
Senator asks FBI director to name the cryptographers who support backdoors - enraged_camel
https://gizmodo.com/senator-demands-fbi-director-explain-his-encryption-bac-1822400040
======
cantrevealname
Wouldn't it be better if we adopt the position that unbreakable crypto is a
basic human right? Every time we hear about government demands for backdoors,
we technies, cryptographers, thought-leaders, and journalists respond that
backdoors are a security risk and can't be implemented safely. I feel this
invites endless counter-arguments and new proposals by the authoritarian parts
of government. We've been playing this game forever -- as far back as the
Clipper Chip in early 1990s -- and it never seems to end.

Maybe we should take the high road: the time has come that unbreakable crypto
is to be considered a basic human right; the same as free speech, freedom of
thought, or freedom of religion. In this digital age, a lot of those other
rights can't be guaranteed _without_ strong crypto. Whenever any mention of
backdooring, weakening, disabling, preventing encrypted communication comes
up, our reply should be, "no, you can't do that because crypto is a human
right, the same as free speech, and is necessary to protect other fundamental
rights".

~~~
mi100hael
I get where you're coming from, but I think that argument needs some work.
Currently, none of those rights you mention that are enumerated in the Bill of
Rights are guaranteed through absolute means, they are preserved via checks &
balances among branches of the government. And even if they were more
absolute, there would still be asterisks as things stand today:

\- You have freedom of speech/thought unless it was the motivation behind a
criminal action, in which case you're additionally punished for a hate crime

\- You have freedom to keep & bear arms except not in some states if your
Sheriff doesn't like you

\- You have the right to privacy unless there is probable cause to believe
you're involved in criminal activity, in which case the court can issue a
search warrant

\- etc. etc.

Even if you tried to argue that "crypto is a basic right," that wouldn't
change anyone's mind who is arguing that there should be an asterisk if you're
under criminal investigation.

~~~
cantrevealname
Would it be fair to paraphrase what you saying like this: The U.S. Bill of
Rights are not 100% absolute; therefore, people/courts/whatever are not going
to accept a right to unbreakable crypto that's even stronger than those in the
Bill of Rights?

I don't think that crypto needs to be a _stronger_ right than the Bill of
Rights (confining myself to U.S. laws for the purpose of this discussion).
What I'm saying is that whenever government proposals come up about
restricting or backdooring crypto, we techies (and other thought leaders)
should take the strong position that this is a _right_ and then--maybe--have
discussions about warrants, etc., afterward. What we've been doing for over 20
years is arguing that crypto is necessary for good security and backdooring is
bad for security. That's all true, but it's a technology argument. It would be
much better if we start off with the premise that unbreakable crypto is a
right, that we're allowed to use it, that we don't need permission.

~~~
s73ver_
If you feel you can shift the narrative, more power to you. I just think it
would be incredibly difficult to change the conversation to that.

------
js8
"The problem, according to Wray, is that law enforcement is stymied by phone
encryption, which is now widespread."

Not American, but isn't criminality in the U.S. like at about lowest point in
history? Is there some actual evidence that the lack of ability to do mass
surveillance is somehow making criminal investigations less effective?

~~~
dragonwriter
> Not American, but isn't criminality in the U.S. like at about lowest point
> in history?

It's generally been declining since the trailing edge of the Baby Boomers got
out of the prime criminality age range.

But the demographically (and possibly also lead-exposure) driven “crime wave”
was a boon to political support for law enforcement and authoritarian
politicians, so both have learned that selling the idea of rampant crime is a
good way to get what they want politically.

~~~
cat199
> It's generally been declining since the trailing edge of the Baby Boomers
> got out of the prime criminality age range.

Not sure if you are making a claim, but I don't really think this is
generational other than a coincidence in technological timing - the time you
are talking about is the 90's-2000s, which is when improved surveillance
techniques, information sharing databases, and other deterrents became more
possible and widely used. At that time most of the people on the ground would
be gen-Xers (think 21 jumpstreet, colors, new jack city, boyz n the hood, etc,
usa wise)

Also, timing wise, the cold war ended and so along with it much of the foreign
funny money on all sides for subversive activities, and police spending went
up bigtime in most areas..

~~~
dragonwriter
> Not sure if you are making a claim, but I don't really think this is
> generational other than a coincidence in technological timing - the time you
> are talking about is the 90's-2000s, which is when improved surveillance
> techniques, information sharing databases, and other deterrents became more
> possible and widely used.

As you say, most of that became available in the (mid-to-late-) 1990s and into
the 2000s, the crime peak happened in the early 1990s (violent crime
specifically in 1991.)

