Bill Gates: Tech Companies Are Inviting Government Intervention

As long as we have no access to the phone who knows what's on it? Let's be honest most people are not criminal masterminds. He might even have a selfie with the dead body.


If someone confesses to crime A because they find evidence of crime B, then he's really really dumb. And if they find evidence of wrongdoing, why shouldn't he be punished for that? After all Al Capone was also done in for tax evasion as well.


Then why do you have a problem with "court order, go to apple, samsung, whatever and get access to their phone"?


There is nothing special about it, it's just another avenue worth pursuing when looking for evidence.


I'm sure they'd get a court order for every person on the spot. Oh wait, it's a completely different thing. Let me refer you to #10 on the regressive agenda.


You entirely missed his point. Its not the court order to access the device we are in objection to. Its to requiring a skeleton key to every lock and giving the governments of the world that key and making them promise to never use it except when they really need to. Its like putting a kid in a candy store and telling the kid not to eat any candy and then walking out and leaving the kid alone and unsupervised. Candy will get eaten.
 
If someone confesses to crime A because they find evidence of crime B, then he's really really dumb.

Because that's exactly what happens. the DA walks in, says we have you on this laundry list of charges, you're going to get 25 years...but you can take this plea deal and get 10 years off that. Amazon, Google, et al shouldn't be doing the government's work. If they want in, hire security experts try to get in.

And yes I would rather let a murder, rapist, whatever get away than to give the government the ability to access anything they want. Same as I feel about convicting an innocent person: I would rather see 10 criminals walk than convict one innocent. We arent "letting" anyone off, we are simply accepting that in a free society we may not be able to stop every criminal because it is so important to us to protect our rights. We accept that as a social burden in exchange for increased freedom.

Exactly this. This is why we are innocent until proven guilty, the burden of proof is on the government. If the evidence is so weak you need to get into a phone and more or less self incriminate, then maybe that person shouldn't spend significant time in jail. I have a reasonable doubt, and the prosecutor failed to prove to me beyond a reasonable doubt the person was guilty. I don't think the trade-off is worth it. We catch a few more scumbag drug dealers, but sacrifice secure banking and out privacy? Nah. I'm good with the current state of affairs.
 
As long as we have no access to the phone who knows what's on it? Let's be honest most people are not criminal masterminds. He might even have a selfie with the dead body.
I'm asking both to question this and as well because i'm genuinely curious. Has this ever happened before? You would think if a murderer is using a cell phone to take selfies they would get caught immediately.

If it's never happened before.... I'm not going to assume it'll never happen, but... i dunno, sounds highly unlikely. Selfies are associated with social media.
If someone confesses to crime A because they find evidence of crime B, then he's really really dumb. And if they find evidence of wrongdoing, why shouldn't he be punished for that? After all Al Capone was also done in for tax evasion as well.
But this happens all the time. It's why people do plea deals.
Then why do you have a problem with "court order, go to apple, samsung, whatever and get access to their phone"?
Because it's not possible to break the encryption unless there's a backdoor which there's not currently. It's different when the data is on their servers. When you put your emails on google's servers or yahoo's, it's their server, they have access to the data and will do everything to comply with law enforcement if it's through the proper means. Since the phones are sold with good encryption, it's not like there's a backdoor to get access to them.
It's not just a matter of asking companies to comply if it's within their means. You're asking them to redesign their security on existing and past products to comply with law enforcement desires without thinking things through. Once that backdoor is in place, anyone can get access to it. This means for all intents and purposes, that those secured phones become insecure. I could see possible outcomes where every single phone passing through immigration both in the US and lets say China are scanned and all the information is maintained and searched through. Obviously no business person would want any of that. It's already happening on a smaller scale, but it would be widespread within a few months.
There is nothing special about it, it's just another avenue worth pursuing when looking for evidence.
But it's unnecessary and impossible at the moment.
I'm sure they'd get a court order for every person on the spot. Oh wait, it's a completely different thing. Let me refer you to #10 on the regressive agenda.
It's an example of abuse. This clearly falls under illegal searches and seizures. Stopping someone from speeding doesn't mean obtaining information on their phone and seeing what else you can get them on, yet this was routinely done.
Let me point back to the previous idea of plea deals and confession to Crime A because they find evidence of Crime B.
Here's how it'll go. Backdoor A is installed, law enforcement (FBI, whoever) claims it'll only be used in capital crimes. A few months later local law enforcement is utilizing unlock backdoor method to obtain access to phones. At traffic stops, they will ask for your phone and download everything from it and put it in a database. They see you were texting and driving, so they add that to your ticket. Later on you get a letter from the IRS stating you forgot to claim your internet purchases that were obtained through your phone search. They'll add an additional 500$ for misreporting on your tax income. Based on your phone's data, they've determine that you qualify to be on a watch list because of your association with a facebook group on bit coin, so now they want to know all your dealings.

