Just As FBI Looks To Undermine Encryption, Federal Government Searches For Better Encryption

from the left-hand,-right-hand dept

Congress: OPM should have encrypted federal employee data. Congress: Apple has blood on its hands for encrypting user data. Got it? — Christopher Soghoian (@csoghoian) July 8, 2015


The National Institute of Standards and Technology is designing a “security platform” to authenticate mail servers using cryptographic keys. The platform would let individual users encrypt emails. The system aims to “provide Internet users confidence that entities to which they believe they are connecting are the entities to which they are actually connecting,” according to a NIST draft report on the topic. A subpar system, the draft said, could result in "unauthorized parties being able to read or modify supposedly secure information, or to use email as a vector for inserting malware into the system," among other consequences. The draft report is open for comment until Aug. 14, 2015. NIST soon plans to issue Federal Register notices to vendors developing individual parts of the end-to-end system.


One of the most bizarre points that became clear in yesterday's Senate hearings on encryption was that many Senators are so focused on the big bad threat of theoretical ISIS violence in the US that they don't understand the very real (and not at all theoretical) threat of our personal data being hacked into and exposed on a regular basis, often due to a lack of encryption. The ACLU's Chris Soghoian summed it up nicely with the following tweet. If you can't read it, it says: "Congress: OPM should have encrypted federal employee data. Congress: Apple has blood on its hands for encrypting user data. Got it?"

Indeed, there has been plenty of talk, including from Congress, over the fact that the Office of Personnel Management, whose computers were hacked to reveal all sorts of information on government employees (past and present), didn't use encryption, in part because their computers were too old. To be fair, there are indications that encryption might not have mattered that much, since the hackers allegedly got working credentials to access the system, and thus may have been able to decrypt anything anyway.

However, it does seem quite telling that at the same time Congress is freaking out about the supposed evils of encryption, the National Institute of Standards and Technology (NIST) is trying to design a better system for encrypting emails via end-to-end encryption -- the very thing that the FBI and some Senators have been complaining about.

In other words, as clueless Senators and FBI officials demand ways to undermine end-to-end encryption, the folks who actually understand technology (NIST) are asking for stronger end-to-end encryption. Perhaps, instead of letting FBI director James Comey prattle on about how he doesn't actually understand this stuff (as he said repeatedly), the Senators could have someone from NIST explain why end-to-end encryption is so important.

Filed Under: encryption, fbi, nist, privacy, security