Hacker News new | past | comments | ask | show | jobs | submit login
Encryption, Privacy Are Larger Issues Than Fighting Terrorism (npr.org)
647 points by Osiris30 on Mar 15, 2016 | hide | past | web | favorite | 177 comments



> No, David. If I were in the job now, I would have simply told the FBI to call Fort Meade, the headquarters of the National Security Agency, and NSA would have solved this problem for them. They're not as interested in solving the problem as they are in getting a legal precedent.

That's quite the quote, especially given his history of employment.

The weirdest thing about this whole cell-phone saga to me is that the perps are dead, did not appear to be part of some organized group and that very little could be done to them that hasn't been done already based on evidence found on the phone.

Then there is the bit that a lot of the information that is on the phone is also already in the log files of the carriers. It's as if that phone somehow magically is going to yield an entirely new class of information that may not even exist in the first place.

To me it has been evident from day one that this is not about this phone or the data that's on it but just about the legal precedent, getting it in black-and-white from the former head of counter terrorism is quite an indictment of his successors.


And IIRC the phone in question is the perp's work phone, they also had personal phones which they destroyed, so the perps themselves knew phones could hold valuable data but saw no value in the the phone the FBI wants unlocked.


I think the FBI already acknowledged very early on that they didn't expect to find anything useful on the phone for these very reasons.


I imagine there's a Venn diagram of overlap between what a nutjob thinks is worth hiding and what would be of interest to law enforcement organisations. For example I doubt many of these extremists would both trying to hide information that could be used for psychological profiling of future attackers


The psychological profiling of future attackers has nothing to do with getting away with this push to access that particular phone. That's simply not even on the radar at this point, the FBI would be laughed out of any court they went to if they presented that as the reason why they want access. Their fig-leaf is that the phone may contain valuable information regarding this particular crime.


Criticising the example of psychological profiling doesn't address my actual point.


> the perps are dead, did not appear to be part of some organized group

A reasonable reason for inquiry here is to actually try to make sure if they were part of some organized group. "Appear not to be" is not quite enough.

This is a valid reason to investigate even if they are dead. How did they get radicalized, etc.

Not that it is a good enough reason to enforce breaking of encryption in the way proposed, but in a murder inquiry, privacy of the perps has to give way.


A reasonable reason for inquiry here is to actually try to make sure if they were part of some organized group. "Appear not to be" is not quite enough.

For a country that kills based on metadata[1], it seems quite far-fetched that they couldn't map out potentially interesting connections using just metadata.

Also, it would be pretty dumb to put any revealing data on a work phone with iCloud backups enabled (which is just not accessible due to the FBI's mistakes).

At any rate, this discussion is quite besides the point. Permitting this phone to be unlocked (or the hundred or so other phones mentioned) will open the floodgates for questionable regimes and a hunt for Apple's private key (more automation to handle requests will reduce security).

[1] http://www.nybooks.com/daily/2014/05/10/we-kill-people-based...


If this was really about the privacy of the perps; an NSL would've been enough and we'd never know about it. This is about setting precedent, and as publicly as possible.

If the feds get their way the entire idea of encryption is weakened, and not just for the lawful citizens. I suspect the reason for having this battle so publicly is propaganda based, just as it was with Zimmermann in the 90's.


Since you brought up NSL....

The legality of the NSL (which does not require oversight- the FBI can self-sign them) hinges on the idea that the persons on whom the information is being gathered have/had "no reasonable expectation" of privacy of the information.

That said, if these back doors were to be instituted, could the argument then be made that we now have "no reasonable expectation" of privacy of anything on our cell phones? Could this set a precedent of unholy proportions?


Absolutely, and as terrifying as that possibility is I personally think they didn't go the NSL route because Apple is big enough to finally prove or disprove the constitutionality of NSL's; even bring the process to mainstream attention. That's something the DOJ would never want to see happen, because then everyone can come out of the shadows and tell their story.


From other intel they know that he did not use his work phone much and saw no need to destroy it. He did destroy his private phone, so I think its quite clear that their is nothing on that phone.

I think its reasonable for the FBI to want to access it, but lets not have any illusions, the change that their is any evidence on the phone is basically 0%.


> "Appear not to be" is not quite enough.

It has to be, because there is no perfect. Everything is a numbers game between ever-more unlikely hypothetical evidence that might yield a valuable unknown, and the cost of collecting it.

By such completist thinking, we should examine every image and video in the world because they might show up in the background of a birthday party video or vacation selfie, giving us another clue. Similarly, we should interview everyone in cities they've been known to be in...

But in reality, unlike in a game or a movie, there is no 100% complete. The phone isn't one of a finite list of clues to examine whereby you will know everything you need to know. By fixating on the phone, or any few issues, you miss the larger point.

There's very little likelihood of learning anything of value here, and are far richer leads elsewhere.

This is just our security industry grandstanding for more money.


There is no perfect, but I think that by ordinary police standards in any developed country, not trying to investigate this kind of perp's phones would be too imperfect. It would be sloppy police work and any police officer deciding not to try to inspect the phone would be vulnerable to accusations of misconduct.

That doesn't mean that I agree that Apple should be forced to break the encryption. It means the police really have a duty to investigate.


I'm not saying they shouldn't be interested... What if, instead of simply being locked, the phone was eaten by a pelican that flew out over the ocean and died. Gone. Should we dredge the ocean to find the phone? It's a duty to do so, right?

The FBI have tried, and failed. How much more should they dredge before we stop harping on about this one piece of potential evidence?

In this case they have the phone physically in hand so they feel blocked and powerless, but from a cost-benefit point of view it might as well be at the bottom of the ocean.

Doesn't their duty compel them to investigate the most-likely to payout leads, not play political games over high-profile issues?


Alas, FBI's chances of breaking the encryption here (with support conscripted from Apple) are far higher than finding that pelican. By many orders of magnitude.


Their chance of beating a confession out of someone is pretty high too.

And when you consider the chance of there being worthwhile, actionable, data months later after their failures, finding the pelican is the safe part of the bet.


"Appear not to be" is often enough. The government is required to have probable cause to conduct a search.


I think it's all an act to make people think apple phones are more secure than they actually are.


From comments around the case, the government operates like any other black hat.

Which is to say they absolutely have vulnerabilities that work against certain versions of iOS, but probably not others. And the NSA likely has more than a few zero days, simply because it's a far cheaper way for them to do their job than any alternatives.