There's something of a demographic case to be made (not so much generational
as the fact that the Baby Boom _was_ a boom, and a big demographic bulge going
through that age range has an impact), there's a plausible, and arguably
stronger, lead exposure case to be made (the decline, and the preceding rise,
closely tracks the drop off, and preceding rise, in use of leaded gasoline.)

The variety of intended policy mitigations adopted well _after_ the peak
certainly didn't cause the drop, and probably have no-to-minimal impact.

~~~
jessaustin
Especially since most comparable nations displayed the same drop in crime over
the same period, without the out-of-control enforcement increases we suffered
in USA.

------
benchaney
I have never met anyone who understands what cryptography is, and supports the
FBI. As far as I can tell, the only reason they have any support at all is
because they confuse people and muddy the waters.

Edit: What I meant by "supports the FBI" is "supports the FBI on this issue".
If you understand encryption and support the FBI in a general sense, but think
they are wrong on this issue, then you aren't a counterpoint.

~~~
cvwright
Hi! Nice to meet you.

I think (some of) what the FBI is asking for lately is actually not that
unreasonable -- assuming we could do it right. Chris Wray, like Comey before
him, is _claiming_ that they only need a way to get into a few selected
devices in "exceptional" circumstances for criminal investigations. Whenever
the FBI/DOJ guys argue this point, they also make sure to say nice things
about the value of encryption for protecting the public.

Do they really believe the nice things they say? I have no idea, but for now
I'm willing to take them at their word for the sake of the debate.

Do they really want only a limited ability to access encrypted data? Again, I
don't know.

But suppose we could construct a truly limited mechanism that would give them
the ability to recover only a small amount of encrypted data. Then we could
call their bluff. If they still want more, they'd have to make the case to the
public that they should have the all-seeing power that our community claims
they're trying to get.

We have some early work along these lines. I gave a talk about it at Enigma
last week.
[https://www.usenix.org/conference/enigma2018/presentation/wr...](https://www.usenix.org/conference/enigma2018/presentation/wright)

~~~
iaw
Original poster (emphasis mine):

> I have never met anyone who _understands what cryptography is_ , and
> supports the FBI.

Your reply:

> I think (some of) what the FBI is asking for lately is actually not that
> unreasonable -- assuming we could do it right. ... suppose we could
> construct a truly limited mechanism that would give them the ability to
> recover only a small amount of encrypted data.

One precludes the other...

~~~
cvwright
> One precludes the other...

That's quite insulting.

Personally, I'm getting a bit tired of hearing "lol nerd harder! It's
impossible!" from people who can't even spell IND-CPA. (Not saying that you
are one of those. Just that there are a lot of them around.)

If it's really impossible, then somebody needs to show up with a proof of
impossibility.

~~~
naasking
If it's a matter of a backdoor/special key the FBI must keep secret, it will
leak, period. Then what?

If it's a matter of having the computing resources to crack a key, then
people's computers are too easily compromised to act as bots to solve any such
problem. Our computing infrastructure is simply too vulnerable. To avoid this
scenario, you'd have to secure every operating system in the world in a way
that they could not be compromised, even in principle. That's as close to a
proof as should be needed, unless there's a compelling counterargument to
suspect some assumption is false. I have yet to hear such an argument.

~~~
tptacek
It will leak, period? What's the Dual EC private key?

~~~
naasking
1\. "I'm not aware of it having happened, therefore it has not and will not
happen". I won't even bother listing all the fallacies in that position.

2\. Dual EC isn't protecting anything of value, and hasn't in about 15 years.
If your reply is meant to be pedantic about my phrasing, notice that the
context is about encryption that is actually in use.

~~~
tptacek
It's not protecting anything of value, you mean, besides every VPN session
generated by the most important vendor of hardware VPNs in the industry prior
to 2016?

------
natch
Completely apart from the possibility, more like a fact, that the back door
will be breached by non-law-enforcement black hats, there's another serious
matter here.

Anyone who thinks that a solution to this might be possible should be prepared
to give a good answer the following question:

How does your system protect the rights of people subject to these searches in
cases where law enforcement is evil?

Hint: it doesn't. And that's not a mere trivial inconvenience. It's a fatal
flaw that can corrupt economies, bring down governments, wreak havoc on lives,
destroy cultures, corrode societies, and crush freedom.

