China passes law requiring tech firms to hand over encryption keys (betanews.com)
265 points by DiabloD3 on Dec 28, 2015 | 112 comments

"This rule accords with the actual work need of fighting terrorism and is basically the same as what other major countries in the world do."

"When changes in technology hinder law enforcement’s ability to exercise investigative tools and follow critical leads, we may not be able to identify and stop terrorists who are using social media to recruit, plan, and execute an attack in our country."

One of the above is from Li Shouwei, the deputy head of the Chinese parliament's criminal law division. The other is from the US FBI director.

"One of the above is from Li Shouwei, the deputy head of the Chinese parliament's criminal law division. The other is from the US FBI director."

... who have more in common with each other than they do with any of their constituents.

Yeah, but that's not the point. It's that the reasoning is equally appalling, and the outcome is dangerously close to being equally horrific.

No offense, but this feels like a nice but meaningless soundbite, and a bit of 'whataboutism'.

The important part of any internet law, and any country's level of freedom/privacy on the internet isn't measured by the bland statements policy makers make to the press, but in the content of the laws that actually get passed. I'm sure you could find two statements from Hitler and JFK about how they love kids - doesn't mean they are equivalent.

I do think there's some value to pointing out the irony though; two men from two cultures that couldn't be more distinct, with titles that could be synonyms, using what is essentially the same scripted prose to control and appease the media/populace.

Personally I find it disheartening. I think the Chinese are copying key aspects of the American Media/propaganda model because it's been demonstrated as so damn effective...

It is not meaningless. There is a push in the west for the same kind of laws. In the US and UK particularly, not whataboutism at all.

In no world should this be surprising. Law enforcement officials have always wanted all power possible to do their jobs. The job of the government is not to give into every demand that law enforcement puts on the table.

The second one is merely an observation of fact.

This is purely anecdotal, but countries that haven't actually been touched by terrorism seem to be a lot more terrified of terrorists than countries that have been. It's a lot more of a boogeyman when it's those-people-over-there-doing-crazy-things

I remember in Poland and Croatia people were so scared that a common sentiment was basically wanting to ban all muslims.. you know.. just-to-be-on-the-safe-side

So while yes, this is a scapegoat, people in China are actually scared of the terrorists.. it's bizarre

I think you don't follow Chinese news very much. They are heavily affected by terrorist attacks, low and high tech.

Also, I don't think China's position has anything to do with the people's "fear"; this is related to the government's position of trying to maintain its power by staying on the right side of the information asymmetry the internet affords.

China has its own definition of terrorism.

I think "heavily affected" is a matter of opinion. It's been mostly some rather unorganized and heavily suppressed unrest in Xinjiang...

As far as we know the country isn't infiltrated by Al Qaeda or the IS (like Europe and maybe the US)

As for your second point, sure - a perfect climate to clamp down on the internet some more without upsetting anyone.

Wait, are you saying that China hasn't experienced terrorism? That's definitely untrue. Terrorist attacks by Uyghur separatist groups are not an infrequent occurrence. There was a highly publicized attack in Kunming in 2014.

China actually has problems with terrorism. In particular within Xinjiang province.

Wikipedia: Recent incidents include the 1992 Urumqi bombings,[9] the 1997 Ürümqi bus bombings,[7] the 2010 Aksu bombing,[10] the 2011 Hotan attack,[11] 2011 Kashgar attacks[12] and the 2014 Ürümqi attack.[13]

Yeah - you're definitely remembering wrong or you have your countries mixed up.

Croatia was actually the only (border-) EU country that allowed passage to all refugees (I'm guessing that's what you're referring to) and there was definitely no anti-muslim sentiment or any sort of call to ban all muslims.

Don't think anybody ever thought about anything like that at all in Croatia - people still remember their own armed conflict a decade or so ago.

You probably mean the countries from the Visegrad group (Czech Republic, Hungary, Poland and Slovakia) - where some parts of the government (especially in Slovakia) were proposing to only accept Catholic refugees (which is also not the same as saying they'd ban all muslims).

I'm not mixing up my countries, passage was granted b/c no one was concerned that they would stay in Croatia and they were just dumping the problem on to the next neighboring country. Everyone knows they're trying to go to Germany and the Nordic countries. The countries that border Austria/Germany obviously were a bit more concerned that the refugees wouldn't be let in and so they'd end up with all these people on their border.

When the gov't agreed to accept several thousand refugees several people told me they thought it was a horrible idea and that they don't need these communities in Croatia.

Oh ok - thought you had your countries mixed up but now you're just trying to dig yourself out of the gutter. You need to check your facts on multiple things you've written.

It's true that most refugees are trying to make it to Germany - but if Germany closes its doors, they wouldn't get stuck in the immediate neighbouring countries - they'd get returned to the point of where they were first registered in the EU. Since Greece is not doing that at all - this would for most of them now be Croatia. Which is for example what Slovenia is preparing for (google "border razor wire slovenia") under the pretence of "defending" the Schengen border (even though it's just something like 70km through Slovenian territory from Croatia to Austria). So granting passage for Croatia is not an easy decision to make.

You dismiss granting passage as something any country could do - yet Croatia is the only willing/open corridor now since Hungary has closed its doors completely and they're clearly not welcome in Czech Republic, Poland, and Slovakia who openly oppose any EU quotas. No word on any of that in Croatia - who has already started building shelters for the EU quotas and has indeed already accepted refugees wanting to stay there (even though most of them want to continue on to Germany).

None of these have anything to do with your original claim that "Croatia wanted to ban all muslim". In addition to what I wrote I'd go as far as to say that Muslims as a religion are not such an oddity in Croatia - yes, it's a predominantly Christian country but it does have a small and thriving muslim community inherited from its close ties with the neighbouring (predominantly muslim) Bosnia (made even closer by the fact that Bosnia and Croatia were mostly fighting on the same side in the last Balkans war against ex-Yu/Serbia).

"Several people told me" is just not a credible reference. Whereas it's easy to google and confirm what I've tried to correct you with - again I think you're confusing Croatia with Slovakia (google Slovakia in relation to accepting only Christian refugees).

Okay, first of all you're getting awfully defensive and I did qualify my first reply with "This is purely anecdotal..."

So I'm open to being wrong about Croatia's attitude to having an immigrant community of muslims - it's just not what I saw.

"It's true that most refugees are trying to make it to Germany - but if Germany closes its doors, they wouldn't get stuck in the immediate neighbouring countries"

No, the Germans would never close the door per se, they'd just stall and delay things till the bordering countries end up having huge camps while the famous EU bureaucracy does its thing. Macedonia was clever and quickly managed to get them all across the country and dump it off on the next guy. Croatia pulled off something similar.

And of course Croatians aren't painting all muslims with the same brush - sorry if I gave that impression. But one group, the one they seemingly don't want, comes from a land of boogeymen full of religious extremism, Al Qaeda and the IS while the other is their war-buddies/neighbors (and as far as I know hasn't yielded a single terrorist - though with all the money coming from Saudi and Turkey that may change..)

We all know this is not about terrorism. Terrorism is the excuse given to justify the end of privacy, just like "think about the kids" is used as a blanket principle to exert censorship.

China is actually threatened by terrorism and also the world! That terrorist is called the U.S.

The Verge (referencing WSJ) says firms are not required to hand over encryption keys.


It requires the OS/product vendor to enable key escrow though. Apple used to have a mechanism for this. Microsoft has a mechanism for this. And presumably all of them will escrow encryption keys for any products they sell in China.

GCHQ wants this too. So if tech companies comply with China's law, why wouldn't they comply with the U.K.'s? And if they comply with the U.K. law, why couldn't there be one in the U.S.?

Do you have a cite for that? If Apple has to turn on / enable key escrow that's a very huge freaking deal.

I think the point is that Apple no longer has "backdoor" keys for encryption any longer so that they have no keys to give the government when they come knocking. I'm basing this conclusion off a quote from the article: "While the government insists that there will be no requirement for companies to install backdoor", as well as an interview with Tim Cook off 60 Minutes where he stated they won't be going the backdoor route anymore. I believe there are more quotes available from him if you google "apple encryption backdoor".

Apple can certainly read iMessage conversations and provide that data to governments. They don't have the private keys, but they run the directory server that distributes the public keys used to encrypt to. So they can very easily provide you with the wrong public key for your recipient, decrypt that data and store/forward, and then re-encrypt on their end with the correct key and forward to the actual recipient.

"Secure" communications systems that rely on a trusted central third party to vouch for keys are no more secure than allowing that same third-party to implement key escrow.

You want a cite for what? China now has a law requiring encryption keys on demand. What does that mean, what does it refer to? It could refer to the symmetric key (DEK) for disk encryption, and if so Microsoft already escrows that and Apple used to offer to do it. Does it refer to either the private key from these companies used for establishing TLS connections to their services? Or the private key generated on device for services using end to end encryption? I'd say the device private key is a huge freaking deal but still plausible they'd want that and get it upon request, more plausible than Apple, Google, whoever, saying no to China. The company's private key? I'd say no way they'd do that, they'd sooner use a cert issued by China for this purpose.

Google has been known to say no to China before. Going so far as to pull most of their operations out. Whether they will say no now remains to be seen. I'd wait to see what happens before assuming what is plausible here.

Well if I wait to see what happens, it's no longer necessary to assume, is it? These are for profit companies, and in theory they're amoral. So any sense of morality of giving up user keys on demand is very plausibly demoted in comparison to profits.

If profits from the rest of the world would increase for any company saying no to China, then companies might do so. But if it'll obviously cost them more, then they'll roll over.

Credit Suisse this year determined China has a bigger middle class than America, and it's growing faster. So I think Apple, Google, etc will roll over. If China actually thought these tech companies would say no, they wouldn't have actually enacted this law, they'd have continued to have conversations. The conversation is basically over.

It's silly to disregard a company's previous actions when determining what they might do. In theory Google may be amoral but in reality they have shown themselves to act morally in certain situations. Disregarding that historical data means your assumptions are poor.

Thanks for that!

Mods / admins can we get a more representative title here?

My wife, a current citizen of China, has a uniform response to these kinds of stories. "Well what do they expect!? If you do business in China, of course that's what you get. If they don't like it they can get out."

Her point being that no one should be surprised when an authoritarian government exerts its authority. Also, water is wet.

No offense, but it sounds like she's trying to justify authoritarianism by shifting the blame to its victims for not "getting out".

I read it somewhat differently. From my limited interaction with Chinese citizens as a resident of Singapore, many think more pragmatically.

"We do what it takes to get a billion people to first world middle class standard of living. Yes, there's a bit of collateral damage but you guys' industrial revolution was not all roses, read some Dickens. We can have the luxury of rights when we're there. You're telling me to eat cake since we ran out of bread."

In other words the majority of Chinese citizens (that I know - YMMV, selection bias, etc.) think that the government is doing an alright job considering its constraints, and don't feel particularly oppressed - the authoritarianism is population-sanctioned. Just like the new French anti-terrorism measures.

crdb: are you my separated-at-birth twin? I've been looking for you all my life.

These are my thoughts exactly, down to my favorite Dickensian analogy.

Everybody's favorite pastime, pointing fingers at China on everything from "freedoms" to the environment, is really more of a reflection on the commentators' astonishing lack of historical perspective.

There's no shortage of fifty-year-olds around China today (say, about a population of Sweden's worth) that will tell you how they were plucked out of the university and sent to work the fields for years during the Cultural Revolution, and point out the exact level -- somewhere between knee- and waist-deep in shit -- that the country was at prior to Deng Xiaoping. I'm sure anybody that witnessed the change from then to now would have a richer and more nuanced opinion on China's government.

> We can have the luxury of rights when we're there. You're telling me to eat cake since we ran out of bread

The majority of economists would disagree. More economic and political freedom would accelerate economic progress, not hold it back. Check out Why Nations Fail by Daron Acemoglu for an in depth discussion of this in relation to China.

The chicken-egg problem has been solved and nobody told me? my, my.

All I'm saying is that more freedom causes economic growth, which is not a controversial statement. I think you're saying that economic growth will lead to more freedom. I'm sure that's true to some degree, but there are counterexamples. The Soviet Union experienced dramatic economic growth, but freedom never improved, and eventually the economy stagnated, as will China's (I predict).

In any case, surely more freedom in China would not be a bad thing.

> All I'm saying is that more freedom causes economic growth

What about Russia in '90s?

Nope, she's describing the only reasonable way of operating under conditions you can't change.

So far as Chinese companies are concerned, the government has just standardized and formalized rules already in place. So far as foreign companies are concerned, they planned for this possibility and can now proceed accordingly. If there's any international company that doesn't have their Chinese infrastructure in a silo, their friends and loved ones should take away their keys RIGHT NOW because they're a danger for themselves.

This brings back memories -- back when they were making lots of money, RIM had a row with Indian government over the same issue. They did a little "we're outraged" dance and promptly forked over the keys -- they'd be idiots not to (and idiots with a lawsuit for breach of fiduciary duty on their hands).

This is also far better for the users, although a lot more work, than pulling out of the country entirely, as some companies have done in the past. The world is a complicated and hairy place, and you can either pretend otherwise or be a global company.

For instance, I suspect that it might be more than a coincidence that large telecom companies that have any presence in emerging markets tend not to have any presence in the US (someone had a bright idea to pass a law that gives US courts jurisdiction to punish companies with presence in the US for "engaging in corruption" abroad). I'd suspect everyone else goes out of their way to create a wide moat between the mother corp and their offspring (Nestle India comes to mind, which trades independently on NSE)

A friend of mine has a startup in China. He told me a year ago that the law already required his company to talk with government officials every month. They also needed to create a backdoor API according to a well-written specification for the government to access all the information in the database.

> well-written specification

That may very well be the defining difference between the Chinese and Western-governments.

"The United States is a nation of laws: badly written and randomly enforced." - Frank Zappa

I think "selectively enforced" is a better way to put it.

No, Frank Zappa had it best. Your words may be more accurate but his words are better.

The point he was making was right. It's not randomly enforced at all, it's enforced only when it pleases the government.

But the government is not a single actor with agency, from the outside it might as well be random. +1 Zappa.

Salutary neglect is as old as the colonies, boy.

Lawful interception (https://en.wikipedia.org/wiki/Lawful_interception): "Almost all countries have LI capability requirements and have implemented them using global LI requirements and standards developed by the European Telecommunications Standards Institute (ETSI)"

Lawful intercept does not provide encryption keys. The two are much different.

Just for the "well-written specification" by timguoqk: lawful interception also includes, "If the data are not obtained in real-time, the activity is referred to as access to retained data (RD)". By the way, according to the link cited by others (http://www.theverge.com/2015/12/27/10670346/china-passes-law...), "the new law does not require that companies operating in China hand over encryption keys". Why do all the guys just believe what they want to believe?

Well, HOPEFULLY, the western governments pushing for exactly the same thing might think twice now. Any breach in the Chinese system would also be beneficial in highlighting even more flaws in the concept.

They won't think twice, but I'm getting the popcorn to see the kind of PR acrobatics they think of around this.

Pushing? Lol, they've pushed it a long time ago https://en.wikipedia.org/wiki/Key_disclosure_law

From that page: "there is currently no law regarding key disclosure in the United States" (nor is there in plenty of other countries).

This is an area under very heavy active debate at the legal and political levels and that fact might change in a year. There have also been numerous cases where the lack of such law hasn't prevented agencies from requesting the decrypted data itself, in lieu of the keys. But it's not quite a done thing just yet. So if you oppose key disclosure, there are still plenty of chances to fight it at the political level in many countries.

Er, why would this give them pause?

If anything, the fact that China is doing it is evidence that we need to do it as well to maintain national security.

Sure most of us disagree with what "fucking_tragedy" is saying, he doesn't offer evidence, and it stems from a weak line of reasoning. But we shouldn't bury it just because we disagree with it.

Even though I side with encryption, I think it's worth at least exploring the other side's argument.

Does access to encryption give increased capability to China in such a way that it "profits" in matters of national security / finance / etc. Or will such a move ultimately "cost" China due to the side effects of weaker technological infrastructure, privacy, etc?

Will it be a detriment to the United States (assuming current government snooping laws remain the same)?

I think the answers to these, while they can be theorized and predicted, will best be fleshed out in due time, hopefully influencing US politicians to make the right decision.

I'm glad that you're arguing with that particular interpretation of my comment in good faith. It is refreshing to see.

However, what I meant to convey is this: despite the obvious problems with such a program, the government sees value in control and centralization of the country's secure communications. If we ignore the obvious problems with "We have all the keys" & "Secure communication" and look to recent initiatives and programs with similar contradictory goals, we've been told by politicians that they were implemented because everyone else is doing it and it's necessary for national security.

I see how nonsensical this is, but if a similar program is pushed, this is how it would be pitched to the public.

I read it more generously as:

> If anything, the fact that China is doing will be evidence that we'll need to do it as well to maintain national security.

Never attribute to stupidity that which is adequately explained by cynicism?


It's the reason given to the public for having given the reins of our communication and technology infrastructure to intelligence and security agencies.

There are obvious reasons why the government would want to implement such a program, many of them having little to do with national security. Based on previous propaganda that's been fed to us over the past few years, this is the likely conclusion to be drawn.

f-ing_tragedy, unless you are deliberately going for low karma you need to be a bit less subtle with your irony.

There is no irony here. We've beefed up our security state and when asked why, the reason has been 1) Everyone else is doing it 2) National security.

I don't agree with it.

No one outside of IT should have access to crypto keys for any reason. Dinosaur government institutions need to get with it or go away.

Now that I'm done with that this is a critical issue. Mass surveillance is one of the many issues of our time. Time to get to work and time to throw some money at this.

Crypto is too easy. Yes, too easy. It's too easy to make a single master key for a government to demand or someone to steal that unlocks everything.

In 1915 when a discovery subpoena goes out for all records relating to dumping dioxanes in a river, the company legitimately unlocks the filing cabinet and hands the files over. They don't get a key to the executive washroom or the telegram private code directory (unless that was in the subpoena) or the complete customer list or really pretty much anything but the paper files relating to dumping dioxanes in the river.

In 2015 when a discovery subpoena goes out for all records relating to dumping dioxanes in a river, the company freaks out because if they hand out "the" public key then both the .gov and any .com they're affiliated with and probably individual thieves will pown every VPN they ever had and ever will, and all their records of every sort so "oh no we can't hand over keys never to no one".

When you look at it from that point of view, the abject failure of IT and IT companies to properly handle encryption is by no means any reason for the judicial legal system to be inconvenienced. In 1915 no judge would have tolerated a response like "Well we can't give you the dioxane pollution paper files and telegrams because then criminals would pown our company because we're incompetent at IT"

The other part is sociological. You may hold that phone in your hand, but it's not yours, and using it is as dangerous as talking to a police officer or government official or hacker. It's not your phone, never has been, and any illusion to the contrary will result in tears. Ditto a site on the internet. Government protection of privacy assumes the privacy ever existed in the first place, which it doesn't.

The existence of "the" key is not an inherent problem in situations like this. Instead, it speaks to poor key management practices by the people responsible for implementing cryptography for an organization.

Consider, as an analogy, the (poor) practice of using shared passwords. What do you do when you fire someone who had legitimate access to this password? You have to change everything or risk a compromise of all the systems sharing this password. Hence, the need for tools like sudo that separate authentication (what password / auth key) and access control (what rights).

With encryption, it's similarly possible to break one big risk domain into lots of smaller ones using things like separate trust anchors (for authentication) or encryption keys (for access control). For example, if your org gets served a subpoena for your financial records you can give them your tape backups for the relevant time periods plus the necessary decryption key, but withhold the decryption key for the backups of your R&D data and the signing key for your VPN.
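
The key separation described in the comment above, as an added example that is not part of the thread or any commenter's code: each backup set gets its own key derived with HKDF from a master key, so a key handed over for one domain and period opens only that set. The `BackupVault` class, the domain and period names and the sample data are hypothetical, and the HMAC-based encrypt-then-MAC cipher is a standard-library stand-in for a real AEAD such as AES-GCM.

```python
"""Per-domain backup keys: a scoped disclosure opens one backup set only."""
import hashlib
import hmac
import os


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256 and the default all-zero salt."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def label(domain: str, period: str) -> bytes:
    """Length-prefixed derivation label so ("a", "bc") and ("ab", "c") differ."""
    parts = [b"backup-key-v1", domain.encode(), period.encode()]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here only as a stand-in cipher."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with separate encryption and MAC subkeys."""
    enc_key, mac_key = hkdf_sha256(key, b"enc"), hkdf_sha256(key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    if len(blob) < 48:
        return None
    enc_key, mac_key = hkdf_sha256(key, b"enc"), hkdf_sha256(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


class BackupVault:
    """Hypothetical backup store: one derived key per (domain, period)."""

    def __init__(self, master_key: bytes):
        self._master = master_key  # assumption: kept offline or in an HSM
        self.blobs = {}

    def _key(self, domain: str, period: str) -> bytes:
        return hkdf_sha256(self._master, label(domain, period))

    def write(self, domain: str, period: str, data: bytes) -> None:
        self.blobs[(domain, period)] = seal(self._key(domain, period), data)

    def disclose(self, domain: str, period: str) -> bytes:
        """The only key handed over for a request scoped to one domain and period."""
        return self._key(domain, period)


def demo() -> dict:
    """Constructed sample data: what the recipient of one disclosed key can read."""
    vault = BackupVault(os.urandom(32))
    vault.write("finance", "2015-Q3", b"ledger for Q3")
    vault.write("finance", "2015-Q4", b"ledger for Q4")
    vault.write("rnd", "2015-Q3", b"prototype design notes")
    handed_over = vault.disclose("finance", "2015-Q3")
    return {name: unseal(handed_over, blob) for name, blob in vault.blobs.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

Because HKDF is one-way, the disclosed key reveals neither the master key nor the sibling keys; only a holder of the master key can derive the others.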

It's China. It's not a free democratic country, it never has been, and it's not going to be any time soon.

Not that it's not worth working towards, but encryption is just a tiny corner of the problem there. Nothing that threatens the stability of the ruling party is going to be allowed.

People, there is a war. Are you willing to do your part?

Mhmm… nothing like a good old fashion "crypto c̶i̶r̶c̶u̶s̶ war"[0]:

"Kill metadata and other crypto-issue-overdone diversions.

Metadata and other crypto-workarounds resulted from the crypto wars of the 1990s which were bragged to be won rather than faked out.

The fake-out was orchestrated by some of the very same crypto warriors claiming to be against gov-controlled crypto.

A way to identify them is to note who rose to prominence and wealth in crypto com-edu-org. Still at it, ratcheting up the need for ever more crypto, acknowledging the workarounds but, but, but: Let's Encrypt, HTTPS-HTS everywhere, secure drops, freedom of the press and courage foundations, Snowden talks and tweets, FISC amicus curiae, POTUS and TLA advisories, industry lobbyists, dual hats riding the crypto gravy train and more likely, the subway out of sight.

The money and prestige to be gained by working all sides of the crypto phony war is, as Greenwald crows of Omidyar's $250M bribe, irresistible."

[0] https://cpunks.org/pipermail/cypherpunks/2015-December/01125...

So basically any device manufactured in China and sold abroad should be assumed to be rooted by the Chinese government?

And any company related to the Chinese government, which is basically all of them. So if you make tractors and use Chinese computers to make tractors, your Chinese competitor who makes tractors can be assumed to have full access to your computer systems, for all practical purposes.

[citation needed]

Not OP, but "capitalism" in China isn't like it is in the west. The government literally runs everything, and can demand literally anything they want from companies. If China's government wanted Lenovo to start making blow up dolls, that's exactly what they would do. China's government has absolute authority and total control. People like to compare the U.S government to China's, but these people are fedora wearing neckbeards who almost never leave their parents' basement. As someone who has lived in China for a brief stint, expecting any device built, designed and manufactured in China not to have some sort of back door is like expecting the U.S not to spy. At this stage in the game, it's understood and expected.

If they're requiring backdoors on technology imported into the country (source: http://www.theregister.co.uk/2015/03/05/obama_criticises_chi... ), why wouldn't they require them on their own technology that they build themselves? It doesn't make sense from a purely logical standpoint. Of course they're not going to come out and admit it, but we're also starting to see evidence of it:

Example 1: http://www.zdnet.com/article/former-pentagon-analyst-china-h...

Example 2: http://www.geek.com/chips/spy-agencies-shun-lenovo-finding-b...

Example 3: http://www.computerworld.com/article/2860742/chinese-android...

Is it really so hard to believe? Especially when the indirect evidence and logic is so overwhelming? I'm no tin-foil hat wearing conspiracy nut, but come on here... It's China.

>Not OP, but "capitalism" in China isn't like it is in the west. The government literally runs everything, and can demand literally anything they want from companies.

Well, in China the government controls the companies, in the west the companies control the government. Sort of the same end result, with the two being in bed with each other.

>Is it really so hard to believe? Especially when the indirect evidence and logic is so overwhelming?

Well, haven't seen anything "overwhelming" in the list. E.g. the Chinese government had Huawei and ZTE add backdoors to their stuff. But we know that Cisco has done the same in the west -- and the government asked other companies to do the same thing, pressuring Apple etc. So isn't "overwhelming" a kind of a double standard?

> Sort of the same end result, with the two being in bed with each other.

No, not really the same at all. When the companies have all the political power, they do what's best for their shareholders - their bottom line. Whatever helps them acquire more profit and revenue. Here, it's all about the money.

When the government controls the companies (As it is in China), the government does what's best for the people in power (the government). And that usually means doing whatever helps them hold onto or increase their power by way of strict authoritarian rules & laws, censorship and all the indirectly related things that go along with it.

Their goal is to keep the population under control because that means they get to stay in power. China's biggest fear is a revolution or an uprising which is why they're so strict when it comes to public demonstrations, censoring things like Tiananmen Square, and cracking brutally hard on rights activists and the leaders of these "change-bringers" (Source: http://world.time.com/2011/02/26/chinas-fear-of-a-jasmine-re...). The last and absolute worst thing that could happen to China is a revolution. They will commit atrocities like you can't even begin to imagine to keep that from happening.

In the west, you don't have to worry about that. Why? Because it's bad for business. Not good for profits and not good for revenue. The best environment for capitalism and for businesses to make the most amount of money is one of peace (Source: http://www.theguardian.com/politics/2003/jan/22/iraq.economy)

>No, not really the same at all. When the companies have all the political power, they do what's best for their shareholders - their bottom line. Whatever helps them acquire more profit and revenue. Here, it's all about the money. When the government controls the companies (As it is in China), the government does what's best for the people in power (the government).

And hopefully, in the latter case, the people. Because governments, even if not democratic (and I wouldn't call that 2-party/donations/gerrymandering system democratic either) have an interest in pleasing the population (e.g. out of fear of revolt etc). Whereas companies mostly in maximizing profit.

>The last and absolute worst thing that could happen to China is a revolution. They will commit atrocities like you can't even begin to imagine to keep that from happening.

Well, the absolute worst thing that could happen to China could actually BE a revolution. It's a huge ancient country, and it has always had its ways of government and its tradition of mandarins/confucianism etc.

Besides, places like Libya and Iraq, where "democracy was restored" are hardly success stories for toppling a stable system of power. China could well become a hell-hole, and have massacres that rival the ones in the "cultural revolution", EVEN if they manage to get rid of the ruling party easily -- the fight for the succeeding situation could make the US Civil War look like a Disney movie.

> expecting any device built, designed and manufactured in China not to have some sort of back door

But then, all laptops and tablets are manufactured in China, right? (even Dell outsources the parts to Chinese companies like Foxconn and sometimes, the assembling too). So, you mean to say each and every Dell laptop has some sort of back door?

> But then, all laptops and tablets are manufactured in China, right?

Nope, we're not (mostly) talking about devices that are just assembled there, but China's own brands (the ones that are designed in China). I'm sure companies like Samsung have strict controls in place to make sure China isn't messing with their products.

The bottom of this article suggests that the requirement to "hand over encryption keys" isn't present in the bill:


Write laws against the dissidence, but call it terrorism. Then you can argue that you are just trying to get the same level of access everybody else is asking for.

So US companies to be forced to put back doors into products that they sell in China. And the Chinese government DOESN'T think that the US government will also have those keys? It's like they're asking for the US to have full access to their sensitive data.

U.S. has asserted that subpoenas for data controlled by a U.S. company are valid, even if the data is stored exclusively out of the country. https://en.wikipedia.org/wiki/Microsoft_Corporation_v._Unite...

So I seriously doubt the Chinese government thinks the U.S. won't have the ability to get those keys. But these are device encryption keys used to encrypt data at rest on the device. This isn't a demand to escrow the private keys used for data in transit for email and messaging; I don't know how that works in China, i.e. the Great Firewall, if that just depends on blacklist/whitelist sites, or if all devices are required to use a Chinese government certificate for such communications.

It's all ok as long as they know we know they know we know.

Many countries require this


UK is a great example and a good place to not store any valuable data.

According to the original text, tech firms are only required to provide necessary technical support in decryption, not simply handing over the keys.


It'll be interesting to see what Apple do in this case, their having said that they would not build backdoors for their products -- but it's difficult to see them turn away from one of their largest markets.

I'm guessing they will make concessions for the sake of market, whereas Google, so far, has resisted that temptation.

Well, the thing about Apple's approach is that they can't hand over encryption keys if they don't have them.

Given that impasse, they might be motivated to re-architect their services for the Chinese market.

I think in the most "civilized" countries for a long time already it's that we (as whole communities) agree to the law (and the authority) either because we don't know about it or we believe that we personally (as individuals) will never have to actually follow it.

I wonder if we're far beyond the point when we could actually stop following the law if it becomes bad enough and it's already virtually 1984 but we just didn't really notice. Or if there's still some hope out there, somewhere.

I'm terribly interested in what kind of environment "if it becomes bad enough" specifically refers to, in your comment.

China: We passed the law. Everyone on earth knows we are controlling the internet. U.S.: We support freedom but due to national security, we can control the internet without passing the law. By the way, please help us to hunt Edward Joseph Snowden. He violates our definition of freedom and transparency. Thank you!

First, I can't see this actually working out the way they want especially with open source software designed to thwart detection from governments using amongst other things a form of encryption.

Second, I'm betting the US Government has enough sway to get special treatment for American companies.

> US Government has enough sway to get special treatment for American companies

I don't think they do in this case; this is why Google pulled out and Cisco collaborate with the surveillance.

Although, they do probably have enough sway to get all of China's keys. Perhaps not sway, perhaps just cracking.

Nice of China to create a central repo with everything one could want.

How would the US Government even have a leg to stand on here?

I'm sure there's a secret court somewhere that can make a decision. Of course we would never know.

I wonder if at some point in the future this will seem like a reasonable request for IS to make?

So how does it apply to e.g. keys to backups of Apple devices if the device was bought out of China and then used in China?

Will Apple have to start escrowing the root key for devices they sell in China?

It will be interesting to see whether they value their principles more than sales in the Chinese marketplace.

hahah good luck with that

It's time to reconsider our irrational (actually inherited) opposition to "security through obscurity" [ * ].

In times when big brother knows you're using AES and forcibly asks you for the keys, it makes sense to not advertise your encryption scheme at all. Steganography.

[ * ] It actually makes more sense to enlarge the search space of an attacker by not providing him the fixed form of a known encryption algorithm/scheme.

The formal name for the concept is Kerckhoffs's principle. And no, it is not time to reconsider it.

It has more to do with defining what the "key" is, and is quite compatible with steganography.

If your method is simply "cipher data", it can never have steganographic properties. If instead it's "two redundant-looking blobs, one random and one AES", then you've got a leg to stand on.

You are free to stand by your principles.

I'm arguing that "security through obscurity" is not equivalent with the "Kerckhoffs's principle" but with adding more obfuscation layers (on which steganography may be one of them) on top of default schemes.

People who know better don't advertise their internal network topology. Nor do they show off with their encryption schemes (they might use known schemes but they won't tell you they do it).

How those additional layers are defined is quite important as to their effectiveness - do they hold up to scrutiny, or are they merely good enough to trick their designer? Lumping effective crypto along with feel-good ad-hoc schemes into one big category of "obfuscation" is a disservice to analysis.

I'll repeat - Kerckhoffs's principle is more about analysis than design. If you insist on eschewing it, what you're actually doing is making it so the "key" of your system includes the design of the system itself. And while it intuitively seems "more key" should make the system more secure, the net effect is the opposite as that poorly-specified "key" merely functions as a difficult-to-analyze crutch.

Gödel basically guarantees that anybody can make a cryptosystem so secure they themselves cannot break it. Don't be that guy.

Security through obscurity is not steganography.

I've decided I am going to say "tank man" in every China thread so their censors will kill the page.

As horrible as many of the things the US has done in the name of its citizens (and on its citizens) one thing you'll never see happen here is internet censorship

(instead one-day some US agency will just record every page you've read, or maybe they will have the UK do it for them, so they are technically not spying on their own citizens)

>As horrible as many of the things the US has done in the name of its citizens (and on its citizens) one thing you'll never see happen here is internet censorship

You mean the same place that had the Hays code for movie censorship and that gave free rein to Senator McCarthy to prosecute its citizens' political ideals (and stop them from writing and making movies and plays influenced by them), and to E.J. Hoover to do surveillance, blackmail etc in an even larger scale?

Or the place where any crackpot teacher/parent association can get something like The Origin Of Species or A People's History of the United States out of a school's curriculum?

The main reason they don't do direct internet censorship is because nobody cares. There are so many sources, so many confused opinions, and so many conditioned citizens, that anything posted is just a drop in the ocean. They just need to control the "serious" or more mass appeal media, and that they do (from the NYT and WP to FOX).

When the press was really influential and the people were more radicalized (e.g. back in the days of unions or later with student protests etc), not only they did censorship and pressure on journalists as to what to write (plus "character assassinations" a la Hoover), but the government started directly manipulating and dictating what would be written to change public opinion (Operation Mockingbird).

> As horrible as many of the things the US has done in the name of its citizens (and on its citizens) one thing you'll never see happen here is internet censorship

Internet censorship happens in the US, though it's mostly in the form of government pressure on major internet companies to remove access to disfavored content rather than direct government censorship.

Hmm, it is disfavored or illegal content originating in the US?

Because I've seen US law enforcement take down US websites that were breaking US laws but I've never heard of law enforcement forcing US ISPs to block foreign content, even if it is breaking US law. I could be wrong though and I'd like to see an example in that case.

Maybe the government making YouTube or Facebook take down terrorist content, that would be censorship I guess if the content is not technically illegal but that's a pretty extreme example.

They've taken domain names, does that count as blocking?

When it is done because of content, and particularly to suppress content (as opposed to the domain owners' rights to particular content), there is a pretty good argument that it is a form of censorship.
