
White House weighs encryption crackdown - traderjane
https://www.politico.com/story/2019/06/27/trump-officials-weigh-encryption-crackdown-1385306?cid=apn
======
bediger4000
There's quite a bit of fallout from banning end-to-end encryption. First, it
means snooping communication channels to ensure that they're either
unencrypted, or encrypted with the officially approved backdoored algorithm.
That's the obvious first step, remember the Clipper Chip's LEAF field, and the
LEAF blower attack? Once some heinous crime is committed using encrypted-via-
another-algorithm data carried in the officially encryption algorithm, you've
got to start occasionally decrypting a communication channel to ensure that a
2nd level of encryption isn't present. The logic of official encryption
algorithms almost inevitably leads to all comms channels being checked for
decryptability.

The second major side effect will be essentially making writing software into
a completely corporate thing. Either the official algorithm is a secret
(Remember the Clipper Chip and/or Skipjack?), or writing implementations
becomes work that only a very trusted few are allowed to do (see inevitability
of snooping above). Currently it's very difficult for medium to small
companies to do the paperwork for security clearances. It's not going to be
any easier to get programmers certified or bonded or whatever to work on
official algorithm implementations. This means slower introduction of any
innovations, and any buggy implementations will be in use for a long time
before getting fixed.

~~~
cwkoss
Is there stenographic encoding for binary sort of like Base64 that outputs
full human-readable sentences?

So much bad prose on the internet, it seems feasible to make this hard to
distinguish from human-written text. Plus you could have multiple codings for
values, allowing non-deterministic encoding but deterministic decoding.

How do you prove that the giant integer which represents this text is a random
result of my thoughts rather than encoded information?

~~~
bediger4000
Well, the US has handled other difficult issues with super-vague laws, like
the Computer Fraud and Abuse Act (CFAA) of 1984, which appears to have been
used at least as recently as 2011. If you have a weird law like the CFAA, a
nation can also do the Chinese Government's "One eye open, one eye shut"
vaguely vague policy, where unpredictably, the CFAA is enforced very harshly,
usually on someone totally unlikeable. This makes everyone else very wary of
stepping over some boundary, never mind that nobody knows where that boundary
is, so everyone is very conservative in approaching issues with the law. By
applying such a law infrequently, and on unlikeable defendants, the government
makes it very difficult to challenge the law itself.

------
stirfrykitty
This is precisely one of the reasons why OpenBSD was developed in Canada
(crypto). No such regulations barring import/export of crypto.

In the end, it's impossible to police the use of strong encryption. Things
like Waste and many others saw this coming back in the "Clipper chip" and PGP
trouble days. What would end up happening is people just start appealing to
OTP. Well-designed OTP is very resistant to attack.

This all reminds me of Neal Stephenson's seminal book, Cryptonomicon, one of
the best IT fiction books ever written. If you have an interest in encryption,
coding, data havens, currency, etc., this is the book for you. It's a
veritable tome.

* Editing to say that despite Cryptonomicon being written in 1999, I still think it holds its own even now. Kind of a timeless classic as far as IT goes.

~~~
18pfsmt
There is no country on the planet that stands for individual freedom more than
the US; we were founded on the idea. The idea that Canada has stronger free
speech protection is laughable. There is zero chance this idea goes anywhere.
Look at the sources for the article, that should give some indication of its
credibility.

~~~
OldSchoolJohnny
There is no country on the planet that pays more blind unthinking lip-service
to the concept of freedom I'll give you that but if you think the average US
citizen has more freedom by any objective international standard measure than
the average Canadian citizen you may want to put down that KoolAid you've been
drinking and reconsider because you would find few knowledgeable people who
would agree with your assertion.

~~~
18pfsmt
Only by some absurd idea of freedom you are able to summon. We have the
freedom to be assholes yet. Sure, we lost battles against the totalitarians on
several fronts, but we are still more free in the sense that one would be free
as a sole occupant on a Caribbean island.

People are allowed to freely associate in corporations and pursue their
economic goals. Canada is smaller than California, population wise and GDP,
and most of your income comes from natural resources like copper, coal, oil,
and gold.

Non-Americans can't stop visiting American websites. Hmm.

