FBI Director Claims That The World's Most Knowledgeable Cybersecurity Experts Are Not 'Fair Minded' About Encryption Backdoors
from the oh really? dept
Earlier this week, we noted that a huge list of companies, non-profits and cybersecurity experts had signed a letter to the White House about the stupidity and danger of trying to order backdoors into encryption (disclaimer: we signed the letter as well). While many in the press focused on the companies that had signed onto the letter (including Google, Apple, Cisco, Microsoft, Twitter and Facebook), as we noted, what was much more interesting was the long list of cybersecurity/encryption experts who signed onto the letter. Just in case you don’t feel like searching it out, I’ll post the entire list of those experts after this post.
It’s a who’s who of the brightest minds in encryption and cryptography. Whitfield Diffie invented public key cryptography. Phil Zimmermann created PGP. Ron Rivest is the “R” in “RSA.” Peter Neumann has been working on these issues for decades before I was even born. And many more on the list are just as impressive.
So how do you think FBI director James Comey — who has been leading the charge on backdooring encryption — responded to these experts?
I wish I was joking.
A group of tech companies and some prominent folks wrote a letter to the President yesterday that I frankly found depressing. Because their letter contains no acknowledgment that there are societal costs to universal encryption. Look, I recognize the challenges facing our tech companies. Competitive challenges, regulatory challenges overseas, all kinds of challenges. I recognize the benefits of encryption, but I think fair-minded people also have to recognize the costs associated with that. And I read this letter and I think, ?Either these folks don?t see what I see or they?re not fair-minded.? And either one of those things is depressing to me. So I?ve just got to continue to have the conversation.
First of all, it’s kind of hilarious for the FBI director to be arguing that the people who signed that letter haven’t done a cost-benefit analysis, since we’ve noted that the intelligence and law enforcement communities almost never do such an analysis. They always insist “more surveillance” must be better, without considering the costs involved.
And then there’s this, showing that Comey still doesn’t understand the letter at all:
We?ve got to have a conversation long before the logic of strong encryption takes us to that place. And smart people, reasonable people will disagree mightily. Technical people will say it?s too hard. My reaction to that is: Really? Too hard? Too hard for the people we have in this country to figure something out? I?m not that pessimistic. I think we ought to have a conversation.
Hey, Comey! No one is saying it’s “too hard.” They’re saying it’s IMPOSSIBLE to do this without weakening everyone’s security. Impossible. It’s not a “hard” problem, it’s an impossible problem. Because if you weaken security to let the FBI in, by definition you are weakening the security to let others in as well. That’s the point that was being made.
And this is important. For all of the ridiculous claims by Comey and others that we need to “have a conversation” on this, we do not. A conversation is counterproductive. All of these people can and should be working on systems to make us all more safe and secure. But if they have to keep explaining to ignorant folks like Comey why this is a bad idea, then they are taken away from making us safer. You can have a discussion over things that are hard. But there is no point in having a discussion over things that are impossible.
Security and Policy Experts
Hal Abelson, Professor of Computer Science and Engineering, Massachusetts Institute of
Ben Adida, VP Engineering, Clever Inc.
Jacob Appelbaum, The Tor Project
Adam Back, PhD, Inventor, HashCash, Co-Founder & President, Blockstream
Alvaro Bedoya, Executive Director, Center on Privacy & Technology at Georgetown
Brian Behlendorf, Open Source software pioneer
Steven M. Bellovin, Percy K. and Vida L.W. Hudson Professor of Computer Science,
Matt Bishop, Professor of Computer Science, University of California at Davis
Matthew Blaze, Director, Distributed Systems Laboratory, University of Pennsylvania
Dan Boneh, Professor of Computer Science and Electrical Engineering at Stanford
Eric Burger, Research Professor of Computer Science and Director, Security and
Software Engineering Research Center (Georgetown), Georgetown University
Jon Callas, CTO, Silent Circle
L. Jean Camp, Professor of Informatics, Indiana University
Richard A. Clarke, Chairman, Good Harbor Security Risk Management
Gabriella Coleman, Wolfe Chair in Scientific and Technological Literacy, McGill
Whitfield Diffie, Dr. sc. techn., Center for International Security and Cooperation,
David Evans, Professor of Computer Science, University of Virginia
David J. Farber, Alfred Filter Moore Professor Emeritus of Telecommunications,
University of Pennsylvania
Dan Farmer, Security Consultant and Researcher, Vicious Fishes Consulting
Rik Farrow, Internet Security
Joan Feigenbaum, Department Chair and Grace Murray Hopper Professor of Computer
Science Yale University
Richard Forno, Jr. Affiliate Scholar, Stanford Law School Center for Internet and Society
Alex Fowler, Co-Founder & SVP, Blockstream
Jim Fruchterman, Founder and CEO, Benetech
Daniel Kahn Gillmor, ACLU Staff Technologist
Robert Graham, creator of BlackICE, sidejacking, and masscan
Jennifer Stisa Granick, Director of Civil Liberties, Stanford Center for Internet and
Matthew D. Green, Assistant Research Professor, Johns Hopkins University Information
Robert Hansen, Vice President of Labs at WhiteHat Security
Lance Hoffman, Director, George Washington University, Cyber Security Policy and
Marcia Hofmann, Law Office of Marcia Hofmann
Nadim Kobeissi, PhD Researcher, INRIA
Joseph Lorenzo Hall, Chief Technologist, Center for Democracy & Technology
Nadia Heninger, Assistant Professor, Department of Computer and Information Science,
University of Pennsylvania
David S. Isenberg, Producer, Freedom 2 Connect
Douglas W. Jones, Department of Computer Science, University of Iowa
Susan Landau, Worcester Polytechnic Institute
Gordon Fyodor Lyon, Founder, Nmap Security Scanner Project
Aaron Massey, Postdoctoral Fellow, School of Interactive Computing, Georgia Institute
Jonathan Mayer, Graduate Fellow, Stanford University
Jeff Moss, Founder, DEF CON and Black Hat security conferences
Peter G. Neumann, Senior Principal Scientist, SRI International Computer Science Lab,
Moderator of the ACM Risks Forum
Ken Pfeil, former CISO at Pioneer Investments
Ronald L. Rivest, Vannevar Bush Professor, Massachusetts Institute of Technology
Paul Rosenzweig, Professorial Lecturer in Law, George Washington University School of
Jeffrey I. Schiller, Area Director for Security, Internet Engineering Task Force (1994-
2003), Massachusetts Institute of Technology
Bruce Schneier, Fellow, Berkman Center for Internet and Society, Harvard Law School
Micah Sherr, Assistant Professor of Computer Science, Georgetown University
Adam Shostack, author, “Threat Modeling: Designing for Security”
Eugene H. Spafford, CERIAS Executive Director, Purdue University
Alex Stamos, CISO, Yahoo
Geoffrey R. Stone, Edward H. Levi Distinguished Service Professor of Law, The
University of Chicago
Peter Swire, Huang Professor of Law and Ethics, Scheller College of Business, Georgia
Institute of Technology
C. Thomas (Space Rogue), Security Strategist, Tenable Network Security
Dan S. Wallach, Professor, Department of Computer Science and Rice Scholar, Baker
Institute of Public Policy
Nicholas Weaver, Researcher, International Computer Science Institute
Chris Wysopal, Co-Founder and CTO, Veracode, Inc.
Philip Zimmermann, Chief Scientist and Co-Founder, Silent Circle