It puts the idea into the world that it could be a crime and maybe that it is the status quo.
Much better IMHO is something like "Encryption is a fundamental right.", "Encryption protects everyone.", "Without encryption there is no democracy." and so on.
Maybe "Don’t let them take your right to privacy."
I can imagine Iran has some effort to discourage use of VPNs, though of course everyone does.
I thought China simply made it easy to stay within the Great Firewall, and moderately difficult to get out.
Encryption is free association and free speech. Talking to someone about what I like without eavesdroppers
Transitioning gender is also free speech, freedom of expression. Presenting how I like and not how some wannabe king wants me to
Yeah, as someone who's viewed America from the outside for decades tragically it's no longer the country I once knew.
I wish people understood the American system at a philosophical level. What you call "American freedoms" are largely based off of negative rights, i.e. John Locke. Our bill of rights use specific language like "Congress shall make no law", "shall not be infringed", "shall not be violated". It's inherently freedom from state action.
Over the past 100 years a different interpretation of rights has emerged, so called positive rights as exemplified in FDRs second bill of rights; e.g. "the right to a good education" or "the right to earn enough to provide adequate food and clothing and recreation". This requires state action to facilitate freedoms for its citizens.
Unfortunately these systems are incompatible. I think a lot of the friction we are seeing in modern times can partially be traced to this contradiction.
They had an apartheid up to 60 years ago. There are living people from that time, and you can't believe in any human right and have an apartheid at the same time.
Is a legal requirement for others to affirm this expression also "free speech?"
Put more simply: the modern internet doesn’t work without encryption, it is a fundamental part of the technology. Without it, anyone could log into any of your accounts, take your money, messages, photos, anything.
I'm pretty pro encryption, but even this is pretty dishonest. Phones (ie. PSTN, not iPhones) aren't "encrypted" by any means, but there's plenty of sensitive information sent over it. Lawyers fax each other important documents, and doctors fax each other medical recorcds. There was (is?) even telephone banking where you could do basic transactions over the phone. Even today, some banks/brokerages require you to phone in to do certain high risk operations (eg. high value transfers or account resets). All of this happens without encryption. While that's less security that I'd like, it's safe to say that "anyone could log into any of your accounts, take your money, messages, photos, anything" isn't true either.
There is plenty of encryption used when you send any sort of message from an iPhone, even SMS. You can’t even turn the dang thing on and unlock it without encryption. Then when you send it, it’ll be encrypted by the radio before transmission. Then in transit it may or may not be encrypted at various points.
And POTS is not the internet.
My overall point is that encryption is used all of the time when people use the internet for routine tasks that they expect to work, and would not work in a modern reasonable way without it.
People use these technical implementations details to muddy the water of this conversation and demonize encryption, when the reality is that everyone uses it literally all the time for almost everything.
It's only recently that more secure alternatives to faxing have become practical, like DirectTrust Secure Direct Messaging.
2. Is there a way for phone call man in the middlers to get that info without wasting a ton of time listening to calls? With internet MITM it is very easy to set up a program that scrapes unencrypted login info.
being pandantic that should read - the modern usage of the internet..
the internet does work ok without encryption, has it has done from a long time ago
But this particular article represents a particular pathology surrounding freedom. Freedom is supposed to be about doing what you want. It's not about making florid speeches about how free you supposedly are. If you want to use end-to-end encryption, just use it, and maybe offer advice to others on how to use it.
There are some politicians who have decided that only bad people use encryption. Going up to one of these politicians and trying to explain that you use encryption but you're actually a good person won't convince them that encryption's okay, it'll just convince them that you're a bad person. Politics is one of those things that attracts people who just want to find the shortest route to a decision about who are the good people and who are the bad people, and keeping secrets isn't something that those sorts of people like other people doing.
Unless you have evidence that the government is rounding up people just for using encryption, all this sort of advocacy does is to draw attention to you having something to hide, and therefore probably being some sort of wrong'un. If the government is rounding up people for using encryption, that's a specific threat you need to respond to, and starting a public campaign is not the right response.
Clearly the pressure on government to write these laws is coming from somewhere. You should engage with the arguments the other side makes.
The arguments are "Protect the children.", "Catch terrorists.", "Catch criminals.".
Those arguments have been engaged with for decades. They are purely emotional arguments. Anyone who still pushes those arguments forth is most likely doing so with ulterior motives and cannot be reasonably "engaged" with.
https://fedsoc.org/commentary/publications/encryption-techno...
> The arguments are "Protect the children.", "Catch terrorists.", "Catch criminals.".
> Those arguments have been engaged with for decades. They are purely emotional arguments. Anyone who still pushes those arguments forth is most likely doing so with ulterior motives and cannot be reasonably "engaged" with.
Oh come on. Why do you think a "purely emotional arguments" are illegitimate? Are you some galaxy brain, coldly observing humanity from some ivory tower constructed of pure software?