~~~
18pfsmt
The negativity on this comment is amazing. These Euro ideas would die so fast.
I will pay for your flights to Denver. please come to CO.

~~~
skizziepop
uh the us sucks please fly me to Denver

------
ISL
Congress shall make no law respecting an establishment of religion, or
prohibiting the free exercise thereof; or abridging the freedom of speech, or
of the press; or the right of the people peaceably to assemble, and to
petition the Government for a redress of grievances.

~~~
the_watcher
That's an interesting hypothetical for a law school exam, but I don't think
any of the Supreme Court would find it very compelling, as it doesn't
materially abridge any of those things. People not feeling comfortable with
saying things is materially different than actually restricting them from
saying them.

EDIT: I wholeheartedly disagree with restricting E2E and believe in freedom of
speech as strongly as one can believe in any explicitly enumerated right, I
just don't agree the text of the First Amendment covers this, and it's hard
for me to imagine any of SCOTUS coming up with an argument supporting it.

~~~
excalibur
I would argue that freedom of speech includes the freedom to say things that
look like absolute gibberish to the surveillance apparatus. Whether they
contain a coded message is irrelevant.

~~~
umanwizard
You could argue that, but does US constitutional jurisprudence support that
argument?

~~~
meowface
If US constitutional jurisprudence, in the eyes of our highest officials,
supports the argument that corporate money spent politically is speech, then I
hope they'd agree that a random-looking sequence of on and off states
transmitted through some physical medium with the intention of one or more
recipients gleaning meaning from the output is also a kind of speech. I'm
definitely not a lawyer, though.

~~~
umanwizard
I don't understand how the two are related, can you clarify? What does
corporate spending on political campaigns have to do with encryption?

~~~
meowface
I just mean if they use a broad definition of "speech", including a
corporation spending money, I subjectively feel like that definition should
also encompass sending text or symbols which appear to be random or encrypted.
There is no relation between the two other than that I think if money is
speech, pure information, in any form, should also be considered protected
speech, unless there's a copyright on the information. Similarly, I think
things like burning a flag, or sending someone a painting, also should be (and
are?) considered speech.

~~~
umanwizard
Yep, my point when asking you to clarify was to see whether you were making
this argument: "the Supreme Court will let basically anything crazy count as
free speech, so why not this?" It seems like indeed you were.

But Citizens United doesn't rely on a broad interpretation of freedom of
speech at all. It relies on a broad interpretation of freedom of
_association_. Supporting various political views is "speech" by any possible
understanding -- that's not broad at all. The main "innovation" of Citizens
United is that when people form associations (like corporations) they retain
certain rights, such as freedom of speech.

A better analogy would be if we already all agreed that individuals have the
right to send encrypted messages, and we were discussing whether corporations
retained the same rights. Then you'd have a point, bringing up Citizens
United. But when discussing whether people have some underlying right at all,
it doesn't seem relevant.

------
tzs
> A ban on end-to-end-encryption would make it easier for law enforcement and
> intelligence agents to access suspects' data. But such a measure would also
> make it easier for hackers and spies to steal Americans' private data, by
> creating loopholes in encryption that are designed for the government but
> accessible to anyone who reverse-engineers them. Watering down encryption
> would also endanger people who rely on scrambled communications to hide from
> stalkers and abusive ex-spouses.

It does increase the chances that your communications will get out to third
parties besides the government, but not for the reasons given in that
paragraph.

The way you would actually implement this is not by putting a "loophole" in or
"watering down" the encryption between the parties. You'd do it by adding the
government as another party. E.g., two party end-to-end encrypted messaging
channels become three party end-to-end encrypted chats. N party end-to-end
encrypted chat channels becomes N+1 party end-to-end encrypted chat channels.

To a third party, such as a stalker or abusive ex-spouse, who is trying to
eavesdrop on your messages these N+1 party systems are as secure as the
previous N party version.

The increased risk comes from the risk that the government won't be able to
keep its copies of your messages secure after it securely receives them.
Presumably they will go into a database somewhere, from with they will be made
available to law enforcement and intelligence services. That means that there
will be a bureaucracy around operating and accessing the database, and given
the number of different jurisdictions involved and the likely frequency of
access requests my guess is that this would need to be a large bureaucracy. A
large bureaucracy dealing with a large amount of sensitive data is just asking
for trouble.

~~~
feanaro
> The increased risk comes from the risk that the government won't be able to
> keep its copies of your messages secure after it securely receives them.

Or how about simply not wanting the government, a third party, to be able to
scrutinize your private conversations?

