"In 1995, there was a debate at Harvard Law School – four of us discussing the future of public key encryption and its control. I was on the side, I suppose, of freedom. It’s where I try to be. With me at that debate was a man called Daniel Weitzner who now works in the White House making Internet policy for the Obama administration.

On the other side was the then Deputy Attorney General of the United States and a lawyer in private practice named Stewart Baker who had been chief council to the National Security Agency, our listeners, and who was then in private life helping businesses to deal with the listeners. He then became, later on, the deputy for policy planning in the Department of Homeland Security in the United States and has much to do with what happened in our network after 2001.

At any rate, the four of us spent two pleasant hours debating the right to encrypt and at the end there was a little dinner party at the Harvard faculty club, and at the end, after all the food had been taken away and just the port and the walnuts were left on the table, Stuart said, “All right, among us now that we are all in private, just us girls, I’ll let our hair down.”

He didn’t have much hair even then, but he let it down.

“We are not going to prosecute your client, Mr. Zimmermann," he said. “Public key encryption will become available. We fought a long, losing battle against it, but it was just a delaying tactic.” And then he looked around the room and he said, ”But nobody cares about anonymity, do they?"

And a cold chill went up my spine and I thought, all right, Stuart, and now I know you’re going to spend the next twenty years trying to eliminate anonymity in human society and I am going to try to stop you and we’ll see how it goes.

And it’s going badly."

https://www.softwarefreedom.org/events/2012/Moglen-rePublica...

I don't want make believe anonymity, I want to know where data is going and where it's coming from. Once I have that I can encrypt for privacy and web sites can strip identifying information if they want to provide an anonymous forum.

The primary problem is that it's expensive for users -- expensive in terms of time, cost, and complexity; which means usage is low. Consequently, it also makes people targets simply for using the system as the number of those using the system is relatively small -- something one can't really get away from easily unless makes it look like one isn't using the technology. To do that, one then has to go through the effort of creating cover traffic -- and creating consistently good cover traffic (good enough to fool a human analyst, because one is one of thousands, not one of millions/thousands of millions) is immensely difficult and techniques change over time w/ local conditions so it's hard to automate. Life gets really really difficult when survival depends not only on keeping people out but also on keeping them from knowing anything of interest is there in the first place!

Don't forget about stylometry and inadvertent signatures; never communicate in real time, avoid absolutely everything but plain text data if at all possible, write very plainly (say, using only first few thousand most common words in your language) and use stylometry defeating tools (for example, Anonymouth -- though I haven't audited it; others have, but it's still just a thin layer to apply to other work) to prevent others from creating signatures based on the words you use and how you use them. NEVER forget that binary data you send might contain metadata fields to give you away (version numbers, encoding settings -- all seemingly innocuous but possibly unique to you!). Sending images? Make absolutely certain your camera doesn't have sensor glitches that can create a signature. ( see https://www.schneier.com/blog/archives/2006/04/digital_camer... ) Don't forget your surroundings either ( NSFW Language/Topic (4Chan helps track down targets) but incredibly illustrative - https://i.imgur.com/nLCklgZ.jpg ). Sending scans of documents? Most new printers print identifying patterns using steganographic techniques. ( see https://www.eff.org/issues/printers ). Stop and meet someone and both of you brought your mobiles? The fact that your phones traveled together, and where you went, is recorded (CO-TRAVELLER; see https://www.washingtonpost.com/world/national-security/nsa-t... ). The world is INCREDIBLY hostile to anonymity seekers.

Relying on third parties to strip data isn't a workable anonymity solution because you can't trust them to do so, correctly or at all. Not to mention that; but with pervasive internet monitoring (which, thanks to Snowden, we know is real) the mere fact that you've communicated with someone or a site storing your data is stored in a place where it cannot be wiped by any party authorised to participate in your conversation. Generally, if you're not anonymous to the person you're communicating with, until you choose to identify yourself during communications who's contents may then be repudiated (say, an olm/axolotl ratchet) at a later time by publishing that private key, now expired and no longer good for future authentication -- then you won't be anonymous to any party, period.

It's a trust no-one, verify everything type of situation; people don't deal well with that. Pervasive encryption is only the first and easiest step. If you want true (or even just reasonable) anonymity, things get very expensive, very quickly.

When you talk about things like torture nobody really worries about things like that happening to them, because it mostly won't. But I think people tend to forget that these ABC agencies are made up of people. People that, like all people, are very flawed. My family tends to be of the 'I don't care - I have nothing to hide' state of mind. Referencing these events, which are really just basic consequences of human nature, sent them on a 180 fast.

[1] - http://www.businessinsider.com/edward-snowden-guardian-inter...

[2] - https://blogs.wsj.com/washwire/2013/08/23/nsa-officers-somet...

Who decides what is meaningfull to hide in 20 years time? The relationships you had 20 years ago, what are they doing now? You don't know but the government surely does and you had connections to these people that now are possible terrorists. Good luck getting through the security check at the next airport.

I found it very telling that they announced their inability to access the phone only a few days after the incident. It struck me as a very clear PR move that was designed to lay the groundwork to shape public opinion. My threshold for declaring that the device is inaccessible requires more time for research and effort than this.

They shouldn't even be asking for this power if they can't at least academically prove that they can't mess it up.

I think this mixes up what is true and what people (myself included) wish was true.

Governments don’t have power given to them. Their default state is God-Kings ruling on personal whims.

Governments have power taken from them, either by corporations, or by religions, or by other governments — sometimes these groups even call themselves “the people” — but the restrictions are not stable equilibriums, they are constantly fought against on all sides.

For as long as we ignore this fact, we'll get corrupt governments. Alas, its also a key reason that governments are corrupt - a government is only as ethical as the people it governs.

Encryption is the only way to secure information. This is true for criminals and non-criminals alike. To deny encryption is to deny security to everyone.

Presuming it's the criminals who will look to exploit these vulnerabilities, denying security is making every non-criminal susceptible to attack.

So the only question that needs to be answered is this. Do we want to protect our citizens? The only answer is yes. The only solution is encryption.

The problem with strong encryption is that it already exists. Even if strong encryption were made illegal, criminals will be the one's securing their data despite the law. To deny citizens the right to protect themselves is just putting them all at risk. It's disarmament.

Under the law, all the police should need is a warrant. It's not even an exception to any rule.

This is not the right question. It is the one they use but is not the right one.

"Do we want our citizen able to protect themselves" is the right question. And as most government have shown, they really don't want it. They want to be in charge of the protecting.

Once you see things from their perspective their position makes more sense.

From a european perspective it's so strange.

I'm not sure the metaphorical person on the street even knows encryption exists; if they do, it's only very vague and probably an entirely incorrect understanding of it.

As for people who are for one and not the other, even though I'm personally in favor of both the second amendment and encryption in the hands of people, it's not hard to see a meaningful difference between them that would make it reasonable to have differing opinions. Guns in the hands of the populace is a positive power to do harm, encryption in the hands of the populace is strictly defensive. Criminals can use encryption to defend things we'd rather not have defended, but that is fundamentally a different concern that criminals using guns to attack things we'd rather not have attacked.

