This is very naive. Just assume the scenario where a CEO or politician has a certain fetish that he/she rather would not like to be splattered over the front page of a national news paper. This person is likely going to use his personal email, phone, voice and data applications to indulge in this fetish. If there is a backdoor, it is almost guaranteed China, Russia or any other country will eventually break it and potentially use it for blackmail to get their hands on corporate or national secrets.
It's a solved political, human-access issue that doesn't need an easily-hackable technological hammer in search of a nail: if they can get a warrant, then they demand the password or one goes to jail. Adding backdoors would inevitably give unimaginable power to a host of foreign governments, random hackers and political adversaries... little good could ever come from it that couldn't come from warrants and traditional channels of legally-compelling disclosure without the damage to the already tenuous image of the integrity, security, and trust in most every type of system. The attack surface of modern, complex systems is big enough without a hole the punches right through it if you have the master key to everyone. For example, think of the immense risk and target posed by a master escrow key database, and some random subcontractor losing or "losing" a laptop, compromising everyone.
I agree with your sentiment completely, but do want to serve as a footnote on the sentence I am quoting: Being an "appointee" does not imply competence or incompetence on technological details. Being elected does not imply competence or incompetence on matters of technological details.
When the officials in charge of the decision are entirely elected, it is not as if they are elected because they have a technical pedigree, presented at DEF CON, or have a high score on leetcode. They are elected because of a myriad of complex factors, most of which relate to the prevailing cultural memes of the day. Heck they only stand for election based on a similar set of complex factors and impulses, and awareness of technological specifics is eternally low on the list.
I say this having known one low-level federal bureaucrat well (he might even qualify as part of the "deep state", if such a thing existed), and interacted with a few others in passing. In some ways they are ridiculously competent in their area of expertise. In other ways, they are depressingly in favor of the inertia of the status quo. But in all cases, I can't say that replacing their hiring process with an election would change a damned thing.
The last two aren't realistic. The first two might be.
In fairness, this is pretty naive too.
The idea that a backdoor exists, and our intelligence community is not monitoring the proclivities of, say, Halliburton's chairman, is fanciful in the extreme.
I think it's safe to assume that everyone would be recorded, and some people would be watched in such a scenario. Anyone above VP level at Oscar Meyer, Boeing, Procter and Gamble, Booz Allen Hamilton, etc would be pretty high up on that "watch" list. Probably even anyone who knows the CEO at Boeing, or Intel, or whatever would be high up on that list.
I always look at it this way, the intelligence guys are at least as smart as I am, and if I had a back door, that's the minimum list of who I would watch. I think it very likely that we would have gotten to those guys and gals long before any Chinese, Indian, Israeli, or whatever nation's operative would.
This is part of the insidiousness of backdoors.
What happens when a foreign or hostile intelligence community gets their hands on some of those secrets? Just because "your own" know them already doesn't mean they're completely worthless for all the others.
An adversary armed with such secrets can change the course of an election, undermine certain people and initiatives to promote others or change a company's leadership, etc. And they can do it with 0 accountability since they never have to ever directly leverage the information, just release it in very targeted ways to the people who will then do all the work, knowingly or not.
Having backdoors is a bad idea and it has proven as much time and time again. And coming out in public to say "corporations can have their way but regular people have to be kept on a leash" is exactly the kind of thing you'd expect from someone on the wrong side of such a backdoor, someone with no choice but to prostrate themselves.
Should we allow prisons in the united states to have "master keys" or "back doors" to allow firemen to evacuate prisoners in the case of fire?
Not that he was the first in US history, by a long shot.
Hell yes. Solidarity.
See for example tobacco and asbestos companies.
And did Enron really die if all their assets were sold to competitors and continue to operate?
Cells make no sense for the business entity, however justice definitely does.
When we regain sanity and quit insisting corporations are people, and recognize them as the constructs and devices they are, then these discussions can make more sense.
Interesting choice of bad guys there. Snowden already showed us that you've omitted the biggest bogeyman.
However, I take issue with this part:
> After all, we are not talking about protecting the Nation's nuclear launch codes. Nor are we necessarily talking about the customized encryption used by large business enterprises to protect their operations. We are talking about consumer products and services such as messaging, smart phones, e-mail, and voice and data applications.
I think he is intending to argue that the quality of the encryption should be tiered, that "consumer" comm crypto should be weaker than business operations crypto should be weaker than gov't crypto. If so, I think this is a bad policy.
I just got through a security audit by one of our customers at work. One of the points that their security team made was that they want us to do more to protect the mobile devices used at our company. Even though said mobile devices do not, and will never have, access to the customer's sensitive data, the customer argued that a mobile device being breached gives an attacker a foothold, and allows said attacker to move closer to getting access to their data.
I think the same principle applies to this notion of lower-tier crypto for the peasants. Lower-security systems interact with higher security ones, and if those lower security systems are breached because their security was artificially lowered, they become threats to the higher security systems with which they interact.
I don't doubt that if crypto for Not-Government were kept artificially weak, that China or Russia would leverage that to their advantage, moreso than they already are. I think it would also make things easier for not just state actors, but lower-tier criminals, as well. If Barr wants to have an easier time catching bad guys, he should probably not make it easier for bad guys to do bad things.
Allow me to openly think about this:
Take an image for example. If I hash it and encrypt it I can still recognize similar pictures. If I use a different set of analysis like color distribution I can also identify the picture with more time. If I release tiny bits of encryption key, I can weaken encryption but still cause a significant time of consumption to break down the code. Meaning it still won't be easy without effort.
I believe NSA tried to weaken encryption in a way that only they could break the code with enough time. They ran some sort of limitation on the kinds of keys that were generated.
This still brings a high cost to decrypting but streamlines it so that only certain people will have the power of doing so.
A little farther, you'll have services where you bring your own message ("really really mine. I just forgot the encryption key!"), pay, and get a decryption.
