And we better not fall for it
FYI, there's a long history of politicians attempting to regulate mathematical truths they don't understand. My favorite example is probably the infamous Indiana Pi Bill, via which local politicians wanted to regulate the value of Pi to be exactly 3.2, according a "proof" published by some crank. The politicians were even hoping they could get people outside Indiana to pay a royalty for the "proof." No, I'm not making this up:
Honestly, that seems to be a bit of a distortion. What I've read about that makes it sound like some state legislators were fooled for a little while by a crank, which caused a dumb bill to advance a little before being killed. No law was ever passed, and the motivation appears to be less of trying to force nature to submit to law and more trying to secure rights to (what they thought) was advanced technology. Even the "regulate the value of Pi" aspect is a (popular) overstatement, since (IIRC) that value was only implied by the bill.
> The bill easily passed committee and was unanimously passed by the house. Representatives received it favorably, with one gushing that "The case is perfectly simple. If we pass this bill which establishes a new and correct value of pi, the author offers our state without cost the use of his discovery and its free publication in our school textbooks, while everyone else must pay him a royalty."
The Wikipedia link is way better and more credible:
> Upon its introduction in the Indiana House of Representatives, the bill's language and topic occasioned confusion among the membership; a member from Bloomington proposed that it be referred to the Finance Committee, but the Speaker accepted another member's recommendation to refer the bill to the Committee on Swamplands, where the bill could "find a deserved grave".:385 It was transferred to the Committee on Education, which reported favorably; following a motion to suspend the rules, the bill passed on February 6, 1897:390 without a dissenting vote.
Honestly, it sounds like none of them understood the mathematics and the main effect of the bill had something to do with getting the state a license to use the copyrighted techniques royalty free. I'm speculating, but I wouldn't be surprised if many of those who voted for did so because they thought there'd be little harm in getting something for free.
If anything, the more embarrassing thing seems to be they didn't seem to understand copyrights or patents very well, which are creatures of law that legislators should better understand than mathematics. I don't know if the precedents existed 120 years ago, but you can't patent/copyright mathematical truth, so even if the crank was right they should have known they didn't need to to anything to avoid paying him royalties to use his results.
Feinstein was one of the EARN-IT Act's sponsors, and a long-time opponent of cryptography.
She is one biggest pro-spy-on-everyone senators there is.
Thank you for writing to me to share your concerns about law enforcement access to encrypted communications. I appreciate the time you took to write, and I welcome the opportunity to respond.
I understand you are opposed to the “Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act of 2020” (S. 3398), which I introduced with Senators Lindsey Graham (R-SC), Richard Blumenthal (D-CT), and Josh Hawley (R-MO) on March 5, 2020. You may be interested to know that the Senate Judiciary Committee - of which I am Ranking Member - held a hearing on the “EARN IT Act” on March 11, 2020. If you would like to watch the full hearing or read the testimonies given by the hearing witnesses, I encourage you to visit the following website: https://sen.gov/53RV
The “EARN IT Act” would establish a National Commission on Online Sexual Exploitation Prevention to recommend best practices for companies to identify and report child sexual abuse material. Companies that implement these, or substantially similar, best practices would not be liable for any child sexual abuse materials that may still be found on their platforms. Companies that fail to meet these requirements, or fail to take other reasonable measures, would lose their liability protection.
Child abuse is one of the most heinous crimes, which is why I was deeply disturbed by recent reporting by The New York Times about the nearly 70 million online photos and videos of child sexual abuse that were reported by technology companies last year. It is a federal crime to possesses, distribute, or produce pictures of sexually explicit conduct with minors, and technology companies are required to report and remove these images on their platforms. Media reports, however, make it clear that current federal enforcement measures are insufficient and that we must do more to protect children from sexual exploitation.
Please know that I believe we must strike an appropriate balance between personal privacy and public safety. It is helpful for me to hear your perspective on this issue, and I will be mindful of your opposition to the “EARN IT Act” as the Senate continues to debate proposals to address child sexual exploitation.
Once again, thank you for writing. Should you have any other questions or comments, please call my Washington, D.C. office at (202) 224-3841 or visit my website at feinstein.senate.gov
You'd think this would have given both Feinstein and Graham a better appreciation for cybersecurity, but no.
Like most real world systems this sounds incredibly inefficient to me. In germany there used to be (and maybe still is) the "Wahl-O-Mat"  ( an artificial word made out of two words: vote and automation ). The idea is to answer some questions and the Wahl-O-Mat tells you for which party you should vote.
Let's extend this idea and make a thought experiment. Imagine the questions and the answers would be tended / adjusted over time (like a profile on a dating site). The rules how the voting suggestion is computed are straight forward ( a weighted sum or something ). If a new controverse question arises then people adjust their voting-profile according to their beliefs (or if it doesn't matter to them they don't). If the profiles are public then the outcome of the next elections can be predicted easily. Best next thing to direct democracy.
Whatever your political affiliations may be, these are grounds for r/pcm level unity.
Think of all the bills you don't understand that are just as bad!
They want control over majority. Nothing else. Any legal business will be required to do what law requires them and it will affect every citizen.
I have no hope given the stupidity of my country to do something against acts like  personal data protection law or the decryption act. US going towards that road only means it's easier to justify our country and many others to go even higher. Soon a mandatory camera inside house for legal citizen.
Of course then they'll probably legally attack the open source model.
As would EU, South American and Asian businesses, they would VPN to another continent VPN to finally have nested encryption for key stakeholders communication.
The decentralized services won't be able to provide as smooth a service as the centralized ones, if for no other reason than network effects. Most people don't really care about end to end encryption. What percentage of WhatsApp users or Apple Messages users will quit the service if Facebook or Apple dropped end to end encryption. It will be pretty close to 0%. Thus what you will have is that the majority of people on the decentralized services are there because they are doing shady stuff. Thus the decentralized services will become hives of scams, dick pics, terrorists, child porn, alt right, etc. After a while, even being on one of those services will be seen as suspicious.