Nearly all positions people take are, at their core, "emotional." And the disagreements that result in "arguments" are often really about differing values and priorities. You might value your "freedom" more than anything and are willing to tolerate a lot of bad stuff to preserve strong encryption, some other guy might be so bothered by child sexual abuse that he wants to give it no encrypted corner to hide in. You're both being emotional.
Software surveillance vendors.
> Chat control: EU Ombudsman criticises revolving door between Europol and chat control tech lobbyist Thorn
> Breyer welcomes the outcome: “When a former Europol employee sells their internal knowledge and contacts for the purpose of lobbying personally known EU Commission staff, this is exactly what must be prevented. Since the revelation of ‘Chatcontrol-Gate,’ we know that the EU’s chat control proposal is ultimately a product of lobbying by an international surveillance-industrial complex. To ensure this never happens again, the surveillance lobbying swamp must be drained.”
https://www.patrick-breyer.de/en/chat-control-eu-ombudsman-c...
This is a lie: obtaining cleartext just makes enforcement vastly easier and more scalable. If crims have encrypted mobile phones, you can still point a microphone at them.
Scalability is the big issue.
According to The New Oxford Companion to Law, the term crime does not, in modern criminal law, have any simple and universally accepted definition.
Society also determined it was ok to use a firehose on black people, so I think the best we can say is that the term Crime has nothing to do with Morality, and people who conflate the two need to be looked at with suspicion.
> You should engage with the arguments the other side makes.
I don't. I think most arguments about crime require one-side to act in bad-faith. After all: The author doesn't actually mean that Encryption isn't illegal in some jurisdictions, they mean that it shouldn't be. You know this. I know this. And yet you really think someone needs your tautological definition of crime? I don't believe you.
The article does address the flaws in some of their arguments (encryption inconveniences law enforcement, think of the children) by pointing out that the average person and children are kept save from criminal elements by encryption.
*edited to add "on matters of faith"
We went from Patriot Act to literally disappearing people without due process in only 23 years. Imagine if they could also decrypt your phone and plant evidence in advance.
Even if you trust someone with your life and you know this person is never going to betray you and will always have your best interests at heart, that doesn't mean that they automatically get a free pass to view and inspect everything I do every minute of every day until I die.
Unfortunately, that is what these governments want.
If we want to play in a world with full transparency, let's start with the politicians!
Lets see how happy the voters are when they have to start walking to their Bank again every week, can't order their latest temu toxic waste product anymore and their GDP drops in half.
/s
Also 's/pedo/terrorist/', or {russian|chinese|iranian|north korean} spy or any "bad guy of the day".
0 - https://www.politico.com/story/2019/06/27/trump-officials-we...
And people wonder why democracy is out of style. With democrats such as these, you don't need tyrants.
If you ask anyone if privacy matters they will of course say yes. If you ask them why they use software with telemetry or websites with Google Analytics they will simply shrug.
If you ask them if it's alright for the NSA to collect and analyze data from everyone they will say yes and they have nothing to hide.
People don't know what privacy is. They don't know what they are fighting for or where the fight is taking place.
If you take that and then add encryption to the mix... and you have politicians and agency plants talking about "saving the children from online pedos" by banning these "encryption apps and technology"....
You nailed the problem. Privacy is the tension between freedom and overwatch. Perfect privacy would yield zero justice, while zero privacy yields big brother/1984 overwatch. A healthy balance must exist for society to thrive.
The only way to guarantee secrecy is through encryption, preferably e2e.
As long as we preserve the knowledge of one-time pads, they will not take this power from us.
1. There's a thing T in the world, and that thing has negative outcomes X, Y, Z, and positive outcomes A, B, C.
2. Some people believe that Y and Z are so bad, that they want to partly compromise C to diminish them.
3. However that will never work! And they'll definitely also take B if we let them mess with C.
4. Besides, C is so important, that we should accept Y and Z to have it.
If so I don't believe it applies, in particular because you have stated that only a partial compromise on C is needed to prevent Y and Z.
There is no "partial compromise" on encryption, so this argument is flawed. There is no way to have encryption that "only the good guys" can break. It is either secure, or it is not.
But well, even that rebuttal is getting tiresome. It's the same people that keep pushing for banning air again and again. They control all the communication channels, so nobody can ever rebut them in a forum that matters, they control the governments, and they are still not popular enough to make that thing pass. Yet, they keep pushing for it.
I don't think we'll solve this by talking about this. We need to talk about systemic corruption instead. (But then, they control the communication channels...)
And of course the definition of terrorist is will vary based on what politicians want. US recently sent some "Terrorists" to a gulag for example.
To me, the only sure end-end encryption is gnupg, where you personally create the keys and distribute.
See also: the ACLU.
And yet it seems like every last politician without literally a single exception thinks that they it does work that way.
https://community.qbix.com/t/the-global-war-on-end-to-end-en...
a) This seems like a decent introduction to the subject of cryptographic regulation in the last 30 years. It's far from exhaustive, however. I do appreciate the collected references from diverse points in the last several decades.
b) I would have mentioned "Sink Clipper" and the ACLU "dotRights" campaigns. Neither are especially easy to find in the increasingly enshittified google cache, but Le Monde Diplomatique has this article, complete with a link to Sink Clipper poster (I think from the mind of Kurt Stammberger) that no collection of CypherPunk oriented ephemera from the era can be without: https://mondediplo.com/openpage/selling-your-secrets
The ACLU dotRights.org site seems to have receded into history, but some of it's content is still available at the archive. For example: https://web.archive.org/web/20100126102126/http://dotrights....
c) Herb Lin presented a very nice paper back in the day comparing PROPOSED encryption regulation with ACTUAL encryption regulation. I think the thesis was through the 90s, proposed regulation was increasingly draconian (clipper, etc.) but actual regulation was liberalizing (effective deregulation of open-source tools.) I found Herb's page at Stanford and heartily recommend it if for no other reason than it's sheer volume of written material: https://herblin.stanford.edu/recent-publications/recent-publ...
d) I was a little surprised the wired article linked to at the beginning of the piece didn't have that issue's front cover, which was sort of a cultural touchstone at the time. But you can see it here: https://pluralistic.net/2022/03/27/the-best-defense-against-... - and this one: https://www.reddit.com/r/Bitcoin/comments/1cgpktp/31_years_a... (dang, look at those non-receding hairlines!)
e) Making the web "secure" or "private" is like putting lipstick on a pig. Modern web technology is designed to de-anonymize and collect identifying information to enable targeted ad delivery. Thought I generally respect Moxie Marlinspike and have no great beef with Signal, there has been a concerted effort to exploit its device sharing protocol and your carrier and national governments can easily extract traffic analysis info from people using it. Were I to add one sentence to this guide, it would be "While these tools are better than nothing, they are far from perfect."
f) The guide seems to conflate encryption with privacy. Encryption technology can enable privacy, but you're not going to get privacy from encryption technology unless you pair it with well reasoned policy (for organizations) and operational guidelines (for both organizations and individuals.)
The extreme example is to say "nothing stops a participant in an encrypted communication from sharing the un-encrypted plaintext after it's recovered." People earnestly trying to maintain message security probably know not to do that, but when talking about exchanging keys and figuring out which keys or organizations you should trust, it's easy for even the well-informed to make privacy-eroding decisions.
So... I think this article is a good jumping off point, covering material I would call "required, but not sufficient." I would just view it as the beginning of a deep-dive instead of the end.
What is wrong with:
* an expiring certificate
* issued by the device manufacturer or application creator
* to law enforcement
* once a competent court of law has given approval
* that would allow a specific user's content to be decrypted prior to expiry
There are a million gradations of privacy from "completely open" to "e2e encrypted". Governments (good ones!) are rightly complaining that criminals are using encryption to commit particularly awful crimes. Politicians are (mistakenly) asking for a master key - but what I feel we should as a community support is some fine-grained legal process that would allow limited access to user information if justified by a warrant.
Competent jurisdictions allow this for physical search and seizure. It's not unreasonable to ask for the same thing to apply to digital data.
https://www.rsaconference.com/library/blog/a-golden-key-to-u...
The back and forth discussion on cryptography is happening because there just isn't much middle ground. Either someone else can read your messages, or nobody else can. If one person can read them, the government will push on then until they crack.
The second thing that's wrong is the practice - despite the "going dark" panic spread by intelligence agencies, we have far, far less privacy than at any prior point in history, and spying on people, even people trying to hide, is much, much easier. So why the hell must we make it even easier still??
Law enforcement agencies currently have more data about each of us and more sophisticated tools to investigate crimes than at any time in human history.
> Politicians are (mistakenly) asking for a master key - but what I feel we should as a community support is some fine-grained legal process that would allow limited access to user information if justified by a warrant.
The problem with all backdoors is the human element. Master keys will be leaked. A process to gain access to a temporary key is also subject to the human factor. We’ve already seen this happen with telecom processes that are only supposed to be available to law enforcement.
The other issue is one of a legitimately slippery slope. The asymmetric nature of the power dynamic between governments and their citizens makes it even more critical to avoid sliding down that slope.
And finally, in the environment you propose, criminals will just stop using services that are able to provide such services to the government. Criminality will continue while ordinary citizens lose more and more of their rights.
I acknowledge the problems you raise, but it does seem to me that we have a good set of systems in place in the form of PKI that has a remarkable amount of flexibility.
It's frankly a bit of an article of faith in our community that encryption == unalloyed good and I think we'd be right to think more critically about that position.
