Government is trying to make it illegal for one person to keep secrets and whisper them into another's ear.
We can argue all day about how the law doesn't prevent criminals from using technologies (it doesn't, which makes the law idiotic, from a logic perspective), but that's not the important part.
The important part is that this group of folks we're calling Government is trying to prevent us from being allowed to have secrets and whisper to each other.
Government is not as stupid as we'd like to think. Government doesn't believe that "terrorists" will stop using encryption. These laws are not for "terrorists". They're for us. Take away somebody's ability to keep secrets, and you've gained a pretty good advantage over their position[1].
This is about only one thing: leverage; and leverage is power.
> We can argue all day about how the law doesn't prevent criminals from using technologies (it doesn't, which makes the law idiotic, from a logic perspective), but that's not the important part.
We should tell other people that the law does not stop criminals from hiding their communications. Some people don't understand the nature of software or open source, and it can be explained.
> The important part is that this group of folks we're calling Government is trying to prevent us from being allowed to have secrets and whisper to each other.
Personally I think the people who support this kind of law are the same ones who believe they have nothing to hide from the government. So the privacy argument is lost on them. When you point out the law is harmful to their security and impossible to enforce, then there's a chance you'll be able to convince them.
This is a great opportunity for technologists to chat up their friends and family, start campaigns, or perhaps even run for office. This issue is an easy win if you can keep a cool head while explaining the facts.
The point I'm making is that I don't think it's lost at all. I think these people didn't all get to be in positions of power by being bumbling idiots. They know that they can convince some portion of the masses that they are in danger and need help. And that's all it takes to get a leg up on everyone; a portion of the masses.
I don't think our elected officials are bumbling idiots. But they aren't informed about everything either. It's impossible to be an expert across all fields.
As technologists, we think this issue is so straightforward that you must either be evil or a complete idiot if you support this law.
We'd do well to take a step back and observe our thought process. We often think things about computers are simple which others don't understand. That is why we get paid.
I think most of the elected officials are technologically illiterate, and bills such as this are driven by the fear that's been instilled in those officials by the appointed or hired intelligence community. Because they're the ones, what I'll colloquially call the "citizen conformance enforcement branch" of the government, that are most interested in the data and are most empowered by it.
Investigate the motive and the means, just like you would a crime, and you won't find yourself in the legislative branch of this government.
> As technologists, we think this issue is so straightforward that you must either be evil or a complete idiot if you support this law
I don't think it is either. More likely it is the "something must be done, this is something" kind of thinking. You don't need to be absolutely evil or absolutely idiotic to subscribe to this philosophy.
The problem is that we end up debating the right side of that claim (because that's what the uninformed masses and legislators focus on), what the something should be, rather than trying to convince people that the left side, the premise, is unfounded.
> "something must be done, this is something" kind of thinking. You don't need to be absolutely evil or absolutely idiotic to subscribe to this philosophy.
To fall into it without warning, no. Like all fallacies, it's a local maximum.
But to stick with it after it's pointed out... At best that's stupidity, at worst it's deceit and treachery.
There are not many people with technical knowledge in respected positions of government. The US CTO, Megan Smith, is probably the most respected. She claims Obama supports strong encryption [1]. She omits the fact that Obama is looking for ways to keep strong encryption out of the hands of criminals, which as we know is as impossible as keeping knives out of the hands of criminals.
The Press Secretary recently stated this about the President,
> he believes that strong encryption should be robustly deployed. At the same time, we should not set up a situation where bad actors -- terrorists -- can essentially establish a safe haven in cyberspace. [2]
There's also a commission that was formed yesterday to handle this question. It is called the President’s Commission on Enhancing National Cybersecurity [3] and they are due to give a report by the beginning of December (7.5 months).
The idea behind keeping secrets and whispering in someone's ear is not esoterica.
The fundamental issue here is that mutual trust between US government and the American people has been significantly eroded. Until this issue is addressed and trust is restored, all other discussions (however informed) are ultimately idle chatter.
We love to think these people are much like our clients who don't know the difference between a popup window and a Python program. These people are informed by groups like the DIA, CIA, NSA, and every other TLA, with a wealth of information on these issues.
Lindsey Graham changed his mind [1]. It isn't a massive conspiracy. I wouldn't say Feinstein is well-informed. Watch some of the hearings where she interacts with other members. It's awkward and clear they don't enjoy working with her.
Why does wanting more power have to be a "massive conspiracy"?
It seems like pretty common sense wisdom that being in power usually leads to wanting more power, and also that power often corrupts. One does not need to be a "conspiracy theorist" to come to this conclusion.
The real conspiracy is the apparently concerted effort to call anyone that believes the government is busy grabbing power a "conspiracy theorist".
> Why does wanting more power have to be a "massive conspiracy"?
It doesn't. You were saying some government officials are saying one thing to the public while knowing another to be true:
>> We love to think these people are much like our clients who don't know the difference between a popup window and a Python program. These people are informed by groups like the DIA, CIA, NSA, and every other TLA, with a wealth of information on these issues.
That implies some sort of secret plot that would harm the integrity of our government and country.
> It seems like pretty common sense wisdom that being in power usually leads to wanting more power, and also that power often corrupts. One does not need to be a "conspiracy theorist" to come to this conclusion.
I agree entirely.
> The real conspiracy is the apparently concerted effort to call anyone that believes the government is busy grabbing power a "conspiracy theorist".
Nobody said this. Claiming that there is a concerted effort by officials to lie, however, is accusing them of conspiracy.
This vibe of distrust hurts the ability of technologists to come together and be as effective as they're capable of being within government. Ultimately, society and its elected government are formed around trust. You have to believe that most of the people who enter into elected positions did so with the aim of improving our society before you can be effective within it yourself.
> saying one thing to the public while knowing another to be true
Yes. This is called lying. It doesn't require a "massive conspiracy".
> implies some sort of secret plot that would harm the integrity of our government and country
It implies nothing of the sort. It implies that Government is losing the leverage that gives it the power to levy taxes beyond what is acceptable by the population, and so Government's present endeavors (partly driven by outside commercial pressure - e.g., military contractors) are overshadowing its primary purpose, which is to protect us and our rights.
> Government is trying to make it illegal for one person to keep secrets and whisper them into another's ear.
That is already the case. If you whisper a secret into my ear, the government can subpoena me and force me to tell a court what you said. They can force you to tell a court what you said so long as it's not incriminating to you, and even then they can do it if they give you immunity.
We can debate about what the law should be, but for the last several hundred years, the law has not really contemplated people keeping secrets from the Government. "Privacy" as it has been understood to date means protection from the government fishing for evidence without probable cause, not an absolute right to keep secrets.
Pervasive, unbreakable encryption is a game-changer that requires rethinking the existing framework. We're not just talking about not being able to get data from a terrorist's phone. We're talking about the bread-and-butter of many sorts of criminal prosecutions being opaque to the government. Good luck convicting someone on insider trading when all the relevant communications are opaque to the government.
I happen to think that the benefits of encryption outweigh the challenges to law enforcement. But it's disingenuous to pretend that the government is trying to "take away" a right to "keep secrets" that you already had. Our whole legal system is built on being able to get whatever evidence is relevant wherever it may be found, with extremely narrow exceptions.
With a subpoena or warrant, yes. But not pervasively.
And while we're at it, why is the existing state of affairs not good enough? Why the attempts to subvert the message pipe? After all, the govt can still compel people to talk, and it's people receiving those secret messages.
The reason is, to my cynical mind, that they're interested in avoiding the work of warrants etc. They'd like to sidestep privacy entirely, and just record everything in the pipe. Not entirely cynical; it's exactly what they've done with the tools they already have.
In my mind there's an enormous gulf between subpoenas of a person for information, and the ability to get that information secretly and continuously.
You make a good point, which is that if companies have to weaken their encryption in order to be able to comply with this law, that opens up the possibility for easier surveillance without a warrant. I think that's a huge concern, because in my opinion the 4th amendment only provides limited protections to bits travelling over third-party pipes on the Internet, so effective end-to-end encryption is essential for privacy.
That being said, the ostensible purpose of this bill is to govern what happens in response to a valid court order.
> That is already the case. If you whisper a secret into my ear, the government can subpoena me and force me to tell a court what you said. They can force you to tell a court what you said so long as it's not incriminating to you, and even then they can do it if they give you immunity.
This is true, but they can't compel me to inform on someone who had a whispered conversation near me that I couldn't hear. To me, the current bill is more like the latter scenario.
If I invented a communication device consisting of two cans and a connecting string, then sold it as a way for neighbor kids to talk privately to each other, they could not compel me to divulge the contents of their conversations because I wouldn't have access, even though I built the canmunicator. I think that in this case, what they're doing is more like mandating that I have a way to let them monitor all string vibrations.
If they want to subpoena information, they can demand that one of the parties actually involved in the communication surrender their keys. If they refuse, then it seems like basically the same situation as when both parties to a whispered conversation refuse to talk about it.
> Pervasive, unbreakable encryption is a game-changer that requires rethinking the existing framework.
It is. But - I'm sure you've heard this better stated before, but - the first game-changer was the massive volume of everyday conversation and chatter that has moved from ephemeral speech to various digital forms, such as SMS, Facebook, messaging apps, or this very site, and thereby (usually inadvertently) preserved indefinitely, along with a ton of metadata such as location information. Digital message records are in theory the same type of information as, say, the result of a subpoena asking someone what they heard in a not particularly important conversation in a private space three years ago, but the former's volume and precision creates a significant qualitative difference. Using encryption to take that information out of the government's reach is in large part a return to the status quo.
Of course, for the case of stored information on a phone, an alternative to encrypting such data is just periodically wiping it - something which, if Snapchat is any indication, appeals to people at some level and should be more widespread.
All that pervasive unbreakable encryption does is make it possible to whisper in someone's ear at a distance. You right there said there is a tool for that situation: "the government can subpoena me and force me to tell a court what you said."
That is, you said it is a "game changer," and not a game-changer. You have to issue subpoenas, conduct depositions, etc.
Government can attempt to legally compel you, but they cannot actually "force" you to do something. Even torture cannot actually "force" you to do something. What can force you to "tell a court what you said" is making it impossible for you to keep a secret; like mind-reading technology.
> ...legal system is built on being able to get whatever evidence is relevant wherever it may be found...
Think about it for a minute; Government says "tell us what you whispered", you say "no", then Government says "fine. you go to jail for contempt". Has our society collapsed because people said "no" to this question?
> ...being disingenuous to pretend that the government...
I'm not sure "disingenuous" was the word you meant to use here. There is nothing I've feigned ignorance about, and I've made my points pretty clear.
EDIT:
Ah, see @JoeAltmaier's already great sibling reply.
You are taking a literalist view of the word "force" there. You can be compelled to testify, and the people asking the questions need to do their homework so they can catch you in a lie if you try that. That's how things were before every communication was electronic.
I think probably the right way to go after this bill is not to tell people that they need to protect their secrets from the government, but that they need to protect their secrets from 'criminals'.
Point out all the times that government databases have been hacked, and that if their secrets are swept up in government dragnets, it's only a matter of time before blackmailers and identity thieves get hold of them.
I'm not suggesting that Government is intrinsically a boogeyman (and I'm not an anarchist), but first and foremost on the list of entities that privacy and weapons protect citizens from is Government.
Feinstein's seat is up in 2018, and she'll probably retire. How do we ensure our next Senator has a more technically literate position on encryption? Who are the plausible candidates?
In the 2012 open primary, the next highest Democratic candidate only got 2 percent of the vote compared to Feinstein's 49.5. So who is waiting in the wings?
While it's convenient to paint this as "the government," many people, the ones who elect most officials, are also of the opinion that if authorized (by some manner) that encrypted data should be made available in plaintext. For the common people this comes in the form "I believe my dead relative's phone has information which will expose their killer, I want the carrier or manufacturer to make that data available, it's legally my phone, not Apple's or Samsung's, I want that data."
You may disagree with a perhaps naive perspective like that, but that interpretation does not make it any less real. There are plenty of common folk who would agree in the above scenario data in plain text should be made available upon lawful request by either carrier or mfg. That's not "the government" and to think so kind of misses the mark.
Yes, exactly, it's the same thinking that lets the government search people's houses when authorized, or detain and question them when authorized.
We already have this concept of "the government can go through your stuff" in the form of search warrants. It's not a leap at all to apply that to encryption, too, even if some specific law gets it wrong at first.
I'm sure if pocket enigma machines were around when these laws were first being put to parchment, there'd have been something in there about encryption from the start.
The problem is that your government wants to break all forms of encryption regardless of where or how they are used. Either they want something like a skeleton key or a method of bypassing the security altogether.
So they're not requesting a search warrant. They are requiring that you hand over the keys to your home or install a special door for them that is always kept unlocked.
> That's not "the government" and to think so kind of misses the mark.
The difference is that when it's not the government we're free to disagree. We're only concerned with people wanting to force it on us which these civilians with their personal concerns would not be doing.
> You may disagree with a perhaps naive perspective like that, but that interpretation does not make it any less real.
You may honestly hold a view but that does not make it any more real or sensical.
People want the comfort you describe (easy unlock) and perfect security. They believe it's possible but they resist thinking critically about it.
> For the common people this comes in the form "I believe my dead relative's phone has information which will expose their killer, I want the carrier or manufacturer to make that data available, it's legally my phone, not Apple's or Samsung's, I want that data."
And if the data was in a safe you'd be saying "It's legally my paperwork, not American Safe Co's paperwork. I want that paperwork." If you hadn't planned ahead they wouldn't be able to help you either.
If you don't have anything super-secret or valuable in the safe you can take advantage of bricks-and-mortar key escrow like putting the key/combo in a safe-deposit box, or trusting the manufacturer to hold it such as with restricted keyways and encrypted bitting patterns.
And similarly, you (or rather, the relative who might be killed) could buy a phone with some family unlock option on the cloud backup or they could put their unlock code on a piece of paper, put it in their safe-deposit box, and will it to you in event of their suspicious death.
We're all worse off if unlocking a phone or safe is easy to do without these measures. It's better that a few people lose their paperwork than that none of us are ever secure in ours.
(Speaking not necessarily to what you said, but more generally.)
This is a relatively new area, so we must be careful to be precise with the terms we are working with. Like naming variables.
> encrypted data should be made available in plaintext
'Encrypted' data that can be rendered as 'plain text' or any other interpretable form of data upon certain conditions being met outside the scope of the initial encrypter is not 'encrypted data.' But could rather be referred to as something like 'concealed data.'
Encrypted data is data that is only accessible to those who have been authorized to access it by the initial encrypter (setting aside human error in encryption techniques).
This definition follows exactly from the use of modern encryption algorithms. Therefore, encrypted data accessible to anyone other than 'Alice' or 'Bob,' is not in fact encrypted.
Remember folks, the Government you get in the future is unwritten and unknowable.
Sure, I don't think Obama is going to throw me in jail and I have nothing to hide now...but that doesn't mean in 20 years there won't be some Nationalist/Authoritarian type in control of the country like we saw with countless fallen democracies in the 20th century.
Similarly, the Government has shown itself incapable of keeping a secret with the sheer number of security failures they've experienced. So anything they have, we can assume is both public and indefensible. They use this capability and they might as well hand the information to criminals on a silver platter.
> Government is not as stupid as we'd like to think. Government doesn't believe that "terrorists" will stop using encryption. These laws are not for "terrorists". They're for us.
This is one of the things that the Snowden leaks should have made clear to everyone but sadly that isn't the case.
> The important part is that this group of folks we're calling Government is trying to prevent us from being allowed to have secrets and whisper to each other.
A huge amount of my social and work communication is via IM, text, email etc. What is the justification this should all be recorded and reviewable but things I say in person are not? I don't see a huge difference at this stage given how much communication happens online now.
I think the American voter has started to lose its way, or at least feel hopeless to change what is put in place. But I don't care if the nominee is a Republican or Democrat, we need to pass laws that keep the government at bay and stop letting them push us around. The media and politics pit us, the people, against each other in order to sway us and get laws passed that control us. I am tired of it. Most people on one side of an issue or another could come together and be friends. But the media pushes hate and fear till both sides are so defensive they think the other is the enemy instead of the guy saying "he said she said" and throwing the knife in the middle.
You have to love this, especially as it comes from the same people who think that government interfering with their firearms is the end of society. Meanwhile, losing their ability to keep a secret from the government they think they're getting ready to revolt against doesn't faze them.
> Slight digression, but does that mean owning assault weapons is a ok again in the US? Just curious.
It depends what is meant by "assault weapon". If you mean fully automatic weapons, then no, but those were essentially banned (with minor exceptions) for private ownership in 1986[0]. Ownership of those had been regulated since 1934[1]. The 1994–2004 "assault weapons" ban covered specific features[2] on guns. Since 2004, purchase of guns with (2 or more of) those features is once again legal. Note that some opposed to the 1994 assault weapons ban claim many of the features are cosmetic, rather than functional.
What do you consider an assault weapon? Fully automatic guns have been and still are illegal without proper permits. The problem with the ban referred to in the GP, is that it was mostly a superficial feel good law. Take a normal hunting rifle, add some cosmetic changes and suddenly it is an assault weapon under the old ban. Add that most gun crimes are committed with hand guns, and the ban amounted to nothing more than a news soundbite.
Depending on your definition of 'assault', yes. In the US it was essentially defined by the number of features your rifle was allowed to have, and indeed there is no longer a limit. It's hard (>$20k to buy a used one) to get a fully automatic rifle.
> Oh yeah, has been since Bush the second let the ban lapse.
The ban expired because that's what was in the original law. There were efforts to pass a new ban, but they didn't even make it out of committee[0]. Perhaps a presidential endorsement could have helped it go farther, but one can't hold the president responsible for what happens in the Senate and House committees.
Err, it's Feinstein, who represents California, that's introducing this legislation.
Republican representatives have been pushing back against these bills. Representatives Amash, Issa, Labrador. Senator Paul.
Last weekend I was at the Colorado GOP state convention and I spoke in-person to Colorado's leading GOP senate nominee and he spoke at length of our need to block this sort of legislation. In addition, I spoke with State Sen. Tim Neville, who was the party favorite for the Senate nomination, and he spoke very highly of the efforts of Amash and Paul.
Of course, they're joined by Democrats like Lofgren and Wyden and Independents like Sen. King.
It's really the establishment within both the Democratic and Republican parties that is pushing for this. It's opposed by more left-leaning Democrats and more libertarian-leaning Republicans.
Bullshit. This is coming from John McCain-style neoconservatives and democrats that don't lean liberal on civil liberties.
In my opinion, the only political identity that you might hope would fight back are Tea Partiers, and that's the same group that feels strongly about gun rights. I don't think you could be more wrong.
It will be interesting to see what Cruz does here when inevitably questioned about it. Will he alienate his new neoconservative base on this issue? Will he stick to his Tea Party roots?
The EFF is great but we need to figure out a way to kill this thing. Get your checkbooks. We need an apparatus to kill things like this. Think of it as an NRA for crypto.
Richard Burr is up for reelection this year. Remember to send money to his opponents. We might want to look for any other groups that have issues with Burr and send them money too. Perhaps this is how you kill a bill.
There is definitely a market for this for anyone who wants to pioneer it. We ran a bunch of Cryptoparties and at each we had to clarify that we weren't a political organization - strictly an educational one. This seemed to disappoint a number of people.
Comment all you want on HN or whatever forums you like, but they're basically echo chambers, and nothing really matters unless you make yourself heard to the politicians.
[edit: I just called. It'll take you like two minutes]
[edit: I made the phone calls in front of my 11-year-old son, who was eating breakfast, explaining who I was calling and why. He totally gets it. I'm not sure why a certain set of senators do not get it.]
And tell 5 friends and family to do the same. Figure out what's important to them. Do they have children? Tell them without encryption it will be possible for bad people to know their whereabouts and general day to day movements for the purpose of exploitation and abduction. Tell them to call or write the politicians to protect their children.
Maybe your friends think they have nothing to hide, but when they consider they may want to shield their children from harm, that might make them start to think about what is actually at stake.
You know, I think this is the first opportunity for "think of the children!" to be a rallying cry for something meaningful, that actually can affect a large swath of our children.
An excellent point.
However, its power is limited by all the times "think of the children!" has been used as the rallying cry for anti-citizen legislation. So it has to be strengthened. You're on the right track. The cliche turns into a platform when you have concrete examples that are identifiable to the Android/iPhone toting parents. I am willing to guarantee that the "most frequently visited locations" available on both platforms would illuminate a parent's employer, home, maybe the favorite lunch place, and the school(s) of their young children. Possibly even that their kids have medical issues (pediatrician is a frequent stop) or are on the autism spectrum or have some other developmental delays (speech pathologist or occupational therapist or developmental pediatrician is a frequent stop). Or that they're new homeowners (lots of trips to Home Depot and "big box" stores). Possibly (gasp) where they take their lover when they're supposed to be with their spouse.
> You know, I think this is the first opportunity for "think of the children!" to be a rallying cry for something meaningful
No it's not, because that's going to blow up in your face. This law is going to be put in place to protect the children. Bad people can't hide child porn. Bad people can't hide their plans to hurt your children. Bad people can't ... etc. Hand in hand goes 'good people' can track your children if they're kidnapped.
Think of the children always works in the favour of those trying to consolidate power.
Find who are the major corporate donors of the backers, organize a boycott of them and call, not write, the donor companies this is why you boycott them. That's the effective way post Citizens United.
I just called my local reps (John Larson, Chris Murphy and Richard Blumenthal). Each call was quick, professional and friendly.
That was my first time calling and it was surprisingly painless.
I opted to provide my name and zip code. I think that allows them to verify that I am a resident and maybe makes my comment carry more weight than it would without personalizing it. They seemed willing to accept comments either with a name or without one.
Calling the government to complain of their corrupt illegal bills is only a good way to be singled out for increased harassment.
You almost surely will be placed on a list of possible dissidents, your life will be sucked in a government database and your communications more closely watched.
Those who think this is crazy have had their heads buried in the sand this last decade.
The political process is broken, America is a despotic police state ruled by an illegitimate, unaccountable elite.
There are thousands of examples of government abuse at every level and officials are never held accountable.
Torture? Pass. Bomb a hospital? Pass. Assassinate children and emergency responders? Pass.
The people on HN live in a fantasy world where they still think calling their rep does anything besides put them on the government shit list.
I am gobsmacked by the tenor of comments here. At what point will HN posters finally realize that participation in the democratic process does precisely nothing against naked power?
Not to mention more restrictions to come via the various secret international trade pacts being made.
People must understand this, to disagree is to be disingenuous on the face of mountains of evidence. The American people have zero say on policy, the laws the government wants the government will get, it may take a few more years but it will happen.
The system cannot be reformed, its very core is corrupt, those who disagree are for the status quo of the police state and they are our enemy and the enemy of justice.
It is ironic to comment that comments have no influence upon others.
Personally I like to comment on this issue because it's about free speech and I like talking about that with people who are willing. Also I think technologists have a good chance to practice speaking up about this issue and be heard. Normally we are back-office people =)
I think you have a very valid point and seeing it downvoted instead of debated shows most of us are not bothered by that status quo. You can call your representative every time you think a legislation tries to overreach and hope your voice is heard, or instead of the symptoms you can treat the root cause. I believe the easier problem is to design a more just system which inherently advocates freedom and self regulates, while the much harder is to incentivize people to actually move away from the current one. Especially because usually the ones benefiting are the same ones holding the keys.
Keyword is more just. I don't pretend I have an answer, there are people far more knowledgeable on these matters. IMO the key points would be something like decreasing the overall power of the government (and red tape) and moving towards more self representation. Voting from your IOT device is technically pretty feasible at this point (maybe check the link in my profile). Also, I feel nepotism and corruption might be reduced if positions of power (even potus) would be selected from the general citizen pool randomly (~like a jury) instead of campaigning for them. I'm not American but following the election I could not pick a candidate from any of the parties who I would trust to represent my views.
I guess these points are easily debatable according to personal taste, but I'm sure there are many better ideas around.
I agree voting from your IOT device is something that should happen. We will get there some day.
To get to that point sooner, we should elect more people who are knowledgeable about technology. If you disagree or feel that is an impossible route, you may be able to find others who feel similarly. Personally I think people who feel this way are part of a minority and that limiting your interactions to a certain group is isolating and not productive. I am always looking for ways to engage people with different ideas, both to learn and to share what I've learned.
Ultimately, I reject vox_mollis's comment that participation in the democratic process is worthless or powerless. Just listen to This American Life's episode on "Take the Money and Run for Office" [1],
> Barney Frank: If the voters have a position, the votes will kick money's rear end any time. I've never met a politician-- I've been in the legislative bodies for 40 years now-- who, choosing between a significant opinion in his or her district and a number of campaign contributors, doesn't go with the district. [2]
Or look at how Lindsey Graham changed his mind in the encryption case [3]. Our representatives are not entirely useless. Similar to your day job or at your school, some people are good at what they do, and some are bad at it. That's no reason to throw the baby out with the bath water. We have the longest running democratic republic in the world. We should study it, contribute improvements by speaking up and voting, and be proud of it. Much of the rest of the world faces strict repercussions when they even speak against their government.
When guns are outlawed, only lawmen and outlaws will have guns. Good. That's the state of affairs in every developed country except one and it's demonstrably better in every way.
You may not have realized that your statement is ambiguous between the state of affairs and the sole exception.
Either way you meant it, that is your individual belief based upon your own preferences, and there are literally millions of people who would disagree with you on this particular point. If there were no exceptions, where would all those dissenters go?
PS: I have actually been paid to look into crime statistics. Guns are bad, really really bad. But, you can twist statistics to say the sky is orange if you want to.
These guys just don't get it... they'll come back saying "crooks are dumb" and that's the end of it. I remember this being discussed when Skype went backdoor friendly. They'll catch some even... just no one who knows what they're doing.
It's what happens when legislators have precisely no domain knowledge. I used to be surprised at the naiveté and ignorance when politicians spoke on topics I knew a little about. I'm too old to be surprised any more.
> You think legislators do not understand the subject because of what they said?
Depends. Frequently not as can be seen when the policy to achieve "x" does nothing of the sort, loses them the election or becomes some sort of personal vanity thing. Of course it depends on if the views expressed are of the politician or the party after you've attempted to pick out the double meaning. :)
> You believe what the politicians say?
If it's an independent I might. A party politician of any colour, usually not.
Any weapon analogy is bad for our side of the argument, because weapons sound to many people like things that bad people use to do bad things. Yes, I realize that knives are used in kitchens to cut vegetables, but with the way this discussion is rightly framed as a security thing, people are not thinking about kitchens.
I would prefer to see lock analogies. Here's a half baked example: This is like a law requiring all builders of buildings to install locks that can be opened by any person who gets access to a copy of a law enforcement key.
Personally I like that analogy because it was recently revealed that people can 3D print working keys from a photo of a key. So even the "physical" key is vulnerable to security attacks of a digital nature. All someone needs to do is get a photo of the global "key" and they can then get into anybody's safe.
No more difficult to produce than many illicit drugs. Potentially much easier even, with the right parts. Besides, there are plenty of other countries you can smuggle arms into the U.S. from given sufficient demand.
Of course the knife analogy is still useful. We all know the futility of outlawing software.
I read it. There seems to have been a bunch of studies that reached the consensus that the laws had little impact on a trend that existed before the laws and continued afterwards.
>The authors conclude that "the hypothesis that Australia's prohibition of certain types of firearms explains the absence of mass shootings in that country since 1996 does not appear to be supported
>In 2006, the lack of a measurable effect from the 1996 firearms legislation was reported in the British Journal of Criminology. Using ARIMA analysis, Dr Jeanine Baker and Dr Samara McPhedran found no evidence for an impact of the laws on homicide.
>In 2005 the head of the New South Wales Bureau of Crime Statistics and Research, Don Weatherburn,[49] noted that the level of legal gun ownership in NSW increased in recent years, and that the 1996 legislation had little to no effect on violence.
One of the only 'wins' seems to be that people who committed suicide were less likely to use guns, but more likely to use other methods.
>As hanging suicides rose at about the same rate as gun suicides fell, it is possible that there was some substitution of suicide methods. It has been noted that drawing strong conclusions about possible impacts of gun laws on suicides is challenging, because a number of suicide prevention programs were implemented from the mid-1990s onwards, and non-firearm suicides also began falling.
>Most recently, McPhedran and Baker found there was little evidence for any impacts of the gun laws on firearm suicide among people under 35 years of age, and suggest that the significant financial expenditure associated with Australia's firearms method restriction measures may not have had any impact on youth suicide.
Yikes, "license distributors" are covered entities:
"c) LICENSE DISTRIBUTORS. - A provider of remote computing service or electronic communication service to the public that distributes licenses for products, services, applications, or software of or by a covered entity shall ensure that any such products, services, applications, or software distributed by such person be capable of complying with subsection (a)."
I suspect it would be practically impossible for FOSS projects to comply, and everyone who creates or distributes free and open source software that is capable of encrypting anything would fall under this definition. Also I don't see any provision for existing software... if this bill passes, are we just supposed to stop distributing software on Day 1 until it can be rewritten to make it possible to comply?
This bill is astonishingly stupid, even when compared to the unusually high level of stupidity of federal legislators.
I'm getting pretty deep into bets on Twitter AGAINST this bill having a chance of passing. My logic is simple: this bill outlaws all sorts of things huge corporations use to protect their networks. No big company I've ever done security work for has ever been OK with crypto keys being escrowed by vendors; in fact, we were often instructed to look for exactly those kinds of features as disqualifiers for products.
I do not believe this Congress will succeed in passing a bill that would require Bank of America to escrow keys with IBM and Symantec.
I wouldn't count on that. They could go with a licensing system where you need to pay big bucks to use crypto without escrow. This scheme, of course would be beneficial for incumbents, because it raises the barrier for entry and pushes out the smaller players who can't afford such costs.
The poor drafting of the bill is reflective of lack of support from groups who have the expertise to produce a more realistic bill like NSA lawyers. The bill reflects the lack of cooperation from the Intelligence Community that has been reported.
This is negotiation. It's an adversarial system. The proponents of this bill know they are not going to get everything they ask for. The point is to stake out a position very far toward what they want so as to force opponents of this bill to just whittle it down.
If they proposed something saner and lost, they'd lose completely. But propose something insane and lose and you still might win something.
The first amendment does not guarantee the right to privacy. Most Americans would be surprised to know that the Constitution does not guarantee privacy at all.
The closest you get is the 4th amendment which only protects against unreasonable search and seizure (without a warrant).
Some argue that the 3rd amendment implies a right to privacy and was the intent of the amendment, but alas it only protects against being forced to house soldiers.
I don't know enough about California politics, how is it that Feinstein is able to be a proponent of these crazy ideas and somehow get elected in the home state of Silicon Valley and many of the companies who will be ruined by these proposals?
(Edit: What I'm trying to say is that she was the person that found Harvey Milk shot and was one of the people that police asked to identify the bodies of both Milk and Moscone. Certainly being that close to the aftermath of violence changes a person.)
The good ones always die and the assholes live. It seems like Feinstein has been trying to legislate that day away for decades now. Shame on her. She's obviously not competent to do her job and this is not the first bill to reflect that.
Wow, I had no idea Feinstein was so close to the assassinations. That's traumatic. I wonder if those events led to her positions on defense and privacy which are so uncharacteristic of the rest of her party.
Her positions on defense and privacy are actually pretty representative of the establishment wing of her party. The Democratic party has some pretty severe divisions in it, and has for years.
I highly recommend a book called Season of the Witch by David Talbot. It's a great history of SF in the 50s-80s with a strong focus on the 60s and the counterculture. It's some amazing history that many people don't know much about.
If the 60s counterculture and the rest of America had been geographically segregated like the South and the North in the 1860s, you'd have had secession and civil war.
* There are a lot of Republican voters in California who are happy to vote for Democrats, so even better if they're more towards the right
* I'm not old enough to have voted in too many elections, but her opponent in 2012 was a joke
* She doesn't really have an anti-Silicon Valley reputation (yet)
* California is more than just Silicon Valley
* Likelihood of voting correlates directly with age, and Silicon Valley is dominated by young people
* Her family is just so established in California politics, so the money's rolling in. Her husband is chairman of the University of California Board of Regents.
California is a conservative state outside of SF and LA, although because of their populations, the state is owned by the Democratic party.
Feinstein is a party machine candidate who can appeal across the aisle to those conservatives. Sure, she'll lose some Democrats, but the base will stick to voting with the party, and enough conservatives will crossover that it all works out.
Note that if SV goes to war over this, and it should, it could change the balance in the state. The problem with this from the SV point of view is that if you sabotage Feinstein, you don't get another Democrat. You get a Republican. And I imagine the Republicans are looking for a little payback if they can ever get the levers of power back.
So what do you do? Do you get rid of Feinstein over this one-issue, idiotic and harmful security state nonsense, then end up with a bunch of folks in power that might hurt you on a bunch of things, or do you grit your teeth and bear it?
Looks like the compromise is to let her posture a bit for the conservatives, then fund the opposition to make sure that nothing she proposes gets through. That's a tricky game to play, though.
> The problem with this from the SV point of view is that if you sabotage Feinstein, you don't get another Democrat. You get a Republican.
Well, not necessarily. California abolished partisan primaries a few years ago. The way it works now is that all candidates for a position run in the same primary, and the top two advance to the general election, regardless of affiliation.
I'm not sure if there have been any races so far that involved two Democrats (it's only been two or so election cycles since the change) but the 2016 Senate race seems likely to be between two Democrats.
Of course there's still the problem of finding a Democrat with enough clout and balls to challenge Feinstein in 2018.
Sources please. I did research on her legislation and voting record back then, expecting to find horrible things, and found her work to be thoughtful and helpful to the populace.
Things have dramatically changed since then, unfortunately. It'd be fascinating to uncover what caused this marked phase change.
Incidentally, my testimony in the second session that day is at http://www.csl.sri.com/neumann/judiciary.html, along with my answers to subsequent written questions from Senators Thurmond, Grassley, Leahy, and Feinstein. At the end of the first session, Senator Feinstein excused herself to go to another hearing, but remarked that if FBI Director Freeh said he needed access to essentially everything, we'd better give it to him.
I don't know about her voting record to know if that's true or not, but again, I'm talking about her reputation, which is partially shaped by fact but also shaped by public perception. And she's not really perceived as anti-tech.
She's a Democrat and a long tenured, high ranking one at that. Apathetic voters are largely to blame but no one wants to rock the boat because I'm sure she pork barrels a ton of money back to California.
She also has access to oodles of money from her husband (TPG Capital).
She's not opposed to being a hypocrite. She rails against guns but has a concealed gun permit. Her secret service detail carries automatic weapons and that's OK with her. It's not OK with most of her neighbors, but again, apathetic voters.
Tenure and pork. Same reason Jesse Helms and Strom Thurmond kept getting reelected when most of the population didn't like them. To paraphrase: she's a jerk, but she's our jerk.
Blaming reelection of corrupt officials on conspiracies and voting fraud before doing any introspection on why they actually won is the best way to perpetrate those reelections.
It's pretty remarkable that Texas and California seem to elect the scummiest people possible to the Senate. I guess that's what happens when you have a massive population of mostly apathetic voters?
I really think this country would be better off if CA and TX were not allowed representation in the Senate (and I say this as a Texan).
>I really think this country would be better off if CA and TX were not allowed representation in the Senate (and I say this as a Texan).
Removing national government representation would be more antithetical to democracy than anything that's going on now. A better solution, in my opinion, would probably be new state redistricting. Voters are apathetic because they feel their votes don't count due to overwhelming concentrations of opposing viewpoints, which probably should be split off into their own states (Bay Area, New York City, so on).
There's nothing really wrong with Barbara Boxer, and she's retiring this year anyways. Sure California has one bad senator, but when you can only have two at a time, it's hard to even out one mistake.
I wonder if Feinstein's relationship with the CFR has anything to do with her strangely strong stances on technology. It's weird that an 82 year old senator is so focused on technology issues.
It's really disheartening to read or hear almost any discussion about this issue. They're chock-full of broken analogies to meatspace that sound perfectly reasonable if you don't understand the nuances. The instant access, wide platform, and cheap copying that the Internet provides is unlike anything our species has dealt with before, and if you're not really informed on these issues, it's easy to lead yourself into what sounds like a reasonable position, but would actually destroy much of the modern economy.
My point being, the anti-encryption side has the support of nearly everyone who isn't informed about encryption and computing, which is a whole lot of people.
> My point being, the anti-encryption side has the support of nearly everyone who isn't informed about encryption and computing, which is a whole lot of people.
That just means there is more of a chance for technologists to take a leading role in this discussion through activism. It's an easy win if you can keep a cool head while explaining the issues.
Haha. It's an opportunity, not a responsibility. At some point in your life you may feel more inclined to contribute in that way. Or you may not. Both are fine =).
Ultimately you shouldn't feel pressured by what other people ask of you. The choice of what to do and how to feel about it is always yours. When other people say it's your responsibility, like even if I had said that, that would just be me trying to convince you. That means nothing when you choose how to feel about it.
So I work for a company that sells a security related appliance. We sell to mid to large sized enterprise customers.
We made the decision to go with an appliance over hosted services because this way if we get hacked, our customers don't.
Part of our product is a secure secret store, and of course we use encryption for many other purposes. Our customers use our software (or standard tools) to generate their own key material to encrypt their secrets.
Very importantly, we can't help the government, or anyone else, get access to our customers' secrets. We can't reasonably be asked to backdoor the software, because many of our customers do code reviews and audits on it before buying.
Can someone help me understand how this law would affect my company and others like it, our customers, and their users?
This bill effectively makes it illegal for US companies and persons to build or use secure enclaves / TPMs and to publish cryptosystems without either including backdoors or retaining and storing keys. It also implies that companies would need to store keys indefinitely, otherwise they would not be able to decrypt data, as no time limitations are set on the capability of accessing data.
This would not make SSH or TLS illegal or require users to hand over keys. It could mean that if a US person or corporation contributed to an SSH or TLS library, they could be expected to provide a backdoor mechanism to the government. (EDIT: would not require to hand over keys en masse, or in any way above and beyond current statutes)
Interestingly, this bill covers vendors and presumably US persons that "provide a product or method". You'll still be able to legally use foreign-developed tools. The US would have grounds to ask those foreign agents to decrypt data, but would have limited means of enforcement.
Section 2 (4) spells it out: communication service and software providers. That's the maker of every app on your phone, the phone manufacturer, your phone company, email provider, retailer (they're communicating your data to their data warehouses).
The summary clearly says "software manufacturers" (aside: manufacture software? facepalm), "providers of wire...electronic...[or] remote communications services, or any person that provides a product or method to facilitate a communication or to process or store data" are all "covered entities" and that they're responsible when they or "another party on their behalf" have made data unintelligible.
The bill, in section 3 (c) includes "license distributors", e.g. the App Store and Google Play.
Now that I've typed all that out, and please pardon the profanity, but:
What. The. Actual. Fuck.
"No one is above the law", except clearly the legislators and enforcers themselves. "Protect ... Privacy with strong data security", which doesn't exist with the sort of recovery mechanism the bill would require.
If the data is made intelligible again by a party other than the person who uttered it and their intended recipient, it has, by definition, been breached. You've been pwned. Game over. Full stop. You've lost control of your data.
It would cover your use of SSH/TLS for providing a service, but they can already subpoena those keys under existing law, so it's of limited relevance in a conversation about what this bill introduces.
What changes here is that if you deployed SSH/TLS using a HSM (Hardware security module), you'd need to be prepared to provide a plaintext stream upon a court order. Obviously, the alternative is to choose the non-HSM route which is, and has always been, vulnerable to subpoena.
I would say the HSM example is likely the government's understanding of the law as it exists today anyway. This is a matter of codifying and clarifying that position.
All of the above-such systems are such where the vendor or operator already controls the means and mechanisms for encryption and decryption. These are already vulnerable to subpoena.
The serious changes in this bill are around building systems where only the end-user can control access to their data.
> What changes here is that if you deployed SSH/TLS using a HSM (Hardware security module), you'd need to be prepared to provide a plaintext stream upon a court order. Obviously, the alternative is to choose the non-HSM route which is, and has always been, vulnerable to subpoena.
Forgive me if I'm wrong, but doesn't SSH always use a Diffie-Hellman key agreement, where the keys are destroyed after their use? No subpoena has the power to recover keys destroyed in the past, even if no HSM had been used. The same applies to modern TLS using DHE or ECDHE suites, and AFAIK the current TLS 1.3 proposal allows only these suites.
They might be able to subpoena the authentication keys, but these are useless to recover the ephemeral keys of past connections (except from older TLS cipher suites which didn't use DHE/ECDHE), and even for future connections they would have to be used with an active attack.
I hadn't considered DH, but if this bill would be used as basis for a court order to decrypt data obtained via a wiretap, then yes, it would be problematic for PFS cryptosystems. :(
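The forward-secrecy point in the exchange above, as an added example that is not part of the original thread: it records one session that uses RSA key transport (the older TLS style) and one that uses ephemeral Diffie-Hellman, then shows what a later disclosure of the long-term key yields in each case. The parameters, function names and transcript layout are assumptions chosen for illustration; the moduli are toy values and the RSA is unpadded textbook RSA.

```python
import hashlib
import secrets

# Toy parameters (assumptions for illustration, unsuitable for real use).
P, Q = 2**127 - 1, 2**89 - 1        # two Mersenne primes as RSA factors
N, E = P * Q, 65537                 # long-term public key
D = pow(E, -1, (P - 1) * (Q - 1))   # long-term private key (the one a court could demand)
DH_P, DH_G = 2**255 - 19, 2         # prime modulus and base for toy Diffie-Hellman


def kdf(secret: int) -> bytes:
    """Derive a 32-byte session key from an integer secret."""
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def _digest(a_pub: int, b_pub: int) -> int:
    """Hash of both public DH values, reduced so it can be signed with toy RSA."""
    h = hashlib.sha256(f"{a_pub}|{b_pub}".encode()).digest()
    return int.from_bytes(h, "big") % N


def rsa_transport_session():
    """Key transport: the client encrypts the secret to the long-term key."""
    premaster = secrets.randbits(128)
    transcript = {"kind": "rsa", "encrypted_premaster": pow(premaster, E, N)}
    return kdf(premaster), transcript


def dhe_session():
    """Ephemeral DH: the long-term key only signs the exchange."""
    a = secrets.randbelow(DH_P - 3) + 2          # client ephemeral secret
    b = secrets.randbelow(DH_P - 3) + 2          # server ephemeral secret
    a_pub, b_pub = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    signature = pow(_digest(a_pub, b_pub), D, N)  # server authenticates itself
    key = kdf(pow(a_pub, b, DH_P))
    assert key == kdf(pow(b_pub, a, DH_P))        # both sides agree
    del a, b                                      # ephemeral secrets are destroyed
    transcript = {"kind": "dhe", "A": a_pub, "B": b_pub, "signature": signature}
    return key, transcript


def signature_valid(transcript) -> bool:
    """Anyone with the public key can check who signed the DH exchange."""
    expected = _digest(transcript["A"], transcript["B"])
    return pow(transcript["signature"], E, N) == expected


def recover_with_long_term_key(transcript, d):
    """What recorded traffic plus a later-disclosed long-term key gives."""
    if transcript["kind"] == "rsa":
        # The session secret travelled encrypted under the long-term key.
        return kdf(pow(transcript["encrypted_premaster"], d, N))
    # DHE: the transcript holds only g^a, g^b and a signature. Nothing in it
    # is encrypted under d, so the key stays out of reach without solving a
    # discrete logarithm or having kept a or b.
    return None


if __name__ == "__main__":
    k_rsa, t_rsa = rsa_transport_session()
    k_dhe, t_dhe = dhe_session()
    print("RSA transport recovered:", recover_with_long_term_key(t_rsa, D) == k_rsa)
    print("DHE signature valid:    ", signature_valid(t_dhe))
    print("DHE recovered:          ", recover_with_long_term_key(t_dhe, D))
```
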
Also, the government tends to separate out makers (manufacturers) from sellers (vendors), though they could be the same entity. Someone may be able to sell software (say on the Google Play Store or Steam or Apple's App Store), without restrictions. But the makers of the software would be subject to this law if their applications permitted or enabled encrypted communication.
There is something inherently despotic about framing seeking basic accountability as questioning the legitimacy of government.
Security has always been the first resort of tinpots and despots for self seeking behavior. Only those ignorant of history or too distracted with material gain and hubris will fall for it. There always has to be a balance because ultimately everyone is safe in a cage. But that's not what we mean by free democratic societies.
Spying on everyone gives some individuals a sense of power and the logical response to that must be to prosecute them in open courts so their regressive mindsets can be exposed for the sickness they perpetuate. Privacy is much more important and valuable than making day to day law enforcement and governance easier.
Now back to the real world if there was any serious interest in dealing with terrorism Saudi Arabia would have been tackled 30 years ago rather than let them fund and spread Wahhabi ideology globally and the latest round of terror. Yet even today they are the USA and UK's closest allies in the middle east while Iraq, Libya, Syria and Iran who have nothing to do with global terror campaigns are casually destroyed with millions dead and millions in disarray making a complete mockery of the world we live in and the humanity we claim for ourselves.
There is no legitimate argument for a surveillance society other than coming from ignorance of history or narrow self interest. It's high time this country makes an example of those emboldened enough to advocate it and reiterate its commitment to its fundamental values.
They're really hitting the "nobody should be above the law" talking point hard. How fortunate for us — it sounds good but doesn't survive even casual scrutiny. Crypto might interfere with investigations, but that is very different from being above the law. There are huge numbers of cases where some perp used encryption and was still brought to justice.
The best analogy I can think of is the document shredder. As a society we accept that individuals can protect their personal privacy and safety even if this occasionally frustrates law enforcement investigations. Shredder manufacturers aren't forced to limit how good a job they do to potentially aid LE as this would do more harm than good. And, after all, if you banned shredders, criminals would still be able to just burn their incriminating papers.
Banning the shredders is not a solution, you're right. The correct thing to do would be to legally require every shredder producer to include a little scanner right above the blades. This scanner would then take a copy and wirelessly send it back to a server, where it gets stored for 3 months. If there is no internet connection, the shredder must refuse to work. Living the dream!
> The bill establishes that: No one is above the law.
Yes - except diplomats, journalists, doctors, as well as conversations between people in person are all "warrant-proof", and therefore "above the law" as Feinstein calls it.
As Zdziarski also says in his post below [1], the 4th amendment doesn't grant the U.S. government anything. It tries to restrict the U.S. government from overreach. It says only upon probable cause can the government request personal information, but it doesn't say the government MUST get that information and in a format that's intelligible as well.
But when the U.S. government has started interpreting the Constitution however it gives it more power, even saying that your "emails" can be obtained without a warrant because they've been "opened" [2], or when it believes that spying on millions of people at once is "relevant" to a specific investigation (3-hop spying) then it's no surprise that they also believe the 4th amendment gives it the power to require the data in an intelligible format.
> No new collection authorities. The bill does not create any new collection authorities for the government to obtain communications. The bill simply requires covered entities to ensure that the government’s lawfully-obtained evidence is readable—so that law enforcement can solve crimes and protect our communities from criminal and terrorist activities.
Well, that's a lie. Until now, only "covered entities" under CALEA could be forced to facilitate spying. Now everyone else can be forced as well, including open source developers. I'd say that's quite an expansion of its "collection abilities", no?
What if the follow-on bill will require Microsoft and the rest NOT to provide/allow you with programmable computers?
Or maybe MS decides it is untenable for them to reverse engineer whatever the end user is doing, so it makes business sense to them to simply build tablets good only for consuming content and not producing stuff?!
This is not true. The bill would only apply to encryption mechanisms provided by Microsoft or a third-party application installed by Microsoft as part of the operating system.
Interestingly, this bill covers vendors and presumably US persons that "provide a product or method". You'll still be able to legally use foreign-developed tools. The US would have grounds to ask those foreign agents to decrypt data, but would have limited means of enforcement.
It covers anything that's been licensed into the software, which would include encryption libraries. It covers hard drive manufacturers (provides a product or method to facilitate a communication or the processing or storage of data).
Communication, by their definition btw, includes electronic and ORAL communication. As others have mentioned, it literally covers whispering if someone or something amplifies or transmits your whisper thus facilitating a communication.
Absolutely, but the bill does nothing to prevent users from installing hardware or software that has been built without a backdoor. You will still be able to use Veracrypt, if you'd like, without backdoors. I do not see in this bill provisions which prevent vendors building equipment that can run arbitrary code, use arbitrary devices, or arbitrary mechanisms. (However, I'll look again)
The assumption of liability is on vendors. Vendors are expected to sell you broken goods. Developers of VeraCrypt in the above example would be expected to provide a backdoor. If they're foreign, then it will be largely unenforceable, although those developers will likely face difficulties visiting the USA.
Where users are restricted is wherein they become vendors or providers of software or services. Running a Tor server may require being prepared to provide keys or offer a backdoor, for instance. I think the bill as written could have trouble with distributing VM and container images as well, although a case may be made that they are not operating as "software manufacturers" and are simply distributors, with the liabilities reaching back to Canonical, RedHat, Microsoft, etc.
The plain-spoken language of the bill is irritating, because it hides how much assistance it provides to the existing surveillance machinery.
For example, it doesn't exempt the FISA court, as far as I can tell, and seems to embrace that use.
I'm having a little trouble with the paradoxes... "Nothing in this Act may be construed to authorize any government officer to require or prohibit any specific design". Is this a fig leaf? If you design a system that makes it impossible for you to comply with the act, you're still required to comply, right?
It means "unlike with the Clipper Chip, we take no responsibility for finding the miraculous back door that will only work for US law enforcement. YOU do it. YOU face the embarrassment when it turns out to be usable by Vladimir Putin."
They care very little about your emails. They care slightly more about your phone calls and snail mails, and still slightly more about your office visits. Each increment is tiny, but enough of them add up.
Secure communication between terrorists is impossible to stop if they show any inclination to do so. This will only impact normal people using major online services.
Right off the top of my head a few ways terrorists would thwart this:
- Use end-to-end encryption that's easy to overlay on an existing medium (e.g. PGP).
- Create or use an app that doesn't comply with this law and use that for communication. At least on android all you need to do is allow 'Unknown sources' and you can install apps outside of the play store.
- Use something other than text. Go in an online game and spell something out on the wall.
By repeatedly trying to start this "conversation" it really seems the politicians don't want to accept that it's impossible to prevent encryption at the long tail of users (where the terrorists would be). Instead they're going to stick their heads in the sand. It could be a deliberate attempt to gather session keys for the intelligence services to do their bulk harvesting, but what it definitely won't do is stop terrorism.
How can they not see the contradiction? "We want your data to be secure, but we also want US to be able to see it." Technology and math in particular doesn't know who is who, and equations don't behave differently because someone writes a law. Seriously, RSA is just M' = M^E mod N. You can publish your public key in the newspaper and have people send you encrypted messages on a postcard and nobody - even the government - can decrypt it without your private key. A law can't change that, although forcing back doors into OSes will eventually lead people to using end-to-end encryption more.
Key for me is to identify certain dangerous provisions that have a high chance of sneaking through and becoming law.
I'm sure the senators involved put in as much outrageous stuff knowing it'll be watered down. This with the hopes a few key provisions are not watered down.
That's why, in my opinion, bills like these should not be put up for discussion, amendments, and vote. I fear the worst though.
I wish Congresspeople were held to the same standard as the rest of us. This kind of lack of understanding of technology (intentional or not) is evidence of gross incompetence. Feinstein/Burr should be expelled. We all would be fired if we demonstrated this lack of ability.
How is it that lobbies from oil, guns, banks, telecom have historically been so powerful in passing legislation through Washington, yet the software industry is still so completely limp at protecting its political interests?
I feel like politicians see tech as an easy target to walk all over to rally the technophobe base, and with good reason - there's really no consequences for doing so.
Why is a company like Apple, at time when it has a historic stockpile of cash, trying to duke out political battles by writing open letters to the press and appealing for public support to uphold basic security practices when other industries manage to bend political will in their favor to do truly greedy things at the public's expense on a regular basis?
From reading the draft, it doesn't seem to say what happens if it is not technically possible (or practical, anyway) for the entity being ordered to comply.
Will they simply be held in contempt of court until they finish brute forcing an encryption key at the heat death of the Universe?
Silicon Valley needs to make its voice heard here, and to do that they need to pull back donations not just to Feinstein but to the Democratic Party until this disaster is withdrawn.
Take whatever money you were planning on spending to support Democrats this election and give it to Planned Parenthood and the EFF until this bill is withdrawn.
What this bill says pretty much is that all US entities are not allowed to use secure encryption methods and practices. They can offer encryption but at the same time the implementation should be flawed in such a way that it can be reversed via a "backdoor" or a vulnerability.
That is the essence of the bill in my opinion and nothing else.
I genuinely don't understand what the bill would do. This section seems to place no restrictions on the design of devices:
(b) DESIGN LIMITATIONS.—Nothing in this Act may be construed to authorize any government officer to require or prohibit any specific design or operating system to be adopted by any covered entity.
If the bill says the government cannot place restrictions on the design of devices, but the bill says providers have to do things they can't do with existing designs (e.g. Whatsapp end to end crypto) what does this bill actually do?
That statement of "no restrictions" is meant to mislead a non-technical person to make the bill palatable. The reality of the bill is in the part that requires companies to NOT build a system that they themselves can't break into.
Interesting, I read it differently. I read it as being internally inconsistent.
From my perspective it says "you need to hand over the plaintext if law enforcement asks for it," which would imply that a master key of some sort needs to exist.
But then it also says that nothing in this act can be construed to require a specific design. But requiring a master key to exist would be requiring a specific design.
The proposed law sounds internally inconsistent to me.
Technically literate folks need to treat encryption regulation the way gun enthusiasts treat gun control. This must become utterly politically toxic to get involved with.
This would ironically only jeopardize the safety of law-abiding Americans and lawful American interests. It would be utterly useless for anything else, including terrorism, espionage, criminality and foreign interests.
As far as I can tell, this is a win for encryption. It says that device manufacturers need to help law enforcement break into a device, but they do not need to create any backdoors. If Apple/Google/etc make it impossible for them to break into their own devices, then there is nothing that they can do. As long as they are not required to include backdoors then encryption wins.
Any odds-makers want to speculate on the odds of this going all the way?
It seems like this could be an anchoring tactic -- now that we've seen the intelligence and law-enforcement wish-list, we should supposedly be happy with any other "compromise" bill that's not quite as apocalyptic.
Politicians legislating for technology is the best real life example of the blind leading the deaf I've ever seen. We should add a constitutional amendment that requires the voting representatives understand the topic for which they're voting in order to have their votes count.
I would actually be okay with this if I had any faith whatsoever that court orders would be issued based on significant evidence that a crime was planning to be committed or had been committed. But as we've seen over the past 5 years, secret orders are given with gags based on practically zero evidence and gather up the data on an unlimited number of people, for effectively no purpose.
We can't trust the Government to properly issue court orders anymore, so it would be irresponsible for the People to give them any more power than they've abused already.
This makes the FBI's requests to Apple look like child's play. I cannot possibly see how our tech economy can survive once all these backdoors are in the hands of criminals (other than the US govt) and enemy states. Feinstein is especially known for her extreme stupidity but killing one of the last prosperous industries in America (tech), this is just simply too much. At least we'll know who to blame when no one wants to buy US tech anymore.
"Certain communication service providers that distribute licenses for a covered entity’s products and services also must ensure that these products and services are capable of providing information or data in an intelligible format."
I'm having trouble understanding the meaning of that, but is it saying if you provide a means of encrypting customers data you must be able to access it unencrypted?
I'm not a lawyer, but it seems like complying with this law would preclude compliance with HIPAA, ISO 9001, various NSA-IAD directives, etcetera. Compliance with standards like those is often written into government contracts and sometimes required by statute or policy.
If this law passed in its current form, wouldn't entire industries have to choose which laws to break when storing data?
I was wondering about this, but the data can remain encrypted and compliant as long as it's ultimately accessible by court order. I then assume the existing laws regarding courts accessing private health data apply.
There's no stipulation that data needs to be decryptable by the party holding it, is there? If the law passes in its current form, we'll probably see a slew of client-side encryption and secure multiparty computation offerings from providers.
What are we going to do about it? Maybe Wikipedia or Google will deface their own websites, and the bill will die only to resurrect shortly after.
A better solution would be for the millions of tech workers to unite and vote GOP just to send a message that we don't automatically vote for anyone or any party.
If California's vote is locked for a certain party, then it is taken for granted.
Better to start up a new party with a clever nerd name--like Bitwise Party, or Breakpoint Party, or similar--and run its own candidates. Then automate the hell out of political party organization. Make running for office as easy as registering a new domain name.
But that will probably never happen, because forming and operating a political party is too much like joining a union with its own PAC. And also, third parties don't count for much in the US.
Of course not. Unless you happen to have R. Paul as your senator the GOP typically is worse.
It's playing the two sides off each other that might work. Make the GOP think we'll vote for them. Make the Democrats think they'll lose our contributions.
Getting rid of Feinstein will be an excellent first step.
Easily see criminals stealing non-criminal systems, user-accounts etc. - and sending encrypted data from them.
Basically, hackers just offer plausible deniability as a service, ransom evidence that you weren't the party sending the data, setup human targets, etc.
To submit a bill like this shows a complete disregard for how it will function in the wild.
Think of every demographic in the US that politicians whore themselves to. The most successful ones are not always large. But they vote as a block, in high numbers, and are not overly faithful to any party.
Tech workers should support senators like Wyden or R. Paul and take steps to really knock down Feinsteins or Burrs.
On one end, I feel like security is hard enough that we don't need to go weakening it, in any way, to allow the government to be able to (with a lawful warrant) read the data. I feel like the citizens of the US are overall more secure with end to end encryption that no-one can backdoor.
On the other end, security is hard and we fail in so many other obvious, exploitable ways. Even with mandating that e.g. Apple be able to decrypt the contents of any iPhone it does not actually reduce our security in a meaningful way because there's so many other ways we routinely fail at security.
Maybe I'm a bit confused; if this bill were to pass, would this make SSH illegal? How about geli on FreeBSD? Am I going to be required to hand over my encryption keys on my server?
A not so rhetorical question: If a bill like this passes, would it make sense for the privacy-aware companies to move completely overseas (like, to UK) where these laws do not apply?
No idea about corporations, but for persons the UK has had an awful law regarding encryption since 2007. They may put you in jail for up to two years for simply not providing decryption keys if there is a court order.
For anyone that thinks either the government, or for that matter the general public, doesn't understand the intent of the bill, you are wrong.
Government clearly understands what is going on and has every reason to support laws like this.
What may not be clear is that, in my opinion, the average person understands what is going on, but is afraid. Understanding this fear, and how to counter it, is the key, not figuring out how to help people understand how the bill would function in the real world.
If encryption is deemed illegal for whatever reason, then perhaps start creating new things that legally don't fall under the category of encryption, but accomplish the same thing.
There are countless creative, imaginative and intelligent people on this site. PR teams, please let folks brainstorm first.
I'm more of the feeling that if the US outlaws encryption, business should move elsewhere. Many electronic services could operate just fine without a physical US presence.
The bill may allow the government to force a software vendor to perform work without any agreement regarding costs. It allows the government to decide "reasonably necessary costs".
Once any work has begun, the government can force (subpoena) the vendor to testify regarding results, without any payment whatsoever.
This is requiring tech companies to provide decrypted data, yes.
I want a private key that is only creatable by N separate individuals, who will only release their part of the key when they can ascertain I am not under coercion. Is there a system that does this?
Passing a law against strong encryption will totally prevent terrorists from using it to conceal their communications. I mean, how are they going to encrypt their data if it's illegal to do so? /s
I think activism against it will matter a great deal. It should be close to SOPA-levels or even greater to be sure we can stop it.
That said, as it is, I think things are like this:
- House majority will not support it, unless it's dramatically watered down (The House has been quite privacy-friendly/anti-backdoors lately). However, that could still be bad news for us, if say they only demand large companies to never use end-to-end encryption for any of their products, and to only make local disk encryption optional on smartphones (but no backdoor). Apple would have to sell iPhones unencrypted, Whatsapp would have to go back to Hangouts-style encryption, and Google will never implement its End-to-End tool for Gmail. You can forget about research for homomorphic encryption for healthcare or other services (which I think Microsoft, for one, is doing right now).
- Senate majority will likely support it as is.
Edit: Senator Ron Wyden promises to filibuster it, so we have that going for us as well, although I'm not sure if this can guarantee it's dead. I think he threatened a filibuster with the USA Freedom Act as well, but didn't go through with it at the last moment, when they compromised on something else (I may not be remembering this exactly):
- Obama wants to look "neutral" right now, but I don't think he is. I think he wants the Senate version passed as well. But he would probably accept a watered down version as well.
Bottom line, if we want to stop it completely, as we did for SOPA, then we need to organize, and we need companies to do what they did for SOPA, too, and alert the public about it en masse.
Yeah I don't think Obama is neutral. He says the same thing as this bill. He says he "supports strong encryption", and says criminals should not be able to hide their digital communications from government.
They still do not understand that it's not possible to force criminals to use government-approved encryption software. Criminals can write their own encryption.
The sooner we voice up and vote out those who support such unreasonable laws, the sooner we can progress as a society towards finding the right ways to keep each other safe.
Does anyone know if there is a list of representatives showing their positions on this bill?
> They still do not understand that it's not possible to force criminals to use government-approved encryption software.
I think in this instance this is a case of you assuming ignorance where malice is far more likely. Looking at the comprehensive mass surveillance of, well, everyone (by the NSA et al), I think the point here is to further the goal of population control i.e. they don't care about criminals who would write their own, they just want always-on access to everyone.
> I think in this instance this is a case of you assuming ignorance where malice is far more likely
I doubt it because (1) this would involve a wide-ranging conspiracy, and (2) they won't achieve their goal. If they were informed, they would know they will fail. As it is, Obama, Comey, etc will go down in history as asking technologists to perform magic. Nothing about this law helps them catch terrorists, and it hurts the US government's relationship with technologists going forward.
> they don't care about criminals who would write their own, they just want always-on access to everyone
That will not happen without a fight from companies like Apple. Ultimately, this just brings more awareness to users. It is not hard for companies to convince their users that backdoors for government make their data less secure. Tim Cook already took the first step.
More likely, I think, is technologists view government as lying about everything. We are iconoclasts seeking to break down cultural conservatisms. Also, we generalize too easily. We see government being disingenuous about one thing and assume they're dishonest about everything.
Ultimately, it doesn't matter if certain members of government are lying or not. We should be educating the public and our representatives about the fact that we can't force criminals to use government-mandated encryption.
Just a reminder that trying to discuss these matters on HN is a bad idea as the moderators routinely bury any anti government sentiments and articles, ban accounts and IPs which are critical of the government and allow government sock puppets to control the conversation.
The mods' only defense is to say trust them and none of this is true, but ample evidence exists to the contrary.
American government is corrupt and HN Moderation policy is to abide and abet that corruption.
I think policy makers do not understand how easy encryption is to use. I'm sending this letter to help them understand a little better why this bill makes no sense and will not prevent criminals nor terrorists from hiding data if they want to.
Dear Senator,
I am writing today to explain how a draft bill, the Compliance with Court Orders Act of 2017, will affect me.
For the last 7 years I have been developing a data backup program, HashBackup. HashBackup allows people to securely backup their computer data to cloud storage, without worrying about the storage company or one of its employees accessing confidential data through the use of strong encryption.
There are many reasons for maintaining strict confidentiality:
- financial records
- medical records
- company trade secrets
- top secret intelligence
- general privacy protection
- and yes, committing crimes
The purpose of this bill as I understand it is to compel any person or company who provides software or devices that can create unintelligible (encrypted) data, to assist the government in producing the original, unencrypted data, with a court order.
The critical piece of information to have in order to produce the original data is the encryption key. Without that, no one in the world can produce the original data, whether they wrote the software or not. So this bill's ultimate purpose is to compel individuals and companies selling encryption products to use subversive technical means to obtain encryption keys from its customers, presumably without the customers' knowledge.
My backup program, HashBackup, creates keys on each customer's computer. The customer is responsible for their key, just like the lock on their front door. Similar to a lock manufacturer, I do not know or have access to any customers' encryption keys. If the customer loses their key, they lose their backup, and there is nothing I can do to help them recover it.
If my customer uses HashBackup to store their data at Amazon or Google, and the government decides they want that data, I am the one who will get a court order to provide it since I wrote the software that encrypted it. The only way I could possibly comply with the order is to install special "backdoor" code in HashBackup that relayed the customer's key to the government. If customers realize that their encrypted backup data is not really secure and private, I will be out of business.
Our government presents this issue as a way for law enforcement to prosecute crime and prevent terrorism. But as we all know, criminals and terrorists do not obey laws; the laws end up only affecting the law-abiding. If this law is passed, criminals will be unaffected, as they can easily encrypt their own data and hide their keys.
Some people may believe that encryption is a complex technology that only big companies like Apple can use. It is not. Encryption is a simple technology that anyone can use. It doesn't require any special computer skills, training, or equipment. Criminals and terrorists will continue to use simple encryption after this law is passed.
To show how easy it is to encrypt and decrypt messages, here are two very simple programs to encrypt and decrypt messages. These are written in the Python computer language, but similarly simple programs can be written in most modern computer languages.
The first example program encrypts a message. The lines beginning with # are comments to explain what the program is doing:

    import binascii
    import os
    # assumes the AES module from PyCryptodome (pip install pycryptodome)
    from Crypto.Cipher import AES

    # create a key and display it
    key = os.urandom(16)
    print('Key:', binascii.hexlify(key).decode())

    # here's the message to protect;
    # add spaces until it is a multiple of 16 letters
    message = b'this is a secret'

    # encrypt and display the same message 3 times
    for i in range(3):
        iv = os.urandom(16)
        encrypted = AES.new(key, AES.MODE_CBC, iv).encrypt(message)
        print('Encrypted message:', binascii.hexlify(iv + encrypted).decode())

The next example program decrypts an encrypted message and displays the original secret message:

    import binascii
    import sys
    # assumes the AES module from PyCryptodome (pip install pycryptodome)
    from Crypto.Cipher import AES

    # get the key and encrypted message
    key = binascii.unhexlify(sys.argv[1])
    encrypted = binascii.unhexlify(sys.argv[2])

    # separate the iv
    iv = encrypted[:16]
    encrypted = encrypted[16:]

    # decrypt and display the original message
    print('Original message:', AES.new(key, AES.MODE_CBC, iv).decrypt(encrypted).decode())

Now we show the encryption program creating 3 completely different encryptions of the same secret message, all using the same key:
Here is the decryption program changing all 3 encrypted messages back to the original message:
[jim@mb ~]$ py easy2.py 9cba06caad965229457652b3ae760595 4c77810f6f39946a2e525b2ef0e2fe6ed70201d22bb263734dd3aebbbf11af0d
Original message: this is a secret
[jim@mb ~]$ py easy2.py 9cba06caad965229457652b3ae760595 d262cca8d9da4aa01c36be5dcf2809d212348438752ffea491a13dacd2999ba9
Original message: this is a secret
[jim@mb ~]$ py easy2.py 9cba06caad965229457652b3ae760595 0749d160d9e751a67bb908ba8df7800a177e53ea03fad3694bbeab54cd680469
Original message: this is a secret
An interesting fact you may not realize: one key can be used to encrypt the same message in many different ways. These simple programs above can encrypt the same message, using the same key, 340,282,366,920,938,463,463,374,607,431,768,211,456 different ways.
No matter what laws our government passes, criminals will not obey them. If a criminal wants to keep something secret using technology, it is not hard: all they have to do is privately share a key with someone, then send encrypted messages like the above.
An important point is that these encrypted messages can be sent over ANY communication medium. Whether the government has access to them or not, they cannot be decoded without the key. Criminals can encrypt GPS coordinates and times for example, send them as a simple text message, and neither the government, Apple, nor anyone else would be able to see the original message.
I have no problem with law enforcement doing an authorized search to obtain a suspected criminal's encryption key(s) FROM THE SUSPECT. But as a producer of software, I should not be compelled to violate my customers' trust by stealing their key without their knowledge. Then I become the criminal.
Please do not pass this bill. It will not affect criminals or terrorists - just the rest of us law-abiding citizens.
I haven't done it yet but I've contemplated sending a letter along the lines of:
Dear Senator,
The draft bill, the Compliance with Court Orders Act of 2017, fails to take into account the necessity of convenient, effective encryption for protecting things like online commerce and it fails to account for how easy it is to access encryption technology that is not compliant with the bill. An example of readily available software that does not comply with the requirements of the bill is "Pretty Good Privacy" often referred to as PGP. This software is widely used and available outside of US jurisdiction.
Many well qualified technologists are speaking out against the bill. Their reservations and the apparent lack of input from the broader technology industry is very worrying.
I consider support for a bill with these issues disqualifying and will vote as such in all future elections.
It feels like everyone would be better served if the tech community admitted the legitimacy of the government's (and many, MANY people's) security concerns and stopped pretending that the right to privacy always trumps the right to security of the person. (All occurrences of the string "secur" in that EFF letter[1], for instance, are in reference to data and computer systems. Not one is in [direct] reference to people.) Or, if we don't go that far, we need to at least realise the need for political communities to have serious discussions about how to reconcile those two rights without jeopardising either of them.
The tech community's solutions WAY too often feel like they're motivated only by libertarian concerns for freedom which, while extremely important, are not exhaustively fundamental or final to -- and certainly do not settle the question for -- non-libertarians.
There's a lot of trust of the government here[1] and in general[2] -- though, as that Gallup link shows, it MASSIVELY depends on which arm of the government you're talking about.
Again, not many people live in or around the libertarian bubble. And there are lots of intelligent people who avoid it for very, very good reasons.
Many have noted this isn't about security vs. privacy. It's about security vs. security [1] [2] [3]
Also, I think there's something different about getting access to someone's digital communications that makes digital data different from data previously obtained by warrants. Digital databases increasingly contain the entire history of people's communications. That's never been true before and it warrants additional discussion at the very least.
The other argument against this bill is it is unenforceable. Terrorists won't be using the government-mandated encryption tools. They'll create their own.
This is an opportunity for technologists to step up and take a larger role within government by educating representatives and the public, starting campaigns or non-profits, or perhaps running for office.
I don't agree with you but the downvotes for disagreement are very inappropriate, this is a contrarian position to the party line around here but fairly well put and helps to further the discussion beyond some sort of echo chamber.
Remember right now a huge proportion of the US population does NOT agree with us, no matter how many facts you explain to them.
Telling, for example, president Obama that he's an idiot and doesn't understand technology is both a lie and not helpful. He has hundreds of advisors who each know as much as the smartest of us here.
Firstly because, well, that's just the way it is sometimes. Putting a gate in your wall can let in bad guys who can plunder your city, yes. But it can also let in good guys who can fortify it. You just need to design and use your gate well...and, I suppose, think of the government as good guys. (Soz, I've been indulging in some nostalgia with AOE 2: HD recently....)
And two: who says this has to involve decreasing IT security? I haven't seen enough evidence of cooperation between the gov't and the tech industry on this for me to believe that an agreement on this would require decreasing IT security.
> who says this has to involve decreasing IT security?
Which type of system would you feel safer guarding all of your most personal information in? Keep in mind that the system doesn't care if you're a "bad guy" or a "good guy":
1. A system which was designed to be "unbreakable"
2. A system which was designed to be breakable
Without encryption there is no IT security (if there even was such a thing).
1. https://en.wikipedia.org/wiki/Enigma_machine#Breaking_Enigma