US Efforts To Regulate Encryption Have Been Flawed, Government Report Finds (theguardian.com) 110
An anonymous reader writes from a report via The Guardian: U.S. Republican congressional staff said in a report released Wednesday that previous efforts to regulate privacy technology were flawed and that lawmakers need to learn more about technology before trying to regulate it. The 25-page white paper is entitled Going Dark, Going Forward: A Primer on the Encryption Debate and it does not provide any solution to the encryption fight. However, it is notable for its criticism of other lawmakers who have tried to legislate their way out of the encryption debate. It also sets a new starting point for Congress as it mulls whether to legislate on encryption during the Clinton or Trump administration. "Lawmakers need to develop a far deeper understanding of this complex issue before they attempt a legislative fix," the committee staff wrote in their report. The committee calls for more dialogue on the topic and for more interviews with experts, even though they claim to have already held more than 100 such briefings, some of which are classified. The report says in the first line that public interest in encryption has surged once it was revealed that terrorists behind the Paris and San Bernardino attacks "used encrypted communications to evade detection." Congressman Ted Lieu is pushing the federal government to treat ransomware attacks on medical facilities as data breaches and require notifications of patients.
FUCK YOU DORKS (Score:5, Funny)
Stop insisting on unbreakable encryption. You're just helping terrorists and criminals while you hurt Americans. If you dorks didn't have anything illegal to hide, you wouldn't use unbreakable encryption. And no, I'm not worried about identity theft. I use Lifelock and, therefore, am immune from this.
Re: (Score:1, Offtopic)
Re: (Score:1)
The only regulation needed for encryption is that encryption methods available to the general public NOT have any built in back doors. We REALLY DO NEED UNBREAKABLE ENCRYPTION, as in when a device has its data encrypted, too many failed tries to access that device or its data, totally deletes that data. Deletes it as in overwrites it with zeros, then again with random characters. To anyone but the owner (as in the person who bought and paid for the device), that device needs to be a black box that cannot
Re: (Score:3)
I'm pretty sure most anyone in government disagrees with this line of thought.
Most individuals, however, don't.
Re: (Score:3)
Actually, back in the (the 1980s) we used portable hard drives, called "Data Transfer Unit Cartridges", or "DTUC", to hold navigational data in B-52 Bombers. No clue on the capacity, but when we pulled a bird off alert, we did EXACTLY that: Overwrite with zeros, then random characters. 10 cycles of this. At that point, the DTUC was considered clean enough of highly classified data, that it could be removed from the secure perimeter, and sent off to the Bomb/Nav shop.
If it was good enough for SAC in 19
Re: (Score:2)
10 cycles of zeros-then-random might have been sensible in the 1980s with stepper motor head positioning and wide inter-track areas, but by the early 2000s the tighter head positioning using voice coils and servos and so on meant that a couple of cycles were considered adequate. (I'm trying to
Re: (Score:3)
Lifelock? Immune? Mod the parent to +5 funny.
Re:FUCK YOU DORKS (Score:4, Insightful)
No one wants unbreakable encryption. We just want encryption to work like copyright - it's completely breakable on a completely impractical timescale (heat death of the universe + 2 billion years should be ok).
Re: (Score:3, Funny)
You damn encryption fanatics. Copyright is only death + 75 years, and the copyright of large corporations is far more important than your personal information. So we should compromise, heat death of the universe + 10 years.
Think of the children!
Re: (Score:2)
Careful there, you have to be more clear than that. Are you OK with encryption that can be broken by heat death of the Universe + t billion years for a Kardashev Type I, Type II, or Type III civilization? I'm not sure AES-256 will stand up to a sufficiently large Type III civilization with highly advanced quantum computers.
Re: (Score:2)
Since even a Kardashev Type III civilization is subject to the heat death of the universe (and, hence, the second law of thermodynamics), I'm ok with that.
My personal definition of godhood starts at immunity to the second law of thermodynamics, and if any such entity wants to read my email, it can go ahead.
