
Republicans Push Bill Requiring Tech Companies Give Encrypted Data - andy_herbert
https://www.cnet.com/news/republicans-push-bill-requiring-tech-companies-to-help-access-encrypted-data/
======
hn_throwaway_99
I think politicians must win prizes or something for showing who is the
stupidest:

> The bill also allows the attorney general to create a competition with a
> prize for anyone who can come up with a way to access encrypted data while
> protecting privacy and security. Security experts have long noted that this
> is an impossible request.

Why they're at in, why don't they push a bill for permanent rainbows.

Also, the article states "The proposed legislation stops short of requiring
tech companies to create a backdoor", so if end-to-end encryption is still
available, this legislation does nothing. And if lawmakers try to _ban_ end-
to-end encryption, well then "banning math" should be the name of this
legislation (yes, I realize politicians have tried to do that before). Sure,
large companies may comply and average joes may get less E2E encryption, but
anyone who knows anything about tech will be able to get access to E2E
encrypted messengers.

~~~
chrisshroba
Serious question (about practicality, not ethics): people always say that it's
impossible to provide government access to encrypted data without opening a
huge security hole for hackers to exploit. Why couldn't an encryption scheme
be used that, for decryption, requires either a) the user's private key (a
usual), or b) some sort of combination of private keys of all the relevant
government entities required to authorize accessing the user's data? So that
something like the combination of a judicial private key and an fbi private
key were required to access the data?

Of course the data would still be hackable if a bad actor were to get their
hands on both of those keys, but security could be increased by, for example,
increasing the number of parties needed to authorize the access.

(Please don't critique the ethical premise here - I make no claim that this is
the "right" thing to do, just that it could be plausible)

~~~
free_rms
That's exactly it, it's very possible, but all the eggs would be in one
basket.

Scheme: multiple copies of symmetric key followed by symmetrically encrypted
body (pgp-style). One copy of the symmetric key is secured by user's private
key, another is wrapped in an onion of all required "side" keys.

The issue is that the government-held keys only need to be exposed once, and
then someone has a key to all of everything, everywhere.

~~~
slg
They mentioned having multiple keys with different government organizations.
What if there are 12 keys and you need 6 keys to decrypt the data. The user
has 6 keys. The company that created the device or service has 2 keys, the
judicial branch has 2 keys, and the executive branch has 2 keys. All of the
non-user keys are required to be in different systems. The compromise of any
one system still requires cooperation from the non-user groups to decrypt. You
couple that with some system that allows the data to be decrypted and
reencrypted with new keys in the case of a breech of keys. You can add as many
keys to this scenario as you want until you feel like a breech of the
necessary number of keys is not going to happen. Are we sure a system along
these lines is impossible?

~~~
dwheeler
Unfortunately, each key will be poorly protected, because each group will
rationalize that "it would be impossible for someone to get all those keys"
while someone gets all the keys.

The US government couldn't even keep the most sensitive information about its
personnel secret, see the OPM breach:
[https://en.wikipedia.org/wiki/Office_of_Personnel_Management...](https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach)
The Inspector General had warned Congress of "persistent deficiencies in OPM's
information system security program" and nothing was done. This resulted in
some really sensitive data being exfiltrated, probably some good blackmail
info. The US government has not done a great job even protecting its own
employees.

The biggest problem here, though, is incentives. A government cannot be sued,
or suffer any other negative impact, if it accidentally loses keys that lead
to others' death, blackmail, or job loss. Too bad, so sad. If tomorrow it
becomes illegal or unacceptable to do something that today is legal, a
government can retroactively punish those who engaged in it. In short, the
government has no strong incentive to protect the keys, only you do.

~~~
slg
It sounds like we have already moved from _this is an impossible request_ to
_this is a difficult and impractical request_. Setting up a government
competition with a prize to solve a hard problem seems reasonable.

~~~
unionpivo
> It sounds like we have already moved from this is an impossible request to
> this is a difficult and impractical request.

