatives' understanding of the issue and the fairness of their questions.

[2] These may not be exact quotes! This is what I remember, I'll see if I can find the spot in the video later.


I'm delighted to see Congress taking a stand for's right here, and I hope politicians finally realised they do have a personal stake in the matter.

They do have secrets, like most of us and effects of revealing these secrets would have far worse consequences for them and their careers than for most "ordinary citizens", which makes them high-profile targets. Easy targets, too, if (or when) FBI/NSA/CIA allies with some party in domestic political struggle.

Given surveillance powers these guys want, it won't be too long before they decide that next order of business is to find more effective ways to steer political discourse in the favourable direction.

I can see how "ordinary people" would think they "aren't important enough" when it comes to surveillance, but it amazes me that ambitious politicians wouldn't see themselves as "important enough".


> Given surveillance powers these guys want, it won't be too long before they decide that next order of business is to find more effective ways to steer political discourse in the favourable direction.

This has likely happened already with NSA. FBI are jealous because NSA don't share. Congress already know what a pain it is to deal with NSA; they're not eager to create another effectively ungovernable agency.


If you want to go all the way down that rabbit hole, the NSA could be leveraging its power over politicians to prevent the FBI from gaining power, since power of this sort is relative, not absolute (the FBI's gain would be the NSA's loss).

To be clear, I don't really subscribe to that narrative.


It's very well known historically that these agencies have been fighting with each other since their originations. They fight each other over intel, budgets, turf, governance, talent, technology, etc.

I don't think there's anything to subscribe to or not. It's established fact, widely written about for decades.


I was more referring to the NSA leveraging power over our congressmen and senators due to their knowledge of secrets those politicians may not want exposed. That's a very dangerous game to play, and all it takes is one person not willing to play for it to all come tumbling down for the NSA. So, I don't really subscribe to that narrative.


I'm skeptical that the NSA would do that so explicitly (although given that Snowden's entire set of revelations consisted of "they wouldn't do that ..... oh they did" perhaps I should have less confidence).

I think a far more plausible and subtle form of mental pressure is simply manipulating secrecy and technical bullshit. You don't have to know a Congressman's porn preference to manipulate him if you can instead say, "we are tracking dangerous terrorists and if you don't do exactly what we want, they will win and it'd be an awful shame if an angry analyst leaked to the press the fact that YOU, CONGRESSMAN JONES, prevented us from doing our jobs".

Whether the terrorists really exist or not doesn't matter when you are effectively unauditable, and can easily imply that anyone who gets in your way is directly responsible for the deaths of innocents.


That's exactly it, but it's even simpler than that; when you control the reports that the political leaders are relying on for information, you control the set of options they can select from. Some things never get reported, others get reported such that there is an "obvious correct" choice. Coercive measures are possible, but they shouldn't be necessary in most cases.

Jacob Appelbaum describes this process very well in an interview[1] where he talks about the time the CSE[2] tried to recruit him. It's hilarious... and scary for several reasons, including the suggestion that the CSE has to get NSA approval for the people they hire.

[1] https://www.youtube.com/watch?v=Vt7XloDNcm4#t=805

[2] Communications Security Establishment (Canadian SIGINT agency)


> Easy targets, too, if (or when) FBI/NSA/CIA allies with some party in domestic political struggle.

I think part of this might be that members of Congress remember the news breaking that the NSA and CIA were spying even on American allies like Chancellor Angela Merkel and got a taste of "is nothing safe?" in their mouths.

So yeah, I'm with you on that nugget.


There's a reason that video rentals are among the more well-legally-protected bits of personal information...


Yes, I think you're right and I think the FTC would also disagree with Comey on that one. Companies have a duty of care to take reasonable and appropriate measures to maintain the privacy of customer data in their care, commensurate with the scale and sensitivity of the data, and the cost and availability of the tools and technology to protect it.

By that definition it's precisely the Apples and Googles of the world who have the greatest responsibility to design their products to be secure.