I think the only weird case would be being in favor of gun rights but thinking the government should have back door access to encryption, on the part of someone who deeply understands both. That is to say, I'm sure you can find people who believe both those things, but I suspect the latter is mostly an un-thought-out instinctive reaction to generally trust authority figures who seem generally trustworthy to them combined with a lot of ignorance about what encryption is and how it works. Humans have an all-but-instinctual understanding of physical weapons, encryption is basically magic by comparison.

Fair point. Although that still does feel weird to look at the us from Europe where guns nor anti-encryptions are popular.

The person who actually believes what he espouses will actually work for that goal.

Unfortunately, the vast majority of politicians are the former rather than the latter, hence the popular perjorative "RINO". Maybe there's a similar thing on the Democrat side, but I can't think of one right now.

Agreed. To me, it seems that encryption should be uncontroversially accepted from the populations's standpoint, while gun policies have valid arguments for and against.

Basically: it's really hard to shoot someone in the face with pgp.

Well, anybody can hide their use of encryption by using steganography, [1]. E.g. you just piggy-back your secret file as noise on top of a legitimate file.

[1] https://en.wikipedia.org/wiki/Steganography

    Hi Alice, I just did a billion coin-tosses, and the outcomes were:

    HTTHHTHTHHTHHTHHTHHTTTHTHTHTTTHHTHTTHT ...

    Regards, Bob

If you consider police officers and judges to be that stupid, you don't even need that. You can simply say: "No, my hard drive isn't encrypted, I'm just collecting white noise."

The whole point of steganography is to not raise suspiciousness in the first place.

Answer: you can’t.

So it's business as usual. It's obstruction of justice. Book'em.

And of course, "I can't remember" is always the greatest defense.

This whole thing is about the government endangering the public in exchange for abusing their rights.

It's all bad. You could go as far as argue that the government is obstructing justice and endangering the public by denying basic security.

We already know the enemy will find ways to access all the data. Encryption is not the last line of defense. It's the only line.

This is what DoJ wants to close by making just possession of encrypted documents criminal.

(Note: not a lawyer.)

It is? I'm not sure how you'd disprove it. Anecdotally (which I suppose actually matters in this case!) I've had a case where a (fairly long, 26 character) password I used regularly suddenly (and thus far, permanently!) went out of my head. I can remember some fragments of the password but not the whole thing.

The only novel issues encryption brings to the table involve self incrimination, because, AFAIK, IANAL, etc., the only time an encryption key is inarguably protected by the fifth amendment is where the fact that the defendant knows the key is itself incriminating evidence, because the fifth amendment only applies to self-incriminating testimony, not other self-incriminating evidence in the defendant's possession (e.g., the contents of a hard drive, encrypted or not).

The problem with this of course is that its a truly horrible idea which defeats the whole concept of a private key. Another massive problem here is that you've just created the biggest target for hackers. once the keys are out... everyone is screwed.

What would the logistics of this be? Would the government need to store all master keys to be able to decrypt an old message? How would you know you're using the right key to decrypt a message? What happens if all the old keys leak?

What about foreign communications? You can't compel foreign actors to encrypt with your algorithm. What if I'm storing foreign data which is encrypted with illegal algorithms, is that going to be illegal? If so, then goodbye hosting services in the US. If not, how are you going to differentiate between foreign data and local data?

What about the transition period? What do you do with legacy encryption? What about people who haven't received the newly updated government-sanctioned encryption yet? What about old devices that can't run your encryption algorithm, closed systems, etc?

I don't think it's as incredibly simple as you put it.

Yes it will. A single user being careless with their password only exposes that user. Leaking the master key (and it will leak) exposes everyone. The target is much bigger, the payoff is much bigger for the bad guys, the risks are immense.

I agree that it should be assumed that the key will leak but there are plenty of ways to practically mitigate the usefulness of a leaked key.

I mentioned expiring keys already, which is obvious, but there are more sophisticated protocols that can be put in place.

> The target is much bigger, the payoff is much bigger for the bad guys

I don't think this is true. These keys would only be usable with physical access to a device. If you have physical access to the device its hard to imagine a scenario where the easiest route to cracking it would be penetrating a secure government facility.

Let me add that you have to think about security in relative and not absolute terms.

If you trust the government to secure a massive stockpile of NBC weapons, if you trust the government to manage a massive state security apparatus with hundreds of thousands of armed agents deployed domestically, then it is a little silly to draw the line at trusting them with your facebook feed.

Physical security and digital security are very different. Someone stealing a bomb is still only one bomb. Securing that bomb involves fortifying a well-defined local border. Attacking it requires personal risk that is hard to parallelize.

Digital networks can be attacked at any time from any number of opponents. These attacks are usually automated without the risk of being found by a guard with a machine gun. Stealing the escrow key database isn't merely a single bad event; it would allow access - possibly retroactively - everything supposedly protected by those key, which is presumably "everything".

> key

You seem to be using "key" to mean several different concepts.

It's foolish to assume this after Snowden was able to walk away with his archive of classified documents. In his case, storing that many documents within the reach of one person risked losing the entire archive, which is exactly what happened. If literally everything depends on a government held escrow key, You've painted a target on a huge single-point failure.

Yet, it's very possible to share a copy of every user key using methods like Shamir's secret sharing - therefore requiring P out of N entities agreeing on allowing the decryption to happen.

The secrets can be shared in advance with attorneys, civil rights groups, government entities and allows a democratic-ish process around decryption.

I am not sure that this argument is simple at all.

Encryption only provides theoretical security. In practice even if strong encryption can't be broken it can almost always be bypassed rather trivially if data is being accessed on a regular basis.

If data is encrypted and left cold then that can be difficult or impossible to retrieve if a secure key is used and that key has never leaked anywhere but that is a pretty limited use case.

For average people encryption provides very little real world security because their data is online on buggy insecure devices all the time so there are always easier ways to compromise their data than breaking crypto.

Sophisticated criminals also don't trust encryption and don't use digital devices at all.

The only security you have is the fact that there aren't nearly enough criminals to exploit all of the info that has already been stolen so there is a very low chance that you will be a victim of identity theft, but it has nothing to do with transport layer encryption.

It may not be in everyone’s threat model, but it is definitely very important and provides real world security.

This is pretty much the case, to include security vulnerabilities in most systems as well. Most just are not exploited because their arent enough criminals with enough time.

The Dept of Justice official referred to was Deputy Attorney General Jamie Gorelick, who is now a partner at a big DC law firm WilmerHale, where she represents Jared Kushner and Ivanka Trump.