There is no way to select who the encryption is "weak" for and who it is "strong" for, except with a backdoor (e.g. DUAL_DRBG, or backdooring an RSA private key generation so the public key includes an encrypted version of the seed used for the private key) -- but a backdoor, once open, is open for everyone.
I don't think this is strange, since this is how it works in physical. A home has a simple lock, a business a few better ones and a security system, and a military base has 24/7 armed soldiers on guard.
Impossible to do right now for encryption of course.
Where this falls down, is that if my threat model is different, rightly or wrongly, I can still change the locks on my home to something more fitting the threat model. If we were to try to fit the crypto policy that that Barr seems to want to real-world locks, then that could get problematic, quicky. I want to lock my hunting rifle's case with an Abloy, because using the toy locks from Home Depot is fucking irresponsible? Nope, not allowed. That's miltary-grade; civilians don't need military-grade tools. Requiring one be a business before one can get/use moderately-strong encryption could all too easily become a regulatory burden that causes a lot of small and medium businesses to become less secure, and further entrench the largest companies. And as the current top root-level comment points out, it would make getting blackmail on the rich and powerful that much easier.
I think it should remain impossible to do for crypto, because as another reply to you points out, the real world differs from the digital world in important ways. Trying to force the digital world to be more like the real world is likeable to make both suck more, not less.
The physical world can't have all locks past, present and future broken simultaneously across the world, possibly without you knowing.
Knowingly and arbitrarily weakening encryption is risking those stakes for IMO not a good enough reason.
About the only things in common thinking about physical and digital security is the word security.
Yes, but this is not how it works in cryptography and there's no reason it has to. Should we deliberately weaken crypto systems so that they work similarly to some other arbitrary system? The question seems to answer itself.
Everyone knows when they put a TSA lock on their luggage it does almost nothing to improve the security of their luggage. Any serious criminal has a key to TSA locks.
Adding backdoors is like putting a TSA lock on your bank password. It keeps honest people from seeing it but doesn't do much else.
Unless that repo is backdoored and the code has been altered.
So, when I collect my bags, I can tell whether they've been opened since I last saw them.
>The Washington Post inadvertently published a photograph of all seven of the TSA master keys in an article about TSA baggage handling. The photograph was later removed from the original article, but it still appears in some syndicated copies. In August 2015 this gained the attention of news sites. Using the photograph, security researchers and members of the public have been able to reproduce working copies of the master keys using 3D printing techniques.
I love that Schneier weighed in on this.
Anyone capable of rational thinking knows it's nonsense, a power-grab by politicians, law enforcement and the security services looking for mass surveillance; overreaching powers that will inevitably be misused, abused and slowly creep into other areas of government.
And yet the bombardment continues, banging on about terrorists, paedophiles, the Russians, the Chinese, the bugbear de-jour.
Honestly, I fear for what is happening to Western democracies just now - it feels like we're on a slow but steady march to an Orwellian nightmare I don't want to live it.
Let’s pretend the Big Tech companies build something robust and unbreakable (impossible) for the US govt. Now the EU and former English colonies want the same.
Now Syria wants the same access and full history of anyone in Syria. China would like the same for Hong Kong.
It’s slippery slope that goes down hill very fast. The line between criminal investigations and persecution are blurred.
And that's not even touching on SSH and HTTPS and GDPR complications.
If we don't laugh at and discredit the idiots pushing this, people are going to take them seriously and we will have to deal with the consequences.
Regarding companies (like facebook) that collude with the gov to bypass encryption with MITM snooping, we need to continue to expose them, and major players like Google and Apple need to actively disobey any orders from the gov, and send an army of lawyers at it, and I think that's what will happen.
They only need to lean on relatively few people - the humans who live in the US and who run Facebook, Apple, etc. to put back-doors in their services. Or worse, they put back-doors in their services while denying that they have done so.
The fact that strong encryption still exists will be of little use if it's not what the bulk of people actually use.
Despite all of the rhetoric and public statements, the legal burden and actual enforcement seems to be going very much the opposite direction in the US and EU. There is good reason to suspect that the monitoring (and centralized censorship) infrastructure built up in other nations could end up producing the opposite desired goals in the long term.
This is seriously wrong, and that word "laughable" is a key-word for others who share you larger assumptions.
Let's assume that protocol enforcement is heaped upon those who can do nothing about it, not "laughing" techies with time and skills; .. until it is. Common access to network infrastructure is clearly being monitored and more and more requirements and restrictions are added each year, not less, in a dizzying number of ways. The ability to find a transaction from a "regulated IP address" used by those who do not have the skills or background to understand what is happening, only increases each year.
This cavalier analysis is counter-productive to someone who wants to a) stay our of the security swamp and b) live life somewhat un-monitored with individual choices.
I'm not disagreeing, but you gotta cite that one. To educate the readers.
Because NSA can't legally "spy" on US citizens, they would be happy to allow UK, or say NZ, to access those backdoors and record everything US citizens do. Then they just have to find a loophole in how to access that information later. Granted they can probably just redefine what "searching" and "access" means, which do already, but this would open even more loopholes and possibilities.
It's sometimes useful to think of these government agencies not as working for the US citizens but as adversaries who work against our interests.
This is, modulo using the hypothetical backdoors under general discussion, pretty much exactly what the "Five Eyes" member states (which set includes .nz and .uk) are doing for one another already.
> Nor are we necessarily talking about the customized encryption used by large business enterprises to protect their operations. We are talking about consumer products and services such as messaging, smart phones, e-mail, and voice and data applications.
It is AG Barr's suggestion (as far as I can tell from the quote above) that these are not regular consumers so they should get "the real thing". Everyone else would get the "inspectable encryption" version.
It seems to me that certain lawmakers and people like Barr either don't put the time in to understand or are willfully ignorant to further their own goals.
