
Attorney General Barr and Encryption - hsnewman
https://www.schneier.com/blog/archives/2019/08/attorney_genera.html
======
oxfordmale
> Nor are we necessarily talking about the customized encryption used by large
> business enterprises to protect their operations. We are talking about
> consumer products and services such as messaging, smart phones, e-mail, and
> voice and data applications.

This is very naive. Just assume the scenario where a CEO or politician has a
certain fetish that he/she rather would not like to be splattered over the
front page of a national news paper. This person is likely going to use his
personal email, phone, voice and data applications to indulge in this fetish.
If there is a backdoor, it is almost guaranteed China, Russia or any other
country will eventually break it and potentially use it for blackmail to get
their hands on corporate or national secrets.

~~~
techntoke
Not just China, could be any country really.

~~~
wonderwonder
Including their own. How soon before the government is utilizing its security
apparatus to blackmail its own wealthy and powerful?

~~~
bilbo0s
I think that ship likely sailed long ago.

~~~
mandelbrotwurst
The fact that something has gone wrong before (even if repeatedly!) does not
imply that we should not attempt to prevent it from happening again, or that
it's no longer possible to take steps that would move us in that direction.

------
korethr
As Schneier says, it's better than the "nerd harder" attitude exhibited
previously.

However, I take issue with this part:

> After all, we are not talking about protecting the Nation's nuclear launch
> codes. Nor are we necessarily talking about the customized encryption used
> by large business enterprises to protect their operations. We are talking
> about consumer products and services such as messaging, smart phones,
> e-mail, and voice and data applications.

I think he is intending to argue that the quality of the encryption should be
tiered, that "consumer" comm crypto should be weaker than business operations
crypto should be weaker than gov't crypto. If so, I think this is a bad
policy.

I just got through a security audit by one of our customers at work. One of
the points that their security team made was that they want us to do more to
protect the mobile devices used at our company. Even though said mobile
devices do not, and will never have, access to the customer's sensitive data,
the customer argued that a mobile device being breached gives an attacker a
foothold, and allows said attacker to move closer to getting access to their
data.

I think the same principle applies to this notion of lower-tier crypto for the
peasants. Lower-security systems interact with higher security ones, and if
those lower security systems are breached because their security was
artificially lowered, they become threats to the higher security systems with
which they interact.

I don't doubt that if crypto for Not-Government were kept artificially weak,
that China or Russia would leverage that to their advantage, moreso than they
already are. I think it would also make things easier for not just state
actors, but lower-tier criminals, as well. If Barr wants to have an easier
time catching bad guys, he should probably not make it easier for bad guys to
do bad things.

~~~
dtech
> I think he is intending to argue that the quality of the encryption should
> be tiered, that "consumer" comm crypto should be weaker than business
> operations crypto should be weaker than gov't crypto. If so, I think this is
> a bad policy.

I don't think this is strange, since this is how it works in physical. A home
has a simple lock, a business a few better ones and a security system, and a
military base has 24/7 armed soldiers on guard.

Impossible to do right now for encryption of course.

~~~
feanaro
> I don't think this is strange, since this is how it works in physical. A
> home has a simple lock, a business a few better ones and a security system,
> and a military base has 24/7 armed soldiers on guard.

Yes, but this is not how it works in cryptography and there's no reason it has
to. Should we deliberately weaken crypto systems so that they work similarly
to some other arbitrary system? The question seems to answer itself.

~~~
Nullabillity
That does seem to be the policy for copyright..

------
Veelox
I have found that the best way to educate people on the importance of no
government backdoors in encryption is to use the example of TSA approved
locks.

Everyone knows when they put a TSA lock on their luggage it does almost
nothing to improve the security of their luggage. Any serious criminal has a
key to TSA locks.

Adding backdoors is like putting a TSA lock on your bank password. It keeps
honest people from seeing it but doesn't do much else.

~~~
SamuelAdams
Actually you can 3-D print a set of TSA keys now.

[https://github.com/Xyl2k/TSA-Travel-Sentry-master-
keys](https://github.com/Xyl2k/TSA-Travel-Sentry-master-keys)

~~~
lostlogin
> Actually you can 3-D print a set of TSA keys now.

Unless that repo is backdoored and the code has been altered.

~~~
diminoten
The point though is why would anyone even bother, since no one uses TSA locks
as anything resembling legitimate security anyway.

~~~
icedchai
I've never bothered locking my luggage. I figured it would cause more problems
than it solves.

~~~
rahimnathwani
I use TSA-approved locks that have a little red indicator that pops up if the
lock is opened with a key. You can reset the indicator only if you know the
combination.

So, when I collect my bags, I can tell whether they've been opened since I
last saw them.

~~~
SAI_Peregrinus
Decoding the combinations (and thus resetting the indicators) on those is
surprisingly easy. They're actually great for locksport beginners, the key
lock is really easy to pick and the combination is easy to decode, AND they're
cheap!

------
danesparza
" As computers continue to permeate every aspect of our lives, society, and
critical infrastructure, it is much more important to ensure that they are
secure from everybody -- even at the cost of law enforcement access­ -- than
it is to allow access at the cost of security."

This.

I love that Schneier weighed in on this.

~~~
DerSaidin
Nice quote.