Just like with any piece of software, there is no "secret vulnerability that works all the time forever": it's discover, exploit, patch, repeat.

(Which, incidentally, is also the argument against key escrow schemes. Whereas it would be discover, exploit all devices that implement the key escrow code, wait until the government develops a new patch, wait until all device manufacturers incorporate the patch... repeat.)


It's worth listening to the audio to hear how surprised David is with this blunt charge. Clearly unexpected.

Also: parallel construction (i.e.: the NSA doesn't want to reveal it has already done this)


No the weirdest thing is that Apple is standing up to the government. Isn't that just wrong? You, the people choose the government, so in effect Apple is standing up to the people of America and saying 'no'. If you the people didn't want the FBI to be bullish then choose a different government.

It feels to me (an outsider) that it's the government that is out of control and is not accountable to the people.


It seems like the country is 50-50 divided on this. But more importantly, individual liberty is more important than majority rule. When the founding fathers created this country, they cared deeply about individual liberty, and worried about a tyranny of the majority. Even if a super-majority wants to deprive an individual or a minority group of its rights, they should not be allowed to.

A free country's first commitment is to personal liberty, and only secondly to democracy.


"A free country's first commitment is to personal liberty"

Excellent.


by definition a democracy is a tyranny of majority.... i think you mean secondary to the republic


No, it's to the Republic to make sure the ideals of true democracy take a secondary place to individual liberty for the very reason that true democracy can be tyrannical. That's why the Republic comes before the democracy.


"50/50 divided" means "nobody knows"


That's the one-testicle, one-breast, average-person fallacy.

There's more than one issue concurrently, and many people are actually dumb and wrong.


Wish I could upvote this twice.


No. That's what a republic is: the government is not above law, and it is possible to push back against it.

Let me quote this piece of an anarchist pamphlet: "Governments are instituted among Men, deriving their just powers from the consent of the governed" - this means, amongst other things, that the governed do have the option to say "this is not okay anymore, stop."

What you seem to be saying is "you have a right to choose, once, and then just shut up and deal with it, the govt can do anything it wishes in the meantime." You're describing a dictatorship - "the State is always Right, by definition".


"The people" do not have a unified will. There's always a pro-totalitarian faction in any society, and they tend to come to the front at times of percieved instability and threat. Part of the problem is that a significant fraction of voters support violence being used against people with unpopular opinions, minority religions, different skin colours, etc.


Apple is in many countries, with governments who'd all like this kind of access. If you give FBI the tools, you also have to accept Russia, China and the whole gang having access to your phone.


Well that is up to Apple, they don't have to make one phone. They could make a US version and a rest of the world version.


And then build that fence all along the border so that no world-version phones get in (see how well it worked for other illegal imports). Plus, you haven't solved the problem at all: you just say "okay, let's make only US phones vulnerable to foreign hacking." Should I enumerate why that's a bad thing?


And if the FBI wanted to open a rest of the world version? Or another government wanted to open a US version?


> Or another government wanted to open a US version?

There's a good point. And who knows what limits they'd go to, to force Apple's hand? (Kidnapping, etc.)

Apple is really only safe if they actually can't break their own encryption. Anything less makes them a target.


The U.S. government is responsive to the people. But there's a lot of lag--decades in some cases.

The government is empowered to take action on behalf of the public. If it does something that people like, then great--keep doing it. If it does something that the public doesn't like, then there are multiple ways for the public to change how the government works.

What's happening right now is actually how it is supposed to work. Innovation results in new technology, the government tries what it thinks is best, and then there's a huge national public conversation about it.

This is the 2nd time we've had this particular conversation; the first was in the 1990s. And we'll keep on having it, basically forever. That's how government by the people works.


> You, the people choose the government

From among two choices, already bought by special interests, and already so habituated to our intelligence and law enforcement communities that they have zero scepticism about these kinds of travesties.


Its not 'the government' that is doing anything, its the FBI wanting to open one specific phone based on a legal construct that does not apply. Any person has the right to challange a legal order.

The founders and many other people have worked hard to creat a system that protects the people from government action. For this reason they implented and evolved a legal system.


>You, the people choose the government

We do not. Simple as that.


Before you comment, please consider whether you'd prefer to vent your frustration in online message boards with like-minded people, or spend that potential energy in other ways:

"What you can do about it:

-- You can contact the Obama White House online to comment on strong encryption.

https://www.whitehouse.gov/webform/share-your-thoughts-onstr...

-- You can contact your state Senators and Representatives via the contact information supplied by ContactingTheCongress.org.

http://www.contactingthecongress.org/

-- You can specifically contact Senators Richard Burr (R-NC) and Dianne Feinstein (D-CA) to express concerns about their bill intended to force companies to weaken or work around encryption under court orders.

http://www.contactingthecongress.org/cgi-bin/newseek.cgi?sit...

http://www.contactingthecongress.org/cgi-bin/newseek.cgi?sit...

http://appleinsider.com/articles/16/03/09/proposed-senate-bi...

Express yourself with the honesty and clarity that the government's charm offensive is lacking."

http://appleinsider.com/articles/16/03/14/take-a-stand-again...


A few more resources along the same lines:

* Tracking Congressional bills, Congressional representatives and voting history:

https://www.govtrack.us/

* General resource on local, state and federal elections:

https://ballotpedia.org

* Data on lobbying and political contributions:

https://www.opensecrets.org/

* Voting history, policy positions and public statement transcripts of politicians and political organizations:

http://votesmart.org/


"Strong encryption is a cornerstone of freedom of the press, privacy, health care, banking, and commerce to name a few only a few of our national interests. Any erosion to this bedrock of modern society harms us all. Once back doors exist they cannot be kept secret. To quote a common adage, "security by obscurity is not security". Similarly, outlawing strong crypto technology only keeps it out of the hands of law abiding American citizens and companies. Since encryption is based on mathematical concepts that once understood can be somewhat trivially implemented in code, it is impossible to put back in pandora's box. The US government cannot stop foreign nationals from writing crypto software or publishing math papers. Harming cryptography in the name of security would simply serve undermine our own economic and civil interests, while doing nothing to stop "terror.""


And what about the rest of the world? Can we do anything other than just trusting the US citizens to get their government to do the right thing?


Make your own country less corrupt, more free, and better for the economically-worst-off, so that your own entrepreneurs may eventually overtake the authoritarian superpowers?