General Alexander was very precise in his choice of words when he repeatedly stated "in the United States". What went unasked was whether these operations take-place against U.S. citizens outside of the borders of the United States.
So long as the courts entertain the loophole, it's more accurate to say that searches do not require a warrant than to say that they do.
Why not use a 1st Amendment approach? Doesn't my freedom to speak also cover the "language" (i.e. encrypted bits) I'm using?
Like why are you making it the mailman's problem?
The idea behind strong (especially E2E) encryption is that even with a warrant, the information in question is entirely inaccessible.
Encryption is still a different idea from warrantless searches though.
With a warrant, law enforcement is permitted to search a safe containing written records of a conversation; why shouldn't they be allowed to search an encrypted consumer electronic device containing the same?
IANAL, but as far as I know, if the police can't physically break into your safe, there is nothing saying that they have any legal recourse to compel you to open it. Why should encrypted data be any different? Any why should it be the responsibility of the manufacturer/service provider to supply law enforcement with a key? The government can always pass a law allowing law enforcement to legally require you to unlock your device, but that is not what they are doing.
I'm not sure, to be honest, but I think it's certainly a reasonable position to take.
> IANAL, but as far as I know, if the police can't physically break into your safe, there is nothing saying that they have any legal recourse to compel you to open it.
If it can be established that the safe is yours and that you possess the key or know the combination, I believe a court can indeed order you to open it or to produce the contents, punishable by contempt of court.
> Any why should it be the responsibility of the manufacturer/service provider to supply law enforcement with a key?
Because the state has a compelling public interest in ensuring that law enforcement can successfully execute lawful search warrants. The existence of indestructible safes would constitute a significant impediment to achieving that goal, so manufacturers of such safes have the responsibility of ensuring that law enforcement can access them.
I don't necessarily agree with that argument, but I don't think it's unreasonable.
I got curious about this, so I did some quick research. Again, IANAL, but my understanding is that, in the US, the court can order you to give up the physical key (if it is determined that you have it) but not the combination. The latter is protected by the Fifth Amendment right against self incrimination, in the same way as sharing knowledge verbally. So then the question becomes, is an encryption key (or passcode, etc) more like a physical key, or a combination? If the former, then you would be legally compelled to decrypt it if law enforcement asked you to do so. If the latter, however, then there is no legal way for law enforcement to force you to decrypt the device.
The legal framework for deciding how to handle encrypted data already exists, it's just ambiguous. Instead of passing a law that completely changes the scope and usefulness of encryption, doesn't it make much more sense to simply disambiguate and update existing laws accordingly? I don't know the full repercussions of that, but it seems that there exist less drastic solutions to the problem.
> I don't necessarily agree with that argument, but I don't think it's unreasonable.
I think it is unreasonable because it's asking companies to willfully violate their user's privacy and trust, and to severely undermine encryption as a whole. There is zero chance that this does not get abused.
Not exactly. Yes, revealing the combination requires the person to implicitly admit that they know the what the combination is. But if the government can prove that they already know this "testimony" -- which they can in most cases -- then the "foregone conclusion" doctrine applies and the 5th Amendment privilege cannot be asserted. See, for example, the Massachusetts Supreme Court's decision in Commonwealth v. Jones. 
There is also conflicting 11th Circuit precedent that further requires the government to establish with "reasonable particularity" what is on the encrypted device.  In my opinion this is not correct; the contents of the drive have nothing to do with the testimonial value of the combination. In any event, this issue will eventually need to be resolved at the Supreme Court.
> I think it is unreasonable because it's asking companies to willfully violate their user's privacy and trust, and to severely undermine encryption as a whole. There is zero chance that this does not get abused.
I don't see how it violates user privacy or trust. In general, you don't have the right to keep records secure from law enforcement if they have a warrant. If this law is passed, these companies should simply disclose to their customers that they will provide law enforcement with the means to decrypt their data, as many already do.
I also don't see how it severely undermines encryption. Yes, end-to-end encryption is more secure, but it's not the industry norm. Security is relative, but I wouldn't call Gmail "insecure" just because Google allows law enforcement to read emails with a warrant.
That's fascinating, thank you for sharing! That helps make my point, though, that the legal framework for handling encryption already exists and just needs to be clarified a little bit, instead of making new, far-reaching laws with serious implications on the landscape.
> I don't see how it violates user privacy or trust. In general, you don't have the right to keep records secure from law enforcement if they have a warrant. If this law is passed, these companies should simply disclose to their customers that they will provide law enforcement with the means to decrypt their data, as many already do.
It will get abused. Just like wire tapping got abused, just like NSA surveillance got abused. Furthermore, having a master key floating around means that at some point, inevitably, a foreign government or organization will get ahold of it. If this were implemented correctly—over a special, secure channel that only law enforcement could access (with a warrant!)—that would be mostly harmless, but I simply don't trust our government and businesses to implement anything correctly that has to do with the privacy and security of user data. There have simply been too many previous violations.
> I also don't see how it severely undermines encryption. Yes, end-to-end encryption is more secure, but it's not the industry norm. Security is relative, but I wouldn't call Gmail "insecure" just because Google allows law enforcement to read emails with a warrant.
But the issue with bills like the EARN IT Act is that they make end-to-end encryption completely infeasible for any company to implement. That's the problem: you can't even have E2EE in the first place if it passes, because it conflicts with the requirement to allow law enforcement to be able to read messages.
I think this can be a reasonable argument, but it depends on whether criminal suspects generally comply with decryption orders. If most don't, then it is understandable that the government also wants the keys to reside with parties that almost certainly will comply: OEMs and service providers.
> It will get abused. Just like wire tapping got abused, just like NSA surveillance got abused.
Yes, warrants get abused, but they're necessary for the criminal justice system to function.
I think we need to be careful not to conflate this issue with warrantless surveillance, which is a different beast.
> Furthermore, having a master key floating around means that at some point, inevitably, a foreign government or organization will get ahold of it.