In what strange world would we expect the FBI to design TouchID or TrueCrypt or ChaCha20? If anything history has shown us we can't trust NIST or IETF to get it right, or even not to be secretly subverted to get it wrong!


Agreed.

By Comey's argument, manufacturers shouldn't put authentication in the devices as that's the FBI's responsibility?


It is a turf war because times are changing. This is actually a central theme in the newest James Bond movies, and one that Marshall McLuhan wrote about back in the 70's:

>Man Hunter and Sleuth: Posture and Imposture

>In one of Sherlock Holmes's adventures his quarry demurs when Holmes declares that he had seen him at a particular spot. The quarry retorts that "I saw nobody follow me there." And Holmes comments, "That is what you may expect to see when I follow you."

>Half the world today is engaged in keeping the other half "under surveillance." This, in fact, is the hang-up of the age of "software" and information. In the preceding "hardware" age the "haves" of the world had kept the "have-nots" under "surveillance." This old beat for flatfoots has now been relegated to the world of popular entertainment. The police state is now a work of art, a bureaucratic ballet of undulating sirens. That is a way of saying that the espionage activities of our multitudinous man hunters and "crediting" agencies are not only archaic, but redundant and irrelevant.

-Marshall McLuhan, Take Today: The Executive as Dropout


> "They sell phones, they don't sell public safety. That's our business to worry about."

He is absolutely right! But it's also true that FBI and Gov et al failed miserably at keeping us safe. Heck, they even failed multiple times at keeping our information safe behind their supposedly unbreakable walls. So no wonder things took this turn!

Any given day, I would rather go with Apple's security attempts, even if "not their business", than accepting FBI's crack on it.


Actually I'm not sure he's right. (Completely at least.) It's definitely the FBI's job to worry about public safety. But I don't think it isn't Apple's job to sell public safety. As I see it, they sell whatever they choose to sell, as any business does, in the interest of making a profit. These days privacy has become a much bigger issue, and something that consumers will pay for. And from the way Apple pitches their products, it seems that they do sell safety.


FBI is LEO not PSO...

Heck, their acronym expands to Investigation not mall cop public safety...


> FBI is LEO

Not anymore. They dropped “law enforcement” from their primary mission, changing it to “national security”.

http://www.msnbc.com/the-last-word/fbis-main-mission-now-not...


That's clearly when it all started to go wrong.


Yup Comey did say that,

https://youtu.be/g1GgnbN9oNw?t=3h16m18s

It's ridiculous to argue that the DOJ is the sole provider of public safety.


"It's not Apple's job to protect the American people."

Perhaps not, Mr. Comey. It is, however, their job to protect their customers.


> They sell phones, they don't sell public safety

No, they don't, but they sell personal data safety.


> It's not Apple's job to protect the American people

They're not only protecting Americans.


True. What Comey might not see here is that Apple is fighting to keep its credit on the international market, and so should all US companies do.


> This almost sounds like Comey sees this as some sort of turf war, with Apple infringing on his responsibilities. I'm not sure how to interpret that

On the contrary, he showed a good deal of respect for Apple and praised them as a company on numerous occasions. The article characterises it as a "conciliatory tone" which is the correct interpretation. I believe this is the best way forward for the FBI and the government.

It's not a turf war. It's just a characterization of the two. Apple employees come into work and think about usability, product design, security and similar problems. FBI employees come into work thinking about counter-terrorism, public safety and intelligence.

Painting Apple as unpatriotic will result in a consumer backlash and make this an Apple vs FBI debate and pit them head-to-head against the most powerful brands in the world. The debate is shifting to "public security vs privacy" instead of Apple vs FBI, which is how a lot of the consumers and Apple fans see this right now.

I rather enjoyed hearing Comey's responses and found Bruce Sewell to lack the same maturity and preparedness. However, I do not empathize with any of Comey's views (interpretation of All Writs Act, privacy vs public security) and neither should anyone else.


