James Comey's New Idea: An International Encryption Backdoor Partnership
from the let's-all-share-the-pain-equally dept
FBI Director James Comey is still pitching encryption backdoors, despite there being almost no one — from the Intelligence Community to legislators around the world — interested in what he’s selling. Comey claims to be sitting on a pile of encrypted devices the FBI can’t get into, even with help from outside contractors.
His latest backdoor idea was floated at a national security symposium at the University of Texas. Knowing any legislated backdoors might result in US device customers turning to overseas suppliers, Comey thinks he can minimize domestic fiscal damage by getting the rest of the world to fall in line with an idea most foreign governments still find unpalatable, even as they suffer terrorist attacks with a far greater frequency than we do at home. Michael Kan has more details at ComputerWorld:
Speaking on Thursday, Comey suggested that the U.S. might work with other countries on a “framework” for creating legal access to encrypted tech devices.
“I could imagine a community of nations committed to the rule of law developing a set of norms, a framework, for when government access is appropriate,” he said on Thursday.
Comey doesn’t say how he plans to set this in motion. He’s had no luck on the domestic front, so hoping for an “international framework” to spring into existence is, at best, inordinately hopeful. He directly addressed one of the many concerns device makers have about encryption backdoors, stating he had no desire to “chase innovation” out of the US. But that doesn’t mean he’s not interested in harming US innovation. He simply believes every country in the partnership should suffer equally.
As always happens when Comey opens his mouth about encryption, plenty of experts in the field are on hand to criticize his comments.
“I don’t think it makes sense,” said Nicholas Weaver, a researcher at the International Computer Science Institute at the University of California Berkeley.
Comey’s idea means that all countries will essentially agree to weaken the security in their vendors’ tech products, Weaver said. However, other countries will balk, fearing that the U.S. might exploit the cooperation for spying purposes.
“Would you still use a U.S. product, even if you know the NSA (National Security Agency) could have the rights to it?” he said.
Most of our allies around the world are still stinging a bit from multiple national security leaks — some of which have exposed nearly as much intrusiveness of their own security agencies as they have about the NSA’s reach and grasp. With the NSA heavily-involved in diverting hardware shipments to implant backdoors, no one’s in any hurry to add their country to the list of “buyer beware” electronics.
Even if most of Europe agrees to weaken encryption to make law enforcement easier, there’s no preventing non-partner countries from taking advantage of security holes to engage in greater domestic spying and civil rights abuses.
And, as is always the case when Comey opens his mouth about encryption, it’s again suggested the nerds of the world are simply not applying themselves when it comes to “safe” backdoors.
[O]n Thursday, Comey said the tech industry can find an approach that creates government access, while keeping malicious actors out.
“I reject the, ‘it’s impossible’ response,” he said. “I just think we haven’t actually tried it.”
Counterpoint from Nate Cardozo of the EFF:
“It’s childish to stomp your foot, and say, ‘nerds you have to try harder,’” Cardozo said.
That’s Comey all over: insisting he’s right despite nearly no one else in the world agreeing with him. The phones he can’t get into are apparently viewed as a personal insult — a middle finger from device makers to the feds. He claims device makers shouldn’t “decide how [their customers] live” by providing default encryption. He feels it should be left up to customers whether or not they want that level of security.
He makes this claim while pitching backdoors that remove that choice, allowing the FBI to tell Americans how to live: less securely, because criminals and terrorism. Again, classic Comey — who handles every discussion of encryption like a child. He’s not guileless, not by far. But he so deeply believes in the inherent “rightness” of his arguments that he’s unable to see their inconsistency and incoherence. Or worse, he does… but just doesn’t care.
Filed Under: backdoors, encryption, fbi, going dark, james comey
Comments on “James Comey's New Idea: An International Encryption Backdoor Partnership”
“I reject the, ‘it’s impossible’ response,” he said. “I just think we haven’t actually tried it.”
I guess he never bothered to read the history books about the last time this was done. Seem to remember just a few years ago someone exploited a flaw left over from that. Something to do with browser downgrading encryption when asked because at the time we couldn’t “export strong encryption”
This idiot really should be forced to go back to school and retake those math classes he obviously flunked or cheated his way through.
If he's so knowledgeable about what's possible...
surely it would be very easy for him to prove that it’s not impossible by doing it himself ?