There's a reason Thomas Jefferson said "the price of freedom is eternal
vigilance." I don't want to live in a place like today's Venezuela, Syria,
China, North Korea... we should value our rights and our freedoms.

~~~
mschuster91
> How does your system protect the rights of people subject to these searches
> in cases where law enforcement is evil?

And especially: when law enforcement _becomes_ evil or goes rogue. For
example, in 1936 in the Netherlands a census had established a list of all
people - including their religious affiliation. When the Nazis marched in a
couple years later, they had a perfectly validated source of Jews to deport
(per
[https://de.wikipedia.org/wiki/Judenkartei#Niederlande](https://de.wikipedia.org/wiki/Judenkartei#Niederlande)).

While I do not believe that data about religion will be used as a round-them-
up-and-kill-them list ever again, there are other things which we allow
various forms of law enforcements or secret services to access or to do which
may be OK under our current governments but may very well be used _against_ us
in the future. There's a reason why undocumented people have been afraid to
register or interact with the government - what Trump and his cronies did
basically confirmed all their decade-long suspicions.

~~~
news_to_me
> While I do not believe that data about religion will be used as a round-
> them-up-and-kill-them list ever again

This seems to go against centuries of crusade and genocide, but we can always
try our best :)

~~~
mschuster91
> This seems to go against centuries of crusade and genocide, but we can
> always try our best :)

I'm German. I seriously hope for this world that no one will ever again dare
to repeat the atrocities that my ancestors have committed. But then, I am
afraid, the Holocaust and the two World Wars have drifted so far out of living
history that some may at least be tempted to try the latter one again.

~~~
namelost
Unfortunately there are even young Europeans who have been witness to
genocide. The Srebrenica massacre was 22 years ago.

------
sathackr
If silicon valley can just nerd a little harder and make it happen, then
surely the FBI can just try a little harder and eliminate all crime, and then
the problem goes away.

------
prophesi
Here's a link to the Senator's actual letter if you'd like to avoid the
sensationalism:
[https://www.wyden.senate.gov/download/?id=B31DD6FF-98E8-490C...](https://www.wyden.senate.gov/download/?id=B31DD6FF-98E8-490C-B491-7DE6C7559C71&download=1)

~~~
karlshea
What part of the article was sensational? It was mostly background and direct
quotes.

~~~
prophesi
"Senator Demands FBI Director Explain His Encryption Backdoor Bullshit" is the
main culprit.

The article is just a rewording of the letter; even the background information
is just the Senator's first few paragraphs.

------
davidw
Cool - I was pretty sure it was going to be Wyden before even opening the
article. I'm fairly happy with the job he's done as our senator in Oregon.

~~~
trendia
It's too bad the author didn't mention Wyden until the 5th paragraph. The
author puts "Senator" in the title, when "Senator Wyden" would be just _one_
more word.

~~~
joemi
Also, there was zero mention of what state the senator is from. Whatever
happened to the standard "(D-OR)" after first mention of a senator in an
article?

~~~
aeorgnoieang
I almost thought it was a Republican senator given the lack of affiliation!

------
debt
"Wray’s speech undoubtedly spurred frustration in Silicon Valley"

It's an absolutely ridiculous notion that everyone in the Valley is pro-
privacy. It's the exact opposite. Many of the security higher-ups in the
Valley are complicit and working very closely with law enforcement to figure
out a solution.

These companies are trying to figure out how to balance risk; the risk of
providing a secret way to open up someone's phone to the government while
keeping it hidden from everyone and the PR fallout of knowingly providing
backdoors to supposedly secure personal electronic devices.

It's got nothing to do with some high-and-mighty goal that every person is
entitled to privacy(of course the constitution would disagree but that's
irrelevant).

This is a hilarious facade. If they need access to the phone data, they will
get it.

On top of all that, the San Bernardino case illustrated that there is a market
for private security companies to circumvent most security protections anyway.

------
trendia
The US won't be able to force these rules on foreign companies selling outside
the US. e.g. Huawei, Samsung, and Sony are not going to backdoor their phones
for customers in Asia / Europe. So, corporate / governmental customers in
those countries are going to shy away from buying American phones... I can't
see how this is a good thing for American companies.

~~~
dmitrygr
But they will be able to ban sales of phones that do not comply. For God's
sake, they banned tiny circular magnets. Certainly they can ban particular
models of phones.

You're trying to use logic and reason as they apply to the government. The
dirty secret is: they don't. Ever.

~~~
zrth
Never read about "tiny circular magnets". What are you referring to?

