Senator Richard Burr: Confused And Wrong On Encryption
from the this-is-ridiculous dept
Senator Richard Burr, head of the Senate Intelligence Committee and long time friend to the intelligence community, has now penned a ridiculous, misleading, fear-mongering opinion piece for the Wall Street Journal, entitled: Stopping Terrorists From “Going Dark.” It’s pretty much exactly what you’d expect if you’ve paid any attention to the ridiculous “going dark” debate in the US. But, let’s dig in and show just how bad this one is:
While the terrorist attacks in Paris, San Bernardino, Calif., and Garland, Texas, have brought discussions about encryption to the front pages, criminals in the U.S. have been using this technology for years to cover their tracks. The time has come for Congress and technology companies to discuss how encryption?encoding messages to protect their content?is enabling murderers, pedophiles, drug dealers and, increasingly, terrorists.
Right, except so far officials haven’t been able to show evidence of any of those cases actually using encryption. Similarly, law enforcement has failed to show that criminals using encryption have really been that much of a problem either. And that’s because it’s not a problem. Even in the (still mostly rare) cases where encryption is being used, criminals still reveal plenty of information that would allow law enforcement to track them down. It’s called doing basic detective work.
Consumer information should be protected, and the development of stronger and more robust levels of encryption is necessary. Unfortunately, the protection that encryption provides law-abiding citizens is also available to criminals and terrorists. Today?s messaging systems are often designed so that companies? own developers cannot gain access to encrypted content?and, alarmingly, not even when compelled by a court order. This allows criminals and terrorists, as the law enforcement community says, to ?go dark? and plot with abandon.
Yes, criminals and terrorists can use encryption just like law-abiding citizens. But that’s true of any technology. There’s no way to build technology that “only the good people can use.” Criminals use cars and computers and guns. And they eat food and drink too. Some of them talk to each other in person. Yet we don’t freak out about any of that other stuff. And, again, it’s simply incorrect to say they can “plot with abandon.” They cannot. Even when using encryption, many people either mess it up or still leave other clues. Most encrypted communication still reveals metadata about who was contacted, for example.
Leaving aside the terrorism challenges, encryption is affecting the investigations of kidnapping, child pornography, gang activity and other crimes. Federal, state, local and tribal law-enforcement officers can obtain legal authority to conduct electronic communications surveillance on terrorists and criminals. But encrypted devices and applications sometimes block access to the data. This means that even when the government has shown probable cause under the Fourth Amendment, it cannot acquire the evidence it seeks.
Yes, yes, the FBI and folks like the Manhattan DA’s office keep making this claim, but every time they’re asked to provide actual evidence of investigations stymied because of encryption, they come up empty. Official stats on lawful interception orders show that encryption is almost never a problem. They just don’t run into it.
Technology has outpaced the law. The core statute, the Communications Assistance for Law Enforcement Act, was enacted in 1994, more than a decade before the iPhone existed. The law requires telecommunications carriers?for instance, phone companies?to build into their equipment the capability for law enforcement to intercept communications in real time. The problem is that it doesn?t apply to other providers of electronic communications, including those supporting encrypted applications.
This is wrong. Technology has not outpaced the law — quite the opposite. Thanks to technology, law enforcement has more access to more information about every person alive than ever before in history. Technology now allows police to know where basically everyone has been at any moment in the day, who they spoke with, who they called or who they contacted via email. The fact that one small bit of data might be encrypted is hardly the case that technology has somehow outpaced the law.
Separately, yes, it’s true that CALEA (the wiretapping statute) requires that phone calls can be tapped, but that’s entirely different than undermining encryption. In fact, as we noted last week law already makes clear that phone companies are not required to backdoor encryption.
Federal Bureau of Investigation Director James Comey has said that one of the two Garland, Texas, shooters who died carrying out an attack on a Muhammad art exhibit in May exchanged 109 messages with an operative overseas. ?We have no idea what he said,? Mr. Comey told the Senate this month, ?because those messages were encrypted.? He described this as a ?big problem??and I couldn?t agree more.
