If you substitute "house" for computer, it casts a different perspective on what law enforcement agencies are asking for. Our society has wisely decided that we are not required to put TV cameras in our bedrooms so the police can see what we are up to any time they like. Even though it would make us all safer. Ah, but the police tell us they almost never abuse their power and privilege. Almost never. Well, hardly ever.
18
Times should talk to encryption experts (e.g. Schneier) before writing this stuff. Breaking encryption requires creating a back door. Once there is a back door - it will be discovered and used by others (malicious hackers and stealth state actors) in ways we would not want. Since the algorithms are out there - more motivated people (i.e. those with the most illegality to hide) will create end-to-end encryption without back doors and use them. Ergo backdooring encryption will create lots of unintended security vulnerabilities AND still fail in its objective. The right answer is to trust the legal system and lawful intercept and take legal action if people deny access when legally required to.
6
@dsanford0
The 'back door' that you speak of in Public-key/Private-key encryption often means that a copy of the private-key is sent elsewhere at the time the keys are made by the encryption software. It can be sent immediately via the internet, or embedded in a file or document and left on the computer itself. Cracking the message then involves the simple matter of combining the readily available Public-key and the purloined Private-key to decrypt the message in the normal way.
The U.S. Supreme Court seems to speak of this process with respect to foreign installations of U.S. made software, in Microsoft Corporation v. AT&T Corporation, 127 S.Ct. 1746 (2007): "While copying software abroad is indeed easy and inexpensive, the same can be said of other items, such as keys copied from a master." (127 S.Ct. 1746, 1749)
1
For immediate clarity here, let's break this down to its basic elements in terms of the argument.
What our government seeks to do, and has been seeking to do for a long time now, even though they've been repeatedly caught at it, is to take the power to deprive you of your fourth amendment rights (among others) based not on what you have ever done or tried to do, but rather on what they may claim, without any proof, indication by past or present statements or acts or other justification, that you just might at some time do, based upon some unproven assumption on their part. Thought crimes, perhaps? Why not?
Will you easily and willingly give up your rights based on something that might (barely) conceivably happen at some time in the future?
Are you willing to be tried for a crime you've never even contemplated - but it's asserted to be somehow remotely possible that somehow, some day, you might because someone somewhere else once did?
No? Then why would you give up your rights to your security and privacy on that same basis?
And please don't argue 'probable cause.' How many times has our government, under several different administrations, been caught snooping on Americans on a wholesale basis with absolutely no proof or permission?
Truly, now, whose government do you actually trust?
10
This is an important article, but since it goes into specifics of encryption, it should get them right.
The end-to-end section is correct, but for the "other forms of encryption," the author writes, "A more common form of encryption, known as transport layer encryption, relies on a third party, like a tech company, to encrypt messages as they move across the web." That is not what transport layer encryption, or security (TLS), means. When you use Facebook's Messenger, Facebook is not the transport layer. The transport layer is the infrastructure that actually moves your data from one place to another -- from your phone to Facebook's server and then to another user's phone. Facebook here is a middleman. When you use Facebook Messenger, you should think of your messages as still being encrypted end-to-end from your phone to Facebook's servers, decrypted by Facebook so it can read your messages to serve you more relevant ads, then re-encrypted end-to-end to the recipient's phone. It's simply end-to-Facebook-to-end encryption instead of end-to-end encryption.
Furthermore, TLS is widely used on both applications with end-to-end encryption and services with end-to-middleman-to-end encryption. And TLS still uses public-private key encryption for its initial handshake, so the distinction is definitely not public-private key encryption versus transport layer encryption.
10
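The distinction drawn in the comment above, between end-to-end and "end-to-Facebook-to-end" encryption, as an added example that is not part of the original comment or the article. `Relay`, `seal` and `unseal` are hypothetical names; the SHAKE/HMAC construction is a constructed stand-in for TLS record protection and a real AEAD, and the end-to-end key is assumed to have been agreed by the two endpoints without the relay.

```python
import hashlib
import hmac
import secrets


def _subkeys(key: bytes):
    # Separate encryption and authentication keys derived from one secret.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC using stdlib primitives (constructed stand-in, illustration only)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    stream = hashlib.shake_256(enc_key + nonce).digest(len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on a wrong key or tampering."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    stream = hashlib.shake_256(enc_key + nonce).digest(len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


class Relay:
    """The service in the middle. Each user shares a transport key with it,
    standing in for that user's TLS session to the service."""

    def __init__(self):
        self.link_keys = {}
        self.observed = []  # what the relay holds once transport encryption is removed

    def connect(self, user: str) -> bytes:
        self.link_keys[user] = secrets.token_bytes(32)
        return self.link_keys[user]

    def forward(self, sender: str, recipient: str, blob: bytes) -> bytes:
        payload = unseal(self.link_keys[sender], blob)   # transport protection ends here
        self.observed.append(payload)
        return seal(self.link_keys[recipient], payload)  # fresh protection for the next hop


def send_via_middleman(message: bytes):
    """Transport encryption only. Returns (what Bob reads, the relay)."""
    relay = Relay()
    alice_link, bob_link = relay.connect("alice"), relay.connect("bob")
    hop = relay.forward("alice", "bob", seal(alice_link, message))
    return unseal(bob_link, hop), relay


def send_end_to_end(message: bytes):
    """End-to-end layer carried inside the same transport. Returns (what Bob reads, the relay)."""
    relay = Relay()
    alice_link, bob_link = relay.connect("alice"), relay.connect("bob")
    e2e_key = secrets.token_bytes(32)  # assumption: known to Alice and Bob only
    inner = seal(e2e_key, message)
    hop = relay.forward("alice", "bob", seal(alice_link, inner))
    return unseal(e2e_key, unseal(bob_link, hop)), relay


if __name__ == "__main__":
    msg = b"meet at noon"  # constructed sample message
    for send in (send_via_middleman, send_end_to_end):
        delivered, relay = send(msg)
        print(send.__name__, "| delivered:", delivered,
              "| relay saw plaintext:", relay.observed[0] == msg)
```

Both paths use the same transport protection on every hop; the only difference is whether the payload the relay unwraps is the message itself or a second ciphertext it holds no key for.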
@Mike I agree with previous comments on the inaccuracy of explaining TLS and encryption technologies. If the author cannot even get that part correct, the whole article falls apart.
Understand what you're writing about before you attempt to make a case and explain it.
2
Based on numerous cases, including Fisher v. United States, 425 U.S. 391 (1976), the government cannot force me to reveal the combination to a safe holding documents they may want to see. That should be the relevant precedent for the question of their having the right to force decryption of communications in general.
1
"... Fisher v. United States, 425 U.S. 391 (1976), ..."
That case involved tax documents held by attorneys, which is a very different scenario from communications between two parties over an encrypted connection (so-called "end-to-end encryption").
2
This article contains a lot of disinformation. Public-key/Private-key encryption has always applied to end-to-end communications. Encryption only solves the problem of sending a private message through a public medium, such as by shortwave radio or the local phone company. People usually equate privacy to the breaking of encrypted messages that have been snatched from the public medium. In reality, privacy is mostly about controlling access to the endpoints. Be it the hardware in a smart phone or the operating system in your desktop computer. Whoever controls those endpoints will control your privacy, and there's not much you can do about it.
Mr. Rosen appears to be at the forefront of this disinformation campaign. According to the article: "While a [justice] department spokesman declined to discuss specifics, a speech Monday by the deputy attorney general, Jeffrey A. Rosen, pointed toward heightened interest in technology called end-to-end encryption, which makes it nearly impossible for law enforcement and spy agencies to get access to people’s digital communications."
Rest assured, law enforcement and spy agencies are already present in 'your' endpoints. Every hardware, software and chip company in the U.S. is taking federal grant money, hiring guardsmen and veterans (who are pre-disposed to look the other way in perceived areas of national security), and submitting to regulations often enforced as punitive measures against those who don't toe the line.
4
Encryption is both free speech and the right to privacy.
If government tries to steal our rights, expect fallout.
3
What, you mean we are going to have to start doing our jobs again?!
Encryption is not the problem. People have always been able to communicate privately without the government being able to snoop on them.
The problem is that the people in the professions at FBI and NSA are not doing their jobs. They have come to rely on myths and cheating like TV cops do as if it were perfectly normal to assume guilt then act upon that assumption.
2
@magicisnotreal Government always wants full control over you, their cash cow and target for their authority. It's how governments work by nature, just as humans are self-interested, a large monopoly with vast powers (run by those very humans) will also be this way.
It's why our founders didn't want a big federal government, wanted it to preserve our rights, not have us prove to government why we need our rights, and why only fools give government more power despite the never-ending stream of problems that flow from tyranny.
We need end to end encryption because we can't trust the government! It's the only thing Silicon Valley gets right anymore!
5
I find it misleading that so many articles emphasize that end-to-end encryption is about data privacy. It is far more fundamental: it provides data security. It enables far more secure communications, enabling a lot more than secure chat. Increased privacy protections are a benefit, but removing end to end encryption has impacts far beyond the potential impact to privacy.
10
Nice explanatory piece, Nicole! I actually worked the Clipper Chip issue and remember that phones including the Chip were stockpiled at DOJ, never to see the light of day.
1
Just when you think the government can't be any more intrusive than it already is give them the key to read anything they want and you'll see the end of democracy as we now know it.
Whatever happened to real investigative police work? Too difficult, too much work? I believe the government just wants to scrape all the data they can without any limitations, just because they can.
Remember the secret room AT&T built for the feds years ago at one of their sites. Explicitly for the purpose of the government to collect data. And it was a secret until someone blew the whistle.
3
This is about convenience for law enforcement, and surveillance, not about never having evidence. Any encryption can be cracked, and increasingly it's cracked easier, due to advancements. Get the hardware by a real subpoena, then crack it. If their jobs are too easy, autocratic power will come easily too - such as in China right now. It's much more important to have some privacy than complete power for the gov't.
We need a privacy amendment, as soon as possible.
And, notably, the White House uses these and none of these same people are enforcing the laws that are already written against that. These same people erased Bush's emails and no one was arrested. This is about power, not law enforcement, no matter how well meaning some law enforcement is. They don't truly understand what is occurring here.
"Do as I say, not as I do" the American conservative says, always hypocritical, "When I break the rules it's for the best, when you break the rules it's criminal, you knew the consequences."
4
@mjw Modern encryption (AES-256 for example) has no known way to be cracked, and it's not getting easier because keys are getting longer. If it's "cracked," it's because of access to those keys, not cracking the keys themselves.
3
I can see the govts of the world going as far as making sure you speak in a clear audible voice, facing the big brother cameras, so they can capture every word, nuance, and gesture/facial expression. Sounds far-fetched? You do remember that Obama said in 2016 that Trump would never be president.
1
Clapper and Brennan (now CNN stars) lied repeatedly to Congressional oversight committees about the extent of domestic surveillance.
So who wants to trust Big Government with a backdoor now?
4
Many of us enjoy the TV show NCIS. Yet they freely decrypt, hack, use facial recognition, etc. in pursuit of villains, with no apparent concern about constitutional rights. Are they good guys or bad guys? Food for thought...
3
@Roy Westerberg
They are a TV show.
1
@Roy Westerberg They are not real, but are entertainment. They also will torture and get good results, and they can shoot their guns accurately while rolling on the ground.
2
"Are they good guys or bad guys?"
The good guys always catch the bad guys in one hour.
As to your main point, if you watch enough cops-and-robbers shows, you will find that they almost never mention search warrants.
For a relief from NCIS, watch "Father Brown", where illegal searches are routinely conducted. (The show is otherwise very entertaining.)
1
Once this starts, where does it go? Now, government says it needs to be able to snoop on us when it involves serious crimes, without a permanent definition of what a serious crime is.
Our cancel culture concerns me. When we start to apply cancel culture standards to "serious crime," and we will, it should be a matter of great concern to all of us, because there will be nothing to stop the government's curiosity and desire to snoop.
4
Government's mass surveillance for security purposes is absolute nonsense. Let's face the truth: crime is inevitable and serious criminals are no pinheads. They will adapt to a changing environment as they always did. New E2EE messengers will appear without governmental access and at the end of the day we would have just lost our privacy without gaining any security - if not losing some of it.
15
Quantum computers will in a few years make end-to-end encryption moot. Then, the NSA will be able to eavesdrop on anything.
"Quantum computers will in a few years make end-to-end encryption moot."
You've been listening to too much fear-mongering. Quantum cryptography also STRENGTHENS cryptographic protocols.
"Then, the NSA will be able to eavesdrop on anything."
Eavesdroppers can be detected with "quantum key distribution", which eliminates the need to use public-key cryptography. A web search will find more.
7
@Kevin Blankinship Ah, the magical "few"...wonder if that's 5, 10, 25, 50, 100, 250, 1000 years? Predicting the future is flawed, and it assumes no advanced encryption using new technologies.
1
A backdoor means, effectively, no encryption and no privacy.
These governments are wrong.
16
I like my Protonmail account more every day.
13
I'm confused. When we read about the Chinese government potentially being able to tap into communications, that's bad so we can't buy some products from that country. When we read about our own government having the same capability, that's essential. Could someone clarify this for me?
Also could someone explain why any foreign government would allow communicating over these compromised channels?
16
"... why [would] any foreign government would allow communicating over these compromised channels?"
It's not clear who you are asking about, but the article says that governments LIKE "compromised channels":
"Last year, Australian lawmakers passed a bill requiring technology companies to provide law enforcement and security agencies with access to encrypted communications."
That's even worse than it sounds, because Australia is one of the "five eyes" countries* that share intelligence:
‘Five Eyes’ Nations Quietly Demand Government Access to Encrypted Data
By David E. Sanger and Sheera Frenkel
Sept. 4, 2018
https://www.nytimes.com/2018/09/04/us/politics/government-access-encrypted-data.html
* The others are Canada, New Zealand, the UK, and the US.
3
@NHK I'm sorry, to be more clear, why would any foreign country allow communicating over channels potentially compromised by the US government?
It'd be unlikely any country's government would object to having this power for itself and perhaps its allies.
@edwardc
Perhaps, the future democracies are not in the English speaking countries. It would be a sorry state of facts, but not so improbable.
"If you give up essential liberty to purchase a little bit of safety, you will have neither liberty, nor safety." Ben Franklin figured this out a long time ago. But that has not prevented "democratic" governments from trying to get the public to give up liberty for purchased safety. India, US and Australia are excellent examples.
22
Freedom of speech is one of our highest values as a country. How we speak, to whom we speak, and the right to not be forced to speak against our own interests is to be protected against intrusion. Mathematics, of which encryption is one branch, is a language and clearly a protected form of speech.
Even our own government insists on the inviolate right to encrypt communications. It is a grave error to elevate the rights of government officials above the rights of the citizens they purport to "serve."
28
@Paul Central CA, age 59 Just know that their "service" is a self-delusion based on propaganda (keep saying nonsense and people start to believe). Who uses force to take your money? Who can lock you up? Who can kill you? Who regulates your behavior? Who searches you at airports or anywhere within 100 miles of a border? Who drops 50 bombs a day in Afghanistan and is that because Americans are being served?
4
"On the other side are law enforcement and some lawmakers, who believe tough encryption makes it impossible to track child predators, terrorists and other criminals."
The governments would like to have a backdoor they can use to go in and snoop on anyone's communication. But even with a backdoor, the bad actors can always encrypt their messages on their local devices and send them in that form, can't they?
Look at what China is doing to its citizens, who apparently have no privacy whatsoever. Do we really want to hand over to Barr the tools that he can use to emulate his overseas tyrant idols?
12
@JB I'm more worried about future administrations than I am about this one.
I like the distinction between privacy and secrecy. In general, I don't want anybody snooping, especially a competitor. But, if a government agency has the warrant and the resources to crack a communication, then they should be able to. The matter is theoretically one of resources and legality, but the resources alone will keep the wrong players out. The level of encryption will be determined by market forces, and that will act as a mechanical governor to determine just what we need. So yes, let the government crack my communications, but they may have to pay for time on a quantum computer -- which may become a thing, but not for home use for a very long time. And even then, only with a warrant to search.
That seems to be the best approach to me.
There's a lock on my bathroom door. Anyone who tries it from the outside will understand when the occupant wants privacy. However, if the door remains locked for too long, it's a good thing that it can be opened from the outside with only a screwdriver. Secrecy is not what people need in that case.
6
@Alan "if a government agency has the warrant and the resources to crack a communication, then they should be able to"
Not even a sheep could have put it any better.
2
@Alan
You make one critical error. You believe that we will always be led by a benevolent government and a police force that will always support the people.
Can you, with 100% absolute certainty, guarantee that a fascist regime isn't elected to power in ten years? In 25 years? A regime that will use the powers granted years or decades earlier to persecute their opponents or other "undesirables"? Will never happen you say? Just remember that Adolf Hitler was elected in a fair and free election.
Edward Snowden showed us that the government was illegally spying on people. How many people were prosecuted for this criminal act? ZERO.
Government (and it doesn't matter what government or where) always needs an enemy to justify its intrusion into our personal privacy. In the past, it was communism, then drug dealers, then terrorists and then people operating on the dark web. Tomorrow, it might be people expressing their opinions in the New York Times readers forum.
7
Just wanted to shout out the article illustration by Yarek Waszul, great design!
1
It's 2020, and legacy 'services' like Facebook are not safe from man-in-the-middle interception attacks. And you guessed right, the man is your friendly neighborhood police or FBI apparatchik. Move on, people, there's a lot of free as in freedom options out there!
8
"Instead of forcing Apple to create a back door, the agency [the FBI] said it had paid an outside party to hack into the phone of the San Bernardino gunman."
AFAIK, how that was done has not been publicly disclosed.
My guess is that the relevant chips were opened and tapped. That would require a high degree of technical expertise, but the basic concept is used to test microprocessors. See the Wikipedia article, "Wafer testing".
It should also be noted that the FBI made a big mistake while it was trying to access the iPhone's data:
"Unfortunately, we [Apple] learned that while the attacker’s iPhone was in FBI custody the Apple ID password associated with the phone was changed. Changing this password meant the phone could no longer access iCloud services." ("Answers to your questions about Apple and security" at apple.com)
5
Law enforcement can go cry in a corner. It was the warrantless tapping of all internet communication by the Bush administration that finally forced almost all communication over the internet to use end/end encryption. But E2E encryption has been a hallmark of any well-designed communication protocol for the past twenty years, and it isn't going to go away anytime soon.
24
Another issue not mentioned in the article is that people who are skilled and motivated will always be able to use encryption. WhatsApp, Signal ... make it easy for everyone. But if one wants to learn a bit and deal with a bit of hassle there's gnupg and other applications. These applications aren't attached to any company. The source code is freely available. They are by default installed in most Linux distributions. It's impossible to stop them. Which means that ultimately motivated individuals will always be able to communicate securely online. Therefore, banning encryption apps will make mass surveillance easier. Banning will make it easier to target low hanging fruit: The local drug deal perhaps. But not more sophisticated motivated entities. Therefore, everyone's security is weakened without affecting the biggest targets.
63
This is completely true. End to end encryption is not something granted to users by big tech companies. Give me an Internet connection and I can communicate in an encrypted way with my compatriots using stock crypto software. I can even write such software myself if necessary.
18
@Daniel "Banning encryption apps" is also a violation of the First Amendment. Think about it.
10
...Agreed. and... motivated actors could communicate privately by means of messaging that hides the encrypted content inside of otherwise unremarkable content (called steganography). e.g., cat videos with hidden bomb designs that could even be publicly posted but with only the hidden part detectable by the intended special recipient.
5
Ironically, the government's heavy-handed and unconstitutional monitoring of the communications of private American citizens, without just cause or warrant, can be considered a major driving factor in the increased use of encrypted communications. Had they limited their surveillance to suspected criminals for whom they had a valid warrant, as required by the Fourth Amendment, there would be a lot more public support for their efforts. But they didn't, they swept everything up and violated the rights of millions of citizens.
44
And we're to trust the likes of former NYPD cop Louis Scarcella, who seems to have framed hundreds of innocent Americans, with the keys to our most private personal data and yet has never been prosecuted?
Or the NSA officials whom the FISA court has said spied on Americans in violation of the Constitution?
Don't think so.
Law enforcement must clean up its act before we can even consider giving them what they want.
18
Safeguarding digital privacy is a critical human rights issue and a foundational prerequisite for social stability.
These are transboundary concerns -- and state-level policy frameworks are an unenforceable exercise in futility. The issues have to be addressed globally with appropriate legal frameworks and compacts.
The current regulatory void has resulted in rampant abuse of surveillance powers by state and nonstate actors - these actions are highly corrosive to the social fabric and create a destructive state of paranoia and distrust.
From a technical perspective, the core issue is issuance and management of private keys.
Individuals and households universally are expected to secure their private real-world possessions with a combination of physical locks and keys. They are now increasingly expected to employ digital equivalents to safeguard their online resources.
Oversimplification of web security controls to promote usability - simple password protection - has always been a critical design flaw of the internet and must be addressed systemically.
Digital literacy means understanding how encryption keys work and taking responsibility for securing one's online resources.
End-to-end encryption literally requires the individual maintain control of their private keys - just like real-world keys.
Third-party service providers should not take that responsibility. The policy debate should focus on obligations to handle encrypted communications and access to metadata.
12
@Mikhail
Just as a burglar may access your home without your house keys and an auto thief might steal your car with your keys, a hacker may access data without keys.
End-to-end encryption is the least vulnerable to hackers.
4
"A more common form of encryption, known as transport layer encryption, relies on a third party, like a tech company, to encrypt messages as they move across the web."
That's misleading. HTTPS connections provide end-to-end encryption between the user and the web site.
Further, users could still defeat government snooping using symmetric-key cryptography, which requires the users to securely exchange secret keys.
Of course, sophisticated parties do not use the internet to communicate. They use trusted couriers.
14
@NHK That is one of several technical misunderstandings in the article. I could also add that public key cryptography is ordinarily used to exchange keys for symmetrical encryption of data.
The engineer in me always wonders when he reads about things he understands in the Paper of Record and knows that the reporter got it wrong: can I trust that source to get the things I don't understand right?
1
"Law enforcement and technologists have been arguing over encryption controls for more than two decades."
It's an absurd argument. Strong encryption exists. You could write whatever law you like, and people who are sufficiently motivated to encrypt their communications – for good reasons or bad – will be able to do so. If the laws make it difficult to find an encryption tool, then most people won't use one, which will expose their digital lives to increased risk. Sophisticated criminals? Yeah, they'll still encrypt things.
33
The debate is pretty simple - Is thwarting a small number of criminals worth putting hundreds of millions of people's data (And their privacy, safety and security) at risk? Clearly not.
Law enforcement has proven that it can break into individual phones without exposing everyone's data to theft. Why do they keep bringing this up?
38
"... thwarting a small number of criminals ..."
That's a ridiculous oversimplification. Law enforcement can use recovered data to identify and locate conspirators, to track possible future operations, and to prosecute suspects in court.
And remember that "a small number of criminals" carried out the 9/11 attacks.
"Law enforcement has proven that it can break into individual phones without exposing everyone's data to theft."
That's a MUCH better rebuttal to the government's claim that it needs weakened cryptographic protocols.
"Why do they keep bringing this up?"
Because they want to conduct mass surveillance. From the article:
"Privacy activists, libertarians, security experts and human rights activists argue that end-to-end encryption steers governments away from mass surveillance and toward a more targeted, constitutional form of intelligence gathering."
5