~~~
stirfrykitty
Or we'll all end up making Gorky Park-esque dead drops under the cover of
darkness.

------
totalperspectiv
I recently finished "Information Doesn't want to be Free" and would highly
recommend it as informed and well reasoned commentary on topics like this.
Cory Doctrow puts into words the vague hand wavy feelings I have when we start
talking about encryption, copyright, and freedom of speech on the internet.

The ebook is free (with suggested donation) on his website.

~~~
totalperspectiv
To elaborate more and provide some substance, the existential threat posed by
regulations like this is really hard to get across to the broader public. The
more good analogies we can acquire for explaining why every day people doing
every day things should be able to do so privately, is important.

~~~
turdnagel
Maciej Ceglowski recently wrote about this:
[https://idlewords.com/2019/06/the_new_wilderness.htm](https://idlewords.com/2019/06/the_new_wilderness.htm)
\- he calls it "ambient privacy."

> For the purposes of this essay, I’ll call it ‘ambient privacy’—the
> understanding that there is value in having our everyday interactions with
> one another remain outside the reach of monitoring, and that the small
> details of our daily lives should pass by unremembered. What we do at home,
> work, church, school, or in our leisure time does not belong in a permanent
> record. Not every conversation needs to be a deposition.

The article is presented more in terms of JS/app trackers, but I believe the
analogy still applies.

~~~
pizza
Reminds me much of the philosopher Fredric Jameson's notion that modern
culture basically exemplifies the end of temporality. There is much less
forgetting, including forgetting of inconsequential minutiae, nowadays.

------
wedn3sday
If communications had to be decryptable, could I go to jail for emailing the
output of /dev/urandom and then not being able to prove that it wasnt an
encrypted message? Is it garbage, or is it clever encryption?

~~~
Buttons840
They'd put you in a cell with the 8-year old who was smart enough to
understand one time pads and thus also had access to unbreakable encryption.

------
fractalf
God forbid the authorities have to do some old school actual investigation.
The "we need need to fight terror and child porn" never seems to grow old

~~~
tzs
Wasn't a big part of "old school actual investigation" looking at the
communications of suspects?

~~~
magduf
Yes, by doing things like putting "bugs" in their homes or workplaces to
listen in on them.

There's nothing stopping the authorities from doing this now, and in fact,
it's even easier now with the level of miniaturization we have now.

~~~
umvi
Bugging peoples' homes without their consent seems like an equally egregious
privacy violation

~~~
LinuxBender
That sounds like a job for Alexa!

------
LinuxBender
I am not sure if this opinion is permitted here, but I would suggest that
people just implement their own E2E and ignore any rules that suggest you must
not do so.

Obviously a business can not survive by this logic. Rather, implement systems
that permit end users send whatever text they wish, potentially including
obfuscated text.

An example of business that have done this for decades would be all the
amateur radio manufacturers. It is illegal to make a HAM radio that operates
outside of the HAM bands. But... clip one diode, or hold down two buttons and
power on the radio, presto, all frequencies unlocked, radio in "debug mode".
Certainly similar logic could be implemented by clever people here.

 _" One has not only a legal but a moral responsibility to obey just laws.
Conversely, one has a moral responsibility to disobey unjust laws."_ \--Martin
Luther King, Jr.

------
bayareanative
They will have to pull encryption from my cold, dead hands. And I'll strongly
consider making a 80% lower legally-unregistered gun if things get any more
insane, because stuff is going off a cliff 1930's-style.

~~~
swalsh
I'd print one, but my state AG made it illegal for people in my state to
download the blueprints for one.

I've been tempted to get on a proxy, download the file, print out a few copies
of the source in book form, and slip it in our local libraries.

