Wednesday, July 24, 2019 [Tweets] [Favorites]

Attorney General William Barr on Encryption Policy

Bruce Schneier:

Yesterday, Attorney General William Barr gave a major speech on encryption policy -- what is commonly known as “going dark.” Speaking at Fordham University in New York, he admitted that adding backdoors decreases security but that it is worth it.

[…]

I think this is a major change in government position. Previously, the FBI, the Justice Department and so on had claimed that backdoors for law enforcement could be added without any loss of security. They maintained that technologists just need to figure out how: an approach we have derisively named “nerd harder.”

With this change, we can finally have a sensible policy conversation. Yes, adding a backdoor increases our collective security because it allows law enforcement to eavesdrop on the bad guys. But adding that backdoor also decreases our collective security because the bad guys can eavesdrop on everyone. This is exactly the policy debate we should be having not the fake one about whether or not we can have both security and surveillance.

That sounded encouraging. However, Barr also said (via Nick Heer):

We are confident that there are technical solutions that will allow lawful access to encrypted data and communications by law enforcement, without materially weakening the security provided by encryption.

If he’s only conceding a theoretical—not material—difference, I’m not sure how much of a change this really is.

Previously:

Update (2019-08-15): See also: Bruce Schneier.

Update (2021-03-09): Christopher A. Wray:

The FBI remains a strong advocate for the wide and consistent use of responsibly-managed encryption – encryption that providers can decrypt and provide to law enforcement when served with a legal order. Protecting data and privacy in a digitally-connected world is a top priority for the FBI and the U.S. government, and we believe that promoting encryption is a vital part of that mission. But we have seen that the broad application of end-to-end and user-only-access encryption adds negligible security advantages. It does have a negative effect on law enforcement’s ability to protect the public. What we mean when we talk about lawful access is putting providers who manage encrypted data in a position to decrypt it and provide it to us in response to legal process. We are not asking for, and do not want, any “backdoor,” that is, for encryption to be weakened or compromised so that it can be defeated from the outside by law enforcement or anyone else. Unfortunately, too much of the debate over lawful access has revolved around discussions of this “backdoor” straw man instead of what we really want and need.

We are deeply concerned with the threat end-to-end and user-only-access encryption pose to our ability to fulfill the FBI’s duty of protecting the American people from every manner of federal crime, from cyber-attacks and violence against children to drug trafficking and organized crime.

3 Comments

Ghost Quartz

Encryption is only meaningful if the ciphertext is inaccessible without the corresponding key, and I should be the only person who decides who has that key. A system inherently lacks privacy if access to my personal information is out of my control. This debate is like asking for a bullet-proof vest that lets police officers’ bullets through. It’s not really bullet-proof if someone can still shoot you.

The whole "going dark" framing is dishonest to begin with. Things were always invisible to law enforcment until they took real sheps to make them visible. Conversations and postal letters were invsisible until the police bugged phones or intercepted mail. It's only with increased digitaliuation that there was even a chance for this data to be easily and universally visible to governments. Even with full, safe encryption, modern law enforcment has more visibility into this data than ever before in the history of humanity.

Nothing is going dark here, even with universal encryption, this is the most transparent time in history.

@Lukas, I think dishonest is an excellent adjective.

Stay up-to-date by subscribing to the Comments RSS Feed for this post.

Leave a Comment