I don't see why this is necessarily true, and many Internet services are premised on it not being true. HTTPS requires that you trust the ability of CAs to keep their master keys secret. Gmail and Outlook require that you trust that Google and Microsoft will keep their master keys secret.
> But the issue with bills like the EARN IT Act is that they make end-to-end encryption completely infeasible for any company to implement.
I realize that. My point was that there's an argument to be made that in practice, most people don't use E2EE or even need it in the first place.
E2EE is probably necessary in certain cases -- for example, if you're a dissident in an authoritarian regime. But that doesn't mean it needs to come standard on every iPhone.
To be honest, I'm undecided on this issue. Maybe the security benefits of standard E2EE are worth making it more difficult for law enforcement to execute lawful search warrants. But to me the answer isn't obvious.
Right now China is engaging in textbook "secret war" with Hong Kong as well as a variety of other human rights abuses. It used to be that we, the U.S., could speak up, and have dozens of allies rush to our side on the principle that we are to be trusted. Consider how shoddy the evidence for justifying Iraq was, and the fact that most countries still chose to send their troops with ours. Our word used to mean something.
But now? How can we hold a higher ground than China when our own police forces use the very same tactics against our own protesters? How can we accuse the other side of building concentration camps when we have our own?
Backdooring encryption is just another attack on our basic freedoms. It is crazy that at a time we should be touting our values as proof they are objectively better compared to our competitors', we are also trying to take them apart and bring us down to the same level as our competitors. It's like a vast cargo ship encountering a dinghy, and the captain tells the dinghy "you need to change your construction materials, you're shooting yourself in the foot by making poor choices" while his crewmen are hard at work drilling holes into the windows below deck.
But we’ve had things like this for a long time. The police have acted like they do for generations, we had concentration camps for Japanese people during World War II, and we’ve always done a variety of other reprehensible things (propping up brutal dictators, destroying native civilizations, institutional racism of every possible flavor.) Frankly, I’m shocked that our word ever meant something.
Internet was a tool that allowed all sides to be equally heard (the fact that it was abused to disseminate fake news supports that claim even more), so only now it's too obvious what's going on.
Oh, and other governments and organizations are catching up quickly with the same practice.
I study WW2, and it's important to be factual.
The correct term is internment camps. Japanese-Americans usually lost their property, but the purpose was to locate them in central locations, not to re-educate or liquidate them, as our enemies did to the Allies.
For that time in history, it could be argued that the decision made sense. Japanese subs did shell the US mainland, and Japanese-Americans in Hawaii did help a Japanese aircrew try to escape after Pearl Harbor. Japan planned to return to Hawaii after Midway to occupy Hawaii.
I think using the term "moral high ground" is not helpful for a number of reasons. However, the US did rebuild the world economy after WW2, mostly to prevent it from becoming aligned with the Soviet Union. Most of the world's national borders are descended from WW2.
As leading historian Dr. Victor Davis Hanson says, "[WW2 was German and Japanese soldiers machine-gunning unarmed civilians by the tens of millions.]"
There were separate death camps (sometimes combined) that involved direct train-to-killing-field pipelines, and most concentration camps involved work in horrible conditions, but that's because of further goals above relocation.
We have a nasty habit of creating scenarios where death is an inevitable consequence without it being the official policy.
This could be investigated further; was the average length of imprisonment less than a year, were the causes of death different than in the larger population, did economic conditions and racism increase the base death rate among Japanese-Americans in the first place, was the age distribution different among those the US bothered to move to camps, pushing their base rate lower?
Evidently people died because of these camps, and it is incredibly likely that many of those deaths were racist hate crimes committed by US employees on US citizens. Even that aside, it was very much wrong it imprison innocent civilians on the basis of their race. 'Thousands died' does seem like a substantial overstatement when the only number I can find is less than 2,000 (it's from the US, so it may be biased). Probably a few hundred died as a result of these camps, mostly from disease.
 - https://www.npr.org/sections/codeswitch/2017/02/21/516277507...
I'm not pedantically quibbling over whether it was 1980 or 2000 who died. I'm saying that if you took a random sample of 120,000 people at the beginning of 1943 and checked back at the end, 1,300-1,400 would have died. That leave hundreds, not thousands, who died in internment that wouldn't have died otherwise. These are arguable numbers, as I stated above, but they have more substance than I think you're implying.
Additionally, the US invested considerable resources into keeping these people alive. There were on-site hospitals, and not like the ones in Auschwitz where people were held until they died. These camps shouldn't have existed, but they were completely different animals from death camps and are not just a step away.
I’d be interested to know how many of the 120k were released. And of those who died, who many died “on parole.”
During the Gulf War (1992) the UK interned Iraqi citizens in the UK, just as they did with German citizens in WWII.
That was not a step away from mass murder.
This is the same rhetorical slight-of-hand people use to ignore Guantanamo. One tends to learn more about the speaker than the topic.
The problem is that these words have taken on entirely different meanings that perhaps what they once meant and there are those who take advantage of that disparity. When people hear about concentration camps, they think death camps, even if that isn't specifically what the word once meant.
There are many such ways to twist words like this and rarely do I find them being used for positive reasons. It is like when someone lists all the large name chemicals in a vaccine. They might be factually correct, but what is the chance they are doing that to scare people who have a misunderstanding of chemicals thinking that large name means harmful chemical?
It doesn't change the part where concentration camps were modeled after British and US approaches of dealing with "undesirables"
As a classicist he's tolerable, if no more than that; in any century where the years count up instead of down, the man seems entirely at sea.
The U.S. had a global nuclear monopoly for several years. It didn’t abuse it. That’s a hell of a high ground.
Using a new weapon to end an existing war is one thing. Using a new weapon to start new wars is another. That delineation is independent of one's judgement of the weapon per se. They're both bad. But one is worse than the other.
The U.S. had the opportunity to go on a mission of global military conquest. There was military support for nuclear war with Russia and China. The United States didn't do that, and I think that's a unique and admirable trait.
Yes, using nukes defensively is less bad than using it to start a war. That doesn’t mean I support the use of nukes.