I think that applies here.
Didn't Chaum write up a quick-and-dirty spec specifically to stop that little parenthetical from being repeated?
Edit: I guess it was more than a quick-and-dirty spec:
I’d suggest if they really want to push this line of reasoning, then we should also abolish the 2nd amendment. It is there in order to revolt against the government. But it’s place also degrades the security of the country, as evidenced by the constant shooting and mass shootings that occur in American life.
Encryption is much the same way. It protects individuals against government spying, whatever their situation may be. And these products exist not just for the US, but are made by Americans for export with the American ideal of individual liberty in mind. If we remove that, it’ll get moved for China, Burma, Russia, etc.
It’s quite a price to pay for society.
One idea I saw floated around the time of the San Bernadino iPhone was arguing that encryption is protected by the second amendment as a means to not having to fight against backdoored encryption every few years. I don't have the case law familiarity with the 2A & encryption to say if it would go well but I did find it a fun idea.
Edit: I should add that this would be in addition to the clear 1A protection code and therefore encryption has.
Law enforcement will end up spying on regular citizens and catching small fish while big fish and bad hackers will laugh watching.
Just owning one of them could then become probable cause for a search of everything else you have, and then you'll be held in contempt and jailed until you hand over the password.
Or it could just be made illegal to own one at all. Anyone with a secure smartphone could probably be tracked just by traces it leaves when it connects to a cellular network.
> Just owning one of them could then become probable cause for a search of everything else you have, and then you'll be held in contempt and jailed until you hand over the password.
Could you explain your reasoning? Just owning a safe in my trunk doesn't give people probable cause to search my trunk, so it's not clear how you came to that conclusion.
DEA was looking though records of who bought money counters.
> I prefer to live in a free but insecure world than in a perfectly safe but not free world.
Which I interpret to mean, we're free to use whatever protections we see fit. But institutionally we can't promise security, since bad actors will always exist.
But: There is no such thing as "security" in and off itself, security is always relative to something that you value that you try to protect. So, if you value freedom, you can not achieve security through limiting freedom, because that would mean destroying what you value, supposedly in order to protect it ... but that would obviously be a total failure at achieving that goal.
The point is: Part of living in a world that is as close as possible to perfectly secure is that you have to mitigate the risk of concentration of power in the hands of authoritarians and corrupt people. Limiting the power of the state is a security mechanism, and authoritarians who want to obtain more and more power by calling their power "security" are simply lying.
If you accept that authoritarians dismantling security mechanisms is somehow an increase in security, you have already fallen for their propaganda.
Agreed. I think part of the issue stems from how people define freedom, seemingly thinking that freedom means "no rules".
For example: If having rules is intrinsically against freedom, then why would anyone who desires freedom play sports, where rules define the game. If you eliminate the rules, you eliminate the game and your freedom to actually be able to play it.
The problem is when certain people want others to live by their rules and are willing to apply disproportionate force to get their way. Capital punishment for theft, fines and imprisonment for copyright infringement, penalties for refusing to aid an official investigation, etc.
If you’re free to own guns, you’re not free from someone else owning guns and shooting you with one.
If you’re free to drive a car, you’re not free from someone else who drives a car not running into you and killing you.
Sure, they will be punished for it, but the harm to you has already been done. You are not safe from it. It is an unlikely, but possible danger.
The only protection from guns and cars is universal disallowment of guns and cars and the immediate catching and ban of all people that begin the process of creating or thinking about guns or cars.
This example can be spread to almost anything that has any potential of harm at all.
No, they are not.
> If you’re free to own guns, you’re not free from someone else owning guns and shooting you with one.
Or in other words: Different freedoms are at odds with each other.
> If you’re free to drive a car, you’re not free from someone else who drives a car not running into you and killing you.
You might as well be saying that if you are not free to own guns, you are not secure from having your guns taken away. None of that is fundamentally about security vs. freedom, it is only about conflicts between different freedoms that have to be weighed against each other. Arbitrarily labeling one of those freedoms as "security" is a lie.
> The only protection from guns and cars is universal disallowment of guns and cars and the immediate catching and ban of all people that begin the process of creating or thinking about guns or cars.
No, it's not. The only protection from guns and cars is to have everyone agree that owning guns is bad, so noone does, or that owning cars is bad, so noone does, or whatever. The moment you suggest "catching and banning", you are talking about giving some people guns so that they can use them to force others to get rid of their guns, and that is the moment where everyone is at risk of being shot at using one of those guns, be it by mistake, due to corruption, oe whatever the reason might be, so obviously you are not "protected from guns". That is exactly the authoritarian propaganda lie that I was talking about.
There is nothing inherently secure about giving some group of people power, no matter for what purpose you do it. Giving people power is a danger. It's a danger that may be well-justified due to the other dangers that you might be able to control this way, but it is always a danger. It is always about weighing one danger against another, about weighing one freedom against another--framing it as "security vs. freedom" is an authoritarian propaganda lie that tries to convince you that one of those dangers isn't a danger by mislabeling it as "security".
People on Hacker News will upvote that when it is about encryption, but downvote it when it is about financial markets (e.g. the SEC). Just an observation.
The thing that I don't really see discussed in this is the question of who do you trust to have the keys?
Personally I can't imagine entrusting decryption keys to anyone appointed by or simply hired by the Trump Administration given its history of choosing people for sensitive positions. I guarantee that there are a ton of people who think that Hillary should be locked up that would feel exactly the same way about security keys under the control of any Democratic Administration. What's more, unless the policy becomes that all communication must go to the United States government to then be retransmitted onto a final destination then security keys would be vulnerable to disclosure by anyone from a former Administration who had access to them, and it only takes a limited number of compromised or dishonest individuals to compromise the entire system.
