Encryption Is Not a Crime (privacyguides.org)
It puts the idea into the world that it could be a crime and maybe that it is the status quo.
Much better IMHO is something like "Encryption is a fundamental right.", "Encryption protects everyone.", "Without encryption there is no democracy." and so on.
Maybe "Don’t let them take your right to privacy."
I can imagine Iran has some effort to discourage use of VPNs, though of course everyone does.
I thought China simply made it easy to stay within the Great Firewall, and moderately difficult to get out.
Encryption is free association and free speech. Talking to someone about what I like without eavesdroppers
Transitioning gender is also free speech, freedom of expression. Presenting how I like and not how some wannabe king wants me to
Yeah, as someone who's viewed America from the outside for decades tragically it's no longer the country I once knew.
I wish people understood the American system at a philosophical level. What you call "American freedoms" are largely based off of negative rights, i.e. John Locke. Our Bill of Rights uses specific language like "Congress shall make no law", "shall not be infringed", "shall not be violated". It's inherently freedom from state action.
Over the past 100 years a different interpretation of rights has emerged, so-called positive rights as exemplified in FDR's second bill of rights; e.g. "the right to a good education" or "the right to earn enough to provide adequate food and clothing and recreation". This requires state action to facilitate freedoms for its citizens.
Unfortunately these systems are incompatible. I think a lot of the friction we are seeing in modern times can partially be traced to this contradiction.
They had an apartheid up to 60 years ago. There are living people from that time, and you can't believe in any human right and have an apartheid at the same time.
Is a legal requirement for others to affirm this expression also "free speech?"
Put more simply: the modern internet doesn’t work without encryption, it is a fundamental part of the technology. Without it, anyone could log into any of your accounts, take your money, messages, photos, anything.
But this particular article represents a particular pathology surrounding freedom. Freedom is supposed to be about doing what you want. It's not about making florid speeches about how free you supposedly are. If you want to use end-to-end encryption, just use it, and maybe offer advice to others on how to use it.
There are some politicians who have decided that only bad people use encryption. Going up to one of these politicians and trying to explain that you use encryption but you're actually a good person won't convince them that encryption's okay, it'll just convince them that you're a bad person. Politics is one of those things that attracts people who just want to find the shortest route to a decision about who are the good people and who are the bad people, and keeping secrets isn't something that those sorts of people like other people doing.
Unless you have evidence that the government is rounding up people just for using encryption, all this sort of advocacy does is to draw attention to you having something to hide, and therefore probably being some sort of wrong'un. If the government is rounding up people for using encryption, that's a specific threat you need to respond to, and starting a public campaign is not the right response.
Clearly the pressure on government to write these laws is coming from somewhere. You should engage with the arguments the other side makes.
We went from Patriot Act to literally disappearing people without due process in only 23 years. Imagine if they could also decrypt your phone and plant evidence in advance.
Even if you trust someone with your life and you know this person is never going to betray you and will always have your best interests at heart, that doesn't mean that they automatically get a free pass to view and inspect everything I do every minute of every day until I die.
Unfortunately, that is what these governments want.
If we want to play in a world with full transparency, let's start with the politicians!
Let's see how happy the voters are when they have to start walking to their bank again every week, can't order their latest Temu toxic waste product anymore and their GDP drops in half.
/s
Also 's/pedo/terrorist/', or {russian|chinese|iranian|north korean} spy or any "bad guy of the day".
0 - https://www.politico.com/story/2019/06/27/trump-officials-we...
And people wonder why democracy is out of style. With democrats such as these, you don't need tyrants.
If you ask anyone if privacy matters they will of course say yes. If you ask them why they use software with telemetry or websites with Google Analytics they will simply shrug.
If you ask them if it's alright for the NSA to collect and analyze data from everyone they will say yes and they have nothing to hide.
People don't know what privacy is. They don't know what they are fighting for or where the fight is taking place.
If you take that and then add encryption to the mix... and you have politicians and agency plants talking about "saving the children from online pedos" by banning these "encryption apps and technology"....
You nailed the problem. Privacy is the tension between freedom and overwatch. Perfect privacy would yield zero justice, while zero privacy yields big brother/1984 overwatch. A healthy balance must exist for society to thrive.
The only way to guarantee secrecy is through encryption, preferably e2e.
As long as we preserve the knowledge of one-time pads, they will not take this power from us.
1. There's a thing T in the world, and that thing has negative outcomes X, Y, Z, and positive outcomes A, B, C.
2. Some people believe that Y and Z are so bad, that they want to partly compromise C to diminish them.
3. However that will never work! And they'll definitely also take B if we let them mess with C.
4. Besides, C is so important, that we should accept Y and Z to have it.
I've heard it many times before. Reading this post feels like watching a rerun of Friends.
If so I don't believe it applies, in particular because you have stated that only a partial compromise on C is needed to prevent Y and Z.
There is no "partial compromise" on encryption, so this argument is flawed. There is no way to have encryption that "only the good guys" can break. It is either secure, or it is not.
But well, even that rebuttal is getting tiresome. It's the same people that keep pushing for banning air again and again. They control all the communication channels, so nobody can ever rebut them in a forum that matters, they control the governments, and they are still not popular enough to make that thing pass. Yet, they keep pushing for it.
I don't think we'll solve this by talking about this. We need to talk about systemic corruption instead. (But then, they control the communication channels...)
And of course the definition of terrorist will vary based on what politicians want. US recently sent some "Terrorists" to a gulag for example.
To me, the only sure end-end encryption is gnupg, where you personally create the keys and distribute.
See also: the ACLU.
