Both Michael Hayden And Michael Chertoff Surprise Everyone By Saying FBI Is Wrong To Try To Backdoor Encryption

from the going-dark? dept

Well, here’s one we did not see coming at all. Both former Homeland Security boss Michael Chertoff and former NSA and CIA director Michael Hayden have said that they actually disagree with current FBI director Jim Comey about his continued demands to backdoor encryption. Given everything we’ve seen in the past from both Chertoff and Hayden, it would have been a lot more expected to see them both toe the standard authoritarian surveillance state line and ask for more powers to spy on people. At the Aspen Security Forum, however, both surprised people by going the other way. Marcey Wheeler was the first to highlight Chertoff’s surprising take:


I think that it’s a mistake to require companies that are making hardware and software to build a duplicate key or a back door even if you hedge it with the notion that there’s going to be a court order. And I say that for a number of reasons and I’ve given it quite a bit of thought and I’m working with some companies in this area too.

First of all, there is, when you do require a duplicate key or some other form of back door, there is an increased risk and increased vulnerability. You can manage that to some extent. But it does prevent you from certain kinds of encryption. So you’re basically making things less secure for ordinary people.

The second thing is that the really bad people are going to find apps and tools that are going to allow them to encrypt everything without a back door. These apps are multiplying all the time. The idea that you’re going to be able to stop this, particularly given the global environment, I think is a pipe dream. So what would wind up happening is people who are legitimate actors will be taking somewhat less secure communications and the bad guys will still not be able to be decrypted.

The third thing is that what are we going to tell other countries? When other countries say great, we want to have a duplicate key too, with Beijing or in Moscow or someplace else? The companies are not going to have a principled basis to refuse to do that. So that’s going to be a strategic problem for us.

He’s right on all accounts, and does an astoundingly good job summarizing all of the reasons that many experts have been screaming about ever since Comey first started whining about this bogus “going dark” claim. But then he goes even further and makes an even more important point that bears repeating: it’s not supposed to be easy for law enforcement to spy on people, because that has serious risks:


Finally, I guess I have a couple of overarching comments. One is we do not historically organize our society to make it maximally easy for law enforcement, even with court orders, to get information. We often make trade-offs and we make it more difficult. If that were not the case then why wouldn’t the government simply say all of these [takes out phone] have to be configured so they’re constantly recording everything that we say and do and then when you get a court order it gets turned over and we wind up convicting ourselves. So I don’t think socially we do that.

On top of that, he points out, as we and many others have, that even if you can’t figure out what’s in an encrypted message it does not mean you’ve really “gone dark.” There are other ways to figure out the necessary information, and people always leave some other clues:


And I also think that experience shows we’re not quite as dark, sometimes, as we fear we are. In the 90s there was a deb — when encryption first became a big deal — debate about a Clipper Chip that would be embedded in devices or whatever your communications equipment was to allow court ordered interception. Congress ultimately and the President did not agree to that. And, from talking to people in the community afterwards, you know what? We collected more than ever. We found ways to deal with that issue.

Soon after that, at the same conference, Hayden spoke to the Daily Beast and more or less agreed (it is worth noting that Hayden works for Chertoff at the Chertoff Group these days). Hayden’s denunciation of Comey’s plan is not so detailed or thought out, and he admits he hopes that there is a magic golden key that’s possible, but recognizing it’s probably not, he thinks the damage may be too much:


“I hope Comey’s right, and there’s a deus ex machina that comes on stage in the fifth act and makes the problem go away,” retired Gen. Michael Hayden, the former head of the CIA and the NSA, told The Daily Beast. “If there isn’t, I think I come down on the side of industry. The downsides of a front or back door outweigh the very real public safety concerns.”

As the Daily Beast notes, this is — to some extent — a roll reversal between Hayden and Comey who famously clashed over Hayden’s original warrantless wiretapping program after 9/11, with Comey actually arguing against some of the program (though what he argued against wasn’t as complete as some believe). Still, it’s quite amazing to see both Chertoff and Hayden point out what the tech sector has been telling Comey for months (decades if you go back to the original “crypto wars.”) This isn’t a question about “not wanting to do the work” but about the fact that any solution is inherently much more dangerous for the public.

Filed Under: , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Both Michael Hayden And Michael Chertoff Surprise Everyone By Saying FBI Is Wrong To Try To Backdoor Encryption”

Subscribe: RSS Leave a comment
27 Comments

Hm... this is suddenly relevant?

