From another leaked memo (or maybe the same memo):
Although “the legislative environment is very hostile today, it could turn in the
event of a terrorist attack or criminal event where strong encryption can be shown
to have hindered law enforcement.”
There is value, he said, in “keeping our options open for such a situation.”
In other words, he was hoping for a terrorist attack that could be used as a flag to push anti-encryption legislation.
I wouldn't go that far. This is ODNI's General Counsel saying that they would prefer to defer public attacks -- er, debate -- on any specific plan until a crisis occurs, at which point opposition will be muted. They can then take advantage of the climate to go full court press with whatever strategy has been preselected. Whether "preparing to leverage" is worse than "hoping" is up for debate.
That's a rather pedantic difference. What you're essentially saying is they just used weasel words that give them an out instead of just blatantly saying what they mean.
This is not necessarily bad by default. There do exist inherently good things that do not have public support or the support is muted until there is a crisis. For those items, a crisis is an opportunity to come out ahead at least as it relates to those good things which now have support.
Sure, in theory. I just think politicians should be honest and transparent with their intentions. Don't treat the public like little children that need to be manipulated into accepting what the politician deems as good.
And historically, I would argue that crisis has been used primarily to consolidate political power, and fuel nationalism (Japanese internment camps, Iraq war, government surveillance etc)
You say "hoping" but the quote reads to me like he's making sure they are prepared. Even Obama's staunchest critics don't actually think that the President of the US is hoping for a terrorist attack.
Power attacking (or planning to attack) itself to further its agenda is not unprecedented. In the most famous case, it was the President that put a stop to the plan. See Operation Northwoods: https://en.wikipedia.org/wiki/Operation_Northwoods and the Strategy of Tension.
If there is a successful attack politicians will be questioned about why they did not do more, no conspiracy needed. Is it dangerous to have encryption keys stored? Of course, but the danger is mostly that they will be stolen not used by the government, although that is still a risk but smaller.
I don't, I said it is a threat, but the bigger threat is someone else getting them. Every group is made of people with various agendas so that is a pretty vapid statement.
> I don't, I said it is a threat, but the bigger threat is someone else getting them.
I see no reason to accept this as prima facie true. If you look over the course of history, most of the world's violence has occurred at the hands of a state, religion or combination of the two.
Cry me a river. The widespread adoption of encryption wouldn't have been such a pressing issue if spy agencies like the NSA hadn't been abusing their powers by conducting mass surveillance on law abiding citizens.
You do realize that all government agencies, especially those under the DoD, serve at the pleasure of the POTUS, right? Obama has had close to two full terms to tell NSA what he wants done and how he wants it done. He could shut the whole joint down tomorrow. He has not. He is very aware of exactly how NSA operates, and he has not changed a damn thing.
Blame NSA, or whoever, all you want. They serve at the pleasure of their customer.
> You do realize that all government agencies, especially those under the DoD, serve at the pleasure of the POTUS, right?
This is false. Government agencies largely are creations of statute law, and their existence is governed by Congress. The heads of agencies (and top-ranking subordinate officers to a certain level) often serve at the pleasure of the President, but the agencies themselves do not exist at his pleasure.
In most cases where the agencies that are not created by statute are subordinate to those that are, those subordinate agencies still do not exist at the discretion of the President, they exist under the statutory authority of some officer of the statutorily-created agency to which they report. (That officer may serve at the pleasure of the President, so the President could fire them for not acting as he wishes with respect to the subordinate agency, but the agency itself does not exist at the discretion of the President.)
There are exceptions -- subordinate organizations not created by statute within the Executive Office of the President, for instance -- but generally federal government agencies do not exist at the discretion of the President.
Heck, even doing this through a back-door approach by refusing to spend Congressionally-appropriated funds in order to kill a program has been ruled unconstitutional; Train v. City of New York, 420 U.S. 35 (1975).
"Independent agencies of the United States federal government are those agencies that exist outside of the federal executive departments (those headed by a Cabinet secretary). More specifically, the term may be used to describe agencies that, while constitutionally part of the executive branch, are independent of presidential control, usually because the president's power to dismiss the agency head or a member is limited."
The NSA isn't an independent agency, it's a part of the US military chain of command under the Department of Defense and hence is under the direct control of the Commander in Chief.