Make your own country independent of deep-state interlocking intelligence services. Part of the problem is that the US will set the tone for dozens of countries where it has cultivated linkages that often override the will of the people.

I'm looking at you, Sweden.


>and better for the economically-worst-off,

Not that I disagree with this, but how is this supposed to help entrepreneurs? If anything, it will just increase the tax burden of running a business.


If you do stuff like building infrastructure, creating efficient health care systems (because you can do stuff for all the people lowering the price and having a bigger positive effect on overall health) you actually make it better for startups, cause they can use the infrastructure, need to pay lower wages (because health care and infrastructure are cheaper/taken care of).

If you use tax money on education you also have a positive effect for both startups and poor people.

You also even out the divide between new and and established companies, established companies having non innovative advantages, such as brand names, maybe their own "infrastructure". So you even get rid of companies that try to keep status quo and have innovation stall.

The sad thing is that currently some governments/parties/politicians create inhuman, even counter productive productive competition between humans while at the same time have companies be cartels and monopolies and more importantly create counter productive anti-competition laws such as intellectual property, to a degree really awful patent systems, brand protection stuff, etc.

It's kind of destructive in regards of innovation and progress.


All good points. Thanks for the well-reasoned response.


Or lower the barrier to entry to the marketplace for economically disadvantaged people with their own ideas and talents....


You're not going to be a very successful entrepreneur if your customers are broke.


You can't create wealth out of thin air. The government can't make people un-broke without someone else paying for it. Either you're losing money to taxes or some of your customer base is losing to taxes. Either way, no benefit (unless your company targets the poor in particular).


You can create wealth out of thin air. The economy is not a zero sum game.


Ok, that's fair, there are several mechanisms (increased resource extraction, new tech, etc.) that can create wealth. However, taking money from one group and giving it to another does not create wealth. There is also an administrative overhead associated with such mechanisms, which could have been put towards more productive activities.


I'm wondering how myopia is going to help anything, including running a business.

EDIT:

I find it somewhat irritating that this needs to be stated, but helping the economically disadvantaged doesn't mean just raising taxes and giving everyone a welfare check. The narrative has been so well framed.

It could (and should IMO) mean creating a more just economic system while providing a real safety net. Ultimately, this would involve people being educated and able to obtain jobs that pay a decent wage.

There's some tax money involved in that, but I don't think we necessarily need to _raise_ taxes. Perhaps we just need to reallocate a bit from the war chest.


Your response was neither useful nor insightful.

>It could (and should IMO) mean creating a more just economic system

What exactly does this mean? Don't just give me platitudes about better education.


decreases the risk of failure and makes it less important who your parents were.


paying for a stable and educated society increases the size of the talent pool you can draw from.


You can donate to the EFF or support open source encryption technology like Signal and GPG.


I feel like that White House petition is a honeypot.


This thread is a honeypot. Also buying any iPhone made after 2015.


are you being sarcastic? otherwise can you elaborate?




>PRESIDENT BARACK OBAMA: If, technologically, it is possible to make an impenetrable device or system where the encryption is so strong that there's no key - there's no door at all - then how do we apprehend the child pornographer? How do we solve or disrupt a terrorist plot?

It's so disappointing to me to hear a quote like that from the President.


Turn it around: when all communications are compromised to the FBI, how can anyone do any politics that is considered the slightest bit fringe?

Always remember that the FBI was against the civil rights movement and MLK. And consider that one of the leading presidential candidates is getting into the habit of inciting violence: http://talkingpointsmemo.com/edblog/the-rage-and-the-derp--2


Government/police types trend heavily Republican, though.

I assume many of them are voting for Trump.


Actually, either far left or far right lean control freak.

Hitler and his Fascist ally, Mussolini, were both far-right contol freaks. Josef Stalin and his predecessors were far left control freaks.

People in power like control, contrary to what they might say. Power corrupts, absolute power corrupts absolutely. People want to be elected because of their egos. Full stop. There is no other reason. No one does it because "they love America". They want to latch onto the gravy train and collect a check all the while dictating terms and or furthering an agenda. It's patently obvious to all.


I think the axes that the political compass (authoritarian-libertarian and economic left/economic right has are, while imperfect, a better way to think about it.


I feel the need to correct that mistake every time I see it: Hitler and Mussolini were both far-left.

This is not a coincidence that Hitler's political party (NSDAP) was called National Socialists. Hitler himself was the fan of Karl Marx.

It is worth remembering that effectively ALL totalitarian systems of 20th century were leftist.



Government workers are almost always left. The left is very sympathetic to government workers, unions, ect. Its in their best interest to be left.


To that statement I'd immediately ask, "what did we do before there were smartphones? Did we not investigate crimes? Can't we do that now?"

Criminals have always tried to hide their activities and keep secrets. Sure with strong encryption maybe some information is hard to search, but that was always the case. (Did they ever find Jimmy Hoffa's body?)

I mostly agree with the idea that we have a lot more to lose by inserting backdoors than we would ever gain.


The moment you mention "child pornography" as justification I consider that you have lost the argument.

This is simply Godwin's Law for the modern era.


It's also a horribly counter-productive argument. This is obviously a politically charged subject, but let's try to be rational for a moment.

It seems likely that by far the most prolific creators of child pornography today are... children. What today's parent and grandparent generations used to do in relative privacy behind the metaphorical bike shed, surely today's teenagers are doing with their phones and laptops, perhaps unaware of how insecure and non-private their communications might be.

There are all sorts of difficult ethical questions about how that kind of behaviour should in itself be treated in law, but let's ignore those for now. In any case, if kids are carrying around that kind of material or sending it to each other, surely the best way to protect them is to make sure it stays as private as it should be? That means making everything as secure and safely encrypted as possible. Arguing for weaknesses in encryption or creating backdoor vulnerabilities has exactly the opposite effect.


While I agree that privacy and secure communications are the best means to protect kids in the first world, there are still enough horrible people in the world who rape children and take pictures, as well, there is child sex trafficking. We shouldn't forget that these things exist and reduce child porn to snapchat and selfies.


The availability of strong encryption does not enable or disable child rape or human trafficking. This will happen behind traditional closed doors and guarded with guns and/or money unless other aspects of society and human nature change.


We shouldn't forget that these things exist and reduce child porn to snapchat and selfies.

