Tech Giants Hit by NSA Spying Slam Encryption Backdoors (zdnet.com) 129
A coalition of Silicon Valley tech giants has doubled down on its criticism of encryption backdoors following a proposal that would give law enforcement access to locked and encrypted devices. From a report: The group, which focuses on efforts to reform government surveillance, said in a statement that it continues to advocate for strong encryption, and decried attempts to undermine the technology. "Recent reports have described new proposals to engineer vulnerabilities into devices and services -- but they appear to suffer from the same technical and design concerns that security researchers have identified for years," the statement read. The renewed criticism follows a lengthy Wired article, in which former Microsoft software chief Ray Ozzie proposed a new spin on key escrow. Device encryption has hampered police investigations, and law enforcement officials have pushed tech companies to fix the problem -- even by way of suing them.
Criticism or collusion (Score:1)
Re: (Score:3)
The criticism might be the only canary in the coal mine that we have. They have limited options if they don't want to just shut down operations (and somehow explain that to shareholders without violating their national security letter).
Re:Criticism or collusion (Score:5, Insightful)
We really need more heroes in Congress, like Senator Ron Wyden who both voted against FOSTA/SESTA (because it's stupid and makes the problem worse) and lost his shit at Christopher Wray for asking for backdoored encryption [senate.gov]. Representatives with the integrity to stand for what's right even if it's a losing battle and politically unfavorable.
I'm hoping to see Rikki Vaughn replace Cardin this term; and I'm going for Elijah's seat, so there's that. We need legislation putting a stop to the overuse of powers in secret against our own citizens.
Executive Order 13526 was an important step for government transparency; and at some point, we have to work toward accepting manageable risk--allowing for that it may be slightly more-difficult to achieve a national security end goal, yet still not likely that an adversary will advance its campaign against the Nation--in order to protect the rights of our people. Yes, restricting what the NSA can pull from Facebook in total darkness and restricting the use of national security gag orders to clear and present dangers might telegraph things a bit and keep some enemies of the state circling at distance instead of sitting around while we purportedly close in on them; that's better than the State becoming the shadowed enemy of the people.
Re: (Score:3)
We really need more heroes in Congress, like Senator Ron Wyden... Representatives with the integrity to stand for what's right even if it's a losing battle and politically unfavorable.
It isn't politically unfavorable at all; Senator Wyden is a Democrat from Oregon!
Rather, his politics are unassailably popular! He's the least likely politician in the State to lose an election, and he gets votes from the left and right. He also has a bunch of people in his office who spend their time advocating for individual senior citizens in Oregon who are having problems receiving (mostly medical) services that they are due.
Voters in States where everybody assumes politicians are corrupt go on to vote
Re: (Score:1)
Wyden is just fine with tossing out the first Amendment when you criticize Israel though. A co-sponsor of the bill, " S. 720 would criminalize anyone advocating a boycott of Israel, with a maximum criminal penalty of $1 million and 20 years in prison."
And he knew about the NSA spying, thought it was illegal(had clapper lie to his face about it) yet didn't take the simple step of informing the public about it in a senate floor speech, which would not be breaking any law. Maybe lose some committee positions
Re: (Score:2)
Voters in States where everybody assumes politicians are corrupt go on to vote for corrupt politicians
I started campaigning and immediately had people yelling at me. A lot of people like me, though. Odd.
we have a really strong "ballot measure" system for local politics, and very few ballot measure receive party-line votes
I'm going to need to look at this for Maryland. Our local politics are a mess. It's Democrat-held territory with a sense of strong party control, which is why everyone in the world is trying to break the Central Committee this election: the voters want control of their government again. We have an obscenely powerful executive, and need to make the Governor more like the President. We also have a wea
Re: (Score:2)
Have you considered Social Democracy today? It works quite well in many nations [wikipedia.org].
Re: (Score:1)
If they were leftists, the corporate bottom feeders would have been stripped of profits.
As for regulations, I AGREE that MORE regulations are needed in the era of tRump.
We've already seen coal slurry dumps destroying the water for towns.
your "Freedom" to get rich ends when WE have to pay for it!!
Re: (Score:2)
You have a family to threaten, right?
No, I don't form social attachments and have no capacity for emotional intimacy. I also don't have any sort of weird emotional attachment to money--it happens to be necessary to live here (like food and water), and more is useful--which has made me a poor fundraiser.