See our paper, Keys under doormats: mandating insecurity by requiring government access to all data and communications, for more. https://doi.org/10.1093/cybsec/tyv009

However two things are striking about this speech, and similar recent (over the past few years) ones in the US and UK at least:

1 - Rosenstein is no dummy, so must be perfectly aware of the doublespeak in his statement that they don't want to make things easier for criminals yet companies must provide accomodation for alleged non-criminals. The pre-GWOT NSA took information assurance seriously and, at least in some cases, made encryption stronger for everyone (consider the RSA S-box) even (perhaps) at the expense of the NSA's SIGIINT efforts. I don't know if the Information Assurance Directorate is even staffed any more.

2 - The propaganda is at its most flagrant with the Sutherland shooter: Apple reportedly offered its help but the FBI ignored that until the 48 hours had passed to lock the phone, and then excoriated Apple. Meretricious malpractice, as far as I am concerned.

Neither of which makes me in any way supportive of the FBIs position, no matter what actual merit might lie in it.

That the patterns of bits in the chips make up some unrecognizable utterance is seemingly immaterial. I could write gibberish in my journal at home if I wanted to, and I think we'd all agree it would be ridiculous for the FBI to run around screaming about unbreakable ink

The way to fight for strong privacy isn't to run around screaming how "these people just don't GET it!". Because they will look at the framed Math PhD certificate on the wall and rightfully conclude that you're starting from wrong assumptions.

Instead, start by imagine the most perfect FBI agents you can. Then, debate them.

That debate must start with agreeing that your idealized agent does indeed have a harder job when all evidence moves from binders full of incriminating paper to an encrypted, impenetrable blob. Not accepting that truth makes you useless for your cause, because nobody who isn't already a convert will listen to you if you deny reality with ill-fitting analogies.

Only then can you make your case, the two main arguments of which should be:

- It is impossible to weaken encryption without running the risk of those weaknesses being exploited, or the keys to the backdoor, falling into the hands of bad actors.

- The ability to automate electronic surveillance potentially increases the quantity of surveillance to a point where it also takes on a different quality. Even if judicial oversight remained (which is questionable, considering FISA et al), privacy invasion was previously limited by two informal, yet important, caveats: the costs and resources required to have agents physically search, and the public visibility of such searches.

This. 1000 times this.

I'm actually really worried that, the harder our community pushes back against seemingly reasonable requests for access, and the louder we scream about stuff like the Texas shooter's phone, the less political capital we're going to have left to spend when we need it. And we're going to need a lot of it for this fight.

Specifically encrypting incriminating data after you have evidence of a crime in an effort to cover it up should be treated as the equivalent of shredding documents. (Assuming, of course, they can prove it, just as they have to prove that you had the documents in question prior to destroying them in order to prosecute you for destroying evidence.)

That's not in any way the same thing as having your data encrypted and refusing to decrypt it.

To avoid cases where people legitimately forgot their passwords just assume that the police have video evidence of you unlocking the files just before you were arrested. You know the passphrase and the police could prove it beyond reasonable doubt in court.

You just start with your files encrypted with a strong passphrase and refuse to provide it when you get caught. This is different than routine shredding because the moment when they become inaccessible is when you refuse, not the moment you encrypted them.

If they were instead physical documents buried somewhere hidden where the police could not possibly find them without your help the court still has the ability to hold you in contempt if you don't produce them. What makes the secret knowledge of their location any different than the secret knowledge of the password?

Are you sure this is so, this sounds awfully similar to compelling you to testify against yourself. Perhaps you are confused.

Are you sure? That would imply that you could be compelled to produce documents that are known to exist but were stolen from you.

It seems like a faulty premise. If they don't know where the documents are then how could they know they haven't been stolen or destroyed?

It's the same problem with encryption keys. Just because you had it yesterday doesn't mean you have it today. People actually lose or forget things, especially under stress.

That's one of the main purposes of protection against self-incrimination -- so that the government can't claim you know something that you don't and then hold you in contempt for not telling them.

Yes. A quick google for "foregone conclusion doctrine" will turn up a bunch of fairly-recent news about this.

> It's the same problem with encryption keys. Just because you had it yesterday doesn't mean you have it today. People actually lose or forget things, especially under stress.

Yes, and that's part of the problem. I'm not saying I agree with how all this works, just stating that's how it is.

There are limits, of course. If the court cannot establish that you know (or at least knew) the password/phrase/key. "I forgot" can certainly be a legitimate defense, but it of course depends on whether or not a judge believes you. If we could use "I don't remember" as an unquestioned excuse, we could get away with anything.

> That's one of the main purposes of protection against self-incrimination -- so that the government can't claim you know something that you don't and then hold you in contempt for not telling them.

That's not what we're talking about here. We're talking about things the government affirmatively knows that you either have or know. Unfortunately, of you no longer have or know that thing, the burden is on you to prove that you don't, which is difficult.

You have to keep in mind that judges make rulings that conflict with the rulings of other judges all the time. It means one of them is wrong and it takes a higher court (or legislative action) to sort it out.

Pointing to lower court rulings in the news doesn't mean the issue is settled.

> If we could use "I don't remember" as an unquestioned excuse, we could get away with anything.

That is obviously nonsense. People are regularly convicted without being compelled to say or do anything. The government simply has to prove their case without the defendant's testimony.

> We're talking about things the government affirmatively knows that you either have or know. Unfortunately, of you no longer have or know that thing, the burden is on you to prove that you don't, which is difficult.

But that's the point. They should have to prove that you have it, not that you had it. And when the thing is the contents of your mind, it's impossible for them to prove that without your cooperation, and impossible for you to disprove it.

The burden that something can't be proven in a criminal proceeding is supposed to fall on the government, not the accused.

You're forgetting that the courts are human and would be sympathetic in this case. If it couldn't be shown that you have access to the documents or you could show they were stolen then you would be fine.

> Just because you had it yesterday doesn't mean you have it today

Right, which is why I prefaced the discussion with the situations where the police can prove beyond a reasonable doubt that you posses the key/password. We can make it more direct by arresting you immediately after you prove on video that you're capable of decrypting the documents.

> can't claim you know something

Right, but the difference is we're talking about a case where they can prove you know something. We're firmly in foregone conclusion territory.

But that's the whole problem. How are you supposed to prove that you don't have something? It's completely reasonable that someone can have stolen it from you without you being able to prove it.

They can prove that you do have it by finding it in your possession, but if they could do that then they wouldn't need you to tell them where it is. If they don't know where it is then they can't know whether you have it or not.

> Right, which is why I prefaced the discussion with the situations where the police can prove beyond a reasonable doubt that you posses the key/password.

That's just assuming the conclusion.

Proving beyond a reasonable doubt that somebody knows something is next to impossible. You can have them on video entering the correct pass phrase and it only proves that they knew it when the video was made, not that they still remember it now.

I agree and if I was designing the legal theory I would make sure that the burden of proof is on the person claiming an other has knowledge.

> the correct pass phrase and it only proves that they knew it when the video was made, not that they still remember it now.

Right, which is where reasonable doubt comes into play: if the video was months ago it's completely reasonable to forget a password -- if it's two hours later they have a much tougher case to make about spontaneous amnesia.