Yes, yes, this is the example it took Comey over a year to finally come up with, but again it’s an incredibly weak one. Note: the encryption did not stop them from knowing who the shooter was communicating with, because the encryption does not impact the metadata. Yes, it may limit the ability to read the exact content of the messages, but the same would be true if they had just communicated via a phone call on an untapped line. Or if they had simply communicated with a simple code that those two knew and the FBI did not. This is really no different than any other criminal investigation situation, and it’s not the encryption that’s the problem.
Last month Manhattan District Attorney Cyrus R. Vance Jr. released an in-depth report specifically on ?smartphone encryption and public safety.? Many cellphones, including those designed by Apple and Google, now encrypt by default all the data they store, which is accessible only with a passcode.
Yeah, and we talked about how ridiculously wrong that report was at the time. And, again, the default mobile encryption only applies to data stored on those phones, not metadata. Apple would still have the keys to most data backed up in the cloud. Same with information shared with others where encryption may not be used. The amount of data that is truly “unobtainable” is minimal — which is why no one has any really good examples of it being a problem.
The challenges presented by encryption extend to financial transactions. In August Sen. Elizabeth Warren wrote letters to six federal agencies voicing concerns that banks were using Symphony, an encrypted messaging system that could prevent regulators from detecting illegal activities. The letter came shortly after New York?s top banking regulator, the New York State Department of Financial Services, raised the same concern with several major banks and Symphony?s developer.
In response, the banks agreed to store decryption keys with independent custodians, and Symphony agreed to retain electronic communications for seven years. All parties also agreed to a periodic review process to make sure that oversight keeps in sync with new technologies.
It would seem to me that daily financial flows shouldn?t command more attention than terrorist or criminal communications, yet here we are. Although the agreement described above may not be the solution for all encrypted communications, it does show that cooperative solutions are possible.
That is not an apples to apples comparison by any stretch of the imagination. The reason for the concern with the banks is that banks are a highly regulated industry in which they are legally required to keep records of certain communications. That’s not true of the general public, and unless Senator Burr is looking to wipe out the 4th Amendment, he shouldn’t even pretend these things have anything in common.
Second, what a cheap politician’s trick to pull out the “daily financial flows shouldn?t command more attention than terrorist or criminal communications” line. This is blatant fear mongering, because the issue is not about terrorists or criminals, but you, me, and everyone reading this who has an expectation of privacy. The only way to break encryption for “terrorists and criminals” is to make everyone less safe by putting in dangerous backdoors.
And, every time we put backdoors into encryption we see how it’s abused — such as with the recent Juniper vulnerability.
Finally, the “cooperative solution” in the case of the financial industry is an entirely different animal as well. Again, that’s a limited use case in a specific, highly regulated industry. To even suggest that because of that specific use case, there must be some sort of “cooperative solution” once again highlights a near total ignorance of how encryption works.
I and other lawmakers in Washington would like to work with America?s leading tech companies to solve this problem, but we fear they may balk. When Apple objected to a recent court order in a New York criminal case requiring it to unlock an iPhone running iOS 7?an operating system that Apple can unlock?the company refused, arguing: ?This is a matter for Congress to decide.? On that point, Apple and I agree. It?s time to update the law.
You fear they may balk? You want to know why? Perhaps because your friends in the intelligence community spent the last fifteen years breaking into their systems at every opportunity, undermining the trust and security of all of their users. You think that might have something to do with it? Maybe?
Senator Burr is doing something incredibly dangerous here. He’s misleading the American public in a totally ignorant way, that will put our security at risk. He is making the world a more dangerous place, on purpose, because of a misunderstanding of how technology works. He has no place regulating technology issues at all.
Filed Under: backdoors, congress, encryption, going dark, richard burr, senate intelligence committee
Comments on “Senator Richard Burr: Confused And Wrong On Encryption”
spelling fix, Senate ” Intelligecen ” Committee
Yea it’s not like we had other forms of encryption before this was enacted *cough* PGP *cough*
Excessive word use
I can’t help but feel that the article title could have been made a little bit shorter and a lot more accurate by dropping the last two words.
Senator Richard Burr: Confused And Wrong
Wrong again
Maybe he should have consulted his Brother Raymond Burr
I wonder if Mr Burr would support a law that demanded everybody to carry voice recorders for personal conversations and have the data, including who and where, stored and available to the Government anytime. Terrorists do speak face to face you know? One can never bee too careful.