Or just a search history?
Full of probes at the Internet. I actually considered attending the Heritage Foundation's candidate training, but it looks boring; and when I checked out their page of stuff for it, I found very little in need of heavy analysis. They have e
Re: (Score:3)
Re: (Score:2)
Comment removed (Score:5, Interesting)
The irony, as I understand it... (Score:5, Interesting)
Is that Qualcomm (who is used in basically all the chinese phones not using MediaTek SoCs, since afaik RockChip doesn't produce any cellular SoCs) already has a master signing key for all their SoCs, with a per vendor child signing key. So in theory any Chinese phone should be compromisable by the Chinese government, and those phones are a subset of the phones compromisable by the NSA and select 5 Eyes partners. When you factor in that all ARM/MIPS hardware was effectively designed by British companies (now owned by Softbank and... who for MIPS?), and all x86+PPC hardware is designed by US controlled corporations with much of it designed in foreign countries (Intel's Israel branch doing major portions of both x86 design and Intel ME today.) the picture of just how backdoored modern hardware should be considered is *NOT* pretty.
In order to have a chance at any sort of national security, or secure processors, we really need either openly audited designs produced internationally, published transparently, and then audited by parties suspcicious of the manufacturing nation. And we need fabs producing versions of these chips on each of the major continents, ideally under politically hostile regimes. Only by playing each party against the others will we have a chance at sabotage free chips, as each party is jockeying for a bigger piece of the trust pie.
Re:The irony, as I understand it... (Score:5, Interesting)
ARM doesn't design hardware though, they only define an instruction set. Each company that makes an ARM chip had to either design or license an implementation of their own, and that is where any backdooring would happen. ARM doesn't even include any peripherals like memory!
That really shows how considered your comments were. ;)
Most of the ARM chips I use were designed by Texas Instruments, in Texas. They do have one chip fab in China, a bunch in the US, a couple in Japan, and a couple in Europe, though the ARM chips are probably mostly produced by contract fabs.
If you think "you're" "playing each party against the other," that tells me you're looking for somebody to play you, and feed you the correct supporting PR.
Re: (Score:3, Interesting)
Being actually followed doesn't mean you aren't paranoid. The question to consider is "What does it take for you to believe you are being followed?". Even paranoids require some evidence, and even non-paranoids can be convinced by certain levels of evidence.
A friend of a friend demonstrated that there can be interesting levels of complexity. He became convinced that there was a powerful conspiracy out to kill him. Then he noticed that they hadn't been successful, and became convinced that there was an e
Re: (Score:1)
Found this recent story [bbc.com] utterly fascinating.
This is the fight that will define the future (Score:5, Interesting)
If the anal-retentive, power-grubbing law-enforcement and politician types get their way, then there will be no such thing as 'private communications', 'secure data', or for all intents and purposes 'privacy' -- unless you're law enforcement, a politician, or (of course) The Rich. There will also, ironically, be less of things called 'justice' and 'law and order', because in their mad, foaming-at-the-mouth dash to have access to all things at all times, bar none, they will open the door for criminals to freely and easily take whatever data or communications they want; even your average script-kiddie would soon enough be able to break into whatever data-store they want. Your financial accounts? Your very identity? Up for grabs -- unless you're a cop, are a politician, or have money.
THAT IS WHY THERE HAS TO BE A LINE DRAWN IN THE SAND; HERE, AND NO FARTHER.
Re:This is the fight that will define the future (Score:4, Insightful)
Re: (Score:2)
...and then maybe I'll consider whatever the hell it is you have to say.
... but you just did; great job. Why do you care so much if he's anon if what you're fighting for is privacy?
Get a grip dude.
Re: (Score:1)
Would this not be a good thing? The ultimate form of privacy is complete anonymity. In a world where everyone is compromised and therefore all data is untrusted you can be truly anonymous. This may all backfire on them. If I'm the only one with access to my encryption key then you can be sure that everything signed with it is from me. If everyone has my encryption key, well then you can't be sure I was the origin of said information. Sure nothing is hidden but does this matter is nothing is verifiable?
Re:This is the fight that will define the future (Score:5, Informative)
If I'm the only one with access to my encryption key then you can be sure that everything signed with it is from me.