~~~
koenigdavidmj
[https://en.wikipedia.org/wiki/Neodymium_magnet_toys](https://en.wikipedia.org/wiki/Neodymium_magnet_toys)

They were banned because if a child swallows two of them, then they'll pull
toward each other, possibly ripping a hole in the intestine.

~~~
cr0sh
Maybe as "toy sets" of magnets; it seems there's a ton of back and forth.

That said, you can get spherical rare-earth magnets here:

[https://www.kjmagnetics.com/products.asp?cat=12](https://www.kjmagnetics.com/products.asp?cat=12)

...though a set of such won't be cheap, depending on the size of the magnets
wanted.

------
gerdesj
Just after I read an article that a US Senator demonstrates that he
understands the risks inherent in backdooring crypto, I read this:
[https://www.theregister.co.uk/2018/01/25/uk_prime_minister_e...](https://www.theregister.co.uk/2018/01/25/uk_prime_minister_encryption/)
"Here we go again... UK Prime Minister urges nerds to come up with magic
crypto backdoors"

I was rather hoping our PM had quietly dropped that nonsense a while back but
it seems not. _sigh_

------
wyldfire
The simplest answer is to ask Congress to put aside a budget for a
Congressional encrypted communications channel with key escrow or some other
great backdoor idea. Then, the executive can do an RFP, get it implemented and
then we just wait until presumed-private-congressional communications are
revealed.

------
jchw
Remember when they spent a million dollars to get data off a phone that
provided them with no evidence?

Yeah, I'm going to say we don't even need the list.

~~~
jstarfish
To be fair, while it looks ridiculous that so much effort is spent trying to
break into phones in criminal cases, given how much of our lives are conducted
through them they are sources ripe with intelligence-- i.e. we can hope to
find out who a terrorist received support from, where a school shooter
obtained their guns, etc.

Sometimes it doesn't pan out, but such is the nature of criminal
investigations.

~~~
vuln
Why would a terrorist destroy their personal devices yet leave their work
phones intact? What kind of criminal would use a work device to commit any
sort of crime? I'm sure the work iPhone was managed by a MDM. The US spent
millions and even tried to force a company to write a backdoor. They tried to
set a precedent, they knew there was nothing on the phone. It wasn't about the
phone it was about using fear to get American citizens to sign over more
rights.

------
redbeard0x0a
Somebody in the Senate with a brain?! This is awesome.

I'm working to try and help get rid of Ted Cruz, we need good people running
the company - we need more like Wyden - asking these kinds of questions!

~~~
vvanders
Oh yeah, Wyden is pretty awesome[1]. I wish he was my senator. He's got a
pretty great record on tech related issues.

[1]
[https://twitter.com/RonWyden/status/896012835448381441](https://twitter.com/RonWyden/status/896012835448381441)

------
JustSomeNobody
>Why can’t they break encryption in a good way while they’re at it?

Thoughts like these always remind me of this[0]:

>On two occasions I have been asked,'Pray, Mr. Babbage, if you put into the
machine wrong figures, will the right answers come out?' I am not able rightly
to apprehend the kind of confusion of ideas that could provoke such a
question.

[0] I know that wasn't a direct quote from Mr. Wray, but it is in keeping with
his thoughts.

------
ilovetux
I keep hearing these arguments and after hundreds of hours of pub talks, the
absolute best idea me and my friends have come up with (it's still a bad idea)
is government issued crypto certificates.

The idea goes that about the same time someone is issued a social security
number they are also issued a cryptographic key pair. The cool thing is that
your key pair can establish identity and in case your private key is
compromised a new one could be issued easily. The government would have to
maintain copies of everyone's private keys.

The only way this would actually work in practice is if a number of new rights
were established and a number of existing rights were updated. I don't want to
enumerate what we came up with in discussions, but they are numerous.

The only real benefit to all of this is that encryption would have a backdoor
which is established before any encrypted communication actually takes place
so the protocols could be made as secure as possible. This also means that the
government would have to establish a monopoly on something that we can do with
a single openssl command.

~~~
csomar
Two things:

1\. That's a disaster waiting to happen. Lots of actors are targeting
governments, not just hackers and criminals (other governments and people from
inside the gov itself).

2\. That doesn't stop terrorists from using secure encryption.

What you are proposing gives government unlimited access to innocent citizens
data while it does nothing about access to malicious parties.

Sorry but this proposal makes no sense! At least the backdoor is a wolf in
disguise for government intervention in citizens everyday life.

~~~
ilovetux
I agree that its a disaster waiting to happen, so theres no need to apologize,
I mention that it's a bad idea in the first paragraph.

To be honest, I don't really know why I even posted it besides the fact that
it's something me and my friends have been discussing on and off for about a
year now because it keeps coming up in the news.