I am not sure how you got this from conversation above. Still sounds
impossible to me.

Problem as stated is, that if skeleton keys are broken, then everything
everywhere gets broken.

The fact that government has bad initiatives to keep keys secret, just means
it will be easier for bad actors to steal them. But that is just a side
argument.

~~~
slg
>I am not sure how you got this from conversation above. Still sounds
impossible to me.

When discussing encryption, many people say that this is an impossible problem
to solve because of math. This conversation has shifted to being a problem
about incentives. Math is impossible to change. Incentives are changeable. If
the only problems here are the specifics of the scheme and the incentives of
people involved, those are solvable.

>Problem as stated is, that if skeleton keys are broken, then everything
everywhere gets broken.

Which is why you build redundancy into the system that would require multiple
independent breaches and a system to reencrypt data in the event of a breach.

~~~
unionpivo
> When discussing encryption, many people say that this is an impossible
> problem to solve because of math. This conversation has shifted to being a
> problem about incentives. > Math is impossible to change. Incentives are
> changeable. If the only problems here are the specifics of the scheme and
> the incentives of people involved, those are solvable.

It's still a math problem in the end.

Today if you want to break into someones encrypted data, you either have to
break encryption algorithm (which is hard and by hard I mean even stuff we
consider insecure like 3ple DES are still not broken) or you have to break
each data individually.

With skeleton keys that changes. Suddenly all the world secrets are one* key
away. That is the big difference. Doesn't matter how you do it, it
fundamentally changes the equation

And you open up HUGE attack vector, by enabling bad actors to bribe/coerce
people with access to skeleton keys.

* Doesn't matter if you split it up, have different org have parts of keys etc.

------
rudolph9
Here is the senate page on the Bill
[https://www.judiciary.senate.gov/press/rep/releases/graham-c...](https://www.judiciary.senate.gov/press/rep/releases/graham-
cotton-blackburn-introduce-balanced-solution-to-bolster-national-security-end-
use-of-warrant-proof-encryption-that-shields-criminal-activity)

> Bad actors exploit warrant-proof encryption to shield dangerous and illegal
> activity —including terrorism, child sexual abuse, and international drug
> trafficking — from authorities.

Bad actors also exploit warrant proof use of their voice to send sound waves
directly at other bad actors ears to shield dangerous and illegal activity
—including terrorism, child sexual abuse, and international drug trafficking —
from authorities.

I realize that end-to-end vs speaking verbally is a bit of a leap but bills
like this make it seem like they don’t want US citizens to have a voice.

~~~
AdmiralAsshat
Dang, they were so close to mentioning all four:

[https://en.wikipedia.org/wiki/Four_Horsemen_of_the_Infocalyp...](https://en.wikipedia.org/wiki/Four_Horsemen_of_the_Infocalypse)

I guess money-launderers are no longer on the target list. Too much of a
white-collar crime, these days.

~~~
season2episode3
Money launderers are in command of the Justice Dept at this point.

------
triceratops
We in tech have to stop thinking that these politicians don't understand or
know what they're proposing. Or that they would change their minds " _if only
we could explain it right_ ". It's not a problem of information.

The fact of the matter is some parties (by which I mean groups, not political
parties) have an abiding interest in keeping strong encryption and privacy out
of the hands of the population at large. Banning E2E encryption either
outright, or through the backdoor (EARN IT act) from major Internet platforms
will accomplish this. Therefore, arguments like "You can't ban math" or "The
real criminals will just move to platforms that use E2E encryption" don't
work.

What's worse, they try and pass these laws using Think of the Children[1].
It's tested, and effective. It works because it's an emotional appeal and most
voters are emotional creatures (including me, and you). Like a popular
Internet meme says "You can't reason someone out of an opinion they didn't
reason themselves into."

Fortunately we can (honestly) use Think of the Children to fight back.
Literally every child in the US uses the Internet to chat with their friends
and send pictures, write their journal, do their homework, get their grades,
and communicate with their doctors or therapists. Weakening encryption
therefore endangers _every child_ , risking exposing their innermost thoughts
and conversations to the worst sort of people online.