------
kelnos
I don't like to be the tin-foil hat guy, but I'm getting tired of the gov't
rhetoric around how this is "to catch criminals". No, it's not. It's to
protect and further enable passive mass surveillance. And nothing good comes
from that. I don't trust anyone with that power not to break the rules and do
bad things sometimes.

~~~
snarf21
Exactly. So the police and government were never able to catch criminals
before 1990? Terrorism or kiddie porn are just red herrings to scale people
into giving up control. When someone asks for this kind of backdoor, I want to
ask them to hand me their unlocked phone. "But you have nothing to hide,
right? You aren't breaking any laws, right? I _promise_ not to share this
information with anyone!"

------
wil421
Barr seems intelligent despite all the news and politics we have going on
right now. I agree with Schneier’s assessment about have a policy discussion.

Let’s pretend the Big Tech companies build something robust and unbreakable
(impossible) for the US govt. Now the EU and former English colonies want the
same.

Now Syria wants the same access and full history of anyone in Syria. China
would like the same for Hong Kong.

It’s slippery slope that goes down hill very fast. The line between criminal
investigations and persecution are blurred.

~~~
mfer
It's more complicated than that. Let's say the US adds back doors. What is to
stop China, Russia, or some other nation state from using it in the US to
intercept the communications of lawmakers, CEOs, and others? These are policy
implications worth raising and discussing. Do many realize implications like
this?

~~~
sq_
I think most of us around here on HN and "tech people" in general understand
that particular set of issues around encryption backdoors.

It seems to me that certain lawmakers and people like Barr either don't put
the time in to understand or are willfully ignorant to further their own
goals.

~~~
korethr
Supposedly Upton Sinclair said, "It is difficult to get a man to understand
something, when his salary depends on his not understanding it."

I think that applies here.

------
azinman2
> “ Here, some argue that, to achieve at best a slight incremental improvement
> in security, it is worth imposing a massive cost on society in the form of
> degraded safety. This is untenable.“

I’d suggest if they really want to push this line of reasoning, then we should
also abolish the 2nd amendment. It is there in order to revolt against the
government. But it’s place also degrades the security of the country, as
evidenced by the constant shooting and mass shootings that occur in American
life.

Encryption is much the same way. It protects individuals against government
spying, whatever their situation may be. And these products exist not just for
the US, but are made by Americans for export with the American ideal of
individual liberty in mind. If we remove that, it’ll get moved for China,
Burma, Russia, etc.

It’s quite a price to pay for society.

~~~
velosol
The 2A and crypto have been linked for a long time. The original crypto fight
in the 90s was over exportable encryption (because it was listed along with
munitions and other ITAR-restricted items).

One idea I saw floated around the time of the San Bernadino iPhone was arguing
that encryption is protected by the second amendment as a means to not having
to fight against backdoored encryption every few years. I don't have the case
law familiarity with the 2A & encryption to say if it would go well but I did
find it a fun idea.

Edit: I should add that this would be in addition to the clear 1A protection
code and therefore encryption has.

------
gesman
Bad guys will certainly know that given phones includes backdoor access and
they’ll figure out devices that does not.

Law enforcement will end up spying on regular citizens and catching small fish
while big fish and bad hackers will laugh watching.

~~~
roywiggins
> they’ll figure out devices that does not

Just owning one of them could then become probable cause for a search of
everything else you have, and then you'll be held in contempt and jailed until
you hand over the password.

Or it could just be made illegal to own one at all. Anyone with a secure
smartphone could probably be tracked just by traces it leaves when it connects
to a cellular network.

~~~
vageli
> > they’ll figure out devices that does not

> Just owning one of them could then become probable cause for a search of
> everything else you have, and then you'll be held in contempt and jailed
> until you hand over the password.

Could you explain your reasoning? Just owning a safe in my trunk doesn't give
people probable cause to search my trunk, so it's not clear how you came to
that conclusion.

~~~
sgarman
Check this out: [https://www.nytimes.com/2019/03/30/us/politics/dea-money-
cou...](https://www.nytimes.com/2019/03/30/us/politics/dea-money-counter-
records.html)

DEA was looking though records of who bought money counters.

------
nixpulvis
I liked this comment from below the article.

> I prefer to live in a free but insecure world than in a perfectly safe but
> not free world.

Which I interpret to mean, we're free to use whatever protections we see fit.
But institutionally we can't promise security, since bad actors will always
exist.

~~~
zAy0LfpBZLC8mAC
I don't like it because it suggests that freedom and security are somehow at
odds with each other, which is already an authoritarian framing of the
situation, and really just nonsense. I want to live in a perfectly secure
world. I don't think that that is actually achievable, but there is absolutely
nothing wrong with that goal.

But: There is no such thing as "security" in and off itself, security is
always relative to something that you value that you try to protect. So, if
you value freedom, you can not achieve security through limiting freedom,
because that would mean destroying what you value, supposedly in order to
protect it ... but that would obviously be a total failure at achieving that
goal.

The point is: Part of living in a world that is as close as possible to
perfectly secure is that you have to mitigate the risk of concentration of
power in the hands of authoritarians and corrupt people. Limiting the power of
the state is a security mechanism, and authoritarians who want to obtain more
and more power by calling their power "security" are simply lying.

If you accept that authoritarians dismantling security mechanisms is somehow
an increase in security, you have already fallen for their propaganda.

~~~
sonusario
> I don't like it because it suggests that freedom and security are somehow at
> odds with each other, which is already an authoritarian framing of the
> situation, and really just nonsense.