Oh, no, you don't seem to understand: Unbreakable encryption will be illegal if they have their way; you'd have to obtain the software from illegal sources (even if you wrote it yourself), and you'd be arrested, tried, and convicted as a cybercriminal for posessing and using it. Furthermore your entire life would be turned upside down, as they sift through it trying to find your connections to terrorism. That 'investigation' would include your family, your friends, your employer, and everyone you know, and they'd sift through their lives, too, looking for any links to terrorism. Your life would be essentially ruined.
Re:This is the fight that will define the future (Score:5, Insightful)
It's worse than that, because then people who really wanted security would turn to concealing the fact that they were using their own non-backdoored system through a lot of clever steganography. Which means, everyone would be a suspect of using illegal cryptography, so the government would then have to develop tools to detect steganographically hidden encrypted messages. Which means doing AI/entropy analysis on "all teh data" and accusing people because some heuristic fucked up and gave a false positive.
Re: (Score:2)
Re: (Score:2)
You're conflating the elimination of confidentiality with the elimination of non-repudiation and/or integrity; there is no particular reason why they have to lose the ability to claim definitively that you sent the message when they prosecute you for the content.
Re: (Score:2)
If the anal-retentive, power-grubbing law-enforcement and politician types get their way, then there will be no such thing as 'private communications', 'secure data', or for all intents and purposes 'privacy' -- unless you're law enforcement, a politician, or (of course) The Rich.
In my experience, law enforcement, politicians and the rich have the most to hide and the most to lose from weakening encryption. If I were of the mind to be a snoop I wouldn't target Joe Blow from Idaho. I'd go for the juiciest secrets.
Here's the problem, feds, listen up (Score:5, Insightful)
Unlike these companies I can speak easily to you since I have no horse in that race. I don't have to bullshit you so you keep buying my software and so you don't send the IRS down on me to keep my finance department in enough red tape to ensure they don't do anything sensible anymore this decade.
Here's the problem: If you mandate a backdoor into software, nobody with at least a hint of sanity will use that software. If you mandate that all software used within your jurisdiction has to have that flaw, you put your domestic industry at a severe disadvantage over every other on the planet, because you open them up to industrial espionage.
"Government only" backdoor keys are much, but not government only for long. Such keys are valuable. They offer entrance to all the sweet, juicy R&D details that every company and some governments on this planet want. Do you think that such keys have a price? You bet. Do you think that "give me the key or your little baby girl gets a bullet through her head" is too high a price for some governments? Think again.
People have weaknesses. Everyone has them. Even if they can't be bribed, they can be bullied, coerced, threatened or simply blackmailed. Works with everyone. I have not met a single person that had no weak spot you could exploit to get them to do anything, literally anything, you wanted. For most it's family. People do a hell of a lot of things if you offer them the life of their children in return.
Even China, one of the most restrictive countries with a surveillance state that would make Orwell wonder whether they used his books as manuals, wasn't foolish enough to demand something like this from its industries. That alone should tell you just how bad an idea it is.
Re:Here's the problem, feds, listen up (Score:5, Insightful)
Re: (Score:3)
They don't care that the bite the hand that feeds them, i.e. the industries that send them their fat donation checks? Wow, that's rough. Other whores I know at least have that much of a work ethic to at least perform their duties once you paid them...
Re: (Score:1)
Equifax already released all that data on us. That game has been over for a while. It's to the point I can't be sure I'm me even if I vouch for myself.
This is just one more step along the abuse of power trail. Unfortunately the time to stop them was a long time ago. When the changes were less obvious. Any time they need people to give a little of their freedoms or rights in order to "stop the bad guys" we should be concerned.
Re: (Score:2)
I think you support the official story of what happened, despite the evidence that it's incorrect. The evidence is far to weak to say in what particular way it's incorrect, but there are multiple uncontested lines of evidence that show it didn't happen the way we were told.
E.g., (and to pick just one line of evidence) within a day or two of the event special legislation was pushed through Congress. This is a clear sign that someone knew something, even though it's not clear just what they knew.
Re: (Score:2)
So I guess everything you do is legal. Now. Do you know whether these things will be legal in the future? A lot of things change, many things that we enjoyed are now frowned upon or even illegal. Smoking is one of them. Guns is another thing that gets more and more regulated.