The "bad guy" problem is an inherent problem and while me and my friends have
come up with a few novel work-arounds none of them solves the problem
completely.

Another issue is that multi-layer encryption could disrupt the government's
ability to execute a warrant. If this BAD IDEA were implemented then multi-
layer encryption would need to be made illegal and that starts us down a very
dangerous path.

The only thing I think is a good idea is using a crypto key pair as a
replacement for ssn but only if it's not really used for encryption.

~~~
csomar
The only solution is to make crypto accessible. If it is, there is nothing the
gov can do about it. You can’t simply put half your population in prison.

~~~
ilovetux
It's true that you can't put half of your population in prison but you can
bring prison to the population just look at North Korea and a few other
authoritarian nations around the world.

We need a way to let law enforcement do their job but also balance that with
citizens rights. Backdooring encryption is not the answer, but perhaps there
can be some other answer. The alternative is mass surveilance like we have
today.

Something along the lines of a wiretap (this would technically be a state-
sponsored MITM attack) for electronic communication which would only be
possible with a warrant, but then we would probably end up with a secret court
(a la FISA) issuing these warrants.

The only point I would like to make is that we need to be open to discussing
possible solutions otherwise we might not like what the whistleblowers tell
us.

------
maxxxxx
Has anyone ever brought forward a concrete proposal how this could be
implemented?

~~~
sova
A widespread public backdoor that affects all devices so law enforcement and
anyone with the backdoor key can get in? Yeah, they are all over the place. I
suspect a lot of stuff the NSA pumps out already has excellent backdoors. I
think the only real way a government could encourage its citizenry to use
CLEARNET (unencrypted comms) for everything would be to offer some sort of
benefits if everything you did was easily observable by law enforcement.
Again, the backdoor idea is flaunting arrogance in the face of the Right to
Privacy and Unreasonable Search and Seizure, and I think the Senators have a
lot of emotional issues to work through before they start commanding the tech
sector to do anything. Nobody supports a backdoor, backdoors in software are
not good, end up falling into the wrong hands, and have historically never
prevented a single catastrophe -- I'd be happy if law enforcement revealed a
time when they cracked encryption to find some sort of juicy plot, but alas, I
have yet to read a single instance of the sort. If you add a backdoor to our
software systems, you're effectively adding a spy camera into every device
that uses that chip, and you are not in control of who has the key, despite
your best efforts. "Don't worry, only I know the combination to my suitcase,
it's quite alright if it exchanges 70000 hands" ... said nobody ever. Law
Enforcement and Legislation need to target this realm with a completely
different approach, otherwise we leave the back door to the castle completely
unguarded and defenseless.

------
yodon
Ron Wyden (D) Oregon is the senator who asked the FBI to name any
cryptographers that support backdoors. He’s by far the most tech savvy and
encryption savvy member of the house or Senate.

~~~
tatersolid
No, he’s not. I like him, but there are in fact more “tech savvy” Congress
critters.

Four members of the House have computer science degrees (at least they were
House members back in 2016):

Democrat Ted Lieu of California and Republicans Will Hurd of Texas; Bill
Johnson of Ohio; and Steve Scalise of Louisiana.

~~~
jlgaddis
Why do we never hear from them when this subject comes up?

~~~
tatersolid
Umm... we do, in fact, hear from them.

Example, first of many search engine hits:
[https://www.google.com/amp/s/techcrunch.com/2016/04/28/a-wha...](https://www.google.com/amp/s/techcrunch.com/2016/04/28/a-whatsapp-
chat-with-crypto-loving-congressman-ted-lieu/amp/)

------
aeorgnoieang
> During his January 9th speech at the International Conference on Cyber
> Security in New York, Wray called the prevalence of encryption an “urgent
> public safety issue” and said it had prevented law enforcement from
> accessing some 7,800 devices in the last _fiscal_ year.

[Emphasis is mine.]

~~~
mcguire
That struck me as a little odd, too. What fiscal year do they use? September
to September?

------
rkagerer
If that list ever gets released I would really like to see a follow up post
about it.

------
fny
Cryptography with backdoors means humans with knowledge of said backdoors in
both industry and government. Even if it were theoretically possible, I have
no faith in humans to protect this kind of information.

------
sharemywin
I'm sure the Chinese and Russian Governments could provide a list of willing
companies that would be happy to offer those services to american companies
and our government.

------
mxuribe
That is an awesome letter!

------
shmerl
Are there any that do, besides potential proponents of police state?

