by tptacek 3836 days ago
You mean like how Google got ECC forward-secure TLS deployed across the whole Internet?

I have nothing but respect for Apple's stance with regard to cryptography, but Google has been more instrumental in getting strong crypto deployed on the Internet, and, just as importantly, in sweeping the minefield of crappy 90s crypto that defined most Internet crypto until recently.

8 comments

Google's also had a positive impact on TLS usage in email: https://www.google.com/transparencyreport/saferemail/

TLS for email is still in pretty bad shape but it's getting better. (Funny, I just noticed that Google's page says "Safe Browsing" while only "Safer Email".) I know you're not a fan of DNSSEC, but something like Secure SMTP via DANE is probably needed for meaningful improvement: https://tools.ietf.org/html/draft-ietf-dane-smtp-01 (though it won't help with the chicken-and-egg problem of domain ownership validation by email)

Agreed, but the article is focused on why these companies that have done significant things to protect users with encryption technologies haven’t been a lot more vocal like Tim Cook has. This issue is so important to them and to everyone that they could spare a little time to speak their minds. Otherwise it just looks like that "kooky Apple" going against the grain. Who cares, they are going out of business soon, right?

Why are we supposed to play dumb about the subtext behind Cook's comment?

I'm sure Cook believes what he's saying, but the real marketing strategy here isn't "crypto versus plaintext"; it's "consumer product company" versus "online service provider".

Seen through this lens, there's an argument that what Cook is doing is counterproductive. He's making an argument that Google can't sign on to, and using crypto as a wedge to drive the argument home. "Be a consumer product company, because then you can protect users with crypto".

Also: the kind of encryption that Apple is really making a stand for? They do a better job of it than Android, but Android provides the same encryption: what scares the USG about Apple is that iPhones are locked by default, and when they're locked, they can't be imaged easily. That's true of Google's phones as well.

Meanwhile, Google is doing a much better job of securing browser crypto than Apple is; Apple is almost an obstacle to better browser crypto.

I disagree that what Cook is doing is counterproductive. I think Google could take a stronger line to secure user data if they wanted to. They don't have to become a consumer product company to run a messaging system which they cannot read. If Google can't sign on to that, maybe they should change something so that they can.

iMessage is better than Google's chat offerings in this regard, but not that much better.

If you want secure messaging, you need to be using OTR or Signal. Apple isn't really helping you here.

I'd just like to add: NOT Telegram.

Because some people need it explicitly stated.

I don't claim that Apple is as good as OTR or Signal, only that Google could do more, Google should do more, and Google should be out there helping Tim Cook make a case that back doors are a terrible idea.

edit: Microsoft, Apple, Google, they all need to step up their game and make their case in public. Apple's not perfect but they're slightly ahead of the other two major OS vendors here.

But everyone can do more, including Apple. Meanwhile, I think if you build a scoreboard for this, it's not at all clear that Apple is ahead of Google.

I think the claim is just that it makes perfect sense for Google to not want to take that stronger line, and perfect sense for Apple to want to do so because of the differences in their businesses.

Google can't show relevant ads for content they cannot read. Nor can they index it.

> He's making an argument that Google can't sign on to

That's only true if Google is unwilling to trade ad revenue for subscription revenue. Google Apps for Work is a product area where Google is making that trade-off, and is presumably not cannibalizing their ad business. There is no reason Google can't offer a consumer-friendly subscription service that would be unbreakably private at similar pricing.

Google can't sign onto a no back door policy?

> You mean like how Google got ECC forward-secure TLS deployed across the whole Internet?

Did you finish reading the article?

> Facebook’s WhatsApp has brought end-to-end encryption to more people – over 800 million – than any other service; and Google’s engineering team has been a leader in securing much of the web in the post-Snowden era.

And then they go on saying:

> But this is much more than an engineering fight – it’s a political one where public opinion is crucial.

Do you think the average voter knows what ECC forward-secure TLS is? Heck, I'd like to think I kind of know a little about the subject but I know _nothing_ compared to you and a bunch of other HNers.

But unfortunately, we live in a society where people who can vote are really scared of terrorism and lack an understanding of how technology works. If a politician tells them we need to decrypt "all the things" for their safety they'll happily vote for them[0].

We need the celebrities of the tech world to reach out and explain why we need crypto in a way they can understand.

[0]: No link really, just watch any of Donald Trump's rallies and tell me if you think those people care about encryption.

The article is really about CEOs publicly arguing that security back doors are a bad idea. It's unfortunate that mainstream press seems to be conflating "encryption" and "security back doors", but here we are.

As to the argument in the article, are there other examples of non-Tim Cook CEOs of big tech companies saying anything like this?

"But the reality is if you put a back door in, that back door's for everybody, for good guys and bad guys"

The closest I've found was a letter from many companies [1] which says "introducing intentional vulnerabilities into secure products for the government’s use will make those products less secure against other attackers." Google, Apple, Microsoft, Facebook and many others were signatories to that letter. So it certainly sounds like the companies might feel that way.

[1] https://static.newamerica.org/attachments/3138--113/Encrypti...

Eric Schmidt needs to be explaining this & why it's important to his politician friends and sphere of influence. Perhaps he already is, but it would be meaningful politically if he (and others) said something publicly. Cook is kind of the lone ranger on the matter as far as public discourse is concerned, post Paris & San Bernardino.

Exactly. It's incredibly valuable to have the CEO of the biggest tech company in the world (the beloved Apple no less) making the counterargument in a debate that has quickly regressed to the early 90s Crypto war levels.

This has nothing to do with being vocal about security. Yeah, they're helping the technical cause, but if you don't want backdoors in everything, the CEOs need to talk to the public so they're aware, and sending letters and phone calls.

I'm sure what Google did helps curtail mass surveillance, but they still hold all the data unencrypted, no?

> but they still hold all the data unencrypted, no?

I think no

Even if the user-data is encrypted, they have the keys to decrypt it.

And? Like all the usual suspects like Microsoft and Apple.

I was not implying that anyone was doing it right (end-to-end encryption)

You just described what Google has done in slightly more technical detail than the article. I don't know why. It is definitely not what was meant. Supporting encrypted communications is a prerequisite to publicly advocating for it, but it is not publicly advocating for it.