Don't discuss whether people are comfortable with the FBI or Department of Justice or William Barr having the authority to get to all of their Communications. Discuss whether they'd be fine with Barack Obama or Hillary Clinton or Eric Holder or whoever ends up being the Democratic nominee having that access.
Edit: moved last paragraph to first.
Just give up on being able to image and examine people's encrypted artifacts, and just give up on trying to tap a firehose of data from the providers now that they have an interest in encrypting what they store.
The state had a good 30 years of unprotected digital artifacts being available, and now it is just going back to the heuristic analysis of the days before, a level of accepted intrusion that government is built around.
Abuse of "contempt of court" to compel third parties not accused of any other crime to assist in an investigation is also a problem. The court can ask for the data, of course, but one ought to have the legal right to refuse; refusal to provide the requested data, on its own, should not be considered evidence of guilt or probable cause to conduct a search.
He experienced the pain and consternation of regulation, and now feels erudite calling BS on “his old industry” as the defender of All Things Right.
But of course, when Hacker News is called upon to “nerd harder” we always rise to the challenge. Except when the difference is, in fact, fundamental.
Back doors have a way of becoming front doors for the wrong people. And absolute power corrupts absolutely.
All of that was true before. It’s just that now getting the wrong set of keys could now open a billion locks at once.
Seriously though, the legal tradition just hasn't caught up to the idea that somebody can possess information outside their person that can't be forced into the eye of the law.
I've thought about this a lot and my best conclusion so far is "give up the encryption keys in exchange for immunity against legal cases that aren't yet open that the secured data might reveal, or you're guilty by default". Seems like the kind of thing prosecutors might think twice about, and it gives them a trump card in extraordinary circumstances. I don't love it, but all the other ideas i can come up with leave one party so heavily favored that either freedom dies or the government won't stop whining.
If 1% of all secure public data transmissions were compromised there would practically be no point in trying to secure anything.
And who is Barr to decide what's worth encrypting on a societal level? I'll put my photo album through 5 different algorithms if I want to. Such is my right.
Go ahead Barr, make laws for corporations to follow and watch as all that data you're trying to capture disintegrate from the networks where you gave yourself access and reappears on even more secure smaller scale distributed systems.
What will happen is instead of Google hosting your data for you they'll just create devices that let you store your data at home, offline while only beaming back the telemetry and meta.
Barr should know about that last one, since he’s in the middle of the current impeachment proceedings, and Trump has also been routinely calling for the prosecution of his political opponents for doing some of the things I just listed.
It is clear that even Barr is uncomfortable with giving these surveillance powers to the executive branch while a Democrat is serving as president.
Except that's not the case. Encryption is mathematically proven to be 100% secure. Assuming the application was coded / implemented correctly, the only thing capable of unlocking encrypted secrets is the secret key.
AG Barr wants to move it from 100% secure to "99.5% secure". Not the other way around.
Well... no. We're pretty sure that factoring large primes is intractable, but nobody has actually proven it. And we know it's not that hard for a quantum computer. Modern cryptography is certainly not 100% secure for all time.
We still don't know how to prove the difficulty of any computing problems which the security of conventional cryptosystems rely on. https://en.wikipedia.org/wiki/Computational_hardness_assumpt...
Some systems, like the one time pad and quantum cryptography have security which doesn't rely on computational hardness, however.
And the bad guys can be the state. People need to acknowledge the phenomenon of systemic failure. People at large can know that the system is deeply flawed, yet not be able to fix it, because the problem is too complex to fix.
One could argue that situations where members of Congress see their compensation increase by an average of 1,800 percent when they leave office and become lobbyists, where fewer than 3 teachers in an entire state are fired in a year due to sweetheart collective bargaining agreements, where police unions protect officers from facing disciplinary action for miscondict, where the wage gap between federal employees and private sector workers has increased significantly since 1950, where more than half of the 20 wealthiest counties in the US are suburbs of Washington DC, where intelligence agents are known to use the state's surveillance apparatus to spy on lovers and exes through a practiced coined LOVEINT, where there are approximately 1 million federal regulations which hold potential criminal convictions for breaching, and where the prison population is 1 percent of the total population, are all examples of systemic failure, and the frequency of such failures requires us to check government power by enshrining legal principles like the right to privacy.
Information is power and centralizing information in the hands of a small government elite through mass surveillance leads to power asymmetry that is dangerous to society.
It makes sense to me, no agreement will hold if any one person can violate it with nothing to stop them.
It's distressing that the support is for more regulation in general (which can be easily coopted to support stuff like this), rather than specific policies or outcomes.
Don't get me wrong: I'm totally against backdoors, and I do consider them a significant weakening of any encryption.
But it's just disingenuous to insist that, for example, a system with the same sort of requirements as exist for search warrants is entirely equivalent to a system without those. Or that one-out-of-two encryption schemes do not exist. Or that it is totally impossible for an agency to keep a keyfile secure.
As but one example for the last: SSL certificate authorities are already entrusted with keys whose loss has just about the same sort of security implications as breaking messaging encryption might have. And that system is working somewhat decently, including in cases where those keys were breached and certificates had to be revoked.
A leak of the private key for a SSL certificate authority (or even for the server itself with modern TLS) doesn't allow decrypting past messages, while these backdoor proposals aim to allow precisely that.
* Honest Government Ad | Anti Encryption Law - YouTube || https://www.youtube.com/watch?v=eW-OMR-iWOE
Also worth noting that Australia already went ahead with their anti-encryption laws. Feels inevitable that we'll lose encryption to the nanny state. Really sucks, but I haven't got a clue how to convince the grandmothers out there why the cops shouldn't be trusted here. It's so frustrating.
* Government Surveillance: Last Week Tonight with John Oliver (HBO) - YouTube || https://www.youtube.com/watch?v=XEVlyP4_11M
I think it'll be one of those things that society won't wake up to needing until it's long gone. Depressing as fuck.