Agreed. I think part of the issue stems from how people define freedom,
seemingly thinking that freedom means "no rules".

For example: If having rules is intrinsically against freedom, then why would
anyone who desires freedom play sports, where rules define the game. If you
eliminate the rules, you eliminate the game _and your freedom_ to actually be
able to play it.

~~~
nybble41
Freedom means you get to pick the rules; they can't be imposed on you by
others. The thing is, you can't pick one set of rules for yourself and a
different set for everyone else. Whatever rules you choose to live by must
apply equally to everyone. Don't like private property? Fine, but you can't
object when others retaliate by seizing the fruits of _your_ labor. Think
kidnapping for ransom is harmless fun? Locking you up in prison is essentially
the same thing.

The problem is when certain people want others to live by _their_ rules and
are willing to apply disproportionate force to get their way. Capital
punishment for theft, fines and imprisonment for copyright infringement,
penalties for refusing to aid an official investigation, etc.

------
fencepost
Mandatory government access to all communications ( _including saved encrypted
communications_ ) is not compatible with systems where the government or
control of the government changes.

The thing that I don't really see discussed in this is the question of who do
you trust to have the keys?

Personally I can't imagine entrusting decryption keys to anyone appointed by
or simply hired by the Trump Administration given its history of choosing
people for sensitive positions. I guarantee that there are a ton of people who
think that Hillary should be locked up that would feel _exactly_ the same way
about security keys under the control of any Democratic Administration. What's
more, unless the policy becomes that all communication must go to the United
States government to then be retransmitted onto a final destination then
security keys would be vulnerable to disclosure by anyone from a former
Administration who had access to them, and it only takes a limited number of
compromised or dishonest individuals to compromise the entire system.

Don't discuss whether people are comfortable with the FBI or Department of
Justice or William Barr having the authority to get to all of their
Communications. Discuss whether they'd be fine with Barack Obama or Hillary
Clinton or Eric Holder or whoever ends up being the Democratic nominee having
that access.

Edit: moved last paragraph to first.

------
squirrelicus
I for one look forward to our federal overlords thinking they have any clue
what kinds of transmissions deserve security /s.

Seriously though, the legal tradition just hasn't caught up to the idea that
somebody can possess information outside their person that can't be forced
into the eye of the law.

I've thought about this a lot and my best conclusion so far is "give up the
encryption keys in exchange for immunity against legal cases that aren't yet
open that the secured data might reveal, or you're guilty by default". Seems
like the kind of thing prosecutors might think twice about, and it gives them
a trump card in extraordinary circumstances. I don't love it, but all the
other ideas i can come up with leave one party so heavily favored that either
freedom dies or the government won't stop whining.

------
rolltiide
Subpoena individuals and do investigative work. Identified individuals can
choose to comply and reveal their digital artifacts that are specifically
identified as being part of a crime or be held in contempt of the court order.
If they don't use locks or use easily bypassable biometrics then the court
order already allows latitude for that.

Just give up on being able to image and examine people's encrypted artifacts,
and just give up on trying to tap a firehose of data from the providers now
that they have an interest in encrypting what they store.

The state had a good 30 years of unprotected digital artifacts being
available, and now it is just going back to the heuristic analysis of the days
before, a level of accepted intrusion that government is built around.

~~~
nybble41
> Identified individuals can choose to comply and reveal their digital
> artifacts that are specifically identified as being part of a crime or be
> held in contempt of the court order.

Abuse of "contempt of court" to compel third parties not accused of any other
crime to assist in an investigation is _also_ a problem. The court can ask for
the data, of course, but one ought to have the legal right to refuse; refusal
to provide the requested data, on its own, should not be considered evidence
of guilt or probable cause to conduct a search.

~~~
rolltiide
Agreed. The point is that is a separate issue and the tools for investigation
are already here.

------
iambateman
To empathize with Barr, I can see how he doesn’t draw much distinction between
his experience at Verizon and the question of encryption.

He experienced the pain and consternation of regulation, and now feels erudite
calling BS on “his old industry” as the defender of All Things Right.

But of course, when Hacker News is called upon to “nerd harder” we always rise
to the challenge. Except when the difference is, in fact, fundamental.

Back doors have a way of becoming front doors for the wrong people. And
absolute power corrupts absolutely.

All of that was true before. It’s just that now getting the wrong set of keys
could now open a billion locks at once.

------
zelon88
99% is good enough?

If 1% of all secure public data transmissions were compromised there would
practically be no point in trying to secure anything.

And who is Barr to decide what's worth encrypting on a societal level? I'll
put my photo album through 5 different algorithms if I want to. Such is my
right.

Go ahead Barr, make laws for corporations to follow and watch as all that data
you're trying to capture disintegrate from the networks where you gave
yourself access and reappears on even more secure smaller scale distributed
systems.

What will happen is instead of Google hosting your data for you they'll just
create devices that let you store your data at home, offline while only
beaming back the telemetry and meta.

------
hedora
There is also a false dichotomy based on the idea that law enforcement are the
“good guys”. In the Bay Area, traffic officers routinely get caught
blackmailing women. Federal prosecutors routinely use “alternative
reconstruction” where they keep the real evidence secret, and just lie to
courts about the facts. US government computers are routinely breached by
government employees, contractors, and foreign governments, and the results
are then used to blackmail our politicians, influence elections, etc.

Barr should know about that last one, since he’s in the middle of the current
impeachment proceedings, and Trump has also been routinely calling for the
prosecution of his political opponents for doing some of the things I just
listed.

It is clear that even Barr is uncomfortable with giving these surveillance
powers to the executive branch while a Democrat is serving as president.

------
SamuelAdams
>If one already has an effective level of security say, by way of
illustration, one that protects against 99 percent of foreseeable threats --
is it reasonable to incur massive further costs to move slightly closer to
optimality and attain a 99.5 percent level of protection?

Except that's not the case. Encryption is mathematically proven to be 100%
secure. Assuming the application was coded / implemented correctly, the only
thing capable of unlocking encrypted secrets is the secret key.

AG Barr wants to move it from 100% secure to "99.5% secure". Not the other way
around.