And yet it seems like every last politician without literally a single exception thinks that it does work that way.
https://community.qbix.com/t/the-global-war-on-end-to-end-en...
a) This seems like a decent introduction to the subject of cryptographic regulation in the last 30 years. It's far from exhaustive, however. I do appreciate the collected references from diverse points in the last several decades.
b) I would have mentioned "Sink Clipper" and the ACLU "dotRights" campaigns. Neither are especially easy to find in the increasingly enshittified google cache, but Le Monde Diplomatique has this article, complete with a link to Sink Clipper poster (I think from the mind of Kurt Stammberger) that no collection of CypherPunk oriented ephemera from the era can be without: https://mondediplo.com/openpage/selling-your-secrets
The ACLU dotRights.org site seems to have receded into history, but some of its content is still available at the archive. For example: https://web.archive.org/web/20100126102126/http://dotrights....
c) Herb Lin presented a very nice paper back in the day comparing PROPOSED encryption regulation with ACTUAL encryption regulation. I think the thesis was through the 90s, proposed regulation was increasingly draconian (clipper, etc.) but actual regulation was liberalizing (effective deregulation of open-source tools.) I found Herb's page at Stanford and heartily recommend it if for no other reason than its sheer volume of written material: https://herblin.stanford.edu/recent-publications/recent-publ...
d) I was a little surprised the wired article linked to at the beginning of the piece didn't have that issue's front cover, which was sort of a cultural touchstone at the time. But you can see it here: https://pluralistic.net/2022/03/27/the-best-defense-against-... - and this one: https://www.reddit.com/r/Bitcoin/comments/1cgpktp/31_years_a... (dang, look at those non-receding hairlines!)
e) Making the web "secure" or "private" is like putting lipstick on a pig. Modern web technology is designed to de-anonymize and collect identifying information to enable targeted ad delivery. Though I generally respect Moxie Marlinspike and have no great beef with Signal, there has been a concerted effort to exploit its device sharing protocol and your carrier and national governments can easily extract traffic analysis info from people using it. Were I to add one sentence to this guide, it would be "While these tools are better than nothing, they are far from perfect."
f) The guide seems to conflate encryption with privacy. Encryption technology can enable privacy, but you're not going to get privacy from encryption technology unless you pair it with well reasoned policy (for organizations) and operational guidelines (for both organizations and individuals.)
The extreme example is to say "nothing stops a participant in an encrypted communication from sharing the un-encrypted plaintext after it's recovered." People earnestly trying to maintain message security probably know not to do that, but when talking about exchanging keys and figuring out which keys or organizations you should trust, it's easy for even the well-informed to make privacy-eroding decisions.
So... I think this article is a good jumping off point, covering material I would call "required, but not sufficient." I would just view it as the beginning of a deep-dive instead of the end.
What is wrong with:
* an expiring certificate
* issued by the device manufacturer or application creator
* to law enforcement
* once a competent court of law has given approval
* that would allow a specific user's content to be decrypted prior to expiry
There are a million gradations of privacy from "completely open" to "e2e encrypted". Governments (good ones!) are rightly complaining that criminals are using encryption to commit particularly awful crimes. Politicians are (mistakenly) asking for a master key - but what I feel we should as a community support is some fine-grained legal process that would allow limited access to user information if justified by a warrant.
Competent jurisdictions allow this for physical search and seizure. It's not unreasonable to ask for the same thing to apply to digital data.
A locked home's door is still trivially opened. You can pick the lock or even apply simple brute force, neither of which is all that difficult, and open happily it will. Similarly, I don't suppose anyone would be concerned about you using rot13 encryption. If a home could be sealed to the same degree as strong encryption, absolutely it would be a crime, for better or worse.
Scalability is the crux of why encryptions must not be infringed.
The claim that LEOs need to break encryption is based on laziness: they want to easily obtain access to communication, and at scale. They've always been able to obtain communication the hard way, and one-at-a-time - encryption doesn't change that.
A warehouse with shutters and bulky padlocks, a night security guard and camera system is a crime? A bank vault is a crime? Safety deposit boxes?
No, why would it be? The security guard isn't going to wage war with the police/military when they want in. The guard will politely comply to any legitimate (and probably even illegitimate) request for access.
> A bank vault is a crime? Safety deposit boxes?
Banks are heavily regulated by the government. They especially aren't going to impede access if push comes to shove.
Laws aren't created on purely theoretical grounds. They are created only when a problem that needs to be solved is identified. The government has never had much trouble accessing physical spaces when they feel a need to. They have had trouble accessing encrypted data.
And of course, UK being a country where every form of self-defense is the most serious crime, when attacked you must call police, then lie on the ground and die, is the cherry on top.
I wonder where in the UK you live, because up here in the North that definitely doesn't seem right - it's rare to see anyone non-white on the street.
I'm pretty pro encryption, but even this is pretty dishonest. Phones (ie. PSTN, not iPhones) aren't "encrypted" by any means, but there's plenty of sensitive information sent over it. Lawyers fax each other important documents, and doctors fax each other medical records. There was (is?) even telephone banking where you could do basic transactions over the phone. Even today, some banks/brokerages require you to phone in to do certain high risk operations (eg. high value transfers or account resets). All of this happens without encryption. While that's less security than I'd like, it's safe to say that "anyone could log into any of your accounts, take your money, messages, photos, anything" isn't true either.
There is plenty of encryption used when you send any sort of message from an iPhone, even SMS. You can’t even turn the dang thing on and unlock it without encryption. Then when you send it, it’ll be encrypted by the radio before transmission. Then in transit it may or may not be encrypted at various points.
And POTS is not the internet.
My overall point is that encryption is used all of the time when people use the internet for routine tasks that they expect to work, and would not work in a modern reasonable way without it.
People use these technical implementations details to muddy the water of this conversation and demonize encryption, when the reality is that everyone uses it literally all the time for almost everything.