Did you stop doing what we know you did 5 years ago when it was still legal or should we come and take a closer look?
Re: (Score:2)
The deaths of 3000 people is insignificant to the privacy and security of every person still alive.
Re: (Score:3, Interesting)
Even China, one of the most restrictive countries with a surveillance state that would make Orwell wonder whether they used his books as manuals, wasn't foolish enough to demand something like this from its industries. That alone should tell you just how bad an idea it is.
However, China does mandate that certain people groups physically install spy software on all their devices under penalty of law. Installation that must be verified by the local law enforcement.
Which if the US Gov't doesn't get back doors, will be the next big push "Protect America! Install this great piece of spyware, er security software!"
Re: (Score:1)
Its called windows...
Re: (Score:2)
Which if the US Gov't doesn't get back doors, will be the next big push "Protect America! Install this great piece of spyware, er security software!"
First, sex offenders will be required to install the software. The Supreme Court ruled you can't bar them from using Facebook et al., so we've somehow got to monitor that they're not on there grooming little kids for sex slavery (even if their conviction was for peeing on wall at 4AM). And nobody will oppose that, because you don't support pedophiles and child sex trafficking do you?
Next, it will become standard terms of probation/parole for all offenses. Nobody will care; those guys broke the law and too
Re: (Score:2)
I'd rather support child molesters than government surveillance. Pure self interest. The former are no threat to me, the latter is.
Re: (Score:2)
It's worse than you claim. None of the four major parties had a candidate who was trustworthy. Not a single one. For a while I thought the Green candidate was trustworthy, even though hopeless, but this was proven incorrect.
I didn't examine most of the V.P. candidates, so I can't comment as definitely on them, but I sure wouldn't trust the one that got elected.
Re: (Score:2)
they probably don't need to exploit people to get them. the government hasn't been doing a stellar job of keeping any secrets these days. they even managed to release their hacking tools accidentally. and they're no more successful at securing their networks than most businesses. Give it a year or two and someone will have the keys. A few years after that, everyone will,
Re: (Score:2)
That's why I don't buy most conspiracy theories. The government, of all entities, is notoriously BAD at keeping secrets. If after years and decades of people actively digging for information nothing at all surfaces while at the same time tons of documents get "leaked" in other areas...
Re: (Score:2)
That was seen in the wild with
SISMI-Telecom scandal https://en.wikipedia.org/wiki/... [wikipedia.org]
"5,000 persons (including politicians, magistrates..." " had been placed under illegal surveillance."
Greek wiretapping case 2004–05 https://en.wikipedia.org/wiki/... [wikipedia.org]–05
'... network belonging mostly to members of the Greek government and top-ranking civil servants. The taps began sometime near the beginning of August 2004"
I love it (Score:1)
Everyone makes arguments like "backdoors in encryption would make devices vulnerable to malicious actors". This argument should not be made. We don't NEED a reason to deny the NSA or FBI access to our devices. Remember we the people make the decisions. This is our government, grow some balls and tell them (at voting time) that we run the show.
Re: (Score:1)
A panopticon what? (Score:4, Insightful)
The biggest problem isn't crime but dictatorship. We should not be giving dictatorships free reasons to force backdoors just so some agents can get brownie points catching crooks. For each crook caught, how many millions continue to live with a boot on their neck?
Stop building the tools of tyrrany.
The same google that is pushing Chat? (Score:3)
You know the end-to-end text messaging replacement that doesn't include encryption?
Re: (Score:3)
Well-known "security" guy Ray Ozzie (Score:5, Insightful)
As I recall, Ozzie was at Microsoft during the heyday of remote SQL ports being open by default, IIS 4, IE 6... basically back when Windows security was a laughingstock. Why anyone would take anything he says regarding security seriously is beyond me.
Let's call this what it is. (Score:5, Insightful)
You can't have security and backdoors. Let's just say, for the sake of argument, that Ray Ozzie's approach - assuming it worked perfectly (heh) - of vendor-held key escrow was legislated and implemented. This is a huge leap for the industry, but they could do it. It would never be reasonably secure, and it would be near impossible to fix the flaws, but let's say it was done. The next step would be Fed-held key escrow. This is an almost microscopically tiny incremental step - just moving some boxes, folks - but at that point the concept of digital privacy is as dead as the rest of the Bill of Rights. Don't kid yourself that that isn't the end game here.