The list goes on and on with possible ramifications of allowing anyone to view and peruse your data on your phone.
 
I'm asking both to question this and as well because i'm genuinely curious. Has this ever happened before? You would think if a murderer is using a cell phone to take selfies they would get caught immediately.

If it's never happened before.... I'm not going to assume it'll never happen, but... i dunno, sounds highly unlikely. Selfies are associated with social media.
I remember reading about at least one case like this where they had photographs of the victims. It doesn't even have to be a photo of a dead body. I can think of a dozen ways in which he might implicate himself. Stored destination data, stored wifi access points, visited web sites from the phone, but he can have a 100 photos of stalking the victim from the past even.
We can't rule out a significant source of intel based on fear. Lack of trust in government agencies is a separate issue. But if there is no loophole to abuse the system it's not just helpful but a must have imo.
But this happens all the time. It's why people do plea deals.
Where did this happen? Why would you confess to a more serious crime when they find evidence of a lesser crime on your electronic devices? Any lawyer suggesting to their defendant to take that deal is either corrupt or a fool.

Because it's not possible to break the encryption unless there's a backdoor which there's not currently. It's different when the data is on their servers. When you put your emails on google's servers or yahoo's, it's their server, they have access to the data and will do everything to comply with law enforcement if it's through the proper means. Since the phones are sold with good encryption, it's not like there's a backdoor to get access to them.
It's very easy to think of ways to prevent abusing the backdoor. Make the backdoor, but make it in a way that using it bricks the phone. Or even better it displays only a message that says: "backdoor has been used, the oversight authorities have been informed" and if they had no warrant for accessing the phone they'll be the ones going to jail.
Every problem we have is technical. So there is a technical solution if you care to look for it.

It's not just a matter of asking companies to comply if it's within their means. You're asking them to redesign their security on existing and past products to comply with law enforcement desires without thinking things through. Once that backdoor is in place, anyone can get access to it. This means for all intents and purposes, that those secured phones become insecure. I could see possible outcomes where every single phone passing through immigration both in the US and lets say China are scanned and all the information is maintained and searched through. Obviously no business person would want any of that. It's already happening on a smaller scale, but it would be widespread within a few months.
See above.

But it's unnecessary and impossible at the moment.
You just asserted that it's unnecessary, you can't know how many cases have been dismissed due to lack of evidence where it would've helped. I'm not saying there were any. I'm just saying it's better to look and not find anything a million times, than never even look and miss just one.

There is a difference between impossibility and unwillingness.


It's an example of abuse. This clearly falls under illegal searches and seizures. Stopping someone from speeding doesn't mean obtaining information on their phone and seeing what else you can get them on, yet this was routinely done.
Let me point back to the previous idea of plea deals and confession to Crime A because they find evidence of Crime B.
Here's how it'll go. Backdoor A is installed, law enforcement (FBI, whoever) claims it'll only be used in capital crimes. A few months later local law enforcement is utilizing unlock backdoor method to obtain access to phones. At traffic stops, they will ask for your phone and download everything from it and put it in a database. They see you were texting and driving, so they add that to your ticket. Later on you get a letter from the IRS stating you forgot to claim your internet purchases that were obtained through your phone search. They'll add an additional 500$ for misreporting on your tax income. Based on your phone's data, they've determine that you qualify to be on a watch list because of your association with a facebook group on bit coin, so now they want to know all your dealings.
That's not confessing to crime A because of evidence of crime B. That's finding evidence of crime B while looking for evidence for crime A. And then convicting you for crime B. That's an entirely different thing. And it's not like you haven't committed those offenses. So technically you have no right to complain. It also happened in my circles. Some of my acquaintances were cited for A, and then fined for B (And it's not like they were innocent of A either)

The list goes on and on with possible ramifications of allowing anyone to view and peruse your data on your phone.
Not anyone. This is the whole discussion is about. Only by court ruling, and only in cases of violent crimes. And if that makes you content there could even be an addendum that says if you unlock the phone to find evidence for A, then anything else you find on the phone cannot be the sole basis for raising another charge.

It's not impossible to do right. But everyone seems to be thinking in black and white: Either nothing at all, or the worst dystopian nightmare.
 
It's very easy to think of ways to prevent abusing the backdoor. Make the backdoor, but make it in a way that using it bricks the phone. Or even better it displays only a message that says: "backdoor has been used, the oversight authorities have been informed" and if they had no warrant for accessing the phone they'll be the ones going to jail.
Every problem we have is technical. So there is a technical solution if you care to look for it.
Sorry, but i do not want anything on my phone that will purposely brick it. It's my device. I don't want to relinquish control in a way that makes it susceptible to be destroyed.