~~~
roywiggins
> Encryption is mathematically proven to be 100% secure

Well... no. We're pretty sure that factoring large primes is intractable, but
nobody has actually proven it. And we know it's not that hard for a quantum
computer. Modern cryptography is certainly not 100% secure for all time.

------
CryptoPunk
>>Yes, adding a backdoor increases our collective security because it allows
law enforcement to eavesdrop on the bad guys. But adding that backdoor also
decreases our collective security because the bad guys can eavesdrop on
everyone.

And the bad guys can be the state. People need to acknowledge the phenomenon
of systemic failure. People at large can know that the system is deeply
flawed, yet not be able to fix it, because the problem is too complex to fix.

One could argue that situations where members of Congress see their
compensation increase by an average of 1,800 percent when they leave office
and become lobbyists, where fewer than 3 teachers in an entire state are fired
in a year due to sweetheart collective bargaining agreements, where police
unions protect officers from facing disciplinary action for miscondict, where
the wage gap between federal employees and private sector workers has
increased significantly since 1950, where more than half of the 20 wealthiest
counties in the US are suburbs of Washington DC, where intelligence agents are
known to use the state's surveillance apparatus to spy on lovers and exes
through a practiced coined LOVEINT, where there are approximately 1 million
federal regulations which hold potential criminal convictions for breaching,
and where the prison population is 1 percent of the total population, are all
examples of systemic failure, and the frequency of such failures requires us
to check government power by enshrining legal principles like the right to
privacy.

Information is power and centralizing information in the hands of a small
government elite through mass surveillance leads to power asymmetry that is
dangerous to society.

------
closeparen
Keep in mind, while you cheer on ending the tech industry's free reign and
bringing in adult supervision and regulation, that this is what it means.

~~~
aviraldg
Can someone help me understand why technologists and entrepreneurs on HN cheer
on "ending the tech industry's free reign", when they are part of the very
same tech industry?

~~~
rocqua
Because those closest to a thing can see the bad things it does. If you then
conclude that doing the bad thing is game-theoretically rational, then
regulation is needed. Hence, you cheer on adding regulation.

~~~
closeparen
One of the problems with the regulation debate framed in terms of "more vs.
less" is that it's easy to assume increased regulation will fix what you
consider bad and preserve what you consider good, or that deregulation will
only cut pointless bureaucracy.

It's distressing that the support is for more regulation in general (which can
be easily coopted to support stuff like this), rather than specific policies
or outcomes.

~~~
rocqua
It's a response to the conservative voice saying 'deregulate everything'. You
first need to argue for regulation per se before you can argue for specific
regulations. The nuanced position of 'regulation isn't inherently good, but
this specific policy is' is blown away in the public debate by 'REGULATION
BAD'.

------
IfOnlyYouKnew
Just as the government has been pretending that backdoors are possible without
a loss of privacy, the tech community has been pretending that backdoors are
indistinguishable from a complete loss of the benefits of encryption.

Don't get me wrong: I'm totally against backdoors, and I do consider them a
significant weakening of any encryption.

But it's just disingenuous to insist that, for example, a system with the same
sort of requirements as exist for search warrants is entirely equivalent to a
system without those. Or that one-out-of-two encryption schemes do not exist.
Or that it is totally impossible for an agency to keep a keyfile secure.

As but one example for the last: SSL certificate authorities are already
entrusted with keys whose loss has just about the same sort of security
implications as breaking messaging encryption might have. And that system is
working somewhat decently, including in cases where those keys were breached
and certificates had to be revoked.

~~~
cesarb
> SSL certificate authorities are already entrusted with keys whose loss has
> just about the same sort of security implications as breaking messaging
> encryption might have.

A leak of the private key for a SSL certificate authority (or even for the
server itself with modern TLS) doesn't allow decrypting past messages, while
these backdoor proposals aim to allow precisely that.

------
dbg31415
Relevant.

* Honest Government Ad | Anti Encryption Law - YouTube || [https://www.youtube.com/watch?v=eW-OMR-iWOE](https://www.youtube.com/watch?v=eW-OMR-iWOE)

Also worth noting that Australia already went ahead with their anti-encryption
laws. Feels inevitable that we'll lose encryption to the nanny state. Really
sucks, but I haven't got a clue how to convince the grandmothers out there why
the cops shouldn't be trusted here. It's so frustrating.

* Government Surveillance: Last Week Tonight with John Oliver (HBO) - YouTube || [https://www.youtube.com/watch?v=XEVlyP4_11M](https://www.youtube.com/watch?v=XEVlyP4_11M)

I think it'll be one of those things that society won't wake up to needing
until it's long gone. Depressing as fuck.

------
duxup
I feel like it is inevitable that any back door you legislate ... will get
more use out of enemies of that given state than the state itself.

Any state with strong individual rights and courts will be limited in their
usage to some extent. Outside actors, unlimited.

------
djsumdog
I guess it should be illegal for Ransomware providers to generate encryption
without government backdoors too, eh?

On a side note, with the new Australian laws, is it now illegal to use tools
like LUKS and Veracrypt there?

------
etherealG
“Yes, adding a backdoor increases our collective security because it allows
law enforcement to eavesdrop on the bad guys.“ No it does not. By definition
if the backdoor exists the bad guys won’t use it. This is clearly an excuse
for monitoring all people not just the bad guys, and has little to do with
security and everything to do with control. Please stop accepting the argument
that collective security is improved with eavesdropping, it really really
isn’t.

------
shmerl
Why would anyone listen to Attorney General Barr regarding information
security issues instead of actual experts?

 _> This is exactly the policy debate we should be having_

Why is this debate needed? It's beating the same dead horse since this debate
already happened in the past. It was made clear, that backdoors are not an
option.