So let's call this bullshit what it is: "Flat Earth Encryption." It's technically infeasible, practically infeasible, and politically infeasible to have any sort of key escrow system that won't be abused like an underage Congressional intern.
Re: (Score:2)
that won't be abused like an underage Congressional intern.
How exactly do you abuse an intern? They're not exactly treated as employees anyone intends to keep to begin with.
Re: (Score:2)
The problem with Ozzie's system (Score:5, Interesting)
In the article Ozzie proposes a slight modification to the golden key solutions previously proposed. Instead of a single master key that would unlock every single device or system, his system relies on the manufacturer or creator to create specific asymmetric paired keys. When law enforcement requires a device or account to be unlocked, the manufacturer can unlock with their private paired key. In the case of San Bernandino, Apple would unlock only that particular iPhone.
The problem with this is that it requires the creator or manufacturer to be the stewards of these keys for an indefinite amount of time. In the case of Apple, they have to maintain keys for as long as an iPhone could exist which could be decades. It is also going to be problematic for companies or organizations that no longer exist. When companies go bankrupt, one of the few remaining assets they could sell is their data.
It doesn't shift the problem of risk to the stewards. It is still possible that the keys could be stolen; it just means hackers do not have to steal a single key.
Practically how will this work with independent developers? Open source developers would never follow this system.
Re: (Score:3)
Frankly, that isn't much of a problem as far as I'm concerned. Ozzie's proposal is that both the government and the manufacturer must independently agree to unlock a phone in the government's possession, a phone which the government irretrievably bricked in the process of making its request.
I like this idea. The government has no ability to decrypt without specific, limited permission from the device manufacturer. The manufacturer is not forced to grant their request. The device first has to come in the pos
Re:The problem with Ozzie's system (Score:5, Insightful)
As usual for a techie, Ozzie fails to apprehend the human aspect. The government only needs to force the company to agree -- risk of an audit or even criminal charges against company officials will do so. So it's still 100% the government's call.
And I don't happen to trust many governments. Even if you did trust the US government (don't forget: it's one of the world's largest incarcerators), do you trust the Chinese? Or the Russians? Both of which will be ruthless with a company's ability to do business if they're not obeyed.
Nah, better to have unbreakable devices. If a few criminals get away with it, that's life -- you can't have a perfectly safe, perfectly controlled society.
Re: (Score:2)
The danger of letting people have things that not even the _courts_ can inspect is far, far greater than any benefits you can name. If you live in a civil society, the "civil" part of that is that everyone follows the law. We intentionally place ourselves under the law because we recognize that it is the best way to protect our own interests.
As Jefferson put it, a free government is one instituted with the consent of the people to protect their rights and interests.
Re: (Score:2)
As Jefferson put it, a free government is one instituted with the consent of the people to protect their rights and interests.
Yes but that's the US government at best. The poster mentioned other governments like the Russians and the Chinese specifically. It's not practical to implement this with multiple governments who have different agendas.
Re: (Score:2)
The danger of letting people have things that not even the _courts_ can inspect is far, far greater than any benefits you can name.
We already have our wetware and have had it for all of civilized history... they don't yet know how to decrypt that reliably, and we seem to have survived said "dangers" so far. Also, we've had crypto schemes that aren't backdoored for quite some time.
Govt just needs to get used to the fact that people can whisper over instantaneously over large distances. Adapt or perish. They've already had decades of warning this was coming, and decades after it came they still won't admit it to themselves. Trying to
Re: (Score:2)
Re: (Score:3)
The manufacturer is not forced to grant their request.
I don't know if that is true.
What's not to love? I have no issue with the government inspecting my property and even my very self -- as long as they are acting under the orders of the court. At some point, you have to trust your government.
The problem is that there is more than one government in the world. Right now what keeps companies like Apple from complying with foreign governments is the lack of the ability. That means never traveling to other countries. For example if you visit China, the government could arrest you and then would have possession of your phone which they could ask Apple or Samsung to unlock. It's not like China hasn't been involved with industrial espionage on a grand scale for decades. Rig
Re: (Score:1)
I am in agreement.
Not the 'at some point you have to trust your government' statement. Won't trust them as far as I can throw them.
