”So, a judge who is convinced you're about to kill somebody can unleash the police to follow you everywhere in hopes of preventing that crime. Similarly, a judge who thinks your computer system contains information related to financial crimes can allow the police to hack that system. Likewise, a judge who thinks you're stalking your ex can order you to stay out of a certain part of town.”
If you weaken encryption so that your government can get access, now other sides can get access too. Including criminals and other governments.
No I would not like to weaken encryption for my bank (obviously), my personal information (if only due to spear fishing), cryptographic authentication like passkeys in general and ssh keys in particular, and absolutely no one gets access to any teenager's phone anywhere. (unless it's their parents maybe,... that one is debatable).
ps the term "NOBUS fallacy" is apparently not a thing yet. (I thought it was!)
This article frames a false choice of either designing a system that allows government access to everything you do digitally (which is now almost everything), or having the government design such a system.
In reality the choice is between such a totalitarian surveillance state without the possibility of digital security guarantees, or one where police can’t read your digital mind but can do good old fashioned police work.
(1) It's important to remember that part of why Telegram is in this pickle is that they deliberately designed a system that increased the surface area of what governments could demand from them, because they're not fully (or even mostly) end-to-end encrypted (in fact, they were openly dismissive of end-to-end encryption). We get these kinds of interventions in part because governments know they can work; we know how to design systems where they can't work.
(2) The idea that governments worldwide will uniformly solve this through international agreements seems fallacious, because some of the largest countries in the world have sharply different legal and political standards. For an agreement on lawful intercept to work, you need to foreclose on products that refuse lawful intercept. There are countries you can do that in, and others where you can't.
I think there is a well-taken point that cutting off law enforcement access to data isn't a long-term stable equilibrium; something will give eventually. But I think PHK is way overshooting how strong that argument is today.
Any online service typically keeps some amount of logging. A fully encrypted online service can certainly hand over some amount access and account information, and in my experience that's plenty enough for law enforcement to go and do the normal police detective work they're used to doing.
So, if we were to implement what this author is proposing, governments would be allowed to jail people indefinitely simply because they used effectively unbreakable encryption- regardless of whether what they encrypted was illegal (or evidence of a crime)? Because if so, that is absolutely unacceptable in any society that would call itself free.
This is, far and away, the most authoritarian proposal for the regulation of encryption that I have EVER seen. As far as I know, no nation on Earth has legal provisions so explicitly authoritarian as to require every civilian to maintain copies of all their communication in a form that cops can access after the fact.
If I send you a letter and you promptly burn it, that does not entitle the police to imprison either of us, no matter what sorts of subpoenas they obtain after the fact. But if I send you an encrypted message, we both throw away the key, and the police later subpoena our communications, this proposed law would permit one or both of us to be jailed for the ENTIRE term of whatever crime we are ACCUSED of:
> Then, fourth and finally (drum roll, please!), they'll need to allow courts to jail the accused until: (a) the communication has been decrypted by someone; (b) the maximum penalty for the charged crime has been exceeded
Unless this is a joke that's gone over my head, this is an open embrace of totalitarian surveillance. Either way, it's farcical. Fortunately it would not survive basic constitutional challenges in any liberal democracy.
---
Here's another silly detail. (Ugh, this article is bad on so many levels.)
> Then the legislators can get to work. First, they'll need to make it a crime to force or trick anyone into using stronger encryption than they consent to, no matter how that might be done. (Note that IT liberalists who claim encryption is a human right never realize this should also include the right not to be forced to use encryption against one's will.)
This means, if you start a conversation with me in plaintext, I'm obliged to continue exactly as I would if we were talking through encryption. This compels speech, which is both unconstitutional in most places and completely untenable in practice. (And why would there be a human right not to be "forced" to use encryption? There's no human right precluding "no shirt, no shoes, no service" policies. People who don't use encryption do not constitute a protected class!)
> This means, if you start a conversation with me in plaintext, I'm obliged to continue exactly as I would if we were talking through encryption. This compels speech,...