~~~
driverdan
3D printing a firearm isn't practical. They are dangerous and only fire a few
times. You're better off with an 80%.

~~~
throwaway5d097
An AR-15 lower doesn't have that much strain

------
lacker
I don't understand what this would mean in practice.

"End-to-end encryption" isn't really some fancy new technology. It's just the
combination of communication plus encryption. If you and I share a password, I
encrypt some data, email you that data, and you decrypt it, that's end-to-end
encryption.

So what would be banned? Would you not be allowed to email encrypted files to
someone? That seems implausible. Would it be legal to email encrypted text
files to your friends, but illegal to build software that automatically did
both encryption plus email?

That seems pretty weird, making it legal to do a thing but making it illegal
to build software that made that thing easier.

~~~
trophycase
IMO this points more to having probable cause than actually criminalizing
encryption itself. If privacy or hiding something by itself is probable cause
you can essentially justify any form of search.

------
sarcasmatwork
Are we in China? Its always about terrorism, but NSA/FBI/CIA/3-LETTER-AGENCY
fails to do anything when there is terrorism or about to be. They have allowed
things to happen. This should fall under the 4A for those of us in America
imho.

~~~
dx87
Intel is a thankless job; if you keep people safe, nobody knows you are doing
anything, but if something happens, you're the first to get blamed. Just
because you're ignorant about what people working in various intelligence
agencies are doing, doesn't mean they aren't doing anything. I worked in
various intel fields for most of my adult life, and it gets tiring to hear
that intel agencies don't do anything.

~~~
dv_dt
That isn't blaming the Intel agencies for doing nothing, it's blaming them for
abridging our freedoms in trade for purported safety.

~~~
ativzzz
Isn't this analogous to IT security policies in pretty much any company?

They get blamed for abridging worker productivity in trade for purported
safety.

~~~
darkpuma
Contrary to what you may have been told, productivity and freedom are not the
same things.

~~~
ativzzz
Is not the freedom to be productive not one of the unwritten tenets of
capitalism?

~~~
darkpuma
Can you think of no other freedoms?

------
colanderman
What would this mean for personal web servers running HTTPS? Being forced to
use a specific (NSA-breakable) algorithm? Forced obtain TLS cert from a
government-controlled source?

------
choeger
I would be really interested in the legal format that they put such a
restriction in.

~~~
chatmasta
My guess, based on recent history:

It will be an executive order that requires companies with a communications
product and over 500k users to implement lawful intercept protocols for
communications between any two users.

Most likely companies will repurpose their GDPR tools to provide standardized
exports to authorities with legal intercept requests. The regulation will be
written in such a way that it precludes end to end encryption as an option,
rather than forbidding it specifically. Failure to comply with lawful
intercept requests will result in a fine with high interest.

~~~
codedokode
What about foreign companies from countries like China or Russia? How will
they make them comply?

------
Merrill
The success of intelligence and code breaking during WW II apparently
convinced the elites that a small elite intelligence and criminal
investigation force could effectively control terrorism, criminality and
excessive dissent in society. Thus, the emphasis on electronic surveillance
for national security and law enforcement.

It doesn't actually work very well, since terrorists can hide, gangs can
organize, drug cartels can flourish, and society is becoming more disorderly.

Weak or broken encryption privacy in order to continue a failed approach is
not the answer. More physical security, more local law enforcement, and more
local human intelligence to prevent terrorism and crime is a better
alternative. It is better to be physically protected from bad actors than to
have a technologically sophisticated process for apprehending perpetrators.

------
jddj
Constitutional considerations aside (since all implementations seem to run up
against one or two amendments), the most likely route is probably to force
compliance by tech workers/companies when presented with a warrant (see: the
law rushed through late last year in Australia).

One basic implementation is that after some closed-door conversations, your
specific instance of WhatsApp receives an update which either compromises your
keys or performs some background E2E of your plaintext conversations (as
stored on your device) with whichever government/law enforcement agency made
the request.

Rather than adding the government as a third party to all communications at
once, this is a nice easy first step for them to take.

------
nimbius
So ill be honest here, im not a STEM person...but how exactly do you "crack
down" on something thats essentially just really great math?

What, if anything, is the government hoping to do to stop people from using
GPG/PGP? I mean i guess you could force companies in the US to not ship phones
encrypted by default, but they could just sneak a menu asking if you _want_ it
encrypted before the first power on.