However, you have a system that requires two organizations that have opposing view to come to an agreement. The Gov't wants access to devices. The vendor doesn't want folks to have access - it's bad for business, stockholders, etc.
However, there is a single defining instance in which it which both agree it is necessary - when lives, security, etc. are at stake.
Pros
- Gov't doe
Re: (Score:3)
The best part is that if anyone feels otherwise, they can always secure their device themselves, by throwing another application layer on it. (Or just outright replacing whatever crap comes preloaded.)
What everyone needs to understand about this whole topic, is that we're not talking about how secure
Re: (Score:3)
The manufacturer is not forced to grant their request.
Right.... Think for even a second any corporation isn't going to hand over the keys, when mister three letters does not say "Gosh it would be shame if you made me go get a warrant; we'd have to look at obstruction charges etc..." Apple only kind of did it because they did not themselves have some magic unlock key - the technical information and know how to build it perhaps but no ready working exploit code if you will.
The device first has to come in the possession of the government in the first place, with all the 4th Amendment protections we already have in the law.
Again keep telling yourself that buddy, just do yourself a favor don't go near any air
Re: (Score:2)
Backdoors in devices = quartering troops in homes (Score:4, Interesting)
Simple Constitutional Argument.
There's a reason why you don't want backdoors to be open to the government.
Re:Backdoors in devices = quartering troops in hom (Score:5, Interesting)
Yep. 1st, 2nd, 3rd, 4th, and 5th amendment violations.
1st: Crypto is speech. Courts have ruled. .GOV needs a warrant
2nd: Crypto was under ITAR, therefore it's an armament.
3rd: specified here
4th: Beaten to death.
5th: Obvious
Re: (Score:1)
If the US government has sufficient evidence, one loses the 4th (search warrant) and the 5th (subpoena) amendment rights.
When the US government can 'stop and frisk' at will (violates 4th and 5th), and claim digital data is not personal or private (In cases of 'cloud services' and '3rd-party', so true.), an individual is already deprived of privacy.
The congress-critters shouting 'look, terrorist' are happy to throw voters under a bus but they're not thinking about about their employers: How is Bank America
Re: (Score:2)
The question is not whether a warrant is required or not. The question is whether it's required to enable the government to be able to read a device with a warrant, and there's at least some precedent in CALEA [wikipedia.org], which requires all telecommunication systems to allow government wiretapping. The Fourth is inapplicable, because its protection ends with a warrant (which it places restrictions on).
Re: (Score:2)
I see your analogy, but I doubt that a court would. The prior responder has a better argument....but it's still not good enough to stop the government until afterwards, and maybe not then.
Just being illegal won't stop the government. It often hasn't in the past. (I'd like to claim it never has, but that's quite difficult to prove.)
Cryptography is a commodity (Score:2, Interesting)
PGP came out how many decades ago? And yet it's still better than what most people use today.
There's a technologicially-easy but socially-hard solution to this problem: stop using "tech giants"' products to secure your communications. Free is the right way to do this genre of software, because there's no one particular individual to coerce into weakening it. And that's really what we need: independence from meddling, because purposely-making-it-wrong is pretty much the main weakness we're facing today.
Propr
Re: (Score:1)
Even if they have it, they should never have the means to break the encryption. Some cases might go unsolved, but it's worth having total freedom to use and be secure in your own articles and papers. Key escrow will simply mean that software authors will start making dead man switches for devices that cannot be stopped. This would be trivially easy and already needed. Most mobile cracking software/hardware already disables the 10 strikes and delete setup in iPhones, for instance. Since most people check the
It Goes Like This (Score:2)
Masters of the Universe: We object to backdoors and weak encryption!
Government: Aw, that's cute. Here's some money, now shut up and behave.
Let's get this very straight (Score:4, Insightful)
Some facts: the US has forced, and further wants to force companies to provide backdoors to their hardware and software; the US has barred the sale of, or outright banned Chinese, Russian, etc. companies, both at the state and consumer-level, such as ZTE, Huawei or Kaspersky, for allegedly (and in the case of ZTE, admitedly) using backdoors in their hardware/software to spy on the US; China and Russia have obviously done the same, or heavily scrutinized US companies and/or forced them to have local servers and fully transparent operations to the state and even banned like the US (see China and Cisco/Apple/Microsoft); other countries have done similar things to data companies such as Facebook, Reddit, Google, either because they don't hand the keys to the kingdom to their own state authorities like they do the US, or because they can't control data flow like they can on state-based data; and last but not least, due to the Patriot Act, we know of 3 US companies that for sure have had spying on their own citizens, due to warrant canary expiration [wikipedia.org] - we don't know of any other country that has done things similar, but we can assume from their own actions, that China (...), Russia (see the Telegram, VK and other shenanigans), and Iran (...) have as well.
