posted by Fnord666 on Sunday June 28 2020, @12:41AM
from the that's-not-how-this-works dept.

Graham, Cotton Introduce Yet Another Attempt to Torpedo Encryption

Graham, Cotton introduce yet another attempt to torpedo encryption:

On Tuesday, Sens. Lindsey Graham (R-S.C.), Tom Cotton (R-Ark.), and Marsha Blackburn (R-Tenn.) introduced yet another bill attempting to poke holes in data encryption, called the Lawful Access To Encrypted Data Act. This bill follows previous US efforts to weaken encryption, including March's proposed EARN IT Act and demands made by US Attorney General William Barr in his 2019 keynote address at the International Conference on Cyber Security.

A press release from the Senate Judiciary Committee—which is chaired by Graham—describes the bill as "a balanced solution that keeps in mind the constitutional rights afforded to all Americans, while providing law enforcement the tools needed to protect the public from everyday violent crime and threats to our national security." It goes on to emphasize—in both bold and italic text—that the bill would "only" require service providers to grant law enforcement a back door after a court issues a warrant.

Graham expresses his personal position in strong terms:

Terrorists and criminals routinely use technology, whether smartphones, apps, or other means, to coordinate and communicate [...] tech companies have refused to honor [court orders] and assist law enforcement in their investigations. My position is clear: After law enforcement obtains the necessary court authorizations, they should be able to retrieve information to assist in their investigations. Our legislation respects and protects the privacy rights of law-abiding Americans.

Unfortunately, as is typical for these resolutions, Graham's expressed ideas don't adhere to technological reality. In order for a service provider to "honor and assist" law enforcement investigations in the way Graham demands, it would necessarily—and fatally—have to compromise the very encryption it offered in the first place. This would apply to every consumer the provider services (American or otherwise), whether a warrant were issued or not.

Encryption doesn't work that way

Senate Republicans Target Encryption With Bill Aimed at Apple, Facebook, Other Tech Giants

Senate Republicans target encryption with bill aimed at Apple, Facebook, other tech giants:

Sens. Lindsey Graham (South Carolina), Tom Cotton (Arkansas) and Marsha Blackburn (Tennessee) introduced the Lawful Access to Encrypted Data Act, which would put an end to what they called "warrant-proof" encryption.

"My position is clear: After law enforcement obtains the necessary court authorizations, they should be able to retrieve information to assist in their investigations," Graham, who is chairman of the Senate Judiciary Committee, said in a statement. "Our legislation respects and protects the privacy rights of law-abiding Americans. It also puts the terrorists and criminals on notice that they will no longer be able to hide behind technology to cover their tracks."

[...] The bill is targeted at companies like Facebook and Apple, which have repeatedly defended their stances by saying they have an obligation to protect the billions of innocent citizens who trust the encryption embedded in their devices and apps to shield their information from public exposure. The tech companies fear that if they provide investigators with a back door past encryption, they'll open up an avenue for bad actors to exploit the entryway.

"End-to-end encryption is a necessity in modern life – it protects billions of messages sent every day on many apps and services, especially in times like these when we can't be together," Facebook said in a statement, according to CNET. "Rolling back this vital protection will make us all less safe, not more. We are committed to continuing to work with law enforcement and fighting abuse while preserving the ability for all Americans to communicate privately and securely."

Senators Introduce "Balanced" Bill That Aims to End Warrant-Proof Encryption

Senators Introduce "Balanced" Bill That Aims to End Warrant-Proof Encryption:

Republican senators have introduced what they have described as a "balanced" bill that would require technology companies to give law enforcement agencies access to encrypted user data.

Authorities in the United States and other countries have long tried to convince — and in some cases force — tech companies to develop and use encryption that would allow law enforcement to access encrypted data if needed. Experts have argued that adding backdoors to encryption systems would also allow malicious actors to abuse those backdoors, thus defeating the purpose of strong encryption.

Senators Lindsey Graham (R-South Carolina), Tom Cotton (R-Arkansas) and Marsha Blackburn (R-Tennessee) are making another attempt with a new bill introduced on Tuesday, which they have named the Lawful Access to Encrypted Data Act.

They claim the goal of the bill is to "bolster national security interests and better protect communities across the country by ending the use of 'warrant-proof' encrypted technology by terrorists and other bad actors to conceal illicit behavior."

The officials believe that while encryption is "vital" for securing data, communications and financial transactions, law enforcement should be given access to the information they seek if they present a warrant.

[...] On the other hand, security and privacy experts who support the use of end-to-end encryption provide journalists, activists, whistleblowers and members of persecuted groups as examples of individuals for whom strong encryption is crucial.

[...] The Attorney General would be allowed to ask companies to report on their ability to comply with court orders, but it's prohibited from forcing vendors to use specific technical methods.

Moreover, the government would compensate companies for their compliance and the Attorney General would create a prize competition to reward those who create a solution that maximizes privacy and security while allowing lawful access to encrypted data.


  • (Score: 1, Informative) by Anonymous Coward on Sunday June 28 2020, @01:13AM (4 children)

    by Anonymous Coward on Sunday June 28 2020, @01:13AM (#1013498)

    You can set up a TLS session, but the service provider--like Twitter, Failbook, or any Fediverse server in the USA--will have to keep a record of every communication it relays, in order to provide it when there is a warrant for it. Room 641A [wikipedia.org] was done quietly. This is done out in the open.

    (I'm guessing "back door" is committee-speak for providing the requested information in some form or another. They just want a written record of all your conversations including pics, and they're proposing judicial "oversight" for access control.)

  • (Score: 0) by Anonymous Coward on Sunday June 28 2020, @01:29AM (3 children)

    by Anonymous Coward on Sunday June 28 2020, @01:29AM (#1013504)

    There are encrypted conversations going on right now that can only be stored, not decrypted, and Silicon Valley companies are enabling some of it.

    TLAs want metadata, sure, but contents are even juicier.

    • (Score: 0) by Anonymous Coward on Sunday June 28 2020, @02:36AM

      by Anonymous Coward on Sunday June 28 2020, @02:36AM (#1013533)

      Yeah, it would be defeated by something like OTR or GPG. Then in 10 years, only terrorists and pedophiles will use OTR or GPG.

    • (Score: 2) by edIII on Monday June 29 2020, @06:07AM (1 child)

      by edIII (791) on Monday June 29 2020, @06:07AM (#1013983)

      You refer to zero-knowledge services. In these cases, a backdoor is 100% impossible. Defeats the purpose of what is sold in the first place.

      It might be technically possible, but only as a software update to the clients uploading the supposedly protected data. Which can be extremely problematic with open source based clients. IIRC, there is such a service for Linux that allows you to SFTP client-side encrypted data to their online storage. With a proprietary client it may be possible to push a software update that allows remote code execution and surveillance, and maybe just enough to capture the encryption key used to encrypt the data client-side. Exfiltrate just that, and then afterwards decrypt the data in the online storage. How do you compromise either the open source implementations used for clients to connect to the service, or the possibly entirely unknown and widely varied methods by which the client-side data is encrypted before transport?

      As an example, I can rsync a Veracrypt container to an online storage provider. That company, warrant or not, has zero capability to either affect the rsync binaries (which vary wildly), nor can it affect the methods and processes used to manipulate the data sent by rsync. That would be a "symmetric" example. "Asymmetric" would be endpoint-to-endpoint encryption. Not all implementations allow a company to make changes, and almost everyone I know would require the ISP or service provider to also control 3rd party companies providing the tech. They're forcing Comcast to provide lawful access to Signal protected communications when a different company, say Digium or Grandstream, is actually responsible for the hardware and software stacks generating the encrypted communications.

      This demand to lawfully intercept encrypted communications via forced key-escrow only resulted in the development of systems where the keys moved to the endpoints. Their further attempts to gain the impossible are now trying to force companies to provide access to things they never had the ability to control in the first place, because that's the whole point of the "movement" to provide security. Encryption keys held in the center, controllable by a single company vulnerable to the government, have proven to be insecure and not as valuable as systems that moved control over the encryption to the very edges, with the express intent of being uncontrollable. Are companies going to be forced to abandon entire software stacks, develop whole new proprietary methods that support centralized key-escrow, and then seamlessly change out client services in production with mass-surveillance compatible methods?

      Whether government accepts it or not, their requests are impossible. Especially when they're trying to force the wrong company to act. This is like threatening to sue the Outback Steakhouse if they don't deliver a new type of steak for consumers immediately, or upon written demand to be produced timely. Sure it can't be done in the fucking first place, but just maybe, they may want to ask the cattle rancher for that instead.

      You cannot legislate reality and force it to conform.

      In the meantime, if people become convinced that it's not possible to do so over the service, they will move to very simple purpose built local systems using endpoint-to-endpoint encryption. All built upon open source hardware and FOSS. Can government legally demand a private organization, that only provides reference implementations for ciphers, to create backdoors? Can Signal, Matrix, or Telegram be forced to do these things?

      They can try. The tighter their grip, the more systems and networks will fall from their hands to go dark.

      --
      Technically, lunchtime is at any moment. It's just a wave function.
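The distinction edIII draws above, between a provider that escrows keys and one that only ever receives client-side encrypted data, modelled as an added example (not the commenter's code, and not any real provider's design). The names `Seal`, `Open` and `WarrantResponse` are assumptions for illustration; the only thing the provider stores is the AES-256-GCM blob the client produced.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Blob is all the storage provider ever receives: nonce || AES-256-GCM ciphertext.
type Blob []byte
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the client-side step: data is encrypted before it leaves the endpoint.
func Seal(key, plaintext []byte) (Blob, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a Blob; GCM authentication fails under any key but the right one.
func Open(key []byte, b Blob) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(b) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, b[:gcm.NonceSize()], b[gcm.NonceSize():], nil)
}

// WarrantResponse is what a provider can produce for a stored object on demand: plaintext
// if it escrows the key server-side (as can anyone who breaches that escrow), else an error.
func WarrantResponse(store map[string]Blob, escrow map[string][]byte, name string) ([]byte, error) {
	k, ok := escrow[name]
	if !ok {
		return nil, errors.New("ciphertext only: no key held server-side")
	}
	return Open(k, store[name])
}
```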
      • (Score: 0) by Anonymous Coward on Monday June 29 2020, @08:10PM

        by Anonymous Coward on Monday June 29 2020, @08:10PM (#1014232)

        Silicon Valley companies are starting to offer free, user-friendly, end-to-end encrypted services.

        Use legislation to scare the Silicon Valley companies away, and end-to-end encryption will be used by just millions instead of hundreds of millions.