
House Judiciary Committee Encryption Working Group Year-End Report [pdf] - BuuQu9hu
https://judiciary.house.gov/wp-content/uploads/2016/12/20161220EWGFINALReport.pdf
======
gred
The good:

> Congress should not weaken this vital technology [encryption] because doing
> so works against the national interest.

The bad:

> Metadata may not completely replace the loss of encrypted content, but
> metadata analysis could play a role in filling in the gap. The technology
> community leverages this information every day to improve services and
> target advertisements. There appears to be an opportunity for law
> enforcement to better leverage this information in criminal investigations.

The ugly:

> Although much of the debate has focused on requiring third party companies
> to decrypt information for the government, an alternative approach might
> involve compelling decryption by the individual consumers of these products.
> On a case-by-case basis, with proper court process, requiring an individual
> to provide a passcode or thumbprint to unlock a device could assist law
> enforcement in obtaining critical evidence without undermining the security
> or privacy of the broader population.

> With respect to the Fifth Amendment, is there a substantive or legal
> difference between unlocking a device with a passcode and unlocking the
> device with a biometric identifier? Is entering a passcode a “testimonial
> act,” as some courts have held? Is a fingerprint different in any way?

> Are there other circumstances that would enable the government to compel
> production of a passcode without undermining the Fifth Amendment?

~~~
UnoriginalGuy
How is that "ugly?"

\- Case by case basis (i.e. not a giant dragnet).

\- Proper court process (i.e. warrants).

\- Likely not done in complete secret and with normal regularity oversight.

That's the gold standard to me, not the ugly. I WANT courts to issue warrants
against individuals based on a real concrete criminal case.

~~~
tuna-piano
Exactly. If you think the government should be able to gain access to your
house, filing cabinet, etc- with a warrant, why not your phone as well?

The issue with the Snowden revelations and similiar programs is that there is
no warrant or court process.

~~~
JoshTriplett
> If you think the government should be able to gain access to your house,
> filing cabinet, etc- with a warrant, why not your phone as well?

They can gain physical access to the phone, just like they can gain physical
access to a safe; they can also compel the production of physical keys or
security tokens, if any. They can't compel you to provide information from
your mind, such as the passphrase to a phone.

~~~
nightcracker
"Tell us where the body is buried, or we'll hold you in contempt of court."

Being compelled to produce any information from your mind to incriminate
yourself is not acceptable.

~~~
JoshTriplett
I think we're in complete agreement here.

------
ramblenode
> Congress should not weaken this vital technology because doing so works
> against the national interest.

One of the most surprising and encouraging statements to come out of Congress
in a while.

~~~
tanderson92
It's not entirely encouraging because the "national interest" is separate and
distinct from civil liberties. That is, if there were a way to do this while
keeping the national security intact and trampling over civil rights they'd be
all for it.

~~~
gizmo686
What is the "civil liberties" you are talking about. It is already well
established that the government has a right to (under certain conditions)
search through your documents and belongings.

You could also be talking about a civil liberty to be able to run what
software you want. However, the hypothetical laws that are covered by this
report include ones that only restrict what major companies do; and we already
accept limitations on what companies can do. (For example, no one's civil
liberties were violated when Microsoft was forbidden from preferentially
bundling IE with Windows).

You could also be talking about the civil liberties associated with dragnet
surveillance. However, those violations are not a result of the use
technology; but rather the surveillance program. They should be regarded in
the same fashion as an old fashioned surveillance program.

The only civil liberty that I can make a convincing argument for being
directly relevant is the right to bear arms. [0] Interestingly, in my
experience, support for encryption is anti-correlated with support for gun
rights (myself included).

[0] Is cryptography still classified as a munition?

~~~
tanderson92
For one: I'm talking about the freedom to do what I describe here:
[https://news.ycombinator.com/item?id=13253207](https://news.ycombinator.com/item?id=13253207)
Without cracking down on the ability to do that, they've achieved nothing on
the search warrant front.

~~~
gizmo686
They would only need to show that the software they are asking you to unlock
does not have the behaviour you describe; which will be easy in the common
case of you using default software. If you are using plausibly deniable
software, then they could still compel your peers to surrender their passwords
unless everyone involved was using plausibly deniable software.

This would put us back to the pre-dark world where the government had access
to all digital records that were not maintained by people with super-human op-
sec practices.

Further, even if you do have amazing op-sec, they could still attempt to prove
beyond a reasonable doubt that the data is an encrypted message through non
technical means. For example, if they can show that you accessed the alleged
data the week before.

Even if there are some cases where, through technical means, one prevents the
government access to the data, the number of such cases is still smaller than
the number of cases that would be prevented by default encryption.

