Encryption backdoors are like TSA luggage-locks for the Internet


Oh hush. There’s no possibility government employees would abuse this. It says so right in the law.

5 Likes

This is a non sequitur. What do TSA locks with master keys have to do with people smashing locks open? Isn’t the problem there all about people failing to take advantage of the backdoor, not that the backdoor was there? Further, the point about theft seems questionable - are we implying nothing was stolen before the invention of Travelsentry bags? Or from airports in other countries? Can we actually even connect those thefts to the existence of the backdoor, given that locks can be smashed off, and the majority of thefts identified by CNN were by baggage handlers without (apparently) access to the master key?

Personally I don’t think the technology is there yet to make backdoor-encryption viable. (I don’t think it’s totally unworkable, you just need to make it so that the backdoor’s access is impractical to abuse and really inconvenient, perhaps requiring physical access/disassembly of the machine and some kind of physical device to do the unlocking. From an individual liberty point of view, this would maintain the present situation with respect to security/privacy - an individual can lock stuff in a safe, but a court can order someone to go at the safe with a drill.) But this TSA-lock analogy just fails.

I thought the same thing while reading the first time, and it does seem a little out of place. But after another read, the point of the paragraph it’s in is about unaccountability and buck-passing, which is definitely a related issue.

Required backdoors in encryption would be more like requiring every safe to have its combination registered in a big list (or… requiring every luggage lock to have a master key…). No drill required - if you have access to the list and the safe, you can get in with ease and there’s no evidence afterwards that you did. And since we’re also talking about bits that fly across the internet, there’s never going to be a way to require physical access.

There are already ways to go at encryption with a drill. The problem is that the government is saying that’s too difficult, and they want a nice easy way in at all times.

Well, my point is that it comes down to how these backdoors are implemented. The assumption seems to be that backdoors = like you say, the ability to backdoor access over the internet. Which is certainly silly and a bad idea. But law enforcement - at least, reasonable law enforcement under judicial oversight does not need that. Backdoors that work on physical access would be a reasonable counter to things like phones with encrypt-by-default.

In terms of the drill-analogy, the problem is that it is getting harder. Strong encryption could take many years to brute force, and that is certainly an escalation from the existing situation before the internet where once you get a search warrant, most locks can be legally broken with a box of basic tools and an afternoon.

Of course you can say that law enforcement have other things they can do nowadays (like interception and surveillance), but personally I’d rather ban mass interception and work for a return to the old model of ‘crack a safe once you get a warrant’, than the new method of ‘collect everything in case it becomes useful’.

Also my first thought, but, it also points out that even if you do use encryption the government can still use a hammer to get what it wants with impunity and that it’s “who will think of the children” (or something) hyperbole about encryption is BS. That and the TSA is stupid. Generally, though, this is Cory at his best - compelling and visceral essay on an abstract topic.

1 Like

Bits are bits. It doesn’t matter whether they’re sitting on a device the owner physically has, flying across the internet, or sitting on a company’s server. You can’t put a backdoor in for one of those cases that won’t impact the security of the others, unless you somehow require only a specific case to use a specific type of encryption.

And in either case, they’re not asking for them to be separate. Cameron has been talking about any “means of communication between two people”. So even if this hypothetical physical-access-backdoor-encryption were possible, it’s not what’s being discussed.

Requiring a specific case to use a specific type of encryption is the exact point. If for example your private keys are stored in a location on your hard drive whose protection can be overridden by setting a physical switch, then you have something that requires physical access to break but is still secure when crossing the internet. I’m not saying that’s a solution, I’m saying that this does not seem like a technologically insurmountable issue.

You’ll have no argument from me that Cameron is a doo-doo-head. But I can’t help but think there’s a failure of imagination with respect to whether we can have a reasonable compromise that still preserves secure communications, but also grants law-abiding, due process following, authorities no more and no less access than they have, and are supposed to have.