> The debate is shifting to "public security vs privacy" instead of Apple vs FBI, which is how a lot of the consumers and Apple fans see this right now

Actually Apple is painting it as a "security vs. security" debate [1] [2]. They point out that every iPhone user's security is put at risk if they are forced to sign software that weakens the iPhone's security.

> I rather enjoyed hearing Comey's responses and found Bruce Sewell to lack the same maturity and preparedness

I thought Sewell performed well. He was given some tough questions he could not have anticipated. Sewell was the one on the hot seat here. Comey did not face as much pressure.

[1] https://youtu.be/g1GgnbN9oNw?t=3h11m46s

[2] https://youtu.be/g1GgnbN9oNw?t=3h19m39s


> This almost sounds like Comey sees this as some sort of turf war, with Apple infringing on his responsibilities.

He is saying the FBI should have veto power over computer security features.


To this day, I find it hard to call Clapper's response anything but a direct and intentional lie. I do hope in a post-Snowden world, officials will be more careful not to lie under oath to Congress.


Clapper came to my school to talk and I asked him "to speak about the allegations of perjury". He was not amused, and repeated the line about having forgotten about the PATRIOT Act.


All the CIA does is lying, day in day out. That's literally their job, besides extrajudicial killings. And they usually don't care about Congress or White House. So it's not unexpected that he got caught. He certainly does not care, as he is more powerful than Obama or Congress.


Why would they? Clapper has not been charged with perjury, or faced any serious consequences.


He faced consequences... of a promotion.

http://www.dailykos.com/story/2013/8/2/1228321/-Classic-Gove...


I'll open the champagne when Congress actually votes on some legislation to prevent the FBI's request from happening. The congressional committee does not represent all of congress, and I don't know how many congressmen would still rally behind the "No privacy ever because TERRORISM" cry if it came to a vote. This is, unfortunately, not a clear-cut partisan issue, and it's difficult to predict how a vote would go.


This will probably be decided, like most constitutional issues, by a Judge that will be forced to interpret the 4th/5th amendment, in the ever changing light of 'reasonableness', as it applies to the case at hand.

It will then become precedent, adding to the long list of very important judicial decisions that must decide how to apply a law with very loosely defined vocabulary. How a normal citizen is expected to remain apprised of every single law, every interpretation of the law, and every precedent set by a judge ruling on the law, is beyond me.

If the original laws (in this case, the Bill of Rights) were defined as well as many judicial rulings are, we likely wouldn't be arguing if what is being asked of Apple is 'reasonable' -- as what constitutes 'reasonable' would be defined by the law itself.


This doesn't need to become a constitutional argument. Congress can pass a law forbidding the government from forcing a manufacturer to build a back door. Simple as that.


Apple argues (correctly IMO) that Congress already did that in the language of CALEA.


> This is, unfortunately, not a clear-cut partisan issue.

I think that's great, because it means there's a chance it actually gets addressed.


But what has happened is weakening their position.

Remember - they went to judge - judge said no - they suggest congress - now congress is giving them no as well - going back to the judge(s) will definitely get them annoyed.


Isn't it amazing when corporate interests actually align with the American people's interests?


What's more interesting in the Apple case is that protecting citizens' 4th amendment rights is contingent on protecting corporations' 1st amendment rights. Apple claimed that since code is speech, being forced to create and digitally sign the backdoor code is forced speech.

The Citizens United decision from 2010 guarantees a corporation's 1st amendment rights, but I wonder if Apple could still use this defense if that decision was overturned.


Citizens United depends on the concept that corporations have 1st Amendment rights. But it did not create that concept.

That has actually been settled law for a long time; it is how newspapers (which are corporations) are able to enjoy freedom of the press--not just the reporters individually.

So Citizens United could be overturned and it would not hurt Apple's case at all.


Umm, newspapers enjoy freedom of the press because the 1st amendment explicitly guarantees freedom of the press.

> Congress shall make no law [...] or abridging the freedom of speech, or of the press


The only reason they align is because Apple wants to maintain or grow its market share. It intelligently recognizes that consumers want privacy, so they are fighting for it.