The head of the NSA is always an active enlisted officer who is part of the joint chiefs (Admiral/General ;)) and is also the commander of the US Armed Forces Joint Cyber Command (USCYBERCOM).
https://en.wikipedia.org/wiki/National_Security_Agency
> The NSA isn't an independent agency, it's a part of the US military chain of command under the Department of Defense and hence is under the direct control of the Commander in Chief.
The NSA's existence, as well as some particular details of officers that it must have, etc., are mandated by Congress in statute; see the National Security Agency Act of 1959 (and subsequent amendments thereto.) That it is within the military chain of command doesn't change this; Congress's power to direct the structure of the military is an enumerated power in Article, Section 8. The designation of the President as Commander-in-Chief does not make the President unreviewed dictator of the military, it simply restricts Congress's power over military organization such that the Congress cannot place authority to command the military within the regulations adopted by Congress in some other person than the President.
Congress's power to direct the existence, function, organization, and funding of agencies -- and the President's lack of Constitutional power to disregard Congress's directions on those matters and disband statutorily-mandated programs and agencies -- is not, contrary to your description, restricted to independent agencies. It absolutely does extend to federal executive departments, including the Department of Defense.
> The head of the NSA is always an active enlisted officer who is part of the joint chiefs
No:
(1) The Director of the NSA is always an active commissioned officer (and a four-star flag officer during the tenure in the position.) Commissioned officers are not enlisted personnel.
(2) The Director of the NSA is not a member of the Joint Chiefs -- the Joint Chiefs of Staff include the Chairman and Vice Chairman of the Joint Chiefs, and the Chiefs of Staff of each service (Chief of Staff of the Army, Chief of Staff of the Air Force, Chief of Naval Operations, Commandant of the Marine Corps, and the Chief of the National Guard Bureau.) The Director of the NSA is Chief of the Cyber Security Service, but not every position with the word "Chief" in it in the military is a member of the Joint Chiefs of Staff.
> The NSA isn't an independent agency, it's a part of the US military chain of command under the Department of Defense and hence is under the direct control of the Commander in Chief.
The NSA's existence, as well as some particular details of officers that it must have and its functions and duties, are mandated by Congress in statute; see the National Security Agency Act of 1959 (and subsequent amendments thereto.) That it is within the military chain of command doesn't change this; Congress's power to direct the structure of the military is an enumerated power in Article, Section 8. The designation of the President as Commander-in-Chief does not make the President unreviewed dictator of the military, it simply restricts Congress's power over military organization such that the Congress cannot place authority to command the military within the regulations adopted by Congress in some other person than the President.
Congress's power to direct the existence, function, organization, and funding of agencies -- and the President's lack of Constitutional power to disregard Congress's directions on those matters and disband statutorily-mandated programs and agencies -- is not, contrary to your description, restricted to independent agencies. It absolutely does extend to federal executive departments, including the Department of Defense.
"The Act does not describe the functions of the National Security Agency (NSA), but deals with "housekeeping" matters such as pay and allowances, training, property acquisition, and leasing, It exempted NSA from the requirement to provide detailed information regarding organizational and functional matters to the Civil Service Commission (the predecessor of the Office of Personnel Management)."
The NSA is the only Agency whose mission is dictated by the Executive Branch.
I didn't think this comment would blow up so much. Thank you for clarifying my point. I should have cited sources, but NSA specifically literally directly serves the POTUS. He can _literally_ shut it down tomorrow, among other things.
There is no such thing as an "enlisted officer" in the uniformed services of the United States. There are Non-Commissioned Officers, but they're not actually officers and they're never in command of anything larger than a patrol boat or a tank.
"The agency was formally established by Truman in a memorandum of October 24, 1952, that revised National Security Council Intelligence Directive (NSCID) 9.[28] Since President Truman's memo was a classified document,[28] the existence of the NSA was not known to the public at that time."
I believe that you are correct that the NSA was originally an agency created by unilateral Presidential action that could have been disbanded by discretionary Presidential action, however, AFAICT, it has been a regular statutory agency since the adoption of the National Security Agency Act of 1959. [0]
Why do you people keep repeating these blatant lies? The POTUS does not have direct power to do these kinds of things. It's the whole lot of politicians that are ignorant and corrupt.
