Comey and Adult Conversations About Encryption

What does an adult conversation over encryption look like? To start we need to understand what Mr. Comey is seeking. Then we can talk about the risks.

AP and others are reporting that FBI director James Comey has asked for “an adult conversation about encryption.” As I’ve previously opined, we need just such a dialog between policy makers, the technical community, and the law enforcement community, so that the technical community has a clear understanding of what it is that investigators really want, and policy makers and law enforcement have a clear understanding of the limits of technology. At the moment, however, it cannot be about give and take. Just as no one cannot legislate that π = 3, no one can legislate that lawful intercept can be done in a perfectly secure way. Mr. Comey’s comments do not quite seem to grasp that notion. At the same time, some in the technical community do not want to give policy makers to even evaluate the risks for themselves. We have recently seen stories of the government stockpiling malware kits. This should not be too surprising, given that at the moment there are few alternatives to accomplish their goals (whatever they are).

So where to start? It would be helpful to have from Mr. Comey and friends a concise statement as to what access they believe they need, and what problem they think they are solving with that access. Throughout All of This, such a statement has been conspicuous in its absence. In its place we have seen sweeping assertions about grand bargains involving the Fourth Amendment. We need to be specific about what the actual demand from the LI community is before we can have those sorts of debates. Does Mr. Comey want to be able to crack traffic on the wire? Does he want access to end user devices? Does he want access to data that has been encrypted in the cloud? It would be helpful for him to clarify.

Once we have such a statement, the technical community can provide a view as to what the risks of various mechanisms to accomplish policy goals are. We’ve assuredly been around the block on this a few times. The law enforcement community will never obtain a perfect solution. They may not need perfection. So what’s good enough for them and what is safe enough for the Internet? How can we implement such a mechanism in a global context? And how would the mechanism be abused by adversaries?

The devil is assuredly in the details.

Cryptowars continued: Harvard paper gives us a state of the net (and it’s not all good)

Cybercrime In November, I opined that a nuanced approach was needed when addressing encryption. I wrote that there are different forms of cryptographic protection, and that each side on this issue needs to consult and not confront one another. Last month, Harvard University’s Berkman Center for Internet and Security released a white paper that attempts to address many of the issues I and others raised. Entitled, Don’t Panic: Making Progress on the “Going Dark” Debate, the the paper points out that governments have many avenues to access unencrypted information. They also have access to so-called “metadata”, and they claim that because of this, the Internet hasn’t really gone dark.

They’re right. For now.

Many of the points the authors made addressed the state of the Internet as they saw it in January of 2016. That is- Google has had difficulty encrypting platforms, Apple has backup recovery keys that governments can subpoena, and the security of the Internet of Things is nothing short of a crying shame, that governments can take advantage of. All three of those points may well change over time. Apple could easily move to a system (if they have not already done so) where recovery keys themselves are encrypted in information that only the owner of a device has, be that a password or one of those questions like, “What was your first pet?” If Apple can accomplish such a feat, the only matter that would hold Google up is lining up those that actually sell their devices to support whatever system they put in place.

Even metadata is likely to dry up. Efforts such as the IETF’s DPRIVE working group attempt to keep private queries your computer makes to convert domain names like ofcourseimright.com to IP addresses that the network understands. At the same time, those who really want to hide are able to do so through ToR networks.

Even the security of Things on the Internet is likely to improve over time, albeit slowly. That will require a concerted effort between Thing manufacturers, network vendors, service providers, and users.

And so the question: do policy makers need to actually do anything today to insure access to law enforcement officials? My answer is a firm not yet. That’s very good news because it gives us time to have the dialog necessary to deal with the many facets of this issue. However, all sides still have come to terms with each other.

“Law Enforcement” Stupidity Harms People

People who are in the country illegally take many risks. They risk being deported and not allowed back into the country. They risk not being able to take advantage of many aspects of the financial market for fear of being deported. They often risk their lives to get into America in the first place. And while it may seem reasonable for them to be arrested because they have entered the country illegally, that doesn’t mean they should be mistreated by the government while in detention. Such was the case with Juana Villegas, as the New York Times reported.

While in custody she went into labor, and was not permitted to see her husband in the delivery room. After the birth she was not permitted to breast feed her child or to have a breast pump. It is generally believed that breast fed babies are able to retain their mothers’ immunities longer than those who use formula. Many branches of our own government encourage breast feeding. And so by unnecessarily separating the mother from the child, the police effectively harmed the child, who is an American citizen and is eligible for social assistance. The child having already become sick once, is now costing Tennessee taxpayers.

This is all as a result of a program called 287G that turns police officers into immigration agents. The behavior of the police in Tennessee is precisely the result of design and desire of the Bush Administration. This is sad, because although this president has many flaws, one of his supposed bright spots was to be immigration reform. Unfortunately even there matters have gotten worse, as a fence is erected along the California border, and children suffer because of stupid policies such as that of this town in Tennesee.

One of the many remarkably stupid things in Mrs. Villegas’ case was the absurd statement made by the corrections official that they routinely bar medical equipment like a breast pump from a jail. It demonstrates either ignorance of the benefits, incompetence at being able to service inmates’ medical needs, blindness to the fact that an illegal immigrant is not the sort that is going to turn a breast pump into a bong, or all of the above. I wonder if they keep walking sticks away from the blind.