It's only recently that more secure alternatives to faxing have become practical, like DirectTrust Secure Direct Messaging.
2. Is there a way for phone call man in the middlers to get that info without wasting a ton of time listening to calls? With internet MITM it is very easy to set up a program that scrapes unencrypted login info.
Being pedantic, that should read - the modern usage of the internet..
the internet does work ok without encryption, as it has done from a long time ago
The arguments are "Protect the children.", "Catch terrorists.", "Catch criminals.".
Those arguments have been engaged with for decades. They are purely emotional arguments. Anyone who still pushes those arguments forth is most likely doing so with ulterior motives and cannot be reasonably "engaged" with.
https://fedsoc.org/commentary/publications/encryption-techno...
> The arguments are "Protect the children.", "Catch terrorists.", "Catch criminals.".
> Those arguments have been engaged with for decades. They are purely emotional arguments. Anyone who still pushes those arguments forth is most likely doing so with ulterior motives and cannot be reasonably "engaged" with.
Oh come on. Why do you think "purely emotional arguments" are illegitimate? Are you some galaxy brain, coldly observing humanity from some ivory tower constructed of pure software?
Nearly all positions people take are, at their core, "emotional." And the disagreements that result in "arguments" are often really about differing values and priorities. You might value your "freedom" more than anything and are willing to tolerate a lot of bad stuff to preserve strong encryption, some other guy might be so bothered by child sexual abuse that he wants to give it no encrypted corner to hide in. You're both being emotional.
Software surveillance vendors.
> Chat control: EU Ombudsman criticises revolving door between Europol and chat control tech lobbyist Thorn
> Breyer welcomes the outcome: “When a former Europol employee sells their internal knowledge and contacts for the purpose of lobbying personally known EU Commission staff, this is exactly what must be prevented. Since the revelation of ‘Chatcontrol-Gate,’ we know that the EU’s chat control proposal is ultimately a product of lobbying by an international surveillance-industrial complex. To ensure this never happens again, the surveillance lobbying swamp must be drained.”
https://www.patrick-breyer.de/en/chat-control-eu-ombudsman-c...
This is a lie: obtaining cleartext just makes enforcement vastly easier and more scalable. If crims have encrypted mobile phones, you can still point a microphone at them.
Scalability is the big issue.
According to The New Oxford Companion to Law, the term crime does not, in modern criminal law, have any simple and universally accepted definition.
Society also determined it was ok to use a firehose on black people, so I think the best we can say is that the term Crime has nothing to do with Morality, and people who conflate the two need to be looked at with suspicion.
> You should engage with the arguments the other side makes.
I don't. I think most arguments about crime require one-side to act in bad-faith. After all: The author doesn't actually mean that Encryption isn't illegal in some jurisdictions, they mean that it shouldn't be. You know this. I know this. And yet you really think someone needs your tautological definition of crime? I don't believe you.
The article does address the flaws in some of their arguments (encryption inconveniences law enforcement, think of the children) by pointing out that the average person and children are kept safe from criminal elements by encryption.
*edited to add "on matters of faith"
https://www.rsaconference.com/library/blog/a-golden-key-to-u...
The back and forth discussion on cryptography is happening because there just isn't much middle ground. Either someone else can read your messages, or nobody else can. If one person can read them, the government will push on them until they crack.
The second thing that's wrong is the practice - despite the "going dark" panic spread by intelligence agencies, we have far, far less privacy than at any prior point in history, and spying on people, even people trying to hide, is much, much easier. So why the hell must we make it even easier still??
Law enforcement agencies currently have more data about each of us and more sophisticated tools to investigate crimes than at any time in human history.
> Politicians are (mistakenly) asking for a master key - but what I feel we should as a community support is some fine-grained legal process that would allow limited access to user information if justified by a warrant.
The problem with all backdoors is the human element. Master keys will be leaked. A process to gain access to a temporary key is also subject to the human factor. We’ve already seen this happen with telecom processes that are only supposed to be available to law enforcement.
The other issue is one of a legitimately slippery slope. The asymmetric nature of the power dynamic between governments and their citizens makes it even more critical to avoid sliding down that slope.
And finally, in the environment you propose, criminals will just stop using services that are able to provide such services to the government. Criminality will continue while ordinary citizens lose more and more of their rights.
I acknowledge the problems you raise, but it does seem to me that we have a good set of systems in place in the form of PKI that has a remarkable amount of flexibility.
It's frankly a bit of an article of faith in our community that encryption == unalloyed good and I think we'd be right to think more critically about that position.
Your limited lawful intercept example is reasonable to most, but as you yourself acknowledged, that's not what politicians are seeking. Therefore even if the community supports and enables "just that", politicians will eventually demand their wildcard cert. It will be a national emergency, after all.
Although I do disagree on the reasonable/unreasonable angle, because I don't tend to analogize the contents of your phone to the contents of your safe, but rather to the contents of your mind.
Frankly, if the NSA wanted to have Apple build a custom iOS version for a criminal so they could sniff his network traffic and flash content from the comfort of Maryland I don't believe that would be impossible today.
If they have the capability to decrypt the data, a court can compel them to do so, disregarding the process you suggest. A cyberattack could achieve it without a court order.
This can't be solved technically.
I suspect that there are many ways that can be achieved, all technical ;-)
There are already very good solutions for ensuring that key leakages are very difficult to do and limited in effect.
What that means is, there exists a master key in your scheme.
Maybe I am not allowed to write it down and also keep it secret.
The problem is that if the application has the power to do this then the rest is irrelevant.
That means hackers/governments/the CIA can force the application creator to do their bidding and enable mass surveillance.
For starters, I don't know a lot of good governments. So you'll have to define how you differentiate between a good one and a bad one.