When Bush was in charge, everyone was quick to blame him. But now that Obama is in charge, suddenly it is "president has never been the one pulling strings .. why is everyone blaming him?"
When Bush was in charge, Republicans apologized for him and Democrats blamed him personally for destroying the country.
While Obama is in charge, Democrats apologize for him and Republicans blame him personally for destroying the country.
The truth is, the president is never the one pulling the strings (at least not all of them), but both sides insist it's the case when it's to their advantage to attack strawman positions of the incumbent party.
I dunno, the whole concept of a "commander-in-chief" -- Chief Executive of a country, "The Buck Stops Here" -- is an odd dynamic. While we have the 3 branches of government, one of them is physically and institutionally commandeered by one human being, subject to the limitations and weaknesses shared by the 300 million human beings he oversees.
The checks and balances system is nice, preventing a situation in which a depressed or cranky president launches a war "just because"...But there are a lot of other less direct ways that his personal state of being could drastically affect the entire country. What if the senator who is a leading advocate for surveillance reform personally insulted the president's family? Sure, the senator's a jerk, and the president would never admit to basing his decision to ignore the senator on such a personal slight. But if such personal hostility resulted in the president putting the senator much lower on his priority list...such that he never gets around to giving the issue the proper amount of attention...The impact on the country is virtually the same as if the president's reaction had been, "Fk that d-bag and everything he stands for"
This is just a long way of saying, yeah, kind of crazy how so much of what affects us as a society is in the hands of one human being, and it's unfair to blame him for not being able to control everything. And yet, he is the one who signed up to have those powers...criticizing him is not just a reflexive tendency to scapegoat, but the current "user-friendly interface" we have with our bureaucracy.
>>> The POTUS does not have direct power to do these kinds of things
He hasn't had the power to do a lot of things but that hasn't stopped him from shredding the constitution and using executive orders to override his own legislation that passed into law did it?
People want to say he doesn't have these powers, but even a cursory look at how he's been running his office is in direct conflict to the statement.
Ok, I took a cursory look and I see that he uses executive orders less often than any other president (normalized per term served).
As for the first sentence, what are the examples of his orders that are shredding the constitution? Does SCOTUS (final authority on constitutional law) agree with your assessment?
>> I took a cursory look and I see that he uses executive orders less often than any other president (normalized per term served).
It doesn't matter how many orders he's issued, but the overall effect of constitutionality.
>> what are the examples of his orders that are shredding the constitution?
First you have to understand what executive orders can't do. They cannot make laws and they cannot stop laws from being carried out.
- This means his executive order to delay the employer mandate - but only for certain businesses. He said he will not enforce the mandate for businesses with 50-100 employees, but will enforce it for business with more than 100 employees.
THAT is effectively writing a new law. Congress said it starts at 50, but Obama says it starts at 100. By the constitution, only congress has this power, not the POTUS.
- Another example is his changes to the DACA act to include illegals who entered the country before 2010. Again, this is not something he has the power to do. By actively not enforcing existing laws, and then creating his own set of criteria on who can stay in the US and who cannot, he's subverted the existing immigration laws and replaced them with his own.
- Another good example is how he said that a person or business that doesn't support LGBT nondiscrimination cannot receive a business contract with the government. This means if a Muslim doesn't want to bake a cake for a gay couple, the government has the right to refuse to do business with them.
I won't even start with how unconstitutional such a law would be if it was passed by congress. Considering this is already protected under the Free Exercise Clause of the first amendment which states no citizen can be required to forfeit their right to do business with the federal government.
Again, only congress has the ability to pass a law like this, but Obama did so anyways.
This is the issue with his orders. It has nothing to do with how many orders he's making, it's how he's using them. Effectively creating or overriding existing laws as he sees fit - something the POTUS should not have the power to do.
I don't agree with you that number of orders is irrelevant. It at the minimum is an indicator of administration policies.
As for your examples, I am not a constitutional scholar, neither are you. Right now they are just your opinions. For instance, Free Exercise Clause does not mention right to do business with the federal government. I'll wait for SCOTUS interpretation of the clause rather than yours.
He may not officially have the power to change things through the official bureaucratic channels, but he could stop them if he wanted. He has a lot of power that he doesn't tap into. For example, he has the ability to address the nation. With that power alone you can really stir up some change.