Love this quote:

The third thing is that what are we going to tell other countries? When other countries say great, we want to have a duplicate key too, with Beijing or in Moscow or someplace else? The companies are not going to have a principled basis to refuse to do that. So that?s going to be a strategic problem for us.

Gee… this is suddenly relevant NOW?! Cripes…

DannyBsays:

Maybe this is what it means . . .

Follow this line of assumptions / conspiracy theory.

Former NSA and CIA director Michael Hayden knows that NSA can get what it needs (maybe not all it wants) using other techniques unavailable to the FBI.

Similarly, former Homeland Security boss Michael Chertoff might know that what the NSA has, homeland security has.

Since they can both get what they need, they see no reason to support the FBI. Maybe due to behind the scenes in fighting between competing bureaucratic fiefdoms, they would be happy for the FBI to be beholden to the NSA and/or homeland security and/or CIA for intelligence in exchange for other favors.

Hayden was also former CIA head honcho. According to this he was at NSA before he was at CIA. But maybe being at CIA he also has something against the FBI.

Okay, now I’ll take off my conspiracy theory hat.

DannyBsays:

Re:

Being able to break all widely used encryption is hard to believe.

More believable is the idea that when the NSA wants to target specific computers, it can hack them. It’s not as far fetched to believe that all commonly used operating systems are already so completely, so utterly compromised that NSA can implant software agents into targeted computers. By ‘compromised’, the NSA may have had back doors that are built right in to commercial software at manufacture. This may be known or unknown to the manufacturer of that commercial software.

Think about that. Isn’t this the kind of thing NSA does? There are probably only a few organizations that NSA would have to penetrate with one of their own human agents as an employee, in the right position, to be able to get such back doors into widespread use. And there’s the possibility of forcing software manufacturers to do it. Or even simply forcing certain individuals already employed there to do it without the knowledge of people higher up in the organization. I’m a bit skeptical of this, because someone, somewhere who is approached, pressured, blackmailed, etc to try to implant a back door into their employer’s software, might decide to go public with it.

It is also believable that a software agent implanted into a targeted computer could monitor all commonly used cryptographic libraries and obtain the key material being used.

I don’t think this sounds as far fetched as the idea that NSA can break all encryption. There are other ways to compromise cryptogrpahic systems.

NSA’s ability to hack computers is a technology race. Just like the US Mint is in a technology race with counterfeiters of US currency.

DannyBsays:

Re: Re: Re:

Yeah, that assumption is so basic. I take it for granted that hardware does what it is supposed to do. Also the firmware. But you’re right. I should have thought of that.

OTOH, consider.

It would be difficult enough to modify firmware to compromise one of several well known OSes. Difficult to impossible to compromise an unknown OS.

It would be much harder to modify hardware to compromise even a well known OS. Although hardware could substitute in different firmware momentarily. Or have something like a ‘micro firmware’ that recognizes when a known OS is being loaded. Such compromised hardware would need a fair amount of storage built in.

Which hardware component would be compromised? The motherboard? The microprocessor? Maybe a major chipset that handles much of the IO? As I think about it, a chipset that is used across many major motherboards, and might easily have room for a bit of extra storage, might be an ideal location to sit in between the processor, memory and IO.

Open hardware has not gained nearly the traction as open source software.

Sheogorathsays:

“We often make trade-offs and we make it more difficult. If that were not the case then why wouldn?t the government simply say all of these [takes out phone] have to be configured so they?re constantly recording everything that we say and do, and then when you get a court order it gets turned over and we wind up convicting ourselves?”
It would pretty much make a nonsense of the Fifth Amendment is why. Why the hell does an Englishman need to point that out to an American? facepalms

Anonymoussays:

>”We often make trade-offs and we make it more difficult. If that were not the case then why wouldn?t the government simply say all of these [takes out phone] have to be configured so they?re constantly recording everything that we say and do, and then when you get a court order it gets turned over and we wind up convicting ourselves?”

>It would pretty much make a nonsense of the Fifth Amendment is why.

>Why the hell does an Englishman need to point that out to an American? facepalms

That was a rhetorical question. Presumably the writer was thinking that Americans (other than Sekurity Apparatchniks) wouldn’t need the answer spelled out. (The S.A. critters are probably already thinking “why didn’t I think of that? Do I have a security letter that I can pretend covers it? And whom do I have to strong-arm to get it implemented?”)

SteveMBsays:

Re:

Translation: Their current financial interests are vested in options (Van Eck phreaking, bug planting) that are too expensive to be competitive if the Feds have push-button backdoor access.