We have to start couching this issue in terms that regular people understand.

"Would you lock your backyard gate, where your children play, with a TSA
lock?"

"What if your pediatrician's office told you their doors and file cabinets
have a TSA lock on them? Anyone can just buy a key on Amazon, walk in, and
rifle through everything they have."

I honestly worry about a future where my children have no privacy. Where any
online predator can potentially access everything they say, send, post, or do
online. That makes me anxious and frankly, a little angry.

1\.
[https://en.wikipedia.org/wiki/Think_of_the_children](https://en.wikipedia.org/wiki/Think_of_the_children)

~~~
nickff
As the Wikipedia article demonstrates, 'think of the children' is not usually
a motivating factor, it is a way of stymieing criticism by implying the
opponent is sociopathic and doesn't care about children. It is similar to
accusing someone of racism or sexism, in an effort to shut them down. These
tactics are all very effective in our currently sociopolitical climate.

Unfortunately, it is almost impossible to use this tactic to advocate in favor
of something (rather than against it).

I wish I had a suggestion for how to parry the accusation, but I don't.

~~~
triceratops
I think we have to go on the offensive. We can use Think of the Children to
promote legislation that mandates strong encryption on online platforms. It
can also prohibit any legislation that tries to incentivize companies to
weaken encryption, like the EARN IT act. Maybe the latter will require a
constitutional amendment, I'm not sure.

Without a law like this, we're just going to keep fighting the same battle
every 4-6 years. They only have to win once, we have to win every time. It's
not a fair fight.

~~~
nickff
I strongly favor end-to-end encryption, but I just don't see 'think of the
children' working as an effective message in favor of anything.

I happen to believe that it was protected by the first, fourth, and ninth
amendments, but I am not sure it is possible to erect permanent legal bulwarks
against ever-expanding federal powers. As an example, the second amendment
specifically enumerates gun rights, yet it is under constant assault. The only
way I can see to protect this type of individual liberty would be to radically
de-scope the federal government, but I don't think that's going to happen.

Again, I really wish I could be more optimistic, but I just don't see any
realistic hope.

------
ilstormcloud
I'm an African. I've lived through fantastically corrupt, despotic,
authoritarian rule riddled with nepotism and kleptocracy. I find GOP politics
to be disturbingly familiar. And it reeks of regulatory and state capture.

~~~
dfsegoat
I don't really think it is that cut and dry.

Case in point, a similar bill (as I understand it) - The EARN IT Act was
spearheaded by the same people as this bill, plus Dianne Feinstein (Democraft
of CA):

 _" The EARN IT Act was introduced by Sen. Lindsey Graham (Republican of South
Carolina) and Sen. Richard Blumenthal (Democrat of Connecticut), along with
Sen. Josh Hawley (Republican of Missouri) and Sen. Dianne Feinstein (Democrat
of California) on March 5."_

[https://www.theverge.com/interface/2020/3/12/21174815/earn-i...](https://www.theverge.com/interface/2020/3/12/21174815/earn-
it-act-encryption-killer-lindsay-graham-match-group)

Also:

[https://www.wsws.org/en/articles/2020/03/17/earn-m17.html](https://www.wsws.org/en/articles/2020/03/17/earn-m17.html)

~~~
TulliusCicero
Feinstein is widely despised by progressives for, among other things, being a
hawk. That she would also be anti-freedom here is not a huge surprise.

~~~
throwaway0a5e
There's plenty of others like her. Neither party seems to have many in
congress who want the government to have less dragnets and power to
micromanage.

~~~
TulliusCicero
I think there's quite a few Democrats like that, actually, but certainly not
all.

~~~
nickff
There are a bunch of Republicans too.[1]

[1]
[https://en.wikipedia.org/wiki/Liberty_Caucus](https://en.wikipedia.org/wiki/Liberty_Caucus)

------
staplers
We've all been shown recently how law enforcement only protects certain
segments of society. This will only get worse with draconian surveillance.