He’s basically doing that but he either doesn’t understand it or he’s being dishonest.
Mike – are you aware of anyone having contacted the Wall Street Journal to try to get an OpEd of their own published to act as a counterpoint to enemy-of-the-tech-industry-and-menace-to-public-safety Senator Richard Burr?
Re: Re:
Mike – are you aware of anyone having contacted the Wall Street Journal to try to get an OpEd of their own published to act as a counterpoint to enemy-of-the-tech-industry-and-menace-to-public-safety Senator Richard Burr?
Yes, though I didn’t realize it when I wrote this post, the WSJ actually published a counterpoint at the same time, written by Cindy Cohn, the head of EFF:
http://www.wsj.com/articles/the-debate-over-encryption-the-backdoor-is-a-trapdoor-1450914316
Re: Re: Re:
That’s a pleasant surprise! While I dislike Senator Burr’s habitual doublespeak and malicious framing, at least his views aren’t going unchallenged on the same medium he’s using to proselytize.
Re: Re: Re:
Amusingly, if I go directly to the WSJ link you listed, I can’t read the article without signing in, blah blah blah. However, using Google to search for the article and then going to the article via the Google link, I can read the whole thing just fine.
Re: Re: Re: Re:
I couldn’t bother, I’m going without the paywall stupidity just fine.
Re: Re: Re:
It’s a trap!!! Don’t click the link. It’s a pay-wall trap. Thanks for that one Masnick 🙂
UP next...
The clueless deem spoken words about criminal activity cannot be traced when said in total privacy therefore it is now illegal to speak to someone face to face during discussions of criminal activity unless you record it and they ask that you please send a copy to your local police station.
Re: UP next...
LEt’s take it s atep further:
It is now a Class 1 Felony to talk to, or about, someone or something accused of a crime. Crimes include:
Talking too loudly;
Thinking counter to government;
Mel Brooks and viewing anything related to Mel Brooks;
Camels;
Water;
Rock music;
Black Lives Matter; and
Hugh Jackman.
(NB: This is a non-profit fan-based parody. Criminal acitvity is a product of the United States Government and the Department of Justice. Please support the official release.)
I have yet to see a FUD boogeyman that doesn’t also apply to the US Government.
Not really comparable
With banks (and other financial institutions), they are one of the endpoints of the encryption, and, therefore, have a key. They don’t have to make a “back door”. (Why, however, do I feel “less protected” knowing that there is another copy of that key “out there somewhere”?)
With phone encryption, the manufacturer is not and endpoint of the communication, so they – properly! – do not have a key.
The way it’s supposed to work: if LEO show up with a warrent, banks either produce the information or loose their charter; with people, they produce the information or go to jail (for contempt and obstruction).
I fail to see the actual problem here. And, using the “banks do it” example, the same avenue already exists for “private communications”!
Here is what happens when you fail to use encryption.
http://www.databreaches.net/191-million-voters-personal-info-exposed-by-misconfigured-database/
Perhaps the good senator would agree to everyone carrying voice recorders to everything is recorded in real time. (That includes you senator) No more hiding by anyone.
If it is terrorists you’re worried about, they already have a home brewed encryption program. You can be sure they are not going to change that program for a state sponsored one. Why would they knowing this sort of push is in the air. So it comes down to the real point of this isn’t terrorists but rather the domestic population. What the senator proposes is that no one in the US be allowed to communicate privately on line. Again I remind the senator what is good for the goose is good for the gander. That means those intelligent committee meetings should be open as well so the public knows what is being discussed. Sounds fair to me.
Re: Re:
Good idea. Please ask the Senator to put his recordings in three piles. One that includes conversations with his constituents (that will be the small one) and the other (large) his conversations with his contributors. The third pile (medium) will be his conversations with fellow lawmakers.
Next up on the war on Terror..........
all communications will be done in English, and, spoken/written slowly…
That is all.
The US Intell er Metadata Gathering State
It’s like they claim that if there weren’t encryption, large warning messages would be flying over their desks any time anyone was thinking of doing something bad.