…then you have something that is insecure against anyone who has physical access to the device, and have removed the whole point of local encryption. And you still don’t satisfy all the officials (not just Cameron) who are calling for the ability to open up and read any communications.

It’s said that a good compromise is disliked by both parties, but that doesn’t mean that anything that both parties dislike is a good compromise.

[edit]

Here’s the problem with this: I can do all kinds of things with information I physically store to make it inaccessible both to law enforcement and to others, and there’s nothing they can (or should be able to) do about it. I can seal it in impractically-thick layers of metal that would take days to get through, or drop it to the bottom of the ocean. I can write it in a language of my own devising that no one else knows. I can encrypt it with a sufficiently large one-time pad. I could even manually use the available encryption algorithms and write down an encrypted version.

What they’re trying to say is that, only in the case of digital information, you aren’t allowed to do that last thing, unless you also provide us a key to it that we can use at any time. That’s not giving them access that they’re supposed to have, that’s severely cutting back the security that we are supposed to have.

2 Likes

I think that the issue isn’t so much making it easier but making it untraceable. Apparently one of the things that will ensure that the TSA will open your bags is putting a seal* on them like zip ties…

* A lock is a device to make opening something difficult, and a seal is designed to provide evidence that it has been opened. Sometimes there is overlap, but they’re not the same function.

No, no, no. With crypto you can’t have it both ways. If you have an input into the algorithm that specifies “oh, this is a local law enforcement person” that can and will be forged by others. There’s also no way to say “oh, this is local access but that is not”. Crypto is flat out a mathematical formula. There is really no way to make things secure all the time but insecure to law enforcement.

Frankly, I don’t want law enforcement to have the keys to my information at all, anyway. They’ve completely blown my trust. From the constant systemic racism to them having the ability to trump up charges against you just because they don’t like your face, or you were a slight bit standoffish against their authority.

This gambit for backdoors is not for “we found this guy committing a crime, now we need enough evidence”, this is also entirely for fishing expeditions to find people who they can lock up. Regular law enforcement almost never needs to break someone’s crypto. Police have been putting people away when those conversations happened away from anyone else and were lost to the nonexistent ether. They have plenty of other tools, this is nothing but a power gambit over the populace.

…then you have something that is insecure against anyone who has physical access to the device, and have removed the whole point of local encryption. And you still don’t satisfy all the officials (not just Cameron) who are calling for the ability to open up and read any communications.

I already said that I gave this purely as an example, and the particular thing I am giving this as an example of is the fact that something can be made to have different levels of security depending on the level of physical access to a device. In this scheme, we have something with zero physical security, yet perfect online security. It is far from the only example I could have given, I’m just saying the idea that ‘encryption is just encryption’ is wrong. It really should be obvious: how many of us have strongly encrypted stuff, and then wrote down our password on a piece of paper?

I’m not saying this is exactly how you’d do things. But I would argue that in terms of protecting our data from criminals, online security is generally much more important than physical security. A security system that is crackable over the internet in a week is hugely broken. A 4 digit PIN on a device that could be cracked in a week, with physical possession of the device? Most of us accept that degree of insecurity. And that degree of security would be sufficient to also discourage fishing operations.

Yes you can, but it’s awkward, inconvenient, and no one does it for you by default. The fact that you’ve gone to extreme lengths to secure the document could be used against you.

This is different in the digital sphere. Firstly, with the rise of encryption by default, it gets much easier and more common to encrypt everything, and the decision to encrypt itself confers no useful information. Secondly, the fifth amendment provides a legal protection to refusal to decrypt that it does not grant to refusal to grant a key to a safe, because of the rules on testimony against oneself.

Finally, I don’t propose that a move to introduce backdoors means that non-backdoored devices become illegal. I mean instead that standards be introduced whereupon physical backdoor systems become commonplace and simple to implement, and that legal guidelines be set that enable juries to consider the use of circumvention of backdoors in deliberations. This would establish a direct parity with the existing legal practice for non-digital documents.