No, of course we shouldn't. There really are bad people in the world, and some of them really do do very evil things, and there really are good reasons to have police and security services, and they really do need reasonable powers to enable them to do their jobs and deal with the bad people.

But what we should do is keep these things in perspective and ideally set public policy based on evidence and rational arguments. Creating security loopholes that might help the authorities to find and stop a small number of genuinely evil people but might also create millions of new vulnerabilities to be targeted by other evil people (or even the same ones) isn't necessarily a good trade-off.


> there are still enough horrible people in the world who [emotion instead of substance]

What's the evidence that we need [abusive bill of the day] to fix that?

Why do we think the potential harm averted is greater than the harm we know comes from overreaching laws and abusive governments?

Human trafficking at all, sex or otherwise, is horrible, common, and relatively easily stopped without new laws - at least for the victims of the moment - so go spend time and effort helping rather than beating the panic drum as you are now.


I think you're reading a little more into my comment than was there. I didn't agree with what the parent comment said about child porn. I'm very much in favor of secure communication channels and privacy.


Lovejoy's Law - "would somebody please think of the children"


Why is that?

If certain tales of the dark net are to be believed, it has enabled an unprecedented level of communication between abusers of children. Seems like an obvious "con" of widely-available secure communication.

If you believe the "pros" outweigh it, say so, but don't pretend it isn't relevant.


Because it is an argument that people fall back on when rational arguments are failing.

In addition, the "child pornography" that people want to use as justification is REALLY RARE. The biggest kiddie porn bust in the history of the US was Operation Delego which had 600 members worldwide. Most of whom were busted with good, old fashioned police work.

Now, let's talk about the common "child pornography"--Suzie has naked selfies on her phone. Do you really think that Johnny won't go to a dodgy Chinese site to get the iPhone crack to let him see those?

Relevant Dilbert: http://dilbert.com/strip/1996-01-24


Because the story is essentially a lie. The numbers, and the financial complicity, and the crypto-capabilities. There's no pedo-mafia.

Also that and there are so many more successful ways to catch molestation that we aren't taking.

It's not that molestation and exploitation isn't bad, but when you see someone ranting about it you can be pretty sure they're just doing it to push a political goal. It's an obvious call for censorship and more agency funding.

If the list of relevant things could only be five-thousand items long, this wouldn't even be on it.

And then we get to the cons, many of which are potentially Orwellian.


Because it's usually used to emotionally manipulate people.

https://en.wikipedia.org/wiki/Think_of_the_children


In a society where most followed your approach, would there be any point in child pornography even being illegal?


The creation of it certainly remains illegal, and its existence is a violation of individuals right to privacy (these images are never taken with consent, because the victims cannot consent). In the same way you could consider it a violation of your privacy for someone you do not want there taking your picture in private, child porn violates the same principle.

So child porn can be perfectly illegal without having an explicit law saying "Child Porn is illegal". Its creation violates so many fundamentals and its distribution violates a subset of those.

But the reason for the illegality is as important as the legality in the first place. Some of the most horrible nations commit acts we deem moral in consequence but often do them for still vile reasons (ie, you don't execute the mafia boss for rampant murder and robbery, but because hes threatening your own power).


Its fine though, because if you make something illegal then criminals won't use it.


The thing is: if encryption is illegal and you encrypt your illegal material so law enforcement can't convict you for it, they can still convict you for using encryption.


Which is such a great idea, because proper encryption is undistinguishable from random data: so, if you have a drive, any drive, good luck convincing anyone that it does not contain any encrypted content, and that whatever is in the empty sectors is just garbage. Guilty until proven innocent.


Enjoy your entropy while it lasts.[1]

[1] https://www.google.com.br/search?q=appelbaum+right+to+be+ent...


This is not even about deniable encryption (which is apparently a part of the threat model?): this is a nightstick to beat anybody who's inconvenient in any minor way. "Prove to me that your song collection contains no secret message, else you're guilty." There's no way to do that! For anything I could come up with, the universal response "well maybe it's hidden even better" holds.

In other words, introducing "guilty until proven otherwise" introduces witch-trials pretty much by definition: if she floats, she's a witch (so far, so good; yay it works); if she drowns (or dies in notprisonnosirnotatall after years of not confessing nonexistent secrets), she was innocent. Of course, there is absolutely no way this might be abused, and certainly not for personal vengeance.

Welcome to Salem, MA.


So, get rid of all laws?


Imagine if he had said "If it is possible to make an impenetrable safebox so strong that there's no key - there's no door at all - then how do we apprehend the money or gold inside it? How do we save the economy?"

That is the next frontier. A backdoor into your bank account. There is already precedent inside and outside the US.


The irony here is that we are arguing about encryption options being included (not enabled) by default. Any criminal with half a brain will be able to find a wide selection of free 3rd party encryption tools. Undermining default encryption mostly just weakens the security of average, every day, law abiding citizens.


What if the terrorist or pedo has things in his mind, that means all people's minds should be monitored at all times... Otherwise there is a chance that they might think thoughts to do evil things and then they might carry them out. I uhh want to emphasize that we should think of the uhh children.


To answer his question, we don't. I am so sick of them using this as a justification for stripping away all rights that I'm ready to apply first amendment protections to all digital data to stop this Trojan horse.

Yes, there are bad people doing bad things. But we are enabling much worse people to do much worse things trying to stop the bad people (also, if you make it so the low handing fruit of people who only possess digital data can no longer be used to score political points and to give the appearance of helping, it could force law enforcement to dedicate even more resources to the producers, thus being a win for both freedom and for the innocents needing protection).


Disappointing with regards to the rest of his track records? re: Guantanamo, reining in Wall Street, cracking down on whistleblowers, widespread use of drones to perform extra-judicial assassination?

If after 8 years you still think Obama is the Nobel peace prize wielding progressive philanthropist you've been fooled into thinking he is, joke's on you tbh.


While I agree with you, I also think this isn't the appropriate place for that discussion. I imagine that explains the downvotes you're getting.


Parent comment expresses incredulity at Obama's comment on the topic being discussed in the thread.

I point out said comment is perfectly in line with the policies implemented by Obama and his administration during his two terms and OP's incredulity is unwarranted.

Not sure how that's OT or inappropriate but furry muff, HN works in mysterious ways.


You would be better off having picked examples that are closer to the topic at hand.

Such as the fact that he voted for retroactive telecom immunity as a senator, supported increases in NSA surveillance as a President, and certainly signed off on the extraordinary measures taken to try and apprehend Snowden.

