Why WaPo's call for a "golden secure key" is stupid


If they have a valid court order, let them deliver it to the person they are targeting. If that person doesn’t comply with the court order, he or she can then be dealt with according to long-established law. None of this “trust us, we won’t abuse our secret powers issued by secret courts” bullshit. If it can be abused, it will. And it has. Repeatedly.



I guess the Washington Post hasn’t heard of google because 30 seconds of using it would have returned tens of thousands of hits explaining why master keys are a shit idea.

One of the hits could even be their very own newspaper:



It’s this disease nontechnical people have that makes them think computers can (1) tell the difference between one person using it and someone else pretending to be that person, (2) tell the difference between one set of ones and zeroes and another set of ones and zeroes beyond superficial format information, and (3) understand which ones and zeroes comply with local law and which forms of access to them comply with local law.

Or, as xkcd recently put it, “In CS, it can be hard to explain the difference between the easy and the virtually impossible.”


I’d classify it more as a bad case of magical thinking; their phrasing of “technical wizardry” is telling. They want a wizard’s charms, the kind of thing that fantasy novels abound with, the blade that only the true king can remove from the rock, the ring that only the true of heart can wear, etc.


The answer is simple: just keep a unicorn on staff, and he’ll certify who’s a virgin, and who isn’t.


Anyone who’s watched Scooby Doo could tell you this is a dumb idea. Hiding the secret entrance to your private stuff is not going to keep out those meddling kids.


Oh no, it’s the Clipper Chip debacle all over again.

https://en.wikipedia.org/wiki/Clipper_chip for those too young to remember.


The chip turned out to have a hole that allowed you to send a different key to escrow than what was really used. So the govt would get a bad key and didn’t know about it until they’d try to actually use it. And even without, nothing would prevent you from encapsulating a second encryption layer in the “government-approved” “legal” one.

I don’t know, unicorns lead to some really odd security vulnerabilities. And recovering from a breach can be a LOT harder than just emailing the affected customers.

1 Like

Golden key? Do you suppose an engineer came up with that phrase? Or maybe it was a lobbyist?

1 Like

Must have been. All of the fantasy lit insist on silver keys. Gold’s too soft to hold teeth properly, afterall, and how are you supposed to open all of those chests in Fable with a gold key?


Pure gold, yes. But you can alloy it, article with table of mechanical properties for some of the alloys here. Most of metals, at least with face centered cubic crystal structure, are rather soft when pure (which includes silver), so they have to be work-hardened, alloyed, or both.

Fantasy writers are rarely metallurgists.

Edit: Especially well it is shown on casting silver bullets with lead-bullet equipment, not taking in account the significantly higher surface tension of molten silver in comparison with lead and its alloys. A much longer entry channel is needed in the mould to counteract the surface tension with the liquid’s hydrostatic pressure, or spin casting or similar trick has to be used (dentists do that often when casting crowns - pour the metal into the mould attached to a string, then spin it for a while until the metal solidifies).

“With the Washington Post’s proposal, it will all be leaked, a kind of secure golden shower.”

All this talk of gold and silver, that line is the real treasure.


It sounds like an exciting opportunity for regulatory capture. Let me charge 10 cents a key stored on behalf of the US Government. :wink:

1 Like

Agree 100% with user Ratel. If we really want privacy, we need to force investigators to justify their need to see your data with a search warrant. If you are not the one-and-only person who has a key to your data, the government will eventually construct a law that allows them to access one or more of those keys without your consent and without a court order. A search warrant makes it clear that you are under suspicion and defines the thing(s) being searched for - in other words, the government is not able to take private actions against you hidden from the eyes of the public. Once they have that ability, they can turn you into a “non-person” fairly quickly, but so long as their actions must be recorded and public, you have a chance to grab a lifeline and begin to protect yourself. Hidden=eventually abused.


Well, I think it amounts to the same thing: people think computers are magic.

1 Like

That would explain the hacker witch hunts.

1 Like

Not a new idea at all. Back in the Internet Dark Ages (thats the Clinton Era for you kids playing on my lawn) I worked for some folks involved in an idea called Trusted Key Escrow. See also Schneirer from back then. Disclosure, one of the co-authors cited there worked for my employer at the time.

1 Like

This topic was automatically closed after 5 days. New replies are no longer allowed.