Both Michael Hayden And Michael Chertoff Surprise Everyone By Saying FBI Is Wrong To Try To Backdoor Encryption

from the going-dark? dept

Well, here’s one we did not see coming at all. Both former Homeland Security boss Michael Chertoff and former NSA and CIA director Michael Hayden have said that they actually disagree with current FBI director Jim Comey about his continued demands to backdoor encryption. Given everything we’ve seen in the past from both Chertoff and Hayden, it would have been a lot more expected to see them both toe the standard authoritarian surveillance state line and ask for more powers to spy on people. At the Aspen Security Forum, however, both surprised people by going the other way. Marcey Wheeler was the first to highlight Chertoff’s surprising take:


I think that it’s a mistake to require companies that are making hardware and software to build a duplicate key or a back door even if you hedge it with the notion that there’s going to be a court order. And I say that for a number of reasons and I’ve given it quite a bit of thought and I’m working with some companies in this area too.

First of all, there is, when you do require a duplicate key or some other form of back door, there is an increased risk and increased vulnerability. You can manage that to some extent. But it does prevent you from certain kinds of encryption. So you’re basically making things less secure for ordinary people.

The second thing is that the really bad people are going to find apps and tools that are going to allow them to encrypt everything without a back door. These apps are multiplying all the time. The idea that you’re going to be able to stop this, particularly given the global environment, I think is a pipe dream. So what would wind up happening is people who are legitimate actors will be taking somewhat less secure communications and the bad guys will still not be able to be decrypted.

The third thing is that what are we going to tell other countries? When other countries say great, we want to have a duplicate key too, with Beijing or in Moscow or someplace else? The companies are not going to have a principled basis to refuse to do that. So that’s going to be a strategic problem for us.

He’s right on all accounts, and does an astoundingly good job summarizing all of the reasons that many experts have been screaming about ever since Comey first started whining about this bogus “going dark” claim. But then he goes even further and makes an even more important point that bears repeating: it’s not supposed to be easy for law enforcement to spy on people, because that has serious risks:


Finally, I guess I have a couple of overarching comments. One is we do not historically organize our society to make it maximally easy for law enforcement, even with court orders, to get information. We often make trade-offs and we make it more difficult. If that were not the case then why wouldn’t the government simply say all of these [takes out phone] have to be configured so they’re constantly recording everything that we say and do and then when you get a court order it gets turned over and we wind up convicting ourselves. So I don’t think socially we do that.

On top of that, he points out, as we and many others have, that even if you can’t figure out what’s in an encrypted message it does not mean you’ve really “gone dark.” There are other ways to figure out the necessary information, and people always leave some other clues:


And I also think that experience shows we’re not quite as dark, sometimes, as we fear we are. In the 90s there was a deb — when encryption first became a big deal — debate about a Clipper Chip that would be embedded in devices or whatever your communications equipment was to allow court ordered interception. Congress ultimately and the President did not agree to that. And, from talking to people in the community afterwards, you know what? We collected more than ever. We found ways to deal with that issue.

Soon after that, at the same conference, Hayden spoke to the Daily Beast and more or less agreed (it is worth noting that Hayden works for Chertoff at the Chertoff Group these days). Hayden’s denunciation of Comey’s plan is not so detailed or thought out, and he admits he hopes that there is a magic golden key that’s possible, but recognizing it’s probably not, he thinks the damage may be too much:


“I hope Comey’s right, and there’s a deus ex machina that comes on stage in the fifth act and makes the problem go away,” retired Gen. Michael Hayden, the former head of the CIA and the NSA, told The Daily Beast. “If there isn’t, I think I come down on the side of industry. The downsides of a front or back door outweigh the very real public safety concerns.”

As the Daily Beast notes, this is — to some extent — a roll reversal between Hayden and Comey who famously clashed over Hayden’s original warrantless wiretapping program after 9/11, with Comey actually arguing against some of the program (though what he argued against wasn’t as complete as some believe). Still, it’s quite amazing to see both Chertoff and Hayden point out what the tech sector has been telling Comey for months (decades if you go back to the original “crypto wars.”) This isn’t a question about “not wanting to do the work” but about the fact that any solution is inherently much more dangerous for the public.

Filed Under: , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Both Michael Hayden And Michael Chertoff Surprise Everyone By Saying FBI Is Wrong To Try To Backdoor Encryption”

Subscribe: RSS Leave a comment
27 Comments

Hm... this is suddenly relevant?