Any state with strong individual rights and courts will be limited in their usage to some extent. Outside actors, unlimited.
On a side note, with the new Australian laws, is it now illegal to use tools like LUKS and Veracrypt there?
> This is exactly the policy debate we should be having
Why is this debate needed? It's beating the same dead horse since this debate already happened in the past. It was made clear, that backdoors are not an option.
Don't trust any cryptographic standard put forth by the NSA, ever. They have always been about backdoors.
NSA made DES more resistant.
They reduced the key space down to 56 bits. Which was small enough for government computers to hack even decades ago. The original proposal by IBM was for 128 bits IIRC.
That is interesting that the Wikipedia page you linked claims the contrary and makes me suspect tampering.
Because this story has been told over and over again, even in textbooks. See Springer's Understanding Cryptography chapter on DES for instance.
EDIT: In fact, the Wikipedia page you linked states
DES, as stated above, is insecure. This is mainly due to the 56-bit key size being too small.
So where is this nonsense about the NSA making DES more secure?
The original cipher proposed by
IBM had a key length of 128 bits and it is suspicious that it was reduced to 56 bits.
The official statement that a cipher with a shorter key length made it easier to implement the DES algorithm on a single chip in 1974 does not sound too convincing
"It took the academic community two decades to figure out that the NSA "tweaks" actually improved the security of DES. This means that back in the '70s, the National Security Agency was two decades ahead of the state of the art."
By the mid-1990s, it became widely believed that the NSA was able to break DES by trying every possible key. This ability was demonstrated in 1998, when a $220,000 machine was built that could brute-force a DES key in a few days
But the NSA purposely dictated that DES use 56 bit keys (a strange choice of key length to begin with), so that it would be possible for brute force attacks using government mainframes. The original proposal was for 128 bits IIRC.
This was way back before many people studied cryptanalysis, which is why no one cared at the time.
The argument of data security vs physical security needs to take place with your neighbors and not just your Senators.
Don't get too mad when Law Enforcement does what your neighbors ask.
When Barr and Trump push through legislation that requires back doors put into all our security, who is going to do jail time when all our personal information is leaked again? I try to put the least amount of info out there but when I do I use crypto that I know works, that I know who and how it was designed, who and how it was audited. When the government comes in and some intern loses a USB stick with keys to the back doors I wanna know who's head is gonna roll for it.
* Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety.*
Additionally I think there is a fundamental misunderstanding, or lack of understanding, of Pareto and fundamental statistics. At this point we are scraping the bottom of the barrel for safety. We are in the safest time in world history. We are in one of the safest times in American history too^. Certainly in the last couple decades. Yet for some reason we are treating issues of safety as if they are worse than the 90's. And if we can make a statement that is only 99% secure then we're pretty much screwed. 1% of attacks/opponents/people being protected (whatever that measurement of "threats" means) is really low. If it's attacks, well give it a few minutes (that'd be consistent with previous back door implementations). If it's opponents, then really anyone we actually care about is going to happen access (there are far more than 100 countries with computers). If it's people being protected, well there are 350m Americans. That leaves 3m Americans vulnerable. Any of these cases are unacceptably low and I'd argue actually set us back.
The other thing is that even implementing mass surveillance wouldn't help us. In many ways it has more potential to harm us. Like many in the thread have said, it isn't just personal privacy at hand. Politicians, high profile business people, etc can easily be blackmailed. It doesn't even have to be some kink (as others have suggested). Just something like sending nudes to a partner or a charged joke that is taken out of context (how many of you have dark humor or use jokes to illustrate a point?). Nation States will definitely gain access to these backdoors. It's highly likely hackers will as well. Additionally everyone does have something to hide. Banking passwords, sensitive information, personal thoughts and feelings^^.
So we are going to give up a fair amount of liberty for a minute amount of security? (Possibly negative security!) This does not sound like a good deal for anyone involved. I don't think it even helps law enforcement. They already can't handle the information that they have. We've seen that with data they have, or could easily obtain, that things are obvious in post hoc (like someone on 4chan saying they are going to shoot up a school).
How does this help us as American people? That needs to be honestly answered. Otherwise all I see this as a ploy on fear and overreach. We used to fear Big Brother. I'm not sure why or how we have come to embrace him.
^ the issues at hand I do not believe would be solved in any way by monitoring because monitoring does not fix the root causes, which are clearly solvable.
^^ lack of being able to share these will only increase our problems.
Let me start by stating my views on free speech and rights in general, and then how they are shaped by these events.
I think that human rights and freedoms are just that: personal freedoms. Freedom of religion is about personal religious observance without harming others. These freedoms philosophically should not mean entitlement to unlimited exercise thereof. The right to bear arms doesn’t mean you should be able able to stockpile unlimited amounts of ammunition and incendiary devices etc.
Similarly, FREEDOM of speech to me is a PERSONAL human freedom. You can say what you want, and not be punished by the government for it. You can say it in a car, you can say it in a bar, you can say it very far, you can wish upon a star. But there are limits to how many people can hear you. Maybe 10 or 100 people at an event.
Once you get into situations where 5,000,000 people can hear a tweet, that’s clearly not about FREEDOM of speech in its strict sense. It is about entitlement to use a PLATFORM, maintained by an ORGANIZATION that involves many people, to broadcast arbitrary, unfiltered one-to-many messages to everyone.
I think this latter thing is toxic, in both directions. Society listening to tweets of celebrities cheapens public discussion and civic thought. And being reachable by the whole world using email (rather than through networks of shared invited/capabilities) leads to constant spam and papparazzi for celebrities. What happened here is an ORGANIZATION put on a show or movie and catapulted this celebrity into the limelight and carefully maintains their stature, along with their own publicists, social media team on twitter, etc.