~~~
tanderson92
Right, the idea is you build and distribute a system, such as Signal, built
around this concept.

You haven't addressed the civil liberties angle though: should the government
be able to make this software illegal? If not, crypto people can design such a
system.

Existing warrant processes already get you to the system that you describe, so
I don't know why the House would talk about it as some future innovation and
change needed, if their goal wasn't to make the system I describe less
permitted.

~~~
gizmo686
The question is not if the government can make the software you describe
illegal. The question is if the government can forbid Apple/Google/Microsoft
from making it the default.

Existing warrant processes do not get you to the system I describe, because it
is not settled law yet whether or not the government can legally compel you to
surrender your key, even in cases where there is no dispute that there is a
key.

The fact that there exists hypothetical software that would allow someone to
plausibly dispute the existence of the key is not relevant to the above
question.

------
azernik
Note that this is not purely a House Judiciary Committee working group; as the
page header says, it is a joint Judiciary Committee and Energy and Commerce
Committee working group.

This is an encouraging sign, as it indicates that interests other than those
of law enforcement are being represented.

------
libeclipse
Will an American explain what the House judiciary committee is, what power
they have, and if this paper by them has any impact.

~~~
azernik
A committee in either house (House of Representatives, usually "The House",
and the Senate) is the body that writes laws and sends them to the full
chamber for a vote. In doing so, they also research the issues involved, and
can conduct investigations and can summon people (including government
officials) to testify.

A paper by them does not have any legal force, but it often shapes the views
of other members of congress, and reflects the views of those members who have
the most interest in the issues at stake (ie the members of the committee).

In this case, both the Judiciary (dealing with both the court system and law
enforcement) and Energy and Commerce (dealing with economic issues in a fairly
broad sense) committees have a combined working group on encryption, since it
affects both their subject areas.

------
dmix
Could they even find a single expert who thought it _was_ possible?

~~~
JoshTriplett
At the risk of invoking the No True Scotsman fallacy: anyone who said it was
possible wouldn't be an expert.

(I don't think the fallacy applies here, since the property _does_ correlate,
and wasn't arbitrarily selected to redraw the boundary.)

~~~
Neliquat
Ehh, while most would agree, I have met biologists who deny evolution.
Membership to a club of belief is a powerful source of cognitive dissonance.

~~~
mjevans
I believe it /technically/ possible that the world could be initialized in
such a state that it appears as if evolution occurred when it had instead
merely been made to exist in such a state.

That is probably astronomically unlikely, but you don't even really need a
'god' to produce such an outcome. Imagine if an alien race wanted to run a
simulation of some sort that was only possible in reality. So they go to the
trouble of setting up an entire solar system and planet as their staging
ground. It isn't conceptually beyond any possibility, but the effort required
is likely beyond my capacity to accurately imagine.

It's so highly unlikely that I don't believe it actually happened, but I
cannot say for absolute certain that it didn't.

Given the history of everything, even war-time level efforts to keep secrets,
I don't believe anyone could creditably say that any level of over-ride key
wouldn't be impossible to leak from /somewhere/.

~~~
thyrsus
An omnipotent entity could have initialized the universe (including everyone's
memories) one femtosecond ago; one does not obtain actionable information from
picking an arbitrary point (e.g., 6000 years ago) for this to have happened.

------
hkt
Merry Christmas, American crypto tinfoil hats. From the summaries I've seen,
your govt's attitude to crypto is considerably more enlightened than that of
the UK's.

Mind you, aren't most of your state level adversaries in the US above the law
anyway? What difference does legislation make when it isn't enforced? Does
this report contain any suggestion of penalties for organisations or
individuals involved in say, global dragnet surveillance? What provision for
oversight is there?

------
known
Govt can always demand your private key;

------
i_feel_great
That really smart person, Trump, will make it work. If not, he get help from
Putin and make it work.

