
Feinstein-Burr 2.0: The Crypto Backdoor Bill Lives On - hackuser
https://www.justsecurity.org/32818/feinstein-burr-2-0-crypto-backdoor-bill-lives/
======
tptacek
The stated intention of these bills is unachievable. I don't mean
technologically - key escrow is certainly possible. I mean as a practical
matter, given the makeup of the commercial sector in the US. The capability to
render plaintext to authorities on request is incompatible with how large
companies handle information security.

That being the case, why is this bill still being pursued, given that it's a
dead letter?

1\. By continuing the kabuki dance, legislators and regulators may hope to
spook companies like Apple into self-regulating, to avoid public regulation.
Good luck with that.

2\. Legislators might be doing this mostly for show.

3\. Legislators might keep pushing the bill until all the meaningful bits have
been planed off (an option compatible with (2)), and further might not realize
that their resulting product is toothless.

 _NB: I am talking my book a little here, since I 'm a party to several bets
that meaningful crypto regulation in the US will never happen._

~~~
elif
Why would the government want to make practical and common practices illegal
even though compliance is infeasible?

Why are speed limits set so low? Why is tax code so full of questionable loop
holes?

It provides a mechanism to target whoever you want to target for other,
unrelated reasons.

------
pasbesoin
The budget figures surrounding these repeated, "whack-a-mole" efforts should
be forcibly transparent to the public. And reported.

If the public could readily see how much of their tax dollars (and, as well,
what percentage of public employees' schedules / work hours) were being poured
into _trying the same thing -- already just decided -- over and over again..._

Well, it's the only thing I can think of. Make this self-serving, lobby-
machine-service activity and expense as transparent as possible.

Preferably with criminal penalties for hiding it from public examination and
accounting.

------
hackuser
I found it interesting that intelligence and terrorism investigations would no
longer be covered by the bill. You read that right - what seems like the
primary justification is no longer covered. As the article's author says, it
_seems particularly odd given that the bill’s sponsors are, after all, members
of their respective chambers’_ intelligence _committees_ :

 _A second change would eliminate section (B) under the bill’s definition of
“court order,” which obligated recipients to comply with decryption orders
issued for investigations related to “foreign intelligence, espionage, and
terrorism.” The bill would then be strictly about law enforcement
investigations into a variety of serious crimes, including federal drug crimes
and their state equivalents._

The article author makes a few guesses about why that would be: 1) A
_concession in a recurring jurisdictional turf war with the judiciary
committees_ ; I understand turf wars and concessions; though I don't quite
understand how this change fits that description, I'll take his word for it.
2) Intelligence agencies have opposed back doors; and 3) major tech companies
are worried about a high volume of requests from intelligence agencies.

But what about this possibility: Intelligence agencies and/or tech companies
don't want intelligence investigations to be codified and legalized, giving
all parties laws that can be broken. Better to be in a legal gray area. (I
don't know what already is codified or how much gray area there is.)

~~~
idlewords
My take is that this law would force companies to structure their services in
a way that made plaintext recoverable. And then intelligence agencies could
continue to use National Security Letters and their special secret court to
get the material they wanted. Or do their fancy hacking.

In other words, a side-effect of the law is to outlaw NSA-hard security
design, and that's enough for them.

------
DougN7
This is an interesting case. What if a law is passed that is impossible to
comply with? For example, what happens if all CEOs are required to flap their
arms and fly to the moon to sign something? How does that get overturned?

------
20yrs_no_equity
This is a line too far for me. I will not comply. I think we should all insist
that we build systems where the encryption is open source, out of our control
and we never have access to the keys.

It's time to get rid of passwords too. Start, step by step, getting users used
to keys, and used to being responsible for them. IT won't happen overnight.

Doing this takes care of a whole lot of social engineering problems too where
hackers could call your customer support reps and get access to an account via
an out of band password reset.

It's not just about not trusting the government, it's about not trusting
yourself. Your company could make mistakes procedurally, your employees can
make mistakes via human weakness or trickery, and as a society we need the
trust that comes with real security.