WWII was unique in starting with no nukes and ending with them. We also didn't yet understand the long-term ramifications of the weapon's use.
After the failure of the Treaty of Versailles at the end of of WW1, resulting in WW2, the Allies learned that unconditional surrender was needed to prevent future wars.
The Japanese military command preferred that their troops never surrender.
So the 2 options the US had were:
1) Curtis LeMay would use 10,000 bombers to napalm those cities, and every last village in Japan.
2) Use 2 nuclear weapons and demand a surrender. The military commanders in Washington debated the ethics of using such weapons, so this wasn't done lightly.
Having studied this over a period of years, #2 makes the most sense to me.
And Japan and the Soviet Union had been at each others throats since before there was a Soviet Union and Japan thumped the tsar.
I am sure Japan did not want to surrender under a Soviet flag that was looking for 50 years of retribution.
In a strange way it was an American coup to get peace signed before Russia started stripping the place down to the bone.
It could also be argued that it made sense to do the same for Germans since we had a minority of Germans siding with Hitler and even holding Nazi rallies before we got involved in WWII. We weren't exactly good arbiters of fairness when it came to race either.
Note that in Hawaii, Japanese-Americans were a significant portion of the local population, about one-third. Of the 150k+ Japanese-Americans living in Hawaii, only 1,200 to 1,800, or about 1%, were interned. On the mainland US where they were a smaller portion of the population, far more Japanese Americans were interned. This discrepancy probably comes down to a matter of practicality again; one third of the population is just too many to intern.
Anti-German sentiment was certainly present in America and the UK during the world wars. In response to Anti-German sentiment, the British royal family anglicized their name during WWI, changing it from House of Saxe-Coburg and Gotha to House of Windsor. In America, German Americans largely stopped speaking German in public (German was the second most common language in America and was spoken particularly often in Pennsylvania, remnants of which can still be seen today in "Pennsylvanian Dutch" culture.) However, treating German Americans as severely as Japanese Americans were treated, at least on the mainland, was probably too impractical to be considered.
It's called having protestors in the first place. China wouldn't let you hear about it, or all you get is distorted information, which means you don't know what's going on in their society.
> They absolutely are allowed.
So you and I can go to tiananmen square tomorrow for a healthy protest and drum circle?
Ie “It would be a shame if something were to happen to your business model here.”
r/pcm has been a rare instance of unity, blunt kindness, and understanding in these times, and I greatly appreciate it.
Feinstein, Burr, and others like them haven't been champions of mass surveillance powers extensions for the past 20 years out of "ignorance". They know exactly what they're doing.
I still remember a video from the Senate floor showing how ruthlessly and in bad faith Feinstein argued FOR FISA 702 extension back in 2012 using lazy fearmongering about terrorists - the same kind of bad faith fearmongering used to allow the Iraq war, etc.
It boggles my mind that Feinstein has remained a senator for so long in California, but I suspect it may have something to do with the electronic voting machines there. I mean, you could say she has more than enough friends that could help her out with that, especially if she continues doing what she's been doing in the Senate.
I'm curious to know if anyone has any insight from the inside: do the particular congresscritters drafting these bills genuinely not understand the damage that would be done if this sort of drivel passed into law, or do they just not care?
do you really think that the DHS will just break its own encryption because of some laws?
There is no doubt they are using some bigco vpn or other software that can/will eventually be compromised.
Using Ed Snowden’s autobiography as a point of reference, I’d say the IS agencies have probably 25% of the staff or higher as contractors, so definitely heavy use.
Consider a foreign adversary with the ability to break encryption used by banks, credit card companies, large retail facilities, hospitals, etc.
There are a few things that seem tempting-- think "steal from the banks", but a lot of that is unlikely to work, anyway. Banks and wire transfer systems have auditing and verification measures in place that would make it difficult to pull this off successfully. Credit card companies and retailers would have a serious issue with reissuing cards, etc.
What would turn things upside-down is the LOSS OF FAITH in these systems and the economic, social, and practical effects. The Russians would be all to happy to exploit this.
Suppose somebody recovers the necessary keys to send out fake-but-authenticated buy/sell orders on the NYSE, NASDAQ, or even commodities exchanges, with the specific intent of causing havoc with algorithmic trading, and causes a crash.
Suppose somebody is able to break into JP Morgan Chase and reveal private records, transfer information, and the session keys used to decrypt them.
Suppose somebody is able to modify a single prescription in West Bumfuck, Georgia, cause their death, and show off that they can do it again.
In all of these cases, you would see an immediate collapse of trust in important institutions. If the attackers make clear that their ability to fuck things up is the result of backdoored crypto, there would likely be spillover from one institution to the others-- "I can't even trust my pharmacy; how the hell can I trust my bank?!"
That collapse of trust would result in severe, immediate, and possibly unrecoverable damage to entire industries. That would likely destroy a lot of wealth as stocks take a giant shit.
Could somebody DO that? With backdoored cryptio, I'd say it's likely, even inevitable. Backdoored crypto either has to have a mathematical weakness inserted somewhere into the algorithm itself (in which case I would expect adversarial equivalents of the NSA to hire fucktons of mathematicians and tell them find and exploit said backdoor), or you have to do some form of key escrow (in which case the master keys used to protect session keys will be SUPER high priority for attack, including technical attacks and the famous "give the right disgruntled IT worker a bunch of money" attack).
Strong, un-tampered-with encryption is SERIOUSLY vital for national security.
Yes, some companies already have issues with this due to shit security practice, but those can be treated as isolated incidents. If it becomes clear that EVERYBODY is fucked, I would expect to see the market crash worse than it has during the pandemic.
EARN-IT is NOT OKAY by a long shot, but as others have pointed out, this is an attempt to make EARN-IT look like a responsible, reasonable compromise. It isn't a reasonable compromise, but Congress is basically a giant bag of assholes, s we're probably screwed.
1. Most congresspersons don't even read what they are voting on.
2. Most congresspersons don't even write the bills that have their name on them, most of that work being done by staffers in collusion with K-street or the MICC.