I'm not sure AES-256 will stand up to a suf
Re: (Score:3)
If "not knowing enough about something to make that kind of decision" is any indicator as to whether you should or should not make a decision, congress can't really make a lot of laws anymore.
Re:Classifed? Well, there's your problem (Score:5, Insightful)
Re: (Score:3)
You make it sound like those two choices are mutually exclusive.
Re:Classifed? Well, there's your problem (Score:4, Funny)
But but but ... there ought to be a law!
We must do something, this is something, therefore we MUST DO IT!!!!
Re: (Score:2)
I'd already be happy if laws had to be reviewed every couple years. Every other year a law has to stand the test of time whether it is still necessary.
What do you say? We have so many laws that this is unfeasible? Well, maybe it's time to get rid of a few that are outdated and useless.
Re: (Score:2)
Why not a moratorium on laws? Require a current law to drop for every new law passed?
Unfortunately that would just lead to longer "omnibus" laws. To be effective we would need to limit the total content of the laws, including anything included by reference, not just the number of laws. (For example, the FCC/FAA/FDA/etc. might still come up with the actual regulations but they couldn't take effect until approved by Congress as a replacement for some existing set of laws of equal or greater length.)
I would actually go a bit further and say that as we have far too many laws and regulations alr
Re: (Score:2)
That would be for the good of the people then.
Develop a far deeper understanding (Score:5, Insightful)
If legislators ever bothered to try and understand anything before passing laws about it, government as we know it would cease to exist.
Re: (Score:1)
Quid pro quo is as deep as it gets.
Re:Develop a far deeper understanding (Score:4, Interesting)
"lawmakers need to learn more about [insert topic] before trying to regulate it"
I was going to type up a lengthy missive on how unsurprised, yet blind with rage I am about the above phrase. But I just do not care any more. I have no faith left in the U.S. government, and at my age, I will not waste the time on meaningless scorn. Congress can bicker back and forth on whether plants crave electrolytes all they want.
Perhaps some very distant day, hundreds or thousands of years in the future, we (as a species) will have some system of government where experts in their field are the ones who decide how best to regulate that field, with appropriate checks and balances in place of course.
Re:Develop a far deeper understanding (Score:5, Insightful)
That's what we have in the financial industry now. Almost all of our financial regulations have been written by people who make their living in the field.
Don't assume that expertise means caring what's best for society. It just means you know what's best for you. Technocracy can be an express train to dystopia.
Re: (Score:2)
I think that's how our system is supposed to work.
An
Re: (Score:2)
The regulator also needs a broad view of "expert" and affected party. For example, when regulating mortgage practices, first in the room is bankers because they are affected and experts. Alas, the ranks of the not invited include average people who have a mortgage or hope to get one. Also absent, people who were foreclosed on. They too are affected and could be considered experts on their own personal situation at least.
A good regulator will understand that. Alas, I know of no algorithm to choose a good reg
Re: (Score:2)
But you left out the critical part:
with appropriate checks and balances in place of course
That would not include lobbyists who have any current or promised financial incentive to push for laws favoring their company or industry.
Re: (Score:2)
In other words, nobody who might be able to get employed in an industry can help regulate it? There doesn't need to be a promised financial incentive for someone to go from a regulatory body to industry. It can be implied, or even assumed. Should lobbyists be banned entirely, since they're probably paid by a company or an industry association?
Re: Develop a far deeper understanding (Score:2)
Perhaps, but a total ban may be extreme and ultimately ineffective. One idea is to provide a formal and transparent venue for contact to occur between current industry representatives and government officials... in other words, no more schmoozing elected representatives with wine and food.
However, I do believe government representatives should recuse themselves from voting or speaking to Congress on matters in which they hold financial interest.
That's a fair point (Score:2)
And I was cognizant of that risk, which is why I put the "appropriate checks and balances" at the end.
The financial industry is an excellent example of why subject matter experts cannot be the sole determinant in such things. In that case, it's more like self-regulation than perhaps any other. However, as I was typing that, I was thinking about scientists; who for all their empirical work and impartial judgement, are still just human beings as flawed as the rest of us. Motivations must always be a concern.