Any backdoor method will be known and be exploited, Period. If you could remotely brick a phone, people will do that just to be malicious. Imagine chinese hackers getting a hold of a telco's company's servers and pushing out a remote brick signal? It will happen one day.

Even if it's not remotely accessible in that manner the backdoor will be exploited. If it's possible to brick a phone, it's possible to unbrick a phone without someone knowing.
 
Sorry, but i do not want anything on my phone that will purposely brick it. It's my device. I don't want to relinquish control in a way that makes it susceptible to be destroyed.
Now you're just pivoting to another problem. This is really childish. Who says they won't replace the phone after it has been bricked by using the backdoor and it turns out it held no relevant information? That shouldn't even be a question.
Any backdoor method will be known and be exploited, Period. If you could remotely brick a phone, people will do that just to be malicious. Imagine chinese hackers getting a hold of a telco's company's servers and pushing out a remote brick signal? It will happen one day.
Who said anything about remotely? That was never part of the proposal.
Even if it's not remotely accessible in that manner the backdoor will be exploited. If it's possible to brick a phone, it's possible to unbrick a phone without someone knowing
That's just another assertion. You just said phones right now are uncrackable currently without a backdoor. So the same companies that made uncrackable phones presumably can also make the backdoor access irreversible. It can even be a hw failsafe that disables a certain component in the phone beyond repair. Or the backdoor can even work in a way that it doesn't allow access to the phone, it just copies the data on encrypted channels to a remote server of the manufacturer that is mandated for this purpose and only accessible by high ranking members from the authorities. These are just the technical details. The question is whether the electronic devices of people accused of violent and serious crimes should accessible by court order. After that's decided we can work out the technical details so it doesn't present any danger of being exploited by 3rd parties.
 
Now you're just pivoting to another problem. This is really childish. Who says they won't replace the phone after it has been bricked by using the backdoor and it turns out it held no relevant information? That shouldn't even be a question.
I was focused on your proposed solution because the argument started to devolve way too fast in the "what if" scenarios and postulations thereof.

The government and or police will never replace phones. They don't replace hardware they confiscate, they'd rather sell it at auctions and then pay out a fraction if the person ever decides to go through the lengthy process of trying to get it back via the courts.
Who said anything about remotely? That was never part of the proposal.
You're talking about a software backdoor to encryption. Exactly what portion don't you think that could be run remotely?
That's just another assertion. You just said phones right now are uncrackable currently without a backdoor. So the same companies that made uncrackable phones presumably can also make the backdoor access irreversible. It can even be a hw failsafe that disables a certain component in the phone beyond repair. Or the backdoor can even work in a way that it doesn't allow access to the phone, it just copies the data on encrypted channels to a remote server of the manufacturer that is mandated for this purpose and only accessible by high ranking members from the authorities. These are just the technical details. The question is whether the electronic devices of people accused of violent and serious crimes should accessible by court order. After that's decided we can work out the technical details so it doesn't present any danger of being exploited by 3rd parties.
I will never buy anything that can be bricked by the government. It's my device (after i buy it). I will never give the power to anyone to do anything to it that i don't want them to. I'd much rather buy Chinese phones without the hardware brick than buy any device with it.

I don't think that my way of thinking with things that i own are out of line or that it's not a common line of thought.

Every single device created today has some sort of bypass found. Intel's spectre and meltdown are examples, rooting snapdragon phones with cpu faults, bypassing ps4 checks and running arbitrary code, etc. These are all done on devices which are secured and aren't designed with a backdoor. Do you think designing a backdoor would be more secure or less secure? Because i'm leaning toward the extremely dangerous side of things. Once any exploit is found, that person has access to all the mobile phones out there? That's an insane but likely scenario if this ever comes to pass.

If i develop an uncrackable safe that no one can crack or less it will self-implode, is that illegal? I saw this because i honestly don't know. But i do know that encryption has made things very difficult to crack. If it's illegal to keep secrets from the government or the courts, then encryption itself is already illegal. If it's not, then there's no grounds to try and enforce a backdoor.
 
It's not impossible to do right. But everyone seems to be thinking in black and white: Either nothing at all, or the worst dystopian nightmare.

Yes it is. Otherwise the fourth amendment would read more like this:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized. Except in special cases.
 
"their view that even a clear mass-murdering criminal's communication should never be available to the government"

The problem with giving this content to the government is that it means any content can be made available to the government. Governments have a long history of vilifying people who did nothing wrong, as well as recent revelations of casually snooping on everything they could get their hands on. If you care about the privacy of your customers, why would you want to be able to read their data, or make it available for the government?