His stance on surveillance is clear. He has strongly supported it since 2008. (Before he was the Democratic nominee he spoke out against it.)


Fuck HN Moderation. HN mods support government fascists, and absolutely accept the statui quo, will bury Snowden news, and allow government shills to post. Fuck HN mods.


So how DO you disrupt criminal plots, then? Do you allow people to conspire to commit crimes?

You're going to find, that once you think it through, that you'll end up limiting the rights and freedoms of individuals... there's no getting around that.

Life sucks that way. People were never their own little countries. I just feel sorry for the middle-class suckers that thought they had freedom. Poor guys - they never figured out they were the tools of the wealthy and powerful telling them they had freedom, in order to make them work harder against the lower-class.


> So how DO you disrupt criminal plots, then? Do you allow people to conspire to commit crimes?

Suppose they meet in person to conspire. Would you suggest having every citizen carry un-blockeable microphones just in case?

This is not a "my freedom to swing my fist ends where your nose begins" kinda issue, this is "are we willing to build a police state if it reduced the risk of certain crimes by X%? Even at the cost of creating entry points into all of our communications that can be exploited by unauthorized and misauthorized actors alike..." issue. The ability to retrieve past conversations about conspiracies is a new capability here, not the ability to keep past private conversations secret (that was never as hard in pre-internet/pre-electronic times).

The interviewer in the article says:

"GREENE: But can you just explain why you would compare, you know, a company helping the government design a way to unlock an iPhone to something extreme as torture and ankle bracelets? I mean, that sounds like a very extreme jump."

But actually, an ankle bracelet that reports your location and audio might actually be less invasive of your private conversations in today's world that reporting the contents of your phone.


>But actually, an ankle bracelet that reports your location and audio might actually be less invasive of your private conversations in today's world that reporting the contents of your phone.

Not at all. I have the choice to carry / use a phone.


Today you do. This may not be the case in the future.

We have no idea what the political and technical landscapes will look like in 5, 15, or 25 years. It is not inconceivable that your governmental identification "card" will morph from the plastic of today into an embedded device in the phones of tomorrow.


In an argument about a literal "backdoor" - an entry in every person's house - you could also argue that people choose to live in houses instead of under the stars.


You suspect someone of a crime, get a little evidence, get a warrant, then surveil them. If they are using some difficult to monitor communication method you have to get creative. There's good reasons the system developed to be that way.

People TALK about killing far more than ever seriosuly think about or have the personality to actually do. Bad humour, frustration at work or with partner, or even how to make a bomb or commit a terrorist act (oh al quaida are stupid because, it would make more sense to do x, y then z) can all be topics of conversation amongst law abiding people after a few beers.

So are we happy to move the bar to innocent until silly enough to have discussed robbing a bank? Innocent until found to have mentioned the current taboo issue? Plenty of people have found out the hard way that the TSA, Twitter and airports aren't a great mix for jokes.

I say again, there's good reasons the system sought the evidence first, not retrospective police fishing expeditions.

"It is better that ten guilty persons escape than that one innocent suffer". Sir William Blackstone 1765.

I see nothing in the new technologies to fault or change those priciples. The only thing that has changed is scale.


> You suspect someone of a crime, get a little evidence, get a warrant, then surveil them.

Everything the Obama administration has proposed includes all of the above.

For some reason, the libertarians like to ignore the fact that this would all be done under a court order.


That's the thing though: the government has been snooping without a court order for a while. Now they are saying "Oh, no, we'd totally only do this with a warrant or court order. Trust us!"

Why should we believe them?


> Do you allow people to conspire to commit crimes?

What's wrong with conspiring to commit crimes? Also, I would imagine that the US First Ammendment explicitly (if I understand Brandenburg v. Ohio correctly) protects such speech, as long as it doesn't result in "imminent lawless action". So it's OK to conspire to commit crimes, as long as you don't actually commit them.

Edit: Reading Wikipedia [1], it looks that mere conspiracy is not enough for a conviction, but an "act in furtherance to committing the crime" is necessary.

[1] https://en.wikipedia.org/wiki/Conspiracy_%28criminal%29#Unit...


Do you allow people to conspire to commit crimes?

Yes, that's exactly what you do. I would much rather we let a few (more) crimes get through here and there. Weakening privacy for everyone isn't worth it.


You'll find the people value security more than privacy. This is why conspiracy to commit crime is already illegal.

That's just how society is.

Your choice on whether you want to live with the rest of society or not.


Polls show more support for Apple's position than for the FBI's, so I'm not sure your argument regarding the position of society is very convincing: http://www.reuters.com/article/us-apple-encryption-poll-idUS...

Just making conspiracy illegal doesn't mean you don't value privacy; it depends on what means are permissible to obtain evidence for the conspiracy.


If you believe in the concept of natural rights, then it doesn't matter what polls show. Privacy is a fundamental human right, and neither government nor mob has any authority to impinge upon that right.


You can justify anything with "natural rights".


false dichotomy.

The reality is that security is also suffering when you weaken encryption. Do you want people to be able to track your children? Do you want criminals to know when you are home? Do you want stackers reading messages of their victims? Do you want rapist to know where you and your friends go camping?

These are just things outside the problem that their is a multibillion doller industry depending on encryption in the internet.


dead wrong. The majority of people do as you say, but the majority don't understand the balance. Security means protecting a few targets. Privacy means protecting the freedom of every single person.

With that kind of reasoning, you'll favor research for medicine against rare 100% lethal diseases instead of 20%-lethal cancer...


So how DO you disrupt criminal plots, then? Do you allow people to conspire to commit crimes?

Yeah

You're going to find, that once you think it through, that you'll end up limiting the rights and freedoms of individuals... there's no getting around that.

No, because in free societies you shouldn't have absolute security.

Life sucks that way. People aren't their own little countries.

Is this where you rip on Libertarians again and talk about "your army".


How to prevent crime, and what works? There is a long history behind that question, and even longer history of attempted strategies. Studies has asked why different nations has different crime rate, why it can change from decade to decade, or between cities in the same nation.

From that, there is also meta studies/books that has asked what the studies has shown. To take an example, the book freakonomics pointed out that out of all the crime reducing strategies, abortion laws has shown to be one of the best method. Unwanted children tend to have higher risk of being born with low social and economic status, which is then a strong predictor for crime. None of the other strategies that were looked on had any major effect on crime rate.

