
Don't Panic: Seeking Points of Agreement on the “Going Dark” Debate - finnn
https://cyber.law.harvard.edu/pubrelease/dont-panic/
======
CapitalistCartr
This fake crisis of "Going Dark" as if we haven't been that way for all of
time before the Internet is dangerous. The "scary" notion that the police
won't be able to read everything about everyone is being recast by the Feds as
if it really is a national crisis. Benjamin Wittes suggests on Lawfare we make
Common Carrier Immunity conditional on the company being able to make all data
available in the clear to the government. This is dangerous ground.

https://www.lawfareblog.com/out-box-approach-going-dark-problem

~~~
rayiner
While I oppose things like encryption backdoors, I think it's disingenuous to
say this is a "fake crisis." The 4th amendment has always required balancing
security and privacy--that's why the distinction between "unreasonable
searches" and reasonable ones appears right there in the text. And society has
always balanced those two interests with a simple mechanism: the police can
only search with a warrant, but once they have a warrant their power to search
is nearly limitless.

Thus, the government has always had a way to search the long-distance
communications mechanisms of its day. Wiretapping telegraph or telephone lines
was not deemed a violation of the 4th amendment until 1967. Even after that, a
wiretap was authorized with a warrant.

Now, you have a pervasive mechanism of long-distance communications, and it's
increasingly opaque to the government, _even with a warrant_. That's an
unprecedented state of affairs.

~~~
JoshTriplett
Prior to the Internet, cipher schemes existed that could delay or foil the
best government analysts, and that took significant government efforts to even
attempt to crack. It was never illegal to use such a code and transmit the
result on a letter, postcard, or phone. And a government warrant would not
compel the decipherment of such a scheme, unless someone had possession of a
physical key usable for decipherment.

The two differences now: we've made that technology available to non-experts,
and we _hope_ that no amount of government effort can crack the scheme (as
opposed to obtaining the key).

I agree with your comment that it's not a "fake crisis", though. It's one with
only one right answer, but it's a "crisis" in the sense that no possible path
forward will make both parties happy, so we fundamentally need the government
to either realize they're wrong or to lose. Government positions don't change
easily, and governments do not like to lose.

While it bothers me to see terms like "common ground" used, as they imply that
both positions have grounds worth considering, I do think one of the few paths
that has a hope of success is to convince the government that there exists a
position they can adopt that doesn't _look_ like it goes back on their current
stance.

~~~
rayiner
It's mostly not about banning encryption though. The debate mostly centers on
regulating the products and services companies can provide to facilitate such
communications. If there was a precursor to companies promising to make it
easy for regular joe criminal to encrypt his postal mail, it's conceivable
that the government would have cracked down on those companies.

> It's one with only one right answer, but it's a "crisis" in the sense that
> no possible path forward will make both parties happy, so we fundamentally
> need the government to either realize they're wrong or to lose. Government
> positions don't change easily, and governments do not like to lose.

It's not the "government" versus "the people." It's a small group of people
who strongly support surveillance, a small group who strongly oppose it, and a
mushy middle that tends to lean towards whatever makes them feel safe. People
in each group are represented within government, though for obvious reasons
people in the first group tend to gravitate toward positions involving
national security or defense.

~~~
AnthonyMouse
> The debate mostly centers on regulating the products and services companies
> can provide to facilitate such communications.

You're calling them products but the relevant thing they want to regulate is
still more speech.

If you want to communicate with your friends in code then you first have to
communicate the code itself. In this context the code is _code_, but code is
speech.

~~~
rayiner
Code is not speech any more than electronic circuits are speech. That is to
say that in unique contexts when the code is itself a means of expression code
may be speech,[1] but not when it is used to _build something_ that enables
communication.

[1] Bricks can also be expression in unique contexts. That doesn't mean that
bricks are speech.

~~~
AnthonyMouse
A brick or electronic circuit is speech when being used as a medium of
expression. Code is speech all the time because it can't be anything else.
It's pure information. You can't email someone a brick.

It happens we have machines that will turn that information into action, but
the code isn't the machine or the action. It's just a type of speech that
machines can understand too.

People are always wanting to regulate speech by combining it with a machine,
but the machine and the speech are separate. They don't have any specific
relationship. Apple makes a) a general purpose computer and b) computer
software. But (modulo DRM/copyright) you could run that software on _any_
general purpose computer and use that general purpose computer to run _any_
software.

It's like trying to regulate what information you can print in a newspaper by
claiming you're regulating the printing press.

~~~
harryh
A piece of encryption software is clearly both.

It is speech. If you wanted to you could even go find the source code and
translate it into English in such a way that a relatively competent programmer
could turn it back into code ("If the first bit in the byte is 1 then do ....
otherwise do ....").

But it's clearly also a tool. I've never read the source code to the software
I use to encrypt my hard drive. It's unlikely that I ever will. I just care
that it does the job I want it to.

Trying to say that it's either one or the other is silly. It's both.

But just because it's speech doesn't mean that the government might not have
an interest in regulating it. The first amendment is not absolute. I can
imagine a great many prima facie arguments supporting the idea of regulating
encryption software. The fact that code is speech is not, in and of itself, a
defense against any of them.

As with most cases of constitutional law, it comes down to weighing competing
interests. Failing to acknowledge these varying interests fails to acknowledge
the actual question at hand.

~~~
AnthonyMouse
> Trying to say that it's either one or the other is silly. It's both.

I'm not trying to say that it's one or the other. I'm trying to say that there
is no part of it that _isn't_ speech. There is not a part which is a tool and
a distinct part which is speech. The whole of it is speech. All you're saying
is that it's possible to use pure speech as a tool. But what of it?

You can't win by talking about balancing because encryption software is meta.
You can use it to distribute it. If people who are breaking no law have the
right to be able to communicate without government surveillance then the
government would have to violate that right _universally_ to enforce any rule
restricting the distribution of software, because distributing software over a
secure channel is indistinguishable from any other communication of the same
size. It's hard to imagine anything that could justify that level of
intrusion, and certainly not anything that has been proposed as a
countervailing interest in this context.

------
cubano
Something learned in my 30y career as low level felon and spending fairly
significant amounts of time (to me at least...a week in jail is no picnic!)
locked up in both jail and prisons...

95% of cases are made via informants and not CSI-type investigations, so the
whole "going dark" thing, I feel, isn't going to affect law enforcement the
way a lot of people think it might.

I did notice, however, my last time through the system last year, that the
State is now making a bunch of cases using cell tower information to put the
defendants near the crime scene during the approx time of the situation.

Just FYI.

~~~
LordKano
Going dark has a significant effect on law enforcement. It'll force them to
rely on active investigations instead of passively collecting data that they
can review at their leisure.

I think this will reduce their ability to target people for political reasons.

------
Absentinsomniac
My kneejerk reaction to this is to panic about the opposite of what the
concern here seems to be. Seems to me like ubiquitous surveillance via any and
all available technology is a bigger threat than "going dark" would be. I know
encryption can provide an obstacle for law enforcement but my inclination is
to worry about privacy in society over potential lawbreakers.

~~~
jeanetienne
This ^

It seems to me that all this report is saying is: "Hey government, don't worry
about tech 'going dark', we will still have the ability to spy on people
through their poorly implemented Internet of Things devices, services that
won't use end to end encryption, metadata, and because software is still
fragmented."

But they don't seem to even slightly condemn the simple fact that governments
are turning into surveillance machines...

------
jcr
The submitted berklett "Don't Panic" article has a "Bruce Schneier" link to
his "Security or Surveillance?" article on lawfareblog.com. It's also good
reading.

[1] https://lawfareblog.com/security-or-surveillance

~~~
kmonsen
This is what the debate is all about. The government wants to have
surveillance of its citizens, but wants to call it something else.

------
mmaunder
If we could only make them understand that forcing the good guys to not
encrypt doesn't take encryption away from the bad guys. Legislators don't
understand that encryption doesn't have to be made by Apple for the bad guys
to have encryption. A shared key and XOR gives you unbreakable encryption. A
high school comp sci. kid could implement that.

~~~
fleitz
Incorrect, if the key is shared the encryption is breakable. If you're just
doing one round of XOR it's pretty easy to break the key given a known
plaintext, in the same way that AES is very breakable in ECB mode.

For unbreakable encryption, I'd suggest XORing with the contents of
/dev/random (assuming /dev/random is unknowable). Of course decryption may be
an issue.

~~~
schoen
In context, I'm sure the parent commenter meant "a random key the same length
as the plaintext", not a repeating key or a reused key.

~~~
fleitz
Some people when faced with an encryption problem think 'I know, I'll use a
non-repeating random text to XOR against the plain text', now they have two
encryption problems.

~~~
mmaunder
Three if you count entropy.
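
Added example (not part of the thread and not written by any commenter): a short Python sketch of the distinction argued in the XOR sub-thread above. It shows that a random pad as long as the message decrypts correctly and gives up only the bytes already known, while a short repeating key or a reused pad fails against known plaintext. The messages and the short key are constructed for illustration.

```python
import secrets

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key, cycling the key when it is shorter than the data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def new_pad(length: int) -> bytes:
    """One-time pad: random bytes from the OS CSPRNG, as long as the message."""
    return secrets.token_bytes(length)

def keystream_from_known(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """ciphertext XOR plaintext = key material, for exactly the bytes that are known."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_prefix))

def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Two messages under the same pad: the pad cancels, leaving p1 XOR p2."""
    return bytes(a ^ b for a, b in zip(c1, c2))

# Constructed sample data (not from the thread).
MSG1 = b"MEETING MOVED TO 0900 AT THE USUAL PLACE"
MSG2 = b"INVOICE 4471 IS OVERDUE, PLEASE PAY NOW."
SHORT_KEY = b"K3Y!"

def demo() -> dict:
    # Case 1: 4-byte repeating key. Knowing the first 4 plaintext bytes
    # yields the whole key, and therefore the whole message.
    ct_short = xor_bytes(MSG1, SHORT_KEY)
    key_guess = keystream_from_known(ct_short, MSG1[:len(SHORT_KEY)])
    short_broken = xor_bytes(ct_short, key_guess) == MSG1

    # Case 2: pad as long as the message, used once. The same known prefix
    # yields only the matching pad bytes; the rest of the pad is independent.
    pad = new_pad(len(MSG1))
    ct_pad = xor_bytes(MSG1, pad)
    pad_prefix = keystream_from_known(ct_pad, MSG1[:4])
    otp_roundtrip = xor_bytes(ct_pad, pad) == MSG1

    # Case 3: the same pad reused for a second message leaks p1 XOR p2,
    # so knowing MSG1 reveals MSG2 without ever learning the pad.
    ct_pad2 = xor_bytes(MSG2, pad)
    msg2_exposed = xor_bytes(reuse_leak(ct_pad, ct_pad2), MSG1) == MSG2

    return {"short_key_recovered": key_guess == SHORT_KEY,
            "short_key_message_recovered": short_broken,
            "otp_roundtrip": otp_roundtrip,
            "otp_known_bytes_only": pad_prefix == pad[:4],
            "reused_pad_exposes_msg2": msg2_exposed}

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```
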

------
defenestration
To summarize: end-to-end encryption is making online surveillance harder.
However, standards for end-to-end encryption are still fragmented and
companies have incentives to not adopt it. Besides that, connected sensors,
'the internet of things' and unencrypted metadata give new surveillance
possibilities.

------
its2complicated
"legitimate government interests" should be enough to scare everyone. It's not
for criminals, just like gun control is not about criminals. Think the worst,
'cause it don't get any better!

------
voodootrucker
Why do we need to agree? That's how this works. You compromise a bit, and they
don't budge. Then you compromise again. Repeat the process until all liberties
are gone.

Also, why is this framed as "going dark"? That's the ignorant people's
wording. Why doesn't the author call it what it is: key escrow, or
back-dooring? Use the terms of the industry you are talking about.

------
mmaunder
If you want to beat it, brand it. Obamacare, The Surge, War on Terror. Going
Dark is just the latest. Expect letsnotencrypt.gov any day now.

~~~
dragonwriter
> If you want to beat it, brand it. Obamacare, The Surge, War on Terror.

The Surge and the War On Terror were branded by their supporters. Obamacare
was branded that way by those trying to defeat it, but it hasn't worked. So,
not sure your examples illustrate your point.

~~~
mmaunder
I shall be sure to quote more pertinent examples in future.

~~~
laotzu
> The receptivity of the great masses is very limited, their intelligence is
> small, but their power of forgetting is enormous. In consequence of these
> facts, all effective propaganda must be limited to a very few points and must
> harp on these in slogans until the last member of the public understands what
> you want him to understand by your slogan. As soon as you sacrifice this
> slogan and try to be many-sided, the effect will piddle away, for the crowd
> can neither digest nor retain the material offered. In this way the result is
> weakened and in the end entirely cancelled out.

~~~
mmaunder
The subtitled versions of his speeches certainly shed new light on the guy.
You realize how powerful (and potentially dangerous) charisma can be.

------
mirimir
There's an underlying issue that the report dances around, but doesn't address
directly: sovereignty. Understandably enough, US authorities expect US
companies to comply with US law. When foreigners are involved, as users or
counterparties, things get iffy. Diplomatic relationships, treaties,
agreements, etc become dispositive.

For example, the US supports Chinese dissidents, and maybe Thai dissidents,
but for sure not ISIS. And so decrypted ISIS messages would be widely shared,
but decrypted messages from Chinese dissidents would not be shared with China.

Old-school sovereignty just doesn't work on the Internet. If the US pushes
hard enough, some firms will fold. But some may just leave. Consider the
extent to which Apple has already left the US, for tax purposes.

------
hellbanner
Related: Apple's patent for "polluting online social networks with fake
profiles".. based on variants of the real profile.

http://www.darkreading.com/risk-management/apple-gets-patent-for-polluting-electronic-profiles/d/d-id/1104952? (Or google for other articles)

------
unicornporn
Apparently, authorities are not really worried:
https://theintercept.com/2016/02/01/is-law-enforcement-going-dark-because-of-encryption-hardly-says-new-report/

------
Zigurd
Regulating strong encryption out of consumer products is functionally the same
as banning it. Using encryption would draw special attention. Encryption needs
to be routine in order to protect the public, outside of special situations.

------
fredgrott
put in proper context

Imagine if it's WWII and that they asked for all mail to be un-sealed..Shocking
but did almost happen..as far as they got was asking Military Personnel to
'volunteer' not to seal mail..

~~~
marshray
They forced everyone to turn in their shortwave radios too.

~~~
kwhitefoot
Who? Where? In the UK that would have meant pretty much every radio would have
had to be given up. At least every radio I have seen from the period had LW,
MW, and SW.

~~~
marshray
[http://www.radiomuseum.org/forum/radios_confiscated_in_us_du...](http://www.radiomuseum.org/forum/radios_confiscated_in_us_during_wwii.html)

------
batz
It's not just about tech. The real issue is that government is running up
against scaling limits.

Arguably, a government can only rule over how people relate within boundaries
it can defend and control. Previously the boundaries were physical
geographies, and then regulated channels (mail, PSTN, etc). Now, we have a
kind of fractal boundary of peer-to-peer connections that provide tremendous
freedom to organize and transact on a diminishingly microscopic scale.

Sovereignty is zero sum.

Crypto provides a kind of micro-sovereignty to users, and for a few privileged
or outlying people this is an acceptable risk, but when you have
constituencies of people achieving that micro-sovereignty, it cuts into the
sovereignty of the state at a critical level.

Imagine the strategic consequences for U.S. national security if Rhode Island
became its own country, with an impenetrable laser air shield, with its own
allies, currency, tax laws, extradition treaties, defense systems, resources,
etc. It would be such a constant threat, it would make more sense to just
invade.

Tor and similar systems could reach that critical mass, where they become a
constant threat to the sovereignty of nations. Tech is naively forcing hard
questions about the conventions that provide "stability."

The feds know they might just have to just outlaw crypto. The technology
exists to detect and round up most people who use it, or enough of them that
it will be hard to find people to use it with. If they have to, they will.

This dance they are doing is political posturing, testing the edges to see
what kind of resistance they get, and how much political capital it is going
to cost.

Like voting and graffiti, if crypto really changed anything, it would be
illegal.

~~~
milesokeefe
Is graffiti not illegal?

~~~
batz
Banksy reference. He tagged, "If graffiti changed anything it would be
illegal."