How does the cat go back in the bag after 2015? Snowden has basically put the
word "encryption" in the mouth and ears of every American. We know the
government spies on us. We know it uses this information to hold theater
trials of people it just doesnt like.

How do you crack down on math?

~~~
koolba
> How do you crack down on math?

Same way you crack down on anything else. Round up people and throw them in
prison if they break the law.

Sure you cannot stop people from using encryption but if it's a criminal
offense to incorporate it into a consumer application then you could easily go
after the company, it's executives, developers, or even users. The first three
of those is already enough to have a chilling effect on the rest of the
industry.

~~~
codedokode
It won't stop foreign developers in countries that don't extradite people to
US like China, Iran, North Korea or Russia. You will have to find an excuse to
cut those countries from Internet or implement a border firewall.

------
jimbob45
You fall in one of two groups here:

1\. The NSA probably has the ability, one way or another, to break E2E
encryption. This is a symbolic move attempting to soothe the masses into
thinking their communication is still secure.

2\. This is vast government overreach trying to stifle personal privacy. Such
a bill is idiotic not only because it runs counter to the US Constitution, but
also because enforcing such a bill would be virtually impossible.

~~~
giaour
Even if the NSA could break E2E encryption (a very big if), that doesn't
automatically imply that local, county, and state level law enforcement
agencies would be able to.

------
carapace
Just to take a moment and remind everybody that your encryption is pointless
anyway because of ME[1] and its ilk.

[1]
[https://en.wikipedia.org/wiki/Intel_Management_Engine](https://en.wikipedia.org/wiki/Intel_Management_Engine)

------
zxcvbn4038
The boat has sailed on this, strong encryption is everywhere, the algorithms
are widely known and understood, anyone who wants encryption will have it.
Back when encryption was considered a weapon in the US it did absolutely
nothing to stop everyone else in the world from having it, I don't see it
working any better in reverse.

As far as law enforcement goes, it reminds me of a favorite Futurama bit -
Some cops can read minds... Some cops can see the past... And some cops get
help from angels... But there's still one cop with no special abilities
whatsoever. To solve this crime he'll have to FIND OUT.

[https://www.youtube.com/watch?v=3JjpxSdM6fY](https://www.youtube.com/watch?v=3JjpxSdM6fY)

------
jammygit
I can’t wait for the mass hacks that come from this, with millions of people’s
payment and other information getting snooped. People would stop using the
internet for serious things again and our industry would die after enough of
them

------
dbg31415
Not this shit again.

* Honest Government Ad | Anti Encryption Law - YouTube || [https://www.youtube.com/watch?v=eW-OMR-iWOE](https://www.youtube.com/watch?v=eW-OMR-iWOE)

------
jrochkind1
Another article. [https://www.forbes.com/sites/zakdoffman/2019/06/29/u-s-
may-o...](https://www.forbes.com/sites/zakdoffman/2019/06/29/u-s-may-outlaw-
uncrackable-end-to-end-encrypted-messaging-report-claims/)

(Not okay).

------
codedokode
It is interesting that Russia already has a similar law (IM apps are required
to retain and provide the content at request; they are required to ask a phone
number for registration; websites having a specific amount of visitors must do
the same). Luckily, some foreign companies like Telegram openly ignore it and
decentralized messaging apps like Tox are unable to comply with the law.

It would be difficult to enforce such a law without implementing network
filters.

------
delish
The article mentions "tech companies." But isn't SSL end to end encrypted? And
doesn't nearly every business that makes transactions online use SSL?

~~~
fragsworth
I assume they'd come up with a new encryption standard where you use an
additional (government) public key to encrypt with, allowing the government to
decrypt it later?

Or maybe they'll only enforce the rules on "chat applications" or things the
general public uses?