Re: If he's so knowledgeable about what's possible...
Mr. Comey, why can’t you catch terrorists without breaking everyone’s encryption?
Don’t tell me it’s impossible.
I reject the ‘it’s impossible’ response. I think you just haven’t actually tried it.
Re: Re: If he's so knowledgeable about what's possible...
Comey harder?
It's not a backdoor
It’s a screen door.
Claude Shannon — in the 40’s — proved — mathematically — that what Comey wants is impossible. He didn’t prove that it was difficult or that given enough compute power it could be done. He proved that it is simply impossible.
What Comey wants is similar to the Indiana Legislature trying to legislate the value of PI. They didn’t like irrational numbers.
Comey is an idiot.
Re: Re:
Despite being irrational themselves. Imagine that.
Re: Re:
He’s not an idiot, of that I am almost sure of. Dishonest, malicious, indifferent, a threat to privacy and security yes, but not stupid. He knows that what he’s demanding will put huge numbers of people at risk, he just doesn’t care so long as he comes out ahead.
Re: Re: Re:
Actually, he is a bit stupid if he’s unaware of the fact that in addition to losing all credibility with sensible people, he’s lost all credibility with the politicians he needs to convince. So, Jimmy, who do you want to lobby first: the ones who hate your guts for screaming “E-Mail-Ghazi!” on the eve of the election, or the ones who hate your guts for telling everybody “The Trump Kremlin Connection is real and the Trump Tower Wiretap isn’t”?
Re: Re: Re:
I would argue that he’s all of those.
Dear America...
We sincerely approve of this idea and look forward to partnering with you on it. Comrade Comey is an American hero!
Love,
China Russia Alliance on Prevention of Crime
CRAPC
For some reason these calls for secure encryption with backdoors tends to remind me of that old SNL skit where there’s a company who is spending millions of dollars in research in an attempt to get a camel to fit through the eye of a needle via crazy plans like really large needles, really tiny camels, pureeing the camel so it can be more easily poured through the eye of a needle, etc.
Re: Re:
lol – “secure encryption with backdoors”
that’s fucking funny.
Committed to the rule of law
I understand that legislators can make the laws be whatever they want.
But when someone says they are committed to the rule of law, I tend to assume, or I used to assume that means they support things like citizens’ right to have private encrypted communications and data storage.
When these two things no longer go together it is a sign that the country is sick. The laws, at least in part, are no longer to protect the citizens, but at least in part to work against them.
Re: Committed to the rule of law
rule of law.
Think about it more like this.
rule of the law.
"If we can land a man on the moon, surely if we put our minds to it we can land a man on the sun."
… yeah, his ‘nerd harder’ mantra is that stupid.
Mind, I said the mantra is stupid, not the man, because I rather doubt he himself is that stupid, rather he’s just incredibly dishonest and focused only on making his job easier, no matter the damage it will cause if he ever manages to con a government into following him.
He’s a massive threat to public safety and security, and it’s not because he’s too stupid to realize it, he just doesn’t care.
Re: "If we can land a man on the moon, surely if we put our minds to it we can land a man on the sun."
I support an effort to fund NASA to land James Coney on the sun as he desires.
Think of how Stingray cell site snoopers were for catching terrorists… and now they’re in use by 13 federal agencies plus many state and local police agencies. And police agencies around the world. They’ll all demand access to the backdoor too.
Sharing the backdoor password internationally – to multiple agencies in every other country – will only add redundancy to the backdoor being leaked/found/exploited by the bad guys.
But contrary to this article, it’s not a new idea. There was never any question that a backdoor would be shared. Germany, Japan, Russia and the rest would never accept phones being sold in their countries with that foreign-controlled backdoor, unless they too have access. Remove that backdoor (not that they’d trust it to be gone) and Americans can simply import phones from those countries. Or just import the OS updates.
Even in a world with unicorns and magic pixie dust and backdoors that magically stay closed for the bad guys, it’s only a matter of time until we hear about these backdoors being used in bulk to find out who leaked a movie script or White House meeting. Or insulted a CEO or foreign leader.
Re: Re:
Just had very interesting thought…. One of the worries is that the key would be stolen and fall into the wrong hands.
How many stingray devices do you think are currently “missing”? After all, they mount these things in police cars and drive around with them. I find it hard to believe one hasn’t walked off, and you know if one got stolen the agency that lost it would never come forward and admit it publicly.