~~~
SpicyLemonZest
Because AG Barr is the expert on law enforcement capability, which is being
weighed against security. Nobody including Barr himself denies that his
proposal would weaken security.

~~~
shmerl
I meant in the context of "it's worthwhile to weaken information security".
This debate is over and he is just beating the dead horse.

------
codesushi42
DES was built to be brute forced by govt computers.

Don't trust any cryptographic standard put forth by the NSA, ever. They have
always been about backdoors.

~~~
gowld
Source? Wikipedia says exactly the opposite:
[https://en.m.wikipedia.org/wiki/Data_Encryption_Standard](https://en.m.wikipedia.org/wiki/Data_Encryption_Standard)

NSA made DES more resistant.

~~~
codesushi42
No they didn't.

They reduced the key space down to 56 bits. Which was small enough for
government computers to hack even decades ago. The original proposal by IBM
was for 128 bits IIRC.

[https://en.m.wikipedia.org/wiki/56-bit_encryption](https://en.m.wikipedia.org/wiki/56-bit_encryption)

That is interesting that the Wikipedia page you linked claims the contrary and
makes me suspect tampering.

Because this story has been told over and over again, even in textbooks. See
Springer's Understanding Cryptography chapter on DES for instance.

EDIT: In fact, the Wikipedia page you linked states

 _DES, as stated above, is insecure. This is mainly due to the 56-bit key size
being too small._

So where is this nonsense about the NSA making DES more secure?

~~~
thombat
From
[https://www.schneier.com/blog/archives/2004/10/the_legacy_of...](https://www.schneier.com/blog/archives/2004/10/the_legacy_of_d.html)

"It took the academic community two decades to figure out that the NSA
"tweaks" actually improved the security of DES. This means that back in the
'70s, the National Security Agency was two decades ahead of the state of the
art."

~~~
codesushi42
Talk about cherry picking info. From TFA, if you had bothered to read it:

 _By the mid-1990s, it became widely believed that the NSA was able to break
DES by trying every possible key. This ability was demonstrated in 1998, when
a $220,000 machine was built that could brute-force a DES key in a few days_

~~~
thombat
Two NSA issues are getting conflated:

(1) Keeping the key size within brute-forcing range. Agreed, they did that and
surely wittingly. By the mid-90s nobody doubted they had the computational
strength for it; the 1998 demonstration was that any modestly-funded
organisation could too.

(2) Improving the resistance to differential analysis by changing the S-boxes.
This is what the Schneier quote is about: the NSA making a change and refusing
to disclose the basis, causing suspicion that this installed a backdoor for
them, whereas in fact it was (as far as any public cryptographer has
disclosed) strengthening it against a cryptanalytic technique that the NSA
didn't want to reveal.

------
csours
Let's not pretend that Law Enforcement (aka The Government) is asking for
these powers in a vacuum. Every time a terrorist event happens, or pedophile
ring is broken up the public asks why it was not prevented or stopped sooner.

The argument of data security vs physical security needs to take place with
your neighbors and not just your Senators.

