Encryption Government Privacy Security United States

U.S. Gov't Grapples With Clash Between Privacy, Security 134

schwit1 writes: WaPo: "For months, federal law enforcement agencies and industry have been deadlocked on a highly contentious issue: Should tech companies be obliged to guarantee U.S. government access to encrypted data on smartphones and other digital devices, and is that even possible without compromising the security of law-abiding customers?"

NSA director Adm. Michael S. Rogers wants to require technology companies to create a digital key that could open any smartphone or other locked device to obtain text messages or photos, but divide the key into pieces so that no one person or agency alone could decide to use it. But progress is nonexistent:

"The odds of passing a new law appear slim, given a divided Congress and the increased attention to privacy in the aftermath of leaks by former NSA contractor Edward Snowden. There are bills pending to ban government back doors into communications devices. So far, there is no legislation proposed by the government or lawmakers to require Internet and tech firms to make their services and devices wiretap-ready."
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward

    So what's the acceptable limit?

    Should they be allowed to watch you urinate?

    Should they be allowed to watch you defecate?

    Is it okay if they do this with a device that has an "Internet of Things" sticker on it?

    • I wouldn't doubt that the NSA has broken iPhone's encryption. https://firstlook.org/theinter... [firstlook.org]
      • by Jane Q. Public ( 1010737 ) on Saturday April 11, 2015 @10:04PM (#49455775)

        I wouldn't doubt that the NSA has broken iPhone's encryption.

        This proposal by NSA mirrors the Clipper Chip/Skipjack + Key Escrow system proposed back in the early 90s. People didn't trust the government with their keys THEN... why the hell should they do so NOW, given that government intrusion into our lives has only increased in the interim?

        Unlike the 90s, by now they have proved they can't be trusted.

    • Should they be allowed to watch you urinate?

      Should they be allowed to watch you defecate?

      Sure! If I can watch them fornicate...

      • *sigh* some day I will see the things that are missing, oh wait, I do see things that are missing, until it's too late of course. I should be a procurement officer for the Pentagon.

    • They should be required to! That might make them learn.

      Think Clockwork Orange like...

    • Oh please. That is a false dichotomy.

      The only thing "clashing" here is the high tech political donations vs the military and surveillance dollars.

      It's funny how the only "clashes" follow this same pattern...ok not funny at all.
    • Should they be allowed to watch you urinate?

      Should they be allowed to watch you defecate?

      The government? Hell no.

      But if Twiglebook and their selected partners wish to serve up targeted ads to enhance my waste elimination experience then sign me up!

    • by Anonymous Coward

      This Admiral is a treasonous POS. He took an oath to defend the constitution and here he is undermining it.

  • , but divide the key into pieces so that no one person or agency alone could decide to use it.

    Exactly how do they intend to split a key; by piling layers of encryption atop each other or by splitting the RSA public key modulo's factors into multiple authorities?

    Given the option of piling layers of encryption on top of each other, it would seem that private keys would need to be divulged to create this encrypted comm. system

    • by bohmt ( 900463 )

      , but divide the key into pieces so that no one person or agency alone could decide to use it.

      Exactly how do they intend to split a key; by piling layers of encryption atop each other or by splitting the RSA public key modulo's factors into multiple authorities?

      Given the option of piling layers of encryption on top of each other, it would seem that private keys would need to be divulged to create this encrypted comm. system

      The modulo is a semiprime number, so it has only 2 factors. I think he wants a Threshold cryptosystem, where m out of n parties need to use their keys for it to work.

      • splitting the RSA public key modulo's factors

        The user generates 64 bits of the first key, the US Govt. generates the next 64 bits, the Canadian govt. generates the next 64 bits, et cetera. Apply same process for both keys, then use a one-way conversion process to create a new key from the old one such that only govt.s whose random numbers went into the making can reverse the new key in a finite amount of time. Of course, this would get hurt by FREAK-like vulnerabilities.

    • Yep, they don't understand "digital tear point"...

      It's a way of sending a block to a lower-level person that gives them the headline and some of the story, enough to convince them to hand it to the high-level authorities that get the rest of the story by decrypting a second block that's only for them.

      Breaking a key apart just means they have to get together and then they have everybody's secrets... that's not how it's supposed to be done.