Applying the 'you can't possibly prove knowledge under any circumstances' argument would be absurd in any other case.

"Did you know she was under 18?"

"No your honor, I forgot, it had been a few weeks since I saw her ID."

You're confusing less likely with unreasonable.

A pass phrase long enough not to make the whole question irrelevant is hard to remember.

You may have it in short term memory until it gets displaced by "oh crap I need to hire an attorney and a bail bondsman and call my boss and explain this to my wife" type issues. You may be able to remember it sitting in a familiar environment surrounded by your stuff but not in a jail cell without any of those cues.

It's completely reasonable to forget something you knew five minutes ago. It happens all the time.

Haven't you ever walked into a room and been unable to remember why you did? And that isn't 128 bits worth of context-free random data.

> "Did you know she was under 18?"

> "No your honor, I forgot, it had been a few weeks since I saw her ID."

I'm not sure this is making the point you want it to. The real targets of statutory rape laws are pedophiles who rape eight year olds, and in those cases it isn't a question of memory. You may not have remembered whether the child was 8 or 9 but you couldn't reasonably have thought they were above the age of consent. Which is why nobody objects to putting those pedophiles in jail, or to the laws that make it happen.

It's the cases where there could be a legitimate confusion that create exactly this problem. You can't tell if someone is one year above or below the age of consent just by looking at them, which is why those cases are extremely controversial.

How is it absurd that you could forget someone's age? Do you know the exact age of everyone you've ever been to the birthday party of? You probably knew on the day of the party.

Not true. The moment you encrypted them, they became inaccessible without your consent.

If it really had anything to do with when you refuse then you could just proactively refuse as soon as you encrypt so it happens at the same time. And it would imply that if you were killed before being asked to decrypt then the government would have access to the data because you never refused, which is obviously not true.

When does encrypted data become inaccessible? When you encrypted them or when you forgot the password?

Inaccessible to which party? It becomes inaccessible to anyone without the key immediately and inaccessible to anyone with the key when they forget the key.

Compare the situation where a person commits a document to memory and then destroys it, but writes down some inscrutable clues to help them remember it. You have some gibberish you can't decipher, if you give them the gibberish they can recreate the original document, but it's only by application of information that exists only in their mind.

Police need reasonable cause to take action.

If all you have is an encrypted file, there's nothing to say it is incriminating. Encryption is necessary for a whole range of things.

Would you like banks to be forced to use weak encryption when processing bank-to-bank transfers?

Net time, they should ask DoD if they would use the proposed scheme. Or whether the critical economical infrastructure of the US warrants less protection than DoD documents.

Many experts have told them. They have told them that 'backdoored' is contradictory to 'strong.

The impression I get - being as far away from this debate as any other non-US citizen - is this request for "strong but accessible" "encryption" is repeated by administration and echoed by media consistently. Eventually, every citizen with the limited understanding and memory that we have to spare will be asking 'why aren't our scientists giving law enforcement what they need?', instead of what does that actually mean. In a way I find myself very fortunate to be on the side of the pond where these voices still exist, but reason temporarily prevails.

People have been telling that to politicians over and over and over and over again. They refuse to hear it.

The problem with politics is that a lot of people have this idea of how the world should work, and they think this somehow overrules how the world actually works. In the fantasy world they live in backdoors can only ever be used by the good guys.

https://en.wikipedia.org/wiki/Spoliation_of_evidence

A better analogy for cryptography is "a journal written in code". This better captures the property of encrypted data: the contents of the journal corresponds to the plaintext, the rules to encode the writings corresponds to the cipher plus the private key, and having the journal without the rules is like having the ciphertext without the private key. Like with cryptography but unlike with a safe, to get to the contents you have to know or guess the rules; you can't drill the door like you can with a safe.

That's not true; it doesn't make sense to me even if it were possible to guarantee proper handling. The risk of the government abusing it's power in a completely legal way is greater than some crimes going unsolved because documents remain secret.

What matters to me is the power imbalance; with few exceptions whatever the government can do, normal people should be able to do to.

The 4th amendment doesn't mean you can do every illegal thing in the world and never fear the state...simply the state cannot engage in fishing expeditions. If 5 kids are reported missing from your neighborhood, and a day later you have a backhoe digging on your backyard, be ready to answer a few questions--that may lead to other questions and warrants.

>>The risk of the government abusing it's power in a completely legal way

No such thing in a western /democratic society. After you go all the levels, you must obey. Sometimes it sucks, but...

But you're right -- in an ideal world, pretty much nobody would design a future where the worst of humanity can hide behind encryption to avoid accountability.

The problem is that, with the current set of technologies that we have right now, we either give the cops (effectively) the ability to get everything on everyone, limited only by their discretion (ha!), or we give them nothing, and we give guys like Osama Bin Laden and Richard Spencer a place to hide.

One of my biggest fears is that, if we give the voting public only these two options, then eventually they're going to side with Officer Friendly over Bin Laden and Spencer.

Ultimately, it's going to be up to us as technologists to figure out something better.

It's kind of alarming how easily you can throw Osama Bin Ladin (a guy who killed thousands of innocent Americans), with Richard Spencer who _says_ fucked up things. Richard Spencer (just like the Westboro Baptist Church) is probably a complete douchebag nutjob. But to so casually equate saying douchey things with the murder of thousands... that's exactly what leads to Officer Friendly getting more powers over every day, innocent citizens.

Look at Russia and China. They're literally doing what you're suggesting by using thought crimes to justify massive surveillance and censorship of every forum and network to "protect society" from bad thoughts and damaging their "way of life".

The very rights that allowed the civil rights movement to exist, are the ones you guys are casually trying to destroy. Daring to have an opinion the majority finds revolting. Freedom of Speech is literally a protection of minorities from the majority. Those in power don't need protection.

[edit] 1 minute in, and yep, this is going down as I expected. Have a great day. =D

And I suspect that most here wouldn't mind them getting a warrant for his phone under the same circumstances, if they can just bring themselves to admit it.

> The very rights that allowed the civil rights movement to exist

I think I see what you're saying here, but encryption wasn't really around in MLK's day.

> are the ones you guys are casually trying to destroy.

Whoa there, please don't lump me in with the authoritarians, especially the new Leftist flavor that's so popular lately.

The case that I'm trying to make in this thread is that we've got to find a better balance that protects minority voices (like MLK, or Ben Shapiro, or Milo Yanawhatshisname or whoever Berkeley is rioting about this week) in a cryptographically strong way, while still allowing for some sort of accountability in extreme cases.

If we fail at this - or worse, if we can't be bothered to try - then I'm afraid we're going to wind up stuck with something crappy like key escrow, and then the thought police are really going to have a field day.

There's the freedom/privacy argument, but I guess this is debatable depending on if you view computer files as an extension of your ideas/knowledge, or an extension of your physical possessions.

Someone brought up the entire "risk of overreach and abuse" argument.

There's also the likelihood of any tools the government has being leaked and used by bad actors (as we have seen too much recently).