3. If a congressperson reads it and doesn't like it, K-street/MICC is likely to put real pressure on them to change their stance. If they are a freshman in any way they will be threatened with all kinds of isolation in future if the bill is important enough.
4. When it comes to intelligence level stuff, many of them will be told in executive session about dubious national security reasoning, designed to cow them.
5. The people who fund their campaign cycles will be used to threaten their position.
6. If all of the above fail, it' is possible some form that Epstein -alike blackmail or bribery operations (that probably already got said congressperson in the past) will be subtly mentioned.
Only an extremely rare minority have the guts to stand up to any single instance of the above, much less all of the above. Congress doesn't represent it's constituents, it just pretends it does to get elected. Ever try to get a meeting with one? Unless you just donated 5k+, good luck.
The worst of the tactics are deployed rarely and only for the most "important" bills, and only against the more powerful positions. For example: on October 2, 2001, the patriot act is introduced. It is opposed by senators Tom Daschle and Patrick Leahy. They both come out publicly against the bill October 6th. Sometime shortly after, anthrax letters were mailed to them both, being the most deadly version of anthrax thus far sent... by October 25th, only one person voted nay against the patriot act...
What a load of bs.
Because those tech-freaks always find a way right? Innovation will simply appear without any doing on our part. We can just create non-sense bills and laws and they will make it work. They will magically find a way.
These imbeciles do not even understand the simplest things about encryption, but want to make laws for it. Ridiculous. I would laugh right now, if it was not such a serious issue.
Well, I am not in the US, but it will affect people world wide, who use services hosted in the US and next things happening EU comes around the corner with an equally stupid idea and it will hit me directly. Time for EFF again to save this world from idiotic leadership. You have my support.
Companies have been sued for using weak encryption (cough plaintext passwords).
As an aside: does that mean US DoD will get a back door as well? As a secure provider with over 1M users that required encryption at rest and in transit I think they should be the first to give up the keys to law enforcement.
I know they would legally require a warrant to read them, maybe, but he’d have the access without it. Not a fun thought to go back to Hoover-style DoJ practices.
That would fix it.
I do not vote for candidates who I am not informed about, but many people do. Those uninformed votes just drown out the voice of the informed voters and reinforce the party-line tribalism that seems to be slowly taking over the nation. In an ideal world, I would be informed about the issues surrounding all of the offices for whom I'm asked to vote. Unfortunately, I simply do not have time to concern myself with more than a handful of offices.
I've always been a fan of general election ballots showing names, in a randomized order, with no reference to party.
Not sure if it makes a difference in the end but it's cool to know who's claiming they represent you.
Bill Pascrell almost certainly remembers where he was as a kid when he found out Hitler had been killed lol. Are you kidding me?
Everyone complains about how politicians behave, but the truth is that they won't vote for you unless you behave like a politician. Voters are just as two-faced as the representatives they complain about.
From the perspective of these lawmakers, encrypted storage is like a safe. You have the right to store records in a safe to keep them away from prying eyes, but law enforcement has the right to order you to unlock that safe if they have a warrant. You have the same right to store those same records on an encrypted device, but law enforcement has the same right to order you to decrypt that device if they have a warrant.
Since people will sometimes refuse to decrypt a device, even when ordered to do so by a court, these lawmakers want to require OEMs and service providers to maintain control of the keys when they encrypt information on a user's behalf so as to increase the chances that lawful decryption can take place.
Is this a bad policy? Quite possibly. It has certain risks and makes certain tradeoffs, like any other policy. But it is arrogant to assume that anyone who supports it must be ignorant of how encryption works.
Remember "a series of tubes" memes long predating youtube or its many pornographic not-quite-competitors?
It may map to better understanding but it is still ignorant as somebody software proposing applying computer antivirus software style scanning to infectious disease gene scanning of all micro-organisms in the body.
Even if the metaphor is technically correct in some aspects (the microbes being unauthorized executables in a space) the differences are substantial enough that it cannot be called anything but ignorant by those in the know who would point out precisely the current limitations and theoretical impossibilities like "we can't read cell DNA without destroying them currently". In the case of the safe analogy it is essentially impossible for someone to wind up ordered to open a random piece of garbage that is indistinguishable from a safe. Unlike with encryption.
If you can point to specific precedent that would be helpful.
In the case of my digital data that might be stored on google (or some other third party) I may never know that the government asked google to decrypt my data for them. In the past companies have done so without a warrant.
Maybe the contents of this bill does not work this way. I don't know.
No it's not. Because your analogy is, excuse the term, utter bullshit. Producing a safe requires an expert. A government could actually try to force all producers to give them a second key or some backdoor. Producing an encrypted messages requires software. Government has no chance in hell to restrict the distribution of "illegal software". Everyone who supports that narrative is stupid. Period.
Government officials aren't stupid in general, though. So why do they support the fight against encryption? Because they want to read the messages of average Joe, not the messages of Don Heroin or Sheik Al Explosive. They want to know where the next BLM gathering will be, or where the documents about city council corruption leak.
It's funny how you can read just that and know that the bill is going to be absurdly bad. Not even just bad in the philosophical/political sense but actually just bad as in not understanding the problem space, or not even formulated clearly or coherently.
There's plenty of D's who just love to come up with bills that make citizens more vulnerable to the government.
Sometimes I think the USA should have it's own history A/B compared against it's own history as recorded by the rest of the world.
Not saying it's Tiananmen level yet, but it seems some people haven't read their own history.
Disclaimer: I live in NSW, Australia. Some evil stuff happened here that is rarely acknowledged.
It's harder to fit that crap into something short and sweet enough for history textbooks so you don't hear about it whereas simple skin tone based discrimination in the south is easy to make a bullet point out of so everyone knows about it.
...and the rest of the states...
If your voting base prefers the blood of christ over a facemask to protect from coronavirus, you probably aren't writing bills based on, uh, informed analysis of relevant data.
(Just saw an opportunity for a joke and took it)
I same ways, I prefer the Republican approach because they're more honest about how they want to screw you so it's easier argue and fight back against.
She votes according to Trump’s recommendations more than any other democrat, and more than many republicans.
Her history of supporting right wing causes and overt corruption spans many decades.
As a California Democrat, her position has been unassailable most of her career. I suspect getting rid of her was a motivation for open primaries.
Californians, please stop voting for her!
Yes. I call her Senator Hollywood. That's the only constituency she really represents. She's been on the wrong side of all tech related bills over her entire career. EARN-IT is simply the latest one in that list.
The problem is, there is no definition of the word “privacy” in the context of “right to privacy” that a majority can agree on. I highly doubt even the niche audience of HN could agree on what they feel is private or not. I think the EU took a decent shortcut around that debate with “right to be forgotten”.
I thought of UI toolkits as just niceties until recently. Now I realize that being able to make something pretty with good usability is power.
Answer: according to the article "any device that has more than a gigabyte of storage and sells more than a million units a year could have to build a government-required backdoor if it is subject to five warrants or other requests, as would any operating system or communication system with more than a million active users."
First, anything that has more than a gig of memory and sells over a million units must be engineered according to the government's whims. That is pretty much ANYTHING useful nowadays. Hardware will now spy on you. And even though there is old hardware, and theoretically zero-trust programming techniques out there, that won't matter because:
They will go after open-source projects.
Any single method alone wouldn't work, but if pushed all at once, they could smother us. File lawsuits against and harass not just maintainers, but contributors and possibly even users; force registrars to de-register domains, and search engines to forget links; have ISP's stop allowing Tor connections, or possibly even implement whitelists of all websites instead of blacklists of "bad" ones.
Without secure computers, in today's world, there is no organized protest; there is no organized opposition; there is no truly effectual dissent, because the other side can see all and end it before it becomes an issue. And even then... gestures wildly.
Constitutionality means jack without both belief and enforcement. We have neither; a public split and jaded, and a government empowered in the worst possible way. And even if this doesn't pass - and that is a horrifyingly small if - the very fact that this is even being proposed is evidence that the battle is close to being lost completely. There is no second chance in this chase, and we are going to trip and fall eventually.
Though hope may be lost for us, may we retain hope that our descendants are at least somewhat at peace with the world we have given them.
That means a possible end to a whole range of international agreements and treaties, and a fragmented world where anything is possible, somewhere, now that there is no chance of global consensus about anything at all. I'm waiting patiently for the international consensus for protection of "intellectual property" to break down. Plenty of countries take a net loss from it, and without the carrot of access to international trade systems like the WTO, if such are discontinued, they won't have an incentive to continue with it.
All lawsuits are in the jurisdiction of X Tribunal, situated in Switzerland or another privacy-friendly country?
Anyway, as a Canadian, one of my key takeaways from watching it is that it doesn’t matter what country you’re in, nor your nationality, nor the nation where you’re committing crimes; if the FBI or similar large agency decides to target you, you’re going to at a minimum have a really bad time, and very potentially end up getting a free trip to the US to spend time in jail, even if you’ve never stepped foot in the country before.
The show has this “look at how far we’re willing to go to keep America safe!” vibe to it, but as an outsider I found it pretty horrifying.
Smaller just don't have to do it proactive, but can be required to do it later.
> the Attorney General can simply command it to build one, using what’s called an “assistance capability directive.” (If it does already have that capability, the AG can use the directive to command it to maintain it.) That isn’t limited to the million-plus club; any provider can be served with such a directive. That is, the “big” providers have to proactively design for decryptability, and the “little guys” with less than a million U.S. users better gird their loins
In addition, there is already a lot going on in the country to keep the average person from focusing on this issue. It seems like allowing the government to spy on everyone is a pretty bipartisan agenda.
Putin jailing and murdering his political opposition, Chinese concentration camps for muslims - why do so many people assume it can’t happen here? Nazi germany wasnt some backwater nation, it was a strong, extremely cultured, advanced nation that was going through some very hard times. Germans didn’t like what happened - there were countless assassination attempts against hitler, but it was just eventually too late
It _is_ happening already, and despite the few vocal people talking about it the news cycle is spinning so fast that it goes out of the discussion in a matter of days and people seem to forget it.
Is that actually the assumption? I'm pretty sure everyone already assumes that the government already has all of your messages, browsing history, transactions, etc, and they can come for you if they want.
Between the massive surveillance state that already exists and the judicial miracle of "parallel construction", it's already very much a problem. The only thing left to do is scale up.
Telescreens, watched by "AI".
They can arrest you on trumped up charges, but it's not really feasible to do that to everybody, and extreme heavy-handedness promotes resistance.
Once they reach inside your device, they don't have to murder or imprison you, they can just give you a little slap whenever you try to stray from the garden path. Let you know that they're watching so they don't even have to censor you, and can claim that they don't, because you censor yourself.
Crimethink. Doubleplus ungood.
No, but I would imagine there would soon be some way of removing your liberty and keep you under house arrest for a set period. Imagine if they made sure your banking and cards were frozen for the period to stop you going anywhere...
(On the sibling thread: by my calculation at most 13% of the 1984 society had telescreens, so at roughly 60% global internet usage we're well ahead of Orwell for staring into Palantirs.
Someone in the non-aligned movement ought to produce networking gear, so we aren't necessarily beholden to suppliers approved by one of the two largest economies. Then again, seeing what happened to the former "leader of the third world" after the Cold War, maybe it's best not to draw attention to oneself in that way. "None of you has ever seen a dead donkey.")
 China, US, would you all please reflect that "one to embody power the other to crave it" is a philosophy attributed to the "bad guys" in that particular mythos?
That myth has to die - there was no real opposition against Hitler for as long as he was successful. He was probably the most popular political leader of all the time. German people did not have a problem with his hatred against Jews, on the contrary, that's what gave him his popularity. It never was "Bad Nazis vs Good Germans" - Nazis and Germans were one and the same.
Yes, initially, in 1933 Nazis did slauther some of their political opponents, but for the years after that they really didn't need to terrorize the nation. Gestapo in 1937 was just 7000 people, inlcuding secretaries and other support stuff, and that was enough to keep 60 million nation in check. Compare that to 200k members of STASI in communist East Germany after war.
As for assasination attempts - if you look at Wikipedia list  you'll notice two things:
1. Most of them are pathetic, with zero chance of succeeding
2. None of them are attempted by common "good Germans" - some are by members of competing radical groups, some by citizens of countries conquered by Hitler, then, starting in 1940s there are attempts by generals that realize Germany is going to lose the war.
Worth noting that their first major win was in response to the stock market crash, but his popularity really only soared after they took power and imposed censorship.
Free speech not such a virtue in Nazi Germany. Much easier to be popular when nobody is allowed to say anything against you.
If you weren't, as americans would say, a "commie"? You felt like you won.
- drug dealers,
- organized crime.
Have a target "thing" you wish to stop, yet lack any moral, or practical reasons for doing so?
1. Pick a fear common to lots of people, something that will evoke a gut reaction: terrorists, pedophiles, serial killers.
2. Scream loudly to the media that "thing" is being used by perpetrators. (Don't worry if this is true, or common to all other things, or less common with "thing" than with other long established systems—payphones, paper mail, private hotel rooms, lack of bugs in all houses etc.)
3. Say that the only way to stop perpetrators is to close down "thing", or to regulate it to death, or to have laws forcing en masse tapability of all private communications on "thing". Don't worry if communicating on "thing" is a constitutionally protected right, if you have done a good job in choosing and publicising the horsemen in 2, no one will notice, they will be too busy clamouring for you to save them from the supposed evils.
That said, I don't think it would end encryption though, since it is out of the hands of governments. Of course a lot of traffic will be compromised still and it would grant access to large data hoarders.
edit: Of course that also means that Apple and MS OS aren't safe anymore.
Effectively the solution has been an effective hard split into two companies one for each set of laws. They certainly have to sever monetary and organizational ties to not locally be engaged in conspiracy. Without coordination or assistance they have no responsibility to tbeir illegal twin abroad.
They do what they can get away with locally and relying upon their counterpart's enforcement failures abroad. It may be illegal but if they are in another superpower's territory entirely they are protected. Being fully lawful to both at once was precluded so they effectively become mirror universe versions of themselves lawful in one and scofflaw in the other.
Other less shady alternative approaches include withdrawing from one superpower and shifting their business entirely or simply deciding to dissolve themselves entirely and distribute their assets to the shareholders.
Clowns trying to "regulate" things they don't understand without seeking expert advices beyond their narrow lobbyists.
AFAIK, that's done already. You won't move further by technical decisions.
Here in the USA we are literally governed by the folks who show up.
If you are using a web browser for a typical online service any backdoor is less concerning than simply going straight to the service provider where all things converge. If a web browser is used in a serverless context, just for localhost user interaction, it can rely on other aspects of the OS to transmit data thereby circumventing any browser backdoor.
Let's skip the denial stage. This is not a technical problem, it's a political problem and needs political solutions. Whatever technical solution you come up with will simply be made illegal if anyone but the nerdy 0.0001% will end up using it.
We are rushing full speed towards a police state. We have to stop.
But that never happened with BitTorrent. Conversely, industry gradually stopped caring about pursuits of IP violators. While this is ultimately a political problem it will only be practiced where it’s enforceable like all other political problems.
Building a company in the US becomes an untenable legal and security risk as if you don't backdoor yourself you'll be liable but if you backdoor yourself and competitors or spies or journalists get the keys, I'm pretty sure you can't ask the US government to pay back the financial or PR losses (which is actually something you can do in Switzerland for privacy-related issues)
And hey, why didn't you say "but that never happened to encryption"? Because it's about to happen in the US? Because it happened in Australia already?
You think a government that is seriously considering such bills will "gradually stop caring" about assaulting constitutional protections by banning effective encryption? If you haven't noticed, we're moving in the opposite direction, and not very gradually I might add.
Over the years, I’ve watched most of my conservative friends defect to the democrats as the Republican party morphed from “small (but efficient) government” to starting the War on Science and War on the Climate, not to mention all the useless wars against the Middle East, etc.
At the same time, the Democratic party also veered to the right, and I’ve watched my liberal friends (and now, some of those conservative defectors) move to the progressive part of the democratic party.
It’s not that people’s opinions have changed, it’s that the parties have sold out their core values to appease big donors.
Prior generations in the US became more conservative as they aged. I don’t see that happening with my generation. Between that and demographic shifts, the Republican party is representing a rapidly shrinking minority of the population. I just wish the senate wasn’t so skewed toward conservative states and against city dwellers. 42 votes are controlled by a group of people the size of California.
Worse, the senate gets to appoint federal judges, so a minority of the US is electing the people that have exclusive control over court appointments (they simply refuse to appoint judges when there is a Democrat in the white house) and they’ve packed them with radicals.
Haha no. They both suck. It's only politically convient
> the Democratic party also veered to the right
I think you mean the left have veered radically more to the left.
> I just wish the senate wasn’t so skewed toward conservative states and against city dwellers.
As designed. Really we should go to the way it was supposed to be with the state legislatures choosing senators.
> hey simply refuse to appoint judges when there is a Democrat in the white house
The democrats will do exactly the same in the reverse situation.
Where is it?
There are over a dozen congressional candidates today (all on the R side AFAIK) who espouse or at least dog whistle to the Qanon cult.
Imagine if PETA, Earth First!, and the most unreasonable histrionic "social justice warrior" types took over the Democratic Party. That's where the Republican Party is going if it isn't there already.
Where's Eisenhower or even Reagan?
The letter I sent to my senators is as follows:
I care deeply about the safety and security of my fellow Americans. I understand the challenges that strong encryption poses for law enforcement. I don’t want the terrorists and pederasts to win.
Yet, I strongly oppose Senate bill 4051, LAEDA. Consider giving a copy of your house keys the police just in case they need to come in without you knowing. Boy, I hope no one ever decides to steal all those keys at once. I hope no one guarding the keys ever develops an opioid addiction and decides to sell just a few keys. I hope China and Russia don’t get curious about what you are discussing with your colleagues and decide it would just be easiest to raid the key pantry.
Meanwhile, the real bad guys will just continue using existing, strong crypto. When crypto is outlawed, only outlaws will have crypto. As a strong supporter of the 2nd Amendment, you understand that it is every person’s right to defend themselves against the evil forces in the world as well as protect against a potentially tyrannical government. Just because some criminals use guns for evil doesn’t mean we should curtail the rights of the majority who uses them for lawful defense.
Please don’t be fooled that LAED or EARNIT leave strong crypto intact until a warrant is issued. No. These acts force everyone, law abiding or not, to install a trigger lock the government can switch on remotely. Do we really trust the next administration not abuse that right? Do we really trust big business that much?
Personally, I prefer to stand my ground. I have done nothing wrong. I will not hand over my rights to defend myself.
> Do we really trust big business that much?
In general I trust them more than the government simply because they will never have as much power as the government.
Stop trying to take my guns...and my crypto.
The Democratic and Republican party establishments have been eroding our rights for years.
Populist libertarians (1) and progressives have been fighting it for just as long.
(1) “the government has no right to levy an income tax” types, not “the courts have no right to inconvenience my monopoly” types.
There's also third party sites, such as this one which offers email services. https://www.govtrack.us/congress/votes
It's pretty clear this bill is incompatible with the GDPR, which specifically mandates using state of the art encryption when appropriate (and a backdoored encryption is certainly NOT state of the art).
The 2 laws would be fundamentally incompatible, which means we would probably see different services based on geolocation from the big companies (GDPR applies to EU residents, not citizens, so there is no overlap), but this means small players will have to choose between EU and US or take a legal risk.
From a risk perspective, the US have an exception for under 1 million users, while the EU has nothing of the sort. Which means it would, in theory, be less risky to start in the EU, expand in the US, and when you reach the 1 million users bar, separate EU from US operations (which has obviously a lot of issues, how do you handle a user moving from one place to the other, or users interacting accross boundaries?).
Let's hope this won't be the trigger to have several continental/national "internet" instances, but this is definitely going to contribute to a split.
Also, the CLOUD ACT is already incompatible with the GPDR, so cloud vendors are already in a situation where they’re forced to decide which law to break if they receive a warrant.
Of course, if the US government starts to offer money for data, they may budge anyways. I'm fairly sure MOST data can freely be shared with the US, it's just government data and higher level company data that isn't allowed to cross the borders.
Tl;dr: For most data, the cloud vendor is basically forced to violate either the cloud act or the gpdr. The gpdr has a bunch of fuzzy carve outs for requests involving people in danger or the “public interest”. My guess is that those will be expanded over time to force the data to be handed over, regardless.
If the data isn’t “personal information” (financial records aren’t, for example), GPDR doesn’t apply and the warrant must be served.
I think this means that, because they could hypothetically receive a warrant they have to serve, the Ireland/EU intermediary (or the US company that provides them with the software/hardware) will have to backdoor the encryption.
I am not a lawyer, and I haven’t even read any of these bills. I’m just piecing together summaries. I don’t think anyone really knows how the three bills will interact in practice.
i have a right to be secure in my papers and affects.
okay, this bill emphasizes that police need a warrant, but glosses over the bit about actual security.
administrative controls aren't security. That's why we haven't outlawed locks on the front door...
Picking a lock falls into break and enter, regardless of the name of the charge.
Windows, and even walls offer little security in modern houses too! I can literally punch my way through vinyl siding, with chipboard under that, through to drywall.
False, opening or door window is sufficient for the breaking part of burglary at common law, locks.are irrelevant. If locks are relevant, it's not because of common law.
Primarily, based upon its history.
And as the legislative branch passes laws, they effect the power of, modify the scope of, or render inert many such judicial decisions.
This is why I said "many common law jurisdictions', not just 'common law'.
One vital part of common law, is intent.
A door with a lock on it? And you pick it / disable it? It is going to be exceptionally difficult to prove benign intent here.
An unlocked door? Well...
Are your friends 'breaking and entering' by opening the door and walking in? Again, intent here...
Did you knock, and "thought you heard something"? Again, intent.
There have been many court cases, but as an example, for a while, in Ontario, Canada, it was common for police to knock at the door, and simply enter saying "Oh, I knocked.. but no one heard me."
I kid you not.
But let's take a step back here, and give you an example as to why this becomes more difficult with an unlocked door.
Part of the issue here is, many houses have a covered, 'cold room' prior to the house proper. Yet, this is still part of the house. It has a roof and walls, a door. It is simply part of the house.
In many colder climates, you enter this area. This is fully expected. You're now sheltered, but it isn't heated. When the owner opens the "door proper", blowing snow and wind won't enter their house. Ergo, to knock, you must approach the "real door" of the house, inside this room, and knock.
It is also not immediately clear if the "very outside door" you are accessing, is a cold room, or the actual door of the house. How do you discover one way or the other? Why you open the door, and enter!
Intent is primary here. Entry into an unlocked house does not prove intent, as there is no 'forced entry'.
One thing ; in Canada, the police lay charges. A person need not even make a complaint, for the police to act. Nor does a person insisting that the police not charge someone, indicate this will happen! An example here ; the police discover assault of some form. They only need evidence, not willingness to 'charge'.
Now take this legal position, and assign it to people entering houses. Your friend enters your house, as he always does, without even knocking.
According to you, that's 'break and enter', yes? What differentiates here?
Why, intent of course!
Intent is primary, and a locked door creates a very strong validation of intent. An unlocked? Zero validation.
you see, I am legally allowed to blow my life's savings installing a lock that is secure - if I so choose. and if I do, I'm not legally required to resister the key with the police department... just in case they need to serve a warrant later on. nor are lock manufactures required to make the key available to police for each lock they sell.