Re: Re: Re:
America has several private companies – usually with board members in the revolving door to high-level government positions – that provide security services to Saudi Arabia, Bahrain and other non-democracies.
I wonder how many of them stock Stingray devices. And how many would stock Comey’s backdoor.
> He feels it should be left up to customers whether or not they want that level of security.
Customers have already voted “yes” with their dollars.
What do you want to bet...
that his proposed back-door would not apply to government devices and/or communications?
Re: What do you want to bet...
Back when the Clinton administration was pushing mandated back-doors they wanted to exclude bankers as well as the government. The reason, given by Bill Clinton, was that "bankers are good citizens". As opposed to the rest of us, I suppose.
Re: Re: What do you want to bet...
Could you provide a reference for this, or at least some keywords to search for? My Google-fu has been unable to turn up anything.
Re: Re: Re: What do you want to bet...
Yeah, I can’t find it on-line anymore either. It seems to have been disappeared. I have an electronic copy of the article in which Bill is quoted as saying that, but the machine on which it is stored is currently off-line. Sorry.
Re: What do you want to bet...
Well that’s just it. He wants military grade encryption to be a thing ..again(?). Now that post2k information sharing is a thing the doj has its foot in the door.. What would a king do with these sorts of tools? The Sheriff of Nottingham would surely get his share of the gold.
If these encrypted phones are evidence of such horrible crimes
Then how is there no other evidence somewhere that it can actually be found? If the only evidence the accused left is on their phones, and there is no other trace, what did they do? Kill someone, incinerate the body, destroy all records the person existed, and mind-wipe everyone who might realize the victim is missing?
I’ve said it before: We’re all missing an opportunity here: We should be calling encryption “Digital Rights Management.” Which it is, of course; DRM for the consumer.
That way, powerful people who have declared jihad against encryption would be declaring jihad against DRM.
I wish he would explain why the cannot stop terrorists that they know about, and why they think that banning laptops and tablets in the cabin will prevent them being used as a bomb in the cargo hold.
Over the last few years the problem has not been one of going dark, but rather failure to keep track of known risks, who often do not bother with encryption. They also seem to have the exploits they need to get into the electronics of suspecter terrorists, so I can only assume they are concentrating on trying to spy on non violent political opposition which can force governments to listen to their citizens, if they are not stopped from organizing the protests.
Re: Re:
The whole going dark thing is a lie anyway. People have all kinds of devices in their homes now, “Internet Of Things” type devices with some really piss poor encryption that’s easily hacked.
Don't listen
Don’t listen to James Comey, all he ever does is talk out of his back-door.
Re: Too dangerous not to
If he was just some nutter on the street holding a sign about the evils of encryption then yes, it would be safe to ignore him.
However when the person making those claims holds the position of FBI Director then you ignore them at your own risk, as you’re talking about someone in a position of power holding a demonstrably dangerous idea and trying to get other people to believe it too.
Intel ME, amd PSP, cellular baseband.
The lack of research/acknowledgment of these low level hardware issues grossly harms reporting on these issues. Please, for everyone’s sake, do some research. You’re failing to see past the propaganda narratives. It makes me not want to trust this site when you seam either inept or compromised.
I think the Clipper chip was a good example of why what Comey is asking for is impossible. If there’s a secret way to decrypt, it will not stay secret.
Re: Re:
Well the Clipper Chip was a U.S. only thing. So things U.S. company’s made and sold in the U.S. were suppose to have it. What other country would allow those products sold in their own where the U.S. Government had easy access to those devices? That’s just never going to work.
Get the rest of the country on board and every country can spy on everyone around the world, that’s more fair and all good in the name of stopping Terrorists.
Why Don’t The NSA Do It?
If the Government is so keen on a workable back-doored encryption system, why don’t they come up with one? The US Government employs the NSA, which (allegedly) has the largest and brightest pool of crypto talent on the planet. If anybody has the necessary hashtags to come up with such a scheme, wouldn’t it be them?
Maybe President Trump can issue an Executive Order to that effect—could that be the missing sprinkling of magic pixie dust that is needed to kick-start the process?
Re: Why Don’t The NSA Do It?
That sounds like the NSA’s Clipper Chip backdoor device, which was intended to be enthusiastically adopted by telecommunications companies for voice transmission.