Re: (Score:2)
Don't assume that expertise means caring what's best for society. It just means you know what's best for you.
It's more complicated than that, even. Sometimes expertise works against you by limiting your perspective. If you're an expert developer, it might predispose you to building applications that make sense to developers and are useful for developers, while having a very hard time making applications that make sense to regular people. You see a app that most people would find simple, elegant, and frustration-free, and you get annoyed at the lack of features (features that most people would find extraneous an
Cross-advertising (Score:5, Insightful)
Re: (Score:1)
Or, in this case, DIRECTLY FOLLOW ONE ANOTHER on the website.
Re: (Score:2)
FTA: (Score:3, Insightful)
Apple CEO Tim Cook, along with executives from Google and Facebook, have argued that if Washington starts ordering them to build universal key features into their encryption software, it will create vulnerabilities that both the “good guys” (western governments, in this case) and “bad guys” (other governments and hackers) can exploit.
Sadly, the lines are a little more blurry than this.
right hand doesn't know what the left hand is doin (Score:5, Informative)
Re: (Score:1)
When you're trying to convince someone to agree with you, don't call them a villain unless that's how they self-identify.
Re: (Score:2)
Ya, you might hurt their feelings.
Re:FTA: (Score:5, Informative)
They are more blurry than "Western Governments are good guys/other governments and hackers are bad guys", but the overall point is that even if you COULD trust all western governments to never abuse their encryption backdoor (a huge assumption), the mere presence of a backdoor would lead to hackers exploiting it. And, walking back the assumption, let's say you (for some reason) trust the current administration with an encryption backdoor. Do you trust the next one with it? What about the one after that? How long until an administration comes along that abuses the backdoor (whether Nixon-Whitewater level abuse or slowly encroaching on what is acceptable abuse)?
Re:FTA: (Score:4, Insightful)
the mere presence of a backdoor would lead to hackers exploiting it.
Well, it would lead to hackers exploiting the encryption used by regular, law abiding people. Criminals and terrorists could still encrypt things with other schemes that don't include a back door.
Re: (Score:3)
That's the other reason this debate is pointless. Even if the US government could, tomorrow, declare all non-backdoored encryption illegal AND every company complied immediately (a turn of events that would make me looking for airborne S. Domesticus), there would still be open-source, non-backdoored encryption hosted in other countries. How would the US force all websites in every country into backdooring all of their encryption? And why wouldn't any hypothetical terrorist use this non-backdoored encrypt
Re: (Score:2)
As are you, and everyone else. You all are bad guys! I am the only good guy left!
So does this mean they will stop demonizing it (Score:2)
Comment removed (Score:4, Informative)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I am not clear what you mean by this. Are you referring to secret communication or anonymous communication or both? Encryption works to provide the former and the later is possible though not common; you can secretly communicate anonymously via NNTP for instance although that d
Re: (Score:1)
"Their wire" = ISP, that single point of failure that will always answer to government demands for tracing, censoring, etc. Yes, the capability of both anonymous and encrypted communication is the goal. That cannot happen under the present circumstances. Until we build a robust ad hoc peer to peer network and dump the DHCP and DNS server/client model, we have no way to circumvent them yet.
Re: (Score:2)
"Their wire" = ISP, that single point of failure that will always answer to government demands for tracing, censoring, etc. Yes, the capability of both anonymous and encrypted communication is the goal. That cannot happen under the present circumstances. Until we build a robust ad hoc peer to peer network and dump the DHCP and DNS server/client model, we have no way to circumvent them yet.
Well, I just pointed out how both anonymous and encrypted communication can be achieved despite cooperation of the ISP with the government short of blocking unapproved communications. The former costs a lot more bandwidth but is achievable. The later is trivial. Both of course are subject to exploits depending on the implementation but that will be the case for anything.
The above is one of the reasons I do not care as much about the protections provided by the 4th amendment and any other rights; the gove
Wait, What? (Score:1, Insightful)
U.S. Republican congressional staff said in a report released Wednesday that previous efforts to regulate privacy technology were flawed and that lawmakers need to learn more about technology before trying to regulate it.