Because they, (companies), have a legal requirement to be able to comply with court ordered requests for information. Why do you guys not understand this. The law says that they must be able to provide the information when legally and properly requested. It's not "the should", it's not that "they may", they must.

The government has been really casual about this thing giving business a lot of rope to play with in figuring out how they are going to deal with this stuff, but it ain't going to last forever. I have told you guys that if business won't get with the government and help figure out the best way to do all of this, that the Feds are simply going to tell them how it's going to be and when they fail to acquiesce, the penalties will be severe.

You can thump your chest and be the herald of the next revolution, which ain't really going to happen over this, but I really believe this is what will happen. Time will prove me right or wrong.
 
Cats already out of the bag. If any company even leaked that all their encryption keys had backdoors that the government had access to, people would put their own layer of encryption on top of the phones in custom apps. Text messages with one time ppg pads, encrypted voice calls, etc. They already have access to way more than most people think they do, but now they want it out in the open too.

Right, people would.... like 20, or two hundred, maybe two thousand ........ out of over 320 million that's a real movement there you have.
 
I still believe that in a situation that really was important, at least as far as the FBI was concerned, they'd get your password. At least if you're alive, or mostly alive.

The fight against encryption really isn't about "important stuff", in my opinion. It's about being able to infiltrate the lives of people who haven't done anything wrong "yet". Companies getting cute over warrants is encouraging the dawn of legislation that will remove their control. We face the potential of either mandatory back doors, or a ban on encrypted personal information.

All of a sudden everyone who encrypts their data or closes those doors actually is a criminal because encryption itself becomes criminal offence. I know that's tinfoil hat level paranoia, but the digital space seems to be ripe fruit for exploitation, by everyone.


Yup, this is definitely where we're heading. Here's my opinion on what's coming now that NN is being hacked away.

1- ISPs are going to require installation of their proxy SSL cert so they can break your SSL chain and scan all your HTTPS traffic with no warning to the user. They'll update their TOS so you either agree or cannot use their network. I'm sure it will be under the guise of 'but teh turrorists" or "protection from child predators" etc. But it's so they can scan all your traffic for data collection, and so they can inject their own ads etc. Especially since they just got the OK from congress to invade our privacy and sell our data.

2- ISPs will no longer allow direct private VPN tunnels. They will either require the keys to be able to peek at the traffic (but they promise they won't), or require you to use them as an intermediate VPN (You tunnel to them, they tunnel to your end point). This will all be for your 'convenience', which they will gladly charge you extra each month for the 'service'.....


I'm sure there are other ways we're about to get our privacy destroyed, but these are the 2 big items I feel will be targeted first by the ISPs.
 
Because they, (companies), have a legal requirement to be able to comply with court ordered requests for information. Why do you guys not understand this. The law says that they must be able to provide the information when legally and properly requested. It's not "the should", it's not that "they may", they must.

The government has been really casual about this thing giving business a lot of rope to play with in figuring out how they are going to deal with this stuff, but it ain't going to last forever. I have told you guys that if business won't get with the government and help figure out the best way to do all of this, that the Feds are simply going to tell them how it's going to be and when they fail to acquiesce, the penalties will be severe.

You can thump your chest and be the herald of the next revolution, which ain't really going to happen over this, but I really believe this is what will happen. Time will prove me right or wrong.
I'm not sure if this is the case.

Google has no obligation to decrypt anything or provide a backdoor for encryption. I'm sure google didn't develop the encryption, it's a mathematical formula that was invented by academics in universities. It's not like the hardware encrypts anything. If the government wants a backdoor, they can go back to the universities and demand that the researchers re-engineer the encryption algorithm to provide a backdoor (never going to happen, but you know whatever).

It's really up to the government to decrypt the content. Just ask the NSA nicely to use their quantum computers to crack those 4096 bit hashes.
 
Because they, (companies), have a legal requirement to be able to comply with court ordered requests for information. Why do you guys not understand this. The law says that they must be able to provide the information when legally and properly requested. It's not "the should", it's not that "they may", they must.

The government has been really casual about this thing giving business a lot of rope to play with in figuring out how they are going to deal with this stuff, but it ain't going to last forever. I have told you guys that if business won't get with the government and help figure out the best way to do all of this, that the Feds are simply going to tell them how it's going to be and when they fail to acquiesce, the penalties will be severe.

You can thump your chest and be the herald of the next revolution, which ain't really going to happen over this, but I really believe this is what will happen. Time will prove me right or wrong.


I have no problem with warrants and getting legal access to things. I DO have an issue with giving the government a secret backdoor into everything. I *mostly* trust our legal system but I dont trust that it wont get abused by well intentioned government individuals and/or police detective that "just wants to keep kids safe" etc. Nor do I trust that some third party (i.e. a foreign power) will have the same level of respect that our govt currently has.

