The American Senate Wants Secure Encryption With Government Backdoors
US District Attorneys and Senators are convinced that Google and Apple are simply being difficult when they claim that it's a binary choice between actually secure encryption and government backdoors. You can, somehow, have your cake and eat it too. Don't worry if you see no practical way of doing this: a US senator just promised that he will figure out how to make seemingly impossible mathematics possible.
IU, famous for her Red Shoes, is confused by both the US Senate's position and law enforcement's position on encryption.
The US Senate held a long hearing titled "Encryption and Lawful Access: Evaluating Benefits and Risks to Public Safety and Privacy" on December 10th, 2019 (the actual hearing starts 19 minutes and 20 seconds into the video in that link). Senator Dianne Feinstein gave this statement explaining the purpose of this hearing:
"Today’s hearing provides an opportunity to examine how technology companies and law enforcement can work together to obtain encrypted information that is vital to investigating and prosecuting serious crimes while protecting people’s privacy"
The statement goes on to say that
"It would be helpful if our witnesses today could identify ways technology could comply with the legal process without creating unacceptable security vulnerabilities.
Everyone agrees that having the ability to safeguard our personal data is important.
At the same time, we’ve seen criminals increasingly use technology, including encryption, in an effort to evade prosecution.
We cannot let that happen."
One small problem with that position is that security really is binary. You either have it or you don't. Encryption is either compromised or secure. Encryption is based on mathematics. 2+2=4. The answer to two plus two is either four or you've somehow ended up with the wrong answer. It is therefore not strange that the almost two-hour-long hearing was filled with very conflicting and confusing testimony from the technology industry, "academics" and law enforcement "experts".
Committee Chairman Senator Lindsey Graham and other senators put a lot of weight on the importance of citizens' right to privacy, as long as that right does not extend to privacy from the government, which, according to the US senators, should have full access to its subjects' computers, phones and other electronics.
"I think all of us want devices that protect our privacy. Having said that, no American should want a device that becomes a safe haven for criminality."
Apple And Google Are Liars
New York County District Attorney Cyrus R. Vance, Jr. submitted a written testimony to the committee titled "Smartphone Encryption and Public Safety". Two quotes from this statement are interesting.
"Until the fall of 2014, Apple and Google routinely provided law enforcement access to their mobile phones when they received a court-ordered search warrant. That changed when they rolled out their first mobile operating systems that, by design, often make the contents of smartphones completely inaccessible. In doing so, Apple and Google effectively upended centuries of American jurisprudence holding that nobody’s property is beyond the reach of a court-ordered search warrant"
The statement goes on about how he and his office tried to sound the alarm and warn about the evil dangers of smartphone encryption for years and years. Then it gets to the really good part:
"Apple and Google, meanwhile, have framed this issue as an either/or proposition. Either we can have user privacy or lawful access, but we can’t have both, they say. And they’ve been successful in propagating this message, even though it’s not true.
My Office is not anti-encryption. Far from it. We routinely use encryption in the course of our daily work, whether in guarding our city’s critical infrastructure against cybersecurity threats or soliciting tips on crimes against immigrant New Yorkers, and we recognize its value in our society and across the world. That does not mean encrypted material should be beyond the law when a judge signs a search warrant - especially when we’re talking about evidence tied to a child sex abuse case or a potential terrorist attack.
Apple and Google have maintained their absolutist position that no form of lawful access can be reconciled with privacy concerns. Yet they have not demonstrated to law enforcement leaders what, if any, damaging effects to user privacy their pre-2014 cooperation with law enforcement caused. Further, they have decided for their own private business interests that the Fourth Amendment grants a right, not just to privacy, but to anonymity. This is wrong, and it upends the careful balance our Constitution strikes between privacy and public safety interests."
Cyrus R. Vance, Jr. is essentially arguing that the fact that law enforcement could get data from devices running operating systems from Google and Apple when those devices didn't have encryption means that they could allow law enforcement access now that the devices do have encryption.
Page 8 of the very long statement, which is filled with graphs and charts showing how many bad people use encrypted devices, makes it "clear" what Cyrus R. Vance, Jr. and other law enforcement representatives are asking for:
"To be clear, I, as well as prosecutors across America, are not asking Apple or Google for something extraordinary. We are not asking for a “backdoor” mechanism that would allow our offices to surreptitiously snoop on private citizens. Nor do we want “surveillance” of smartphone communications. Instead, we are asking these companies to comply with warrants issued by impartial judges upon findings of probable cause: something I explained in letters to Apple CEO Tim Cook and Google CEO Larry Page in 2014."