*Republicans* are creating and authorizing the publication of reports critical of government-mandated encryption 'backdoors'?
We keep being lectured by those on the Left that the Democrats are the ones that protect the "regular Joe" and the Republicans are the ones that want to crush the rights/privacy of the "regular Joe".
This is unpossible!
Strat
Re:Wait, What? (Score:4, Interesting)
Re: (Score:1)
Yes. Of course *Republicans* will be highly ciritical of government mandatated encryption backdoors, if "government" means "those Democrats!".
Translation (Score:1)
previous efforts to regulate privacy technology were flawed and that lawmakers need to learn more about technology
Translation: we need to spend yet even more tax money so that we can expand our power over the people yet again.
Re: (Score:2)
Hillary Clinton: "I want the FBI to have every tool possible to defeat terrorists and criminals, especially racist, homophobic domestic right wing groups which the FBI tells me are the most immediate threat to public safety. We cannot allow encryption to stand in the way of American civil rights and public safety."
Donald Trump: "I want the FBI to have every tool possible to defeat terrorists and criminals, especially radical Islamic immigrant groups which the FBI tells me are the most immediate threat to
confession of congressman X (Score:2)
They're too busy raising fund for their next election. Their staff reads the bills and tell them which way to vote. They consider the voters retards and deserves every anal rape they dish out to us.
If they can't be bother to read the bill they're vote on, do you honestly expect them to study the issues and author meaningful bills that actually does something useful for the voters (and not their largest campaign fund contributors) ? Hello?
Title (Score:4, Funny)
"Going Dark, Going Forward: A Primer on the Encryption Debate and it does not provide any solution to the encryption fight" is a bit long for a title, isn't it?
I'd like to... (Score:5, Insightful)
Some perspective, people; we've had encryption in use for over 40 years, and the actual amount of people using it to escape prosecution is almost none. Furthermore, if we put in a backdoor, it's inevitably going to be discovered by the rest of the world, and we will wind up with a situation where anybody in the world can read traffic made by American citizens, but they can't read the rest of the worlds. How does it improve national security if the US's banking details are all in plaintext while the rest of the world's isn't? Not only doesn't it improve it, but it dramatically weakens it - if the US really winds up in a war against China or Russia or whatever, and they've figured out the secret, they can effectively spy on any data in the US, read any file. We all know there's no way people are going to upgrade after, so how exciting will it be when the entire infrastructure is easily hackable and no citizen's data will be secure?
Second off, I'd like to point out this isn't going to yield us much benefit. If criminals can't communicate securely with computers, then they'll... use encryption anyway. If they constantly switch WiFi hot spots, use different computers and phones, only send brief messages, and use it for dead drops when they're not around, they have absolutely no possible risk, and the data remains unreadable anyways. And if even that is somehow, magically and impossibly, fixed, then they'll simply do it the old fashioned way; rely on (physical) coded messages, talk person to person, or use stenography or other measures to evade detection. They'll still successfully escape oversight, and it'll be even easier because now they'll be needles in a 300 million pound haystack.
Finally, let's consider the kind of data they're after. They're probably going to want messages, personal videos, etc. from people - stuff that's actual communication. If the data is not stored on the phone, or the phone is destroyed, then... where is it? I know that I don't send the same email back and forth to a person for 30 days, and if neither of us have a copy, there'll be non-left anyways. Oh sure, maybe the server you say, but if we assume a criminal or spy willing to use advanced encryption, why exactly wouldn't they securely delete their messages after they've been read? We did it with burning papers, and once that message is gone, it's gone, encryption or not. Unless, of course, you propose to store every single message, video, and photograph that crosses US internet lines, and that is impossible with how much data there is. Also, how much crime is committed with just the internet? Law enforcement has access to criminal records, on seen evidence, bank records, security footage, witnesses, talking to family, and all manners of power; why would this hamper them? If the criminal is caught with his face bare on a security cam, we's convicted; if a spy blatantly and repeatedly does erratic things and snoops around, he's going to be caught also. Every country did it perfectly fine back in the 80's. Computers are (theoretically) a nice thing to have for this sort of purpose, but they don't contribute that much in the grand scheme. They simply make the inevitable a little quicker.
In short, we have absolutely nothing to gain really, unless you want to go after the 2 or 3 people who used it, and we have the world to lose; people will lose confidence in our IT market, businesses will move to a place where they can store encrypted data legally, the US will become completely unsafe for sensitive records, the government can easily turn into an Orwellian tolitarian state, all of our information becomes accessible to an enemy in the event of a war, and everybody who's smart will find loopholes around this provision anyway. We are going to suffer if we ban encryption or require it to have a backdoor, we are going to suffer a lot, and if you've seen the results of humanity's past, irrational fear and hatred tend to produce pretty poor choices.
Re:I'd like to... (Score:5, Informative)
Some perspective, people; we've had encryption in use for over 40 years, and the actual amount of people using it to escape prosecution is almost none.
Encryption has been around for much longer than 40 years!
"The earliest known text containing components of cryptography originates in the Egyptian town Menet Khufu on the tomb of nobleman Khnumhotep II nearly 4,000 years ago."
-- "Past, Present, and Future Methods of Cryptography ", http://www.eng.utah.edu/~nmcdo... [utah.edu]
Re: (Score:2)
so... over 40 years ;)
Re: (Score:1)
talk person to person, or use stenography
*steganography. Stenography is "the action or process of writing in shorthand or taking dictation."
Re:I'd like to... (Score:5, Insightful)
...lots of reasoned arguments clipped...
None of that matters. Not one bit. You are making the wrong arguments, regardless of how logical and well reasoned they are. It's just irrelevant.
What matters is how you can push people's emotional buttons. The enemies of freedom (the FBI, CIA, GCHQ, etc.) are successfully pushing the "encryption equals terrorism" emotional lie onto an ignorant populace. Emotional lies trump reasoned truths every time.
Emotional lies can be effectively countered with emotional truths, but cannot be countered with logical reasoning. Most people are not logical. For example, "The FBI's fight against freedom will expose your children to pedophiles" or, "GCHQ's war on privacy will make you a target of terrorists" will be more effective than debating within the TLAs' frameworks.
Wrong editors comment ... (Score:1)
Below the article it says:
Congressman Ted Lieu is pushing the federal government to treat ransomware attacks on medical facilities as data breaches and require notifications of patients.
What has that got to do with this story? I believe that belongs to the previous one: https://yro.slashdot.org/story/16/06/30/0340220/congressman-wants-ransomware-attacks-to-trigger-breach-notifications. I think it's not the first misplacement I saw today. Something wrong with the content generato
Off export regulations (Score:4, Insightful)
I've never understood why the restrictions on exporting encryption outside the US. That seems to operate under the premise that non-Americans are unable to develop their own cryptography...which is certainly not the case. Can anyone explain why the US government tried to govern something that is inherently ungovernable?
Re:Off export regulations (Score:4, Informative)
Because for a time, the US did have better encryption than other countries - DES was good back when it was new.
That is no longer the case, but laws move much slower than technology.
Re: (Score:2)
It's become ironic, since AES was developed by (IIRC) a couple of Belgians.
Re: (Score:3)
If they just went back to declaring that encryption was a munition, then encryption would receive 2nd amendment protection! Then Charlton Heston could claim "you can have my passphrase when you pry it out of my cold dead hands."
Re: (Score:2)
Public Interest (Score:1)
> "public interest in encryption has surged"
Yup. But my gut feeling is that it hasn't been because
> "terrorists behind the Paris and San Bernardino attacks "used encrypted communications to evade detection"
since they mainly didn't, at least in any way which anyone locking their smartphone doesn't also use. Didn't this surge start with Snowden's revelations?
I could very well be wrong. Remember that this is the same kind of public which, on the day after a referendum on leaving the EU, made the second m
But the Paris attackers DIDNT use encryption (Score:5, Informative)
They used burner [arstechnica.com] phones.