And indeed it was quickly proven insecure.
Just like Comey’s plan.
Re: Why Don’t The NSA Do It?
This is a very good question.
Nobody needs to get the full source code for programs or OS’ in order to come up with a basic overview of how this could be achieved. Just a crude description or drawing would go a long way to prove his point, so why is it that he hasn’t even shown that? It is not because they don’t have access to the people, but because everyone he has gone to has said the same thing: “It can’t (and shouldn’t) be done!”.
I refuse to believe that he hasn’t gotten the message 1000 times by now, so what I imagine he is doing now, is trying to get a good old regular backdoor without any regard for the consequences.
It is almost as if you could believe that he were working for terrorists as hard as he is trying to create chaos and destroy the infrastructure.
(As a note: No I don’t really believe that… he is just a power-hungry, greedy, and stupid person)
Re: Why Don’t The NSA Do It?
The tone of your comment has me thinking that it’s more a rhetorical/sarcastic question, but assuming anyone sees it and honestly wonders the same…
Because it would fail, completely, and having the government with it’s massive funding fail on such a ‘simple’ task would make it much harder for them to then turn around and claim that less well funded groups would have no problem succeeding where they failed.
There’s also the fact that only a complete and utter lunatic would trust ‘Securely Broken’ encryption offered by the government at this point, given how much open contempt various government agencies have displayed towards public privacy and security in the last few years, but the primary reason is because they don’t want to provide an example of how difficult the ‘easy’ task they’re trying to dump on others actually is.
Re: Re: The tone of your comment has me thinking...
…but not actually reading, it seems.
“Necessary hashtags”, after all…
What if the encryption key is spread across several legal jurisdictions?
Suppose the key is split into 12 parts and Apple transmits these partial keys to private key-holder companies in 12 independent nations. When the US government gets a warrant to open your iPhone, for instance, they ask 12 separate countries for their partial keys. Suppose the Swiss look at the warrant and decide its BS. Then no key. If 12 can agree, the key is complete and the end user and maybe the public is notified that a key has been surrendered.
If a trust company is hacked, other trust companies are compelled by contract and local law to destroy their own keys. New keys only get generated when you decide to change your device password. Governments wanting to preserve the quick warrant process will defend their trust companies against hackers. If a trust company is threatened with legal action, an employee is jailed, or the private company becomes a public entity, any of the other private trust companies are free, under their local contract law, to destroy the keys entrusted to them by customers in other nations. It’s MAD.
The trick is to find 12 countries that don’t necessarily like one another but who would value the key recovery mechanism.
I suppose the mechanism would become politicized at times and keys might be shared under dubious circumstances somewhat like a cyber prisoner exchange in reverse. You may decide that the design should not require a unanimous decision in case of war, key spoilage or a company withholding keys out of spite. Still, key recovery could be very quick and the traditional notion of a warrant is restored.
It’s not one backdoor that any criminal can walk through once it has been discovered, it’s twelve front doors that you have to walk through with an engraved invitation. Is it foolproof? No, but it’s a lot better than a law saying every iPhone must have a single, common point of failure (backdoor) by design.
Sorry I can’t recall the academic paper where I saw this partial key escrow idea discussed.
Re: What if the encryption key is spread across several legal jurisdictions?
I certainly no expert on this but…
Suppose a government requested the partial keys from the other 11 nations for a valid terrorism investigation. That government now has the entire key, negating the entire system from then on.
So you need a system where the each key is retired after it’s used. Every device notified and updated with a new key list. That notification/update system would no doubt be quickly owned by the NSA. Or whomever is running it could be ordered to hand over the full list.
Even without that: The FBI and Border Patrol have thousands of phone that they’d like to get into. If turned down by the other countries for those investigations, they simply wait until the partial keys are turned over for an investigation everyone does agree on. And then they use it to unlock ALL the phones on hand.
Am I wrong?
Re: Re: What if the encryption key is spread across several legal jurisdictions?
“Am I wrong?”
Sort of. Crypto systems have been designed (and are in use) that allow for key splitting to occur (Require X of Y key holders to input a unique key to perform an operation), but while the concept is elegant, the implementations I’ve personally seen and used are somewhat clunky (although admittedly quite secure, within human limits)
If you coupled that type of system above with a along with a hypothetical compliant, cryptographically perfect public key infrastructure, you could theoretically get to a point where every device had a PKI-Based Additional Decryption Key (ADK) burned into it at manufacture, with private keying material stored behind an X of Y key-split system.
