{"id":8446,"date":"2017-07-25T08:10:07","date_gmt":"2017-07-25T16:10:07","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/07\/25\/news-2220\/"},"modified":"2017-07-25T08:10:07","modified_gmt":"2017-07-25T16:10:07","slug":"news-2220","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/07\/25\/news-2220\/","title":{"rendered":"Going dark: encryption and law enforcement"},"content":{"rendered":"

Credit to Author: William Tsing| Date: Tue, 25 Jul 2017 15:00:18 +0000<\/strong><\/p>\n

We\u2019re hearing it a lot lately: encryption is an insurmountable roadblock between law enforcement and keeping us safe. They can\u2019t gather intelligence on terrorists because they use encryption. They can\u2019t convict criminals because they won’t hand over encryption keys. They can\u2019t stop bad things from happening because bad guys won\u2019t unlock their phones. Therefore\u2014strictly to keep us safe\u2014the tech industry must provide them with means to weaken, circumvent, or otherwise subvert encryption, all for the public good. No \u201cbackdoors\u201d, mind you; they simply want a way for encryption to work for good people, but not bad. This is dangerous nonsense, for a lot of reasons.<\/p>\n

1. It\u2019s technically incorrect<\/h3>\n

\"\"<\/p>\n

Encryption sustains its value by providing an end to end protection of data, as well as what we call \u201cdata at rest.\u201d Governments have asked for both means of observing data in transit, as well as retrieving data at rest on devices of interest. They also insist that they have no interest in weakening encryption as a whole, but just in retrieving the information they need for an investigation. From a technical perspective, this is contradictory gibberish. An encryption algorithm either encodes sensitive data or it doesn\u2019t\u2014the only method for allowing a third-party to gain access to plain-text data would be to either provide them with the private keys of the communicants in question or maintain an exploitable flaw in the algorithm that a third-party could take advantage of. Despite government protestations to the contrary, this makes intuitive sense: how could you possibly generate encryption secure against one party (hackers) but not another (government)? Algorithms cannot discern good intentions, so they must be secure against everyone.<\/em><\/strong><\/p>\n

2. They have a myriad of other options to get what they need<\/h3>\n

\"\"<\/p>\n

Let’s assume for a moment that a government entity has a reasonable suspicion that a crime has been committed, a reasonable certainty that a certain person did it, and a reasonable suspicion that evidence leading to a conviction lies on an encrypted device. Historically, government entities have\u00a0not checked all these boxes before attempting to subvert decryption, but let\u2019s give them the benefit of the doubt for the moment. Options available to various levels of law enforcement and\/or intelligence include, but are not limited to:<\/p>\n