You say "only" as though that's a bad thing. You don't need more than one reason.

You say they want to grow or maintain their market share. As opposed to wanting to go bankrupt and fire 100,000 people. You mean, Apple wants to continue to exist? That's exactly correct. Rational self-interest is a wonderful thing, including Apple responding to their customer demands.


I wonder if most members of congress owning locked/encrypted iPhones with personal information made this issue feel a little closer to home.


> “You have had apparently 70 prior instances where you have not taken the steps available to you,” Judge Orenstein said to Apple’s lawyers during a hearing.

From http://www.nytimes.com/2016/03/01/technology/apple-wins-ruli...


Apple apparently grew a pair.


Except for Trey Gowdy, who continued to display himself as a complete and total idiot.


My first impression of him was recently during Martin Shkreli's hearing and he left a similarly bad taste in my mouth after this one.


I noticed that too. Before Hillary's final testimony I had utmost respect for this man. I took time off and microwaved some popcorn for the hearing and then such huge disappointment -- he didn't have anything against Hillary. Came totally unprepared! If anything he really sounded like these people are wasting taxpayers' money. And true -- arm wrestling Apple's lawyer into "let's skip all this and let's save money, let's do this and that" -- truly lost my respect.


He looks basically like Draco Malfoy all grown up.


Agreed except for Sensenbrenner and Gowdy.

Sensenbrenner - https://youtu.be/g1GgnbN9oNw?t=3h59m30s

Gowdy - https://youtu.be/g1GgnbN9oNw?t=4h36m35s

Both of these characters basically bullied and badgered Apple's legal counsel, Mr. Sewell, to write and lobby for legislation with which Apple would agree. Neither would consider that perhaps no additional legislation is necessary to protect Apple's rights.

Gowdy also mentioned names of a few of his friends at the end of his questioning who probably think along the same lines he does.


What does Sensenbrenner even mean by "you aren't going to like what we come up with". It sounds like he was pissed off that Apple didn't come with a bill to hand him to do his job for him. And his last part sounds quite like a threat.


It does sound like a threat at the end. He's basically saying, "you don't want to give us a new bill? Okay, we'll write a one-sided one, and you're going to hate it, but too bad because all you wanted to do was debate and discuss the issue".

He sounds like he has already made up his mind, is in a rush, and does not want to engage in debate. He already agrees with the DOJ and nothing is going to change his mind.

It is unreasonable for him to expect Apple to propose legislation before even one congressional hearing on the issue is complete.

Even after one hearing we can't expect the public and Congress to be so informed on the implications of curtailing encryption that they should be prepared to legislate on the issue.

Sensenbrenner claims Apple is saying "No no no" but in reality he is the one doing the censure. Apple has repeatedly said they're willing to discuss the issue in public.


Does the NSA have some newfound powers?

FTA: "For example, why hasn’t the FBI attempted to get the NSA’s help to get into the phone, since hacking is their job?"

Is it in fact their job? I'd assume there are some ground rules for operations among the executive branch of government but apparently congress thinks this is their charge?


The allegation in the San Bernardino case is that it was international terrorism, so the NSA would reasonably have jurisdiction.


Am I mishearing, or did Comey whisper "god damn it" after the oath @ https://www.youtube.com/watch?v=g1GgnbN9oNw&t=51m0s ?


Only because major U.S. corporations complained, which tells you who owns congress.


It is in fact the other way around. The US Government completely and entirely dominates the private sector economy, controlling nearly every aspect top to bottom. The US is one of the most regulated economies in the G20, with economic regulations continuing to expand rapidly, the government adds thousands of new regulations annually.

That blatant government control is why the NSA (US military, executive branch) was able to force Google, Yahoo, Microsoft, Apple, et al. to comply against their will, and often against their attempts to defend themselves. It's also why this is even an issue at all. If Congress were owned by corporations, none of this would be happening, Apple would have dismissed them with a swipe of its hand, given it's the world's richest private corporation.

