
FBI Wants It to Be Impractical to Deploy Strong Encryption Without Key Escrow - rietta
https://rietta.com/blog/2016/03/16/its-not-just-one-iphone/
======
makecheck
Remember how New York’s (physical) master keys became easily accessible[1]
despite the fact that they were supposedly so carefully managed? All that
effort, all that trouble, and now not only is there essentially no security at
all but the master keys _created a security hole_ that did not need to exist.

The security of encryption is similarly proportional to the security of keys.
The fewer things you have to secure, the easier it is to keep them secret. The
“master key” concept in New York only served to create something of great
value that people wanted to acquire, and massively increased the risk when
that fell into the wrong hands. _Obviously_ the same thing could happen with
an encryption key, except it is worse because you don’t even have to be in the
same country as the source of the key to acquire it or use it.

[1] [http://www.nydailynews.com/new-york/pols-public-outraged-sho...](http://www.nydailynews.com/new-york/pols-public-outraged-shocking-master-key-security-breach-subways-article-1.167499)

~~~
krzrak
Interesting article. I find amusing this (quite popular) type of
argumentation:

> "This is a serious security breach," said Councilman Peter Vallone
> (D-Queens), who heads the Council's Public Safety Committee. "We know
> terrorists are planning to attack our subways, and the MTA and NYPD better
> find these magical morons quickly, and then make them disappear for a year
> in jail."

Like the only thing between terrorists and the subway platforms is that they
can't afford ticket, so they have to go through the staff gate.

~~~
anexprogrammer
But that is _so_ revealing of the mindset.

* We can have strong encryption just for the good guys
* We can have master keys that only approved staff will use
* We can block all the bad things on the internet and it'll be like they don't exist
* If we have a back door into an encrypted device, only the good guys will use it

It's like no politician ever read about crime. Staff can't be blackmailed or
bribed. No one working for the govt ever used resources for their own ends. No
govt agency ever tried to blackmail an inconvenient public figure. Because a
terrorist once made a terrible attempt at a bomb in his trainers, quick, we'd
better make millions of people remove their shoes at airports. Clearly no
terrorist has the wit to try a different approach.

The list is so damn long, yet people who really should know better get it
wrong with depressing regularity. Are most politicians _really_ that stupid?
What are their advisers advising FFS?

~~~
ThrustVectoring
It's a huge lack of systems thinking. It's like they believe that the universe
somehow cares about what they were trying to accomplish.

* If we reward schools for increasing student test scores, then we'll have better schools.

* If we fund a "war on drugs", we'll reduce the damage drugs do.

* If we enact rent controls and mandate the construction of below-market rate housing units, it'll help people afford housing.

This belief - that "having a goal and doing something that pattern-matches to
helping" works - is incredibly dangerous in policy-makers. It's also
incredibly difficult to fix, since the incentives for politicians are to make
rationalizations that are convincing to voters, and that kind of reasoning is
much easier to convey.

~~~
duaneb
> If we enact rent controls and mandate the construction of below-market rate
> housing units, it'll help people afford housing.

To be fair, this does in fact help many people afford housing. It just doesn't
fix the endemic issue.

~~~
ThrustVectoring
These are political favors to local interest groups. It actively hurts the
ability to find housing for everyone not blessed by the powers that be.

Dense housing _is_ affordable housing. When there's an empty apartment that
you're moving into, where do you think the old resident moved to? There's only
a few options - a new place got built that they moved into, the old resident
died, the old resident moved out of the housing area, or the recursive option
that cashes out into one of the previous ones. If you stop building units
("affordable housing" mandates) or arbitrarily keep low-income residents from
making housing bids (rent-control), the only bids for housing are going to be
from tech workers and market-rate housing gets ridiculous.

Fundamentally, the problem is that there's X people who want to live in the
area, and only Y housing units. The price is going to go up until the market
clears. Handing out political favors so that the people who vote for you don't
feel this reality isn't solving the problem: only building more housing will.

~~~
duaneb
> the problem is that there's X people who want to live in the area, and only
> Y housing units

I don't think this is the same problem you would address by rent control.

> Handing out political favors so that the people who vote for you don't feel
> this reality isn't solving the problem: only building more housing will.

And yet, there are many people living in rent-controlled housing who would
disagree with you. The person and problems you're painting do not exist
outside your head.

~~~
ThrustVectoring
> I don't think this is the same problem you would address by rent control.

Of course not. Rent control is fundamentally a tool for getting political
benefits at the expense of economic ones. It explicitly creates winners in the
voting district that implements it at the cost of losers everywhere else. It's
in the same moral class as dumping toxic waste into a river.

> And yet, there are many people living in rent-controlled housing who would
> disagree with you.

I'm not at all surprised that the beneficiaries of political favors support
handing out those favors.

~~~
duaneb
> Rent control is fundamentally a tool for getting political benefits at the
> expense of economic ones. It explicitly creates winners in the voting
> district that implements it at the cost of losers everywhere else. It's in
> the same moral class as dumping toxic waste into a river.

I'd love to hear the argument for this. Again, many people living in rent-
controlled houses would disagree. Just because people are poor you cannot
write them off as votes.

~~~
ThrustVectoring
[http://www.econlib.org/library/Enc/RentControl.html](http://www.econlib.org/library/Enc/RentControl.html)

> Economists are virtually unanimous in concluding that rent controls are
> destructive. In a 1990 poll of 464 economists published in the May 1992 issue
> of the American Economic Review, 93 percent of U.S. respondents agreed, either
> completely or with provisos, that “a ceiling on rents reduces the quantity and
> quality of housing available.”

~~~
duaneb
Ok, so economists agree that "a ceiling on rents reduces the quantity and
quality of housing available". Thankfully, economists don't run our country.
How does this support the statement "Rent control is fundamentally a tool for
getting political benefits at the expense of economic ones."? Quantity and
quality of housing are arguably much less important than ensuring there is a
viable working class—just see how terrible a place SF or Manhattan is to live.

~~~
ThrustVectoring
There's two different questions that policies should answer - what sort of
stuff do we get out of it, and who gets that stuff. These are often referred
to as allocative and distributive, though I'm remembering the precise
technical wording from memory so I could be wrong on that.

That's the distinction that drove me to make the political versus economic
benefits distinction. Rent control as a whole makes things worse - there's
less housing, it's of worse quality, and it drives up the cost of market rate
housing. On the whole, it's a bad allocation of resources: we'd much rather
have cities with more housing that's of higher quality (because people are
more than willing to pay for it). The problem is that this sort of policy
creates winners and losers, and the losers are often the ones who get to set
local policy.

There's two solutions - have a ban on rent control at a higher jurisdictional
level (Washington State does this), or bribe current residents to lift rent
control. The latter should make everyone better off - we pay for keeping the
working class viable with the overall economic gains made by lifting rent
controls.

Anyhow, my overall point is that we should hand out the who-benefits stuff
without making society worse off as a whole, simply because the locals who
happen to live in an area are able to hold overall policy hostage.

~~~
thatcat
> pay for keeping the working class viable with the overall economic gains made
> by lifting rent controls

The economic gains from lifting rent control are going to go to slumlords, not
just get dispersed to everyone. Also, housing isn't an elastic supply market.
when rent goes up it doesn't necessarily mean the quantity of housing will
increase as a result since housing is often limited by zoning, drainage, and
many other things than profitability of rentals. Also when you consider the
destabilizing effect of people having to move every few years due to rental
price fluctuation, it's not really a clear cut benefit to "bribe current
residents to lift rent control" if that were even an option.

> we should hand out the who-benefits stuff without making society worse off as
> a whole, simply because the locals who happen to live in an area are able to
> hold overall policy hostage

but this is how democratic communities work... local communities decide what
is 'making society worse' where they live; as they should, since it obviously
affects them the most.

~~~
ThrustVectoring
> local communities decide what is 'making society worse' where they live; as
> they should, since it obviously affects them the most.

Local optimization is not the best strategy, even according to those doing
the local optimizations. Both participants in a Prisoner's Dilemma are better
off if they hand their decision-making over to a third party, conditional on
the other person also doing so. The Bay Area as a whole wants affordable
housing, they just don't want to make the Bay as a whole better off by making
unfair sacrifices in their neighborhood.

It's a classic coordination problem, caused in large part because decision-
making is too local compared to the regional benefits of housing construction.

------
taf2
So... the FBI is essentially arguing we should all keep our doors unlocked
because they have had to do some investigations in the past where they came to
a home that was locked and it was hard for them to enter the home.

~~~
onion2k
The FBI want to have a giant warehouse that houses a copy of every house key
but we don't need to worry because no one will ever manage to break in to the
warehouse.

~~~
Benjammer
And everyone with legitimate access to the warehouse will be 100% trustworthy
no matter what for the entire span of time they are granted access, and nobody
without legitimate access will ever be allowed in, even someone like a co-
worker of someone with access, and even under the full supervision of someone
with legitimate access.

~~~
f00b4r123
An even stronger guarantee: That the definition of trustworthy and "good guy"
are unchanging, and even in a dystopian future where a rogue actor is in
control of government, those keys are safe because they understand the
morality of the people who created them.

~~~
ethbro
I'd say something to invoke Godwin's law, but it seems pretty clear that
genocidal governments that sweep into power love having access to copious
amounts of detailed records.

~~~
AngrySkillzz
They don't even have to be genocidal; they could just be Richard Nixon.

~~~
r00fus
Or Donald Trump.

------
jpgvm
I wonder if anyone has explained to them there is this thing called open-
source software. Sure you may be able to convince/force Apple to give you some
sort of key escrow system but do you think you can convince the GPG
developers?

If you implement key escrow and it's public knowledge that encryption systems
that implement it are useless then people that actually want to hide stuff
will simply use GPG and other uncompromised systems.

The only thing this sort of system is good for is enhancing the reach of the
surveillance apparatus. That is, spying on innocent people. As for why they
want to do this.. no-one knows but it's awfully concerning.

~~~
mike_hearn
I see this objection raised so frequently, and I feel it really misses the
point badly.

The tech community tells itself that it won the first "crypto wars". You
cannot win "wars" against governments in that sort of sense and the first
crypto war was never actually won at all. I think in light of events in recent
years we need to reinterpret the events of the 90's in a new light - the tech
industry didn't win, rather, after realising how awful and worthless the
software the cypherpunks produced really was, the government simply got bored
of playing.

Nobody, and I mean nobody, gives one tiny shit about GPG. GPG is so bad, such
truly unusable software, that terrorists would literally rather die or risk
lifetime imprisonment than use it:

[http://privacy-pc.com/articles/how-terrorists-encrypt-threatscape-overview.html](http://privacy-pc.com/articles/how-terrorists-encrypt-threatscape-overview.html)

Governments don't care about GPG now, they don't care about some theoretical
open source program that you could install from abroad, they only care about
the encryption their adversaries actually use which - given that 99.9% of the
FBI's adversaries are not crypto experts - turns out to be whatever ordinary
people are using automatically thanks to tech companies switching it on.

This is especially true because often people don't meticulously plan crimes
out ahead of time: they either commit crimes of passion, or they make basic
mistakes. So if you have to plan ahead and convince not only yourself, but all
your accomplices, all to install some exotic and awkward to use piece of
technology ... well, a lot of bad guys won't do it.

So. If the FBI succeeds in breaking the encryption used by Apple, Google,
Microsoft, Twitter, Facebook and a few other big names, then they've got 99%
of the guys they want.

~~~
jpgvm
GPG was just an example. Other end-to-end open-source systems are more widely
used like Signal are the same, not exactly easy to insert a backdoor into a
system that is a) open and b) completely distributed with no central key
authority.

Maybe it still misses the point because the FBI doesn't actually care about
hitting hard targets. If that is the case that is pretty sad.

Average crimes can be solved with average tools, we shouldn't be authorising
access to phones and other electronic intercepts or access without crimes that
go beyond average.

You could argue the San Bernardino case was beyond average, and you would
probably be right. But the perps knew that too, that is why they destroyed the
phones after they were done, chances are they took other measures too but no
one will know as they destroyed the devices.

What is clear is not that these laws wouldn't make their jobs easier - they
almost certainly would. But they aren't needed, and implementing them
would have 0 effect on the actually hard targets that they in theory would be
useful for neutralising.

~~~
JoshTriplett
> Other end-to-end open-source systems are more widely used like Signal are
> the same, not exactly easy to insert a backdoor into a system that is a)
> open and b) completely distributed with no central key authority.

If Signal weren't available from any of the major app stores, such that it
didn't work on iOS at all and didn't work on Android devices without turning
on the intimidating option to allow non-Play-Store apps, how much usage do you
think it would get compared to today?

Making real security hard to get would cause far fewer people to actually use
it.

------
kylehotchkiss
Sort of a bummer that lawmakers don't have a better understanding of
encryption in general and what it protects. They'd condemn hackers breaking
into phones/accounts and stealing important notes/pictures, but turn around
and condemn the very technology preventing that from happening to _everybody_

Anybody here want to run for office and be a voice for tech rights?

~~~
mc32
It's only a dichotomy if you see it from the angle where data is sacrosanct
and it's beset on all sides by evil trying to do it in.

The better way to approach this issue, long term, is from a legal point of
view with an interim state where encryption holds us over. That is, the law
decides who may or may not own or access a certain type of data with penalties
upon tort or criminality. And we develop civil protocols for data governance
between people and between people and governments.

Like trademark. You could have it so trademark, i.e. authentication, is
protected by mathematics, or you can have it protected legally.

Personally I don't believe the answer to data theft or surveillance is more
mathematics in the form of encryption, but sensible laws regulating data, its
use and access, with penalties for transgressing. Obviously this would require
international cooperation and would be a long way off, and in the interim we'd
need encryption to protect against unauthorized access until we reach that
state of data governance. But ultimately the answer is not "make everything a
black hole".

We don't protect against thieves by building impenetrable houses, we rely on
legal instruments to dissuade burglary.

~~~
AnthonyMouse
Thieves can't traditionally steal your stuff on a mass scale without you ever
knowing about it and then cost effectively use it to economically and
psychologically manipulate entire populations.

Once someone has your data, you don't know what they're doing with it and
neither does the government. Which means they have to be prevented from
getting it in the first place, which means encryption and laws that encourage
and facilitate encryption.

~~~
mc32
Then the problem is putting so much meaning to data. Why should my ID (or SSN)
have so much value? Why should my medical records have so much value? Medical
records have value mainly because they can lead to discrimination, so the
solution to that is to remove the value of discrimination (job, medical care
costs, etc.) based on medical conditions.

~~~
AnthonyMouse
> Why should my ID (or SSN) have so much value?

Because it existed before the invention of public key cryptography and is now
permanently entrenched. If you think you can fix that, go do it and then make
this argument after nobody is using SSNs anymore. Also, your argument for not
deploying cryptography is "we should solve that problem cryptography would
solve if it was more widely deployed"?

> Why should my medical records have so much value? Medical records have value
> mainly because it can lead to discrimination, so the solution to that is
> remove the value of discrimination (job, medical care costs, etc.) based on
> medical conditions.

You say "the solution" like all we have to do is snap our fingers and people
will stop discriminating based on medical conditions even though doing so is
highly profitable. The way the laws against that type of discrimination work
is by _preventing the discriminating party from obtaining that information._

Also, good luck passing or enforcing a law that says prospective mates can't
discriminate against you based on your medical or mental health records. To
say nothing of the outright violence that would result if the names of women
who get abortions became known to the wrong people.

------
stegosaurus
Here is the source code for the Linux Kernel including dm-crypt:
[https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux....](https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/)

Here is the source code for cryptsetup:
[https://gitlab.com/cryptsetup/cryptsetup](https://gitlab.com/cryptsetup/cryptsetup)

Here is the source code for GnuPG: [http://git.gnupg.org/cgi-bin/gitweb.cgi](http://git.gnupg.org/cgi-bin/gitweb.cgi)

I have these files on my hard drive.

There are probably cryptographers that can recite the RSA/AES algorithms from
memory.

We have the Internet and general purpose computers.

The only way you're getting rid of encryption is destroying all of that. I
don't know why people feel the need to resort to arguments about economic
damage, civil rights, whatever.

This is the fucking _Internet_ we're talking about. This isn't some biscuit
tin with a particular pattern that Uncle George really, really likes. It's the
god damn Internet.

You want to destroy one of the most beautiful creations humanity has ever
seen, in the name of what? Stopping a few marathons being bombed?

Is the entire government clinically insane? Would they turn the sky green if
it gave them more power? Am I still living in reality?

~~~
kenshaw
What most people probably don't realize is even if the government was somehow
able to successfully outlaw cryptography and eliminated it completely from the
face of the earth, it would do absolutely nothing to prevent future marathon
bombings. The two simply aren't related, and there is nothing on this phone
that is going to magically help the FBI, NSA, or any other TLA find and stop
terrorists from acting.

------
tshtf
In the future, the few years following Snowden's revelations may be viewed as
the golden years of strong cryptography: a time when service providers and
application developers began taking these issues seriously.

We're moving into a new era now. All it may take is a single attack in the US
to drive the legislative and judicial branches to roll back all the fantastic
improvements we've seen over the past few years.

~~~
graycat
They can "roll back" for mass marketed products but not for some simple, open
source software in standard C that someone runs on an old PC with PC/DOS, no
hard disk and no network connection. So, when you turn the power off, the PC
forgets everything about the de/encryption. The only non-volatile storage is
on diskette. If worried, then just burn those. With the encryption done, the
output is just a base 64 file of gibberish safe to mail to the NYT, FBI, CIA,
NSA, etc. And with no attempts at security, one can use products from Apple,
Google, and Microsoft to send such data with no problem.

The little command line programs on PC/DOS? Easy enough for middle school
students to use; when that was state of the art computing, middle school
students did use it.

~~~
tjgq
And then they will outlaw the possession of said standard C software, as well
as of computer hardware that does not comply with government-mandated
eavesdropping. And then they will pass laws that force you to give up the
encryption key to that Base64 data or face imprisonment. Even if the Base64
data is just a sequence of completely random bits - because who would keep
sequences of random bits around, unless they're a terrorist trying to hide
something?

I'm sorry, but I don't think pushing encryption down into the underworld is a
viable solution to the problem. There's no limit to the bad laws that the
government can pass. The only real long-term solution is to recognize
encryption as a right, otherwise we'll only keep seeing these repeated
attempts to outlaw it.

~~~
graycat
> And then they will pass laws that force you to give up the encryption key to
> that Base64 data or face imprisonment.

IMNAL, but my understanding is that such a law would run into rock solid,
granite hard, iron clad parts of a little issue called the US Constitution.
E.g., if the cops ask you a question, then you don't have to answer. The
person's lawyer can just tell the cops that "My client has no idea what that
base 64 gibberish is."

For encryption as a recognized right, no, that's asking a bit much of the US
political system.

BTW, for the person receiving the base 64 code (that's the way JPGs, etc. are
sent in e-mail), first go through base 64 decoding and, then, apply the
receiver's private key to that to decode back to the secret message, e.g.,
where and when the boy and his girlfriend are going to meet and carve their
initials on a tree.

Base 64 is in the internet standard for e-mail, and there it is called MIME, for
multi-media internet mail extensions. So, the idea of MIME is to permit
sending pictures, audio, movies, etc.

So, in arithmetic, base 10 has digits 0-9, that is, 10 digits. Base 16 has,
right, 16 digits, 0-9-A-F. Base 2 has, you guessed it, 2 digits, 0-1. Well,
presto, bingo, base 64 has 64 digits, 0-9, a-z, etc., all simple, ordinary
printable characters such as e-mail had been sending right along.

Well, with 6 bits, can count from 0 to 63, that is, have 64 different
patterns. So, given a stream of bits, can replace each 6 of them with one of
the base 64 digits. And there is a simple solution for what to do with any few
bits left over. So, that is how to take any stream of bits and 'encode' it to
just printable characters easy to send via e-mail.

A huge fraction of all Internet data is sent as base 64. So, base 64 data
alone is nothing suspicious.
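The 6-bit grouping, the leftover-bits rule and the MIME line wrapping described above, written out as a small encoder and decoder. This is an added example, not code from the thread or from any commenter; the function names are mine, and the 76-column wrapping follows what RFC 2045 specifies for base64 bodies in e-mail.

```python
"""Base64 from the description above: each 6 bits of input becomes one of 64
printable "digits"; a 1- or 2-byte tail is zero-filled and marked with '='.

Added example for this thread, not anyone's posted code. Base64 is an encoding,
not encryption: anyone holding the text can reverse it with b64decode().
"""
import string

# The 64 digits: A-Z, a-z, 0-9, '+', '/' (the standard alphabet).
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
DECODE_TABLE = {ch: i for i, ch in enumerate(ALPHABET)}


def b64encode(data: bytes) -> str:
    """Encode a byte stream: 3 bytes = 24 bits = 4 six-bit digits.

    A leftover 1-byte tail carries 8 bits and yields 2 digits ('==' padding);
    a 2-byte tail carries 16 bits and yields 3 digits ('=' padding).
    """
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = len(chunk)
        # Pack the chunk into a 24-bit integer, zero-filling missing bytes.
        bits = int.from_bytes(chunk.ljust(3, b"\0"), "big")
        digits = [ALPHABET[(bits >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        keep = n + 1  # digits that carry real bits; the rest become '='
        out.append("".join(digits[:keep]) + "=" * (4 - keep))
    return "".join(out)


def b64decode(text: str) -> bytes:
    """Inverse of b64encode. Whitespace (MIME line breaks) is ignored.

    Raises ValueError for a bad length, a character outside the alphabet,
    or padding that is not at the very end.
    """
    clean = "".join(text.split())
    if len(clean) % 4 != 0:
        raise ValueError("base64 input length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(clean), 4):
        quad = clean[i:i + 4]
        pad = quad.count("=")
        if pad > 2 or not quad.endswith("=" * pad) or (pad and i + 4 != len(clean)):
            raise ValueError("malformed base64 padding")
        bits = 0
        for ch in quad:
            if ch != "=" and ch not in DECODE_TABLE:
                raise ValueError(f"invalid base64 character {ch!r}")
            bits = (bits << 6) | (0 if ch == "=" else DECODE_TABLE[ch])
        # 24 bits -> 3 bytes, minus one byte per pad character.
        out += bits.to_bytes(3, "big")[:3 - pad]
    return bytes(out)


def mime_wrap(encoded: str, width: int = 76) -> str:
    """Break the digit stream into CRLF-terminated lines of at most `width`
    characters, the line length RFC 2045 sets for base64 bodies in e-mail."""
    return "\r\n".join(encoded[i:i + width] for i in range(0, len(encoded), width))


if __name__ == "__main__":
    # Constructed sample: the classic "Man" / "Ma" / "M" cases show the tail rule.
    for sample in (b"Man", b"Ma", b"M"):
        print(sample, "->", b64encode(sample))
    payload = bytes(range(100))  # constructed "random" bits, 100 bytes
    wrapped = mime_wrap(b64encode(payload))
    print(wrapped)
    assert b64decode(wrapped) == payload
```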

~~~
Sacho
> IMNAL, but my understanding is that such a law would run into rock solid,
> granite hard, iron clad parts of a little issue called the US Constitution.
> E.g., if the cops ask you a question, then you don't have to answer. The
> person's lawyer can just tell the cops that "My client has no idea what that
> base 64 gibberish is."

"And here our intelligence network shows proof that your client has talked
about this base64 gibberish in the past with other people, so let's add
perjury to your charges".

But your point is valid, you have a right to not incriminate yourself in the
US. The case with Apple, however, is that a third party you've trusted is
being asked to breach that trust. The 5th does not apply at all.

Not to worry, however, as long as you don't communicate with anyone, you're
safe. The moment you do communicate with someone though, you'd have to put
your trust in them. And then the FBI could demand, _from them_, the
conversations you've had. And then the 5th has no value.

------
Tepix
If all US crypto is backdoored, the rest of the world and the criminals will
use non-US crypto.

The FBI also wants to infiltrate communities of human rights activists. There
are many reasons not to overly trust them.

~~~
ex3ndr
Our project (actor.im) already started to adopt Russian encryption.

~~~
Tepix
Open source encryption should do the trick, if a backdoor gets added, just
fork it.

------
chatmasta
The FBI can whine about this all they want. I hope that the lawmakers
interpret it as the FBI spitting in their face, because that's exactly what's
happening. We have had this debate already -- in the 1990s -- and this was the
result:

"A telecommunications carrier shall not be responsible for decrypting, or
ensuring the government’s ability to decrypt, any communication encrypted by a
subscriber or customer, unless the encryption was provided by the carrier and
the carrier possesses the information necessary to decrypt the communication."
[0]

The FBI can lobby to change that, but that's not what they're doing. They're
lobbying that OTHER laws (e.g. the All Writs Act) enable what they want.
Frankly, that's absurd... how can a 1789 law overrule a 1994 law when you're
talking about modern technology?

Ironically, the FBI is creating incentives for new tech startups to
incorporate outside of the USA. If you're building a product which depends on
reliable encryption in order to be valuable, why the fuck would you
incorporate in the USA?!? You would alienate foreign customers who are
suspicious of the US legal/surveillance apparatus. And you would be entering a
murky legal landscape where it seems increasingly likely that, if your startup
ever becomes big enough to be a target, the government will require some kind
of key escrow or it will shut down your business or even jail you.

In the face of that much uncertainty, it seems like it would be _asinine_ to
incorporate in the USA.

Maybe there is space in the market for a business to commoditize offshore
incorporation. Make setting up a Seychelles corporation as easy as setting up
a US LLC. Build in as many legal protection mechanisms as possible, e.g.
owning the corporation via a trust that you are the sole executioner of.

[0] [http://www.law.cornell.edu/uscode/47/usc_sec_47_00001002----...](http://www.law.cornell.edu/uscode/47/usc_sec_47_00001002----000-.html)

~~~
likeatlas
_Maybe there is space in the market for a business to commoditize offshore
incorporation._

Like [https://stripe.com/atlas](https://stripe.com/atlas) except outside the
US.

------
nske
Scary that something so important will be determined by the perception of the
vast majority of the public, who has no understanding of what's at stake.

To most people arguments like "it will help us find terrorists and pedophiles"
and flawed analogies with doors and keys are much more appealing, only because
they are easy to understand, while the opposite arguments sound philosophical,
alien or carry less weight because they contradict what "the experts" (i.e.
the FBI) claim.

But they shouldn't sound so: what's happening is wrong not just because of the
practical fallacies of the pro-restrictions arguments -in which most
discussions focus currently- it is wrong because the only way for government
monitoring to be effective in the end, is to outright criminalise secure
encryption by everyone. It should be blatantly obvious that the most dangerous
of their claimed target group, wouldn't be dissuaded by the inconvenience of
using custom/non-friendly software/hardware, so any lesser measure would be
just useless.

And on that premise, how can many people not see how wrong it would be if one
day we are called criminals for exchanging a truly private message with
someone? In what words and with what simple examples can you make non-
technical people see how bad this reality would be and how far it can stretch
to things that they do care about? And that even if it didn't, it would still
be fundamentally wrong...

Not a rhetorical question by the way, I've tried to participate in such
discussions and failed miserably to be convincing -so any tips are
appreciated.

------
CiPHPerCoder
So we've moved from the clipper chip to, prospectively in the near future, the
Clapper chip. History is trying to repeat itself, but this time we have legal
precedent.

[https://en.wikipedia.org/wiki/Bernstein_v._United_States](https://en.wikipedia.org/wiki/Bernstein_v._United_States)

[https://blog.cr.yp.to/20160315-jefferson.html](https://blog.cr.yp.to/20160315-jefferson.html)

All this sort of tactic will do is result in irreparable damage to the tech
sector and the US economy. No murders, rapes, child abductions, terrorist
plots to destroy buildings, or whatever other specters they summon to haunt us
will be prevented.

~~~
wyldfire
> On October 15, 2003, almost nine years after Bernstein first brought the
> case, the judge dismissed it and asked Bernstein to come back when the
> government made a "concrete threat".

I guess the threat's technically not here yet, but seems like it's right
around the corner. djb, pack your bags for the ninth circuit.

------
grandalf
Comey's argument makes sense at first. Why not have a trusted escrow provider
keep keys safe, and also respond to court orders when necessary. It feels
almost like a checks and balances kind of argument, the kind that Americans
find persuasive with our three-branch government.

The problem is that _we now know that the government has the goal of unlawful
surveillance without oversight from courts, the legislature, or the public_.
There is essentially an ongoing "by any means necessary" attack on civil
liberties.

Why should we think that the government is not planning to infiltrate the
escrow services and preemptively capture all keys?

There has been a profound breach of trust (revealed by Snowden) and we must
insist upon the rule of law and basic democratic transparency before we
consent to any further risks.

I try not to be cynical but I am thinking that the trend we are on is leading
to strong crypto being largely criminalized. I am hoping that our
decentralized systems adapt to this threat and offer solutions that cannot be
shut down (like Bitcoin and Ethereum).

Incidentally, if Apple seems likely to lose the battle over a back door, it
ought to offer an Ethereum smart contract that will unlock one phone every
day, require a key provided by each member of congress (with 100% consent
required to unlock a device), and publish all unlock key requests on the
Ethereum blockchain after a 30 day delay in case an investigation is in
progress.

This protects against mass surveillance, but offers a very small back door
with full transparency and no potential for large scale use (or abuse).

~~~
Grishnakh
So what do you do when the "trusted" escrow provider gets hacked, just like
OPM was, and countless US corporations who've had customer records and credit
card numbers stolen?

What's the point of using encryption if you're going to put the keys in the
hands of some unaccountable entity which is easily hacked? You might as well
not use it at all then.

~~~
grandalf
I didn't argue any of those things. I think you missed the subtlety of my
comment.

------
mikekij
It seems as though the tech community (myself included) uniformly agrees that
the FBI's requests are unreasonable.

Is there someone with a sound technological understanding of encryption that
thinks we _should_ have some back door / key escrow / master key? I've seen
that Fred Wilson and other USV partners seem to think the FBI's requests are
reasonable, and usually I trust their analysis. But this whole thing just
seems like such a bad idea.

------
lossolo
Rest of the world will just do encryption in their hardware/software. Good
luck to USA tech companies if this law will be enforced.

------
italophil
This sounds like the equivalent to the TSA approved locks for luggage. Just
decoration and no real protection at all.

~~~
DamnYuppie
The funny thing is that if you transport firearms you CAN'T use TSA locks.
Which I find very funny, it is as if they are saying we don't trust our own
people.

------
Zigurd
Keep an eye on the would-be profiteers. Why would VCs like Fred Wilson land on
the side of the FBI and parrot their position despite certainly knowing
better? Because there are billions of dollars of government investment money
being lined up to implement the wishful thinking key escrow and other back-
door schemes. Even if back-doored encryption is doomed in the market, co-
investors will be rewarded.

~~~
mikekij
As naive as it may be, I had never considered this. I think Fred is a
trustworthy enough guy that he may not consciously be thinking about
profiteering, but I can't figure out any other reason a tech investor would
support back doors.

~~~
Zigurd
Shrewd plays or profiteering from idiocy... call it what you like. Look at the
people on this forum who know a great deal about security. Some like to
portray themselves as thoughtfully open minded - that they are seeking a
solution. They make respectful noises about legal traditions. They know it
boils down to exhuming the corpse of key escrow and rebranding it. But they
are in a position to profit.

------
coldcode
The FBI director is hanging out on a very long limb and sawing away. Even if
you mandated in the US that everyone only use HTTP and no encryption everyone
will just use it from other countries. Even if one country on earth has one
competent programmer implement one secure framework everyone will use it. This
is beating a dead horse long after it's been cremated.

~~~
emodendroket
All you have to do is look at Korean banking to see that Rube Goldberg
machines with questionable security practices can easily become standard with
the "correct" legal apparatus in place.

------
makmanalp
Schneier, Hal Abelson, Adleman (from RSA) already wrote about key escrow
almost 2 decades ago. From the text:

> All key-recovery systems require the existence of a highly sensitive and
> highly-available secret key or collection of keys that must be maintained in
> a secure manner over an extended time period. These systems must make
> decryption information quickly accessible to law enforcement agencies
> without notice to the key owners. These basic requirements make the problem
> of general key recovery difficult and expensive -- and potentially too
> insecure and too costly for many applications and many users.

> Attempts to force the widespread adoption of key-recovery encryption through
> export controls, import or domestic use regulations, or international
> standards should be considered in light of these factors. The public must
> carefully consider the costs and benefits of embracing government-access key
> recovery before imposing the new security risks and spending the huge
> investment required (potentially many billions of dollars, in direct and
> indirect costs) to deploy a global key recovery infrastructure.

[https://www.schneier.com/cryptography/archives/1997/04/the_r...](https://www.schneier.com/cryptography/archives/1997/04/the_risks_of_key_rec.html)

------
malandrew
If the FBI gets its way on this, quite simply the US will no longer deserve
the technology industry it currently has.

I for one would follow companies moving abroad to do the right thing and avoid
these shenanigans entirely.

On top of it being the right thing, it is also in Apple's economic interest to
fight this since the US is but one market. They also happen to have enough
cash to flat out threaten to move all affected products out of the US and have
them built by a non-American subsidiary.

------
skybrian
The problem with these slippery slope arguments is that they start treating
unlocking a phone as the equivalent to breaking network encryption when
technically they're not at all the same. Apparently the FBI wants you to think
they're the same too? If so, don't let them get away with it.

Signing a software update with a private key you already have is using crypto
as it was intended. We presume private keys can be kept secure with enough
effort, or public key encryption doesn't work, https doesn't work, software
updates don't work, game over. Any attempts to get private parties to turn
over their private keys should be strongly resisted, but requiring them to
sign something given a search warrant adds a procedural step that acts as a
check on government power (they can verify that the search warrant is valid,
minimize scope of the change, and fight it in court if necessary).

Key escrow is a whole different thing, where they require a whole new system
to be designed to preserve keys that would normally be destroyed. It's hard to
preserve information when the user wants to destroy it (they can block network
traffic and destroy the phone), resulting in all sorts of bad effects on
system design and new vulnerabilities.

------
outworlder
Let's imagine they succeed. So all strong encryption will need to have the
keys stored "safely" somewhere. Perhaps at some government-controlled server,
because we all know they are super secure.

So, what happens once the keys eventually leak? When nation states AND
terrorist organizations get the keys to unlock everyone's encryption?

If "think of terrorists" is the rhetoric here, what happens when THEY have
access to our devices?

------
hackuser
As much as I object in principle, it's an interesting technological puzzle.
I've been wondering about a hardware-based solution:

* A fuse that when broken reduces the cost of cracking the security from 'impossible' to something an organization with large resources, such as the FBI, can do in a day.

* When the fuse is broken, a message is displayed to the user indicating it. At least, the device might not boot, tipping off the user that something is wrong.

_

It would meet these requirements (am I overlooking any important ones)?

* Nobody could mass-crack the devices. To crack it, you would need the device in your possession and a day of significant computing power.

* It would require a significant investment of resources, so it wouldn't be done for trivial issues.

* Users would know when their device has been cracked: It would have to be out of their possession for 24 hours and they would be notified.

_

The question is, could such a thing be implemented in a way that it couldn't
be hacked (without great difficulty)?
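
An added example, not code from the comment above and not a description of any real phone's security chip: a software model of the fuse idea, so the three requirements can be checked against something concrete. The disk key is derived from a device-bound secret plus the passcode; while the fuse is intact the secret never leaves the chip and guesses are rate-limited through the hardware path, so nobody can search passcodes without possession. Blowing the fuse exports the secret and makes an offline search feasible, but the fuse state is permanent and reported at boot. The guess limit, KDF iteration count and PIN length are parameters chosen for the model, not facts about any product.

```python
"""Toy model of a tamper-evident fuse that converts 'impossible' into
'offline search with the device in hand'. Added example, stdlib only."""
import hashlib
import secrets

KDF_ITERATIONS = 1000  # kept small so the model runs in seconds


def derive_key(device_secret, passcode):
    """Disk key = KDF(passcode, device_secret). Without device_secret the
    passcode space cannot be searched at all."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), device_secret,
                               KDF_ITERATIONS)


class FusedDevice:
    def __init__(self, passcode, max_guesses=10):
        # Assumption: a per-device secret burned into silicon, not exportable
        # while the fuse is intact.
        self._device_secret = secrets.token_bytes(32)
        self.fuse_intact = True
        self.max_guesses = max_guesses
        self.guesses = 0
        # Key verification value on disk so a correct unlock can be recognised.
        self.key_check = hashlib.sha256(
            derive_key(self._device_secret, passcode)).digest()

    def try_unlock(self, passcode):
        """Online guess through the hardware path: counted and capped."""
        if self.guesses >= self.max_guesses:
            raise PermissionError("device locked: guess limit reached")
        self.guesses += 1
        candidate = hashlib.sha256(
            derive_key(self._device_secret, passcode)).digest()
        return candidate == self.key_check

    def blow_fuse(self):
        """Physical step requiring possession. Exports the device secret and
        leaves a permanent, user-visible mark."""
        self.fuse_intact = False
        return self._device_secret

    def boot_banner(self):
        if self.fuse_intact:
            return "boot: security fuse intact"
        return "WARNING: security fuse blown; this device has been opened"


def offline_search(device_secret, key_check, pin_len=4):
    """Attacker holding the exported secret tests every PIN offline, with no
    guess counter in the way."""
    for n in range(10 ** pin_len):
        pin = str(n).zfill(pin_len)
        if hashlib.sha256(derive_key(device_secret, pin)).digest() == key_check:
            return pin
    return None


def offline_search_hours(pin_len, guesses_per_second):
    """Worst-case duration of the exhaustive search once the fuse is blown;
    the knob that decides whether 'a day of significant computing' holds."""
    return 10 ** pin_len / guesses_per_second / 3600


if __name__ == "__main__":
    dev = FusedDevice("0042", max_guesses=3)
    print(dev.boot_banner())
    for pin in ("0000", "0001", "0002"):
        print(pin, dev.try_unlock(pin))  # all False, counter now exhausted
    leaked = dev.blow_fuse()               # needs the device in hand
    print(dev.boot_banner())               # owner sees the warning
    print(offline_search(leaked, dev.key_check))  # "0042"
```

Two things the model makes visible: the offline cost is set entirely by the KDF work factor and passcode length, so "a day for a large organisation" is a tuning decision that drifts as hardware gets faster; and the boot warning only helps if the user gets the device back, which the comment's third requirement assumes.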

~~~
grandalf
See my other comment in this thread for a solution

------
saosebastiao
I think an interesting approach that could be taken by Apple is to concede to
letting the FBI have a master key, so long as they hold an insurance policy
that covers the damages in the case of a key leak, including but not limited
to the potential damage to Apple's brand and market value, and the same
damages to all of Apple's customers that relied on their security.

That would force the FBI to reconcile the costs of maintaining a multi-
trillion dollar insurance policy with the expected value of a potential
reduction in terrorism. When it comes to the US government, money seems to
talk louder than anything else...seems like it could possibly work.

~~~
autotune
I, for one, would gladly enjoy having to pay for the insurance policy in the
form of taxes out of my paycheck to cover the stupidity of having a master key
system in place, not to mention when the premiums skyrocket after said key
gets stolen and all of our iPhones get breached. /s

~~~
saosebastiao
That's exactly the point. Apple agreeing to their demands in exchange for a
reasonable insurance of the potential risks would force the FBI to reconcile
their unreasonable demands with the public.

I would imagine that the biggest cheerleaders of the FBI's side in the general
public are Republicans. Can you imagine them ever supporting this?

------
jkot
Great, 10GB file filled with random data will be illegal in another country.

------
tptacek
They're right to want that, and the public is right to refuse them.

------
mucker
No FBI. Hell, not that long ago I started the work to become an agent. I love
law. I love bad guys being put away. But you have _ZERO_ need for an escrow on
strong encryption. It is perfectly legitimate that citizens don't give up
their secrets. This is why we have discovery, warrants, and the Tenth
Amendment (however riddled with holes it now is). The government has no
compelling interest here.

------
cubano
How is this even news anymore?

It is utterly and completely unsurprising that all the government agencies
involved in law enforcement on all levels will fight a never-ending fight
against _anything_ that impedes their ability to do what they think their job
is.

They don't care about privacy or any of that, and see restrictions to getting
full access to all data as we see bugs in our systems that keep them from
running correctly.

~~~
Gracana
News doesn't have to be surprising to make headlines.

------
greenisland
Nothing stops anyone from developing software that can be installed on mobile
phones to encrypt this or that. This will be a type of Cold War between those
with something to protect and those who want everything transparent.

I will choose to encrypt outside of what they OS does and to hell with every
other idea.

Besides, all one has to do is encrypt, use one-time pads and keys are largely
irrelevant.

------
andrewla
It's not clear to me where this article gets the idea of what the FBI wants. I
haven't seen anything from the FBI or from Comey that indicates that they want
to place limits on future cryptographics systems.

It even seems like Comey is aware that the particular technique he is asking
Apple to use will not apply to future phones made by Apple, and that the
reality is that cryptography will soon reach the point where the FBI will not
be able to rely on decrypting data as part of their investigative approach.

Yes, if Apple creates this exploit, then that exploit will potentially be
available to other state actors and criminal enterprises. But only for iPhones
older than the 5s. Fundamentally, as other commenters have pointed out, this
is not creating a backdoor -- this is using an existing backdoor to install a
bigger backdoor. It is, of course, possible that in the future even newer
iPhones might find themselves vulnerable to unauthorized decryption, but
really, the FBI's ask in this particular case really is narrow in scope,
because it does only apply to older phones.

I don't see the slippery slope here that many people seem to think exists. The
slope begins and ends with a phone released in 2013. All any person (criminal
or otherwise) has to do is buy a newer iPhone, and then this whole discussion
no longer applies.

~~~
chillacy
The issue isn't a technical one as much as a legal one. If the FBI can get the
government to interpret the All Writs Act the way they want (any private
entities must do what the govt says to aid a criminal investigation unless
explicitly forbidden by law) to force Apple to write a custom version of iOS
for them this time, the fear is that they can use the same law to install
backdoors in ongoing versions. Legally there would be precedent for Apple to
have to allow investigators to access other phones as well by means of making
Apple write code to do so, which in the future could mean tracking location,
turning on microphones and cameras, etc.

~~~
andrewla
> the fear is that they can use the same law to install backdoors in ongoing
> versions

There is no reasonable interpretation of the All Writs Act (which regards
subpoenas) that could be interpreted to force Apple to preemptively make their
OS insecure. If they include a backdoor in future versions of the iPhone, or
if the FBI discovers a vulnerability, then it is entirely possible that they
could use the same precedent to force them to open the backdoor for them, or
even give them a metaphorical prybar for the backdoor.

But the point is that Apple is rapidly moving towards (and in their opinion,
has already achieved) a hard stop -- they no longer possess the technical
capability to break a locked iPhone after the 5s. For a specific case, and a
specific subpoena, there is no work that Apple can do to comply with the
subpoena.

And, like I said, it seems clear that Comey understands this, and is not
asking Apple to weaken security in the future, and I see no indications that
he is asking for that.

------
vonklaus
Many people want gun laws to change. For better or worse there will still be
millions of guns on the street. So if you don't want "bad guys" to use guns or
encryption it would be pretty impractical to go back in time and prevent these
technological & regulatory forces that provided the means for them to exist,

------
gPphX
Washington Post published TSA Master Keys

[https://www.schneier.com/blog/archives/2015/09/tsa_master_ke...](https://www.schneier.com/blog/archives/2015/09/tsa_master_keys.html)

------
jacquesm
Ah, the twice-per-decade re-run of the Clipper Chip fiasco. I wasn't aware we
were already due for one.

[https://en.wikipedia.org/wiki/Clipper_chip](https://en.wikipedia.org/wiki/Clipper_chip)

------
gPphX
Is this equivalent to FBI residing in your phone ?

[https://en.wikipedia.org/wiki/Quartering_Acts#Modern_relevan...](https://en.wikipedia.org/wiki/Quartering_Acts#Modern_relevance)

------
SwimAway
Watch the first video under 'further reading'. Many of those congressmen seem
very biased and uneducated while deliberately misconstruing basic knowledge
and law.

Edit: wanted to commend congressmen Mr. Issa, Ms. Lofgren and Mr. Johnson.

------
Animats
We need to have the FBI's entire internal records copied and held by a third
party in the judicial branch, so that they can be examined under court order
when necessary.

------
bcheung
I remember the government making the same arguments when PGP came around.

All this has been ignored before and all this will be ignored again.

------
ionised
I look forward to seeing how the FBI plans to prevent people from all over the
globe using PGP.

------
Jemmeh
Yeah, I bet having to get a warrant to search houses makes their job harder,
too. I:

------
ihsw
Every local police department will be able to break strong encryption at their
own discretion. This is not a conspiracy theory, this is an inevitability.

Let that sink in before we consider the validity of their proposal.

Their escapades will not be limited to criminal investigations, but whatever
they want. There will be no oversight and access will be unlimited.

