posted by Fnord666 on Sunday June 28 2020, @12:41AM   Printer-friendly
from the that's-not-how-this-works dept.

Graham, Cotton Introduce Yet Another Attempt to Torpedo Encryption

Graham, Cotton introduce yet another attempt to torpedo encryption:

On Tuesday, Sens. Lindsey Graham (R-S.C.), Tom Cotton (R-Ark.), and Marsha Blackburn (R-Tenn.) introduced yet another bill attempting to poke holes in data encryption, called the Lawful Access To Encrypted Data Act. This bill follows previous US efforts to weaken encryption, including March's proposed EARN IT Act and demands made by US Attorney General William Barr in his 2019 keynote address at the International Conference on Cyber Security.

A press release from the Senate Judiciary Committee—which is chaired by Graham—describes the bill as "a balanced solution that keeps in mind the constitutional rights afforded to all Americans, while providing law enforcement the tools needed to protect the public from everyday violent crime and threats to our national security." It goes on to emphasize—in both bold and italic text—that the bill would "only" require service providers to grant law enforcement a back door after a court issues a warrant.

Graham expresses his personal position in strong terms:

Terrorists and criminals routinely use technology, whether smartphones, apps, or other means, to coordinate and communicate [...] tech companies have refused to honor [court orders] and assist law enforcement in their investigations. My position is clear: After law enforcement obtains the necessary court authorizations, they should be able to retrieve information to assist in their investigations. Our legislation respects and protects the privacy rights of law-abiding Americans.

Unfortunately, as is typical for these resolutions, Graham's expressed ideas don't adhere to technological reality. In order for a service provider to "honor and assist" law enforcement investigations in the way Graham demands, it would necessarily—and fatally—have to compromise the very encryption it offered in the first place. This would apply to every consumer the provider services (American or otherwise), whether a warrant were issued or not.

Encryption doesn't work that way

Senate Republicans Target Encryption With Bill Aimed at Apple, Facebook, Other Tech Giants

Senate Republicans target encryption with bill aimed at Apple, Facebook, other tech giants:

Sens. Lindsey Graham (South Carolina), Tom Cotton (Arkansas) and Marsha Blackburn (Tennessee) introduced the Lawful Access to Encrypted Data Act, which would put an end to what they called "warrant-proof" encryption.

"My position is clear: After law enforcement obtains the necessary court authorizations, they should be able to retrieve information to assist in their investigations," Graham, who is chairman of the Senate Judiciary Committee, said in a statement. "Our legislation respects and protects the privacy rights of law-abiding Americans. It also puts the terrorists and criminals on notice that they will no longer be able to hide behind technology to cover their tracks."

[...] The bill is targeted at companies like Facebook and Apple, which have repeatedly defended their stances by saying they have an obligation to protect the billions of innocent citizens who trust the encryption embedded in their devices and apps to shield their information from public exposure. The tech companies fear that if they provide investigators with a back door past encryption, they'll open up an avenue for bad actors to exploit the entryway.

"End-to-end encryption is a necessity in modern life – it protects billions of messages sent every day on many apps and services, especially in times like these when we can't be together," Facebook said in a statement, according to CNET. "Rolling back this vital protection will make us all less safe, not more. We are committed to continuing to work with law enforcement and fighting abuse while preserving the ability for all Americans to communicate privately and securely."

Senators Introduce "Balanced" Bill That Aims to End Warrant-Proof Encryption

Senators Introduce "Balanced" Bill That Aims to End Warrant-Proof Encryption:

Republican senators have introduced what they have described as a "balanced" bill that would require technology companies to give law enforcement agencies access to encrypted user data.

Authorities in the United States and other countries have long tried to convince — and in some cases force — tech companies to develop and use encryption that would allow law enforcement to access encrypted data if needed. Experts have argued that adding backdoors to encryption systems would also allow malicious actors to abuse those backdoors, thus defeating the purpose of strong encryption.

Senators Lindsey Graham (R-South Carolina), Tom Cotton (R-Arkansas) and Marsha Blackburn (R-Tennessee) are making another attempt with a new bill introduced on Tuesday, which they have named the Lawful Access to Encrypted Data Act.

They claim the goal of the bill is to "bolster national security interests and better protect communities across the country by ending the use of 'warrant-proof' encrypted technology by terrorists and other bad actors to conceal illicit behavior."

The officials believe that while encryption is "vital" for securing data, communications and financial transactions, law enforcement should be given access to the information they seek if they present a warrant.

[...] On the other hand, security and privacy experts who support the use of end-to-end encryption provide journalists, activists, whistleblowers and members of persecuted groups as examples of individuals for whom strong encryption is crucial.

[...] The Attorney General would be allowed to ask companies to report on their ability to comply with court orders, but it's prohibited from forcing vendors to use specific technical methods.

Moreover, the government would compensate companies for their compliance and the Attorney General would create a prize competition to reward those who create a solution that maximizes privacy and security while allowing lawful access to encrypted data.



Related Stories

Bill Aimed at Ending 'Warrant-Proof' Encryption Introduced in US House of Representatives

Bill Aimed at Ending 'Warrant-Proof' Encryption Introduced in House:

Referred to as the Lawful Access to Encrypted Data Act, the bill aims to put a stop to criminals using “warrant-proof encryption and other technological advances” to hide their activity from authorities, Congresswoman Ann Wagner (R-MO), who introduced the bill, said.

“It is time tech companies stand with criminal investigators and the public to make clear they are committed to rooting out perpetrators who use their services to commit horrific crimes. As the digital world advances, so must our legislative solutions to investigate crimes that hit hardest the most vulnerable in our society,” Rep. Wagner commented.

Law enforcement agencies have long argued that strong encryption hinders their ability to conduct successful investigations in certain cases, often asking for backdoors that would provide them fast access to data of interest, but tech companies have opposed these requests, arguing that backdoors would introduce serious security and privacy risks.

The legislation would require tech companies to provide authorities with access to encrypted user data, while also stating that the Attorney General would report on which companies can comply. Furthermore, the government would offer compensation to companies that comply with the legislation.

Previously:
(2020-07-07) US Senate Panel OK's EARN IT Act
(2020-06-27) Senators Introduce "Balanced" Bill That Aims to End Warrant-Proof Encryption
(2020-06-11) Plundering of Crypto Keys From Ultrasecure SGX Sends Intel Scrambling Again
(2020-06-06) Zoom Says Free Users Won't Get End-to-End Encryption so FBI and Police Can Access Calls
(2020-05-19) AG Barr Seeks 'Legislative Solution' to Make Companies Unlock Phones
(2020-05-19) FBI Successfully Broke Into a Gunman's iPhone, but Still Very Angry at Apple



  • (Score: 0) by Anonymous Coward on Sunday June 28 2020, @12:59AM

    by Anonymous Coward on Sunday June 28 2020, @12:59AM (#1013491)

    Encryption, that horse bolted the barn long ago.

    Dumb crackas.

  • (Score: -1, Troll) by Anonymous Coward on Sunday June 28 2020, @01:02AM (4 children)

    by Anonymous Coward on Sunday June 28 2020, @01:02AM (#1013494)

    There, now SJWs will ensure it gets cancelled.

    • (Score: 0) by Anonymous Coward on Sunday June 28 2020, @01:19AM

      by Anonymous Coward on Sunday June 28 2020, @01:19AM (#1013502)

      This has been one helluva campaign season so far.

    • (Score: 0) by Anonymous Coward on Sunday June 28 2020, @02:15AM (2 children)

      by Anonymous Coward on Sunday June 28 2020, @02:15AM (#1013524)

      Yeah, because Tom Cotton [wikipedia.org], Marsha Blackburn [wikipedia.org] and Lindsey Graham [wikipedia.org] are the SJWs [wikipedia.org] from hell, right?

      Do you even read the crap you write? I suggest using the "preview" button before posting to make sure you're not just spewing textual diarrhoea.

      • (Score: 0) by Anonymous Coward on Sunday June 28 2020, @02:31AM (1 child)

        by Anonymous Coward on Sunday June 28 2020, @02:31AM (#1013531)

        AC was offering a stupid alternative to the Cotton/Blackburn/Graham bill, which will fail in the House.

        • (Score: 0) by Anonymous Coward on Sunday June 28 2020, @05:55AM

          by Anonymous Coward on Sunday June 28 2020, @05:55AM (#1013579)

          Cotton/Blackburn/Graham, imagine you are a member of Congress; now imagine you are an idiot, but, I repeat myself.
          Mark Twain. Seriously, Cotton is actually more stupid than Runaway1956! Runaway for the Senate! Could not be worse, or more stupid, even though he comes close. Do we not have literacy tests for running for Congress?

  • (Score: 5, Touché) by EJ on Sunday June 28 2020, @01:06AM (5 children)

    by EJ (2452) on Sunday June 28 2020, @01:06AM (#1013495)

    This is so silly. All they need to do is make encryption illegal. Then, the criminals won't use encryption because it's illegal.

    • (Score: 0) by Anonymous Coward on Sunday June 28 2020, @01:17AM

      by Anonymous Coward on Sunday June 28 2020, @01:17AM (#1013501)

      Yep,

      If it's illegal, I will give it a wide berth.

      Source: Imma (minor) criminal.

    • (Score: 1) by fustakrakich on Sunday June 28 2020, @01:50AM (2 children)

      by fustakrakich (6150) on Sunday June 28 2020, @01:50AM (#1013511) Journal

      Yes, if you are caught using unauthorized protocols, the cops will bust your door down and shoot your dog

      --
      La politica e i criminali sono la stessa cosa..
      • (Score: 1, Touché) by Anonymous Coward on Sunday June 28 2020, @02:17AM

        by Anonymous Coward on Sunday June 28 2020, @02:17AM (#1013525)

        Or your girlfriend [wikipedia.org].

        Oh, wait. You don't have one of those, do you? Sorry about that. The dog. Yeah, that's the ticket.

      • (Score: 1, Interesting) by Anonymous Coward on Sunday June 28 2020, @02:45AM

        by Anonymous Coward on Sunday June 28 2020, @02:45AM (#1013538)

        Guilty! 6 months in the county jail, $10,000 fine, and a 4 year tail. Don't let me catch you using ssh again, or you'll be going to the big house!

    • (Score: 4, Interesting) by PinkyGigglebrain on Sunday June 28 2020, @02:03AM

      by PinkyGigglebrain (4458) on Sunday June 28 2020, @02:03AM (#1013518)

      They tried banning encryption, that effort failed. Now they have "stepped back" a bit from the original extreme and just want this reasonable and "balanced" legislation.

      Then once LaTeDa fails to stop terrorism and crime they will try again to ban crypto outright.

      I predict if (hopefully not when) this gets enacted within one year there will be a high profile Pedophile arrested who, because he is using non-LaTeDa compliant encryption, can't be convicted for lack of evidence.

      Then it will be "ban encryption to prevent pedo's from getting away!! Think of the Children!!"

      --
      "Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."
  • (Score: 4, Insightful) by stormreaver on Sunday June 28 2020, @01:12AM (4 children)

    by stormreaver (5101) on Sunday June 28 2020, @01:12AM (#1013497)

    ...while providing law enforcement the tools needed to protect the public from everyday violent crime and threats to our national security.

    That's great to read! So when can I expect to hear that this bill is being rescinded, as it is a HUGE threat to our national security.

  • (Score: 1, Informative) by Anonymous Coward on Sunday June 28 2020, @01:13AM (4 children)

    by Anonymous Coward on Sunday June 28 2020, @01:13AM (#1013498)

    You can set up a TLS session, but the service provider--like Twitter, Failbook, or any Fediverse server in the USA--will have to keep a record of every communication it relays, in order to provide it when there is a warrant for it. Room 641A [wikipedia.org] was done quietly. This is done out in the open.

    (I'm guessing "back door" is committee-speak for providing the requested information in some form or another. They just want a written record of all your conversations including pics, and they're proposing judicial "oversight" for access control.)

    • (Score: 0) by Anonymous Coward on Sunday June 28 2020, @01:29AM (3 children)

      by Anonymous Coward on Sunday June 28 2020, @01:29AM (#1013504)

      There are encrypted conversations going on right now that can only be stored, not decrypted, and Silicon Valley companies are enabling some of it.

      TLAs want metadata, sure, but contents are even juicier.

      • (Score: 0) by Anonymous Coward on Sunday June 28 2020, @02:36AM

        by Anonymous Coward on Sunday June 28 2020, @02:36AM (#1013533)

        Yeah, it would be defeated by something like OTR or GPG. Then in 10 years, only terrorists and pedophiles will use OTR or GPG.

      • (Score: 2) by edIII on Monday June 29 2020, @06:07AM (1 child)

        by edIII (791) on Monday June 29 2020, @06:07AM (#1013983)

        You refer to zero-knowledge services. In these cases, a backdoor is 100% impossible. Defeats the purpose of what is sold in the first place.

        It might be technically possible, but only as a software update to the clients uploading the supposedly protected data. Which can be extremely problematic with open source based clients. IIRC, there is such a service for Linux that allows you to SFTP client-side encrypted data to their online storage. With a proprietary client it may be possible to push a software update that allows remote code execution and surveillance, and maybe just enough to capture the encryption key used to encrypt the data client-side. Exfiltrate just that, and then afterwards decrypt the data in the online storage. How do you compromise either the open source implementations used for clients to connect to the service, and the possibly entirely unknown and widely varied methods by which the client-side data is encrypted before transport?

        As an example, I can rsync a Veracrypt container to an online storage provider. That company, warrant or not, has zero capability to either affect the rsync binaries (which vary wildly), nor can it affect the methods and processes used to manipulate the data sent by rsync. That would be a "symmetric" example. "Asymmetric" would be endpoint-to-endpoint encryption. Not all implementations allow a company to make changes, and almost everyone I know would require the ISP or service provider to also control 3rd party companies providing the tech. They're forcing Comcast to provide lawful access to Signal protected communications when a different company, say Digium or Grandstream is actually responsible for the hardware and software stacks generating the encrypted communications.

        This demand to lawfully intercept encrypted communications via forced key-escrow only resulted in the development of systems where the keys moved to the endpoints. Their further attempts to gain the impossible are now trying to force companies to provide access to things they never had the ability to control in the first place, because that's the whole point of the "movement" to provide security. Encryption keys held in the center, controllable by a single company vulnerable to the government have proven to be unsecure and not as valuable as systems that moved control over the encryption to the very edges, with the express intent of being uncontrollable. Are companies going to be forced to abandon entire software stacks, develop whole new proprietary methods that support centralized key-escrow, and then seamlessly change out client services in production with mass-surveillance compatible methods?

        Whether government accepts it or not, their requests are impossible. Especially when they're trying to force the wrong company to act. This is like threatening to sue the Outback Steakhouse if they don't deliver a new type of steak for consumers immediately, or upon written demand to be produced timely. Sure it can't be done in the fucking first place, but just maybe, they may want to ask the cattle rancher for that instead.

        You cannot legislate reality and force it to conform.

        In the meantime, if people become convinced that it's not possible to do so over the service, they will move to very simple purpose built local systems using endpoint-to-endpoint encryption. All built upon open source hardware and FOSS. Can government legally demand a private organization, that only provides reference implementations for ciphers, to create backdoors? Can Signal, Matrix, or Telegram be forced to do these things?

        They can try. The tighter their grip, the more systems and networks will fall from their hands to go dark.

        --
        Technically, lunchtime is at any moment. It's just a wave function.
        • (Score: 0) by Anonymous Coward on Monday June 29 2020, @08:10PM

          by Anonymous Coward on Monday June 29 2020, @08:10PM (#1014232)

          Silicon Valley companies are starting to offer free, user-friendly, end-to-end encrypted services.

          Use legislation to scare the Silicon Valley companies away, and end-to-end encryption will be used by just millions instead of hundreds of millions.

  • (Score: 4, Funny) by PinkyGigglebrain on Sunday June 28 2020, @01:53AM (1 child)

    by PinkyGigglebrain (4458) on Sunday June 28 2020, @01:53AM (#1013513)

    Lawful Access To Encrypted Data Act

    La Te Da?

    wasn't that the lyrics to a song long ago?

    --
    "Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."
    • (Score: 3, Funny) by SemperOSS on Sunday June 28 2020, @07:40AM

      by SemperOSS (5072) on Sunday June 28 2020, @07:40AM (#1013600)

      I actually read it as the LATE Data Act, as in deceased Data Act … Obviously, it could also be that it is just like they missed the boat late.

      Who knows?


      --
      I don't need a signature to draw attention to myself.
      Maybe I should add a sarcasm warning now and again?
  • (Score: -1, Troll) by Anonymous Coward on Sunday June 28 2020, @02:28AM (2 children)

    by Anonymous Coward on Sunday June 28 2020, @02:28AM (#1013529)

    Firearm regulation is tough to enforce, even without the 2nd Amendment (look at Mexico). Do you/we/they think we can regulate information - i.e., encryption?

    Fucking boomers.

    • (Score: 5, Informative) by Anonymous Coward on Sunday June 28 2020, @06:01AM

      by Anonymous Coward on Sunday June 28 2020, @06:01AM (#1013581)

      Fucking Boomers Republicans! There, fixed that for you! The asshole authoritarians behind the PATRIOT Act, the ones who want to repeal health care during a pandemic. The ones who passed Paul (Rand)Ryan (Ayn) massive tax cuts for criminals and the 1%! Yeah, those fine upstanding defenders of liberty and the American way, and corrupt Real-estate Developers from New York. The Rupertican party is dead, and even News Corp. and Faux realize it. We will recycle your festering corpses, and liberate your birth mothers, Immortan Trump!!!

    • (Score: 3, Insightful) by Tokolosh on Monday June 29 2020, @02:46AM

      by Tokolosh (585) on Monday June 29 2020, @02:46AM (#1013956)

      The US government has asserted the right to regulate the export of encryption technology as a munition or as a weapon. Therefore I assert my right to encryption under the Second Amendment.

  • (Score: 0) by Anonymous Coward on Sunday June 28 2020, @08:43AM

    by Anonymous Coward on Sunday June 28 2020, @08:43AM (#1013607)

    mhmm

  • (Score: 1, Interesting) by Anonymous Coward on Sunday June 28 2020, @09:16AM (5 children)

    by Anonymous Coward on Sunday June 28 2020, @09:16AM (#1013612)

    i kinda agree.
    BUT! the warrant is to physically and legally confiscate the device with the data.
    it requires that the encryption consists of (at least) two keys: one that law enforcement needs to manage (and will probably fail to keep secret and leak all over the net, lol) and one that is physically bound to the device.
    without physical access to the device AND the "soon to be leaked law enforcement managed key" the data on the device cannot be decrypted (by a non device owner).
    we have to be veeery careful that idiot politicians making "laws" don't accidentally allow law enforcement to decrypt a device over the air, that is via cellular signal, wifi or the internet WITHOUT first having gained physical ownership of the device ... methinks.

    • (Score: 0) by Anonymous Coward on Sunday June 28 2020, @06:37PM (4 children)

      by Anonymous Coward on Sunday June 28 2020, @06:37PM (#1013779)

      Perhaps a decryption key could be encrypted by a public key that the courts hold the private key to. Law enforcement should not have access to said private key. If there is a court order to decrypt said data the courts can decrypt the encryption key. The cops can't decrypt it without the courts. We just have to make sure that the courts don't leak the private key to law enforcement.

      • (Score: 0) by Anonymous Coward on Sunday June 28 2020, @09:23PM

        by Anonymous Coward on Sunday June 28 2020, @09:23PM (#1013832)

        (Same Poster)

        Since there are many courts perhaps there should be a central court/entity with the key that responds to court orders to decrypt.

        Again, this leaves the possibility that the police could work with said entity in the background without letting anyone know.

      • (Score: 0) by Anonymous Coward on Sunday June 28 2020, @10:26PM (2 children)

        by Anonymous Coward on Sunday June 28 2020, @10:26PM (#1013865)

        That actually is a very interesting idea. I believe your worries about it are justified though and would probably render it useless pretty quickly. The courts give great deference to law enforcement on just about everything.

        • (Score: 0) by Anonymous Coward on Monday June 29 2020, @05:09AM

          by Anonymous Coward on Monday June 29 2020, @05:09AM (#1013982)

          (Same Poster)

          I'm against the whole idea of a back door but if you're going to have one at least have it implemented so that only the courts can decrypt said data. It is cryptographically possible so long as there are no unintended leaks.

        • (Score: 0) by Anonymous Coward on Monday June 29 2020, @06:10AM

          by Anonymous Coward on Monday June 29 2020, @06:10AM (#1013984)

          (Same Poster)

          You can even have a system where two private keys are needed to decrypt the data and two separate entities, each with one private key, are needed to decrypt it.

          So you have the original encryption key.

          The original encryption key gets encrypted by a public key from entity one to generate encrypted key one.

          This encrypted key then gets encrypted again by another public key from entity two and stored to generate encrypted key two

          So if the court makes an order to decrypt the keys entity two first decrypts the encrypted key two to get encrypted key one. Entity one then decrypts encrypted key one to reveal the original key.

          Now two entities need to conspire together in order to secretly spy on people without a court order. Plus if one key leaks to the public not all is lost because the other is still needed to make the decryption.

          You can even make it so that three entities are needed if you want as well.

          The cryptography exists to make this all possible.
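
The two-entity nested escrow described in the comment above, as an added example that is not part of the original comment; it also covers the three-entity variant the comment mentions. It assumes the third-party Python `cryptography` package, and the function names and the per-layer construction (ephemeral X25519, HKDF-SHA256, ChaCha20-Poly1305) are this example's choices, since the comment names no algorithm.

```python
"""Nested escrow of a data key under several entities' public keys (added example)."""
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric.x25519 import (
    X25519PrivateKey, X25519PublicKey)
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

LAYER_OVERHEAD = 32 + 16   # ephemeral public key + Poly1305 tag added per layer
NONCE = b"\x00" * 12       # fixed nonce is safe only because each layer key is single-use


def new_entity():
    """Hypothetical escrow entity: just an X25519 private key."""
    return X25519PrivateKey.generate()


def raw(pub):
    return pub.public_bytes(serialization.Encoding.Raw,
                            serialization.PublicFormat.Raw)


def layer_key(shared, eph_pub, recipient_pub):
    # Mix both public keys into the derivation so the symmetric key is tied
    # to this ephemeral/recipient pair.
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
                info=b"escrow-demo-v1" + eph_pub + recipient_pub).derive(shared)


def seal(recipient_pub, plaintext):
    """Encrypt plaintext so that only recipient's private key can open it."""
    eph = X25519PrivateKey.generate()          # fresh key pair for every layer
    eph_pub = raw(eph.public_key())
    key = layer_key(eph.exchange(recipient_pub), eph_pub, raw(recipient_pub))
    return eph_pub + ChaCha20Poly1305(key).encrypt(NONCE, plaintext, eph_pub)


def unseal(recipient_priv, blob):
    """Open one layer; raises InvalidTag if this key did not seal it."""
    eph_pub, ciphertext = blob[:32], blob[32:]
    shared = recipient_priv.exchange(X25519PublicKey.from_public_bytes(eph_pub))
    key = layer_key(shared, eph_pub, raw(recipient_priv.public_key()))
    return ChaCha20Poly1305(key).decrypt(NONCE, ciphertext, eph_pub)


def try_unseal(recipient_priv, blob):
    """Like unseal, but returns None when the layer does not open."""
    try:
        return unseal(recipient_priv, blob)
    except (InvalidTag, ValueError):
        return None


def escrow_wrap(data_key, entity_pubs):
    """Entity one seals the key first (innermost); the last entity is outermost."""
    blob = data_key
    for pub in entity_pubs:
        blob = seal(pub, blob)
    return blob


def escrow_unwrap(blob, entity_privs):
    """Peel layers outermost first: entity N, ..., entity two, entity one."""
    for priv in reversed(entity_privs):
        blob = unseal(priv, blob)
    return blob


def demo():
    one, two = new_entity(), new_entity()
    data_key = os.urandom(32)                  # the "original encryption key"
    escrowed = escrow_wrap(data_key, [one.public_key(), two.public_key()])
    peeled_by_two = try_unseal(two, escrowed)  # "encrypted key one"
    return {
        "both_entities_recover_key": escrow_unwrap(escrowed, [one, two]) == data_key,
        "entity_one_alone_opens_outer": try_unseal(one, escrowed) is not None,
        "entity_two_alone_sees_key": peeled_by_two == data_key,
        "entity_two_alone_opens_inner": try_unseal(two, peeled_by_two) is not None,
        "escrow_blob_bytes": len(escrowed),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Neither entity's private key alone yields the data key, which is the property the comment relies on. Whoever calls `escrow_wrap` still handles the data key in the clear at that moment, and a copy of both private keys in one place removes the separation.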

  • (Score: 0) by Anonymous Coward on Sunday June 28 2020, @09:32AM

    by Anonymous Coward on Sunday June 28 2020, @09:32AM (#1013614)

    FTFsenators
    When the HW and SW that China makes for the US market will be officially backdoored, who'll have the skeleton key to the backdoors, hmm?

  • (Score: 1, Interesting) by Anonymous Coward on Sunday June 28 2020, @03:21PM (1 child)

    by Anonymous Coward on Sunday June 28 2020, @03:21PM (#1013692)

    Most people may be unaware of this fact.

    But even if you pay cash the seller is using strong crypto in their banking services and transaction clearing services. The WHOLE international economy is dependent on strong crypto. Take that away and we basically go back to the barter system.

    The movement over the past decade (by both the left and right) is to constrain trade, particularly digital trade to a small number of vendors. Left and right may take different viewpoints, but NONE of those viewpoints are towards opening up free interchange of ideas.

    If the left wants support of the netizens, the first thing to do is get rid of Pai. The second thing to do is reinstate common carriage. The third thing to do is reinstate Glass-Steagall. Fourth lay down some heavy anti-trust whoopass using wiretapping statutes against the likes of Facebook, Google, Microsoft, and Comcast. But even all of that isn't the core problem.

    The core problem is this: It takes less time to pass corrupt legislation, than it does to overturn it in the court system. This means that the net legal entropy is moving the country towards fascism. Left or right doesn't matter. They both pass corrupt legislation on behalf of mega-corps. And that has reached a critical mass... Because of ad-tracking. (Huh?)

    People used to say: "I disagree, but I will fight for your right to say it". This has devolved into "What can we do to instigate fundamentalism on our side". That change is entirely driven by the ad-tracking industry. Commercial political speech is no longer political speech. It is engineered psychological battery, manufactured by well paid teams using techniques derived from military grade psy-ops doctrines.

    If politicians want to stop the fundamentalism, they need to stop the brainwashing. And the brainwashing is lawfully sand-bagged by the ridiculous notion that corporations have the right to political speech. And that is derived entirely from bench law (thank you SCOTUS). Which could be blamed on SCOTUS but is more correctly attributed to the negligence and corruption of congress. They could have clarified that "people" (as in "We the people") actually means people at any time. But they chose to be obtuse and let SCOTUS write the law as an extra-jurisdictional exercise.

    There are dozens of potential approaches forward. But first, you have to acknowledge that the current failure is systemic, and not partisan.

    GOTO line 1.

    • (Score: 2) by TheRaven on Monday June 29 2020, @12:47PM

      by TheRaven (270) on Monday June 29 2020, @12:47PM (#1014040) Journal

      It's not about the strength of the crypto, it's about who the endpoints are. eCommerce depends on strong end-to-end crypto, but one endpoint is a major corporation that is subject to search warrants. Most email services depend on strong encryption, but the endpoints include servers, at least one of which is typically owned by a big company that is subject to search warrants. Older IM systems (and things like Zoom) provide strong client-server encryption but the server is typically operated by a company subject to search warrants.

      A system like Signal provides strong end-to-end encryption. Apple and others want to deploy services like this, where the only way that you can get access to the data is by compromising one of the endpoints. This is very different because the service operator can't technically comply with a search warrant that asks for customer data. For example, when Signal was forced to provide data on a user, they were able to provide the date and time at which their account was created, the date and time at which they last connected, and nothing else. They may have been able to do an active intercept to find out when the user next connected and their IP address but they had no technical mechanism for providing copies of the messages that the user sent and received or who they contacted. The only way to get this information is to compromise one of the client devices (good news: at least one of them typically runs Android, so this is probably easy).

      The problem with this kind of legislation is that it's basically impossible to enforce. What happens if the US decides that Signal is illegal? The EU already recommends Signal for all confidential conversations between official entities, so they're not going to ban it as well. The technology is out there and it's relatively easy for someone who really cares about security to set up their own Signal server and use a custom build of the client that uses it. Run the server outside of the US and you need to be tracking pretty much all network connections within the USA to figure out who is connecting to it. Are they going to ban VPNs, because connecting to a VPN service in a foreign country as the first hop makes that kind of traffic analysis almost impossible.

      --
      sudo mod me up