This is the society we live in, where we have heroes. But entitlement to unlimited unfiltered megaphones is NOT the same as freedom of speech, any more than being a leader if a paramilitary group of unlimited size is the same as the right to bear arms.
So, freedoms and rights have limits. Where those limits lie is the heap paradox - as you take away grains, when is a heap no longer a heap? etc.
So what is the alternative to this type of misnamed “free speech” aka megaphones run by organizations, super PACs, mainstream media, and so on? It is COLLABORATION.
Look at Wikipedia.
Look at peer reviewed journals and science.
Look at large open source projects
I would like to see a patentleft movement in drug research, instead of big pharma. I would like to see news reported like Wikipedia with footage submitted by everyday people on the ground instead of “intrepid reporters in a warzone”. CNN used to have a motto that they have “no celebrities”. News agencies tried to stay lukewarm and neutral. FOX News changed the game, lots of people copied the model. The Internet eliminated newspapers and classifieds. News had to adapt because capitalism and cutthroat competition for the same ad dollars means MORE clickbait and MORE lockin to one type of audience. For-profit Social networks further use this content to herd us into echo chambers of outrage, because that’s what drives the most engagement, which the social networks need to monetize. They send notifications in an increasingly desperate attempt to grab your attention in a tragedy of the commons where the commons is our attention.
This has had a corrosive effect on society. The capitalist (competition based) news has made us more polarized and outraged, while the capitalist (competition based) social networks have made us more addicted to our notification slot machine, with smaller attention spans and self control, responding to that stranger on the internet over that latest outrage.
THIS is the culture that leads to more mass shootings. The fact that we have giant platforms instead of peer to peer is another problem. By banning extremist people from platforms, a platform can pop up which attracts the worst extremists, and feeds them. This platform should ABSOLUTELY be a honeypot for the FBI to watch these people. In our world of centralized platforms, Platforms like this should be RUN by the FBI.
Instead, our government takes the wrong approach. They shut down the Craigslist and Backpage hookers sections instead of using them to entrap and catch traffickers. Then they threaten large platforms with SESTA (2018) when they should be the ones catching the people who are out there. The platforms should be honeypots!
Anyway. So although I feel my stance is correct, and beneficial to society, there are three practical problems with it:
1. First Amendment is not interpreted as I do. In fact Citizens United even allowed our politics to be run by PACs with huge money and megaphones (although nonprofits could have always done that). So legally my literal understanding of limits of freedoms is not matching the traditional ones (slander, yelling fire etc.)
2. This may be the more serious one. As we have more end to end encryption and better personal technology, all well-meaning ideas about limits of freedom of speech and arms melt away. Imagine Alex Jones on SAFE Network with 1,000,000 people subscribed to his encrypted feed. Or imagine 3d printed guns from illegally shared 3d models, stored in 10% of the homes in NYC. Can’t stop people using a turing complete language to turn out banned material.
3. Even with numerical limits on each person’s audience, a hateful message can attract people who make plans to use technology to asymetrically perpetrate criminal acts. And end-to-end encryption means we won’t know what they’re saying.
However, I believe that if we took the freedoms in the way I defined them, and moved to collaborative platforms instead of competitive ones, our society’s health would measurably improve.
This very American attitude of separating "business enterprises" from "consumers", which to me sounds like separating the noble and important from peasants or cattle, is utterly sickening. I am not a "consumer", I am a person and I deserve and demand more privacy and freedom than a corporation.
We are not consumers, we are people.
Just as a disclaimer, I've read the guidelines and know them well.
It's also off topic. Whimsical off-topic digressions can be interesting, but generic rhetorical ones are never interesting. Those discussions have been repeated countless times already, thus are predictable, thus are tedious, so we ask people to avoid them. The more generic a subject, the more shallow its discussion—and when it's angry as well, that's much worse. Angry plus shallow equals riler-upper, which is close to flamebait.
I understood your point and I'm not trying to prolong the discussion. However, I consider the implication that my comment was entirely devoid of a point a bit unfair, so I'll try to rephrase.
I think there is no good argument to be made for stripping away the privacy of citizens, with the implication that it's okay since they are somehow less important than businesses. The fact that this is now getting somewhat regularly proposed is scary and a danger to liberty. To me, Barr's statement reads as a long-winded way of saying "it's not too bad if we punch holes in your encryption because your systems weren't secure to begin with and you're also not that important since you are just consumers". My point was to call this out explicitly and try to invalidate it as an argument for breaking encryption.
>The right of large business enterprises to be secure in their employees, locations, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the large business enterprises or things to be seized.
Who do I (continue to) donate to in order to express my opinion that this is inexcusable? EFF?
Donate directly to the open-ecosystem cryptographers, and seek a technical solution whenever a political solution is impossible.
I often base my vote, when all the candidates in a given election have similar policies, on how they refer to people.
Use of "Consumers" loses my vote instantly. "Taxpayers" is a yellow flag - if used in specific situations that involves concern over major public funds going to private businesses (like building a stadium for a pro sports team) I'll let it slide but otherwise it only raises suspicion in me. But if a politician consistently uses "citizen", I'll give them a little mental gold star.
I used to hate the word consumer too (I don't love it now either) but honestly basing your vote on it seems like a really coarse way to distinguish between good and bad candidates...
I was referring to its use in the context of an election, which is often limited to the citizenry (in any democracy).
Also, where I live, public figures who use the word "citizen" to refer to ordinary people often don't use it in the literal sense of the word when discussing public-interest matters. They're often using it to emphasize the responsibilities and rights that all people have in relation to the broader society. In other words, where I live it's not often used in an exclusionary xenophobic way, but instead in an inclusive common-purpose way that emphasizes our shared humanity. The xenophobes here tend to prefer "taxpayer".
In the US some states or cities allow non-citizen legal residents to vote in some state and local elections (SF for examples allows non-citizen residents to vote for school boards)
The irony, I guess, being that the xenophobes probably intend to raise a distinction better delineated by the word "citizen".