Oh, and the "it's technologically impossible" argument, which should be the only one you need -- but they refuse to hear that. (Are there some supposed experts who are telling the DOJ this can be done?)

I don't have a problem with the authorities operating within the purview of the Constitution, eg. a warrant from a court for a particular device. That, however, is not how we got to where we are today.

- They solved crimes before iPhones. Encryption is not a roadblock

- In many countries guns are illegal. Yet criminals do own them. If encryption becomes illegal, criminals would still use it

Making guns illegal doesn't stop criminals from using them, but it does make it possible to jail someone only because they had a gun.

Outlawing encyrption won't stop criminals from using encryption (just look at China) but it does make it possible to jail dissidents only because they were using encryption.

Surveillance will be easier if encryption is illegal, but surveillance would be easier if everyone was obligated to wear a GPS tracker as well. "Making surveillance easier" is not sufficient to argue it should be implemented. There needs to be checks and balances. And when only the government can keep secrets, and they will, there are no more.

The main reason why recent terror attacks in Europe used trucks and knives was because guns are really hard to buy in most countries. Even on the black market it'll be hard to get guns in many European countries. Not saying that there's no black market but most people wouldn't have the contacts to get any. So outlawing helps a lot and while it doesn't reduce gun crime by 100%, it probably reduces it by >90%.

While encryption is easier to get online (no physical shipping), I doubt many people have the knowledge to identify good encryption without backdoors. Most would probably fall for mechanisms planted by intelligence services.

The problem remains that they constantly abuse their power and are able to even circumvent the warrant part once they know that those keys exist.

It's really not.

Encryption is all-or-nothing.

Either encryption works, or it fails. You can't pick and choose for whom it will work, and for whom it will fail.

So that frames the question, "Who is allowed to use encryption?"

This is a dangerous question to be asking, which is why it is hidden behind rhetoric by those who are asking it.

Encryption is speech.

Anyone can create and use a cypher. Such techniques were invented long before modern computing. Encrypted data is indistinguishable from random data, and possibly even unencrypted data.

Encryption is math. Cyphers are mathematical functions, whose derivations are public knowledge.

That brings us to the next question: "How?"

Either you control speech, or make math secret. Neither option is scalable, and neither option is moral.

Things like DUAL_EC_DRBG seem to prove this claim false.

Actually, most people would use it because most people just don't care that much.

>which is sure to be leaked/compromised if shared with the entire DOJ and others

But this is a policy issue, not an issue with the idea of backdoored encryption. There are policies that could reduce the probability of leak to negligible levels (e.g. a secure NSA facility does all the decryption). Not to mention that only the NSA will be in a position to decrypt your communications from 5 years ago. No one else is storing such a vast quantity of data.

https://www.theguardian.com/technology/2017/jun/19/eu-outlaw...

That has changed a bit with recent terror attacks (fear of terror outweighs other fears) but in general, data protection is taken much more seriously in Europe than in other regions and that doesn't only include companies but also the state.

He was your stereotypical brainiac type dude - quiet, lanky, glasses, soft spoken, and razor sharp. He must have been in his 50s, but you would think he had just completed upper division math, chemistry, and physics "last semester" with perfect grades to boot.

He told me a story about how once while in his Masters program, one of his colleagues figured out how to do some cool stuff with unenriched uranium.

Almost like out of a movie, he said, the government stepped in and made sure he did not publish his research.

I wonder if we'll see that type of stuff happen with cryptography or if it's already happening. I wouldn't be surprised if these theatrics were just to maintain the illusion that they don't have access to stuff.

Remember the time when organisations like DARPA actually promoted public research of this magnitude? Or when DoD was making certain research public?

And that kind of misrepresentation just weakens the arguments for strong encryption, because intelligent people will see them as pretty transparent misrepresentations. Have you considered that's why the arguments for strong encryption aren't going well -- that we're not actually engaging with intelligent people trying to understand the issue, we're chanting trite, shallow inaccuracies?

I mean -- "there is not a gradient"? ...what do you call changing key size?

Ed:

I'd like the people downvoting to explain how changing the keysize isn't a gradient of security. (Hint: You can't, because it is.)

key size is not a measure of security. It is a measure of how /long/ we intend the key to be secure.

More explicitly: Key size does not exist of the gradient of protocol security. We know how long a key takes to break given current technology and algorithms. We choose a key size to render the time to break infeasible against our prediction of state of the art some amount of time in the future. If there's a gradient, the gradient isn't "how secure it is", its "how long it will remain secure".

Hence any policy that endeavours to control the "strength" of encryption through controls over key length is /necessarily/ requiring an insecure key size.

It can be put this simply: How small must the key be to allow it to be "good enough" for the DoJ? Would they accept a continuous 5 years on a 10000 gpus? Noting of course that in 18-24 months that key size will now only require 2.5 years, then 1.25, 7 months, 3 months...

Of course I'm sure 5 years and millions of dollars will be "unreasonable", so it would need to take less time, and cost less.

The problem with what others have posited as "money based encryption" easily scales up with AWS, Azure, GCE, and private clouds. Even individuals can buy a large cloud for 1h for cheap and crack with rainbow tables or such.

But for a real safe, I can go get a thermic lance. It nicely cuts inside most safes. Or I can use a bunch of liquid nitrogen and freeze-shatter it.

These vastly speed up even dumb attacks against the passwords. (Not even keys.)

Edit:

You're also completely eliding that security is probabilistic -- they might just guess our key on the first try. We can only discuss it as the expected amount of computation to figure out our key on average. That expected amount has a gradient along keysize.

Anything other than deriving the plaintext of encrypted data alone would mean the protocol was insecure.

That said, I am coming to agree with you in terms of trying to explain to people who don't write crypto code that saying key size is gradient of security is probably the most sensible thing.

I still disagree with you on the actual statement :D

That said most of the demands made by DoJ aren't for reduced key size, they're for variations of key /escrow/: literally breaking the security model of crypto entirely.

So maybe I could be more specific: there is no such thing as an almost secure protocol.

The key (ha!) result of this recognition is that all secure protocols have been moving to some variant of ephemeral keys. Specifically to deal with the problem of all static keys eventually becoming insecure.

Yes, we use keys up the gradient of security that key size represents as attacks become more powerful. The reason we don't use the more secure keys in the first place isn't that 2048b keys weren't always more secure than 1024b keys -- it's just that we didn't (for most purposes) need to be that secure, and so we choose an appropriate spot on the gradient for our cost-benefit analysis.

Pretending that's not a gradient of security is simply dishonest.

> That said most of the demands made by DoJ aren't for reduced key size, they're for variations of key /escrow/: literally breaking the security model of crypto entirely.

That's missing the plot for the details: the DoJ wants a method by which they can break into digital safes in a manner similar to physical safes. Their proposal is key escrow, but that's partly because technologists didn't suggest a better way when the DoJ simply asked to get it done with little guidance. So they made a specific ask. And it sucks -- because they're not technologists. Everyone knows it, but the DoJ isn't inclined to let people flat out refuse.