The TLA's just tried to use encryption as the reason why their spy machines didn't detect squat, and to try force new encryption laws down peoples throats.
Re:But the Paris attackers DIDNT use encryption (Score:5, Insightful)
I was going to say that but you beat me to it. The Paris attackers used burner phones and SMS. Unencrypted SMS. If worldwide police agencies can't detect the digital equivalent of postcards being sent through the mail, what makes them think that a) terrorists will care enough to go through the trouble to encrypt their communications and b) they could even find the supposedly encrypted messages when they're just tossing more hay on the pile while searching for the same needle.
Re:But the Paris attackers DIDNT use encryption (Score:4, Insightful)
Yes! And, the link provided in the summary to support the statement is not about the Paris attacks. This is like me saying "Scientists have reported that neutrinos do not change flavor [bbc.com]." (The link is to an article confirming that they do change flavor.)
Re: (Score:2)
You know, I got excited that there was evidence for neutrinos interacting with food. It boggled my mind, so I followed your link.
***SPOILER***
That is a very different use of the word "flavor" than I am used to. Great disappointment will be my companion for the next few minutes.
Re: (Score:2)
The antiketchup neutrino is very tasty, but you have to put a whole lot on since it only weakly interacts with your food.
Intelligent report from a Congressional committee? (Score:1)
I only read the introduction and the seven conclusions so far, but this actually reads like a document that recognizes both sides of the issue, privacy versus legitimate needs of law enforcement. While I strongly lean towards privacy should win every time and twice on Sunday and would love to see a report that recognizes the reality that trading a little privacy is like trying to be a little pregnant, I'm actually heartened by the level of genuine intelligence that seems to have gone into this report. It
Ya Think?!?!? (Score:5, Insightful)
Ain't gonna happen... (Score:5, Insightful)
Congress (Score:1)
No.
The story here is that anything behind closed doors does not represent the will of the people, and ignorance is no excuse.
Roll your own encryption, share it only with friends.
Use it to pass encrypted copies of banned books, how-to-books, and amateur novels...
Send these encrypted things to members of congress...
Make then come and ASK for the keys.
Then explain why they have to ask.
Re: (Score:2)
Do NOT roll your own encryption. Approximately nobody here has the expertise to come up with a really good cipher (this being Slashdot, I assume a few of us do). Use something standard, devised by people who really know what they're doing, and heavily tested. The security isn't in the cipher being obscure, it's about the key being unknown.
Basically, cryptology is about secrecy compression. Take a large document you want secret, and encrypt it with AES-256. You've reduced the secrecy to eight bytes,
Really? No kidding! (Score:5, Funny)
Good luck regulating math, morons.
Link about Paris and San Bernardino inadequate (Score:5, Informative)
Translation (Score:5, Insightful)
lawmakers need to learn more about technology before trying to regulate it.
Translation: We need to fire these idiots and elect lawmakers that know more about the things they intend to regulate
Re: (Score:2)
SIGH....I hate to say this, but: Not Gonna Work.
So it's impossible to elect lawmakers who know *more* that the ones we have?
No matter who you elect, they won't know everything about everything.
This is a good reason not to try to regulate *everything* then.
That's why (shudder, I'm saying this) they need lobbyists. INDEPENDENT lobbyists who push all sides of the agenda, not just their own.
And the lawmakers can't know *something* rather than *nothing* in regards to what the lobbyists tell them on any particular subject?
NO, I don't know how you do it either. But asking people to know everything all the time will fail.
I said "Lawmakers should know more about the things they intend to regulate", and you apparently heard "Lawmakers should know everything about everything"
The TL;DR version (Score:2)
Dear Congress,
Please make an attempt to understand the way the modern world works before you attempt to control it though legislation.
( Oh, while we're at it, please at least READ the GD legislation before voting on it. No more of the " We have to pass it to know what's in it BS )
We would all sincerely appreciate it.
Hugs and kisses-
Teh Peoples