> For example, he has the ability to address the nation.
This power is pretty overrated.
How often have you turned on the TV and seen a network cover the entirety of one of Obama's speeches/press conferences, other than a major speech like the state of the union? Usually they cut away to something else after a little while or don't cover it at all, except maybe on a morning show.
Being from a country where the TV and radio networks are required to stop whatever they are doing to air a presidential speech, this sounds really strange.
Such a weak excuse. Sure a TV show might not play clippings from a speech of his, but if Obama actually offers to do a live interview on any TV show, no one would turn down that ratings boost.
Right! That's why I consider, for example, his campaigning on closing Guantanamo to be completely disingenuous.
Get on TV every single night, spread awareness about what's happening there, tell US citizens that we need to lead by example, and use the propaganda machine to create positive change, for once.
The truth is with a bad economy the more a president with lagging approval ratings gets involved in some issues the less likely their passage.
More importantly there's a limited amount of political capital you have as POTUS. While you may think Obama should have directed more of this to closing Gitmo, I think the big ticket accomplishments he spent that political capital on such as ACA were more important.
How can you honestly say the ACA was more important than shutting down a US run gulag that actively commits war crimes on a daily basis with approval from the entire chain of command?
I can honestly say it is not even close: access to health care via ACA saves more lives every year than the population of Gitmo by nearly two orders of magnitude.[1]
And it's not clear at all that Obama could have successfully closed Gitmo even had it been a higher priority of his. It is clear that he immediately ended interrogative torture [2] and made efforts to close it. There's still force feeding but that's also an issue in US prisons so closing Gitmo and sending the detainees to other prisons is not necessarily solving anything there.
It's clear that he issued an executive order, which may or may not be utterly meaningless.
And Gitmo was just an example, not necessarily saying it would even be at the top of my list. Of course sending the detainees to other prisons is not the answer. These people need to be freed, now. Same deal with the multitude of other US military prisons and CIA black sites.
The word you used above was 'disingenuous' and I think that deeply mischaracterizes the issue. The overwhelming blame for Gitmo being open today falls on the GOP.
The president can't arbitrarily shut things down or have much direct control. Congress both controls the purse strings and requires money to be spent. At best, POTUS can generally enforce the law, but NSA actually has authority to do mass surveillance from Bush era laws.
That said, Obama is clearly in favor of surveillance.
You do have to wonder what exaggerated lies they're told to believe that such surveillance is even necessary. I say lies, because if there were any real threats so many more terrorist attacks would happen than actually do.
The other theory I've seen is that people in power are used to having their life scrutinized publicly, so personally don't really care about privacy, so are the worst people to be making decisions about such things.
I think it's more of an incentive problem, after a disaster like say Hurricane Katrina it's really hard to stand up and publicly say everything is working just fine.
Ideally, you want to be able to say well "were it not for the other guy we would have implemented my solution!" Which creates huge pressure based on how bad things look vs. how they actually are.
Setting aside the fact that the POTUS can't actually do that, when you think about the fact that information is what makes governing possible in the first place, it makes complete sense that they would explore this sort of thing. Given a vague (and ultimately impossible) mission of "stopping all terrorist attacks", it makes sense that the NSA would be exploring what they have been, and that TPTB would be wholly supportive of it.
This type of wholesale spying on law abiding citizens goes back 15+ years. I blame Obama, Bush, Congress, et al for not showing a backbone and ending these programs.
Edit: I'm in an exceedingly grumpy mood today. :-/
15? It's arguable that the government's institutional abuse of power to spy on law-abiding citizens began in earnest with J. Edgar Hoover, who began his tenure as the head of the FBI in 1924.
I want to revisit the earlier point in your context. You say that it goes back 15 years. You are right.
Each of these parties is jointly and severally liable for it. Obama is currently liable. I think it's just and right to criticize him for failure to act. His lack of fortitude is not excused by the lack of fortitude of others.
It's probably not correct that Obama could close down the entire NSA tomorrow. However, he has essentially complete control over what it does. If he wanted to direct it to do, for example, only military intelligence activities directed solely at warfighting intelligence, he could.
State and local police and prosecutors don't work for the federal government at all. Any avenue for mass surveillance is also an avenue for legitimate law enforcement investigation.