      • by dbIII ( 701233 )
        I'd say they understand all right and this is just PR. Remember the big fuss about needing a launch code, and then the launch code was all zeros so that it was just the same as if there was no launch code.

        Breaking a key apart just means they have to get together and then they have everybody's secrets

        Yes. I give it fifteen minutes, only because somebody will be making coffee before sharing the key in the first morning.

    • Exactly how do they intend to split a key

      They don't. This is just for public consumption. They have no intention of slowing themselves down with any privacy safeguards.

      They just think everybody's stupid. And, they would be right, except post-Snowden the number of people paying attention has gone up.

    • by dbIII ( 701233 )
      Easy, they give the key parts to other agencies and then the NSA seconds people from those other agencies so that they've got the full key fifteen minutes after the parts are sent out.
      There's so much pissing in each others pockets and "retiring to private enterprise" but getting millions of dollars in government work that there's no clear line between agencies and between government and private companies (eg. those Booz losers Snowden worked for). If the Chinese, Iranians, Russians etc don't have top level
  • Introducing my super clever hack:

    Wait till the key is needed.

    Write the key down.

    Use it whenever we want from then on, but make sure we tell everyone we're not.
  • The Math (Score:5, Informative)

    by Lord Duran ( 834815 ) on Saturday April 11, 2015 @05:07PM (#49454789)

    An example of how to do cryptographically secure secret sharing:
    Shamir's secret sharing [wikipedia.org].

    There are other secret sharing schemes there, follow the link to the main article.

    • The problem here is that when the SSL snoops get credit card data, they become the cracker that's supposed to be arrested. These warrantless wiretap losers don't last long, yet they always seem to be making more of them.

  • They will just do it anyway. It doesn't matter. Most people prefer to feel secure, they don't care how it's done.

    • I think most people fear a SWAT team coming in and shooting them in their own homes more than jihadist terrorists.

      NSA has not measurably made anyone more secure since they started this big brother program. You assume it works, but collecting more noise does not make the signal stronger.

      This idea of 'secure' you have, indicates a nice trust of the perfect nature of your leaders (i.e. the NSA), but those of us in foreign countries know where that leads to.

      Really, swap NSA for KGB and you've got the situation you'

  • by Anonymous Coward

    NSA director Adm. Michael S. Rogers wants to require technology companies to create a digital key that could open any smartphone or other locked device to obtain text messages or photos, but divide the key into pieces so that no one person or agency alone could decide to use it. But progress is nonexistent:

    Sure. I totally believe that you're going to do that. I mean, it's not like you scum have a history of blatantly lying to the American people and doing the complete opposite of what you say you will, right?

    How about no. Just fuck off and stop invading my privacy. You have absolutely no right there, whether you split that responsibility with other criminal--I mean, government-- organizations or not (not that I believe you'd even do that much).

    • [Quote]NSA director Adm. Michael S. Rogers wants to require technology companies to create... But progress is nonexistent:[/Quote]

      Nobody's helping him, so he's complaining to the media... nothing to see here, move along.

  • The problem here is that uncrackable-without-the-secret crypto poses a problem for the "give us everything!" police investigators... these are the guys who want warrantless wiretaps and other gifts from the tech industry.

    There's no master key that can solve all crypto... what they really want is a password that causes the device to give up its locks.

  • Perspective (Score:4, Insightful)

    by laing ( 303349 ) on Saturday April 11, 2015 @05:24PM (#49454885)
    When considering whether or not it should be okay for the US government to have backdoor access to any device, one should also consider whether other [techdirt.com] governments should also have that same access. The answer shouldn't depend upon which government you support.

    One should also remember that government employees with privileged access are people, and people can misuse [cnn.com] the access they have.

    We should recognize that the Fourth Amendment of the US Constitution was created to prevent this exact scenario. Law abiding people encrypt sensitive information to protect it from misuse by criminals, but the information can be misused by ANYONE with access.

    Dividing a backdoor key between multiple parties simply creates a requirement that all parties agree to access the information before it can be accessed. It doesn't guarantee that the access will be lawful.