------
jeffdavis
Sometimes I imagine a secret meeting that happened some decades ago between
Republicans and Democrats, dividing up the Bill of Rights.

"Well, we have to at least _look_ like we're fighting for them. If we all just
agree to protect the Bill of Rights, then we aren't really _working_ for them.
How about Democrats get 4, 5, 7, 8, and 9; and Republicans get 1, 2, 3, 6, and
10?"

"Hey, why do we get the Third Amendment?"

"It was our idea."

(This comment is not meant to be taken literally and I'm sure that others will
have a different mapping between Amendment numbers and parties.)

~~~
Reedx
Basically everything is neatly divided between the two political tribes now.
If one says they're for X, the other is automatically against X. It's become
comically predictable.

The people endlessly fight amongst themselves as the rich get richer.

Divide and rule.

------
ideals
They can't catch domestic terrorists who are in the USAF using their existing
overreaching surveillance on non-encrypted traffic.

How does breaking encryption get them closer?

[https://www.washingtonpost.com/nation/2020/06/17/boogaloo-
st...](https://www.washingtonpost.com/nation/2020/06/17/boogaloo-steven-
carrillo/)

~~~
api
Easy: it's a bad faith argument.

Most of the stories I've read about terrorists and mass shooters report that
they were using bog standard instant messaging, unencrypted e-mail, and social
media. Most of these people are not highly technical and do not practice good
opsec. Hell Dread Pirate Roberts _was_ pretty technical and still got busted
because of bad/lazy opsec, not (as far as anyone knows) because encryption or
Tor were broken.

The child porn thing is a bad faith argument too. Child sexual abuse is under-
investigated and under-prosecuted already even when the information is there
or when actual reports are made. (Adult rape is under-prosecuted too.) They
don't do enough to go after child predators using existing tools, so why would
more tools matter?

~~~
suizi
There are some bad fallacies on their part too.

Large amounts of child porn detected equals platform being used on similar
scale for producing it / distributing new content / grooming. By playing with
equivalence, you can push for tougher policy.

It is under-prosecuted for frankly embarrassing reasons. Tech companies can't
submit it on the spot. They have to wait for them to come to them, and have to
delete it if they take too long.

------
jeffdavis
"If passed, the act would require tech companies to help investigators access
encrypted data if that assistance would help carry out a warrant."

Isn't that already required? If someone shows up with a warrant (presumably
signed by a judge and listing the particular things being searched), then
basically you need to do everything you can to help them (as you should).
Subpoenas are a little different and there's more room to argue about them,
but are also important in general. Regardless, if it's encrypted and you don't
have the key, then it's a dead end and that's the way things go.

So what is this law _really_ doing? My guess is that it's actually asking tech
companies to do something in advance of any specific criminal act, that would
somehow preserve private information or prepare it so that it's easier to
comply with hypothetical warrants that might be issued in the future against
anyone on the platform. That's really a different kind of thing than just
assisting in carrying out a warrant.

~~~
xxpor
It's much worse than the article describes. From the press release:

"Senate Judiciary Committee Chairman Lindsey Graham (R-South Carolina) and
U.S. Senators Tom Cotton (R-Arkansas) and Marsha Blackburn (R-Tennessee) today
introduced the Lawful Access to Encrypted Data Act, a bill to bolster national
security interests and better protect communities across the country by ending
the use of “warrant-proof” encrypted technology by terrorists and other bad
actors to conceal illicit behavior."

[https://www.judiciary.senate.gov/press/rep/releases/graham-c...](https://www.judiciary.senate.gov/press/rep/releases/graham-
cotton-blackburn-introduce-balanced-solution-to-bolster-national-security-end-
use-of-warrant-proof-encryption-that-shields-criminal-activity)

I haven't read the exact text, but to me 'ending the use of “warrant-proof”
encrypted technology' means banning end-to-end encryption, not just "requiring
the assistance" of technology companies.