> Governments (good ones!) are rightly complaining that criminals are using encryption to commit particularly awful crimes.
Secondly, criminals use public transport and roads built with taxpayer money to commit crime. Some even say that they breathe the same air as us honest citizens.
They also live in homes with 4 walls that you can't see through either.
I am being facetious but you can see where I am going with this.
If you think that the governments will stop at spying on criminals once this backdoor is in place, then I have a bridge to sell you.
Do you want your kids to grow up in a world where everything they do online will be analyzed, categorized and reviewed by some random government employee somewhere?
What if this government turns bad in the future as it has happened countless times in the past? What do you do then?
> I feel we should as a community support is some fine-grained legal process that would allow limited access to user information if justified by a warrant.
The problem with this line of thinking is that it doesn't hold up in the real world. Once you grant access to something like say your browser history to the government or any entity, what's to stop them to ask for more next time?
It's not a big deal right, they can say, well you gave us access to A, now we want access to B. Then in 3 years they will come back demanding access to C, D and E until your entire privacy has been taken away from you.
And every time, they will use the same excuses, fighting crime, fighting drugs, child grooming and terrorism.
> Competent jurisdictions allow this for physical search and seizure.
That is not even remotely comparable.
In those cases, you need a judge or someone to approve the seizure. With a backdoor that can be opened at any time, you should consider that nothing will be private because there is no one who is going to be monitoring it 24/7 to make sure that there are no abuses.
I'm not sure you've read what I wrote correctly. My hypothetical system would not allow the backdoor to be opened at any time, but it would require a certificate to be issued (derived from the manufacturer / application creator's root) that gives limited, expiring access on the production of court-authorised warrant, in exactly the same way a judge gives the police permission to enter your physical property.
Is the Indian government a good one, or Hungary's, or Turkish, German, or British, or the US? In the last case (well, in all cases), does "goodness" of a government depend on the current incumbent? What if a previously "good" government turns into an atrocious one?
See also: the detailed Dutch census, which was mostly harmless, until it fell into hands of the Nazis in 1940 and helped them to identify and exterminate almost all Jews in the country.
Good governments ensure that a breach of personal privacy has to travel through a legitimate process with an independent judiciary to limit the risk.
I'm pretty certain you're correct but I won't attempt to justify it in detail here as we have to bring out the political philosophy texts en masse.
In the light of the English Civil War many thought about politics and freedoms, Locke being one, his contemporary [almost] Thomas Hobbes with a different position—the Leviathan. Rights, freedoms and social contract theory was still raging nearly a century later with Rousseau whingeing about man being born free but everywhere he's in chains—opening line of the Social Contract. And there's still no universally agreed consensus.
Over the centuries political philosophy has covered almost every conceivable interpretation/position about the rights and powers of the State versus individual freedoms, so it's not for the want of options/choices. Dichotomies still remain because the citizenry is composed of people with a wide range of political beliefs many of which are incompatible (this has always been the situation).
We shouldn't expect a consensus.
As an example, the civil rights act necessarily curtails the freedom of association.
For many of us outside the US there's a dichotomy here. The North won the bitterly contested Civil War and freed the slaves but never really afforded them true freedoms. Why?
The perception from the outside is that conscience over slavery per se drove the North to war and not concern for the fact that slaves were actually people who were suffering enslavement and or unfairly treated.
Edit: Given the Civil War why was the Civil Rights Movement 100 years later necessary?
This site is not full of "normal people" and it shouldn't confuse people/ muddy the water if being discussed here
If your argument for encryption is "we need encryption because if it's banned overnight all our phones will turn into bricks!", then yeah sure I guess it's true. But even the diehard encryption opponents aren't arguing for this. My point is that you can very much have no encryption, but not "anyone could log into any of your accounts, take your money ...".
Many people are unaware that they use it in everyday life.
If you listen to discussions on this topic outside of technical forums, this perception is not uncommon. It’s important to be clear to laypeople about the ubiquity of encryption, because they are the majority of voters.
Nope, it's about exactly that. This policy would work only for law-abiding citizens which terrorists are not, that's the point.
Added: Neither the current gulag expeditions in the US nor Guantanamo have anything to do with US citizens, which is a big difference from GGP's comment.
Not in the vast majority of the United States.
To me, this just means that we must remain vigilant. The slow creep towards authoritarianism isn’t going to go away either. The solution is not to look for reasonable ways for authoritarian rules to exist. Continuous harmful pressure must be met with continuous resistance.
> Every society is a compromise between anarchic freedom and authoritarian tyranny
Except not every society is such a compromise. Some are fully under authoritarian control, and serve as a warning for others who are tempted by authoritarian ideas.
> this is another discussion about how a (relatively) new set of technologies can fit into that compromise in a way that is acceptable and reasonable.
Breaking encryption need not inherently be part of that compromise. And until someone can explain how breaking encryption will actually stop the kind of bad actors used to justify such a direction (vs. driving them deeper underground, i.e. even if you outlaw encryption, it’s not as if law breakers will obey such a law), I see no merit in entertaining such a compromise. The crimes being committed are already illegal.
> It's frankly a bit of an article of faith in our community that encryption == unalloyed good
I don’t think most people in our community see it as inherently/perfectly good, but as extremely important and necessary. This is a critical distinction. As with everything, there are harms that come with the good, and such is the nature of all things. The question becomes: are the harms allowed worse than the good that is preserved? And would the new harms of disallowing the status quo be potentially worse than the harms supposedly prevented?
> I think we'd be right to think more critically about that position.
I agree that we need to think critically about this. But clearly we disagree about what one should conclude from such a critical analysis. I’d argue that taking the position that the government needs more power - especially at this moment in history - is the result of not thinking critically enough.