Your limited lawful intercept example is reasonable to most, but as you yourself acknowledged, that's not what politicians are seeking. Therefore even if the community supports and enables "just that", politicians will eventually demand their wildcard cert. It will be a national emergency, after all.
Although I do disagree on the reasonable/unreasonable angle, because I don't tend to analogize the contents of your phone to the contents of your safe, but rather to the contents of your mind.
Frankly, if the NSA wanted to have Apple build a custom iOS version for a criminal so they could sniff his network traffic and flash content from the comfort of Maryland I don't believe that would be impossible today.
If they have the capability to decrypt the data, a court can compel them to do so, disregarding the process you suggest. A cyberattack could achieve it without a court order.
This can't be solved technically.
I suspect that there are many ways that can be achieved, all technical ;-)
There are already very good solutions for ensuring that key leakages are very difficult to do and limited in effect.
What that means is, there exists a master key in your scheme.
Maybe I am not allowed to write it down and also keep it secret.
The problem is that if the application has the power to do this then the rest is irrelevant
The means hackers/governments/the CIA can force the application creator to do their bidding and enable mass surveylance
For starter I don't know a lot of good governments. So you'll have to define how you differentiate between a good one and a bad one.
> Governments (good ones!) are rightly complaining that criminals are using encryption to commit particularly awful crimes.
Secondly, criminals use public transport and roads built with taxpayer money to commit crime. Some even say that they breathe the same air as us honest citizens.
They also live in homes with 4 walls that you can't see through either.
I am being facetious but you can see where I am going with this.
If you think that the governments will stop at spying on criminals once this backdoor is in place, then I have a bridge to sell you.
Do you want your kids to grow in world were everything they do online will be analyzed, categorized and reviewed by some random government employee somewhere?
What if this government turns bad in the future as it has happened countless times in the past? What do you do then?
> I feel we should as a community support is some fine-grained legal process that would allow limited access to user information if justified by a warrant.
The problem with this line of thinking is that it doesn't hold up in the real world. Once you grant access to something like say your browser history to the government or any entity, what's to stop them to ask for more next time?
It's not a big deal right, they can say, well you gave us access to A, now we want access to B. Then in 3 years they will come back demanding access to C, D and E until your entire privacy has been taken away from you.
And every time, they will use the same excuses, fighting crime, fighting drugs, child grooming and terrorism.
> Competent jurisdictions allow this for physical search and seizure.
That is not even remotely comparable.
In those cases, you need a judge or someone to approve the seizure. With a backdoor that can be opened at any time, you should consider that nothing will be private because there is no one who is going to be monitoring it 24/7 to make sure that there are no abuses.
I'm not sure you've read what I wrote correctly. My hypothetical system would not allow the backdoor to be opened at any time, but it would require a certificate to be issued (derived from the manufacturer / application creator's root) that gives limited, expiring access on the production of court-authorised warrant, in exactly the same way a judge gives the police permission to enter your physical property.
Is Indian government a good one, or Hungary's, or Turkish, German, or British, or the US? In the last case (well, in all cases), does "goodness" of a government depend on the current incumbent? What if a previously "good" government turns into an atrocious one?
See also: the detailed Dutch census, which was mostly harmless, until it fell into hands of the Nazis in 1940 and helped them to identify and exterminate almost all Jews in the country.
Good governments ensure that a breach of personal privacy has to travel through a legitimate process with an independent judiciary to limit the risk.
A locked home's door is still trivially opened. You can pick the lock or even apply simple brute force, neither of which all that difficult, and open happily it will. Similarly, I don't suppose anyone would be concerned about you using rot13 encryption. If a home could be sealed to the same degree as strong encryption, absolutely it would be a crime, for better or worse.
Scalability is the crux of why encryptions must not be infringed.
The claim that LEOs need to break encryption is based on laziness: they want to easily obtain access to communication, and at scale. They've always been able to obtain communication the hard way, and one-at-a-time - encryption doesn't change that.
A warehouse with shutters and bulky padlocks, a night security guard and camera system is a crime? A bank vault is a crime? Safety deposit boxes?
No, why would it be? The security guard isn't going to wage war with the police/military when they want in. The guard will politely comply to any legitimate (and probably even illegitimate) request for access.
> A bank vault is a crime? Safety deposit boxes?
Banks are heavily regulated by the government. They especially aren't going to impede access if push comes to shove.
Laws aren't created on purely theoretical grounds. They are created only when a problem that needs to be solved is identified. The government has never had much trouble accessing physical spaces when they feel a need to. They have had trouble accessing encrypted data.
And of course, UK being a country, where every form of self-defense is the most serious crime, when attacked you must call police, then lay on the ground and die, is cherry on top.
I wonder where in the UK you live, because up here in the North that definitely doesn't seem right - it's rare to see anyone non-white on the street.