Don't get too mad when Law Enforcement does what your neighbors ask.

~~~
stephen_g
I see this trope a lot around these kinds of discussions, but don't really see
this going on as much when such events actually happen. Sure, it happens to
some extent but I really wonder whether this claim (saying that large numbers
of people basically demand more and more surveillance whenever any major crime
happens) is instead hugely exaggerated and pushed by those very people trying
to push more and more surveillance...

------
jecxjo
The thing I have never heard anyone talk about is what the repercussions
should be for those asking for a back door when the door is used by malicious
actors. We have seen companies like Wells Fargo commit company wide bank
fraud...no one goes to jail. We have seen companies like Equifax lose millions
of people's worth of personal and financial information...no one goes to jail.

When Barr and Trump push through legislation that requires back doors put into
all our security, who is going to do jail time when all our personal
information is leaked again? I try to put the least amount of info out there
but when I do I use crypto that I know works, that I know who and how it was
designed, who and how it was audited. When the government comes in and some
intern loses a USB stick with keys to the back doors I wanna know who's head
is gonna roll for it.

------
godelski
I see this as fundamentally un-American. To quote Benjamin Franklin

* Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety.*

Additionally I think there is a fundamental misunderstanding, or lack of
understanding, of Pareto[0] and fundamental statistics. At this point we are
scraping the bottom of the barrel for safety. We are in the safest time in
world history. We are in one of the safest times in American history too^.
Certainly in the last couple decades. Yet for some reason we are treating
issues of safety as if they are worse than the 90's. And if we can make a
statement that is only 99% secure then we're pretty much screwed. 1% of
attacks/opponents/people being protected (whatever that measurement of
"threats" means) is really low. If it's attacks, well give it a few minutes
(that'd be consistent with previous back door implementations). If it's
opponents, then really anyone we actually care about is going to happen access
(there are far more than 100 countries with computers). If it's people being
protected, well there are 350m Americans. That leaves 3m Americans vulnerable.
Any of these cases are unacceptably low and I'd argue actually set us back.

The other thing is that even implementing mass surveillance wouldn't help us.
In many ways it has more potential to harm us. Like many in the thread have
said, it isn't just personal privacy at hand. Politicians, high profile
business people, etc can easily be blackmailed. It doesn't even have to be
some kink (as others have suggested). Just something like sending nudes to a
partner or a charged joke that is taken out of context (how many of you have
dark humor or use jokes to illustrate a point?). Nation States will definitely
gain access to these backdoors. It's highly likely hackers will as well.
Additionally everyone does have something to hide. Banking passwords,
sensitive information, personal thoughts and feelings^^.

So we are going to give up a fair amount of liberty for a minute amount of
security? (Possibly negative security!) This does not sound like a good deal
for anyone involved. I don't think it even helps law enforcement. They already
can't handle the information that they have. We've seen that with data they
have, or could easily obtain, that things are obvious in post hoc (like
someone on 4chan saying they are going to shoot up a school).

How does this help us as American people? That needs to be honestly answered.
Otherwise all I see this as a ploy on fear and overreach. We used to fear Big
Brother. I'm not sure why or how we have come to embrace him.

[0]
[https://en.m.wikipedia.org/wiki/Pareto_principle](https://en.m.wikipedia.org/wiki/Pareto_principle)

^ the issues at hand I do not believe would be solved in any way by monitoring
because monitoring does not fix the root causes, which are clearly solvable.

^^ lack of being able to share these will only increase our problems.

------
EGreg
I wanted to write a post about how the encryption would interact with free
speech, especially given the leaked memo to censor the Internet.

Let me start by stating my views on free speech and rights in general, and
then how they are shaped by these events. I think that human rights and
freedoms are just that: personal freedoms. Freedom of religion is about
personal religious observance without harming others. These freedoms
philosophically should not mean entitlement to unlimited exercise thereof. The
right to bear arms doesn’t mean you should be able able to stockpile unlimited
amounts of ammunition and incendiary devices etc.

Similarly, FREEDOM of speech to me is a PERSONAL human freedom. You can say
what you want, and not be punished by the government for it. You can say it in
a car, you can say it in a bar, you can say it very far, you can wish upon a
star. But there are limits to how many people can hear you. Maybe 10 or 100
people at an event.

Once you get into situations where 5,000,000 people can hear a tweet, that’s
clearly not about FREEDOM of speech in its strict sense. It is about
entitlement to use a PLATFORM, maintained by an ORGANIZATION that involves
many people, to broadcast arbitrary, unfiltered one-to-many messages to
everyone.

I think this latter thing is toxic, in both directions. Society listening to
tweets of celebrities cheapens public discussion and civic thought. And being
reachable by the whole world using email (rather than through networks of
shared invited/capabilities) leads to constant spam and papparazzi for
celebrities. What happened here is an ORGANIZATION put on a show or movie and
catapulted this celebrity into the limelight and carefully maintains their
stature, along with their own publicists, social media team on twitter, etc.
This is the society we live in, where we have heroes. But entitlement to
unlimited unfiltered megaphones is NOT the same as freedom of speech, any more
than being a leader if a paramilitary group of unlimited size is the same as
the right to bear arms. So, freedoms and rights have limits. Where those
limits lie is the heap paradox - as you take away grains, when is a heap no
longer a heap? etc. So what is the alternative to this type of misnamed “free
speech” aka megaphones run by organizations, super PACs, mainstream media, and
so on? It is COLLABORATION.

    
    
      Look at Wikipedia.
      Look at peer reviewed journals and science.
      Look at large open source projects
    

There, individual contributions are filtered and often butt up against
changes, revisions, etc. The result is that when the general public sees
something, it is the result of a collaborative process of filtering and
refining the presentation of information, citing sources, etc. There are no
heroes on wikipedia, and only a few in science and open source. Most
contributions are filtered by a community of experts, not state governments or
platforms employing boiler rooms of low paid workers to determine what’s true.
I would like to see more of that COLLABORATION and less of COMPETITION.

I would like to see a patentleft movement in drug research, instead of big
pharma. I would like to see news reported like Wikipedia with footage
submitted by everyday people on the ground instead of “intrepid reporters in a
warzone”. CNN used to have a motto that they have “no celebrities”. News
agencies tried to stay lukewarm and neutral. FOX News changed the game, lots
of people copied the model. The Internet eliminated newspapers and
classifieds. News had to adapt because capitalism and cutthroat competition
for the same ad dollars means MORE clickbait and MORE lockin to one type of
audience. For-profit Social networks further use this content to herd us into
echo chambers of outrage, because that’s what drives the most engagement,
which the social networks need to monetize. They send notifications in an
increasingly desperate attempt to grab your attention in a tragedy of the
commons where the commons is our attention.

This has had a corrosive effect on society. The capitalist (competition based)
news has made us more polarized and outraged, while the capitalist
(competition based) social networks have made us more addicted to our
notification slot machine, with smaller attention spans and self control,
responding to that stranger on the internet over that latest outrage.

THIS is the culture that leads to more mass shootings. The fact that we have
giant platforms instead of peer to peer is another problem. By banning
extremist people from platforms, a platform can pop up which attracts the
worst extremists, and feeds them. This platform should ABSOLUTELY be a
honeypot for the FBI to watch these people. In our world of centralized
platforms, Platforms like this should be RUN by the FBI. Instead, our
government takes the wrong approach. They shut down the Craigslist and
Backpage hookers sections instead of using them to entrap and catch
traffickers. Then they threaten large platforms with SESTA (2018) when they
should be the ones catching the people who are out there. The platforms should
be honeypots!

Anyway. So although I feel my stance is correct, and beneficial to society,
there are three practical problems with it:

1\. First Amendment is not interpreted as I do. In fact Citizens United even
allowed our politics to be run by PACs with huge money and megaphones
(although nonprofits could have always done that). So legally my literal
understanding of limits of freedoms is not matching the traditional ones
(slander, yelling fire etc.)

2\. This may be the more serious one. As we have more end to end encryption
and better personal technology, all well-meaning ideas about limits of freedom
of speech and arms melt away. Imagine Alex Jones on SAFE Network with
1,000,000 people subscribed to his encrypted feed. Or imagine 3d printed guns
from illegally shared 3d models, stored in 10% of the homes in NYC. Can’t stop
people using a turing complete language to turn out banned material.

3\. Even with numerical limits on each person’s audience, a hateful message
can attract people who make plans to use technology to asymetrically
perpetrate criminal acts. And end-to-end encryption means we won’t know what
they’re saying. However, I believe that if we took the freedoms in the way I
defined them, and moved to collaborative platforms instead of competitive
ones, our society’s health would measurably improve.

------
feanaro
> Nor are we necessarily talking about the customized encryption used by large
> business enterprises to protect their operations. We are talking about
> consumer products and services such as messaging, smart phones, e-mail, and
> voice and data applications.

This very American attitude of separating "business enterprises" from
"consumers", which to me sounds like separating the noble and important from
peasants or cattle, is utterly sickening. I am not a "consumer", I am a person
and I deserve and _demand_ more privacy and freedom than a corporation.

We are not consumers, we are people.