Then we have surveillance. Government studies has shown CCTV is effective to reduce vehicle crimes, but no evidence is found that it prevent violent crime. One study concluded that better illumination could be a cheap way of cutting illegal activity to the same degree as CCTVs.

Surveillance in stores and bank has shown a very unexpected result. It has proven useless in preventing robberies, and shoplifters are generally not bothered by them. However, studies has shown that employees accounts for 43% loss of revenue from shoplifting and that is reduced by surveilling. Banks was also one of the early adapters who noticed this.

Then we have studies such as the last month from Harvard, which said that the available information that police investigators has when investigate crime is increasing at a very fast rate. "The trajectory of technological development points to a future abundant in unencrypted data," the study said. Comparing today with the days before encryption, and today is much easier time for a police investigator.


How do the extreme majority of our citizens protect themselves from hackers and identity thieves if they can't have reliable private key encryption? It seems like you are focusing on solving a small segment of "criminal plots" by exposing many more of us to other "criminal plots".


The larger issue, by far, is whether we are a free people.

From the article:

  CLARKE: No, the point I'm trying to make is there are 
  limits. And what this is is a case where the federal 
  government, using a 1789 law, is trying to compel speech. 
  And courts have ruled in the past, appropriately, that 
  the government cannot compel speech. What the FBI and the 
  Justice Department are trying to do is to make code 
  writers at Apple - to make them write code that they do 
  not want to write that will make their systems less 
  secure.
If the FBI gets its way in this case, forcing Apple employees to perform a service for the government, then it sets the precedent for the government to compel anyone to do anything the government wants. When you are forced to work for someone against your will, this is called slavery.

Of course the FBI used a terrorist attack to try and get what it's always wanted, and it will abuse the unlock power in the future if it gets it now, but judges could easily cite this case as a defense for the government to compel other action from the people.

Clarke makes it sound like there is court precedent against this compulsion, but that would be overturned if the FBI wins.

Indeed, encryption and privacy are very important, but our very liberty is more important.


This is way overblown. Yes, the government should not be able compel Apple to build back doors, but this isn't some kind of new precedent about compulsion. There are plenty of industries where the cost of doing business includes creating something to satisfy a regulatory requirement.


I believe that it is indeed a new precident about compulsion. If say, I want to make airplane parts I need to satisfy regulatory requirements. I know those requirements in advance, and can decide if I want to be a parts manufacturer or not. Lets say I instead decide to make drone parts for hobbyists because there's less regulation. Should the government be able to compel me to obtain an AS9100 cert so that they can bolt some of my hobby parts on a DHS operated drone? I would call that slavery. The FBI is attempting to compel Apple to do work that they never anticipated in order to comply with laws that do not yet exist.


It seems clear to me that if all the money we spent on fighting terrorism since 9/11 were instead spent on, say, reducing traffic fatalities, it would have saved a lot more people.


We are veering off topic here, but I agree with your perspective.

"The US spends more than $500 million per victim on anti-terrorism efforts. However, cancer research spending is only $10,000 per victim."

http://thinkbynumbers.org/government-spending/anti-terrorism...


Well, it's all of a piece -- the prominence and attention terrorism and preventing it are given over all sorts of issues varied and sundry is completely disproportionate, whether that's shredding the Bill of Rights or lighting piles of money on fire to appease the terror gods.


That's so clear and so mathematically obvious, +100 karma point for you !

That's basic risk analysis


I mean, it's "clear and obvious" to me, but since it's a major issue every campaign season and the risks presented by our old and crumbling infrastructure, global warming, and other menaces that don't make gruesome cell phone videos is not most people don't seem to have noticed.


100% agree... My old age tells me that politics are a necessary evil...


Except that the comparison isn't:

320,000 people dead due to traffic fatalities over 10 years.

  vs
350 people dead in terrorism over 10 years

It's:

320,000 people dead due to traffic fatalities over 10 years causing little political fallout.

  vs
350 people dead in terrorism over 10 years plus a lot of political fallout for each event.

Bluntly, to shift the risk argument we'd either need to take politicans out of the decision making and give it to some independent fact-based body, or get the media and people in general far more riled up about car crashes.


It seems to me that you are simply reiterating the original argument.


I know right? It's almost as if the purpose of this whole farce wasn't actually to save lives and to protect our freedoms (for which they hate us). Wow, who'd have guessed...


I think Apple and all other tech companies that support it move as the FBI (or whoever controls the FBI) expected or wanted.

What was revealed a few years ago was the fact that big tech companies betrayed people's trust. So quite naturally they should attempt to regain that trust. Because if majority of people stop trusting tech companies and start using end-to-end encryption, use of encryption stops working as a signifier that indicates a higher likelihood that the user's doing something wrong. Thus it's crucial to keep ordinary people away from using encryption. In order to achieve this, it's important to make people trust big tech companies again.

In my opinion, this is what the writer of the plot of the dispute between the FBI and Apple thinks.


"You dont need a gun"

"You don't need encryption"

It's not the bill of needs. I was born with these rights. This is the danger of eroding the constitution, the arguments can be used against whatever issue you want. If we want it changed, do it the right way and pass an amendment. But please, protect the integrity of the most important document we have.


Sometime I wonder if the FBI and other security agencies lost perspectives or they know something that we don't.

Time and time again, their argumentation are not particularly persuasive.

I don't doubt the existence of terrorists, but it seems that they are more boogeymen rather than an actual threats.

And when it came down to it, the power of terrorists is to inspire fear, rather than kill people. They can change us because we felt the need to change.


Politicians need to appear strong.

For some reason, especially in the U.S., "leaders" have to appear strong. When there's no war going on, they have to start one. Terrorism is easy. There's really nobody to fight, but you get to fight them anyway. Politicians LOVE this.

Law enforcement loves it too. They get to trot it out as an excuse to lengthen their leashes.


Standard power play. There always needs to be an enemy to fight against to keep the population inline. After the Soviet Union collapsed it left a vacuum so we had to invent terrorism as the new threat. IMO anyone who is scared of a couple of inbred bible/koran thumping terrorists isn't fit to lead a country.


Other governments are definitely going to force manufacturers to make their phones unlockable or not for sale in their country.

China, Russia, Saudia Arabia, all forced Blackberry to turn over their encryption keys long ago.