Lets be honest - once you build it you might as well make it public because it will be found and it will be exploited. I expect if they ever do try to mandate something like this it will be held up for decades in court and will land itself before the Supreme Court.
 
Right, people would.... like 20, or two hundred, maybe two thousand ........ out of over 320 million that's a real movement there you have.
I'll go make a pgp messaging app and put ti on google play. We'll see if people use it or not.
 
I'm not sure if this is the case.

Google has no obligation to decrypt anything or provide a backdoor for encryption. I'm sure google didn't develop the encryption, it's a mathematical formula that was invented by academics in universities. It's not like the hardware encrypts anything. If the government wants a backdoor, they can go back to the universities and demand that the researchers re-engineer the encryption algorithm to provide a backdoor (never going to happen, but you know whatever).

It's really up to the government to decrypt the content. Just ask the NSA nicely to use their quantum computers to crack those 4096 bit hashes.


It's already in a case, I just have no time to look it back up.

A Judge didn't say "how" the company had to provide the data, only that they must. If the company does something like encrypt data in a way that they can not comply, then they simply are unable to comply and then it becomes a straight up issue, will such a thing be allowed or not.

See, this is always the rub, I don't have to get into the weeds and tell you how, or make allowances for anything. I just have to tell you that you have to shit that data in un-encrypted human readable form and that is all there is to it. It's a court order, all you can do is appeal and claim that the requirement is unduly burdensome. Then the Judge accepts it or says "no, comply". If the company still doesn't fork over the data, then the company faces charges. Sooner or later companies are going look at the money involved in fighting court cases where the country's tax base bankrolls it's lawyers and realize that this fight is not one they can win and stay in business.

What's worse is, letting the government come up with "a solution" on their own because big execs in IT companies want to play to the crowd. I would not trust the government to come up with the best solution to these issues.
 
It's already in a case, I just have no time to look it back up.

A Judge didn't say "how" the company had to provide the data, only that they must. If the company does something like encrypt data in a way that they can not comply, then they simply are unable to comply and then it becomes a straight up issue, will such a thing be allowed or not.

See, this is always the rub, I don't have to get into the weeds and tell you how, or make allowances for anything. I just have to tell you that you have to shit that data in un-encrypted human readable form and that is all there is to it. It's a court order, all you can do is appeal and claim that the requirement is unduly burdensome. Then the Judge accepts it or says "no, comply". If the company still doesn't fork over the data, then the company faces charges. Sooner or later companies are going look at the money involved in fighting court cases where the country's tax base bankrolls it's lawyers and realize that this fight is not one they can win and stay in business.

What's worse is, letting the government come up with "a solution" on their own because big execs in IT companies want to play to the crowd. I would not trust the government to come up with the best solution to these issues.
I don't see how the government can force someone to do something they cannot do, and then hold them in contempt of court (which is what you're suggesting). It's not even an unduly burdensome thing to do, it's just not possible.

Does google or apple offer this service? Can the courts go company A and ask them to do something they do not do? Is there history that this has taken place in the past? Is there any legal law that mandates that google/apple perform these services or have the ability to decrypt the phones? Is there any legal mandate in any other electronic system to decrypt on court order?
 
Because they, (companies), have a legal requirement to be able to comply with court ordered requests for information. Why do you guys not understand this. The law says that they must be able to provide the information when legally and properly requested. It's not "the should", it's not that "they may", they must.

It's not Apple's or whatever company you like's data, it's the customer's data. The government can go serve a warrant / court order to the person who has the data. After you get enough of these warrants, one of two things happens, you pull a Verizon and start charging obscene amounts of money for the data, or you go all in like Signal and try to reduce the amount of data you have to the minimum required to provide the service. Outside of highly regulated fields like banking and hazardous materials, the government can't compel you to collect data you don't need to provide a service, only to provide the collected data on court order.
 
For me the only question is does Amazon or Google get regulated first.

Google for information access, Amazon for AWS supporting so much of the web.
 
Outside of highly regulated fields like banking and hazardous materials, the government can't compel you to collect data you don't need to provide a service, only to provide the collected data on court order.

Actually they can. The courts have, in the past, forced telecoms to start gathering data for the govt. They have even forced the telecoms to allow the govt to install things on their systems...
 
The idea is not to force them to do what they can't do.

The idea is to set legal requirements in a manner that make the impossible not an issue..

For instance, if the law says that they must surrender the man's email and browser history and other meta data in an unencrypted format, then the company can not use use security methods that make it impossible to do so.