Yes it would. Cybercriminals are even more of a threat than spy agencies to most individuals.
[edit: in case it is unclear, I am saying that cybercrime is as strong reason for individuals to use ubiquitous encryption as government snooping not that it is a justification for government snooping]
Direct perceivable damage? Is there even a question?
Did the NSA overstep its bounds? Sure, but did anyone actually get directly hurt? Well not really.
The NSA is only as "bad" as the rest of the government, it's not a rogue agency that whisks people in the middle of the night to re-education camps, if the US ever becomes such state then encryption isn't going to help you.
This isn't an argument against encryption, or in favor of the NSA violating the privacy of US citizens (I am not a US citizen and I do not expect the NSA to care for my privacy) it's just an argument that people should put things in perspective.
East Germany didn't become a police state because of the Stasi, they created the Stasi to enforce it. The US wasn't turned into a police state because of McCarthyism, it wouldn't turn into one because of the NSA even if they continue to violate the rights of US citizens unless there will be a major major political shift across all branches of the US government and its population.
It is amazing what a corner encryption has pinned law enforcement into (after the USG of course pinned everyone into a corner by spying on what amounts to nearly the entire globe's communications). There are no workable solutions which allow the government to serve a warrant and receive information without compromising the systems of millions of other subscribers to the same networks in some fashion (or reducing faith and trust in those networks).
And the physical port, while an interesting concept, would essentially mean if LEOs jumped the gun by a few days, their warrant would be a bust because there'd be no information of use on the phone and the person obviously wouldn't use that physical device again.
I've never had an issue with warranted communication retrieval. I certainly have an issue with the bulk collection of data on hundreds of millions of Americans at all times (as we all should, this is the sort of stuff you can blackmail politicians with, and when you can blackmail politicians you can control the future of the country, so it's something we need to prevent to maintain the integrity of our democracy).
What tradeoffs should be made? Where should the lines in the sand be drawn? And what solutions exist or can be imagined which allow LEOs acting on good faith and reasonable suspicion to monitor the activities of those worthy of monitoring without compromising the very nature of our nation's foundation?
What utter nonsense. Law enforcement absolutely has a solution: they use the traditional methods of investigation that have always worked. Wiretapping is a somewhat recent development, historically speaking, and it obviously isn't the only method of investigation.
The only reason you see law enforcement getting annoyed at encryption is that they really liked how easy wiretapping (and the modern equivalents) made their job, and the power it gave them in the form of "parallel construction".
> What tradeoffs should be made?
A big problem with the rhetoric about rights and security having an inversely proportional relationship is the assumption that giving up rights would actually result in better security. This is at best unproven, and often results in a loss of security.
Playing devil's advocate here, but instantaneous long-distance communication is also a very recent development, historically speaking. Traditional investigation methods relied on tracking people's movements, who they associated with and so forth. Digital communication has almost completely removed the requirement for non-digital criminal relationships. As we saw with the DPR hired-killer case, two people can collaborate to perform a crime with zero non-digital connections. How do you use traditional methods in a world where criminals can just go about their daily lives, pausing occasionally to send a message to someone who could be a co-conspirator or could just be their mother?
I don't think subverting encryption is necessarily the answer, but to say that law enforcement just wants to do things the easy way is to ignore the emergence of a very real problem that they face.
The government has admitted that it is impossible to reliably extract one party's communication without either watching all the time, or having the ability to do so, and I don't think it's for a lack of creativity. In a way we were spoiled by wiretapping because now we have set the expectation for hard, recorded evidence to be the standard, because facts can't lie.
Thing is, this new age is a bigger can of worms than encryption versus the government is always watching. It could be 10 years away, it could be 50, but a computer will someday be able to generate your voice, create a fake video of your actions, and the state could put you away for nothing - and everyone could believe it.
Neither of you are wrong. Machines can be fooled by prior, and people can be fooled by machines.
There are also no workable solutions that allow enforcement [sic] to read what you're thinking, even with a warrant. But sometimes the universe just doesn't work how they'd like, so their job isn't as easy as it could be. Boo hoo.
This "debate" (actual: another attempt at forcing acceptance) is only occurring because people foolishly adopted webcrapps. The debate was settled long ago at a time when people thought in terms of owning their devices and data, before tech culture had been destroyed by advertising/propaganda. The result was a resounding "Hell No".