US politicians should set an example and say we are NOT going to be like China and Russia and other repressive regimes and that when people's lives are literally on their phones, they have a reasonable right to privacy and protection from search and seizure, you know like in our constitution but ignored everyday.


Well the winds have changed on that stance, at least in Europe. I've seen a couple of leading politicians say something in the line of: "If china can do it so can we" concerning the Chinese firewall and blocking "unwanted" content on the web, which is scary.


If it happens, it'll become precedent, then all countries will want to do it.

The next logical step is to outlaw phones and devices that are incapable of breaking into. Then they'll make it so you need a license to employ cryptography.

It sounds crazy, but where we are right now would have sounded just as crazy 15 years ago.


> The next logical step is to outlaw phones and devices that are incapable of breaking into. Then they'll make it so you need a license to employ cryptography.

Welcome to the 90s: https://en.wikipedia.org/wiki/Export_of_cryptography_from_th... [0]

> It sounds crazy, but where we are right now would have sounded just as crazy 15 years ago.

Hardly. 15 years ago, the US were just barely past their encryption export ban, and we had yet to deal with the (still ongoing) fallout from it.

[0] although back then the US only tried to backdoor or ban strong encryption for the international market, not for the domestic one, for simplicity reasons the domestic versions of exported products often used "export-grade" (shit) encryption


I read the "we're back to the 90s again" articles. I think I would be careful not to overstate the case. I coded in the 90s. I did light crypto in the 90s. This isn't the 90s.

The world was so different then that the analogy wears thin. It was mostly client-server, the web was just taking off, and vast cloud server farms weren't even on the horizon. As you noted, the laws back then weren't for creating crypto -- it was for exporting it. At least in the states, we saw a healthy market for all sorts of new crypto tech: DES, AES, and RSA started in the 90s. (RSA became public in the 90s).

Note that I'm talking from the viewpoint of the average developer making applications. The business side, the international side, and the exporting mess? Yes, it's very similar. My comment was about changes Joe Dev is seeing now. The 90s was "write it, but only sell it locally", the 2020s are likely to be "don't write it unless you have permission", which is a completely different can of worms.

Agreed that the development community as a whole is still recovering from the 90s. The damage we're doing right now will take as long or longer to recover from, if we ever do.


The only thing I think that directly ties back to the Zimmermann case would be the public nature of this fight.

..but since we're referencing the 90's: If the feds succeed in gaining the IOS source and signing keys I would say it's more like Phiple Troenix 2.0.


> Note that I'm talking from the viewpoint of the average developer making applications. The business side, the international side, and the exporting mess? Yes, it's very similar. My comment was about changes Joe Dev is seeing now. The 90s was "write it, but only sell it locally", the 2020s are likely to be "don't write it unless you have permission", which is a completely different can of worms.

I'm not from the US, so there may be a difference if you're a solely a domestic US developer, but from outside the US the distinction is pretty much entirely academic.


>Then they'll make it so you need a license to employ cryptography.

You already need one to export certain goods / to certain countries.


Big difference between "need" and "are required to have"!


The interesting thing is that Chinese officials sometimes make similar statements that say, "This is in line with what other countries around the world say and do." Submarine marketing worldwide. :)


And the result has been, so far..."no we won't." Politicians tend to say stupid shit - for some of them, that's practically the job description.


"You know, we could, at the far extreme to make the FBI's job easier, put ankle bracelets on everybody so that we'd know where everybody was all the time. That's a ridiculous example, but my point is encryption and privacy are larger issues than fighting terrorism."

Ok so replace "ankle bracelets" with "GPS/cell triangulated device" and it's a ridiculous example because what, things that are already real aren't really "examples"?


I am surprised that a search for "math" only turned up one result in this thread, about car accidents vs terrorist victims.

Isn't it true that encryption legislation or policy is sort of irrelevant next to the very clear math that says encryption will always be ahead of decryption? Even in a (hopefully avoidable) dystopia where encryption is illegal, would that really stop technology companies from continuing to do what they've always done?

John Oliver has a great segment[1] where he notes that the majority of cheap, available encryption applications aren't even US-based, and so it becomes nigh-impossible for our (or any) government to stop any pedestrian from encrypting.

[1] https://www.youtube.com/watch?v=zsjZ2r9Ygzw


Yep. Cory Doctorow has talked about this: how the universe "makes it easy" to secure communications because mathematically, it's really easy to encrypt (verify that a number is prime) and really difficult to decrypt through hacking (factor a huge prime number).

And because of that, outlawing encryption is really outlawing math, which is ridiculous. Math is a universal API everyone has access to simply by existing. You can't outlaw math.


Do you have a link to that? Because I know a guy who really needs to counterpoint it. High-security engineer, Clive Robinson, always said security is about physics if you look at it down to the hardware. The physics try to connect things in ways you didn't see coming. That allows unauthorized communications. The physics also try to corrupt the operation of your chips. That compromises computational security mechanisms. Even encryption algorithms had tons of problems when they were implemented to the point that it takes pro's with years of experience to implement them with any assurance. Those are often broken later.

So, if Doctorow said that, he couldn't be further from the truth. The universe seems to do everything it can to make security difficult via physics itself. Throw in economics and biology (evolving malicious attackers) to top the argument off.


Security != encryption in every case. What you're describing is actually also what makes encryption stronger/easier than decryption:

A priori there's only 1 correct plaintext, while there are limitless chipertexts of any given plain text (assuming arbitrary IV lengths and key). You can't change that and this is basically what makes encryption so much stronger than decryption.


Only two sentences were about encryption. The others mainly covered the foundations, like kernels or MMU's, encryption depends on or can be bypassed with. You should look up TEMPEST Level 1 safes, PC's, peripherals, and rooms. That's just EMSEC part tgat requires all thst because physics fights us. Then, look up NSA Type 1 hardware and physical separation with Red/Black model to see how you start on endpoints. Rad-hard and fault-tolerant circuitry too where you'll see probabilities instead of certainties.

Add it all up to say that, outside a few products, your security mechanisms from CPU go crypto arent secure. Physics and intrinsic complexity work together to ensure this. Systems fighting all of it have less features, are heavy, more manual steps, less battery life, and cost several times more. Economics takes over there where physics leaves off.

"A priori there's only 1 correct plaintext, while there are limitless chipertexts of any given plain text (assuming arbitrary IV lengths and key)."