I think the author would say that if you don't want to continue in plaintext, you can just not respond.
> If I send you a letter and you promptly burn it, that does not entitle the police to imprison either of us
Aside: The fact that someone (legally) deleted data or (legally) switched to an encrypted channel may still be used against them, when establishing mens rea regarding some other actual crime.
That said, I don't want to dissuade anyone from taking steps to be safe.
I think that only establishes mens rea if it's not part of your normal procedure. If I always shred my mail that has my information on it after reading it, then shredding a piece of mail allegedly related to some crime is just normal. I would have to be an unusual intentional act, such as only shredding the illegal mail and not the regular mail.
> The United Nations' new "cybercrime" treaty, readied for signatures at the time of this writing, is very much focused on how to get court orders to work quickly and efficiently across borders. Bear in mind that international bodies don't fashion treaties like this unless they think an urgent response is vital.
Truly there is no process as quick and urgency-aware as creating and signing international treaties.
There are a few ideas so basically evil that just holding them, regardless of deeds, renders the speaker forfeit of the basic "shared humanity" level of comradery that I share with the vast majority of other people. This may be one of the few examples I've come across that fit that description while not falling under the normal umbrella categories of bigotry or unjustified calls for violence.
This proposal isn't just evil, it's evil in a remarkably novel way. I'm disgusted in ways normally reserved for stumbling upon a group of neonazis chatting amongst themselves.
I'm still reeling that someone had the gall to write a sentence like this and call it "good civics." It's a love letter to totalitarianism.
> Then, fourth and finally (drum roll, please!), they'll need to allow courts to jail the accused until: (a) the communication has been decrypted by someone; (b) the maximum penalty for the charged crime has been exceeded; or (c) the court decides to release the accused.
It takes a refined form of cynical misanthropy and tanky statism to believe that on balance, people are undeserving of even having the option of their private affairs being unexamined by the authorities, and that to even attempt to hide something from their eyes is to become a criminal.
There is already a tenuous balance in terms of power and consent between the governing and the governed. On balance, more harm is done to me by those in political / financial power than by the average criminal.
I'm not convinced handing governments omniscient surveillance is worth the price it exacts.
This quote from the original article reveals its author's fruitless strain to justify his ridiculous idea:
"(Note that IT liberalists who claim encryption is a human right never realize this should also include the right not to be forced to use encryption against one's will.)"
It would be true in context only if the users were given two options, like two buttons: "Click here for strong encryption" and "Click here for breakable stuff".
Who would click the breakable stuff? Yeah, me neither.
I feel like throwing up after reading this crap and the gratuitous abuse of the term 'fundamental human rights' in ways that would make Orwell blush. It is utterly disgusting on a moral level. Of course idiots like the authors would think civics are boring.
Can someone explain to me why wiretapping can't just.. evolve? Upon a court order, send a guy to bug someone's house with cameras and watch him put in his password. Use a microphone to listen to him type in his password, perhaps even from a distance, then use some open source tool to convert the audio data into keypresses & similar. Order the ISP to copy the packets for you so you can do traffic analysis. Order companies the guy has accounts on to cough up whatever data they actually have access to. Intercept his mail. Follow him around.
Encryption doesn't prevent any of these things, so what's with all the focus on it? Wiretapping was never zero cost, and we the people only consented to the norm of court ordered wiretapping in a world in which it took some effort to do. It ought to stay difficult.
22 comments
[ 3.0 ms ] story [ 56.3 ms ] threadOne of these things is not like the others…
No I would not like to weaken encryption for my bank (obviously), my personal information (if only due to spear fishing), cryptographic authentication like passkeys in general and ssh keys in particular, and absolutely no one gets access to any teenager's phone anywhere. (unless it's their parents maybe,... that one is debatable).
ps the term "NOBUS fallacy" is apparently not a thing yet. (I thought it was!)
In reality the choice is between such a totalitarian surveillance state without the possibility of digital security guarantees, or one where police can’t read your digital mind but can do good old fashioned police work.