And according to Eric Geller, who is one of the main cybersec reporters at
Politico, it DOES require backdoors:

[https://twitter.com/ericgeller/status/1275813434123186177](https://twitter.com/ericgeller/status/1275813434123186177)

"shall ensure the manufacturer has the ability to provide the assistance"

------
indigochill
So... the legislators seem to be targeting "warrant-proof" encryption. Now...
correct me if I'm wrong, but law enforcement can use due process to obtain
access to a suspect's phone, and that phone will then decrypt the
communication for them, right (even if the service provides true end-to-end
encryption, which most don't)? So what's the problem?

~~~
slaymaker1907
Often not if the phone is password protected, though increasingly popular
biometrics provide no such protections. The idea is that providing a password
is equivalent to providing testimony and is thus protected. The law on this is
not fully settled yet and varies by jurisdiction.

~~~
indigochill
Are there issues with removing that protection from providing passwords?
Intuitively, it feels to me like if police can compel an individual to let
them search a house with a warrant, the same should be true of a computer
(there may be incriminating evidence on it, but there may be incriminating
evidence in the house, too, so I don't see this as being any more or less
self-incriminating than textbook warrants). Moreover, if this didn't introduce
glaring problems I'm overlooking, it would be a great way to cut out the legs
from the "let's just backdoor everything" agenda.

The key thing being the law enforcement agent has to present their warrant to
the suspect.

~~~
chillacy
Searching your phone might be more like searching your mind, as phone usage is
almost an extension of your mind: containing notes, photos, messages, etc.
That it's protected with a password which would require compelling self
incriminating speech for makes it even more troublesome to acquire.

~~~
indigochill
I've seen that argument while reading up on the current state supreme court
cases, but I disagree that it's more like searching your mind than searching
ahouse is. To mirror your examples, a house may have handwritten notes,
photos, and voicemail messages (well, if it still has a landline) all of which
can potentially contain incriminating evidence. Yet we compel people to grant
entry to an officer with a search warrant.

As to the protection afforded by a password, a house is protected with a lock
and ordinarily someone cannot compel you to grant them access, which is what
the warrant is for, stating that they have reason to believe there is evidence
on the premises.

If we want to say, "But unlocking a door doesn't require speech while telling
someone your password does" then fine, silently punch that password into the
device.

Mainly I'm looking for problems with this in the vein of "If we install
backdoors into our software, that compromises security for everyone and grants
unprecedented surveillance power to the government". A hand-delivered court-
issued warrant to the owner of an individual device seems like a promising
compromise to let law enforcement get on with investigating specific crimes
without broadly crippling everyone's security in the process.

------
DoubleGlazing
If they get such a law enacted, then people who really care about end to end
encryption will simply "opt out".

There are so many open source crypto tools out there with no backdoors that
anyone savvy enough to find them and use them will do so.

Of course the average user probably wouldn't care enough to do that, but maybe
a few privacy scandals could change all that.

~~~
hundchenkatze
I agree, but I also think that, if successful, the law could have the knock-on
effect of criminalizing all unsanctioned (read functional) crypto tools.

edit: *leading to arguments like "Oh, you have Signal on your phone, only
criminals use Signal."

~~~
dane-pgp
Unfortunately such arguments are very likely to be made, given that Chief
Justice Roberts already suggested in 2014 that a person carrying two cell
phones might reasonably be suspected of dealing drugs:

[https://www.techdirt.com/articles/20140501/01194327086/supre...](https://www.techdirt.com/articles/20140501/01194327086/supreme-
courts-real-technology-problem-it-thinks-carrying-2-phones-means-youre-drug-
dealer.shtml)

------
jeffdavis
Sometimes I wonder if politicians are trying to get us to not vote for them.

Like, what problem is this solving? Are there tons of criminals that are
running wild, and if only we had their secret correspondence we could catch
them?

And is social media not already some huge gift to law enforcement? Forget
about tapping an encrypted line, just follow them on twitter.