Every society is on a continuum, and so represents some compromise between freedom for the citizen and power for the authorities. No society is perfectly free and no society is entirely authoritarian.
> Breaking encryption need not inherently be part of that compromise. And until someone can explain how breaking encryption will actually stop the kind of bad actors used to justify such a direction (vs. driving them deeper underground, i.e. even if you outlaw encryption, it’s not as if law breakers will obey such a law), I see no merit in entertaining such a compromise. The crimes being committed are already illegal.
Being able to legally access a private citizen's encrypted data in specific situations would help to (at least more rapidly) prosecute certain crimes more successfully. This is, I think, inarguably true. You can decide for yourself if that is worth a compromise. I'm somewhat on the fence.
> I don’t think most people in our community see it as inherently/perfectly good, but as extremely important and necessary. This is a critical distinction. As with everything, there are harms that come with the good, and such is the nature of all things. The question becomes: are the harms allowed worse than the good that is preserved? And would the new harms of disallowing the status quo be potentially worse than the harms supposedly prevented?
I think it's convenient and useful, but I hardly think it's necessary. Society managed to function just fine (although less conveniently) when strong encryption wasn't available for communications. Banking still happened, money still changed hands.
> I agree that we need to think critically about this. But clearly we disagree about what one should conclude from such a critical analysis. I’d argue that taking the position that the government needs more power - especially at this moment in history - is the result of not thinking critically enough.
It depends on how you define power. As society changes and new technologies emerge, maintaining existing government authority in new areas - and working out ways to ensure that authority is maintained - isn't really giving governments more power, but trying to ensure your society remains in the agreed location on the freedom/authority continuum.
If you see this as expanding powers, I can see how you would consider that a problem. But I think this is more about ensuring existing power is maintained correctly over a new area where crime is being committed.
But in the same way that as a society we allow physical privacy (and freedom!) to be removed under certain circumstances, we should consider allowing digital privacy to be removed in the same way. 1984 imagines a world where the authorities can enter your physical space at any time because they feel like it. But I don't lie awake worrying about that because I live in a society where I feel the social contract is largely upheld by the authorities.
Also, there is a question if you believe the authorities that without decrypting data, they can't investigate crimes.
Imagine an analogical assertion that without torturing suspects, law enforcement is stymied. Someone might assert that, but we still say no, for all sorts of fundamental reasons. Same with American Miranda rights and others.
Myself, I don't believe in that assertion at all. Most crimes leave a massive real world trace that cannot be encrypted. The ones that don't, maybe should not be crimes in the first place.
Yes, I do - or rather, that is the point of the discussion. We currently allow central authorities to indicate our permission to do or be something in the root certificate system. Why can't something similar be designed to allow controlled decryption?
> Also, there is a question if you believe the authorities that without decrypting data, they can't investigate crimes.
Clearly there are circumstances in which being able to decrypt the data of a criminal would assist in prosecuting crime. See EncroChat for an example of how this has worked.
> Imagine an analogical assertion that without torturing suspects, law enforcement is stymied. Someone might assert that, but we still say no, for all sorts of fundamental reasons. Same with American Miranda rights and others.
Yes. Clearly there are reasonable limits that need to be applied before we can allow controlled decryption of data. I am not arguing for issuance of a master key. See my original post.
> Myself, I don't believe in that assertion at all. Most crimes leave a massive real world trace that cannot be encrypted. The ones that don't, maybe should not be crimes in the first place.
Some do, and some don't. Things like e.g. cryptocurrency heists have profound effects, and are propping up North Korea. Those are definitely crimes...
Can you do the same thing, but in the other direction? How many people would have been harmed if weaker/no encryption was the standard?
How many whistleblowers would have been killed without a secure way to blow the whistle? How many journalists and journalist sources would have been killed? Etc. These people aren't using the USPS for good reason.
Point being, you are only doing one side of your calculation and presenting it as a full argument. But it's just a bad argument unless you calculate both sides.
Have you ever called into a bank or brokerage? Most ask "security questions", often ones that you can't even choose, like your address or how many accounts you have with them. It's arguably far worse than speaking your password into the phone.
> 2. Is there a way for phone call man in the middlers to get that info without wasting a ton of time listening to calls?
Automated speech recognition has been around for decades. Even before that signals intelligence agencies have shown that widespread wiretapping/eavesdropping is possible and effective.
If you were MITM is HS- your modern day equivalent is way stronger than you think. Easy for kids to clone voices and deepfake these days. Anybody can ask any one of the free chatbots out there for a step by step guide to implement this- they will even write the Python script for you, tell you what IDE to download and how to run it out of the terminal.
At least that is how I see the word used.
Rationality and emotionality are not mutually exclusive, and I would say there are very, very few arguments that are devoid of emotion.
The GP was using "emotional" to dismiss the kind of arguments you're saying are reasoned.
I'm dismissing arguments that are designed to appeal to (and manipulate) the emotions of the person listening. Such as the three examples I gave, which are, in almost every case, used to win an argument without having to consider any possible nuance of the situation.
Often, it's a completely thought-stopping appeal, because everything is simply countered with "so you don't care about children". Or, in your case, subtly alluding to me being tolerant of CSAM (which was wildly inappropriate, albeit a great example of why I generally just don't talk to people who use those types of arguments).
Apparently that makes me galaxy-brained or whatever, though. ¯\_(ツ)_/¯.
I just think arguments based on appeals to emotion are very often fallacious. But sure, I guess that means I'm a... whatever you just said.
How many terrorists were not caught by these systems? How many would have actually done these actions instead of just talking about it? How many could have been caught with just standard police work?
Without knowing these variables then there is no way to say if these systems are particularly good at catching terrorists.