~~~
dang
Please don't post unsubstantive comments to HN, and especially not indignant
riler-uppers. Those lead to noticeably worse discussion, and we're trying to
drive in the other direction.

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

~~~
feanaro
Noted, but in what way was this not substantive? I'm expressing my opinion on
a particular subpoint which is quite relevant to this discussion. If Barr was
was not pushing for an artificial separation between the corporations and
consumers, there wouldn't be any discussion to have, since taking encryption
away from corporations is a non-starter.

Just as a disclaimer, I've read the guidelines and know them well.

~~~
dang
If I take out the nationalistic slight ("This very American attitude"), the
sarcastic rhetoric ("separating the noble and important from peasants or
cattle"), the denunciatory venting ("utterly sickening") and megaphone
language (" _demand_ "), it's not clear to me what information is left. What
is the comment really saying? Something about how businesses aren't people? To
me it reads like an angry reaction to some shallowly triggering phrasing in
the article. Angry reactivity is the opposite of thoughtful reflection, which
is what we're hoping for here.

It's also off topic. Whimsical off-topic digressions can be interesting, but
generic rhetorical ones are never interesting. Those discussions have been
repeated countless times already, thus are predictable, thus are tedious, so
we ask people to avoid them. The more generic a subject, the more shallow its
discussion—and when it's angry as well, that's much worse. Angry plus shallow
equals riler-upper, which is close to flamebait.

~~~
feanaro
You're right, I was a bit angry when I read this. It's rather hard not to get
angry given the topic. I agree I could have phrased it more tactically.

I understood your point and I'm not trying to prolong the discussion. However,
I consider the implication that my comment was entirely devoid of a point a
bit unfair, so I'll try to rephrase.

I think there is no good argument to be made for stripping away the privacy of
citizens, with the implication that it's okay since they are somehow less
important than businesses. The fact that this is now getting somewhat
regularly proposed is scary and a danger to liberty. To me, Barr's statement
reads as a long-winded way of saying "it's not too bad if we punch holes in
your encryption because your systems weren't secure to begin with and you're
also not that important since you are just consumers". My point was to call
this out explicitly and try to invalidate it as an argument for breaking
encryption.

~~~
dang
If you had posted that last paragraph originally it would have been a fine way
to make your point. That's the basic idea here.

------
rosybox
I actually appreciate Barr's point. Honestly given the cost of not saving
lives that could have been saved, abducted children, potential active
shooters, terrorist threats all surrendered for the benefit of me getting end
to end encryption to ask my wife what kind of drink she wants me to buy from
Starbucks. I, speaking only for myself, find _lawful_ access to such personal
messaging, given probable cause of a crime being committed and a warrant
signed by a judge, tolerable and reasonable.