------
slaymaker1907
Luckily they seem to have no concept of timing. Why they think they can get
away with something like this when trust of the police and authorities is so
low is beyond me.

~~~
suizi
They're hoping we're distracted by the virus / riots / rhetoric of spooky
criminals.

------
pengaru
Can't companies already be compelled to push updates to select devices adding
a decrypted sidechannel to "e2e encrypted" apps, effectively providing a
wiretap when a warrant is in hand?

There's no need to weaken the encryption at all when end-users don't actually
control the software they run day-to-day. Just replace the software while
they're asleep.

~~~
jonny_eh
> Can't companies already be compelled to push updates to select devices

Nope. Can you link to an example?

~~~
dane-pgp
That may be the case in Australia at least. From [0]:

"if an agency were undertaking an investigation into an act of terrorism and a
provider was capable of removing encryption from the device of a terrorism
suspect without weakening other devices in the market then the provider could
be compelled under a technical assistance notice to provide help to the agency
by removing the electronic protection"

As for the US, I wouldn't be surprised if the government has sought to achieve
something like this using the All Writs Act[1]. However, in the recent case of
Facebook helping the FBI with a targeted use of a vulnerability[2], it seems
that they cooperated voluntarily, even paying a third party contractor to
help.

[0] [https://www.computerworld.com/article/3460071/encryption-
has...](https://www.computerworld.com/article/3460071/encryption-has-the-
government-stuck-to-its-no-backdoors-pledge.html)

[1]
[https://en.wikipedia.org/wiki/All_Writs_Act#Application_to_e...](https://en.wikipedia.org/wiki/All_Writs_Act#Application_to_electronic_devices)

[2] [https://gizmodo.com/report-facebook-helped-the-fbi-
exploit-v...](https://gizmodo.com/report-facebook-helped-the-fbi-exploit-
vulnerability-i-1843988377)

------
oh-4-fucks-sake
GOV: Is it true that your servers hold encrypted data.

AWS: Yes.

GOV: Decrypt it, please.

AWS: Lol all we have is the public keys, bruh.

GOV: Use the public key to decrypt, please.

AWS: Uhh...

------
suizi
A criminal could use a service provider which isn't located in the U.S. or
peer-to-peer communications. Only stupid criminals and the general public will
be hit by this.

Is this a last ditch effort for a Law & Order Bill prior to the election?

~~~
tempodox
I suspect so. Never mind that it wouldn't really work – politics is a game
where scammers get away with impunity.

------
jeffdavis
The original "warrant proof" evidence was just saying something. Whoever was
within 30 feet heard you, but otherwise, it was just gone.

~~~
dane-pgp
Exactly. Encrypted phones are "warrant proof" in the same way that past spoken
conversations, or suspects' brains are "warrant proof".

If memory-enhancing brain implants are developed in the future, it will be
interesting to see whether data stored on them will be subject to subpoenas.

------
threatofrain
What's the tally on support? Otherwise it's difficult to know whether this
bill is symbolic or serious.

------
dang
Also posted yesterday:
[https://news.ycombinator.com/item?id=23622169](https://news.ycombinator.com/item?id=23622169)

------
shmerl
How often will this stupidity come up? Looks like some never learn.

------
Gollapalli
Do these dolts not realize that their supporters also use encrypted platforms
(like signal and telegram) to communicate, especially things that are
considered fringe or dissident. One might expect such cluelessness from
someone like Lindsey Graham, who is a neocon's neocon, but from Tom Cotton,
who is on the Right-wing's preferred side on immigration? Especially, when
that position is the sort of position that can get you fired these days?

Madness. I wonder what would happen if the NRA started defending encryption as
a second amendment issue, as encryption technology has historically fallen
under munitions export control legislation.

------
mjparrott
[https://www.youtube.com/watch?v=UMDXdxQc4SU](https://www.youtube.com/watch?v=UMDXdxQc4SU)

~~~
dane-pgp
I hope I'm not spoiling the joke, but the title of the video above is:

"Tale As Old As Time - Lyrics - Celine Dion and Peabo Bryson"