Heck, the President and many members of Congress, the military, intelligence services, etc. use an iPhone. Maybe let's think about that before we stick a backdoor in that piece of "consumer" technology.
But with extra software that isn't on the iPhones ordinary consumers get, to implement and enforce the government's security policies for its officials.
Corporations are people too. Groups of people, ganged together and agreeing to do big and enormous things to other big, enormous groups of people, is how we get into the corporate nightmare.
The spirit of the individual is what needs to persist in all of this. If you want privacy, you have to be willing to gain it and maintain it yourself.
We are not consumers, we are people - but we can be consumed as well as any other resource. To stay ahead of that, produce!
However, when I read the word "consumer" in pronouncements like this, it seems like something else. The people using it usually don't mean it in a way that implies they are themselves consumers. They mean it in a class-forming way. The only way I would personally be able to refer to other people in this way would be to become the controller of a large global corporation and to be willing to exploit and submit others for my personal gain. This is not something I would ever want to do.
It's a very weird contortion of logic to say something like, "Only people can be the subject of a legal instrument; We need corporations to be the subject of a legal instrument; We must make corporations people."
I mean, we have control over the underlying premise here. We can change it. Maybe that makes some people less angry. Maybe that makes it easier to reason about corporate issues without accidental conflation of the subtly different aspects of "person".
That patch in has had grave consequences.
A liability shield is a fantastic invention for capital owners, because when things go pear shaped, they can leave the rest of us holding the buck.
Most of us aren't capital owners, in any meaningful sense, though.
This is an interesting book looking at how legal structures may have held back otherwise very advanced cultures in the middle east:
It refers to this book:
If you look at the developing world, the situation is even bleaker.
So, as far as ownership structures of capital go, for 95% of the population, it is a rounding error.
Also, damages that required liability doesn't just magically disappear, if you fail to pass it on to a company's owners.
The harm that caused the liability has already been done, the shareholders have already been paid from the profits of it - but the victims aren't getting compensation for it. In any just world, these profits would be clawed back.
That's still investment. Make up your mind on if an investment implies criminal and financial liability or not.
>and won't be receiving a lick of pension upon retirement.
That's because pensions aren't very popular in the US. You should look into IRA's, 401ks, etc to understand how the current working class has to prepare for retirement. Pensions (at least the ones that used to be popular in the US offered by companies) are complete garbage for the very reason that they can be raided.
>The harm that caused the liability has already been done, the shareholders have already been paid from the profits of it
No, it's actually pretty rare for modern companies to immediately issue all profits to shareholders as dividends.
>In any just world, these profits would be clawed back.
Well the company gets hit with a huge fine and all of the shareholders (and bondholders in bankruptcy) lose their investment. It's very rare to find a company that did something illegal long enough to generate 100% dividends to cover the initial shareholder investment and then get caught and wiped out.
"Humans and corporations are both persons" is kind of facile- corporations don't have quite the same set of rights that humans do.
I'm kind of on the fence about this. My counterargument to your comment is that the iPhone, Google search, global shipping, oil production, etc. could not be created by individuals. These things exist because huge groups of humans organized into things called "businesses".
Protecting businesses is like protecting the economies of states. There are massive effects for lots of people if businesses are not treated well. So yes, businesses get special deals sometimes. Unfortunately, this is a slippery slope, and people often fall down it.
To me, the truth in your comment is that US culture tends to give credit to CEOs for the efforts of all the other people in the organization. And this can be easily conflated with all kinds of other issues like "fines are just things that are illegal for poor people".
Businesses are a good and necessary concept, but that does not mean they are above the people. Businesses are servants of the people and of society.
To get back on the topic at hand, businesses should definitely not get special allowance to use some technology that "ordinary" people are outlawed from using. That is a path to disaster.
I also get the sentiment that people have more of a problem with the idea of government access to private communications than with weakening the encryption to allow it. I see a lot of the conversation being all about privacy, and not about encryption.
In discussion of the latter I don't have a lot to add, but in the former, the courts have decided many times over that law enforcement and the state can access information about you if they have probable cause that you're committing a crime. If you enjoy living in a society governed by laws and don't tend towards libertarian extremes of personal freedom it's something worth accepting and the discussion on the highest level of whether we should or shouldn't do this doesn't even consider this side of the argument, despite it filling up 90% of the user generated discussion about this topic whenever it comes up.
But, like, it’s not like the original ratifiers of the Bill of Rights didn’t understand what they were doing. They _knew_ that by outlawing common law enforcement practices like arbitrary searches and coerced confessions, they would be giving up some of their ability to “punish” certain types of “criminals”. They got that it meant they couldn’t listen in on a man’s conversation with God. That’s the deal they struck to try to form a country governed by laws, not by men.
It really seems like it’s not such a new situation, after all; we just have new values.
Imagine billions of unbreakable safes containing secret messages to and from anyone globally, instantly transported to anywhere in the world.
Like, dude, anyone with the appropriate security clearance that is aware of the implications of the encryption status quo isn’t spending time posting here.
Granted, it is new that we can communicate world wide this way, but I don't see how that changes much. "The world" to an individual has always been, and still is mostly, filled with people they could easily meet with for a secret conversation.
Also, are not our minds like an unbreakable safe? Human minds have been around for a long time.
The weakening of encryption, which may allow bad actors to exploit what the government has access to, is the actual discussion that lawmakers are considering.
People have a real hard time with coming to terms with the powers that police have. Those are not in question though. You can get mad about it, downvote me, but powerful law enforcement is a fact of modern life and it's not going away. In the US, you'd need a constitutional amendment, and there's no one calling for it, it's not an issue on any of the major parties platforms.