It's been rekindled because these huge silos of irresponsibly stored data are an irresistible trove for control fetishists. And in a sense the public sector control fetishists are right - if the de jure government doesn't gain access to them, it's only a matter of time until the de facto government does - eg insurance pricing, background checks, extreme price discrimination.
Let's hope the (de)centralization pendulum swings back hard this time, with Snowden having given it an extra push (Binney/Klein were pushing at the wrong time :/). We're due for another bubble pop sometime soon, and I hope that honest companies (aligned with user incentives) rise from the rubble. If our society is to have any long term future, the advancements of technology have to be distributed throughout it, not centrally controlled by a handful of entities.
The thing is, encryption is all-or-nothing. You either have quality encryption, or you do not. The only trade-off to discuss here is whether we want to allow secure digital communication, or if all communication must be effectively in plaintext. I think the choice is fairly obvious, as without effective encryption we will basically kill any digital economy. But I do understand where the opposition is coming from.
"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
If we define a computer system and its contents as "papers", which seems reasonable, then the extra port approach matches this very well. You give the device a warrant signed by the public key of the judge, and it gives up its secrets. And takes a copy of the warrant.
I mean that's all fine and dandy but there's a couple problems.
1. The public key of the judge will be compromised. Not might, not won't. It will. End of story. This opens my device to a bunch of non-authorized individuals exfiltrating data without my knowledge. This is completely unreasonable at every level. To draw a parallel, this would be like all locks in your house having a "police" keying.
2. Computers are not papers. Papers is a well defined term.
3. These ports would be taken advantage of by three-letter agencies without your knowledge and without a warrant.
The only thing your approach allows is that the police officer won't snag your laptop so the office gets a new one. But really, that won't stop them from stealing your stuff so not even that works.
The police can't even be trusted to not shoot an innocent person. What makes you think they can be trusted with a golden key? This approach completely undermines the entire reason we have encryption and aids the police in parallel construction. Not the other way around.
Read on skipjack and the clipper chip. This kind of tech has been discussed and it DOES NOT work.
You can't just say "Computers are not papers. Papers is a well defined term" following a suggestion that this definition may be wrong.
The whole point of being 'secure in your papers' is to enable diplomacy and discussion that has a reasonable expectation of being inaccessible to those in power. It's not a place to lawyer the law into irrelevance.
Oh indeed, I don't trust them either. This is more a proposal of "if an even-handed compromise could be reached for allowing the pursuit of legitimate investigations only, here is what it might look like".
The point was to allow only access to "documents" that are (a) on a device physically in the possession of the police (ie NOT remote access) and (b) in a tamper-evident fashion. Making it impossible to do without your knowledge, and partially addressing both (1) and (3). (1) can be further addressed by keeping the key in a hardware module.
Computers have clearly replaced paper and are somewhat analogous. If we can change the construal of "marriage" we can change the construal of "papers".
The LEAF system was for intercepting communications in transit, which is different and I agree with preventing.
If a judge's private key were compromised there are solutions. Treat the judge as an intermediary CA cert (I'm assuming there would be an actual root somewhere) that issues individual certs per warrant. The software on the phone (which holds the ability to decrypt the data) then verifies the entire chain of trust. If the signature appears correct and everything validates, but the certificate revocation list is too old/can't be updated, maybe it enters some kind of lock mode that only the carrier/manufacturer can unlock. But it gives the LEO nothing and prevents the user from deleting data.
All accesses must be logged. This way we can see what warrants have been executed and can track to see if they match what the judge has issued. Any discrepancy can lead to cert revocation.
And the phone knows what time it is because...?
All an attacker has to do is put the phone in a Faraday cage and spoof the cell time while the cert is stolen. Trivial.
This is absolutely true and I agree, I think it'd be a great approach to the issue at hand. Of course someone below brought up the issue of someone just using a soldering iron to alter the physical port to be unusable. Or, what if, even, I just dropped my phone enough? Now there's a warrant for me, even if I'm not guilty, would I face criminal charges for obstructing an investigation even though it could have been an accidental mishap?
If you deliberately burn papers relevant to an investigation that's one thing, what if your papers get caught in the rain? Has anyone been in trouble for that? I'm not as educated on the subject as I could be, I most certainly admit.
