Allow me to ask what I'm certain is an incredibly naive question, so please bear with me. But it's a question that the average / non-tech folks ARE asking, and I'm not looking to be attacked, I'm looking for an intelligent answer (or corrections if my assumptions are wrong.) Base scenario:
We have adversaries. Our adversaries are plotting something objectively bad - to blow up things and kill innocent people. They are plotting and coordinating these bad things via communications with one another. Historically, we have been able to intercept those communications, read them, and interrupt our adversaries from the bad things they are plotting.
If our adversaries' communications are completely impossible to intercept, we have lost one of the most valuable tools in our ability to prevent them from doing bad things. How are we supposed to prevent them from doing these bad things?
Again - please don't attack me - just looking for a smart answer here.
> How are we supposed to prevent them from doing these bad things?
Well, we might not be able to. Such is the price of liberty. Personally, I think the thousands that died in the trade centers do not justify the massive loss of civil liberties, and it's STILL not clear we would have been able to do anything about it.
Bad guys are going to use encryption no matter what. Citizens should not be restricted from using it themselves just because it makes it easier on the federal government.
1) It's a tough sell to Average Joe. Average Joe wants it both ways - he wants Liberty AND to be protected from bad guys. Obama etc. were effectively hired to protect Average Joe from the bad guys. If Obama were to say "Sorry guys, we can't protect you in the name of Liberty", he's going to be eviscerated.
2) Agreed completely that banning encryption is foolish. I think what they really want is NSA-style backdoors - "encryption for everyone except us." And of course I see the concern with that.
> Average Joe wants it both ways - he wants Liberty AND to be protected from bad guys.
If Average Joe "wants Liberty AND to be protected from bad guys" then he doesn't have both if he doesn't have Liberty.
The only way you can have Liberty and Security is if you don't sacrifice one for the other. The need for the sacrifice is the lie. There is no reason you can't have both, because sacrificing liberty is not necessary for security.
In reality the opposite is the case. "Those who give up essential liberty for a little temporary safety deserve neither and lose both." Liberty and privacy are essential components of security. You're not secure if the bad guys can compromise your entire infrastructure just by infiltrating the police or police computers (to say nothing of the security risk from corrupt government officials). Creating intentional security vulnerabilities in order to facilitate government spying does not bring about a security improvement. It's based on the premise is that we need to reduce security in order to be secure, which is preposterous and untrue.
Rights are frequently unpopular with the Average Joe. There are often majorities for the abrogation of rights for the minority side. That is why a Bill of Rights, and a government of divided powers.
If the Average Joe doesn't like it, well, then it's the President job to explain the relationship between encryption and rights like free speech, presumed innocence, and security from search without a warrant. Not to go looking for ways to abrogate those rights to satisfy the Average Joe.
I find it works best to use something the "Average/non-tech" person will surely understand:
"What if there were cameras in your house that recorded everything you did & said, but the government promised you the footage would only be reviewed in the case that they suspect you committed a crime. How would you feel about that?"
I've gotten a lot of mileage from this metaphor myself. The response is usually silence while they internally question their worldview or something. Never gotten a counter argument, nor anyone replying with "I'd be okay with that". Would be interested if HN could poke a hole in this so I can patch it. :)
"Oh, I think it will be a great idea. The government will see how good of a citizen I am and how much I learn on my own, and perhaps, if I'm lucky, they'll give me a job so that I can stop cooking the rats in my walls."
Not a counter argument at all. You've just shown that any more time on you will be wasted. There will always be types like you. Nothing to do but write you off.
I agree with that perspective completely. The problem is that the people who are generally the most blindly pro-government say something like:
"I've got no problem with that. I have nothing to hide."
(I have a friend who says _exactly_ that.) But at that point you really can't keep the argument/discussion going, because you're dealing with someone who clearly says one thing and would act differently. I'm sure if the camera crew arrived and started drilling in his house he'd change his tune, but what can you do short of that. The problem with debating with a lot of people, sadly.
This metaphor has worked well for me too, to show people that they already expect there to be limits on what the government can do to keep people safe--even though they might have not have realized it.
So it's good as a throwaway metaphor for illustrating that concept, but it's not great for arguing against surveillance, because Internet traffic is not the same thing as getting dressed every morning. Most people get a lot less worked up about email and web surfing than being naked.
The Charlie Hebdo attackers used regular cell phones, and they were on security watch lists, and Algerian officials claimed to had sent warnings about them.
The gunman in Canada who tried to shoot up Parliament openly posted his plans and talked to jihadi sympathizer accounts on Twitter in the open. He was also on watch lists and had his passport pulled for trying to go to Syria.
One of the Boston bombers was on a watch list, and Russian officials sent warnings about him.
Seems nobody is watching the people on watch lists
Even if previous well known attacks didn't rely on encryption, it seems likely that future attacks will be organised over encrypted channels because they are now more ubiquitous.
How did they find out Person Y's phone needed to be searched/monitored to begin with? Obviously they have other sources of intelligence.
The question also doesn't address the issue of how far is too far, imagine how many crimes would be discovered with nightly searches of everyone's homes. Should we begin searching everyone's homes warrantlessly? What is more detrimental to society, the criminals, or the police state?
What are they doing to do, deploy unremoveable malware on every phone by default? Because as long as phones have CPUs and we can tell them what to do, they can employ unbreakable encryption. How are they supposed to get around that? Mandatory spyware?
What did police do before the telephone was commonplace? Criminals met and still meet in speakeasies and other safe locations to communicate without a phone, are we gonna install mics in every room as part of new building codes?