If corporations owned Congress, the US wouldn't have one of the highest effective corporate tax rates on earth.


What?

"If Congress were owned by corporations, none of this would be happening"--it's almost as if there can be multiple interests influencing / lobbying for power somehow, and not a single corporation owns all of congress...


Why? Has the FBI found a fast way to factor any product of two large prime numbers? Until they do, what the FBI wants is not always what the FBI can get, Congress or not.


You do not need to factor large primes (or more likely, reverse point multiplication on elliptic curves), if you can guess a 4-digit pin code instead.


You need to break the encryption or find the key. In this case the key has 4^9 bits of entropy (262144) which can be cracked in a matter of minutes if they get a copy of iOS that doesn't have a timeout.


Your math is a little off.

Presumably you are assuming a 4-digit numeric PIN, which means log_2(10^4) bits of entropy (13.3).


No. I'm not really talking about, thinking about the current FBI/Apple issue and, instead, am trying to be more fundamental and look ahead one step, say, the next step after the FBI/Apple, uh, maybe call it a pissing match.

So, IMHO, here's where we are, whatever FBI/Apple do: People, and Apple, will want encryption no one knows how to break. Indeed, IIRC, Apple has already announced that they intend to make an iPhone Apple can claim they can't break.

And I suspect that quite broadly and commonly people will just roll back to basic RSA, etc. encryption, say, from little command line programs they can run on an old, not hacked, computer never connected to a network.

Then the issue in practice will be the same one that is fundamental in theory: To break the encryption, need a fast way to factor a product of two, large prime numbers.

Pass code, 4-digit PINs, etc. -- I just passed over those as by now trivial and irrelevant.


> And I suspect that quite broadly and commonly people will just roll back to basic RSA, etc. encryption, say, from little command line programs they can run on an old, not hacked, computer never connected to a network.

Never gonna happen. I am willing to bet.


Some people, maybe a lot of people want to take encryption seriously.

So, get some little open source, command line programs that run and just squirt out dirt simple flat ASCII files in base 64 encoding. Run the software on some old computer where you are fairly sure there are no back doors. Never connect the computer to a network. Move the data from that computer on, say, just old diskettes.

Then somehow have an iPhone read the base 64 and send it.

If the FBI gets the base 64 code, lots of luck making any sense out of it.

Some people will be impressed by that scenario and possibility.


How many is `some'?


Should be everyone with first level programming skills and very interested in solid data security. That's a lot of people, millions.

Maybe they just need to be reminded that they can do it themselves, easily, with no dependence on Apple, Microsoft, the Internet standards and no risk of backdoors, etc.


Seriously, just hack the timeout out of the OS. I bet I could do it in a single day. The FBI is playing at something bigger here - they want to set a dangerous precedent. The battle is not about access to that particular phone (unless they are truly incompetent - which can't be ruled out, unfortunately.)


How would you do this, exactly? As far as I know, you'd have to find an unpatched exploit you can use over USB. That seems like something that would take longer than a day, unless you're amazingly good at this stuff.


iOS is encrypted with AES, not public-private key cryptography. So unless I'm missing something, what would factoring huge numbers do to help?


As in another post in this thread, I'm not really directly considering the current FBI/Apple situation but jumping ahead to the future where, now, due heavily to the current FBI/Apple situation, I anticipate very broad, greatly increased interest in encryption; people will want really strong encryption, totally independent of any big companies, totally free of any chances of back doors, etc. So, they will return to simple, open source, command line software, run on an old computer, never connected to a network, that puts out just dirt simple base 64 that they move to, say, an iPhone via some, whatever, diskette reader (?) connected via USB. People are going to quit just fooling around, roll back to RSA, and trust a product of two totally obscure prime numbers, oops, really long prime numbers.

Here the FBI has gone a long way to make their job impossible soon and to have Apple make a new iPhone that they solidly claim they just cannot break to replace all the ones they have sold so far.