> Without knowing these variables then there is no way to say if these systems are particularly good at catching terrorists.
I don't think we can ever figure this out, since no one is willing to run an RCT when it comes to counter-terrorism.
This is undoubtedly so; but much turns on the trust in government. In the U.S., the president, himself a documented profligate liar, just invited an equally untrustworthy unelected person into the halls of government to vacuum up whatever data he pleased. Maybe trust in the UK government is higher.
https://nsarchive2.gwu.edu/NSAEBB/NSAEBB116/index.htm
Collecting data is often not the problem. The problem is how to evaluate it and use it to direct the use of finite law enforcement or counterintelligence resources.
But to your point, let's not forget congressional Republicans rushing a SCIF on Capitol Hill with their mobile devices out in clear violation of policy (and common sense). I am relieved by the fact that Trump and Musk do not seem to understand what they can use sensitive information for (other than perhaps to sell or give away to foreign governments and businesses).
I think my point is good intelligence comes from stitching together numerous data points and often traffic analysis is as good (or better) than content analysis. And maybe that the overwhelming majority of elected officials have no conception of how intelligence is collected and evaluated.
Moreover, it's only a matter of time until the criminal fraternity all catch up and are on the same wavelength. That's when all but the dumbest know exactly what not to do or say on the net.
The Internet is still comparatively young and like everyone else those who've evil intent are still learning exactly how it works. I'd bet money that it won't be long before a 'bestseller tome' of definitive what-not-to-dos circulates amongst this mob.
The question is at what level will law enforcement's catch have to fall before it has to turn to other methods.
Somewhere a piece of code would have to say "here I've got this key, which can decrypt this text, but I'm not going to" and that decision is not protected by math.
Also, I think Apple has a scheme similar to this for protecting the passcode from being brute forced when recovering from iCloud backup. However, if this scheme breaks it doesn't reveal the encryption key; I believe it just allows the passcode that protects the encryption key to be brute forced, which I guess may or may not result in the encryption key being revealed.
More importantly, the thing you're asking for (law enforcement retroactively snooping without there existing a master key) is always impossible.
For other forms of snooping (like a warrant to tap communications for a single device for a period of time), you have related issues. Suppose you magically make such a thing flawless -- the client can't detect intrusion, a single key is actually time-bound, etc. There still exists a group of people with the power to hand out such keys, and that power, however it's implemented, is still a master key to all future communications over that protocol.
You can partially mitigate the risk in various ways, but you can't eliminate it. Every proposal for weakening cryptography in that way has had glaring flaws, and many known attempts at actually weakening it have later been cracked by nefarious actors. Spying, but only for the "good guys," should be met with extreme skepticism as far as cryptographic protocols are concerned.
For all of these schemes, what happens when the people holding keys and power are physically forced out (DOGE et al)? Even if we assume the thing is implemented flawlessly, the people involved never leak anything, the master keys stay secret, ..., you still have the human problem of transitions in power. Do you want the current US administration, one currently arguing that it can "deport" actual citizens to torture prisons with no recourse or court case, to know that six years ago your daughter confided to her best friend that she got an abortion once? That she doesn't believe Israel should be committing genocide? Or, suppose you approve of the current administration, what about the next one that takes the reins with this new set of powers? It's bad enough without decades of chat history to let 70%-accurate AI comb through and make deportation decisions.
Thinking without a willingness to share what you thought with the government when it feels it needs to know (e.g. in court) is illegal. Full transcription is not always legally required, but it is in some specific contexts where there have been problems getting proper disclosure. Again, laws are created to deal with actual problems, not imagined problems.
I'll note that encryption isn't illegal today. While there are some outlier cases where it has been a challenge to government, it hasn't become a big enough problem to do anything about yet. But if it reaches the point where it is deemed sufficiently problematic, it will become illegal in some kind of fashion. What that looks like is obviously to be seen. It won't necessarily be a blanket ban on all encryption, or even a ban on encryption at all, but most people are not capable of imagining anything else, so here we are.
Dead people are distinctly immune to prosecution, and generally granted fewer rights.
Explosives and bulldozers are likely to harm whatever was motivating the entry in the first place. The vault system can be engineered to ensure this conclusion, as well.
And, sure, if enough perfectly engineered vaults were impeding the government from carrying out the activities it wants to carry out, there would be calls to make building/using such a vault illegal too. In the real world, such vaults, if they exist at all, don't meaningfully get in the way. Thus there is no reason to think about it. We don't create laws on what theoretically might be a problem in some magical imagined world. We only create laws after something is identified as an actual problem.
After your five ninja edits, it's been hard to keep up:
Glass relocker mechanisms have existed (in reality) on safe doors for decades and will often result in the destruction of contents if triggered and opening is still required.
Governments are normally seeking evidence: a stack of cash or a quantity of bulk substances are substantially harder to rig to destroy (obviating evidence gathering) than documents or data.
"Lose custody of your child" is very much a "legal repercussion."
> Whistleblowers can still encrypt documents on a flash drive, and drop it into a mailbox. There is nothing stopping them from doing so.
The only thing I want to highlight for your consideration is that the USA is not the entire world. The USPS, even if it were perfect, does not exist in the overwhelming majority of the world. People talk to people across borders.
(Also, with some of the proposed laws, encrypting the USB would be illegal)
My point is that's pretty much all arguments, except maybe some very obtuse ones no one really cares about.
> Or, in your case, subtly alluding to me being tolerant of CSAM (which was wildly inappropriate, albeit a great example of why I generally just don't talk to people who use those types of arguments).
That's not what I was doing. I was giving an example to show it's a trade-off driven by priorities and values. But if you want to be super-logical about it, supporting strong privacy-preserving uses of encryption necessarily implies a certain level of tolerance for CSAM, unless you support other draconian measures that are incompatible with privacy. Privacy can be used for good and bad.