Now, we see this report that companies are fighting back. I am no US citizen or even live there, but I have to admit, this fight is a losers' fight and nothing more than PR stunt for privacy-centric, non-tech savvy consumers. All these companies are US-based and/or have main operations in the US, and whatever they do, they have to abide to US law. And most of all, in a game where every state is playing dirty, there is no room to play fair, especially when you are (still) the player with the better hand. IRIS and secret court orders and gag orders and whatnot were scandalous when they got out, but really, one should really see them for what they are - not killing people in all-out-war, yet killing privacy indiscriminately. Violation of privacy is, in a way, like nukes and any WMD but instead of affecting life, it affects a core freedom. So unless everybody starts signing some very closed, transparent non-proliferation agreements, things aren't really gonna improve for us, the small folk, forever exploited, previously by compulsory military service, and now by compulsory data-gathering exploitation. If there's one thing certain, it is that countries like China, Russia, Iran, or even the US, as they are today, democratically, will never sign such accords because they allow spying on their own citizens, let alone sign it to foreign citizens. None of these countries are even enforcing this on people protected with diplomatic passports, who supposedly should have immunity at all levels to perform their tasks, even on data-snooping.
So whatever you want to make of it, things are dead simple - companies themselves have to take the initiative of NOT using data as they do today for their business models, and in the same way, states cannot indiscriminately enforce their own citizens to surrender non-essential data with a bureaucratic excuse. It's never been about encrypting data or using data anonymously - it's like R. Stallman put it in his recent opinion piece [theguardian.com]. Companies can stop pretending to care, and should start caring for real.
Hilarious (Score:3, Insightful)
One thing I thought was hilarious about Ozzie's not-very-original scheme is step 1: getting a court order. The Wired article breathlessly explained the government would absolutely NOT be able to request the decrypted PIN without a court order. Pinky-swear! They emphasized that as a key aspect of the program.
The thing is, how does Apple/Google/Microsoft/etc know whether a court order was actually obtained? All any LEO has to do is to send the code and they get the decrypted PIN back, no verification required. And with hundreds (thousands?) of these requests coming in per day, how would anyone have the time to verify those court orders anyway? Sounds ripe for abuse to me.
They also did a neat little bait-and-switch in the Wired article. At first, Ozzie claimed that the private key would be kept secure. Very, very secure, like in a deep, dark vault with biometric-based authorization required, like they do for the signing keys for IOS updates. So very, very, *very* secure. Again, that super-security was touted as a major feature of the program.
Then someone pointed out (late in the article) that that kind of heavy security would not be practical with hundreds of unlock requests coming in per day. Who would they hire to do hundreds of biometric scans per day to checkout and re-checkout and re-checkout the same key, over and over and over again. Then Ozzie quickly pivoted and said, "Oh well, they'd be as secure as developer keys, then." WTF? News-for-ya: There's a big difference in the security required for OS signing keys vs. dev keys.
The Hardest Problem (Score:4, Informative)
James Comey sees a darkness abroad and in the general public here, and wants the tools to get evidence against those bad actors. The problem is, of course, those tools work on the good and bad alike, turning us all into potential victims of a surveillance state. None of us are perfect. Encryption backdoors make Lavrentiy Beria's quote even more profoundly threatening: "Show me the man and I'll find you the crime."
Re: The Hardest Problem (Score:1)
He who fights with monsters should look to it that he himself does not become a monster. And if you gaze long into an abyss, the abyss also gazes into you.
Why not just use the existing technology? (Score:2)
So if they have a suspect, they get a warrant to put a bug on their device.
Send the phone a software update that reduces the security and adds a trojan.
Police can then monitor any further activity on that device.
This can be done right now with existing tech and doesn't reduce the security for innocent people.
What can't be done is be able to snoop on EVERY device in retrospect without opening everybody to malicious characters.