Pretending that there aren't technical solutions with transparent ruses -- like there aren't gradients of security -- are how we got to lawyers demanding technical features.

I don't disagree with you that we should use secure protocols, I'm just saying we need to hold ourselves accountable for honest and strong arguments, not ruses.

The one you end on -- that using ephemeral keys is fundamentally a stronger algorithm that doesn't work well with long term taps -- is a strong argument. Much better than things like "there aren't security gradients" -- partly because they're actually true.

I've spent years of my life working on making it so people don't have to risk their information whenever it touches a computer.

Key length is a measure of how long you want the key to be secure. Also note that we tried that once in the past: DES had a deliberately crippled key space. That was resulting in terrible security bugs only a few years ago.

I keep seeing this statement being made whenever this topic comes up. Yet I've never seen a formal impossibility result.

It's amazing. Cryptographers are the smartest people in the world when it comes to solving most problems. (Just ask them!)

But seriously, some of the stuff they can do is like magic. Things that, intuitively, sound like they should be impossible. For example:

Zero knowledge proofs? Can do.

Oblivious transfer? Sure thing.

Fully homomorphic encryption? Coming right up!

But then the DOJ says they want some way to investigate the Texas shooter's phone without also getting access to everyone else's data. And suddenly the whole community is like "I dunno man, aren't you just asking me to 'nerd harder'? ¯\_(ツ)_/¯ lololol"

It was cute at first, but if we keep it up we're going to start burning through our credibility real soon.

It isn't that there are no levels of security, it's that you can't be at two separate levels at the same time. There is no overlap.

Mandating 512-bit RSA is useless because the government could break it but so can everybody else. Allowing 4096-bit RSA wouldn't allow the government to break it.

There is no middle ground. Mandating something like 1024-bit RSA, which is considered weak but nobody has actually broken it yet, is worse than useless. The FBI probably couldn't break it today and some hackers will probably break it tomorrow, so it would only leave people at risk without providing the government access.

What do you say to DUAL_EC_DRBG, which seems to be precisely that "separate levels" of security you claim is impossible?

The same applies to the recently published DUHK attack: once the hardcoded key is known, the whole thing gets broken, showing that the security level was only as strong as the weaker key.

Just like in traditional encryption scenarios, your personal key remaining secret is a part of the assumption. That there are now two secret keys doesn't alter the analysis substantially.

Of course it does. At best it doubles the risk of key compromise, but it's really much worse than that.

A master key isn't like a normal key. If you compromise Alice and Bob's key, you can spy on Alice and Bob, but not Alice and Carol and definitely not Carol and Dan.

The existence of a master key is a massive security risk. Alice and Bob's key is worth say $5000. The value of stealing it generally isn't worth the effort. Nobody sends Mossad to spy on every plain old Alice and Bob.

A master key for everything is worth trillions of dollars. Every government and crime family would throw everything they have at stealing it, and many of them would succeed. Spetsnaz units and foreign intelligence operatives would fall out of the sky. Crime bosses would pay multi-million dollar bribes and still turn a huge profit.

And from there it would leak.

It's a completely different level of risk. Orders of magnitude worse. And it implies a prohibition on forward secrecy. So when it leaks, Armageddon.

It's plausible that the government can permanently keep a key to every lock secure against every attacker?

That is such a ridiculous claim that just skipping right to "no, that's impossible" is a completely reasonable thing to do. But we can do the analysis if you really want to.

Look at the other things the government has tried really hard to protect. Nuclear secrets? Nope.

https://en.wikipedia.org/wiki/Atomic_spies

The government has actually lost hydrogen bombs on multiple separate occasions. Not the secrets, the actual live thermonuclear weapons. The things that one of which can turn all of D.C. into radioactive glass.

What about all the sensitive information about the people with security clearances?

https://en.wikipedia.org/wiki/Office_of_Personnel_Management...

Incredibly dangerous biological materials ("arguably the most deadly disease ever to affect mankind")?

https://www.npr.org/2014/07/08/329884145/in-a-lab-store-room...

Classified information in general? The list of violations is too long to even enumerate.

And this is what happens when the thing they're supposed to be protecting doesn't have incomprehensibly large commercial value on the black market.

There is no question that they are not capable of doing this.

You can devise a defense against any attack you can think of, but for a trillion dollar prize someone will find an attack you didn't think of.

And that's the problem. You can say the words "secured arbitrarily well" but in practice you've created a room with the keys to the world in it and your first indication that your security was insufficient is an incalculable catastrophe.

It's like creating a button that gives anyone who presses it three wishes but destroys North America. "Don't worry, we'll put some guards around it" doesn't cut it. Some things need to just not exist.

It doesn't, and that's the point. There are no "separate levels" of security. The attacker only has to break one of the keys, whichever is the weakest one. The "security level" of the whole system is the "security level" of its least secure part.

Security is a process not a state. You cant say that something is "secure", there is more secure and less secure. What the politicians are saying is that your individual security is not as important as their responsibility in security policy.

Security + Politics = Every shade of grey conceivable and then some not yet conceived.

But as a practical matter, I think we will do more to protect privacy and security by engaging with the process and honestly addressing their concerns so we can strike a balance between conflicting societal needs than we'll do with hardline stances based on inaccuracies.

I think pretty rightly a lot of tech people got told off by the political process for misrepresenting what was possible and how technology worked in an effort to not have to obey social structures. I don't think most of us liked that (I sure didn't!), but we're not going to have everything our way (and especially not by lying or throwing tantrums). I mean, if I were a senator, I'd be thinking "So, they can secure a ledger with floating cryptographic difficulty when they want to make money, but a solution for national security is impossible? Yeah, fuck these guys." There just hasn't been the kind of open, honest discussion around the topic that would satisfy their concerns.

And the key to having some of it our way is explaining why that issue is paramount to have our way and honestly engaging in the process to make it happen. Politics is a game of compromise and negotiation -- the government is almost certainly not only willing to concede some of the things on the FBI wishlist if better alternatives are put forward, but actually is interested in doing so.

Everyone knows professional investigators ask for too much, but if no one else is putting forward honest suggestions -- what choice do politicians have?

The extra key could be set up so that it requires X out of Y keys. Each key could be owned by different organizations, like the state govt, FBI, Courts, Nonprofit oversight committees, citizens oversight of police, and such. This could provide a balance of security and privacy, and allow in extreme circumstances a forced break of encryption.

(Ideally, it would require many orgs that are normally in opposition to agree. It would not be "state govt", "FBI", "CIA" like the old Clipper Chip.)

"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized." 4th Amendment, Bill of Rights, US Constitution

That's a balance, of between "Get off my lawn", and "I affirm I saw X illegal thing and I swear it in front of a judge, and the judge agreed."

Now, I don't trust some bureaucratic department to honor the constitution. And from the sounds of it, neither do you. Which is why I was keeping in mind of having an antagonist based key-holding scheme which would require a multitude of people to unlock before the data would be unsealed. To me, that does re-enable the balance set forth in the Constitution, namely the 4th Amendment to the Bill of Rights.