Nothing in the 37-page PDF statement explains how the tech companies would be able to provide secure encryption without any backdoors and be able to grant law enforcement access whenever they ask. The simple truth is, of course, that they can't: They can either provide secure encryption OR provide something insecure with backdoors. Perhaps "We are not asking for a “backdoor” mechanism that would allow our offices to surreptitiously snoop" means that he would like Google and Apple to have a "backdoor mechanism" they can use to provide law enforcement with access. Either way, it seems like he believes that you can have your cake and eat it too.
On a slightly related note: The statement does have a section titled "IV. WHY THE CLOUD IS NOT A SUBSTITUTE FOR LAWFUL ACCESS" with arguments for device access which are worth remembering:
"Proponents of smartphone encryption say we are living in a “golden age of surveillance,” and we should therefore obtain evidence from alternative sources, such as data saved on “the cloud.”
My Office does, in fact, regularly obtain evidence from cloud providers pursuant to search warrants, in the form of emails, photographs or videos, and other data that has been backed up from a device.
However, the cloud is an imperfect and incomplete solution to the encryption problem, since the most critical evidence is often only available on a device itself."
The Technology Giants' Position
Mr. Jay Sullivan, Director of Product Management for Messenger at Facebook, had this to say in the hearing (00:41):
"At Facebook we believe that people should be able to communicate securely and privately with friends and loved ones without anyone, including Facebook, listening to or monitoring their conversations. People should be able to send sensitive medical and financial information without the risk of it falling into the hands of identity thieves or others with malicious intent. Journalists, dissidents and civil society should be able to communicate without fear of surveillance or retaliation from repressive regimes.
End to end encryption is the technology that secure messaging systems use to achieve these goals and is already established technology used all over the world. Encrypted messaging apps like WhatsApp, iMessenger, Signal, Telegram and others are used by billions of people around the world every day.
We think it is critical that American companies lead in the areas of secure encrypted messaging. If the United States rolled back its support for privacy and encryption, foreign application providers will fill the vacuum.
These firms will largely be out of the reach of US law enforcement and will not be as committed to, or capable of, preventing, detecting and responding to bad actors."
Jay Sullivan goes on to explain that Facebook regularly hands over a lot of unencrypted information about its users to law enforcement. He also explains that Facebook is constantly looking for patterns which could indicate that someone is a "bad actor" - in which case they, on their own initiative, hand law enforcement piles of user data.
Facebook's fear that competitors in other countries would step in if Facebook were to remove end-to-end encryption from its own services is justified; it is likely why they bothered to add it in the first place.
"It ain't complicated"
At 00:49:30 into the hearing video, Committee Chairman Senator Lindsey Graham gave the following enlightened and very thought-through statement which shows his total understanding of the issue at hand:
"It ain't complicated for me. You're gonna find a way to do this or we're gonna do it for ya. We're not going to live in a world where a bunch of child-abusers can have a safe haven to practice their craft. Period. End of discussion. You're either the solution or you're the problem. Having said that, I appreciate all you're doing to protect our data, our privacy, I don't want people listening to my phone calls or reading my messages. I get all of that. But being an American I also don't want a situation where criminals can exploit this situation to hide behind it and do all kinds of dashily things to kids and maybe the country itself.
So I've been following this for a year. My advice to you is to get on with it.
Cause this time next year, if we haven't found a way that you can live with, we will impose our will on you."
Mr. Graham does not elaborate on exactly how he would like to "impose his will on you". The practical options are fairly limited. The US Congress could pass a bill which forbids encryption. They could also pass a bill which requires US-made software with encryption features to submit a copy of the private encryption keys to either the government or the creators of that software. Both those options would make US-made GNU/Linux distributions like Red Hat's Fedora and RHEL products uncompetitive. European-based distributions like SUSE and mostly-European community distributions like Manjaro Linux would suddenly get a clear competitive advantage.
The bottom line is that it would be nice if Senator Graham would keep his word when he ranted "You're gonna find a way to do this or we're gonna do it for ya" and actually provide a way to make encryption safe and secure and still allow law enforcement access when a judge has issued a warrant. That is just not how it works. He could just as foolishly demand that someone makes 2+2=5 and threaten "You're gonna find a way to do this or we're gonna do it for ya". That leaves encryption-prohibiting or encryption-crippling legislation as the viable practical options. Keep an eye out for those; it would be sad if something like that were to become law in America. The European Union would likely follow suit in short order and you can't expect Russia or China to step in and provide beacons of freedom in those areas.