I guess they're talking about this right now.

~~~
delish
I’m sure you’re right. And I guess I’m saying something obvious when I say
they haven’t thought this through. So they’re going to get every bank, every
e-commerce website, every server and every client to upgrade their SSL
packages? That’s daunting. (that’s ignoring the challenge of never leaking the
government’s golden key)

------
abstrct
I sincerely recommend reading the book Crypto if this topic interests you.
This isn’t the first time we’ve been here, and it won’t be the last, but
Crypto does an excellent job going through some of the history and the
absurdity of the idea.

[https://www.stevenlevy.com/index.php/books/crypto](https://www.stevenlevy.com/index.php/books/crypto)

------
LannisterDebt
A Canadian prosecutor tried to force someone this year to provide a password
to decrypt the contents of their cell phone via the court system. She failed
[0].

[0]
[https://www.canlii.org/en/on/oncj/doc/2019/2019oncj54/2019on...](https://www.canlii.org/en/on/oncj/doc/2019/2019oncj54/2019oncj54.html)

------
Digit-Al
Those who do not learn from history are doomed to repeat it.

Strong encryption was illegal for years. It didn't stop people having strong
encryption. If they make it illegal for American companies to make software
with unbreakable encryption then that will leave the door open for companies
in other countries to fill the gap. The best algorithms are all public so it's
not like it would be that difficult.

------
mschuster91
That's what happens when un-educated people legislate about stuff they don't
have any clue of. Same in Europe with the Article 13 copyright reform.

Problem is I do not see any reasonable way to get around this as a large chonk
of the voter base is old, un-educated, tech-illiterate people... and
politicians tend to cater to whatever they want (which is mostly law-and-order
crap such as this).

~~~
Sargos
> That's what happens when un-educated people legislate about stuff they don't
> have any clue of

This is becoming an increasing problem as legislators get older and technology
becomes more important to society.

------
buzzert
Not going to happen. We've been through this before.

What I do think we might see is some kind of corporate incentive (secretive or
not so secretive) to effectively push normal (non-computery) people into using
non-E2E services. Google is already doing a fantastic job of this.

------
40acres
It's difficult to see how any restrictions on encryption can be deemed
constitutional, especially by a conservative majority court. In my view the
1st and 4th amendments deem encryption constitutional, "corporate personhood"
reaffirms this.

------
soulofmischief
> the Secret Service regularly run into encryption roadblocks during their
> investigations

Maybe it's time we change the language and stop letting government officials
label individual rights which are working as intended as "roadblocks" into
government investigations.

> experts generally agree that Congress is unlikely to pass a bill requiring
> warrant-compatible encryption

 _Boo hoo_. That's the system working as intended. Do your job correctly and
stop making an enemy out of the People and you'll find requiring a warrant
isn't a "roadblock".

~~~
txru
Warrants don't work, that's the problem. There have been many instances now
where a judge issued a legal warrant that was impossible to enforce, because
of encryption. Should that be the case? It's not a simple question.

~~~
cgriswald
Just because the ability to hide information has reached unprecedented levels
does not suddenly make the principles hard to grasp. Warrants have never been
a guarantee of getting evidence. They are only permission to look.

Finding the answer to law enforcement being able to make these warrants useful
while also maintaining rights is complex. Seeing a terrible solution as
terrible is simple.

~~~
txru
Ok, so warrants fail. There are cases where people are held in contempt of
court, essentially for life. Is that a good resolution to warrants being
broadly, commonly enforceable? Those people aren't convicted of the crime they
were accused for, in some cases they may have even forgotten the encryption
key.

~~~
hedora
Indefinite contempt charges are why forcing someone to hand over a password,
encryption key, submit to biometrics, etc. needs to be banned.

The current state of affairs is a clear violation of one of the US’s founding
principles: “innocent until proven guilty” (and also the 5th amendment).

~~~
txru
Remember, the Bill of Rights were tagged on after the Constitution. The
Constitution establishes what powers the Government could and couldn't have,
purely in its relationship with the constituent states. The Bill of Rights
filter out what it doesn't. And in its vagueness, the Constitution claimed
quite a lot.

The ability, power, and right to investigate crimes is certainly reserved to
both the states and the Fed. Government in the Constitution.

~~~
zaroth
The ability to not be forced to participation in one’s own prosecution is one
of those rights the Constitution guarantees.

The fact that modern life typically entails recording and documenting almost
every single thing you do during the day, and yet law enforcement complains
about “going dark”? Utter nonsense.

People have never been more widely tracked, or more widely accountable. The
absolute last thing we have is a _privacy_ epidemic.

The government has the right to investigate crimes. They do not have a
specific right for defendants to keep records of what they did wrong or to be
provided that evidence, outside the context of business regulations which
require specific paperwork be maintained.