Love this quote:

The third thing is that what are we going to tell other countries? When other countries say great, we want to have a duplicate key too, with Beijing or in Moscow or someplace else? The companies are not going to have a principled basis to refuse to do that. So that?s going to be a strategic problem for us.

Gee… this is suddenly relevant NOW?! Cripes…

DannyBsays:

Maybe this is what it means . . .

Follow this line of assumptions / conspiracy theory.

Former NSA and CIA director Michael Hayden knows that NSA can get what it needs (maybe not all it wants) using other techniques unavailable to the FBI.

Similarly, former Homeland Security boss Michael Chertoff might know that what the NSA has, homeland security has.

Since they can both get what they need, they see no reason to support the FBI. Maybe due to behind the scenes in fighting between competing bureaucratic fiefdoms, they would be happy for the FBI to be beholden to the NSA and/or homeland security and/or CIA for intelligence in exchange for other favors.

Hayden was also former CIA head honcho. According to this he was at NSA before he was at CIA. But maybe being at CIA he also has something against the FBI.

Okay, now I’ll take off my conspiracy theory hat.

DannyBsays:

Re: Re:

Being able to break all widely used encryption is hard to believe.

More believable is the idea that when the NSA wants to target specific computers, it can hack them. It’s not as far fetched to believe that all commonly used operating systems are already so completely, so utterly compromised that NSA can implant software agents into targeted computers. By ‘compromised’, the NSA may have had back doors that are built right in to commercial software at manufacture. This may be known or unknown to the manufacturer of that commercial software.

Think about that. Isn’t this the kind of thing NSA does? There are probably only a few organizations that NSA would have to penetrate with one of their own human agents as an employee, in the right position, to be able to get such back doors into widespread use. And there’s the possibility of forcing software manufacturers to do it. Or even simply forcing certain individuals already employed there to do it without the knowledge of people higher up in the organization. I’m a bit skeptical of this, because someone, somewhere who is approached, pressured, blackmailed, etc to try to implant a back door into their employer’s software, might decide to go public with it.

It is also believable that a software agent implanted into a targeted computer could monitor all commonly used cryptographic libraries and obtain the key material being used.

I don’t think this sounds as far fetched as the idea that NSA can break all encryption. There are other ways to compromise cryptogrpahic systems.

NSA’s ability to hack computers is a technology race. Just like the US Mint is in a technology race with counterfeiters of US currency.

sigalrmsays:

Re: Re: Re: Re:

“By ‘compromised’, the NSA may have had back doors that are built right in to commercial software at manufacture. This may be known or unknown to the manufacturer of that commercial software”

Don’t forget hardware. Hardware’s even more difficult to suss out than software.

DannyBsays:

Re: Re: Re: Re: Re: Re:

Yeah, that assumption is so basic. I take it for granted that hardware does what it is supposed to do. Also the firmware. But you’re right. I should have thought of that.

OTOH, consider.

It would be difficult enough to modify firmware to compromise one of several well known OSes. Difficult to impossible to compromise an unknown OS.

It would be much harder to modify hardware to compromise even a well known OS. Although hardware could substitute in different firmware momentarily. Or have something like a ‘micro firmware’ that recognizes when a known OS is being loaded. Such compromised hardware would need a fair amount of storage built in.

Which hardware component would be compromised? The motherboard? The microprocessor? Maybe a major chipset that handles much of the IO? As I think about it, a chipset that is used across many major motherboards, and might easily have room for a bit of extra storage, might be an ideal location to sit in between the processor, memory and IO.

Open hardware has not gained nearly the traction as open source software.

Sheogorathsays:

“We often make trade-offs and we make it more difficult. If that were not the case then why wouldn?t the government simply say all of these [takes out phone] have to be configured so they?re constantly recording everything that we say and do, and then when you get a court order it gets turned over and we wind up convicting ourselves?”
It would pretty much make a nonsense of the Fifth Amendment is why. Why the hell does an Englishman need to point that out to an American? facepalms

Anonymoussays:

>”We often make trade-offs and we make it more difficult. If that were not the case then why wouldn?t the government simply say all of these [takes out phone] have to be configured so they?re constantly recording everything that we say and do, and then when you get a court order it gets turned over and we wind up convicting ourselves?”

>It would pretty much make a nonsense of the Fifth Amendment is why.

>Why the hell does an Englishman need to point that out to an American? facepalms

That was a rhetorical question. Presumably the writer was thinking that Americans (other than Sekurity Apparatchniks) wouldn’t need the answer spelled out. (The S.A. critters are probably already thinking “why didn’t I think of that? Do I have a security letter that I can pretend covers it? And whom do I have to strong-arm to get it implemented?”)