He needs to look at how the Chinese are doing it, and raise the Chinese flag over the Capitol Rotunda while he is at it.
Re: Re:
He needs to look at how the Chinese are doing it, and raise the Chinese flag over the Capitol Rotunda while he is at it.
I hear the North Koreans are even better at it. I bet they’re his heroes.
Encryption != Encoding
Ugh, why do I feel like I’m the only one pissed that he confused encryption and encoding
“This is wrong. Technology has not outpaced the law — quite the opposite.”
Is it though? CALEA was designed to require exceptional access on the PSTN. Now many communication occurs over IP (note that VoIP is covered under CALEA when it connects to PSTN).
CALEA set a precedent that communications providers must allow exceptional access. There is a real debate as to whether there should be a CALEA II*, but from a procedural standpoint it would fall under the precedent of CALEA. Calling attention to the other ways LE has access to investigatory material is a red herring, and does not address the precedent set by CALEA.
*https://www.schneier.com/blog/archives/2013/06/the_problems_wi_3.html
FTFY
The time has come for The People to discuss how encryption—encoding messages to protect their content—is enabling governments to hide their true intentions, subvert the will of the people and increasingly terrorize the population with propaganda.
Government Encryption
It just struck me…politicians use encryption all the time. When they say in campaign speeches that they are for their constituents, the unencrypted result for campaign contributors is ‘I’ve got your back’!
Well I Did Send Burr an Email Letter
Sent a couple of weeks ago, referenced TechDirt, but no response as of yet from Burr’s office.
“Criminals use cars and computers and guns”
The difference being that cars and computers have predominantly constructive uses, whereas guns are primarily destructive.
Re: “Criminals use cars and computers and guns”
While debatably true (also debatably untrue), it doesn’t really have any relevance to the article.
Re: Re: “Criminals use cars and computers and guns”
It does mean that trying to restrict uses of constructive cars and computers will primarily hurt good people (i.e. nearly everybody), while clamping down on destructive guns will primarily impact bad people.
Re: Re: Re: “Criminals use cars and computers and guns”
Ah. Now that’s just wrong, and I say that as someone who thinks the second amendment is a stupid idea.
Trying to clamp down on guns at this point will be about as effective as trying to clamp down on encryption, for many of the same reasons. And the idea that clamping down on guns will only hurt bad actors is about as accurate as the idea that clamping down on encryption will only hurt bad actors.
Just because you don’t see any constructive uses for guns doesn’t mean that they don’t exist. Would you ban archery, martial arts, knives, explosives, loud noises, strong acids, …?
Re: Re: Re:2 “Criminals use cars and computers and guns”
Sorry, you said “will primarily impact bad people” while I responded “will only hurt bad actors”… I do think that any kind of ban will primarily impact good people rather than bad, even guns.
Unless you have a magic wand that will remove all guns from a (city? country? world?), as well as the knowledge of how to make new guns, anyway. If that’s the case, then we can have a completely different conversation.
Re: Re: Re:2 Trying to clamp down on guns at this point ...
Other countries have managed it: e.g. the UK after Dunblane, Australia after Port Arthur. Both have benefited from significant long-term reductions in violent crime as a result.
What’s so different about the US?
Re: “Criminals use cars and computers and guns”
Depends on how you define constructive and destructive. And some things are better destroyed, while others are better not constructed at all.
Re: Re: Depends on how you define constructive and destructive.
This is how I define “constructive” and “destructive”.
Re: Re: Re: Depends on how you define constructive and destructive.
Can a car feed your family, or put a kangaroo that has broken its leg getting tangled in your fence out of its misery?
As I said above, lack of imagination is no substitute for correctness.
Re: Re: Re:2 Can a car feed your family
A car is absolutely essential to feeding my family.
How else will I get that kangaroo home to the cooking-pot?
Re: Re: Re: Depends on how you define constructive and destructive.
This is how I define “constructive” and “destructive”.
Other people may different definitions. That you seem to think yours is the only one that matters is telling.
Re: Re: Re:2 Other people may different definitions.
Such as? Do you choose to define “constructive” as “blowing things apart” and “destructive” as “putting them together”?