If so, good for them. Chertoff is quite correct that it should be difficult to snoop, thus imposing limits on the amount of snooping.

Anonymoussays:

No one is using cryptography

The NSA doesn’t need to break cryptography because: NO ONE IS USING IT.

If the Clipper chip worked as proposed without the design bugs that plagued it, so that only law enforcement could listen in on conversations (with proper oversight from a judge), I bet we would have more safety and privacy than we have now in our curently unencrypted world.

This is the data they’re collecting.

Yes, I know I'm commenting anonymouslysays:

Follow the Money

Most likely, they think they can make more money with encryption in place, Either by selling encryption, selling access to encrypted data or by selling access to encrypted PCs or something else completely.
The other alternative is that they did a cost/benefit analysis and concluded that encryption (either way) does not affect their bottom line.

Leave a Reply to Matthew A. Sawtell Cancel reply

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...
Older Stuff
13:40 It's Great That Winnie The Pooh Is In The Public Domain; But He Should Have Been Free In 1982 (Or Earlier) (35)
12:06 Norton 360 Now Comes With Crypto Mining Capabilities And Sketchy Removal Process (28)
10:45 Chinese Government Dragnet Now Folding In American Social Media Platforms To Silence Dissent (14)
10:40 Daily Deal: The 2022 Ultimate Cybersecurity Analyst Preparation Bundle (0)
09:29 A Fight Between Facebook And The British Medical Journal Highlights The Difficulty Of Moderating 'Medical Misinformation' (9)
06:29 Court Ruling Paves The Way For Better, More Reliable Wi-Fi (4)
20:12 Eighth Circuit (Again) Says There's Nothing Wrong With Detaining Innocent Minors At Gunpoint (15)
15:48 China's Regulatory War On Its Gaming Industry Racks Up 14k Casualties (10)
13:31 Chinese Government Fines Local Car Dealerships For Surveilling While Not Being The Government (5)
12:08 Eric Clapton Pretends To Regret The Decision To Sue Random German Woman Who Listed A Bootleg Of One Of His CDs On Ebay (29)
10:44 ICE Is So Toxic That The DHS's Investigative Wing Is Asking To Be Completely Separated From It (29)
10:39 Daily Deal: The 2022 Complete Raspberry Pi And Arduino Developer Bundle (0)
09:31 Google Blocked An Article About Police From The Intercept... Because The Title Included A Phrase That Was Also A Movie Title (24)
06:22 Wireless Carriers Balk At FAA Demand For 5G Deployment Delays Amid Shaky Safety Concerns (16)
19:53 Tenth Circuit Denies Qualified Immunity To Social Worker Who Fabricated A Mother's Confession Of Child Abuse (35)
15:39 Sci-Hub's Creator Thinks Academic Publishers, Not Her Site, Are The Real Threat To Science, And Says: 'Any Law Against Knowledge Is Fundamentally Unjust' (34)
13:32 Federal Court Tells Proud Boys Defendants That Raiding The Capitol Building Isn't Covered By The First Amendment (25)
12:14 US Courts Realizing They Have A Judge Alan Albright Sized Problem In Waco (17)
10:44 Boston Police Department Used Forfeiture Funds To Hide Purchase Of Surveillance Tech From City Reps (16)
10:39 Daily Deal: The Ultimate Microsoft Excel Training Bundle (0)
09:20 NY Senator Proposes Ridiculously Unconstitutional Social Media Law That Is The Mirror Opposite Of Equally Unconstitutional Laws In Florida & Texas (25)
06:12 Telecom Monopolies Are Exploiting Crappy U.S. Broadband Maps To Block Community Broadband Grant Requests (7)
12:00 Funniest/Most Insightful Comments Of 2021 At Techdirt (17)
10:00 Gaming Like It's 1926: Join The Fourth Annual Public Domain Game Jam (6)
09:00 New Year's Message: The Arc Of The Moral Universe Is A Twisty Path (33)
19:39 DHS, ICE Begin Body Camera Pilot Program With Surprisingly Good Policies In Place (7)
15:29 Remembering Techdirt Contributors Sherwin And Elliot (1)
13:32 DC Metro PD's Powerful Review Panel Keeps Giving Bad Cops Their Jobs Back (6)
12:11 Missouri Governor Still Expects Journalists To Be Prosecuted For Showing How His Admin Leaked Teacher Social Security Numbers (39)
10:48 Oversight Board Overturning Instagram Takedown Of Ayahuasca Post Demonstrates The Impossibility Of Content Moderation (10)
More arrow
This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it