You're right. The US, China, Russia, and many other authoritarian regimes and politicians are working on further militarizing law enforcement and chipping away at the protections of citizens, such as supporting backdoors in encryption. Not a world I want to live in
The instincts of these organizations is to vacuum up every bit of communication that they can, and figure out how to justify access to it later. In such a world, there is no true privacy. The only method we have to combat this instinct is widely-available and widely-used strong encryption.
Imagine China's social credit score policy expanded in the US to factor in every text message you send or website you visit. It does not end well.
The internet has been a force of good, but also a force of evil, in this world. Rapid dissemination of personal opinion masquerading as fact has lead to extremism and polarization across the globe, this is undeniable. Some degree of accountability needs to be introduced into the system for the internet to reach the next level of maturity. The government is allowed to access your telephone records. The corporation holds your records to a certain date as mandated by law, and hands them over when a lawful request (warrant) is made. Full-on disk encryption and end-to-end encryption make it impossible for the government to access those records even when a lawful request is made. Note that the Fourth amendment states unreasonable searchs and seizures. That does not mean the individual is allowed to be impervious to searches and seizures. The reasonableness clause protects the interests of the state and allows courts to decide yay or nay on a case by case basis. That is the very intent and spirit of the law.
Currently technology, not law, is the gatekeeper, and technology is controlled by corporations. In a lawful society, this is untenable in the long-term. If anything, it enables tyranny by corporations, since they are unelected and not responsible to the public, whereas elected governments, in fact, are. The history of US is replete with cases where corporations have grown too powerful and governments required new laws to counter the threat they presented to society.
I think the recent 8-0 ruling by the Supreme Court completely invalidates this statement in the context of the government being able to block ones access to the internet in general.
> Justice Anthony Kennedy began by outlining what he described as a “fundamental principle of the First Amendment”: that everyone should “have access to places where they can speak and listen, and then, after reflection, speak and listen once more.” And even if once it may have been hard to determine which places are “the most important” “for the exchange of views,” Kennedy concluded, it isn’t hard now. Instead, he reasoned, it is “clear” that the Internet and, in particular, social media provide such opportunities, with “three times the population of North America” now using Facebook. Emphasizing that Packingham’s case “is one of the first this Court has taken to address the relationship between the First Amendment and the modern Internet,” Kennedy warned that the court should “exercise extreme caution before suggesting that the First Amendment provides scant protection for access” to ubiquitous social-networking sites like Facebook and Twitter.
And, it may not matter: When making its case, the Justice Department will disassociate the use of encryption technology from access, arguing that limiting encryption options on consumer devices does not limit participation in an online forum.
In other countries access to the Internet is a right . Of course it depends on how one defines what is a "right". It's not a right in the same way that everyone have the right to food or clean water (even though we cannot provide even these consistently to everyone), but it is a right and an increasingly important one.
The fact that many international companies are based in the US is indeed quite unfortunate and I find extremely appalling that they can just hand over my data to anyone asking, especially if that "anyone" can also define what is "lawful".
Things should be end-to-end encrypted for everyone, with absolutely no back doors or any kind of weakening of the encryption.
The argument that "this enables bad guys to do bad things" can only stand if they can show us hard data about how many bad guys they have caught because they were communicating in clear text and how much this number decreased because of the increased adoption of https and end-to-end encryption. But of course they cannot do that, because "National Security".
Well, they can't have it both ways.
In the US you do not have a right to drive a car (s/car/transportation). But lack of access to a car greatly hinders you in almost every aspect of life. Time spent traveling can easily be 2x-100x without access to a car. Some places it's impossible to travel without one. This is such a problem that in America it is all but a right to drive. Drivers licenses are easy to obtain because of this need for access. Overall this low barrier provides much more production and utility that it does downfalls (crashes and fatalities from underexperienced drivers, driving while drunk, etc). Access to transportation is all but a right. In today's day and age it is an essential part of life. Without it life becomes extremely difficult in modern society.
As to your second paragraph, I'll remind everyone that this is not the first time in history that we've had these problems. They are generally rooted from other societal problems. I'm not convinced that the internet amplifies this problem. There's historical examples of rumors spreading faster than a horse could travel between cities. The difference here is really number of people. It's node connections after all that's the issue, not really speed of information between nodes.
If you think the government should have the right to regulate speech via ciphertext, then that would require a constitutional amendment.
>Access to the [grocery store] is a privilege, not a right. There is nothing in the US Constitution regarding [grocery stores]. An individual is not required to use [grocery stores] to [obtain food], this is a matter of convenience, ergo privilege, but not a right.
People will always do bad things, and taking away the tools to do bad things isn't going to stop it. Without even touching privacy rights (where America has less rights than many other countries), there are many other ways the government can lawfully spy on you. Encryption technology is great; the genie is out of the bottle, and I doubt anything can really stop it.
I do not believe (and have not said) that Congress will outlaw encryption. As you said, the genie is out. However, they can, and eventually will, restrict technology companies from providing high-quality, turn-key, encryption solutions on consumer devices. This is what Barr is building up to. Individual users will be free to implement custom encryption on top of said platforms.
How can US law understand/regulate tech, given lawmakers are woefully uninformed, especially relative to those tech companies they seek to regulate?
How do you defend looking back to the Constitution in your argument, given its authors couldn't have envisioned the Internet or all its technological brethren? Do you think that male slave-owners in 1776, "representatives" chosen in a plutocratic fashion, should define what our rights are for all time, or is it possible we may gain new rights to previously un-thought of inventions?
>If anything, it enables tyranny by corporations, since they are unelected and not responsible to the public, whereas elected governments, in fact, are.
I feel the opposite. Corporations can easily be taken down when you stop paying them. Governments are extremely hard to fight against, especially with rampant corruption and gerrymandering. There's also the fact that almost all tyranny in the world is enacted by governments telling people what their "rights" are.
Is this not what courts are for? The government has plenty of tools to enforce lawful orders against companies.