Feel free. And then show how your definitions strengthen your case rather than mine.
Re: Re: Re:3 Other people may different definitions.
There are those that consider the use of fossil fuel to be destructive. What kind of car do you drive?
Re: Re: Re:4 Re:There are those that consider the use of fossil fuel to be destructive
Whereas gun nuts really care for the environment, don’t they…
I kinda hope Burr gets this sort of law (saying that the government has the right to know anything if a judge gives permission) passed. Then I’d like to see the following warrants issued:
Historians must reveal the origins of the Voynich Manuscript.
Mathematicians required to come up with a clear and indisputable proof of the validity of the Continuum Hypothesis.
Physicists must produce the Theory of Everything by noon on Friday.
Universe must explain where that weird hum is coming from. Please. Honestly, where is that damn humming sound coming from!?
Re: Re:
Don’t know about the rest of them, but with regards to the last question:
The Source.
Re: Re: Re:
Also the first…
Re: Re: Re:
I was thinking of the Hum Generator for the last item, and just assumed there were xkcd’s for the others. MrTroy got one for the VM. Surprisingly few completely applicable to the other two items, but:
CH: Either this or this.
TOE: Maybe this?
Or maybe CH+TOE would be this…
I got myself Thing Explainer for Xmas. Kinda fun, but don’t try to enjoy it on a phone. (Instead, enjoy this game.)
NO.
I would no more follow a law mandating the use of pre-compromised encryption, than I would mail my snail-mail in glassine envelopes (that is to say I WOULD NOT FOLLOW IT AT ALL).
Happy you wrote this; Mad because you think THEY care...
THEY being those very old and ridiculously expensive Law Makers and Decision Makers currently in office, and if what I am told is true, on their way out very soon. Age and ignorance is now more than a factor than ever when it comes to running a Country.
I really, really wanted to read an argument for Criminals and Terrorists, and all the relevant technology they employ in the acts they imagine, create, and then carry out EVERYDAY.
Do you think Hezbollah manufactures the rockets they fire off every now and then. IS does not have an arms factory building them Kalashnikovs.
Threats Levels are truly an arbitrary point now, where it concerns actual threats. Encryption has to be exposed for what it is… A tool ‘Ready at Hand‘ for use in everyday life. I have add-ons, extensions, a Tor browser, and VPNs, but it doesn’t mean that I am any more secure.
Governments and their agencies have more access and tools than we can imagine – and some people have very vivid imaginations.
I sat with a former ‘Military’ Pilot nee Commercial, who explained to me in no uncertain terms that anything I can think of, the “Government is at least twenty years beyond that”, although I should think because that is a twenty year old conversation, those gaps have been seriously closed – the public sector pays better, and treats their employees surprisingly well.
What I am saying here, is that the government has everything at its fingertips – all of it, and the “stuff” they don’t have, is because it is truly out of everyone’s reach. I am, you are, truly out of league if you think you’re anonymous, or insecure. Briefly recall that the CELLBRITE only costs ten grand and you get almost everything… imagine what a twenty, fifty, or two-hundred million dollar budget gets you.
I’m just saying. The old ways are lost, but not altogether. I needed an Ambulance Tout de suite; Ive had the same cellphone since 2001; it took them almost twenty minutes to get to me because they couldn’t find me. They had absolutely no idea where I was except that I was somewhere in Halifax.
Eventually I made it to the hospital, started breathing again, then got a small lecture on getting my technology updated. I think it works just fine, and I spent a hundred and ten thousand on my education, so I better have a freaking answer if somebody asks me – I do not need google on my cellphone (or Twitter or Facebook or SoundCloud or Spotify or Ello or blah blah blah).
This is what leads me to the assumption that governments are less concerned with encryption, and more concerned with location. Conversations can be had if needed; locations are needed.
Encryption will forevermore be a buzz word. Budgets need it… The ‘Old Guard is leaving, and a new, and hopefully smarter, shift is about to punch in – although there is still a huge problem with trying to keep State and Church separate.
If you consider labeling people that believe in their constitutional rights as dangerous criminals
They don’t even use computers; how the hell are they supposed to understand the importance of encryption?