A priori there's electrical signals going through analog and digital circuitry that implements a form of it with malicious hardware, software, or networks connected to it. There's tons of ways to intercept or leak those secrets. These are not in the formal model of crypto. Once included, the picture changes considerably and leans my way.


Except of course I can create an unbreakable encryption with two pieces of paper and a pencil by constructing a one-time pad. And that encryption has nothing to do with computers except for the fact that doing encryption by hand would take ages these days and we therefore choose to delegate it.

The fact that our computers are too unreliable to be trusted with encryption does not mean that the universe does not favour encryption.

Unless you constantly keep inventing malicous hardware or hidden 'observers' in the paper and pencil scenario there's no way you can say that decryption is easier than decryption.


I saw that counter coming. A little bit different, better argument. Several things in here. So, let's look at them.

re paper encryption

That was defeated regularly in the Cold War in a number of ways. Easy or not, the mathematical proof didn't translate directly into the real world due to human issues and physical ones like intercept or observation. FBI's crypo unit has been defeating custom pencil and paper ciphers of criminals for a long time, too. So, we can say the best, provable encryption makes the job more difficult if no observation of the act of encryption, KEYMAT, or decryption take place. That's a lot more limited than mathematicians pronouncements imply. ;)

re universe

"universe does not favor encryption"

Oh, I think it doesn't. For one, encryption only happened one time in known universe that we know of. When it did, it screwed up more often than it worked. Then, even the best forms are defeated by stuff above thanks to other properties of the universe. Universe seems to favor plain text to me. Its own codes are plain to observe, too. Obfuscated at worst.

re computers

That was a nice dismissal but computers are the whole point, right? We talk encryption that we're going to use on a computer most likely. Then someone says some stuff like how we can trust the math. Then I have to point out we run electrical impulses representing machine instructions, not math. Then the conversation drifts to pencil and paper or arcane stuff.

At least you admitted we can't trust the math on a computer because it doesn't represent what it does. Often not on pencil and paper either or in speech if under surveillance. So, we can't trust the math at all. It's always math + all kinds of circumstances and methods. Even then, we can only trust it with probability C as in odds of Compromise.


Encryption and privacy are what make this reality work. You think you are you. I think I am me. This reality's ability to keep those separate is a privacy feature. From a Buddhist's perspective our understanding (Dharma) is that we are, on some level, all the same entity.

One of the early sutras put it this way:

> "Discrimination is consciousness. Nondiscrimination is wisdom. Clinging to consciousness will bring disgrace but clinging to wisdom will bring purity. Disgrace leads to birth and death but purity leads to Nirvana."

Encryption gives the means by which we can enable privacy between ourselves, or what we think of as self. If we enable complete privacy from all others, we drop into a self-world. If we disable privacy, and join all the others disabling privacy, we drop into an isolated type of Nirvana, with the implication everything becomes quite boring. I have compared this in the past to the observed push and pull of public and private cloud business models.

One solution may come via virtual realities where we can arrive at consensus in a fair and measured way without centralized control. It is my belief that immutable data structures backed by encryption, such as a blockchain, are the path out of this mess.

Here's Alan Watts talking about this: https://www.youtube.com/watch?v=lBOcFwUzIIQ


>We could put ankle bracelets on everybody so we'd know where everyone was all the time.

How does everyone carrying phones not already make this the case?


It's a choice. Duh. Don't have a phone so they can't monitor you while you are not at home.


How easy is it to be part of society without a phone? The way people communicate, organize, meet, is all via these devices.

Yes, whether to have these devices is technically a choice, but when the social cost of choosing not to have one is so high, the choice is made for you.


Dont be so dramatic. You can have a phone and leave it at home if your gone do something where you don't want to get tracket. Thats just the most simple option. Its not a binary choice.


I don't want to be tracked when I go to work (or ever), but I have to bring my cell phone to work because I need it to do my job.

So, yes it's a "choice": I can have my privacy or I can have my job.


Get a dumb phone for work.


Dump phones still allow tracking you.


That doesn't solve any problems.


For people on Hacker News? Easy as shit. You have employable skills and Internet access. Life will be strictly better than it was when you didn't have a smartphone fifteen years ago.


It is fairly easy. I have a fairly dumb feature-phone I almost always leave at home unless I want to be reachable away from home. During work hours I work on a computer connected to the Internet, and can be reached quite reliably via e-mail, or via my employer's office phone.

You do need a mobile phone these days because (in The Netherlands) the government requires SMS authentication for some services, but I don't feel the need to own and carry a smart phone with me all the time.


The Apple situation annoys me because it's no longer about the web. It's about breaking crypto on a device which is vendor-locked. The same thing as breaking homegrown crypto, or DVD crypto; easy and trivial. The fact that Apple doesn't use ephemeral keys and can't simply throw away the key in the event of an incident is worrisome enough.

Real crypto needs to be more compartmented than that. A bank is not secure because of the massive door - it's safe because it would take a thief weeks to empty every safety deposit box.

It's also made even safer when the key is (more or less) thrown away for periods of time and nobody can get it. Even with manual over-ride. Literally somebody could be dying inside the safe and nobody could save them.

In properly implemented crypto nobody should hear you scream.


The hole concept of end to end encryption works far better if the ends are actually secure. We use end to end encryption to protect our communucation one the move and our endpoint are protected with secure hardware.

Weakening end point security is certantly not as bad as going after tls (for example) but its still a vital piece of our trust chain.

And the smartphone will grow in importance as an authentification factor and that makes it even more vital.


I just had a thought: what happens if Apple complies with the order (say they lose the legal battle or something), but individual employees refuse to build the software? I think the verdict is out on whether or not Apple, a corporation, can be compelled to do this, but what if they can't find anyone to do it?

Just thinking it _should_ be much harder to compel individuals to do something like this than it is to compel a corporation.


Ha! Folks will line up to do the job. I've refused to violate federal regulations (re wireless devices, bands and transmission rules) as a contractor and had the regular employees jump right in and volunteer for the job. At a Midwest manufacturer in a liberal (college) town.


Not actually interested in if people are willing to do ethically questionable engineering work; I'm interested in whether or not the government can compel them to do so.


Gun rights are larger issues than fighting mass shootings.


Edit: Posted to wrong article. My apologies.


Wrong article. You probably meant to reply to https://news.ycombinator.com/item?id=11288841


Yes, my apologies. Too many tabs open.




Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: