Haha this article is fantastic and I'm only a few paragraphs in,
> The FBI has been terrific at reading statutes — including CALEA — in ways that require the rest of us to do headstands to understand what the agency is up to
I really want to hear from Obama's current tech advisors, such as Megan Smith, the current CTO of the US, or Obama himself about the discussions he had after his remarks at the keynote. I bet he had some tough conversations.
Unfortunately nobody in the press has asked this question in the White House Press Briefings which occur every day and whose transcripts [1] and videos [2] are posted online
I'd honestly say it is more important than Susan Crawford is not only a technological adviser but a professor of law.
Megan Smith is an engineer and lacks the standing [in the eyes of some people who value qualifications from an accredited University] to really argue with the president about the legality of an action like Susan can.
So, I'd say this message works better with Susan as the spokesperson regardless.
But yes, honestly, its quite embarrassing how far out on a limb both Obama and the FBI have gone to insist on this path. It is just a question of whether public opinion supports that limb at this point, honestly.
Yes I agree Crawford's JD, professorship, and experience as an internet activist lend a lot of credence to her stance.
Generally I like to think if you understand encryption and where it is used in technology, then you should be able to understand why back doors are bad for public safety and the economy. But there is still 42% of the population who thinks the DOJ is in the right. That's too many.
The facts need to be brought to the attention of the public so they can make up their own minds. And it is happening. Several public figures have already changed their positions to support Apple after learning more about the issue. Lindsey Graham and Sam Harris are two examples. Crawford's post is one more voice of reason in this debate.
About Megan Smith, I assume if the President did not feel she was qualified to advise him, then he would not have named her. We can only guess as to the conversations that are happening. We haven't had much transparency with the CTO on this issue.
What if a "terrorist" wrote some "bad words" down on a piece of paper and shredded it before/during a raid? Can the FBI require that paper shredders come with an auto re-assemble feature? What if a drug dealer keeps a coded ledger, can they go to crypto experts and compel them to work on solving it? The government has in its possession the data, the data is just not in a format the government wants so they are trying to bend the rules for themselves.
It's pretty clear that the laws need to be different for a device that goes with you everywhere and for all intents and purposes records your entire life.
I like the "extension of the brain" analogy. Where by searching your phone should be tantamount to thought policing.
I don't think that's pretty clear at all. Back when people wrote down their daily activities and most intimate thoughts in their journals, one might have argued those were an "extension of the brain." Yet, peoples' desk drawers have always been subject to search with a warrant.
No, it's more like mandating that those journals have to be written in english instead of sanskrit. The government has the authority to reasonable search and seizure, but they don't have the authority to mandate how we express ourselves in written word or data.
It's highly unlikely a fully physical key could be developed for a digital system that would have sufficient security not to be exploited by bad actors that have physical access to the device.
Given that it's likely that fully physical access is unlikely to be a necessity to make use of the backdoor. Thus it's fair to assume it could also be exploited (or used "legitimately" by law enforcement) remotely - even if it is primary intended to unlock the device they have seized it physically.
Backdoors of any description are simply impossible to implement securely.
> Thus it's fair to assume it could also be exploited remotely
When the data in question only resides on the physical device that is not a fair assumption at all.
An alternate OS that allows all 10,000 4-digit codes to be rapidly tried isn't a piece of magic that allows you to do anything you want. It has a very limited use.
Someone already covered the goes with you everywhere part but it's worth noting that a diary though very personal is something you consciously populate with thoughts that you know one day could very well be read by someone else.
A lot of the things people do on a phone they may not even be aware is leaving history and other information on the device as they use it.
You could argue they they should be better informed, but should they really? Should we expect to forever limit ourselves to only our brain for storing secret information as it's the only place held sacrosanct in the eyes of the law?
I think not. The law should change with the times. The mind/brain is expanding into the electronic world and the protections afforded to our biological brain should be extended in concert.
The law should change with the times only when technological change implicates the rationale of a rule. The rationale of the 5th amendment isn't to have a place for storing secret information. It's the uniquely pursuasive nature of confessions and the incentive to coerce them. Note that when there is no such threat, even being in your brain doesn't stop courts from getting at information. A court can compel a witness to testify, for example, so long as the testimony isn't incriminating.
Phones don't implicate the threat of coerced confessions regardless of what is on them.
But the reason for the police being able to search you in the first place is to investigate crime because of the harm it causes to society. That needs to be balanced against the harm such searches cause.
If the harm caused by searches goes up, what changes to balance that?
You're taking the law as a given and saying that society must bend because the law has been constant for many hundred years.
But that's a bug. Yes, the systems for change are rusty and those in power would rather inflict the wrong laws than allow them to change, but the point in this discussion is more than what can Apple get away with now, but what should they strive for. In that sense, what should the law be to best serve people who feel that Apple is right in creating "unhackable" phones?
You did read the part about the differences right. Did you carry that desk drawer with you everywhere? Did it record your location?
The point is about what the law should be to be useful. Not about what the law says, or can be taken to say.
The FBI plays it as if the law binds the people, but the law is the people's, and binds the FBI. We don't have to care what they like. It isn't a two-way street, or a conversation. They're employees. So's Obama.
> The point is about what the law should be to be useful.
The law creates a perfectly useful distinction. What's in your mind is in your mind. What's on inanimate objects, whether they be desk drawers or iPhones, is subject to search.
That is the current law. I'm arguing that it should be changed . Inanimate objects got a lot more advanced in the last 20 years, the law hasn't become nuanced enough to deal with this.
What does it matter that inanimate objects got more advanced? Was the original distinction ever due to the fact that inanimate objects weren't advanced?
Legally, it's not at all clear. But morally it is. Which is why secure crypto needs to be adopted far and wide. Man-made laws follow physics, not vice-versa.
The reason I don't like the safe analogy is that it is something physical, which the courts have repeatedly said is fair game. They can compel you to open a safe, they can not compel you to turn over a password. Something you have vs something you know. Which is why I also added the crypto example. The feds can not force me to decrypt my own crypto, I have 5th amendment protection against that. The 5th does not extend to something you have / are, which is why fingerprints to unlock an iphone can be compelled by the courts but they can't force you to turn over your password.
> The feds can not force me to decrypt my own crypto, I have 5th amendment protection against that.
That depends on what the gov't knows about what encrypted files you have. In the worst case, they don't need to ask you for your password, they just need you to decrypt your data.
In Re Boucher is the most famous case where the government ruled that the 5th amendment couldn't prevent the government from compelling someone to decrypt their data. On the flip side, Wikipedia has this short blurb on it's article on U.S. V Hubbell: "The Supreme Court ruled in favor of Hubbell. The Court held that the Fifth Amendment privilege against self-incrimination protects a witness from being compelled to disclose the existence of incriminating documents that the Government is unable to describe with reasonable particularity. The Court also ruled that if the witness produces such documents, pursuant to a grant of immunity, the government may not use them to prepare criminal charges against him."
Well, they can "compel" in the sense that they can demand the owner release it.
The owner can refuse and suffer the legal consequences.
In such a case, has there ever been a precedent of going to the safe manufacturer and compelling them to break into the safe? Have they ever then required all safe makers to make exploitable safes with master keys?
In the case where the safe maker has special ability to break the existing safe, there is plenty of precedent. Every application of the All Writs Act follows that analogy, including this San Bernardino case.
> They can compel you to open a safe, they can not compel you to turn over a password.
Note that they can, however, force a third party to turn over a password. The privilege against compelled testimony only applies to self-incrimination.
That's a tough analogy, because unbreakable safes aren't real and are probably impossible to make.
I prefer to look at the history of cryptography. Unbreakable cryptography isn't new. PGP is 25 years old. Classic techniques like one-time pads and book ciphers go back a very long time. Yet they never forced these things to be made insecure.
The government can listen, we can try to hide things, and they can try to un-hide them (with a warrant). Their ability to un-hide them depends on how well we do the hiding. It has always been this way, but they're not happy with it.
Unbreakable cryptography isn't real either. It's not impossible to reverse engineer a private key it's just impractical. It would require immense computing power and only yield that individual private key broken.
What the president is proposing would allow a key for law enforcement that would, presumably, work on many or all devices. Once cracked, it would give hackers access to all of those devices. This elevates risk considerably because it's no longer impractical to reverse engineer the encryption.
"If the key is truly random, is at least as long as the plaintext, is never reused in whole or in part, and is kept completely secret, then the resulting ciphertext will be impossible to decrypt or break"
That's not a great example in this case, because any useful system that incorporated OTP would have to store the really long secret keystream somewhere. That somewhere would be vulnerable to subpoena.
When that immense computing power is such that it would require turning the entire observable universe into computronium dedicated to the task, and running it for longer than the heat death of the universe, I feel comfortable calling it "unbreakable."
This debate is not about the direct ask imo, but more about the precedent that it would set and what the fbi could compel a tech company to do under the AWA. While in tech we tend to turn up our noses to the 'its always been done that way' mentality, the law takes a different approach, once you comply with the first request, it makes it harder, if not impossible to stop the subsequent requests. Which is why the fbi waited until something related to 'terrorism' to make this ask. I would be willing to be every last dollar I have in the bank that there is no useful info on that phone, and that if there were useful info, the nsa would have already had access to it.
To me, the really fun mental exercise is to identify when this would be acceptable. If there was a bomb about to go off and hypothetically the location was written on the phone, and only on the phone, would we agree that apple should break in? What if the bomb was a dirty bomb, what about a nuke? Now the slippery slope is where does that stop, a backpack bomb? Bomb making materials, texts to people about a bomb, what about a gun? What about a knife....
Honestly, it wouldn't take very much work for Apple to circumvent the lockout mechanism. It might even be possible just by commenting out a couple lines of code. The thing the FBI needs from Apple is the use of their private key.
Not with the new iOS, right? There's no Apple's private key. There's only your own private key. If you loose it - you're loosing your data and nothing can help you. I think you have a choice of backing up your keychain in iCloud. If you haven't backed it up there's nothing that Apple can do to access data - except by changing security design. If you backed it up on iCloud then I don't know - maybe the whole keychain is just protected by password, in which case they could try to brute force it or something. Not feasible if your password is too long.
Essentially there are two keys used to encrypt data on an iphone - one linked to the hardware (hardcoded and unique to each iphone, cannot be erased) and one linked to the software that's stored in NAND. After N attempts the NAND is erased and the key is lost thus all the data on the device is gone (one could try to brute force using a rainbow table style attack but at this point it's a lost cause because the amount of time it would take to decrypt the device). The NSA uses the old technique of copying this NAND to a backup and restoring it every time the device gets erased. This would give them infinite attempts at cracking the passcode with as little device meddling as possible
edit Apologies forgot to mention the passcode/fingerprint is tied into the 2 key process.
Ok, right, that makes sense. That's probably doable - making iOS being able to run auto-update when locked. Once for example. Update still needs to be signed of course.
It would probably make all crooks use long passwords for keychain, but who knows, maybe it would help in some cases.
If I'm not mistaken, the FBI wants a version of the OS that circumvents those limits and runs in RAM. Apple said it will take their team something like 2 weeks to build.
What they have to build and how long it will take them are moot points and detract from the overall argument which is can the gvt use the AWA to compel a 3rd party to create something that didn't exist before.
"What if a drug dealer keeps a coded ledger, can they go to crypto experts and compel them to work on solving it?"
This is a very interesting question, because crypto experts would love to work on a challenge like this. I am fairly certain that they would refuse if they were forced to work on it though.
What interests me about this piece is Ms. Crawford's willingness to interpret President Obama's body language and to draw conclusions from it that support her argument. As a former adviser to Obama, she has the credibility that allows her to make inferences like that.
I wonder how many of Obama's aides depend on that body language for interpreting his intent and preferences. When Obama is in a meeting with dozens of people, only a few of his most senior advisers will actually get to speak directly to him and engage with him in substantive discussion. His more junior aides likely need to rely on non-verbal cues like body language in order to determine what he really means.
(Also interesting to me is the white-labeled medium site... I was not aware that was an option.)
Unfortunately the Democratic party has been running afoul of civil liberties for decades. Especially those in or vying for the Oval Office. Have we all forgotten Clinton and Gore and all that bullshit with the Clipper Chip? Export strength encryption?
I think that's probably a big part of why the Libertarian Party has any legs at all. Large number of people feeling disenfranchised by both major parties, especially around privacy and "things that don't hurt anybody".
Surprised about the down vote, Koch brothers fund voter suppression of minorities and democratic voters, could've sworn we've had articles about this on hn.
The law is never clear. Just look at how unclear our legal system makes a very straightforward statement like "Congress shall make no law [...] abridging the freedom of speech, or of the press." Think of all the exceptions it has made to a very clear decree[1]. And think of the ways that this statement has been hijacked for use in topics like corporate personhood. No, the law is not clear. Not on this issue. Not on any issue, really.
"A telecommunications carrier shall not be responsible for decrypting, or ensuring the government’s ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication."
That seems extremely straight forward and explicitly applicable to this case.
Exactly, i read through the same sentence. I mean i understand the ideology here, but the article is a clear lie. CALEA clearly states Apple needs to decrypt in this case, there is no two ways about it. The software section is there so that government cannot tell apple to install a backdoor API of governments choosing on the iphone. Government just says decrypt and apple complies, government cannot tell apple how exactly to comply. But if apple says not possible, well government goes and says it is possible, for example like this, and apple looses. I am surprised nobody linked to CALEA before.
"Ok, no problem, you'll provide hardware, right? It will take around 9 * 10 ^ 50 years (for AES-256 as an example). Our universe exists for around 1.4 * 10 ^ 10 years so please be patient. Of course FBI can provide/pay for better hardware if they want it broken faster."
Not going to comment on the law. But "rewrite its OS" seems exaggerated. Without the source, we don't know how extensive the change might be. This might just be a matter of changing a constant and recompiling.
If Apple can't make small changes easily, they won't be able to respond to security vulnerabilities either. This is, after all, what security updates are all about.
Search warrants do not give the government the power to force you to write software, or an equivalent economic activity, against your will. There is no precedent for that in all of US history.
Well, that's partially because software is new. Again, I'm not going to claim it's legal now.
But "equivalent economic activity" seems a bit weak. A butler or security guard can be paid to open the door to visitors. So that's "economic activity", right? It doesn't mean they're not required to respond to a search warrant. And legal discovery can be very expensive.
Writing a simple software patch and recompiling doesn't seem all that hard. Rewriting the entire OS is a major undertaking. It may require passing new laws, but it seems unlikely that we'll end up with a bright-line rule where touching any line of code is forbidden. More likely it'll be a gray area where the line is drawn somewhere in the middle.
The law is never clear. If the law was clear cases wouldn't end up at the Supreme Court (decided by narrow margins in some cases).
The law is open to interpretation and even when opposing parties have differing interests there is almost always a basis for why they decide to sue and/or appeal a court case. [1]
[1] In other words there could be other motives for bringing a lawsuit other than thinking you might win the case.
Because those non-US residents who are abnormally uptight would remind the thread that there are multiple presidents, and that as a world-wide board we should make sure to be specific.
Or, once again, it's just the vernacular for journalists covering world politics.
Software doesn't get patented. Patents apply to "ways of doing things". Incidentally software is used to describe a "way of doing things" but it's the concept that gets patented, not the software.
Also, your assertion that the software is the free speech is a false-presupposition. The private key is data, and data is speech. It's no different than a book or a newspaper, except it's written in a way that only 1 person (device) can understand it.
An important distinction between patents and copyright is that independent invention is not a defense to patent infringement and the patent covers the concept rather than the specific implementation. Which means that unlike copyright, software patents create concepts that you aren't allowed to express, even if they're your own ideas.
I feel like we've hit, or are near, maximum saturation regarding Obama's comments at SxSW. We've had so many threads about this and most, I think, were merged into one[1]. Hell, even I wrote something about this and now that every single person in technology has written about it I almost feel embarrassed writing about it on my blog.
Other than Obama's mannerisms that were pointed out I think we can probably stop this feedback loop we're in.
I understand if people feel the topic of DOJ vs. Apple is saturated.
But this is Obama's former tech advisor, who also happens to have a JD from Yale, saying Obama is in the wrong to pursue anti-encryption policy. She's credentialed and worthy of HN readers seeing her article.
> But this is Obama's former tech advisor, who also happens to have a JD from Yale, saying Obama is in the wrong to pursue anti-encryption policy. She's credentialed and worthy of HN readers seeing her article.
I get that and it's fine it's just other than some minor mannerisms that were pointed out it's essentially the same substance of everything else posted to HN about the SxSW topic.
The problem with echo chambers is the same thing tends to increase in volume; if the general public and politicians have a view that we're all being absolutists then echo chambers only end up polarizing and increasing the volume further.
It's a hard topic I'm just concerned about the echo chamber and it ultimately hurting our position due to perceptions is all.
Mmm. I hear you. I leap at these articles because it's one more voice to share the facts of the situation.
As for polarizing the public, well. I think we need not beat the public over the head with a stick and tell them what to think. We lay out the facts in a manner that is understandable by non-techies, and let them decide for themselves. This is coming to pass through credible voices, such as Ms. Crawford's, sharing their unique perspectives.
The "bad for our side" stuff will always exist, and will be created by our opponents if it didn't.
We aren't talking about a real issue, where two sides of honest-intentioned people are trying to decide on a matter of fact. We're talking about an issue where one political group (President, NSA, FBI, etc) are willing to fake evidence and lie to the people.
> The FBI has been terrific at reading statutes — including CALEA — in ways that require the rest of us to do headstands to understand what the agency is up to. Their claim about CALEA in their latest brief in the Apple case is a shining example of just this kind of breathless, vertiginous, Alice-in-Wonderland assertion: CALEA, they say, limited only law enforcement’s authority to directly require companies to redesign devices and software. But once law enforcement is authorized by a court to do a search — given a search warrant, in other words — then (under the AWA) an FBI official can ask the court to do what law enforcement is prohibited from doing directly under section 1002 of CALEA.
I don't get it. Law enforcement is explicitly prohibited from doing all sorts of things without a warrant that can then later be compelled by a court order. If the police don't have a warrant, they can't search your house. But if they do, they can, and if you have a locked safe, they can get a court order that compels you to open it.
I think what the FBI is asking for here from Apple is almost certainly a bad thing, but the above argument doesn't go through.
> Got it? Right, I don’t either. As the well-respected lawyer Albert Gidari carefully explains in a recent blog post, this is a weirdly circular argument that ignores the specific limitation Congress enacted to remove the government from the business of dictating the design of phones or software. No gaps; no interpretive sunlight: CALEA stops the government from doing what it wants to do to Apple.
Look, I think it's useful to discuss the overall impact of "the government" or "the state" as much as the next pseudo-libertarian. But here I think the author is trying to interpret a restriction on law enforcement as obviously intended to restrict the government as a whole, but that's not obvious at all. Distinguishing between law enforcement and the government as a whole isn't complicated, headstand-inducing legal gymnastics, it's well-established legal reasoning.
> Law enforcement is explicitly prohibited from doing all sorts of things without a warrant that can then later be compelled by a court order.
It doesn't say they can't do it without a warrant. It says they unconditionally can't do it.
> Distinguishing between law enforcement and the government as a whole isn't complicated, headstand-inducing legal gymnastics, it's well-established legal reasoning.
The problem with trying to draw that distinction is that having the court order you to do it is how it always works. If CALEA said the FBI could order Apple to build the back door, the FBI still couldn't just throw Tim Cook in prison without trial if he refuses. They would still have to go to the court. So what the law is really saying is that law enforcement can't ask the court to order that -- but here they are asking anyway.
This isn't correct. More precisely, it does not address obtaining court orders.
> If CALEA said the FBI could order Apple to build the back door, the FBI still couldn't just throw Tim Cook in prison without trial if he refuses. They would still have to go to the court.
If the EPA tells you that you can't dump in the river, and you dump in a river, then they can prosecute you and send you to jail. But this is very different then getting a court order to do something as part of an investigation.
> This isn't correct. More precisely, it does not address obtaining court orders.
Please explain how the FBI could legally compel Apple to do something without a court order. If it's the only way it can happen then it's kind of implied.
> If the EPA tells you that you can't dump in the river, and you dump in a river, then they can prosecute you and send you to jail. But this is very different then getting a court order to do something as part of an investigation.
The primary difference apparently being that in that case there is something the law says you can't do, whereas in this case there is something the law says the government can't do.
Further, I'd point out the author studied law and has a JD from Yale. And she was Obama's tech advisor. And she was/is an internet activist. She knows what she's talking about. She is probably among those who understand this case the best.
She understand the law and she's taken a strong stance on the legal case. I'm sure the DoJ understands the law, as well, and it were actually obvious and clear, the DoJ would have advised the FBI that they don't have a case.
From the policy perspective, I think it's important to think about single user disk encryption in the context of its sibling question: end-to-end encryption (e2ee). They are separate legal questions, of course, but not wholly unrelated in terms of the bigger picture.
There's another possibility, which is that the Attorney General didn't think through the case, or didn't examine CALEA closely enough before deciding to go the All Writs Act route.
From a policy perspective, we don't want the government mandating that a business use any particular form of security in its devices. We want industry to compete on those systems and let the customer choose what security mechanism they prefer. Right?
> the Attorney General didn't think through the case, or didn't examine CALEA closely enough
With a case of this magnitude? That seems to me unlikely to the point of impossibility.
That's one side of the argument. The other argument, as I understand it, is that this is a step to a future akin to a Neal Stephenson novel, one we do not want to live in. The most persuasive counter-argument I see is that this future is inevitable. The most persuasive counter-counter argument is that while moving towards a future where people have access to un-subpoenable smart phones and communication mechanisms which guarantee absolute privacy [1] may be the "current of technology", how quickly we get there and the direction from which we approach it is of the outmost importance, and "in the near future and for people who can afford smart phones" is not the right timing nor direction.
1. "Absolute privacy" defined as secrecy of content and meta-data, from everyone and forever.
> if you have a locked safe, they can get a court order that compels you to open it.
But in this case, the FBI wants the safe manufacturer--not the owner of the safe, who is the one who could be compelled to open it by court order--to redesign the lock on the safe so that the FBI can keep trying combinations indefinitely until it opens. That's not the same thing.
Then I don't understand your position. Just because a court order can compel some things that law enforcement can't compel in its absence, it does not follow that a court order can compel anything that law enforcement can't compel in its absence. But that seems to be what you're claiming--or at least it seems to be the grounds on which you're rejecting the argument you were responding to.
My point is that even if a court order can compel the owner of a secret to either divulge it to law enforcement or face consequences, that doesn't mean it can compel a third party to help law enforcement pry loose the secret in the owner's absence. That seems to be precisely the distinction the article is making.
Are you interpreting the statute via the author's explanation in order to shoot down the explanation, or are you interpreting the statute differently than the author and disagreeing?
> The FBI has been terrific at reading statutes — including CALEA — in ways that require the rest of us to do headstands to understand what the agency is up to
I really want to hear from Obama's current tech advisors, such as Megan Smith, the current CTO of the US, or Obama himself about the discussions he had after his remarks at the keynote. I bet he had some tough conversations.
Unfortunately nobody in the press has asked this question in the White House Press Briefings which occur every day and whose transcripts [1] and videos [2] are posted online
[1] https://www.whitehouse.gov/briefing-room/press-briefings
[2] https://www.youtube.com/user/whitehouse/videos
EDIT: Wow, Susan Crawford even discusses the lack of press in the state house [3]
[3] https://backchannel.com/what-if-we-built-a-c-span-on-steroid...