I also get the sentiment that people have more of a problem with the idea of
government access to private communications than with weakening the encryption
to allow it. I see a lot of the conversation being all about privacy, and not
about encryption.

In discussion of the latter I don't have a lot to add, but in the former, the
courts have decided many times over that law enforcement and the state can
access information about you if they have probable cause that you're
committing a crime. If you enjoy living in a society governed by laws and
don't tend towards libertarian extremes of personal freedom it's something
worth accepting and the discussion on the highest level of whether we should
or shouldn't do this doesn't even consider this side of the argument, despite
it filling up 90% of the user generated discussion about this topic whenever
it comes up.

~~~
self-reference
This perspective really bothers me— I’m sure I’m not the only one. It seems to
presume that the current state of affairs, where the police lack some ability
to access some of the evidence which is in principle available, is a novel
situation demanding of a novel response.

But, like, it’s not like the original ratifiers of the Bill of Rights didn’t
understand what they were doing. They _knew_ that by outlawing common law
enforcement practices like arbitrary searches and coerced confessions, they
would be giving up some of their ability to “punish” certain types of
“criminals”. They got that it meant they couldn’t listen in on a man’s
conversation with God. That’s the deal they struck to try to form a country
governed by laws, not by men.

It really seems like it’s not such a new situation, after all; we just have
new values.

~~~
masscrypteria
Founding fathers had no way of knowing of the current state of affairs,
technologically speaking.

Imagine billions of unbreakable safes containing secret messages to and from
anyone globally, instantly transported to anywhere in the world.

Like, dude, anyone with the appropriate security clearance that is aware of
the implications of the encryption status quo isn’t spending time posting
here.

~~~
okmokmz
No wonder you're using a throwaway to post this

~~~
masscrypteria
I can’t downvote you but your response doesn’t add any value to the
conversation.

~~~
okmokmz
I was going to respond, but there is no point arguing with trolls posting pro-
authoritarian opinions from a fake account because they're too scared to have
their thoughts tied to their identity in any way

------
glitchc
As a security researcher, I would like to present a counterpoint to the
general discussion here, unpopular though it may be: Access to the internet is
a privilege, not a right. There is nothing in the US Constitution regarding
the internet. An individual is not required to use the internet to communicate
with another person, this is a matter of convenience, ergo privilege, but not
a right. Along with face to face meetings, letters and phone calls,
individuals are also, through the power of software, allowed to implement
their own encryption over existing communications channels.

The internet has been a force of good, but also a force of evil, in this
world. Rapid dissemination of personal opinion masquerading as fact has lead
to extremism and polarization across the globe, this is undeniable. Some
degree of accountability needs to be introduced into the system for the
internet to reach the next level of maturity. The government is allowed to
access your telephone records. The corporation holds your records to a certain
date as mandated by law, and hands them over when a lawful request (warrant)
is made. Full-on disk encryption and end-to-end encryption make it impossible
for the government to access those records even when a lawful request is made.
Note that the Fourth amendment states _unreasonable_ searchs and seizures.
That does not mean the individual is allowed to be _impervious_ to searches
and seizures. The reasonableness clause protects the interests of the state
and allows courts to decide yay or nay on a case by case basis. That is the
very intent and spirit of the law.

Currently technology, not law, is the gatekeeper, and technology is controlled
by corporations. In a lawful society, this is untenable in the long-term. If
anything, it enables tyranny by corporations, since they are unelected and not
responsible to the public, whereas elected governments, in fact, are. The
history of US is replete with cases where corporations have grown too powerful
and governments required new laws to counter the threat they presented to
society.

~~~
InvaderFizz
> Access to the internet is a privilege, not a right. There is nothing in the
> US Constitution regarding the internet. An individual is not required to use
> the internet to communicate with another person, this is a matter of
> convenience, ergo privilege, but not a right.

I think the recent 8-0 ruling by the Supreme Court completely invalidates this
statement in the context of the government being able to block ones access to
the internet in general.

> Justice Anthony Kennedy began by outlining what he described as a
> “fundamental principle of the First Amendment”: that everyone should “have
> access to places where they can speak and listen, and then, after
> reflection, speak and listen once more.” And even if once it may have been
> hard to determine which places are “the most important” “for the exchange of
> views,” Kennedy concluded, it isn’t hard now. Instead, he reasoned, it is
> “clear” that the Internet and, in particular, social media provide such
> opportunities, with “three times the population of North America” now using
> Facebook. Emphasizing that Packingham’s case “is one of the first this Court
> has taken to address the relationship between the First Amendment and the
> modern Internet,” Kennedy warned that the court should “exercise extreme
> caution before suggesting that the First Amendment provides scant protection
> for access” to ubiquitous social-networking sites like Facebook and Twitter.

Source: [https://www.scotusblog.com/2017/06/opinion-analysis-court-
in...](https://www.scotusblog.com/2017/06/opinion-analysis-court-invalidates-
ban-social-media-sex-offenders/)

~~~
glitchc
That's an excellent ruling, thank you for sharing that. Brings the internet
closer to a "right" for certain, but does not require the government to
provide access to the internet.

And, it may not matter: When making its case, the Justice Department will
disassociate the use of encryption technology from access, arguing that
limiting encryption options on consumer devices does not limit participation
in an online forum.

