Everyone bored to death by DoJ’s latest call for crypto backdoors

The U.S. Department of Justice’s deputy attorney general, Rod Rosenstein, gave a speech on encryption yesterday and boy was it a snoozer. It’s almost as if all those decades of crypto wars never happened.

How many data breaches and ransomware attacks will it take before we don’t have to hear reheated and rehashed arguments against strong encryption?

Rosenstein’s premise in his “remarks on encryption” was that there has never been a secure form of communication in human history prior to end-to-end encryption (er, what about person to person speech, as the EFF points out).

And that this “warrant-proof encryption” is akin to a magical immunity cloak for criminals — immunity from prosecution in this case.

Without the ability for law enforcement to decrypt and access digital comms on-demand, he suggested, criminals will just be free to get away with crimes like terrorism or child exploitation — going so far as to say “chaos may follow”.

“If companies are permitted to create law-free zones for their customers, citizens should understand the consequences. When police cannot access evidence, crime cannot be solved. Criminals cannot be stopped and punished,” was literally what he said.

So full marks for logical disproportionality.

All the other types of digital personal data floating around for investigators to tap into just don’t cut it if you want to secure a prosecution, he argued.

So much for killing people based on metadata, eh? Now it’s ‘decrypt those WhatsApps or the law/civilization ends’.

Rosenstein went on to call out — though mostly not by name — U.S. tech giants for being unwilling to hand over data that they don’t have access to.

Which means, for one, WhatsApp — a company that has rolled out e2e encryption across its comms platform.

And has been named in attempted ‘crypto shame’ by UK politicians as the government there has long been seeking to dissuade tech giants from using strong encryption.

But continues to publicly stand firm against the slings and arrows of outrageous politicians.

Rosenstein also criticized tech giants for being unwilling to deliberately weaken the security of their systems in order to afford such access.

He went on to specifically talk about the Apple vs the FBI case — mentioning Apple by name as he sketched out his take on what had happened with the San Bernardino iPhone; before going on to claim: “Thousands of seized devices sit in storage, impervious to search warrants.”

Thing is, he literally said that right after admitting: “Fortunately, the government was able to access data on that iPhone without Apple’s assistance.”

Um…

Rosenstein also tried to play his own shame game by suggesting tech firms will do techie stuff for their own commercial ends, and/or have been willing to co-operate with the techie demands of foreign governments if their bottom line is at stake — just not domestically at home. (Subtext: ‘How unpatriotic!’)

Instead, his not-so-subtle call was for legislation to force unwilling tech companies to backdoor their systems in a non-specific way that would nonetheless afford access to decrypted data.

Though he euphemistically termed this “responsible encryption”.

And tried to claim it would not, in fact, be a backdoor. (“Responsible encryption is achievable. Responsible encryption can involve effective, secure encryption that allows access only with judicial authorization,” er, so a backdoor then?)

At the same time as having the brass neck to claim: “We at the Department of Justice understand and encourage strong cybersecurity to protect our citizens.”

“Technology companies almost certainly will not develop responsible encryption if left to their own devices,” he railed. “Competition will fuel a mindset that leads them to produce products that are more and more impregnable. That will give criminals and terrorists more opportunities to cause harm with impunity.”

So what were Rosenstein’s examples of “responsible encryption”?

“The central management of security keys and operating system updates; the scanning of content, like your e-mails, for advertising purposes; the simulcast of messages to multiple destinations at once; and key recovery when a user forgets the password to decrypt a laptop.”

At this point — or, let’s face it, long before — crypto experts everywhere sighed heavily into the hands holding their heads.

“Technology providers are working to build a world with armies of drones and fleets of driverless cars, a future of artificial intelligence and augmented reality. Surely such companies could design consumer products that provide data security while permitting lawful access with court approval,” Rosenstein went on to say — an argument the EFF neatly sums up in its takedown of the speech as “nerd harder”.

Thing is, maths is immune to nerding harder — howsoever many people claim it’s not.

(Special shout out to UK home secretary Amber Rudd for her own recent comments on that topic.)

“There is no constitutional right to sell warrant-proof encryption. If our society chooses to let businesses sell technologies that shield evidence even from court orders, it should be a fully-informed decision,” Rosenstein said in his concluding lines.

Earning himself another legal rebuke from the EFF which writes: “This is simply incorrect. Code is speech, and courts have recognized a Constitutional right to distribute encryption code.”

Various other holes in Rosenstein’s argument are available.

Encryption backdoors are the zombie of bad ideas and I want to know how many times we have to shoot it in the head before it stays down. — Eva (@evacide) October 11, 2017

It's ironic that about the only people who think computers and the Internet are somehow TOO secure are senior law enforcement officials. — matt blaze (@mattblaze) October 10, 2017

Deputy Attorney General Rosenstein says "don't worry, backdoor keys won't leak" but earlier in his address he cites NSA-leak-enabled WannaCry as part of the reason we need encryption backdoors. I'm dumber for having read this garbage. https://t.co/EMLuoInqNQ pic.twitter.com/leHtz4iyiF — Jake Williams (@MalwareJake) October 10, 2017

Whenever the gov't tried to specify solutions, researchers found security holes. e.g. https://t.co/dkZHcdBXsC So now it's "nerd harder." pic.twitter.com/3WjAHIjC4E — Kurt Opsahl (@kurtopsahl) October 10, 2017