    • Re: (Score:3, Insightful)

      by MobSwatter ( 2884921 )

      You can't install a back door to anything without weakening the security for the less than lawful crowd, when taken into context it would appear that the entire surveillance thing is not only unconstitutional, unconstitutional is also unlawful beyond not being that smart. It also concludes that not only the NSA and the elite are above the law, but every other law enforcement agency is going to make a play for it because the NSA got away with it. Now take all that and add the element of organized crime that w

  • Keeping Secrets (Score:5, Insightful)

    by Dutch Gun ( 899105 ) on Saturday April 11, 2015 @05:25PM (#49454889)

    So... what makes the NSA think that anyone could actually keep these ultimate "keys to the kingdom" secret? I mean, just about everything else of theirs that was secret has leaked out thanks to a single contractor. Can you imagine how valuable these keys are, and how much money could be made by selling them? Hell, the US couldn't even keep our nuclear weapon plans under wraps.

    And what's awesome about this scheme is that once the secret is out, every single smartphone in the US is compromised all at once. Whee!

    • Re:Keeping Secrets (Score:5, Insightful)

      by Jaime2 ( 824950 ) on Saturday April 11, 2015 @06:37PM (#49455145)

      It goes further... their scheme requires that the people holding the parts of the key work together regularly whenever access is needed. This is likely to be thousands of times every year. There's no way to keep a secret that needs to be accessed so often by so many. Enigma was broken due to poor operational security, not poor technology. Venona [wikipedia.org] broke one-time pads due to poor OpSec. An encryption scheme used by all authorities wanting decrypts of cell phones would involve tens of thousands of people and would be impossible to carry out without making egregious operational errors. Add to that the fact that none of those who hold the keys have much to lose when they screw up. War time operatives know their way of life depends on them not screwing up. The local FBI office only cares about decrypting the phone, if they screw up, it doesn't hurt them, but it hurts me.

    • So... what makes the NSA think that anyone could actually keep these ultimate "keys to the kingdom" secret?

      Hubris, most likely. If Bruce Schneier is correct there appear to be a number of NSA and CIA leakers still active. Not to mention the foreign spies within the NSA and CIA that we don't hear about because they are doing their job correctly.

  • The idea could work. Meet the seven people who hold the keys to worldwide internet security http://www.theguardian.com/tec... [theguardian.com]
  • Dear NSA (Score:5, Insightful)

    by Opportunist ( 166417 ) on Saturday April 11, 2015 @05:41PM (#49454933)

    No matter how many US agencies you distribute the key over, one thing is absolutely certain: If you require US companies to make any and all contents on mobile devices available to US government (and, considering who owns it, US corporations), absolutely NO non-US company could sensibly buy anything anymore from a US tech company.

    Hell, the chance to not be spied on would be bigger if you bought Chinese crap!

    Quite seriously, why should anyone trust a country that has a worse record when it comes to industrial spying than China?

  • by Anonymous Coward

    "Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety."

    ----Benjamin Franklin, Historical Review of Pennsylvania, 1759

  • by BitterOak ( 537666 ) on Saturday April 11, 2015 @06:02PM (#49455007)
    Does this only apply to cellphones which are regulated telecommunications devices? Or would it also apply to tablets, which are really personal computing devices? And if it applies to tablets, would it apply to other personal computing devices such as laptops and desktop PCs? And if so, does it only apply to encryption software sold with the device, or also to third-party supplied encryption software? And if it does apply to 3rd party software, does it only apply to commercial software, or free open source software as well? Are there 1st Amendment issues involved in regulating the distribution of free software, and if so do they apply only to compiled machine code, or to source code as well? The devil is in the details and I'm not really sure where dividing lines would be drawn.
    • As I know there is a thing named Arduino. Also, there is a thing named Arduino GSM shield. Basically it means that it's possible to make a primitive communication device with almost totally user-controlled code. (Almost - because the GSM shield has a firmware in it, but its interface can be controlled). You can use it to make an encrypted communication between parties but unfortunately it doesn't save you from collecting metadata; it still needs a solution (Such as "Diverter" in good old days of blueboxing

    • How do they avoid conflict with America's medical records privacy laws? Also, this is a death warrant for America's computer industry. Rule number one of spying: it must be done in secret, or you can't trust anything you get.
  • No Problem... (Score:4, Interesting)

    by CharlieG ( 34950 ) on Saturday April 11, 2015 @06:05PM (#49455021) Homepage

    They can have a back door to my phone - as soon as they give me the key to all THEIR systems (up to and including the President and IRS etc) so that when WE have the right to data, they can't say "we lost it". What? It's only fair - they watch me, I watch them

  • For normal people, we recognize the right to privacy so there is no clash. The title is misleading. The Republicans don't recognize the average person as human thus they believe we have no rights. They strongly believe in the Constitution, but don't think it applies to the average person.