Look, there are only a few categories of encryption, you can encrypt data in transport, you can encrypt data at rest, and you can encrypt data in process. If a company has a requirement to provided this information on demand, then they have to work out a way to do so, period, and if that means that they have keep copies of keys or whatever in order to meet these requirements, then that's the law.

In short, if a company has a Federally mandated requirement to do something, choosing business practices that make it impossible to comply is the company's problem and doesn't in any way lift the requirements that it knows, by law, it must meet.

This is why I keep insisting that everyone is better off if industry works with the government on how to deal with this issue. Playing the stubborn mule and hoping the problem will go away is only going to lead to government regulation that will be even worse then what they could come up with together.
 
I have no problem with warrants and getting legal access to things. I DO have an issue with giving the government a secret backdoor into everything. I *mostly* trust our legal system but I dont trust that it wont get abused by well intentioned government individuals and/or police detective that "just wants to keep kids safe" etc. Nor do I trust that some third party (i.e. a foreign power) will have the same level of respect that our govt currently has.

Lets be honest - once you build it you might as well make it public because it will be found and it will be exploited. I expect if they ever do try to mandate something like this it will be held up for decades in court and will land itself before the Supreme Court.

I get what you are saying, but I do not accept what some people claim is a black or white situation. There are many people that think that there are only two possibilities, full encryption and perfect protection, or 'secret back doors" that can be found or exploited or abused.

I believe that there are enough smart people, with the required resources, to be able to figure out a way to keep our personal information completely secure from unauthorized access, while still making it possible for companies to comply with valid court orders for that information. And of course I also believe that these same people who see this as black and white and refuse to engage and try to work out a good solution, will only drive the government to dictate a solution that is no solution at all.
 
I get what you are saying, but I do not accept what some people claim is a black or white situation. There are many people that think that there are only two possibilities, full encryption and perfect protection, or 'secret back doors" that can be found or exploited or abused.

I believe that there are enough smart people, with the required resources, to be able to figure out a way to keep our personal information completely secure from unauthorized access, while still making it possible for companies to comply with valid court orders for that information. And of course I also believe that these same people who see this as black and white and refuse to engage and try to work out a good solution, will only drive the government to dictate a solution that is no solution at all.


That's now how math works, which is what all encryption is based on. They cannot create a secure backdoor that can only be accessed by proper authorities, regardless of how many smart people are on the team. If a back door is there, is a vulnerability that WILL (not if) be exploited by hackers at some point. It's only a matter of time. It's completely black and white in this regard. *Devops engineer that works in this field*

Now, if it's a company like VZ that's operating as a phone provider, they are obligated to keep certain records in order to operate in the country. In that case, yes, they have to have the specific records available on demand. That's part the regulations they agreed to in order to run their business here. A company selling hardware is not in the same boat, and should not be obligated to provide anything. And if apple really is able to retrieve the data from the phone, that means the encryption they use is not secure, period. It may be a month, a year, 3 years whatever, it will be hacked. Some of those super smart minds you suggested are going to be using them for nefarious purposes, and they will crack it.
 
That's now how math works, which is what all encryption is based on. They cannot create a secure backdoor that can only be accessed by proper authorities, regardless of how many smart people are on the team. If a back door is there, is a vulnerability that WILL (not if) be exploited by hackers at some point. It's only a matter of time. It's completely black and white in this regard. *Devops engineer that works in this field*

Now, if it's a company like VZ that's operating as a phone provider, they are obligated to keep certain records in order to operate in the country. In that case, yes, they have to have the specific records available on demand. That's part the regulations they agreed to in order to run their business here. A company selling hardware is not in the same boat, and should not be obligated to provide anything. And if apple really is able to retrieve the data from the phone, that means the encryption they use is not secure, period. It may be a month, a year, 3 years whatever, it will be hacked. Some of those super smart minds you suggested are going to be using them for nefarious purposes, and they will crack it.


Dude, really try thinking beyond the concept of point to point encryption.

Challenge yourself for one moment and put yourself in the position of having to come up with a secure solution that offers encrypted data in transport and encrypted data at rest, but still allows access when the company needs access to meet proper legal government needs. And try and do it without being an insulting fool that thinks they are talking to an ignorant moron, instead, talk as if you are addressing a guy who has been using encryption since 1982 and is a current IT professional.

Oh, and don't use that stupid term "backdoor" cause I am not talking about a backdoor and I do not believe at all that the only way to do this is via a backdoor.

And the authorities do not need access, the just need the data surrendered to them when properly requested.

These responses from people insisting on using the word backdoor and insisting the entire issue is about the government being able to directly access the data represents people who just want to stonewall every conversation because they just don't want things to be any other way then how they want it. The one thing I am absolutely sure of is that things staying the way you seem to want them is not going to come out the way you want it to.
 