"Port" could imply something like a JTAG port internal to the device which is very hard to selectively disable. Or a one-shot system involving antifuses in the processor.
Why would anyone choose to run broken software that betrays their interests in such a way?
Being an extension of one's mind, a computer should legally function as an ideal Lawyer/Doctor/Priest. It acts as the owner's agent, and should never cease representing their interests.
They looked into whether it could be done and then decided that doing it was not worth the controversy it would generate. This seems like a good thing, I'm not sure why WaPo went with such a sinister sounding headline. More accurate would be "Obama administration rejects several proposals to bypass smartphone encryption".
Before that, they first had to deliberately ignore that the government already "looked into" trying to require key escrow. At least that time they had an actual proposal (Skipjack/Clipper Chip) instead of dissembling about "golden keys".
A lot of people in government have been acting as if this is a new argument, when the backlash already happened. The idea that someone needed to "look into" this to find out if there would be a backlash only makes sense if they were somehow ignorant of the 90s crypto wars.
As I read it, it was to access encrypted information on a suspect after a warrant or court order has been issued. If you have something in a locked room and the police have a warrant to search it, they can cut the lock off and search it, that's perfectly legal. The trick with encryption is to find a way to do that without rendering every other lock in existence worthless, and I think that's what they're looking for.
A 3rd key would have to be kept secret forever but still available easily. How long before this gets leaked? One thing everyone can learn from the Snowden leaks is that governments are rubbish at keeping secrets for long periods of time. Bear in mind that the 3rd key would have a serious financial value and could be sold semi-anonymously.
I assumed it would be a unique 3rd key per user/transaction. It increases the burden of the escrow-holder (by vastly increasing the number of keys to manage), but has the benefit of allowing granular access to data, rather than compromising all of one service if a warrant is served for a single user's information.
Clickbait and sensationalism is a thing in journalism. It is morally wrong because it spreads disinformation and is harmful to both individuals and democracy, but it is legal and profitable, and we haven't done enough to shun it, so it happens.
> The approaches were analyzed as part of a months-long government discussion about how to deal with the growing use of encryption in which no one but the user can see the information.
Using OUR money, they looked into ways to compromise technology that keeps OUR information private. If you claim you're going to be the most transparent administration, the public ought to hold you to that claim. Without leaks and whistleblowers, and reporting like this, we'd be clueless.
Your headline would also only tell half of the story, because we don't know whose "ways" the administration rejected. They, the administration, spent time looking into something that they later concluded was wrong. Right?
WaPo's headline was in the past tense and doesn't state anything else, so obviously nothing went beyond exploring. It's not distorted at all.
As an American citizen I don't have an issue with gov't funded development of attacks on encryption so long as they don't pass laws that give them an advantage like, as an example, requiring companies to back door their own software. Edit for clarity: I realize that they do this. I'm trying to say that such abuses of power aside, I have a hard time finding it scary or surprising that they, or anyone else want to break encryption.
> The first potential solution called for providers to add a physical, encrypted port to their devices. Companies would maintain a separate set of keys to unlock devices, using that port only if law enforcement had physical access to a device and obtained a court order to compel the company’s assistance.
Soldering gun and that port is toast.
> The second approach would exploit companies’ automatic software updates. Under a court order, the company could insert spyware onto targeted customers’ phones or tablets — essentially hacking the device. However, the memo warned, this could “call into question the trustworthiness of established software update channels” and might lead some users to opt out of updates, which would eventually leave their devices less secure.
It could be done even today. And I would not be surprised if we haven't already some FISA mandated app updates.
> A third idea described splitting up encryption keys, a possibility floated by National Security Agency director Michael S. Rogers earlier this year. That would require companies to create a way to unlock encrypted content, but divide the key into several pieces — to be combined only under court order. Exactly how this would work remains unclear, but the memo warned that such a system would be “complex to implement and maintain.”
So straight backdoor. While workable for Apple, not really suitable for Android. And we have the golden key as the mother lode of all cyber criminal activity in the world.
> Under the final approach, which officials called a “forced backup,” companies under court order would be required to upload data stored on an encrypted device to an unencrypted location.
Adava Decrypta or any other magical spell?