But from a practical perspective, you might as well start from the premise of a perfectly spherical, purple cow, because even if you could make the math flawless, the entire system has to be implemented flawlessly, including the legal and human elements, or it’s ultimately going to become worthless.
Re: Re: Re: What if the encryption key is spread across several legal jurisdictions?
I don’t care how many keys are split, 2, 3, 4 and think that’s any better then 1 key. Because those keys will end up being passed around to unlock whatever over and over again by hundreds of not thousands of people. It’ll be leaked before hackers have a chance to even hack it.
Re: Re: Re:2 What if the encryption key is spread across several legal jurisdictions?
I was addressing the specific question (above) of needing to rekey every device on the planet every time the master key was used, using an example based on a system I use on a regular basis.
It wasn’t a dissertation on how to design a system for Comey.
And to address your point “the key being passed around”: from a purely technically perspective, that could be addressed, too. It increases cost, and makes the system more burdensome to use, but at the end of the day you’d only reduce exposure in some areas and increase it in others.
Any individual technical question could likely be addressed with technology we have today, at least at small scale.
But when you combine the necessary technologies and scale to global proportions, the loss expectancies, risk, and threat profiles get really ugly, really fast.
Re: What if the encryption key is spread across several legal jurisdictions?
Or they can simply demand Apple turn over the full key. Which do you think they’ll do? They’d NEVER go for a partial key system as that would defeat the whole purpose behind backdoors in the first place – to give themselves an EASY and quick way to get into the device.
“His latest backdoor idea was floated at a national security symposium at the University of Texas” and he was laughed off the fucking stage; is how the sentence should have ended.
Re: Re:
I’d lean more towards:
"His latest backdoor idea was floated in his own home, no official organization so crazy as to invite him to speak at their event."
Seriously, a national security symposium inviting someone who has been pushing an idea that would cause significant harm to national security(and security in general) is like an automobile symposium inviting someone who’s a well known proponent of the idea that cars would really be better without those pesky ‘brakes’ or ‘seatbelts’.
I can only hope that whoever invited him did so merely to give the audience someone to laugh at, because the alternative, that they thought he had good ideas to present is insane.
This would work wonderfully. Until China, Russia or whichever country the US currently dislikes decides to use the “international framework” to get data from US companies/citizens. Then Comey will be back here, having another tantrum.
Once, when I was a child, I was very, very thirsty.
There were coconuts in the trees. I tried very hard to get one of those coconuts.
I imagined the cool liquid and knew it had exactly what I needed.
I tried for a long time to get one of those coconuts.
All of the coconut trees were very tall and I could not climb them.
I had found the perfect sized rock and it bumped and missed and bumped again. A hundred times I threw that rock and a hundred times I failed.
I could not make a coconut fall and on the rock’s last drop I turned and I walked, even thirstier than I had been before, the longest mile so that I could quench my thirst.
Re: Coconuts
I hear that James Comey was once in the same position, and kept banging his head against the tree and screaming for somebody to repeal the law of gravity until the men in white coats showed up to rescue him.
Middle fingers
I think keeping all malicious actors out is the primary intent of the "phones he can’t get into".
The middle finger to the feds does make for a nice cherry on top, though!
This news makes my cock hard. But I bet Masnick is going to censor my enduring affection for Comey. Sad!
I think people are missing the point
This is actually very little to do with encryption or terrorism.
It’s to do with making the tech companies look unreasonable and the Democrats (and indeed any opposition) along side them.
By shouting loudly that anyone with an opposing point of view is on the side of the terrorists, he can dirty the name of the opposition and show that he is on the of the “American” in the eyes of those who don’t see (or care) about the truth. No change from the election.
Supported by "no one"
Really? I’d be a bit more concerned that this sort of response is now simultaneously coming from intelligence chiefs in the US, UK, and EU.
The FBI’s Secret Rules
President Trump has inherited a vast domestic intelligence agency with extraordinary secret powers. A cache of documents offers a rare window into the FBI’s quiet expansion since 9/11.
https://theintercept.com/series/the-fbis-secret-rules/
What a fool.