There is a distinct difference between a person having emotions while arguing, and using an appeal to emotion as a rhetorical tactic. I do not agree that "pretty much all arguments" contain an appeal to emotion (again, as a purposeful fallacious rhetorical tactic), even though all arguments obviously will have people feeling some sort of emotion.
Even looking through this entire thread, most of the disagreements here do not contain appeals to emotions.
I'm sure that any book on logic and rhetoric from the last few centuries would explain it better than I can. The wiki page has some good explanations and examples as well.
This is not analogous to a single government having non-transparent, non-auditable access to decrypt communications of its own citizens.
Again, I see us falling back into an "all or nothing" view of privacy and I just don't think those are the only options.
That (somewhat, barely) addresses one of ~dozen issues with the proposal.
> Again, I see us falling back into an "all or nothing" view of privacy
Not to be too pedantic, but I think the distinction between privacy and encryption is incredibly important: almost everyone agrees that privacy is a gradient. The disagreement is whether or not encryption can be a gradient. Most people do not think it can reasonably be without undermining ~everything relying on it.
A proposal to backdoor all cryptography is worse than having PKI as a thing we opt in to for the sake of convenience.
What I didn't mention was that I've been to the US many times and I've relatives there, and I've even worked there and these factors have also influenced my perception.
Let me put it this way, if the Greatest Generation, aka the G.I. Generation were to come back today and saw what has happened they'd not only be dismayed but horrified. Right, much of that reaction is to be expected with intergenerational change, etc. but again I'd suggest it's more than that.
It's not possible for me to even begin to justify what I've said as even a précis would take me many pages. Instead, I'd refer you to journalist Tom Brokaw's 1998 book The Greatest Generation wherein he describes the values and beliefs of the people of this generation as well as the ethos of the era in which they lived. Far be it for me to tell American society what it ought to be doing but I'm of the opinion it wouldn't be a bad idea if all Americans read this book—after all, it's actually Brokaw who's making the suggestion that his countrymen read the book or he wouldn't have written it.
In short, Brokaw wrote this book because he sensed the same change in US society as I had done and no doubt much more acutely so. I'll now extrapolate: it's now over a quarter century since he wrote it and I'd contend the contrast to which he referred is now even more extreme.
https://en.m.wikipedia.org/wiki/The_Greatest_Generation_(boo...
BTW, just don't take my word, I'd suggest you search out some of the book's reviews.
Incidentally, when I was working in NY some decades ago I shared my office with a GI of that generation and he became a great friend. I had many discussions with him about his past experiences. I consider it great privilege to have known him (his name would be familiar to some of you).
Let's just take some examples. What about internment camps during WW2, deporting communist supporters shortly after, racial segregation, performing human subject experiments on black people and biological weapons research on the public without consent, and much higher abuse of power or corruption in politics and in policing. Which freedoms existed then that don't exist today?
Classic strawman argument. Where was anything like this suggested? Are they barred today under existing legislation?
The eventuality of this line of reasoning is that: "special interests who control the DSM (or whatever standards body governs these soft sciences) can influence and determine the outcome of custody battles."
DSM-4 defined "gender-identity disorder" as a thing, that's now been de-pathologized to "gender dysphoria."
Under your framework, a body of unelected, politically and financially-motivated "experts" can now determine the imposition of legal consequences on a whim.
"Are you suggesting that family courts in Colorado should be barred from hearing info from psychologists about the impact of dead-naming?"
It is a simple question. I think it tells more about your viewpoint than you may think that you consider discussions of trans issues "a strawman."
I also appreciate how you have decided that you know my thoughts on a complex subject simply by me asking you to provide more detail as to what you were saying.
It's entirely possible I'm not attacking you. It's possible I don't understand what you're saying.
> Not to be too pedantic, but I think the distinction between privacy and encryption is incredibly important: almost everyone agrees that privacy is a gradient. The disagreement is whether or not encryption can be a gradient. Most people do not think it can reasonably be without undermining ~everything relying on it.
That is a fair criticism. I would answer that by saying that encryption is just a technology, and you can employ it in very flexible ways (including e.g. n-of-m style keys) which if thought through well and legislated carefully could give the authorities more reasonable access to data when it is legally warranted.
There's no denying your examples but here we are discussing war. In times of war the normal order of things and ethics fall apart no matter which side one's on. During war, people are very scared and they act outside the box, they do strange things they'd never do in peace time. When I was conscripted I was not only furious but also shit-scared that I might be killed in an unethical war that my side should never have been involved† in (why die in the name of a wrongful cause?).
If you've never been in that situation then you would never know what it's like. (You may think you can imagine the situation but when you actually experience it you know damn-well your initial thoughts were wrong and way off the mark.)
Some of those matters to which you've referred are of my generation and right they're unforgivable by any standard, but again that was the time of the Cold War—and people acted as if there had been an actual war in progress. I know, I can never forget the Cuban Missile Crisis in October 1962 and how people reacted, for thirteen horrific days we wondered if we'd live until the next morning. Again, people act very strangely in such circumstances.
Did you actually live through the 1950s and 60s? I did, so I speak from actual experience.
"…and much higher abuse of power or corruption in politics and in policing."
How you can say that just beats me given the unmitigated mess that politics and governance is in today (and I'm not only referring to US politics, democracy is in real trouble everywhere). If I were blogging on my own website I'd ask you to provide solid references to back your assertions—ones that can be authenticated.
Moreover, how do you know what abuses of power are taking place today if they're hidden? Of which jurisdictions today are you certain that are free of human rights abuses, if any? Do you actually believe what you read in the media and/or on social media? Where do you get your verifiable facts from?