Dude, really try thinking beyond the concept of point to point encryption.

Challenge yourself for one moment and put yourself in the position of having to come up with a secure solution that offers encrypted data in transport and encrypted data at rest, but still allows access when the company needs access to meet proper legal government needs. And try and do it without being an insulting fool that thinks they are talking to an ignorant moron, instead, talk as if you are addressing a guy who has been using encryption since 1982 and is a current IT professional.

Oh, and don't use that stupid term "backdoor" cause I am not talking about a backdoor and I do not believe at all that the only way to do this is via a backdoor.

And the authorities do not need access, the just need the data surrendered to them when properly requested.

These responses from people insisting on using the word backdoor and insisting the entire issue is about the government being able to directly access the data represents people who just want to stonewall every conversation because they just don't want things to be any other way then how they want it. The one thing I am absolutely sure of is that things staying the way you seem to want them is not going to come out the way you want it to.


So you're saying they should add a 'method' that allows them to decrypt your data without your private key, but can't call that a back door....... We can call it the 'super secret secure government access pathway to protect us from terrorists' if you want, but that doesn't change what it is. The point of encryption is you can only decrypt with your private key. If you lose the key, you lose your data. That's secure encryption, and anything less is useless. Now if we forget things like math and add a master key or some other method to decrypt outside of the private key and that gets leaked, ALL users encrypted data is at risk. It doesn't matter their intent, or what they call it, that's still a vulnerability in the encryption that will eventually be taken advantage of by hackers, or better yet, our own government. Since they've proven they don't need to concern themselves with silly things like laws....
 
So you're saying they should add a 'method' that allows them to decrypt your data without your private key, but can't call that a back door....... We can call it the 'super secret secure government access pathway to protect us from terrorists' if you want, but that doesn't change what it is. The point of encryption is you can only decrypt with your private key. If you lose the key, you lose your data. That's secure encryption, and anything less is useless. Now if we forget things like math and add a master key or some other method to decrypt outside of the private key and that gets leaked, ALL users encrypted data is at risk. It doesn't matter their intent, or what they call it, that's still a vulnerability in the encryption that will eventually be taken advantage of by hackers, or better yet, our own government. Since they've proven they don't need to concern themselves with silly things like laws....


Why do you say "government access" again, the company is accessing the data, not the government.

And not every encryption solution allowed the Private key to only be held by the user, for a long time companies retained copies of the private key. When Apple made that change this is what they said they did, stopped keeping a copy of the user's Private Key.

There are two big things that go into this that you do not want to recognize. The first is that by your arguments, there is not a 'reasonably secure" solution, only perfectly secure or insecure.

The second is that you only see encrypted data in a single "state". For instance, I think you imagine that data encrypted in transport is in the same state as data that is encrypted at rest but they are not. Even when you add data encrypted in process there still remains a state in which data is not actually in an encrypted state. If you take a file on your personal computer and encrypt it, say with PGP, that file is encrypted and if you send it via email on an encrypted connection then that data is encrypted data that is further being transmitted and encrypted again, like double encryption. But if you send an unencrypted file via an encrypted communications session to a remote process, say on-line banking, and that banking application does not encrypt data in process, the data is not encrypted as it is being processed by the banks application. Now if that server then stores the result of your banking on a storage system via it's database, transmission between the app and the resulting database server could be encrypted and the storage system could encrypt the data at rest. Try and imagine at which points your private key would matter?

So let's stop being obtuse referencing math and "secure government access pathway to protect us from terrorists" and talk about solutions because I am telling you that as long as industry tries to mimic your arguments as if the people on the other end are ignorant totalitarian clowns, your going to wake up one day with new laws that you will not be happy with and you will see your views of what the government is confirmed.

If you keep playing stupid with them they are going to come back and play stupid with you.
 
You're kidding yourself if you think they aren't going to pass those laws anyway. Sure they can go after the megacorps with regulations requiring it, but then all the 'bad' people will just move to different open source encryption. Us common folk will get f'd in the process, like usual. So apple/google playing ball is not going to accomplish anything.

And bringing up obtuse references to math? wtf do you think encryption is built on... It's all math. If opinions from others on the forum won't change your mind because of your countless years of experience, how about checking what the top professionals in the crypto field think about the solutions you/our technologically inept congress are proposing.....
 
You're kidding yourself if you think they aren't going to pass those laws anyway. Sure they can go after the megacorps with regulations requiring it, but then all the 'bad' people will just move to different open source encryption. Us common folk will get f'd in the process, like usual. So apple/google playing ball is not going to accomplish anything.