SteveMBsays:

Re: Re:

Translation: Their current financial interests are vested in options (Van Eck phreaking, bug planting) that are too expensive to be competitive if the Feds have push-button backdoor access.

If so, good for them. Chertoff is quite correct that it should be difficult to snoop, thus imposing limits on the amount of snooping.

Anonymoussays:

No one is using cryptography

The NSA doesn’t need to break cryptography because: NO ONE IS USING IT.

If the Clipper chip worked as proposed without the design bugs that plagued it, so that only law enforcement could listen in on conversations (with proper oversight from a judge), I bet we would have more safety and privacy than we have now in our curently unencrypted world.

This is the data they’re collecting.

Yes, I know I'm commenting anonymouslysays:

Follow the Money

Most likely, they think they can make more money with encryption in place, Either by selling encryption, selling access to encrypted data or by selling access to encrypted PCs or something else completely.
The other alternative is that they did a cost/benefit analysis and concluded that encryption (either way) does not affect their bottom line.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Report this ad??|??Hide Techdirt ads
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...
Older Stuff
12:25 Australian Privacy Commissioner Says 7-Eleven Broke Privacy Laws By Scanning Customers' Faces At Survey Kiosks (6)
10:50 Missouri Governor Doubles Down On 'View Source' Hacking Claim; PAC Now Fundraising Over This Bizarrely Stupid Claim (45)
10:45 Daily Deal: The All-in-One Microsoft, Cybersecurity, And Python Exam Prep Training Bundle (0)
09:43 Want To Understand Why U.S. Broadband Sucks? Look At Frontier Communications In Wisconsin, West Virginia (8)
05:36 Massachusetts College Decides Criticizing The Chinese Government Is Hate Speech, Suspends Conservative Student Group (71)
19:57 Le Tigre Sues Barry Mann To Stop Copyright Threats Over Song, Lights Barry Mann On Fire As Well (21)
16:07 Court Says City Of Baltimore's 'Heckler's Veto' Of An Anti-Catholic Rally Violates The First Amendment (15)
13:37 Two Years Later, Judge Finally Realizes That A CDN Provider Is Not Liable For Copyright Infringement On Websites (21)
12:19 Chicago Court Gets Its Prior Restraint On, Tells Police Union Head To STFU About City's Vaccine Mandate (158)
10:55 Verizon 'Visible' Wireless Accounts Hacked, Exploited To Buy New iPhones (8)
10:50 Daily Deal: The MacOS 11 Course (0)
07:55 Suing Social Media Sites Over Acts Of Terrorism Continues To Be A Losing Bet, As 11th Circuit Dumps Another Flawed Lawsuit (11)
02:51 Trump Announces His Own Social Network, 'Truth Social,' Which Says It Can Kick Off Users For Any Reason (And Already Is) (100)
19:51 Facebook AI Moderation Continues To Suck Because Moderation At Scale Is Impossible (26)
16:12 Content Moderation Case Studies: Snapchat Disables GIPHY Integration After Racist 'Sticker' Is Discovered (2018) (11)
13:54 Arlo Makes Live Customer Service A Luxury Option (8)
12:05 Delta Proudly Announces Its Participation In The DHS's Expanded Biometric Collection Program (5)
11:03 LinkedIn (Mostly) Exits China, Citing Escalating Demands For Censorship (14)
10:57 Daily Deal: The Python, Git, And YAML Bundle (0)
09:37 British Telecom Wants Netflix To Pay A Tax Simply Because Squid Game Is Popular (32)
06:41 Report: Client-Side Scanning Is An Insecure Nightmare Just Waiting To Be Exploited By Governments (35)
20:38 MLB In Talks To Offer Streaming For All Teams' Home Games In-Market Even Without A Cable Subscription (10)
15:55 Appeals Court Says Couple's Lawsuit Over Bogus Vehicle Forfeiture Can Continue (15)
13:30 Techdirt Podcast Episode 301: Scarcity, Abundance & NFTs (0)
12:03 Hollywood Is Betting On Filtering Mandates, But Working Copyright Algorithms Simply Don't Exist (66)
10:45 Introducing The Techdirt Insider Discord (4)
10:40 Daily Deal: The Dynamic 2021 DevOps Training Bundle (0)
09:29 Criminalizing Teens' Google Searches Is Just How The UK's Anti-Cybercrime Programs Roll (19)
06:29 Canon Sued For Disabling Printer Scanners When Devices Run Out Of Ink (41)
20:51 Copyright Law Discriminating Against The Blind Finally Struck Down By Court In South Africa (7)
More arrow