Hacker News new | ask | show | jobs
by Alupis 3774 days ago
Then what is at stake here?

We have essentially a decade of evidence to show having access to electronic communications (both encrypted and not) has little to zero effect on law enforcement's ability to do their job.

Just recently, the Paris attackers use unencrypted cell phone text messages to coordinate and plan their attack. Nobody detected it...

Before that, the FBI successfully caught Ross Ulbricht, through good 'ol police work (because they couldn't beat his encryption and proxy usage).

We don't need access to private communications (both encrypted and not) in order to conduct lawful law enforcement -- we just need better law enforcement practices.

All this anti-encryption rederick put forth by the government is really just smoke and mirrors, covering up systematic failures of law enforcement.
2 comments
tptacek 3773 days ago
This seems far-fetched. Encryption has historically had zero effect on law enforcement, but collection of electronic evidence has made thousands of felony cases. Meanwhile, the issue isn't simply what criminals encrypt today, but the fact that everything they do will be encrypted in 15 years.
link
Alupis 3773 days ago
> the issue isn't simply what criminals encrypt today, but the fact that everything they do will be encrypted in 15 years

Everything everyone does will be encrypted in 15 years -- and that's a good thing. It makes it harder for the bad guys to be, well, bad.

Identity theft happens to far more Americans every year than the number that have been involved in a terrorist attack since the founding of our nation.[1] Backdooring/weakening/banning encryption will literally make stealing people's identities far easier. We want to make the government's job marginally easier to spy on everyone at any time, but we're ignoring the major side-effects of doing just that.

[1] http://www.techjuice.pk/a-data-scientist-explains-odds-of-dy...

link
tptacek 3773 days ago
I'm confused as to why you keep bringing terrorism up. I haven't brought it up once. I am not especially concerned with terrorism, and I'm not especially concerned about identity theft --- at least, not to the point where I think we need to address it with regulation on consumer devices.
link
dragonwriter 3773 days ago
> Meanwhile, the issue isn't simply what criminals encrypt today, but the fact that everything they do will be encrypted in 15 years.

No, everything they do will not be encrypted in 15 years. Most relevantly, except when the crime at issue itself is an act of communication, the crime won't be encrypted, or even subject to encryption, so all the usual police work that enables solving crime based on the actual criminal act and the evidence naturally attaching thereto will remain available.

link
tptacek 3773 days ago
I'm not sure what this has to do with my argument, which is that electronic evidence definitely plays a nonzero role in law enforcement today.
link
Alupis 3773 days ago
The argument being laid out is that electronic surveillance, in whole, has played a very minimal (close to zero) role in law enforcement. None of the NSA programs can be attributed for stopping some plot on their own[1] - the few they did lay claim to already had mountains of other kinds of evidence collected through regular law enforcement means.

Coming back to the encryption debate - if we cannot stop plots and crimes from taking place that were orchestrated over clear-text communications[2][3][4] - then there is practically zero hope of success by forcing everyone to not encrypt communications.

To say that better - if we can't stop crimes that are communicated in clear-text, then having the ability to decrypt messages does not change our probability of success.

Yes, encrypting all the things will provide some level of convenience for the "bad guys", but it also provides immense levels of security for the "good guys", as well as us regular people. Going back 15 years - we did not have capabilities to intercept and decrypt mass communications - yet we still caught the "bad guys". September 11th happened, and now we're all still whipped into a frenzy thinking somehow if we could just backdoor encryption, we would have prevented that attack (which is absurdly false).

The big point I'm making - backdooring/weakening/banning of encryption makes nobody more safe. Maybe we catch one or two plotters before they do something - but we also expose all citizens to online attacks on their identity, finances, privacy, and more.

[1] http://www.nbcnews.com/news/other/nsa-program-stopped-no-ter...

[2] https://theintercept.com/2015/11/18/signs-point-to-unencrypt...

[3] https://www.privateinternetaccess.com/blog/2015/11/after-par...

[4] http://arstechnica.com/tech-policy/2015/11/paris-police-find...

link
tptacek 3773 days ago
Please stop doing this. My argument isn't that bulk electronic surveillance has been valuable for law enforcement. I don't think it is. I don't think most law enforcement agencies do either, because relative to the enormous amount of foreign SIGINT work the US does, it does virtually no evidence collection for domestic cases through dragnet surveillance.