What should be considered part of one's mind is not clear, but what is clear is that whatever the mind is, no one should be able to pry without consent.

Not commenting on what the constitution actually means, just saying what I think it should mean.

At some point we will have devices actually embedded in our bodies collecting every thought. Should those not be considered part of us and thus protected under the 5th amendment?

There's no reason it shouldn't require expense and physical breaking to gain entry, just because it's digital (and I think that this scheme gains legal protection because of such features).

By actually discussing it, instead of hiding behind lies like "there are no security gradients", we can talk about systems where it would require X amount of compute effort to break an encrypted key held in escrow for Y years at Z expense to reveal the key. (I was actually thinking about using a hash chain to timelock the key, since we have a pretty good idea of how hard it is to sequentially hash.)

I don't think most of us are against the government being able to see individual, targeted encrypted drives -- I think we object to the ability to transparently compromise all systems.

I still stand by the point of having a consortium of opposing interests as a combined group (or supermajority) to override an encryption. I think of it as a strong version of checks and balances.

In that case, if members are also hidden, it doesn't matter how many dollars are thrown at the problem. Unless you have peoples' willful intent, the escrow doesn't work.

Then in 15 years, that $1M computation still costs $1000.

In 30 years, it can be done for one dollar.

Is that good or bad? I guess it depends on your threat model and what the data is worth.

My actual thought was to have the secure enclave emit an encrypted copy of the key with a targeted key strength when presented with a request signed by Apple's key. It would require Apple's participation (or compromising Apple) but still require that the person spend a significant amount of money on the process.

By having it encrypt a key, you can make normal messages much stronger, such that you can't decrypt messages without the device in question (because the key can't be attacked directly, only the weakly encrypted version of the key when the secure enclave shares it). Further, because you can change how strong the SE emitted key is with each revision, you can have new phones always have a 10 year expected safety window (and even turn up the difficulty over time). In the case of a total compromise of Apple's storage, the attacker still has to spend significant funds to compromise any given phone -- so we'll only see targeted attacks. (That is, they might say, crack Bill Gates' phone, but are they really going to spend hundreds of thousands a pop to break the keys of random Starbucks workers? I'm honestly not super worried if Bill Gates has to spend a few thousand extra dollars every few years to protect his billions.)

But we're never going to get to discuss those kinds of scoping and cost-benefit tradeoffs if we don't engage in the process of shaping legislation in an open and honest way.

Full disclosure: I've been working on some similar ideas for a while. I'll be presenting a high-level pitch for the general concept at the USENIX Enigma conference in January [1]. Also hoping to have a full paper to share on https://eprint.iacr.org/ sometime later this month.

> But we're never going to get to discuss those kinds of scoping and cost-benefit tradeoffs if we don't engage in the process of shaping legislation in an open and honest way.

Agreed. And I'll actually take it one step farther. I think it might make sense for tech companies to adopt a very conservative version of this approach even without a government mandate.

Then the next time the DOJ rolls around to demand somebody turn over their private key (a la Lavabit), or to demand that somebody create a custom OS for them (Apple), we can say "No, we already gave you a way in, just pay the million dollars. Now bugger off and leave me alone."

[1] https://www.usenix.org/conference/enigma2018/

That's kind of the point of end to end encryption. Note that on osx/ios that same e2e encryption protects credit card and password data.

Saying company X should store their keys is the same as saying "Company X should paint a giant target on their servers that have to be weakly protected to appease requests from agency Y". The solution to unending breaches of user data is to not be able to decrypt it, that only way to achieve that is to never have the keys.

The bit I take issue with here is that breakable encryption is absolutely necessary for law enforcement to do its job. No. It makes it _easier_ for them to do their job, at the expense of everyone else's security. There are usually other ways to get a conviction other than being able to decrypt a criminal's data. And if in some instances there isn't, I'm ok with that. I value freedom and privacy higher.

In cryptography there is one information theoretical secure scheme: The one time pad. But even that relies on circumstances to keep it secure. Without limitations you can not say no one can break it, because obtaining the key material might still be possible.

That leaves us with most other schemes. They are computationally secure. This implies that the security of the system depends on the computational power of the attacker. So a system can only be secure for a class of attackers and to a certain extent.

If you apply a binary clssification of secure insecure as you proposed it someone can get in", most systems today, if not all, are insecure.

I'd say that's a fair assessment.

Police have other ways to fight crime. Eventually we may be forced to deploy the ultimate weapon, namely correcting the social, economic, psychological, and neurological factors that breed it in the first place.

Encryption relies on keys. Either the government has everyone's keys, or they don't.

Any stockpile of encryption keys would give access to millions of people's and businesses' data. It would be a hacking target of inestimable value, targeted by criminal organizations and foreign governments using every technique imaginable.

It would be stolen. Period. And every citizen and business would suffer disastrous consequences.

We can't say this enough in this debate: making everyone's keys accessible to one entity means they absolutely will be stolen. Whether we trust a government entity's motives isn't even relevant. They do not and cannot have perfect security, and that should end the debate.

If anyone doubts that the keys would be stolen, please see:

- https://en.wikipedia.org/wiki/Office_of_Personnel_Management... - https://motherboard.vice.com/en_us/article/qkjkxv/fbi-flash-...

And we really don't have to look any further than the Equinox hack to prove this. If they think that was bad, and it's clear that nearly all of them do, then imagine it was more than just identity data... what if it was all your actual data. If politicians know that all of their email, their internet history and all of their other secrets will get out if this happens, I wonder if they'll change their minds.

The DOJ just needs to find one sympathetic test case, or one sufficiently horrible incident to get the laws changed. Like the Patriot Act in the US, or the new French surveillance law that passed after the Bataclan attacks.

It's the classic asymmetry problem that makes security so hard in general. Only now, the party with all the money and power and time is also the one who only needs to win once.

"Where did they keep all their papers and correspondence?"

"Can somebody come break into this safe we have a warrant for?"

What did the cops do before X was invented?

They didn't worry about X being used to commit or cover up criminal activities while continuing to try to do their job of keeping communities either safe or oppressed, depending on how well they related to them.

I support strong crypto, but I think implying detectives and the DoJ are just too lazy or dumb or whatever to deal with this problem is a little unfair.

Apologies if that wasn't the implication

The attempts at preventing ubiquitous encryption don't seem to be focused on crimes where there would have been a paper trail if people still used paper; they are focusing on reconstructing the last year or so of someone who is either dead or uncooperative, all in hopes of finding something they can use.

If they were targeting organizations with a bureaucracy for some crime, I think they could just demand access to all documents and get them? If I remember correctly, in the Levandowski case Google's lawyers got access to a huge trove of Uber's internal emails. If a private company can get that access, it should be possible for law enforcement as well, no?

I realize your question was rhetorical.

