New Encryption Legislation Coming?

FrgMstr

Reuters has an interesting story about encryption in our lives, and while soft on facts it is instead noting the tone of what is being said by the U.S. Deputy Attorney General Rod Rosenstein. This morning Rosenstein basically told us that trying to negotiate with tech companies in the U.S. was a dead end when it comes to encryption. That might seem to signal an upcoming legislative move for "backdoors" that these tech companies afford to countries outside of the United States, but not inside the U.S. Quite frankly, this will likely be a long arduous fight for all involved. Thanks grtitan.

While echoing many arguments made by previous senior U.S. law enforcement officials, Rosenstein struck a harder line than his predecessors who led the Obama Justice Department, dismissing attempts to negotiate with the tech sector as a waste of time and accusing companies of putting sales over stopping crime.

“Company leaders may be willing to meet, but often they respond by criticizing the government and promising stronger encryption,” Rosenstein said during a speech at the U.S. Naval Academy in Maryland, according to a copy of his remarks. “Of course they do. They are in the business of selling products and making money. ... We are in the business of preventing crime and saving lives.”

Tech companies and many cyber security experts say requiring law enforcement access to encrypted products will broadly weaken cyber security for everyone. U.S. officials have countered that default encryption settings hinder their ability to collect evidence needed to pursue criminals.
 
The notion a law abiding citizen should surrender any rights or privacy because not doing so might hinder an investigation that is in no way related to that individual, lists amongst the most un-American bullshit I've ever heard our ever-competent, benevolent overlords "suggest".

Also, preventing crime? What is this fucking cretin talking about? The job of law enforcement is to respond and investigate. This asshat needs to find a new career; I hear sanitation workers are in high demand.
 
Attempt number 1923287491 for completely tech inept dinosaurs to try and pass laws on something they have absolutely no understanding of. "Just put in a back door, or give us the master key".... Sorry but E2E encryption doesn't work like that, and adding a feature like that makes the encryption useless. If they can access the data, eventually someone will exploit it.
 
Yes, so does the 4th, 5th, 6th, and 7th amendments to the US Constitution, but I don't think we should get rid of those either.
Oh but I'm sure they are already working hard on how to remove those pesky things from their way.
 
Oh but I'm sure they are already working hard on how to remove those pesky things from their way.
The 4th Amendment gets violated all the time due to people not knowing their rights, or not wanting to spend the money to lawyer up after said violation occurs. Some people would willingly give up their rights if trying to defend them would be an inconvenience. It's really sad. But I agree that the government would absolutely love to be able to just tear up the Bill of Rights.
 
I'm a bit wary when I see those people getting caught by terror plots considering the FBI has been caught many times endorsing these home grown terror plots: http://www.nytimes.com/2012/04/29/opinion/sunday/terrorist-plots-helped-along-by-the-fbi.html

The cat's out of the bag already with encryption. You can't legislate retroactive encryption. I mean you can, but it would be extremely stupid. I would fully expect that the FBI/CIA lose a few laptops which contain the backdoor keys in the future which would make all communication unprotected. They already have a history of doing this: http://www.cnn.com/2007/US/02/12/fbi.laptops/index.html

So no, I can't support any measure to destroy encryption. We already have the NSA working with exploits https://www.huffingtonpost.com/2014/04/11/nsa-heartbleed_n_5134813.html circumventing the law. Their efforts have hurt the US both technologically and in our companies' own reputation: https://www.scientificamerican.com/article/nsa-nist-encryption-scandal/ https://arstechnica.com/information...ked-zeroday-targeted-its-firewalls-for-years/

I understand the need to monitor for terrorist activities. The idea that the government needs to monitor everyone's communication or hurt lawful sensitive communication is ridiculous.
 
This argument implies that all encryption is created by companies alone? That's just not true.
 
On the one hand, we have the government with both a Law Enforcement venue and an Intelligence/Security venue. On the other hand we have private companies who most certainly collect far more personal information of far more diverse types than the government, who are resisting working with the government to come up with a solid middle ground that "we", (you know, the guys in the middle) don't go crazy over.

Fox guarding the hen house comes to mind right from the start, but continuing ..... from the government's angle I see two possible approaches. They can try to force the backdoor thing, or they can simply try to force companies that collect information to give up specific data that they "find permissible constitutionally", or even worse, everything that the companies collect from us because we have already shared it with third parties.

I really do so wish that business leaders would have engaged with the government on this to work out ways to do things instead of drawing a line in the sand and forcing the government to play hardball. I feel that with the right business leaders we might have had a chance to come out better because I feel that they could come up with better technological approaches than the government can alone.

If my crystal ball is working right, I'd say that if the government is going to enforce new rules on this issue, the first sign will be the death of anonymity on the internet. We'll see a law that requires all businesses to determine the real identity, within reasonable standards, of all customers who they do business with or offer services to, even if the services are free. This would include forums and blogs operated by any non-private entity to include hosting services. It's already the way most of the world operates so the US Government will simply be following suit. Once that is established, the rest is easy.

Keep in mind, this isn't something I want to see happen, it's just what I think we will see happen.
 
Things like this in congress will eventually lead to banning or requiring tracking on all crypto currencies being used in US jurisdictions.
 
It's already the way most of the world operates so the US Government will simply be following suit. Once that is established, the rest is easy.
China isn't the rest of the world and is one of the few places.

And when they do this, we will simply go to I2P and other p2p based variants. If they crack down at ISP level to stop that, certain groups are already ten years ahead beginning research into quantum mesh networks...

Backdoors used to be part of US law in the early days, this is why PGP was exported in a book. It was repealed for obvious reasons.
Of course a (((Rosenstein))) pushes this bullshit.

Have we not learned enough from Vault 7, IME and countless other backdoor breaches? They're already everywhere.
 
You don't need to break encryption to surveil people, the government just wants the ability to do it on the cheap. Hell look at WikiLeaks most the way they get information is exploiting the operating system and that gets around encryption. To me having the ability to legally send a coded message goes hand in hand with the first and second amendment.
Fully agreed, that is why I did not type that.
 
The Supreme Court has already ruled that law enforcement does not have an obligation to prevent crime. Now, at a high level, I think this is a good thing, because otherwise, every time a crime is committed and a law-enforcement officer was unable to stop it, they'd get sued.
Agreed. I never typed anything to the contrary or even addressed your point.

You people do have issues staying on topic.
 
I have said repeatedly that, regardless of how terrible an idea it is, the Government will not be content to be locked out of communications forever. From their perspective, when they have a valid warrant to search your phone then they should be able to. They aren't going to allow the companies to pass the buck on this indefinitely. "We can't unencrypt it by design" will become the impetus for forcing designs that do allow it.

I personally think this is a bad idea. I do not endorse it. I do, however, completely understand where they're coming from. It isn't a conspiracy theory to deprive you of your rights, it's a response to having their legal tools for information gathering neutered.
 
Encryption has always been evolving. If one is compromised, they move to a better one. Those that are using encryption to commit a crime or plan a crime are going to move to something better that's not compromised. Those that don't know shit (the guy in OP), will stick with what they have. So, this will target the Average Joe, not those that are using encryption for what it's designed for.
 
China isn't the rest of the world and is one of the few places.

And when they do this, we will simply go to I2P and other p2p based variants. If they crack down at ISP level to stop that, certain groups are already ten years ahead beginning research into quantum mesh networks...

Backdoors used to be part of US law in the early days, this is why PGP was exported in a book. It was repealed for obvious reasons.
Of course a (((Rosenstein))) pushes this bullshit.

Have we not learned enough from Vault 7, IME and countless other backdoor breaches? They're already everywhere.

I don't think you are getting me, most of the world requires users to create user accounts using and divulging their country's equivalent of a Social Security Number, only Americans think this isn't true. Anonymous access to business services and communications services just is not allowed. I'm not even talking about China, they take it even further, and I am not talking about a country blocking access to things. If you want to access a service that is available in your country, by a business that is in your country, you must create an account with them and part of that account creation process is entering your country's version of a National ID number. That is how a great big part of the world out there works and it certainly isn't just China cause I know it's that way elsewhere.

I find the entire "backdoor" term to be so disingenuous. A backdoor in this case refers to a way to gain unauthorized access. The government is not asking industry for backdoors. They are asking industry to work with them for solutions for authorized access. Authorized access means controlled access, permitted, sanctioned, logged, authenticated, and proper. For the access to be properly sanctioned, it must be constitutional and at times, authorized by court order, etc. This isn't a backdoor, it's not a secret hole that no one else is supposed to know exists.

Consider all this from a civil law point of view and not a criminal law angle. The government essentially serves businesses and the population in regards to civil law. In civil law, the government becomes the referee mostly and doesn't have a "dog in the fight" itself. Or think of the times that the federal government is enforcing regulation on big business, for instance when the FTC resumes this lawsuit against AT&T.
http://www.sfgate.com/business/article/FTC-lawsuit-against-AT-T-over-iPhone-data-speeds-11133842.php

If records regarding this lawsuit are stored with a third party company as a service, and the FTC subpoenas those records, and the records are encrypted and the hosting service can't get them, what then, and who loses?

Now maybe a personal view is all you want to take on this, how it affects or is likely to affect you personally. Maybe it's OK, let business look out for themselves, they do anyway right. Again, all I am saying is that I think the tech industry should have accepted the government's pleas for assistance in developing something that works and doesn't fuck us all. I say that because I don't have any faith in the government pulling it off all on their own and I absolutely do believe that the IT industry, by refusing to take part, will doom us to that "government solution" and I am not looking forward to that at all.
 
I find the entire "backdoor" term to be so disingenuous. A backdoor in this case refers to a way to gain unauthorized access. The government is not asking industry for backdoors. They are asking industry to work with them for solutions for authorized access. Authorized access means controlled access, permitted, sanctioned, logged, authenticated, and proper. For the access to be properly sanctioned, it must be constitutional and at times, authorized by court order, etc. This isn't a backdoor, it's not a secret hole that no one else is supposed to know exists.
I don't think you get it. Encryption is made to reduce access to only the parties that you want to get access to the information.

Backdoors are never a legitimate way of getting information. Never. Government mandating illegitimate access because of terrorism or crime is preposterous. The problem is two fold.
1) There is no encryption in the world that's still strong when it has holes purposely designed in the algorithm.
2) The government has no need to spy on citizens for any reason.

It simply will not work. Even if the government passed a law outlawing encryption methods without backdoors, people will simply import algorithms from other countries or use existing non-backdoor encryption methods like PGP. Do you really want to live in a country where a mathematical formula is outlawed?
 
Encryption has always been evolving. If one is compromised, they move to a better one. Those that are using encryption to commit a crime or plan a crime are going to move to something better that's not compromised. Those that don't know shit (the guy in OP), will stick with what they have. So, this will target the Average Joe, not those that are using encryption for what it's designed for.

Not true by a long shot my friend. Smart criminals may stay ahead of the game. Then there are the stupid ones. Just like when I was in Iraq, yes there were smart insurgents, but then there are all the rest and man did they do some stupid ass shit all the time. If anything, we missed them precisely because we didn't check some things thinking that they couldn't be stupid enough to do that ..... wow were we giving them too much credit.

And when you say "this will target the Average Joe", what exactly is it that will be targeting someone cause I didn't read anything at all about anything that could be construed as an action or process, or anything like that, that could be targeting someone.
 
I don't think you get it. Encryption is made to reduce access to only the parties that you want to get access to the information.

Backdoors are never a legitimate way of getting information. Never. Government mandating illegitimate access because of terrorism or crime is preposterous. The problem is two fold.
1) There is no encryption in the world that's still strong when it has holes purposely designed in the algorithm.
2) The government has no need to spy on citizens for any reason.

It simply will not work. Even if the government passed a law outlawing encryption methods without backdoors, people will simply import algorithms from other countries or use existing non-backdoor encryption methods like PGP. Do you really want to live in a country where a mathematical formula is outlawed?

Again, you are exactly right in what a backdoor is, and you turn right around and misuse it in application. The government is not asking for backdoors even though that is what other people call it in the media reports. The government is asking for valid, legitimate access. Calling it a backdoor is just a way to make their requests sound unreasonable.

"Sir, I have a warrant here to search your house, would you please unlock the front door and come with me while I conduct a search for this and that?"

"No you can't sneak in the backdoor and rummage through my entire house looking for whatever you can find to pin a charge on me!"

"Umm, Sir, the warrant only authorizes me to look through your bedroom for a 9mm handgun, your wife says that you shot the TV with it and you always keep it on your night stand"

"Oh no, I'm not going to let you sneak in the backdoor and rummage through my entire house looking for whatever you can find to pin a charge on me!"

This is what the backdoor argument sounds like to me.

And you don't need to explain to me what encryption's purpose is. I was probably using it long before you were born.

Why do you guys keep insisting that the only way to support government access to data is via a backdoor? Why can't you ever admit that it would be perfectly easy to engineer secure access to data. So stupid.
 
Again, you are exactly right in what a backdoor is, and you turn right around and misuse it in application. The government is not asking for backdoors even though that is what other people call it in the media reports. The government is asking for valid, legitimate access. Calling it a backdoor is just a way to make their requests sound unreasonable.

"Sir, I have a warrant here to search your house, would you please unlock the front door and come with me while I conduct a search for this and that?"

"No you can't sneak in the backdoor and rummage through my entire house looking for whatever you can find to pin a charge on me!"

"Umm, Sir, the warrant only authorizes me to look through your bedroom for a 9mm handgun, your wife says that you shot the TV with it and you always keep it on your night stand"

"Oh no, I'm not going to let you sneak in the backdoor and rummage through my entire house looking for whatever you can find to pin a charge on me!"

This is what the backdoor argument sounds like to me.

And you don't need to explain to me what encryption's purpose is. I was probably using it long before you were born.

Why do you guys keep insisting that the only way to support government access to data is via a backdoor? Why can't you ever admit that it would be perfectly easy to engineer secure access to data. So stupid.
There are issues with your analogy.

We're talking about data, not physical items. Data which in the past could be memorized. The government can't force you to spit out information in your head.

The second big issue is a difference in scope. Warrants are targeted and have a specific limit. The government enforcing backdoors on encryption goes far beyond that as there is no scope and no limits. The main issue has always been with the strength of the encryption. If the government has sanctioned access like you are claiming, then what's to stop foreign governments from getting the same access? What's to stop businesses from spying on other businesses?

The analogy would be saying that governments mandate that a secondary access to vaults be installed on each bank vault in which they only have access so they can bypass opening the vault normally. You're telling me that information will never fall into the hands of bank robbers? It's only safe to assume that they will eventually find out and use it.

In this same analogy, would you feel the same way if your local government forced you to give them a copy of the key to your house/apartment/car? That's what they're asking for with vague notions to protect you.

Would you allow the post office to open your mail and read it for your security?
 
Not true by a long shot my friend. Smart criminals may stay ahead of the game. Then there are the stupid ones. Just like when I was in Iraq, yes there were smart insurgents, but then there are all the rest and man did they do some stupid ass shit all the time. If anything, we missed them precisely because we didn't check some things thinking that they couldn't be stupid enough to do that ..... wow were we giving them too much credit.

And when you say "this will target the Average Joe", what exactly is it that will be targeting someone cause I didn't read anything at all about anything that could be construed as an action or process, or anything like that, that could be targeting someone.

Ok, targeting was the wrong word. Affecting might be the better one. Those smart people are going to stay ahead of the game, like you say. These regulations won't stop them.

Yea, there are some dumb criminals out there.

Having someone else have access to encrypted data that wasn't meant for them kind of defeats the purpose, regardless of if it's a government agency or not. Even if they are investigating a crime. I can come up with arguments all day, but it comes down to one thing for me - I don't like it. I want some privacy, even with my non-criminal data. Hell, if they asked nicely, I'd let them see any of it. But, I'm not the one the law would be made for. But, I'd be affected by it. I highly doubt they'd want to see my stupid stuff, but if someone else had access to my encrypted data, I'd consider it compromised.
 
There are issues with your analogy.

We're talking about data, not physical items. Data which in the past could be memorized. The government can't force you to spit out information in your head.

The second big issue is a difference in scope. Warrants are targeted and have a specific limit. The government enforcing backdoors on encryption goes far beyond that as there is no scope and no limits. The main issue has always been with the strength of the encryption. If the government has sanctioned access like you are claiming, then what's to stop foreign governments from getting the same access? What's to stop businesses from spying on other businesses?

The analogy would be saying that governments mandate that a secondary access to vaults be installed on each bank vault in which they only have access so they can bypass opening the vault normally. You're telling me that information will never fall into the hands of bank robbers? It's only safe to assume that they will eventually find out and use it.

In this same analogy, would you feel the same way if your local government forced you to give them a copy of the key to your house/apartment/car? That's what they're asking for with vague notions to protect you.

Would you allow the post office to open your mail and read it for your security?

They're talking about requiring access to encrypted data specifically because they can't serve a warrant against it currently. If you had some shield you could slap over your house at will that would make it impossible to get inside, then a physical warrant would be worthless. Encryption does the same thing for data. Thus the push for alternate methods. There is no physical object that represents the same burden to acquisition of legal evidence. Safes can be cracked. Safety deposit boxes can be drilled. Foreign bank accounts can still be pulled. The scope that you mention is exactly the problem: they can either accept the current situation in which they can access nothing, or they can legislate that they have potential access to everything. Which do you think they're going to choose?

Again: not supporting this position, just saying that for law enforcement the privacy advocates have pushed them into a corner. I would wager that their ability to gain information in response to a warrant is far worse now than in any previous time period and it will only get worse as more and more people upgrade to new phones that support encryption by default.
 
There are issues with your analogy.

We're talking about data, not physical items. Data which in the past could be memorized. The government can't force you to spit out information in your head.

The second big issue is a difference in scope. Warrants are targeted and have a specific limit. The government enforcing backdoors on encryption goes far beyond that as there is no scope and no limits. The main issue has always been with the strength of the encryption. If the government has sanctioned access like you are claiming, then what's to stop foreign governments from getting the same access? What's to stop businesses from spying on other businesses?

The analogy would be saying that governments mandate that a secondary access to vaults be installed on each bank vault in which they only have access so they can bypass opening the vault normally. You're telling me that information will never fall into the hands of bank robbers? It's only safe to assume that they will eventually find out and use it.

In this same analogy, would you feel the same way if your local government forced you to give them a copy of the key to your house/apartment/car? That's what they're asking for with vague notions to protect you.

Would you allow the post office to open your mail and read it for your security?

My analogy isn't an analogy about what is being asked for.

My analogy is intended to highlight this circuitous usage of the term backdoor.

I tell you the government isn't asking for a backdoor and you just ignore that as if it was never said and go right on talking about backdoors.

Here is an example of an engineered solution.

Verizon has decided to work with the government regarding access to encrypted data. Verizon hangs a workstation for government access on their network within their storage network, inside the fiber hard zone with the storage systems. This workstation can not communicate outside of that zone, all it can talk to is the storage systems where data is stored. Copies of all encryption keys are stored on this workstation in an encrypted format where they can only be used on this one workstation, there is a printer and a DVD ROM on this workstation for the data retrieved from searches.

The FBI shows up with a Court Order to search for email within a given data between the data owner and two other email accounts along with location data that is timestamped within 5 minutes before and after each email that was sent or received from the data owner to the two accounts. The Verizon employee who is tasked with these court order data requests operates the terminal and conducts the searches as defined in the warrant. The data is copied in encrypted format to removable media and passed to the FBI Agent who witnessed the process and verified the search terms of the queries.

This is not a backdoor. If the warrant doesn't possess the specificity required by the agreement between Verizon and the Government, Verizon can choose to take it to the Judge and argue that the search terms are too broad. No one can gain access to that workstation without physical access to the server room and any other security measures Verizon chooses to make use of. It's in as secure of a network location as can reasonably be expected.

With some thought, Apple, Verizon, any one of them could come up with even a better solution than mine. It's not a backdoor and it's as secure as anyone could ask for. Furthermore, it's an opportunity for Verizon and Apple and the others to engage with the government and explain what they require of the government for this agreement. They can start with more specific warrants that aren't just carte blanche fishing trips through a person's entire data cache.

This is how I see it. If you don't agree fine, but for fuck's sake give up on this backdoor dodge because I know you're smarter than that, I certainly am.
 
What about the old manual encryption, so you write an email that looks like a bunch of gibberish for the other person to hand decipher. They gonna prosecute you for that? Between shit like this and the cases where they detain people indefinitely for not providing passwords, I can guess how that would pan out.
 
Ok, targeting was the wrong word. Affecting might be the better one. Those smart people are going to stay ahead of the game, like you say. These regulations won't stop them.

Yea, there are some dumb criminals out there.

Having someone else have access to encrypted data that wasn't meant for them kind of defeats the purpose, regardless of if it's a government agency or not. Even if they are investigating a crime. I can come up with arguments all day, but it comes down to one thing for me - I don't like it. I want some privacy, even with my non-criminal data. Hell, if they asked nicely, I'd let them see any of it. But, I'm not the one the law would be made for. But, I'd be affected by it. I highly doubt they'd want to see my stupid stuff, but if someone else had access to my encrypted data, I'd consider it compromised.

Now this I can get. An honest to god, "I just don't like it" is actually OK with me. I'm not one of those people who insists that you have to be like me. I'll tell you what I think and you tell me what you think and we both get to say our piece. What I can't get behind is someone who acts like they want to discuss an issue but refuses to consider anything you might say in that discussion and instead just repeats some tired mantra like a propaganda puppet.

In my example above there exists a problem right? The Verizon employee who has access to the entire world. What do you do about him, do we just depend on Verizon to hire only the most trustworthy? Hmm, maybe the computer workstation can only be accessed with a security token that is issued to the Agent, a one time use smart card. It's sort of like the two guys with two separate launch keys, can't launch a nuke without both keys. Maybe the Verizon employee can't be a normal sysadmin and doesn't have any elevated privileges on the workstation and a little booklet on how to use the search tool. But whatever they come up with, I bet that these IT tech people can figure out a smart way to do it that is acceptable to all parties involved.

I am just pretty sure that something good will not come of it if it's left up to the government to come up with all on their own.
 
What about the old manual encryption, so you write an email that looks like a bunch of gibberish for the other person to hand decipher. They gonna prosecute you for that? Between shit like this and the cases where they detain people indefinitely for not providing passwords, I can guess how that would pan out.

What about it? Encrypting something isn't a crime, but it's not a legal defense against a criminal charge either.

Those people who are "detained indefinitely" can get out any time they choose, they just have to give up their password and then they can get on with their trial. They control the length of their detention all on their own.

You know it's not the FBI or some local police force that ordered them jailed, it was a Judge, because the Judge was convinced, through evidence and testimony, that the person is lying and actually knows his password. Is there a chance someone could get screwed over? Certainly, people get wrongly convicted of murder too. The system isn't perfect, but it works for the most part and the other options are perhaps much worse.

King says "Off with his head"
 
I don't trust a government with my data that: gets breached and loses it, intercepts my data without cause, stores that data for untold periods of time, demands access to my household hardware, loses more data, buys exploits from hackers making it more profitable, won't agree to at least pay for my higher education and medical care in hopes that I'll die from manual labor poor, stupid and young so their jobs will be safe and paid for.
 
Damn, Democrats and their big and intrusive governments... Oh wait...

Like normal, it's not the size of the government or who's in power that's the problem. It's who the government works for, and it hasn't worked for the people in recent times since day 1 of the Reagan administration.
 
I don't trust a government with my data that: gets breached and loses it, intercepts my data without cause, stores that data for untold periods of time, demands access to my household hardware, loses more data, buys exploits from hackers making it more profitable, won't agree to at least pay for my higher education and medical care in hopes that ill die from manual labor poor, stupid and young so their jobs will be safe and paid for.

OPM had your records?

They had mine for sure.
 
My analogy isn't an analogy about what is being asked for.

My analogy is intended to highlight this circuitous usage of the term backdoor.

I tell you the government isn't asking for a backdoor and you just ignore that as if it was never said and go right on talking about backdoors.

Here is an example of an engineered solution.

Verizon has decided to work with the government regarding access to encrypted data. Verizon hangs a workstation for government access on their network within their storage network, inside the fiber hard zone with the storage systems. This workstation cannot communicate outside of that zone, all it can talk to is the storage systems where data is stored. Copies of all encryption keys are stored on this workstation in an encrypted format where they can only be used on this one workstation, there is a printer and a DVD ROM on this workstation for the data retrieved from searches.

The FBI shows up with a Court Order to search for email within a given data between the data owner and two other email accounts along with location data that is timestamped within 5 minutes before and after each email that was sent or received from the data owner to the two accounts. The Verizon employee who is tasked with these court order data requests operates the terminal and conducts the searches as defined in the warrant. The data is copied in encrypted format to removable media and passed to the FBI Agent who witnessed the process and verified the search terms of the queries.

This is not a backdoor. If the warrant doesn't possess the specificity required by the agreement between Verizon and the Government, Verizon can choose to take it to the Judge and argue that the search terms are too broad. No one can gain access to that workstation without physical access to the server room and any other security measures Verizon chooses to make use of. It's in as secure of a network location as can reasonably be expected.

With some thought, Apple, Verizon, any one of them could come up with even a better solution than mine. It's not a backdoor and it's as secure as anyone could ask for. Furthermore, it's an opportunity for Verizon and Apple and the others to engage with the government and explain what they require of the government for this agreement. They can start with more specific warrants that aren't just carte blanche fishing trips through a person's entire data cache.

This is how I see it. If you don't agree fine, but for fuck's sake give up on this backdoor dodge because I know you're smarter than that, I certainly am.
Let's define backdoor.
A backdoor is an alternate way to access the data.
There's the authorized front door method. That's having the right password, private key or whatever other method of decryption which is normal.
Backdoors are an alternate way which either use an intentional or unintentional method to access the data without having the required password/private key/etc.
Whether or not the backdoor is authorized or not doesn't change its definition as you are claiming it does. It makes zero difference.

What the government is asking for is a backdoor. There is no other word or definition to describe it.

Look, the analogy is suspect A cooks the accounting books and writes it all in code.

The warrant can get the police the encrypted book written in code. It does not grant them the decryption method to break the code.

So in the modern day world, police can get all the encrypted files they want, it doesn't grant them the ability to decrypt it.
 
Let's define backdoor.
A backdoor is an alternate way to access the data.
There's the authorized front door method. That's having the right password, private key or whatever other method of decryption which is normal.
Backdoors are an alternate way which either use an intentional or unintentional method to access the data without having the required password/private key/etc.
Whether or not the backdoor is authorized or not doesn't change its definition as you are claiming it does. It makes zero difference.

What the government is asking for is a backdoor. There is no other word or definition to describe it.

Look, the analogy is suspect A cooks the accounting books and writes it all in code.

The warrant can get the police the encrypted book written in code. It does not grant them the decryption method to break the code.

So in the modern day world, police can get all the encrypted files they want, it doesn't grant them the ability to decrypt it.

I disagree completely.

And if the government is not asking to circumvent use of encryption, keys, etc, as I stated in my example above, then it's not even a backdoor is it. Not even by your own definition.

And in the modern day, continuing with a hardline resistance to totally legitimate government demands for information that are constitutional and court ordered is only going to end one way, badly.

I suppose this is where we admit disagreement and we see if my crystal ball still works.

And while you seem happy with this prospect, the police not getting the unencrypted data, it also means your lawyer won't get the unencrypted results of his subpoena in support of your civil suit against your doctor for fucking up your wife's operation.

You guys only think of this from a law enforcement point of view, it's always the government who is going to come after you for the shit you like doing. It's never going to have any impact on problems you might have with investment companies that rip you off for your retirement investments, realtors that fucked you over when you bought your house, employers who fired you so they could hire their buddy's kid, drug companies who falsified test results with the FDA.

This shit is like tracer fire, it works both ways.


 
I disagree completely.

And if the government is not asking to circumvent use of encryption, keys, etc, as I stated in my example above, then it's not even a backdoor is it. Not even by your own definition.

And in the modern day, continuing with a hardline resistance to totally legitimate government demands for information that are constitutional and court ordered is only going to end one way, badly.

I suppose this is where we admit disagreement and we see if my crystal ball still works.
In your engineered solution, it's only a matter of time before someone gains access to that workstation (since it's not air gapped and can access the storage network, it's inherently connected to the network) and gains access to all the encryption keys.

In this case specifically, you are just giving the illusion of encryption, but instead storing all the data and keys at a central site and just hope that no one circumvents your security measures and gets access to everything. I can point to several examples of bad implementation which led to lots and lots of leaks (Sony PSN account leaks for example).

The main issue is that Verizon is not the military. They don't have the means to secure areas like the military does. Eventually some janitor is going to put in a USB key into that system and copy all the keys to it and sell it to someone.

Let me give a sample of why it's not constitutional:
"
Courts have consistently held that the Fifth Amendment does not prohibit compelling suspects to provide any of the evidence listed above because it is neither communicative nor testimonial in nature (Schmerber v. California, 384 U.S. 757 (1966)).

Courts have also agreed the Fifth Amendment does protect against compelling suspects to give statements to the police or to testify in a criminal case against them.

Applying this construct, the Supreme Court has found the Fifth Amendment does not protect against compelling a suspect to provide a key to lockbox because the key is a physical thing.

It does, however, protect against having to provide a safe combination because that is the “expression of the contents of an individual’s mind” (Doe v. U.S (1988), f.n.9).

If we analogize computer files to documents, case law also establishes that if a person voluntarily creates and possesses incriminating documents, he or she may nevertheless have to produce them in response to a subpoena or search warrant. That’s because the creation of such documents is not “compelled” (Fisher v. United States, 425 U.S. 391, 409-410 (1976)).

However, the act of producing documents may compel a person to implicitly admit that certain papers exist, are in that person's possession or control, and are authentic. In such circumstances, the production of documents communicates a lot more and, if compelled, may be privileged under the Fifth Amendment if likely to be incriminating.

Accordingly, in United States v. Hubbell, 530 U.S. 27, 36-37 (2000) the Supreme Court held the Fifth Amendment protected a witness from being compelled to disclose the existence of incriminating documents which the Government was unable to describe with “reasonable particularity” because such disclosure was, in effect, a statement the documents existed and where.

Whether the act of production has a communicative aspect sufficient to elicit Fifth Amendment protection is a fact-intensive inquiry (Fisher, 425 U.S. at 410). Producing documents is more likely to be a privileged act when a subpoena contains broad categories of documents, because responding is “tantamount to answering a series of interrogatories asking a witness to disclose the existence and location of particular documents fitting certain broad descriptions.” (Hubbell, 530 U.S. at 41-42.)

Encryption Technology
Encrypting data transforms it into a coded form that makes it unreadable to anyone but the author and the intended recipient of the document. Much of the software used in offices and on personal computers has encryption functionality built in.

Most forms of encryption require you to set a password, which allows you to encrypt the file and to decrypt it later on when you want to view it again. Encryption software is freely available and easy to use. Assuming the existence of a strong password, cracking encryption is not realistically possible.

The no-man’s land created by technology is whether compelled decryption is akin to:

a) The production of documents (may be privileged)
b) The production of a safe combination (privileged)
c) The production of a key to a lock box (not privileged)
d) Or something altogether different

Applying the safe-combination / lockbox-key dichotomy might mean that a fingerprint which unlocks an iPhone could be compelled, but a numeric passcode could not. "
https://www.policeone.com/legal/art...el-computer-decryption-with-a-search-warrant/
 
In your engineered solution, it's only a matter of time before someone gains access to that workstation (since it's not air gapped and can access the storage network, it's inherently connected to the network) and gains access to all the encryption keys.........................../

My own post following my "engineered solution"
In my example above there exists a problem right? The Verizon employee who has access to the entire world. What do you do about him, do we just depend on Verizon to hire only the most trustworthy? Hmm, maybe the computer workstation can only be accessed with a security token that is issued to the Agent, a one-time-use smart card. It's sort of like the two guys with two separate launch keys, can't launch a nuke without both keys. Maybe the Verizon employee can't be a normal sysadmin and doesn't have any elevated privileges on the workstation and has a little booklet on how to use the search tool. But whatever they come up with, I bet that these IT tech people can figure out a smart way to do it that is acceptable to all parties involved.

You're not a SAN admin are you?

A janitor could drop a USB key in, and get the keys, what then?

Data at rest is not encrypted in the same manner as your user data that is stored on the storage system. For instance, I manage NetApp storage systems and we can purchase disks that support automatic native encryption, whole disk encryption. The keys are stored on a separate server from the storage system. That is one level of encryption for the data at rest, then your user data is stored within, with its own encryption scheme. You could come in and take the physical drives and get nothing. As I said, a one time key gets generated and issued to the FBI agent for his part of the search, without that generated one time key, no one can access the workstation. You can put additional physical constraints on the workstation as well.

And Verizon isn't the military, I work in a SCIF, it's supposed to be pretty secure. I bet Verizon's server rooms are more secure than the SCIF I work in.
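
The two-key idea discussed in the posts above (an operator plus a one-time token issued to the agent) can be sketched as follows. This is an added example, not part of the thread and not any carrier's real system; all names are hypothetical, and both secrets are assumed to be random 32-byte values.

```python
import hashlib
import hmac
import secrets

def _pad(operator_secret: bytes, agent_token: bytes) -> bytes:
    # The pad depends on BOTH secrets, so neither holder can derive it alone.
    return hmac.new(agent_token, operator_secret, hashlib.sha256).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _check(key: bytes) -> bytes:
    # Stored tag that lets release() detect a wrong secret or a spent token.
    return hashlib.sha256(b"escrow-check" + key).digest()

class DualControlEscrow:
    """Hypothetical record for one escrowed 32-byte key (assumed random)."""

    def __init__(self, tag: bytes):
        self._tag = tag
        self._wrapped = b""

    def _rewrap(self, key: bytes, operator_secret: bytes) -> bytes:
        token = secrets.token_bytes(32)  # fresh one-time token for the agent side
        self._wrapped = _xor(key, _pad(operator_secret, token))
        return token

    def release(self, operator_secret: bytes, agent_token: bytes):
        """Return (key, next_token); the token just used stops working."""
        key = _xor(self._wrapped, _pad(operator_secret, agent_token))
        if not hmac.compare_digest(_check(key), self._tag):
            raise PermissionError("operator secret and a live token are both required")
        return key, self._rewrap(key, operator_secret)

def enroll(key: bytes, operator_secret: bytes):
    """Wrap the key; return the record and the first token (handed to the agent)."""
    if len(key) != 32:
        raise ValueError("key must be 32 bytes")
    escrow = DualControlEscrow(_check(key))
    return escrow, escrow._rewrap(key, operator_secret)

def demo() -> dict:
    key, operator = secrets.token_bytes(32), secrets.token_bytes(32)  # constructed
    escrow, token = enroll(key, operator)
    released, next_token = escrow.release(operator, token)
    results = {"released_ok": released == key}
    attempts = {"replay": (operator, token),
                "wrong_operator": (secrets.token_bytes(32), next_token)}
    for label, args in attempts.items():
        try:
            escrow.release(*args)
            results[label] = "released"
        except PermissionError:
            results[label] = "denied"
    results["next_ok"] = escrow.release(operator, next_token)[0] == key
    return results
```

This gates who can trigger a release; it does not protect the key after `release()` returns it into the workstation's memory.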
 
What about it? Encrypting something isn't a crime, but it's not a legal defense against a criminal charge either.

Those people who are "detained indefinitely" can get out any time they choose, they just have to give up their password and then they can get on with their trial. They control the length of their detention all on their own.

You know it's not the FBI or some local police force that ordered them jailed, it was a Judge, because the Judge was convinced, through evidence and testimony, that the person is lying and actually knows his password. Is there a chance someone could get screwed over? Certainly, people get wrongly convicted of murder too. The system isn't perfect, but it works for the most part and the other options are perhaps much worse.

King says "Off with his head"
*Until it happens to you.

Gotcha
 
You're not a SAN admin are you?

A janitor could drop a USB key in, and get the keys, what then?

Data at rest is not encrypted in the same manner as your user data that is stored on the storage system. For instance, I manage NetApp storage systems and we can purchase disks that support automatic native encryption, whole disk encryption. The keys are stored on a separate server from the storage system. That is one level of encryption for the data at rest, then your user data is stored within, with its own encryption scheme. You could come in and take the physical drives and get nothing. As I said, a one time key gets generated and issued to the FBI agent for his part of the search, without that generated one time key, no one can access the workstation. You can put additional physical constraints on the workstation as well.

And Verizon isn't the military, I work in a SCIF, it's supposed to be pretty secure. I bet Verizon's server rooms are more secure than the SCIF I work in.
I was never talking about someone coming in and taking disks. Your engineered solution has a computer with full access to the storage center, there's no need to physically steal anything. I could throw everything into a RAID 5 and if someone steals a disk they're not going to get anything useful. Full disk encryption is a joke, it's just so that people can get lazy about throwing out their old drives because the chance of someone getting something useful out of it is close to zero.
 