  • Naw (Score:5, Insightful)

    by Dunbal ( 464142 ) * on Saturday April 11, 2015 @06:18PM (#49455071)
    There's no clash. The law is perfectly clear on that subject. Only the government is choosing to ignore it.
  • Two Keys? (Score:4, Interesting)

    by PPH ( 736903 ) on Saturday April 11, 2015 @06:39PM (#49455167)

    Dr. Petrov: [Ramius has taken the Political officers Missile key and kept it] Sir! The reason for having two keys is so that no one man may...

    Captain Ramius: May what, Doctor?

    Dr. Petrov: Arm the missiles Captain.

    Captain Ramius: Mmm, thank you for your concern Doctor

  • Offer someone an extreme choice, "Here's a car for only $60,000!" and they'll be more likely to accept a more moderate choice (Here's a car for $30,000!) because it's better by contrast, not objectively. Today we're reading, "should the government get to read everything, everywhere?" and your answer is obviously "fuck no". But that immediate answer isn't the point.

    Later you'll be presented with, "Should the government get extra-legal access to some things?" and because of this framing you'll be more likely
  • In what manner was the US government concerned with privacy?

    After 9-11, we were supposed to just stop being Americans and give up the whole idea of what our founding fathers wanted.
    Be a coward, and give them all the power they want, and see where that will get you.

  • Dividing the key makes sure a single individual cannot have access. But since all individual workers obey their employer, it does not prevent any NSA access.

    This is just a measure against rogue NSA employee access, not against NSA access.

  • by ZeroWaiteState ( 3804969 ) on Saturday April 11, 2015 @09:12PM (#49455611)
    If a backdoor key exists, then the company that created it must by law give it to any lawful government authority that requests it. For example, if a company does business in Saudi Arabia, and a backdoor key exists, they may be compelled under Saudi law to give that key to the Saudis. If a company does business in Russia, they may be compelled by the Russian government to give them the key. That's the nature of a backdoor. You can't just give it to only one entity. And let's not forget about Gemalto. They have cellphone encryption keys for the SIM cards they produced, which were held on their servers so that law enforcement agencies could obtain backdoor access to cellular communications via the legal process. However, the NSA broke into their servers and stole all of their secret keys, and then used them to mass decrypt cellular traffic. That's a real example of key escrow in action, and it completely failed to protect anyone.
  • Sorry, but if you create a system with a security compromising flaw in it, even a well hidden, obfuscated, extremely well guarded flaw, someone aside from the "intended" users of said compromise are going to use it to break in.

    The government's "need to know" does NOT trump my right to privacy. And if there's a real problem with that, they'd better be overtly bringing soldiers in to try to make me comply.

  • The only thing they're "grappling" with is how to continue unlimited spying while convincing you they're respecting your privacy.
  • by e**(i pi)-1 ( 462311 ) on Sunday April 12, 2015 @07:35AM (#49456843) Homepage Journal
    It is in the interest of anybody to help in providing the best possible encryption because "Whatever govs can do, crooks will do better". It not only helps the industry or privacy. It also protects itself as it is likely that such mandatory back doors will be technically outdated and hacked quickly after being put in place. Weak Encryption has decided the fate of Mary Queen, the deciphering of the Zimmermann telegram a hundred years ago played a role in the outcome of WWI and weaknesses in the use of the Enigma cryptology was important in WW2. Since then, technology has exploded and become more important everywhere. Any government proposing to weaken its own communication infrastructure by mandatory crippling their own industries will be at a disadvantage. The dream is of course that high up, secure systems are going to be used. As they will not have been well tested, they are likely to be hacked even faster than a device for the masses with a backdoor which has withstood standard attacks and gone through peer review by hackers. And if some really sweet military grade encryption will remain to be safe, it will be a goldmine for a company selling devices with such additions abroad.