  America’s homicide clearance rate—the percentage of solved
  crimes that lead to arrest—has fallen considerably in the
  past 50 years, from around 90% in 1965 to around 64% in
  2012, according to federal statistics.

IMO, similar to counter-terrorism efforts (most spectacularly, 9/11), technology becomes a crutch. Frankly, I wouldn't be surprised if mass encryption leads to _improved_ clearance rates, as law enforcement becomes less complacent. Take this latest example: the FBI agent declines Apple's help because he's convinced the geeks at the FBI lab can handle it. He presumably doesn't bother actually confirming with the geeks in the lab, nor does he attempt to put Apple in touch with the lab. Just utter complacency, confident that the machine (computers, bureaucracy) will suffice.

This sort of laziness wouldn't have been tolerated in Hoover's FBI. Moreover, Hoover likely would have been more aggressive using the tools available to him--keyloggers, etc--rather than whining.

Regarding Japan, yes, their official rates are questionable. I wish I could find the journal article, but last year I was researching the supposed 100% clearance rate in Singapore and came across a very in-depth article[1] that discussed clearance rates in Singapore, Japan, and elsewhere in Asia and that left me with the impression that w'ever the actual clearance rates, they're nonetheless _much_ better than the U.S.

[1] Spoiler: the 100% clearance rate in Singapore was plausible, in no small part because it's a small city-state with very few homicides to begin with.

You can very easily make it so all consumer devices ship with software that only uses encryption that the government has escrowed keys for. You can require app stores to have the same requirement. The government requires all sorts of things of people who manufacture products. Of course, they can't regulate the 3d printer or CNC mill in your garage, but that doesn't make regulating mass-produced products a futile effort.

Yes, some people will get around it. They will use open-source software that they download and install themselves on devices that allow sideloading apps. But no one in the government expects perfection out of this. They expect that most criminals, most terrorists even, are not so sophisticated, not so careful, that they will avoid being ensnared.

Remember that the situation they are trying to avoid is one where EVERYONE'S texts and phone calls are by-default hopelessly inaccessible to the government, even with a warrant (or in the case of foreign targets, even with the most sophisticated HUMINT and SIGINT).

Amusingly someone (inadvertently) tried: https://en.wikipedia.org/wiki/Indiana_Pi_Bill

What an odd phrase.

We have a criminal justice system in this country that is adversarial and is tilted in favor of the accused. That's because our founders realized the immense power of the state could easily overrun any person it wanted to unless there were strict and tight guards on what they could do.

These lawyers, who presumably should know much more about all of this than I do, continue to make cases that strike me as "There are bad people! Because they are really bad, we need to change the game to give us more power"

But there have always been bad people. There always will be. There is no stopping that fact. It is part of being human.

I wonder if these people realize that even if they continue to get their way, the only thing they'll end up doing is moving the really bad people from the private sector to the government. I get the feeling they slept through a large part of world history.

I continue to hear arguments than sound reasonable. I continue to hear wonderfully-intricate arguments. What I've yet to hear is any of these yahoos recognize exactly what kinds of trade-offs they're pitching. I get the feeling I'm watching very poor workmen, focused on the tiny job in front of them instead of the ramifications of that job. I don't think we need to argue that many of these people are wrong as much as we need to argue that many of these people are incompetent. It doesn't bode well for the future.

-- James Madison

The music industry had to be dragged kicking and screaming away from their physical distribution model.

Governments will have to be dragged similarly until they accept encrypted content is something they have the same right of access to as private thoughts.

- George Bernard Shaw

Thankfully they work for us right?

And if it's crazy, what's the best way to argue against it?

It is possible to design such a system, where the probability of abuse is arbitrarily low [1], but I have a hard time imagining the current DOJ proposing such a thing.

[1] key escrow with access controlled by a multilevel secret sharing system that requires consensus among a diverse international group of shareholders to release the key from escrow. The shareholder group is chosen so that it includes a mix of public and private entities in a variety of jurisdictions, including anonymous shareholders, so that no entity can acquire enough power or influence to force a key to be revealed.

Intelligence agencies will just steal the keys, and then individual actors leak them onto the black market.

Suppose you use a (5,5) threshold system to make 5 shares of a secret, and you distribute those shares to 5 shareholders. Someone who wants to get your secret without your cooperation has to convince all 5 shareholders to cooperate (or steal copies of the shares from all 5 of them).

If that does not provide a sufficient level of protection, you could instead go with a (6,6) or (7,7) or higher threshold system. The higher you go, the less likely it is that a bad actor will be able to get copies of all the shares.

A drawback of that approach is that if just one shareholder loses their share, the secret is not recoverable. That can be addressed by increasing n more than t. Instead of say, a (7,7) threshold system maybe you use a (7,10).

That's the basic idea. You set t high enough that the chances that a bad actor, even a powerful one, could subvert t different shareholders is low enough for you, and you set n above t a bit to allow for some shareholders losing their shares or being unavailable if the time ever comes when the shareholders decide that there is a legitimate reason to recover your secret.

Going beyond the basic idea, you can add a second level. You take your secret, and make, say, 4 shares using a (4,4) system. Let's call these "level 1 shares". Instead of giving the level 1 shares to shareholders, we can take each level 1 share, use a separate threshold system to make shares of the level 1 share, which we call "level 2 shares", and distribute the level 2 shares to shareholders.

What this does is let us make different categories of shareholders, with different weights.

So we might make 4 level 1 shares, using a (4,4) system. Call these s1, s2, s3, and s4. We thing might apply a (3,3) system to s1, and give the resulting shares to whatever agency or department or branch handles warrants in 3 separate foreign national governments.

s2 we apply a (3,6) system to, and given those 6 shares to 6 non-government civil rights organizations.

s3 we apply a (3,6) system to, and give those to 6 individuals that we trust.

s4 we apply a (2,3) system to, and give those to three commercial entities that offer shareholding as a service. We should pick entities in 3 different countries, separate from the countries we gave s1's shares to.

With that scheme, someone trying to get at our secret needs to get 3 foreign governments, 3 civil rights organizations, 3 people we trust, and 2 companies to all agree that giving up our secret is justified.

As with the single level approach you can bump the particular numbers up or down to decrease or increase the chances that someone can illegitimately get your secret.

Let's assume we have this "diverse group of shareholders" all with private keys and published public keys. The process for distributing and revoking those public keys adds a lot of complexity and points of failure.

Up to this point, the idea "works" but still provides a non-neglible increase in implementation complexity and decrease in security.

Once I use all those public keys to to encrypt my private key to place in escrow, it is impossible to verify if I have complied with the law and honestly provided an accurate escrow entry without actually having all those share holders decrypt my private key and verify that it correctly decrypts my content. At this point my content is exposed anyway.

It is NOT possible to create a secure, enforceable and un-abusable key escrow system.

No government would ever agree to give multiple foreign governments/NGOs the veto power over tools that are "important for national security".

More realistically, your "shareholder groups" in any plan the government might actually approve would be existing groups the government is already involved with (e.g. Equifax).