"Which freedoms existed then that don't exist today?"
There are many—actual and implied. I'll steer mainly away from legislated matters because that would require more than just a paper but a whole book, and even then it'd fall short. Let me just say that despite the fear of the Cold War and nuclear armageddon, when I was a child and later as a teenager we kids had a much more carefree existence than today's kids—and that's important for mental health. Here are a few freedoms that don't exist today (there are many more):
• There was no drug problem, we were free of that dreaded vice. We kids were never offered drugs, in fact most of us wouldn't have known the names of them (moreover, many designer drugs had not been invented then). Clearly, none of us died from overdoses.
• Kids were free to roam without fear, we ranged and did what we wanted without question from parents (except to take advice to take care). We played without parental supervision (unfortunately today that childhood right (freedom) has been lost to childhood).
• Kids were not wrapped in cocooned protection as they are today. We walked to and from school without our parents although sometimes we caught the bus. (I walked home from school by myself from age six onward and that involved crossing a busy main arterial road). If parents had picked me up I'd have been hounded as a sissy. It was just not done—that's why we kids developed a much stronger resilience to life's knocks than kids of today (there's substantial evidence for that).
• The term 'helicopter parenting' had not been invented, and kids would not have stood for it (if a parent were to so act people would have thought such action as peculiar). Today, helicopter parenting is ruining many kids' lives.
• Many kids today are so protected and mollycoddled that they are actually frightened to leave the house. If a kid is scared just to leave the house then it's a freedom lost! When I first heard of this I thought this must have been a gross exaggeration but in fact it's a real problem nowadays. If there were such cases when I was a kid then they would have only applied to very few kids with severe mental problems. What I am saying is that back then that actual instances must have been so rare that the notion of a child being scared to leave the home just wasn't in the public's consciousness.
Now take today's situation. If nowadays parents are so frightened of the outside world then something has happened to make them so act. Whatever the reason, valid or imaginary, there's something wrong with today's society that was OK when I was a kid. Arguing the contrary would simply be a fallacy—a non sequitur.
• Teenage suicide likely happened when I was a kid but it would have been such a rare event that none of us had ever heard of it, again it was not a notion of public importance as it is today. As kids, the notion of suicide never encompassed our thoughts. Kids today are aware of it and some mull over the possibility—we were free of such destructive thoughts.
• No one had ever heard of school shootings, it was so far off the radar that no one would have thought of the notion. School was a place that no kid feared (other than those few who dreaded school for the more usual anti-school reasons).
• Mass shootings were almost unheard of, especially so outside the US.
• Government interference in and intrusion into the lives of ordinary citizens was only a fraction of what it is today, no mass spying etc. Sure, the Cold War wrongly targeted mostly innocent groups (but again a wartime mentality was alive and at work here). That said, the US was gripped by fear far more than any other country with ratbags like Eugene McCarthy fuelling the flames. Otherwise, people in most other Western countries were spared from such human rights indignities and violations.
And that's just for starters. Have things gotten better? No doubt some things have, and no doubt some are definitely worse. And some are just the same—war is just as ugly as it's ever been, perhaps even worse with weapons targeted on civilians (certainly so at any other time since WWII). Witness the current Ukraine, Palestinian and other running conflicts—clearly, things are the worst they've been in many decades.
Am I biased? Yes, everyone is to some extent, but my political science and philosophy training taught me to at least look at the facts objectively.
___
† I am of the firm opinion that to invade another country without, say, imminent annihilation is the gravest and most egregious action that any country can take. To defend one's country from unprovoked invasion is another matter, but even then one's defense must be measured and appropriate. Defending one's country out of sheer patriotism and bravado alone doesn't make sense. As Wilfred Owen said "Dulce et decorum est pro patria mori" is a lie and I agree wholeheartedly. No, I'm not a pacifist, just a realist.
Is the appeal to emotion really necessary? Surely we can discuss the facts without devolving into some kind of "But I want that!!!" toddler behaviour?
No need to reply within the first second. Take your time.
In fact, consider taking a lot more time as you still haven't named the specific vault, or set of vaults, that is causing such a big problem for the government. If we don't know what vault it is, even if your description is vague, how would anyone come to think of it as a problem? Laws are not created by some all-knowing deity. It is just people.
That such a vault might be theoretically possible to build is irrelevant.
Vaults and safes are boutique products. Glass relockers have been sold for decades - can you not extrapolate that heat and impact might destroy something inside of a highly thermally-conductive container?
HSMs and similar tech have had tamper detection systems for decades with internal battery backups... these aren't illegal yet. My server cases from 20 years ago had tamper switches for exactly this purpose. How hard is this stuff to engineer?
And...?
Let me ask again: Which vault(s) are currently, or at least in recent enough memory for anyone to recall, causing great strife for the government? Even a rough location would be sufficient. We can offer that in the case of encryption. There are countless news articles about police not being able to decrypt data they deem important.
Without that, it doesn't matter. Laws are not created based on imagined situations that you can dream up. They only are created after something has become a problem. You can use a perfectly impenetrable vault all day long and as long as the government doesn't want in, it is never going to care.
Of course, the greater subject is really about houses, not vaults. The government has good reason to want to get into your house. For example, you might perish in it, and it needs to get in to deal with your mess. This is a relatively frequent task placed upon government to carry out. If you've made your house impenetrable, government isn't going to remain amused for long. If the government starts encountering that problem often, absolutely it would become illegal.
It is not illegal today because it has never posed a real problem.
As it pertains to this thread, where the sole key holder is dead and took the knowledge with him, how do you anticipate to carry out gaining access to the data using live attacks? There are plenty of reasons why the government wants access to data even where prosecution isn't necessary.