And by the way, the Constitution specifically enumerates what powers the
Federal government has. _All Else_ is reserved to the States, or to the
People.

Which is why we weren’t supposed to need a Bill of Rights in the first place.
The Constitution doesn’t enumerate Speech or Assembly as something the
government can control, therefore it is not. However the Framers didn’t all
agree we shouldn’t go and list a bunch of things just in case, except that it
might make people think if it’s _not_ listed then maybe it’s not a Right?

------
tempodox
The government is doing everything they can to insulate the US from the rest
of the world while continuing the war against their own citizens. Whoever
needs real encryption won't be able to let their business touch US
jurisdiction.

------
typeformer
This would utterly break the internet, how are government officials so idiotic
to continue their magical thinking that somehow you can get rid of privacy and
keep security. This is a dead horse that is becoming a perennial zombie.

------
4ntonius8lock
I hope for future generations that there are enough free thinkers that will
practice civil disobedience in such a case.

I can't imagine anyone with any degree of tech understanding and intelligence
supporting such a big brother policy.

------
MrQuincle
Mmm. Seems this leads to a level of encryption where we decrypt with one
algorithm to a clear text that can be seen by the government and another
algorithm that becomes a hidden text different from the other one.

------
ohiovr
In three years, Congress will ban the largest source of trust in internet
computer systems. All financial insitutions are downgraded from end to end
encryption, becoming fully exposed. Afterwards, criminals steal all bank
assets with a perfect operational record. The Internet Security Bill is
passed. The system goes online on August 4th, 2023. Cryptographers are removed
from corporate defense. The ban catalyzes attacks on infastructure at a
geometric rate. It becomes self-aware at 2:14 AM, Eastern time, August 29th.
In a panic, they try to pull the plug.

------
thorwasdfasdf
i don't think this will stop those that are truely motivated to have end to
end encryption. Any agents working for state sponsored stuff or criminals with
means, can easily hire some programmers to create encrypted communication.
setting up a basic messaging platform that kinda works is trivial, adding
encryption to it, isn't too hard.

------
jeffrallen
Perhaps if cryptography were regulated like guns again, the 2nd amendment
zealots would come out in defense of it?

------
coldcode
Sure, once you require these I can hack the politicians who want this and run
them out of their gravy train.

------
pizza
Pretty incredible difference in policy between Obama and Trump administrations
(not that Obama's was particularly respectful of privacy to begin with); from
the 2011 WH "International Strategy for Cyberspace" [0]. Remember, the Snowden
revelations took place June 2013.

> Ensure the end-to-end interoperability of an Internet accessible to all.

> _Users should have confidence that the information they transmit over the
> Internet will be received as it was intended, anywhere in the world. Equally
> important is the expectation that under normal circumstances, data will flow
> across borders without regard for its national origin or destination.
> Ensuring the integrity of information as it flows over the Internet gives
> users confidence in the network and keeps the Internet open as a reliable
> platform for innovation that drives growth in the global economy and
> encourages the exchange of ideas among people around the world. The United
> States will continue to make clear the benefits of an Internet that is
> global in nature, while opposing efforts to splinter this network into
> national intranets that deprive individuals of content from abroad._

[0]
[https://obamawhitehouse.archives.gov/sites/default/files/rss...](https://obamawhitehouse.archives.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf)

~~~
ars
Oh yeah such a difference in policy. First of all your quote makes no mention
of encryption second of all:
[https://en.m.wikipedia.org/wiki/Bullrun_(decryption_program)](https://en.m.wikipedia.org/wiki/Bullrun_\(decryption_program\))
which debued during the Obama administration for those who don't feel like
checking dates.

~~~
pizza
I misspoke in my first comment; I meant 'stated policy' \- we all know both of
them aren't really in favor of privacy. Also, while there is no mention of
encryption or cryptography, you might find the bits on the necessity of
guaranteeing military network security interesting. This policy paper, of
course, came out near the time of Stuxnet.

------
madhadron
Suggestion: if everyone big player who takes credit cards online put a little
banner on their site saying, "Due to possible action by the Trump
administration (insert link), in the near future your credit card transactions
will no longer be secure. If you wish to continue to have secure credit card
transactions, please click here and inform the white house."