(1) It's important to remember that part of why Telegram is in this pickle is that they deliberately designed a system that increased the surface area of what governments could demand from them, because they're not fully (or even mostly) end-to-end encrypted (in fact, they were openly dismissive of end-to-end encryption). We get these kinds of interventions in part because governments know they can work; we know how to design systems where they can't work.
(2) The idea that governments worldwide will uniformly solve this through international agreements seems fallacious, because some of the largest countries in the world have sharply different legal and political standards. For an agreement on lawful intercept to work, you need to foreclose on products that refuse lawful intercept. There are countries you can do that in, and others where you can't.
I think there is a well-taken point that cutting off law enforcement access to data isn't a long-term stable equilibrium; something will give eventually. But I think PHK is way overshooting how strong that argument is today.
If I send you a letter and you promptly burn it, that does not entitle the police to imprison either of us, no matter what sorts of subpoenas they obtain after the fact. But if I send you an encrypted message, we both throw away the key, and the police later subpoena our communications, this proposed law would permit one or both of us to be jailed for the ENTIRE term of whatever crime we are ACCUSED of:
> Then, fourth and finally (drum roll, please!), they'll need to allow courts to jail the accused until: (a) the communication has been decrypted by someone; (b) the maximum penalty for the charged crime has been exceeded
Unless this is a joke that's gone over my head, this is an open embrace of totalitarian surveillance. Either way, it's farcical. Fortunately it would not survive basic constitutional challenges in any liberal democracy.
---
Here's another silly detail. (Ugh, this article is bad on so many levels.)
> Then the legislators can get to work. First, they'll need to make it a crime to force or trick anyone into using stronger encryption than they consent to, no matter how that might be done. (Note that IT liberalists who claim encryption is a human right never realize this should also include the right not to be forced to use encryption against one's will.)
This means, if you start a conversation with me in plaintext, I'm obliged to continue exactly as I would if we were talking through encryption. This compels speech, which is both unconstitutional in most places and completely untenable in practice. (And why would there be a human right not to be "forced" to use encryption? There's no human right precluding "no shirt, no shoes, no service" policies. People who don't use encryption do not constitute a protected class!)
I think the author would say that if you don't want to continue in plaintext, you can just not respond.
Aside: The fact that someone (legally) deleted data or (legally) switched to an encrypted channel may still be used against them, when establishing mens rea regarding some other actual crime.
That said, I don't want to dissuade anyone from taking steps to be safe.
Truly there is no process as quick and urgency-aware as creating and signing international treaties.
This proposal isn't just evil, it's evil in a remarkably novel way. I'm disgusted in ways normally reserved for stumbling upon a group of neonazis chatting amongst themselves.
> Then, fourth and finally (drum roll, please!), they'll need to allow courts to jail the accused until: (a) the communication has been decrypted by someone; (b) the maximum penalty for the charged crime has been exceeded; or (c) the court decides to release the accused.
There is already a tenuous balance in terms of power and consent between the governing and the governed. On balance, more harm is done to me by those in political / financial power than by the average criminal.
I'm not convinced handing governments omniscient surveillance is worth the price it exacts.
"(Note that IT liberalists who claim encryption is a human right never realize this should also include the right not to be forced to use encryption against one's will.)"
It would be true in context only if the users were given two options, like two buttons: "Click here for strong encryption" and "Click here for breakable stuff".
Who would click the breakable stuff? Yeah, me neither.
Can someone explain to me why wiretapping can't just.. evolve? Upon a court order, send a guy to bug someone's house with cameras and watch him put in his password. Use a microphone to listen to him type in his password, perhaps even from a distance, then use some open source tool to convert the audio data into keypresses & similar. Order the ISP to copy the packets for you so you can do traffic analysis. Order companies the guy has accounts on to cough up whatever data they actually have access to. Intercept his mail. Follow him around.
Encryption doesn't prevent any of these things, so what's with all the focus on it? Wiretapping was never zero cost, and we the people only consented to the norm of court ordered wiretapping in a world in which it took some effort to do. It ought to stay difficult.