[WalterSear]

The author is working from the assumption that it's easier to make governments and authorities infallible and incorruptable than it is to deal with a world with encrypted communication.

Coming from a reporter (someone supposedly professionally versed current affairs), this is contemptibly stupid position to take.

[aaronmhatch]

I agree: that is a contemptible position to take - and it's not mine.

It's impossible to make authority infallible and incorruptible. However, the United States has proven that it is possible to create a society of checks and balances with a sufficient justice system that works in favor of the citizen. Home search and seizure seems to generally go well. Why aren't there groups speaking up about it?

Just so I'm clear, do you disagree with Amnesty International's suggestions for restricted encryption?

[WalterSear]

>However, the United States has proven that it is possible to create a society of checks and balances with a sufficient justice system that works in favor of the citizen. Home search and seizure seems to generally go well. Why aren't there groups speaking up about it?

Wow!? What makes you think any of that? Or did you miss a negative there? :)

Yes, I am against the assumption that backdoors are a good idea, whoever puts it forward, and whatever you try to call them.

[aaronmhatch]

> Wow!? What makes you think any of that?

My experience living in the United States and researching other countries has given me that perspective.

> Yes, I am against the assumption that backdoors are a good idea, whoever puts it forward, and whatever you try to call them.

So, you do disagree with Amnesty International's recommendations for restricted encryption. That's fine, but I hope you also disagree with the government being allowed to enter our homes with a warrant.

[osivertsson]

Aaron, I have only read the executive summary of the briefing from Amnesty International you reference, but I fail to see that they make any suggestion for restricted encryption.

Can you please clearly cite what in that briefing makes you conclude this?

[aaronmhatch]

Here's the direct link to the briefing: https://www.indybay.org/uploads/2016/03/31/encryption_a_matt...

Restrictions are discussed in section 4, page 25.

Their recommendations are in part 5, page 31:

"any restrictions on encryption must be contained in laws that are precise and transparent, must be used only when necessary to achieve a legitimate aim and must not discriminate against specific individuals or groups. Critically, any measure interfering with encryption must be proportionate to achieving the legitimate aim for which it is imposed, and the benefits gained through the adoption of such measure must not be outweighed by the harm caused, including to individuals and network infrastructure and security."

[osivertsson]

...and I still fail to see where in this Amnesty International recommends restricting encryption.

The use of 'any' does not imply recommendation. I guess you could interpret the 'only when necessary' part as maybe opening the door to restrictions on encryption, but I feel Amnesty International's wording here intentionally wants us to really consider the drawbacks.

[aaronmhatch]

I agree that Amnesty International is being extremely cautious in making recommendations, but if they felt that no compromises could / should be made, I don't see why they would bother with the quoted paragraph.

"any restrictions on encryption must be contained in laws that are precise and transparent"

^ This suggests that they think restrictions are possible, whereas many pro-encryption people think that restrictions are mathematically impossible and are stupid to even suggest.

"must be used only when necessary to achieve a legitimate aim"

^ Again, while there is no specific recommendation, they are implicitly suggesting that restrictions are acceptable under certain conditions.

"any measure interfering with encryption must be proportionate to achieving the legitimate aim for which it is imposed, and the benefits gained through the adoption of such measure must not be outweighed by the harm caused, including to individuals and network infrastructure and security."

^ Same thing. In three separate places, they suggest that restrictions are permissible, and they are making recommendations for when they may be permissible.

[foolshdropout]

I agree, the author is clueless on so many fundamental levels it's a travesty.

[aaronmhatch]

Please explain, thanks.

[foolshdropout]

Here's a short list I compiled just for you Aaron, but you have to do your own reading.

http://www.theguardian.com/technology/2015/may/01/encryption...

http://reason.com/blog/2016/02/18/4-reasons-to-fear-encrypti...

https://www.servint.net/university/article/keep-the-back-doo...

https://pando.com/2013/12/19/the-nsa-review-panel-says-encry...

http://www.techrepublic.com/article/why-government-mandated-...

http://www.newsweek.com/why-we-need-encryption-even-nsa-cant...

https://www.wordfence.com/blog/2016/02/wordfence-supports-st...

https://www.rt.com/usa/319236-no-encryption-backdoor-apple-c...

http://www.techrepublic.com/article/encryption-you-cant-put-...

http://www.theguardian.com/commentisfree/2015/mar/04/backdoo...

https://www.yahoo.com/tech/defense-secretary-favors-strong-e...

http://www.freerepublic.com/focus/f-news/3395743/posts

BTW Aaron, a sidedoor is just a backdoor on an adjacent wall...

[aaronmhatch]

Thanks for the links, foolshdropout. I've read most of those, and they tend to the make the same points over again.

I called it a "side door" to make the point that we need a compromise between the front and back. The pro-encryption crowd doesn't want a back door, and the anti-encryption crowd doesn't want a front door. As Amnesty International recommends, we need some compromise.

Given that you think I'm clueless on many fundamental levels, I presume you disagree with Amnesty International.

[WalterSear]

The pro-encryption crowd knows that a 'side-door' is mathematically impossible and the 'side-door' crowd know the power of magical belief.

[aaronmhatch]

I agree that the answer is complicated, but I don't agree that we must appeal to mathematics to solve the problem. We need to have a discussion about what is a good compromise and how much security and privacy we have to sacrifice in order to ultimately strengthen them. We sacrifice some of our privacy and security by allowing government to break into our homes, yet we feel safer and more private because law enforcement and our justice system is on our side and works to thwart criminals. It isn't perfect, but I personally would feel less comfortable if our homes were impenetrable - think of the ramsomware cases with encryption. The fact that there's no way to unlock those encrypted machines without the key is a tragedy. You might say the answer is to stop the ramsomware nuts instead of undermining encryption, but that's like saying we should stop the pedophile from raping our kid in his impenetrable basement instead of making it so we can break in.

How do we solve this? It's hard to say, but there are solutions. foolshdropout's first Guardian link presents a good example with the TSA luggage lock standardization. That is essentially a backdoor and has led to many thefts. The flaw in that example, however, is that with enough force, a lock can be broken, and any luggage can be penetrated, making the need for master keys and standardized locks unnecessary. So, it's not a good analogy with encryption, which cannot realistically be broken into.

Giving the government master keys to standardized encryption methods is not a good way to do it. However, the FBI's method of getting Apple to disable the guess limit is a "lesser" backdoor, if you must call it that. That provides some compromise because it requires the government going to Apple for each warrant and having them on a case-by-case basis disable the limit. This adds a few hurdles to slow down the process, which is basically what encryption does in the first place, while allowing authorities to lawfully search and seize.

I'm not sure what the answer is, but I know that if we stick to absolutes (total encryption, no encryption), we are only hurting ourselves.