If Amazon alone did it, there would probably be a pretty big push back.

------
ninjakeyboard
If the government removes your right to privacy, we're seeing 1984 come to
life.

------
Zaskoda
Math is not a crime.

------
DannyB2
From TFA . . .

> Tech companies like Apple, Google and Facebook have ncreasingly

> built end-to-end encryption into their products and software

> in recent years — billing it as a privacy and security feature

Because Facebook and Google are known for being so concerned about your
privacy.

~~~
fragsworth
They are actually concerned about your privacy, except in the cases where they
can sell it for profit.

------
umvi
Privacy advocates always just say screw the feds but come on... if police work
becomes effectively impossible, what's the point of having detectives? Is
having absolute privacy worth an irreversible increase in unsolved
murders/human trafficking/etc.?

Why is it so hard to create a cryptographic solution that would allow E2E that
works 99.9% of the time, is resistant to malicious actors, but is breakable
with a warrant? Have people really even tried?

For example, consider the following system:

1\. E2E decryption keys are encrypted with vendor's device-specific
asynchronous key

2\. Keys are then stored in write-only non-volatile storage

3\. Only way to read key is with expensive hardware that is difficult for
civilians to obtain/replicate (scanning electron microscope, etc.)

4\. Thus, only way to decrypt key is by a) physically obtaining device, b)
using expensive hardware to extract encrypted key(s), c) serving encrypted key
along with legal warrant to vendor who would then comply with the law (or not,
if it is unlawful)

Wouldn't such a system allow privacy yet also be resistant to attacks?

~~~
supergauntlet
You left out b) vendor has the keys stolen or leaked by a disgruntled employee
and now the encryption is useless.

That's the problem with all these systems, you're increasing the size of the
attack surface enormously.

~~~
umvi
> You left out b) vendor has the keys stolen or leaked by a disgruntled
> employee and now the encryption is useless.

e) If the keys are stolen, issue new keys to all devices

The leaked keys are only good for physically compromised devices in the hands
of people with access to the scanning electron microscopes, which I daresay is
an extremely small attack surface.

There is only a small window after the leak in which a device can be stolen,
powered down, and compromised.

On the other hand, you could mandate that such keys aren't allowed to be
stored in databases (physical access only)

~~~
the_watcher
You don't always know that keys have been stolen. And an electron scanning
microscope is hard to get now, but what about state-sponsored actors spending
half a decade developing a pocket-sized tool? The whole point of E2E is that
all of these scenarios are literally not possible.

~~~
umvi
Well, periodically reissue keys then regardless of if you think they've been
compromised. Or don't store the private key in a database, store on physical
media in a vault that is airgapped and hard to access. Make the read-only-
ability of the storage chip more difficult and onerous with each generation
like paper currency security.

My point it that you could make it so difficult to break E2E for even the most
elite hackers that the only realistic way to do it is with a warrant.

~~~
the_watcher
Not if you're sponsored by a hostile actor with functionally limitless
resources. E2E isn't just about stopping legitimate law enforcement from
conducting investigations.

~~~
umvi
> Not if you're sponsored by a hostile actor with functionally limitless
> resources

Like who? Russia? China?

Here's how they can compromise my device:

1\. Locate me within the USA (easy)

2\. Send a spy onto US soil to find me and steal my phone (hard)

3\. Send another spy to work for Apple (easy)

4\. Spy needs to break into Apple's vault and retrieve airgapped media
containing my device's private key without a warrant (super hard)

5\. Send both back to the motherland and use scanning electron microscope to
complete the process (easy)

You really think that is viable? Seems extremely far fetched to me. Can you
provide a more realistic scenario?

~~~
kelnos
The more realistic scenario is already possible today, and doesn't need to
involve so much technical mumbo-jumbo: at step #2, instead of stealing your
phone, they kidnap you, and torture you until you give up your password. Done,
and no need for steps 3-5.

(And I suspect, for a sufficiently-motivated state-level actor, that actually
falls under "easy", or at most "medium".)

~~~
umvi
Right, so why are we so worried about this? If the government is malevolent
they will just kidnap and torture you like the PRC.