And bringing up obtuse references to math? wtf do you think encryption is built on... It's all math. If opinions from others on the forum won't change your mind because of your countless years of experience, how about checking what the top professionals in the crypto field think about the solutions you/our technologically inept congress are proposing.....


It's because despite your insistence otherwise, the problem is not an encryption problem.

Encryption is a tool, it's a security mechanism. The problem is companies using encryption and privacy as an excuse to not have to comply with government requests for information. If the government requires that an ISP maintain customer communications for up to five years and to deliver that data when properly requested by Court Order. And if a company develops business processes in which encryption prevents them from being able to comply with said court orders, then the company is not operating within the limits of the law.

Apple made changes to how they implement encryption. They promoted it and "sold it" to their customers. And at the first serious test, an entity from Israel cracked their encryption solution. Something that Apple said couldn't be done. I think the FTC has a case against Apple on the grounds that they promised something they couldn't deliver, and knew it.

So how much would you be willing to bet that the "crack" was just what I mentioned earlier, that the data was not encrypted in process. Maybe it's the email app that doesn't handle the data it's processing in an encrypted state, or something else, maybe the phones file browser, whatever.

But what this should point out to you is that encryption itself is simple math, implementing encryption as an end to end mechanism isn't as simple or foolproof as people seem to think, and because it's actually a much more envolved process, there are perfectly suitable ways to both secure people's data and be able to comply with government requirements.
 
Customers demand privacy. Companies build security guarantees in to their products to satisfy customer demands. Warrant comes later, said company should fundamentally not be able to break the security guarantee they built in to their product without discovering a vulnerability. Security by design. It's not that hard.
 
It's because despite your insistence otherwise, the problem is not an encryption problem.

Encryption is a tool, it's a security mechanism. The problem is companies using encryption and privacy as an excuse to not have to comply with government requests for information. If the government requires that an ISP maintain customer communications for up to five years and to deliver that data when properly requested by Court Order. And if a company develops business processes in which encryption prevents them from being able to comply with said court orders, then the company is not operating within the limits of the law.

Apple made changes to how they implement encryption. They promoted it and "sold it" to their customers. And at the first serious test, an entity from Israel cracked their encryption solution. Something that Apple said couldn't be done. I think the FTC has a case against Apple on the grounds that they promised something they couldn't deliver, and knew it.

So how much would you be willing to bet that the "crack" was just what I mentioned earlier, that the data was not encrypted in process. Maybe it's the email app that doesn't handle the data it's processing in an encrypted state, or something else, maybe the phones file browser, whatever.

But what this should point out to you is that encryption itself is simple math, implementing encryption as an end to end mechanism isn't as simple or foolproof as people seem to think, and because it's actually a much more envolved process, there are perfectly suitable ways to both secure people's data and be able to comply with government requirements.



Ok, you're all over the place here.

1- All sites are going to SSL now. Chrome is about to start posting warnings when you hit any site not on SSL. Once all sites have switched over, the ISPs will no longer have access to any of that data at all. They will see encrypted traffic flowing through their networks, but will not have access to content. They have no way to open the SSL tunnel and view the content either, without the browser showing a big warning that the site/cert are not secure and require you to add an exception. So they couldn't comply if they wanted to.

But, that's why I think we are about to get fucked with some new regulations from the ISPs with NN and our privacy rights now gone. They will force you to install their SSL proxy cert, so they can open the tunnel and see the traffic. Most likely changing their TOS so you either agree or you can't use their network. They are going to ban point to point VPNs. You'll have to sign of for their intermediate VPN service, so once again they can see the traffic. I have zero doubt this is coming, and they'll lobby our dinosaurs to pass regulations allowing/requiring it.


2- The apple hack was done on a phone where all data was at rest (Considering the asshat was dead and couldn't unlock the phone for them). There is no white paper/POC released on how it was done, and no one else has confirmed it was either. So I'm still thinking either the FBI is full of shit, never unlocked the phone but said they did and 'found nothing on it' to save face, or apple helped them unlock it. If it's neither of those, then yes, the encryption is not secure. I'm gonna go with they're full of shit since they have a large backlog of phones from criminal investigations they still can't unlock, or they would have done it already. FTC would most likely need to see proof as well if they were to be able to do anything about it....


3- Encryption is NOT simple math.... This is the kind of shit PhD mathematicians work on to create complex algorithms that cannot be broken in any reasonable amount of time. As computing power/speed increases, so does the size of the keys and complexity of the algorithms to compensate. If you are using encryption based on simple math, you're gonna have a bad time.



And like I said before, go look at what the leading people in the crypto field think. They have a far better/deeper understanding than you or I ever will. There is no secure way to do this without breaking encryption, making it insecure. The only people that think it is possible have zero idea of how encryption works, or what affects this change would have security-wise.
 
Back
Top