My issue is that universal default unbreakable encryption doesn't just break dragnet surveillance, but also breaks discovery and evidence recovery done under a warrant in routine investigations. It is in fact hard to break dragnet surveillance without harming routine law enforcement, and I think people should be clearer about that tradeoff.

It also isn't my contention that harming routine investigations means that crypto should be backdoored. Despite what you said upthread, I'm going to hazard that I've done more work to help foil attempts to break crypto than you have. My bona fides here are established, no matter how you choose to misread my comments. It really bothers me when people erroneously suggest that I support crypto backdoors. It doesn't help that the first thing I wrote on this very thread said exactly that.

link
dragonwriter 3773 days ago
> My issue is that universal default unbreakable encryption doesn't just break dragnet surveillance, but also breaks discovery and evidence recovery done under a warrant in routine investigations.

I don't think it affects discovery at all: discovery relies on turning over responsive materials, not breaking encryption.

Anytime evidence doesn't exist or is difficult to interpret because it hasn't been deliberately created in a form which is readily interpreted by uninvolved third parties, it can impair the utility of search and seizure warrants to collect evidence. But this is unavoidable, and compelling affairs to be conducted in a manner which provides the most convenience for law enforcement after-the-fact is simply untenable in pretty much every area of life (encryption is not special this way.)

In the case of data/communications, if an untrusted third party can access your data/communications without your consent, many untrusted third parties can. A ban on secure end-to-end encryption (whether it take the form of mandatory MitM/backdoors, restrictions on parties that can be endpoints in secure end-to-end links, or whatever other form) means exposing everyones data to many potential attackers, just so that law enforcement might have convenient access later.

The development of pervasive electronic communication and data storage/consumption technology means one of two things, either:

(1) people are far more exposed to both criminal exploitation and government abuse of power, but routine, rights-respecting law enforcement is not burdened and, in fact, somewhat eased, or

(2) people are able to do far more without additional vulnerability, and perhaps with a net less vulnerability, to various forms of criminal exploitation and government abuse, but routine, rights-respecting law enforcement is made more difficult.

And the former option requires curtailing substantially the freedom of speech in electronic media (or perhaps all media) in ways it never was curtailed in other media.

link
Alupis 3773 days ago
I risk getting a little too "meta" here, but I feel it will be constructive for us all, and I hope it's ok this one time.

> Please stop doing this

Most of your responses to myself and others begin with a line similar to this. It's meta in itself, but also puts people a little off. We're debating things here, and we seem to disagree on some points... but that's OK since that's really what we're here for. You can't ask people to stop disagreeing with you, but if you feel strongly, you may choose not to respond.

> It really bothers me when people erroneously suggest that I support crypto backdoors.

You have stated this several times, and I do believe you. The problem here is that we're not (and the government's not) just discussing backdoors, but other means such as purposefully weakening encryption, outright bans, or other methods of subverting strong encryption. Stating you don't support backdoors is only one small component of what's at stake here. It's almost a level of misdirection or a half-statement to throw this in whenever someone attacks your argument. In addition - you have made good arguments which seem to illustrate the problems with having universal default unbreakable encryption. This leads one to believe you are in opposition of such.

> My issue is that universal default unbreakable encryption doesn't just break dragnet surveillance, but also breaks discovery and evidence recovery done under a warrant in routine investigations.

This is an example of one argument that seems to favor subverting strong encryption by some means. If you do not support universal default unbreakable encryption, then you must be against it on some level. If you're against it on some level, then the logical conclusion is you support one or many of the government suggested solutions, such as banning/backdooring/weakening. As mentioned, you do not support backdooring, but that leaves two other options that are being actively pursued by the government.

> I'm going to hazard that I've done more work to help foil attempts to break crypto than you have. My bona fides here are established

This is largely irrelevant information. I am aware of your background - however one's professional view is not always the same as one's personal view. Being a security professional and thoughts on encryption are not mutually exclusive.

> no matter how you choose to misread my comments

I think this issue isn't really a misread, but rather the half statements about backdooring. I probably didn't articulate that difference properly, but I submit you failed to do the same.

In any event, it seems we mostly agree on this subject really, although we both argue it differently.

link
dragonwriter 3773 days ago
> We have essentially a decade of evidence

For extremely large values of "decade".

link