Crypto is a mathematical formula, but implementation of crypto is not. My RSA private key is 16 kb of random ASCII, but if you could get to my computer keyboard you only need to type in a 4-12 letter password. Or, heck, my hard drive is unencrypted anyway, so if you take it out and scan it you’ll have everything. It doesn’t mean I have zero security. I am also pretty well protected from fishing operations because visiting every PC and stripping their hard drives is a pain in the arse!

Feel free to hate law enforcement (I disagree). But the idea that backdoors are a black and white thing that can only be implemented one way is rather naive.

The implementation is the cornerstone here. But we, who trust the law enforcement as much as their past performance allows, are aware of that. That’s why I expect key storage devices to appear that will destroy the uncrackable long key if the PIN is entered wrongly too many times, and to be tamper-resistant.

The data are mine. I am the highest authority that decides who will get the access; not a cop, not a judge, not a president, just me. This should be my little domain, my little kingdom, where no one else has the right to intrude even if they’d have more paperwork than they weigh, even if the papers would carry the Big Round Stamp.

Encryption is not a safe. Encryption is more like writing something in only a language you know. Comparing it to a safe with a key is a really bad analogy, especially when you’re talking about things which impact the protection they provide.

And (ignoring that this specific article is talking about UK policy, where the fifth amendment doesn’t apply), if the fifth amendment provides a legal protection, then why would it be a good thing to bypass that protection for every American regardless of whether they’re suspected of a crime?

Nobody wants any backdoors, except for the people who want to view our documents without our permission! Whether those people are law enforcement or criminals is completely immaterial.

So you want “you wouldn’t complain if you had nothing to hide” to be enshrined into our legal system as direct evidence of guilt? This is really going off the rails now.

1 Like

Not at all. When it comes to security back doors are a security flaw. Period. They are like a screen door on a submarine. And your analogy to vulnerabilities to physical access is bunk because with back doors, you don’t need physical access.

[quote=“Nonentity, post:15, topic:56609”]
Encryption is not a safe. Encryption is more like writing something in only a language you know. Comparing it to a safe with a key is a really bad analogy, especially when you’re talking about things which impact the protection they provide.

And (ignoring that this specific article is talking about UK policy, where the fifth amendment doesn’t apply), if the fifth amendment provides a legal protection, then why would it be a good thing to bypass that protection for every American regardless of whether they’re suspected of a crime?[/quote]
I never said regardless of whether they’re suspected, I’m saying there needs to be a way for warranted searches to break encryption in practical periods of time.

Why is encryption not like a safe? The reason for a fifth amendment protection to password protected files is that by unlocking the files, the suspect admits ownership of them. The point of a physical backdoor is to obtain access to the files without making the suspect make that admission.

Nobody at all? While some people believe otherwise, the vast majority of people approve of some limited concessions to privacy to allow criminal investigations. I concede your right to violate my privacy at times, in return for a right for my representatives to violate yours.

I want a consistent set of rules for acts that constitute apparent concealment or destruction of evidence, yes. “I have an encrypted file and I refuse to share” should be treated absolutely equivalently to “when we raided the offices, we found the suspect stuffing documents into a shredder”. There is no material difference between them.

Hardware backdoors are a thing that exists. You can make a backdoor that requires physical access. That’s the sort of back door I am talking about. If you don’t think that should be called a ‘back door’, then what should I call it? Because this is a useless semantic argument.

I didn’t say those access points don’t exist, rather that your analogy to physical access misstates the scope of the kinds of back doors government wants, which include remote access, not merely the ability to decrypt hard drives in person with physical access.

Insofar as dumb idiots like Cameron want silly types of backdoors, I think that’s a mistake. But I am not Cameron, and I’m not saying Cameron is not an idiot, or defending a single word that man says. I’m saying that ‘back doors’ includes types of back doors that are more secure and practical, and that might confer some of the possibilities criminal investigations can take advantage of, while not opening things up to criminals and mass-surveillance.