If companies hold any way to decrypt the content, then it is not encrypted. If they don't, what is expected from them is magic.
> ... splitting up encryption keys, a possibility floated by National Security Agency director Michael S. Rogers earlier this year. That would require companies to create a way to unlock encrypted content, but divide the key into several pieces — to be combined only under court order. Exactly how this would work remains unclear, but the memo warned that such a system would be “complex to implement and maintain.”
Actually, this is called a 'lawful escrow', and it is implemented in many enterprise PKI systems specifically to comply with court orders.
So I guess they decided to throw in one sane option, to offset three other fairly insane ones.
I've said this before. They can already get a warrant and visit a suspect. Make them unlock their phone or go to jail for obstruction or some such (legal question, how compulsory can this get?). The problem is that they want to snoop in secrecy without tipping off a suspect. It's undesirable when going after networks of people, but going in the front door seems completely feasible today.
No, we don't. If the DA's office has other evidence you've committed a crime, and know that some encrypted device in your possession has additional evidence, the DA's office can legally compel you to turn over the keys.
The only time you're protected is if the key in question is password protected AND you only memorized the key (i.e. didn't write it down anywhere). Then you can plead the fifth.
> The only time you're protected is if the key in question is password protected AND you only memorized the key (i.e. didn't write it down anywhere). Then you can plead the fifth.
I don't think that's the case. There was a court ruling a year or two back where the court ordered the defendant to unlock his data. The key part of the ruling was that passwords and keys aren't evidence in and of themselves - the court can demand them in the same way it can demand, for example, physical keys for a safe.
Failure to provide decryption keys is I think not currently covered by the 5th in USA.
In the UK the punishment for failure to decrypt a device when the police ask is pretty much the punishment for whatever they accuse one of having on the device...
What if you don't have the key? Do they need to prove that you're able and refusing to decrypt the device or are you presumed guilty until you prove you can't?
What about one-time pads where you could make up whatever key you wanted and it would be valid?
I think (and I am not a lawyer and not your lawyer) that the onus is on you to prove that you don't have the encryption key (anymore) or have access to it. I don't know what case law exists on this.
To the downvoters. I don't like these things either -- but just downvoting them on HN won't change things.... Vote in your national elections with civil liberties in mind instead.
Well duh, surveillance is core to US National Security. Obviously it comes with some thorny opportunities for abuse, but in the scope of national defense, it would be malpractice not to develop every capability possible.
Your enemies won't hold back, and let's remember that we are more or less already in an asymmetrical information war with both state and non-state actors inside US borders.
The POTUS is not the only responsible party, but is definitely among the supports for widespread mass surveillance. A person could argue that he is not responsible if the government operated in the nature it's supposed to under the constitution, but with executive orders (among other things) that is not the case.
They say they don't want to sound like they are asking for a backdoor, but they are basically asking for a backdoor. Then they mention that if they start adding spyware to people's phones through service providers' software update channels that people will not find them trustworthy. Well, no shit.
“Rather than sparking more discussion, government-proposed technical approaches would almost certainly be perceived as proposals to introduce ‘backdoors’ or vulnerabilities in technology products and services and increase tensions rather [than] build cooperation,”
You can blame this administration or the other one for pervasive snooping. The sad truth is that we are prisoners of our fear. Remember when Obama tried to shut down Gitmo?
I'm still waiting for XKeyScore to be generally accessible by any script kiddie. When it is they'll realize how utterly stupid it is for such a system to exist.
I see what Obama's saying. In my experience, research on bypass methods may become the source of a new terrorist attack. Then a terrorist attack would be our making.
All they need is for a policeman to physically seize a device while it is unlocked.
Or even while it is locked with encryption keys stored in memory, and some custom tech to read the RAM from a running device.
I'd wager that people with sufficient physical security to prevent this are very rare, and it works against any sort of device that doesn't have a dead man's switch.
I do not see value in this discussion. Once your smart phone is powered on, it is not encrypted. All files can be pulled or pushed over the air by the carrier. Not all carriers will ask for a warrant. Click down if you want, but I was told to not ask for a warrant.
Yes and no. Nixon did a lot of things Obama wouldn't get away with. But the technology for the sort of dragnet snooping government agencies can do today wasn't available.
https://www.washingtonpost.com/world/national-security/tech-...