by wulfstan 427 days ago
Playing devil's advocate here...

What is wrong with:

* an expiring certificate

* issued by the device manufacturer or application creator

* to law enforcement

* once a competent court of law has given approval

* that would allow a specific user's content to be decrypted prior to expiry

There are a million gradations of privacy from "completely open" to "e2e encrypted". Governments (good ones!) are rightly complaining that criminals are using encryption to commit particularly awful crimes. Politicians are (mistakenly) asking for a master key - but what I feel we should as a community support is some fine-grained legal process that would allow limited access to user information if justified by a warrant.

Competent jurisdictions allow this for physical search and seizure. It's not unreasonable to ask for the same thing to apply to digital data.

14 comments

That sounds like a golden key approach, and the problem is your communication is no longer protected by math; it's only protected by the will of a stranger to be tortured by the government to protect you.

https://www.rsaconference.com/library/blog/a-golden-key-to-u...

The back-and-forth discussion on cryptography is happening because there just isn't much middle ground. Either someone else can read your messages, or nobody else can. If one person can read them, the government will push on them until they crack.

No, I don't accept that this is the case any more than the root certificate system is a golden key. I'm quite sure that Apple can issue me a certificate that allows me to build a custom version of iOS that can be flashed onto my phone; why doesn't the same thing apply to other things?

The two things you are talking about are very different. One is signatures and one is encryption.

The first thing that's wrong is the principle - we should have a right to try to preserve our privacy. When even trying to hide is a crime, you live under tyranny.

The second thing that's wrong is the practice - despite the "going dark" panic spread by intelligence agencies, we have far, far less privacy than at any prior point in history, and spying on people, even people trying to hide, is much, much easier. So why the hell must we make it even easier still??

I don’t think this particular devil needs more advocacy.

Law enforcement agencies currently have more data about each of us and more sophisticated tools to investigate crimes than at any time in human history.

> Politicians are (mistakenly) asking for a master key - but what I feel we should as a community support is some fine-grained legal process that would allow limited access to user information if justified by a warrant.

The problem with all backdoors is the human element. Master keys will be leaked. A process to gain access to a temporary key is also subject to the human factor. We’ve already seen this happen with telecom processes that are only supposed to be available to law enforcement.

The other issue is one of a legitimately slippery slope. The asymmetric nature of the power dynamic between governments and their citizens makes it even more critical to avoid sliding down that slope.

And finally, in the environment you propose, criminals will just stop using services that are able to provide such services to the government. Criminality will continue while ordinary citizens lose more and more of their rights.

Well, that's your view - but these demands aren't going to go away, and what I think is sensible is for us as a technical community to consider reasonable alternatives. Every society is a compromise between anarchic freedom and authoritarian tyranny, and this is another discussion about how a (relatively) new set of technologies can fit into that compromise in a way that is acceptable and reasonable.

I acknowledge the problems you raise, but it does seem to me that we have a good set of systems in place in the form of PKI that has a remarkable amount of flexibility.

It's frankly a bit of an article of faith in our community that encryption == unalloyed good and I think we'd be right to think more critically about that position.

> but these demands aren't going to go away

To me, this just means that we must remain vigilant. The slow creep towards authoritarianism isn’t going to go away either. The solution is not to look for reasonable ways for authoritarian rules to exist. Continuous harmful pressure must be met with continuous resistance.

> Every society is a compromise between anarchic freedom and authoritarian tyranny

Except not every society is such a compromise. Some are fully under authoritarian control, and serve as a warning for others who are tempted by authoritarian ideas.

> this is another discussion about how a (relatively) new set of technologies can fit into that compromise in a way that is acceptable and reasonable.

Breaking encryption need not inherently be part of that compromise. And until someone can explain how breaking encryption will actually stop the kind of bad actors used to justify such a direction (vs. driving them deeper underground, i.e. even if you outlaw encryption, it’s not as if law breakers will obey such a law), I see no merit in entertaining such a compromise. The crimes being committed are already illegal.

> It's frankly a bit of an article of faith in our community that encryption == unalloyed good

I don’t think most people in our community see it as inherently/perfectly good, but as extremely important and necessary. This is a critical distinction. As with everything, there are harms that come with the good, and such is the nature of all things. The question becomes: are the harms allowed worse than the good that is preserved? And would the new harms of disallowing the status quo be potentially worse than the harms supposedly prevented?

> I think we'd be right to think more critically about that position.

I agree that we need to think critically about this. But clearly we disagree about what one should conclude from such a critical analysis. I’d argue that taking the position that the government needs more power - especially at this moment in history - is the result of not thinking critically enough.

> Except not every society is such a compromise. Some are fully under authoritarian control, and serve as a warning for others who are tempted by authoritarian ideas.

Every society is on a continuum, and so represents some compromise between freedom for the citizen and power for the authorities. No society is perfectly free and no society is entirely authoritarian.

> Breaking encryption need not inherently be part of that compromise. And until someone can explain how breaking encryption will actually stop the kind of bad actors used to justify such a direction (vs. driving them deeper underground, i.e. even if you outlaw encryption, it’s not as if law breakers will obey such a law), I see no merit in entertaining such a compromise. The crimes being committed are already illegal.

Being able to legally access a private citizen's encrypted data in specific situations would help to (at least more rapidly) prosecute certain crimes more successfully. This is, I think, inarguably true. You can decide for yourself if that is worth a compromise. I'm somewhat on the fence.

> I don’t think most people in our community see it as inherently/perfectly good, but as extremely important and necessary. This is a critical distinction. As with everything, there are harms that come with the good, and such is the nature of all things. The question becomes: are the harms allowed worse than the good that is preserved? And would the new harms of disallowing the status quo be potentially worse than the harms supposedly prevented?

I think it's convenient and useful, but I hardly think it's necessary. Society managed to function just fine (although less conveniently) when strong encryption wasn't available for communications. Banking still happened, money still changed hands.

> I agree that we need to think critically about this. But clearly we disagree about what one should conclude from such a critical analysis. I’d argue that taking the position that the government needs more power - especially at this moment in history - is the result of not thinking critically enough.

It depends on how you define power. As society changes and new technologies emerge, maintaining existing government authority in new areas - and working out ways to ensure that authority is maintained - isn't really giving governments more power, but trying to ensure your society remains in the agreed location on the freedom/authority continuum.

If you see this as expanding powers, I can see how you would consider that a problem. But I think this is more about ensuring existing power is maintained correctly over a new area where crime is being committed.

Playing devil's prosecutor, I would say that technology has simultaneously made telecommunication a nearly constant part of life while also enabling mass surveillance on a global scale, and the process hasn't reached an endpoint. The result is an extremely slippery slope from "targeted lawful intercept" to "AI assisted sentiment analysis of every iMessage". Or in the future, everything seen by your AR glasses, every thought encoded by your neuralink chip...

Your limited lawful intercept example is reasonable to most, but as you yourself acknowledged, that's not what politicians are seeking. Therefore even if the community supports and enables "just that", politicians will eventually demand their wildcard cert. It will be a national emergency, after all.

Prior to expiry would suggest the encryption is broken from the start.

Although I do disagree on the reasonable/unreasonable angle, because I don't tend to analogize the contents of your phone to the contents of your safe, but rather to the contents of your mind.

Well, I get that a significant part of our lives is wrapped up in our phones nowadays, but I still try to preserve a safe haven between my ears... mostly...

If the OEM can issue such a certificate, it probably isn't necessary, because they can access the data and be subpoenaed directly, no?

Yes, what I am arguing for is requiring OEMs to implement this mechanism.

Frankly, if the NSA wanted to have Apple build a custom iOS version for a criminal so they could sniff his network traffic and flash content from the comfort of Maryland I don't believe that would be impossible today.

If an OEM could decrypt a user's data, a government typically won't bother to do it themselves. They'll just use legal mechanisms to require the OEM to do the work for them.

Again, as a thought experiment, what legal protections can we put in place - an encryption ombudsman or independent authority - that would allow an arm's length, controlled and expiring mechanism that allows limited access to a user's data? What would we as a society be happy to accept? I don't think the demand is an unreasonable one, but I'm trying to figure out what a reasonable collection of mechanisms looks like.

I think that's more of a technical question. How would that entity be granted the ability to decrypt your data without the OEM being able to?

Well, if decryption is so justified, then brute-force breaking that takes significant resources, so it's hard to misuse unnoticeably, would be a good approach. When you can only break into 100 phones a year, there's no slippery slope or fascist governments that could wildly misuse it for their own gain, because it's not physically viable.

Ok! That is a sensible rejoinder. Make a proof-of-work system that limits the authority from making more than n requests in a space of time. A good brake on abuse.

This requires the device manufacturer to have the capability to decrypt the data (to be able to do so when all this process is properly observed).

If they have the capability to decrypt the data, a court can compel them to do so, disregarding the process you suggest. A cyberattack could achieve it without a court order.

This can't be solved technically.

It requires decryption by means beyond the sole supply of a user-owned key. That doesn't require a manufacturer to be capable of decrypting it.

I suspect that there are many ways that can be achieved, all technical ;-)

Describe one.

Because it is not realistic to expect a government to always be "good". Courts are just going to rubber-stamp warrants, like they have done with present-day "lawful interception" warrants. And the keys are inevitably going to leak, if they are used routinely to investigate common crime.

Apple's iOS firmware encryption key hasn't leaked, as far as I am aware. Do you know otherwise?

There are already very good solutions for ensuring that key leakages are very difficult to do and limited in effect.

Is that very good solution "manage your own keys and don't give a special one to the government"?

That expiration is impossible to enforce. If you have the data and the cert, you can use it whenever you'd like, and the only thing preventing you from doing so is some piece of software voluntarily choosing to comply.

What that means is, there exists a master key in your scheme.

Certificates expire right now. It's in the schema for how PKI works. Why can't the issued cert expire in the same way?

Users can ignore the expiration date on a TLS cert. Cryptography doesn't enforce time constraints, business logic does.

Somewhere a piece of code would have to say "here I've got this key, which can decrypt this text, but I'm not going to", and that decision is not protected by math.

I'm not sure I follow. Obviously the application itself needs to support the business logic described, in the same way as your web browser needs to notice that a certificate has expired and tell you there's a problem with a website you're visiting. What I'm exploring is why requiring certain applications to support the same sort of thing to decrypt user data in certain circumstances to support law enforcement is a problem.

The closest you can get to what you want is a trusted third party who would help derive the final key. So the key could not be revealed to law enforcement without the cooperation of the trusted third party, who would verify policies like time, etc. It may also be possible to have the 'trusted third party' be a piece of tamper-proof hardware. I think generally people are suspicious of these schemes because they rely on 'trust'.

Also, I think Apple has a scheme similar to this for protecting the passcode from being brute-forced when recovering from iCloud backup. However, if this scheme breaks it doesn't reveal the encryption key, I believe; it just allows the passcode that protects the encryption key to be brute-forced, which I guess may or may not result in the encryption key being revealed.

The problem is that nefarious actors aren't physically barred from the data. If China, Big Balls, Zuckerberg, or anyone else want to access that data then they can just remove that check.

More importantly, the thing you're asking for (law enforcement retroactively snooping without there existing a master key) is always impossible.

For other forms of snooping (like a warrant to tap communications for a single device for a period of time), you have related issues. Suppose you magically make such a thing flawless -- the client can't detect intrusion, a single key is actually time-bound, etc. There still exists a group of people with the power to hand out such keys, and that power, however it's implemented, is still a master key to all future communications over that protocol.

You can partially mitigate the risk in various ways, but you can't eliminate it. Every proposal for weakening cryptography in that way has had glaring flaws, and many known attempts at actually weakening it have later been cracked by nefarious actors. Spying, but only for the "good guys," should be met with extreme skepticism as far as cryptographic protocols are concerned.

For all of these schemes, what happens when the people holding keys and power are physically forced out (DOGE et al)? Even if we assume the thing is implemented flawlessly, the people involved never leak anything, the master keys stay secret, ..., you still have the human problem of transitions in power. Do you want the current US administration, one currently arguing that it can "deport" actual citizens to torture prisons with no recourse or court case, to know that six years ago your daughter confided to her best friend that she got an abortion once? That she doesn't believe Israel should be committing genocide? Or, suppose you approve of the current administration, what about the next one that takes the reins with this new set of powers? It's bad enough without decades of chat history to let 70%-accurate AI comb through and make deportation decisions.

Am I allowed to keep a secret?

Maybe I am not allowed to write it down and also keep it secret.

Yes, but if a court decides you have committed a crime, and law enforcement show sufficient cause to obtain a warrant, they can seize your secret and - if it's relevant - use it to show your state of mind when the crime was committed.

Did you not read 1984?

Yes, several times.

But in the same way that as a society we allow physical privacy (and freedom!) to be removed under certain circumstances, we should consider allowing digital privacy to be removed in the same way. 1984 imagines a world where the authorities can enter your physical space at any time because they feel like it. But I don't lie awake worrying about that because I live in a society where I feel the social contract is largely upheld by the authorities.

> issued by the device manufacturer or application creator

The problem is that if the application has the power to do this then the rest is irrelevant.

That means hackers/governments/the CIA can force the application creator to do their bidding and enable mass surveillance.

I don't accept that. We have "master keys" for some forms of encryption right now in the form of root certificates; knowing that root cert authorities could issue certificates that might allow people to sniff my network traffic doesn't keep me awake at night.

To reduce any risks, almost everything PKI-related is conducted in public, is auditable by anyone, and is a cooperation between dozens of distinct entities located globally.

This is not analogous to a single government having non-transparent, non-auditable access to decrypt communications of its own citizens.

Then set up the system to be more analogous. Make the publication of key issuance under this mechanism public after a period of time.

Again, I see us falling back into an "all or nothing" view of privacy and I just don't think those are the only options.

> Then set up the system to be more analogous. Make the publication of key issuance under this mechanism public after a period of time.

That (somewhat, barely) addresses one of ~dozen issues with the proposal.

> Again, I see us falling back into an "all or nothing" view of privacy

Not to be too pedantic, but I think the distinction between privacy and encryption is incredibly important: almost everyone agrees that privacy is a gradient. The disagreement is whether or not encryption can be a gradient. Most people do not think it can reasonably be without undermining ~everything relying on it.

I get the hostility towards it - as I've said elsewhere, it's practically an article of faith in our community that strong encryption == unalloyed good. And clearly it needs a lot of thinking to address potential abuse. But we've done it for other things.

> Not to be too pedantic, but I think the distinction between privacy and encryption is incredibly important: almost everyone agrees that privacy is a gradient. The disagreement is whether or not encryption can be a gradient. Most people do not think it can reasonably be without undermining ~everything relying on it.

That is a fair criticism. I would answer that by saying that encryption is just a technology, and you can employ it in very flexible ways (including e.g. n-of-m style keys) which if thought through well and legislated carefully could give the authorities more reasonable access to data when it is legally warranted.
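Added worked example (not code from this thread, from any commenter, or from any vendor's product) showing the n-of-m idea in the comment above, together with the earlier points that a trusted third party "would verify policies like time" and that cryptography doesn't enforce time constraints, business logic does. The data key is split with Shamir's secret sharing over a prime field so that no single holder can rebuild it, and each holder applies the warrant policy before releasing its share. The custodian roles, the `Warrant` structure, the 2-of-3 split and the timestamps are constructed assumptions for illustration, not anything a real escrow scheme or court process prescribes.

```python
# Added illustration, not code from the thread or any vendor: a toy n-of-m key
# escrow built on Shamir's secret sharing, with the release policy (court
# signature, validity window) enforced by the share holders, not by the math.
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

PRIME = 2**127 - 1  # Mersenne prime; comfortably holds a 128-bit data key
Share = Tuple[int, int]


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate c0 + c1*x + ... + ck*x^k mod PRIME using Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, threshold: int, shares: int) -> List[Share]:
    """Split `secret` into `shares` points; any `threshold` of them recover it."""
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must lie in the field")
    # Random polynomial of degree threshold-1 with the secret as constant term.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(points: List[Share]) -> int:
    """Lagrange-interpolate the polynomial at x = 0 from a threshold of points.

    Note what is absent: no expiry, no warrant, no signature. Given enough
    shares, the arithmetic recovers the key whenever it is run.
    """
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


@dataclass(frozen=True)
class Warrant:
    """Constructed stand-in for a court order; `court_signed` replaces a real signature check."""
    subject: str
    not_before: int  # unix seconds
    not_after: int   # unix seconds
    court_signed: bool


@dataclass
class Custodian:
    """One share holder (manufacturer, ombudsman, court registry: assumed roles)."""
    name: str
    share: Share

    def release(self, warrant: Warrant, now: int) -> Optional[Share]:
        """The whole access policy lives here, as code that chooses to comply."""
        if not warrant.court_signed:
            return None
        if not warrant.not_before <= now <= warrant.not_after:
            return None
        return self.share


def escrow_demo(now: int, threshold: int = 2, court_signed: bool = True) -> Optional[bool]:
    """Run one access attempt at time `now`.

    Returns True if the released shares rebuild the data key, None if the
    custodians refused to release a quorum (expired or unsigned warrant).
    """
    data_key = int.from_bytes(secrets.token_bytes(16), "big")
    shares = split_secret(data_key, threshold=threshold, shares=3)
    roles = ("manufacturer", "ombudsman", "court registry")
    custodians = [Custodian(n, s) for n, s in zip(roles, shares)]
    # Constructed warrant: valid for 24 hours from 1_700_000_000.
    warrant = Warrant("device-1234 (constructed)", 1_700_000_000,
                      1_700_000_000 + 86_400, court_signed)
    released = [s for s in (c.release(warrant, now) for c in custodians)
                if s is not None]
    if len(released) < threshold:
        return None
    return recover_secret(released[:threshold]) == data_key


if __name__ == "__main__":
    print("inside window:", escrow_demo(1_700_040_000))
    print("after expiry:", escrow_demo(1_700_100_000))
    print("unsigned:", escrow_demo(1_700_040_000, court_signed=False))
```

Running the module prints the three cases. The instructive part is what `recover_secret` does not check: once a quorum of shares is in hand, an expired or unsigned warrant stops nothing, so the expiry in the proposal is only as strong as every custodian's willingness and ability to refuse, which is exactly the objection raised earlier in the thread. What the split does buy is that the manufacturer holding one share cannot decrypt on its own, which answers the question of how an independent authority could be given a role without the OEM being able to act alone.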

Not really. You can get around it with pinning public keys, like IoT devices and Tor and i2p do.

A proposal to backdoor all cryptography is worse than having PKI as a thing we opt in to for the sake of convenience.

> Governments (good ones!) are rightly complaining that criminals are using encryption to commit particularly awful crimes.

For starters, I don't know a lot of good governments. So you'll have to define how you differentiate between a good one and a bad one.

> Governments (good ones!) are rightly complaining that criminals are using encryption to commit particularly awful crimes.

Secondly, criminals use public transport and roads built with taxpayer money to commit crime. Some even say that they breathe the same air as us honest citizens.

They also live in homes with 4 walls that you can't see through either.

I am being facetious but you can see where I am going with this.

If you think that the governments will stop at spying on criminals once this backdoor is in place, then I have a bridge to sell you.

Do you want your kids to grow up in a world where everything they do online will be analyzed, categorized and reviewed by some random government employee somewhere?

What if this government turns bad in the future as it has happened countless times in the past? What do you do then?

> I feel we should as a community support is some fine-grained legal process that would allow limited access to user information if justified by a warrant.

The problem with this line of thinking is that it doesn't hold up in the real world. Once you grant access to something like, say, your browser history to the government or any entity, what's to stop them from asking for more next time?

It's not a big deal right, they can say, well you gave us access to A, now we want access to B. Then in 3 years they will come back demanding access to C, D and E until your entire privacy has been taken away from you.

And every time, they will use the same excuses, fighting crime, fighting drugs, child grooming and terrorism.

> Competent jurisdictions allow this for physical search and seizure.

That is not even remotely comparable.

In those cases, you need a judge or someone to approve the seizure. With a backdoor that can be opened at any time, you should consider that nothing will be private because there is no one who is going to be monitoring it 24/7 to make sure that there are no abuses.

> In those cases, you need a judge or someone to approve the seizure. With a backdoor that can be opened at any time, you should consider that nothing will be private because there is no one who is going to be monitoring it 24/7 to make sure that there are no abuses.

I'm not sure you've read what I wrote correctly. My hypothetical system would not allow the backdoor to be opened at any time, but it would require a certificate to be issued (derived from the manufacturer / application creator's root) that gives limited, expiring access on the production of a court-authorised warrant, in exactly the same way a judge gives the police permission to enter your physical property.

Which governments are the good ones?

Is the Indian government a good one, or Hungary's, or Turkey's, Germany's, or Britain's, or the US's? In the last case (well, in all cases), does the "goodness" of a government depend on the current incumbent? What if a previously "good" government turns into an atrocious one?

See also: the detailed Dutch census, which was mostly harmless, until it fell into the hands of the Nazis in 1940 and helped them to identify and exterminate almost all Jews in the country.

Every system of authority carries with it the risk of abuse; but we still accept legitimate authorities carrying out breaches of personal privacy for the sake of law enforcement - the warrant system being the obvious one. That's part of the compromise we make in society.

Good governments ensure that a breach of personal privacy has to travel through a legitimate process with an independent judiciary to limit the risk.

Do you think that this can be done without introducing massive security weaknesses into systems that cannot have them?

Also, there is a question if you believe the authorities that without decrypting data, they can't investigate crimes.

Imagine an analogous assertion that without torturing suspects, law enforcement is stymied. Someone might assert that, but we still say no, for all sorts of fundamental reasons. Same with American Miranda rights and others.

Myself, I don't believe in that assertion at all. Most crimes leave a massive real world trace that cannot be encrypted. The ones that don't, maybe should not be crimes in the first place.

> Do you think that this can be done without introducing massive security weaknesses into systems that cannot have them?

Yes, I do - or rather, that is the point of the discussion. We currently allow central authorities to indicate our permission to do or be something in the root certificate system. Why can't something similar be designed to allow controlled decryption?

> Also, there is a question if you believe the authorities that without decrypting data, they can't investigate crimes.

Clearly there are circumstances in which being able to decrypt the data of a criminal would assist in prosecuting crime. See EncroChat for an example of how this has worked.

> Imagine an analogical assertion that without torturing suspects, law enforcement is stymied. Someone might assert that, but we still say no, for all sorts of fundamental reasons. Same with American Miranda rights and others.

Yes. Clearly there are reasonable limits that need to be applied before we can allow controlled decryption of data. I am not arguing for issuance of a master key. See my original post.

> Myself, I don't believe in that assertion at all. Most crimes leave a massive real world trace that cannot be encrypted. The ones that don't, maybe should not be crimes in the first place.

Some do, and some don't. Things like e.g. cryptocurrency heists have profound effects, and are propping up North Korea. Those are definitely crimes...