If phones do become irreversibly broken and monitored, guess what, criminals will stop using phones. Kevin Gates (rapper) has a song about drug dealing called... I Don't Talk On Phones, lol.
tl;dr: surveillance state monitoring all phones just means criminals will stop using phones to communicate so its only going to hurt "legitimate" privacy.
First let me clarify that I agree the notion of "banning encryption" is misguided and wrong. I'm looking at Obama's position (perhaps incorrectly) as "we need to be able to have backdoors", not "ban encryption".
I think the government's argument would be that yes, the most sophisticated adversaries will always find a way around monitoring. But I think they'd argue that 95% of adversaries are not the most sophisticated, so the position to is to make it as easy as possible to catch that 95%.
"If we're trying to monitor 100 bad guys and 95 of them are just using iMessage, then let's make it easy to read what the 95 of them are saying and deal with the other 5 with more sophisticated countermeasures, rather than having to use more sophisticated countermeasures for all 100 of them."
I absolutely see the whole argument here. I'm just trying to figure out what the right solution is.
- legal. It's against the law; there are strong 1st and 4th arguments against surveillance, and 5th and 6th amendment arguments as well. Some people have even tried to argue that if encryption is a munition the 2nd amendment applies. The "we could stop bad people" argument applies especially to the 4th.
Similar legal protections exist in Europe, although not generally as strong.
- practical: either a system is secure or it isn't. Handing it over to anyone increases the risk of compromise. Bans on effective encryption are self-defeating.
- collateral damage: US intelligence agencies have a track record of killing innocent people themselves (e.g. drone strikes), supporting murderous governments (CIA in south america), funding terrorism and failing to prosecute the guilty (Iran-contra), use of intelligence for domestic immoral politics (Watergate, FBI vs MLK). Handing over data about your e.g. Chilean users to the CIA may result in them being murdered.
- international hypocrisy: saying that mass surveillance is OK says it's OK for other governments too. Do you support Chinese interception against their adversaries? Are you happy to turn over your entire email history on entering a country?
- finally, I'm going to question how much it does help. The Paris terrorists were known to the police, as was the killer of Lee Rigby. Intercept evidence is generally not used in trials. Nobody is presenting a cache of encrypted emails found on a computer used by the Parisian terrorists and saying "if we'd decrypted this we could have prevented it".
Technology marches inexorably forward. These algorithms already exist in unbroken form. What the government is doing is mandating that Apple and Google make user's data less secure. The government will claim that any such backdoor will only be openable by them and only in cases of great need (read terrorism).
What will happen is that non-governmental organizations will find these keys and get the same ability. What will happen is that the government will overreach, as they have done before time and time again.
This isn't about stopping terrorism, this is about keeping the current ability to spy on US Citizens. The internet was the single greatest intelligence boon in history and the government is concerned about loosing spying capacity.
Unsophisticated terrorists would gain little protections from at-rest and over-the-wire encryption. It's really quite easy to screw up and be found in the dragnet. Sophisticated actors would be using additional software anyway. You know, the kind that already exists.
The libraries are free and public. The algorithms publicly published. You can't put the cat back in the bag.
The government is trying to legislate particular usages of math. They are literally saying that Apple and Google shouldn't be using certain sequences of numbers. This isn't an exaggeration or hyperbole since everything is encodable in numbers and obviously some communication is illegal.
This is literally illegal equations, and it is so very far down a slippery slope that every citizen should be concerned.
To answer your question, the government will still not be able to decrypt many communications, even with this backdoor. These technologies protect casual users from data theft, but putting in backdoors makes everybody less safe.
To take your argument further, it's not the equation of the A-bomb, it's the implementation? That's somewhat compelling.
But, at least in the US, firearms aren't illegal. Using them in a crime is the illegal part. The biological act of moving your arm isn't illegal, but hitting somebody is.
The analog would be making it illegal to form a fist because you might use it to attack something.
How are we supposed to prevent adversaries from making their communications impossible to intercept?
It's not like knowledge about cryptography suddenly vanishes. And it's not like those computers aren't annoyingly programmable to do such evil deeds like encrypting data in a way that officials can't access it.
Given that, what's this all about? Governments could mandate key escrow (which is what I guess they're really aiming for) for any system under their control. So adversaries build their own, in Excel using VBA, if necessary.
There is no way to honor that demand by the US and UK governments unless computers become a _much_ different thing than what they're now.
> Historically, we have been able to intercept those communications, read them, and interrupt our adversaries from the bad things they are plotting.
I challenge this assertion. It has happened in some cases, but the claim that surveillance is an effective way to stop terrorism has failed to be backed up with many success stories.
> If our adversaries' communications are completely impossible to intercept, we have lost one of the most valuable tools in our ability to prevent them from doing bad things.
The most organized adversaries' communications are already impossible to intercept. They know they are under surveillance and are taking measures to counter that surveillance. The people that surveillance affects most are innocent people.
In a different perspective (and I'm going to speak in an American context because I'm American and the article is about the American president) there are some things that are worth the lives of Americans. Our nation was founded with a rebellion and many Americans died in that struggle. They died for freedom, to gain rights. American history is full of people dying to protect the rights of Americans.
And from another perspective, terrorism is a hugely overblown concern. More Americans die in car accidents every year than have died from terrorism in the entire history of the United States[1]. 33561 people died in car crashes in the US in 2012[w]: that's like the September 11 attacks happening almost once a month. The fact that we're spending $10.8 billion in a year on the NSA[3] to prevent a handful of deaths that it may not even prevent, and less than 10% of that ($815 million) on the NHTSA[4] shows that our priorities are not where they should be.
I think that in this case what makes your story incorrect is that banning encryption software will only prevent normal every day people from using it. With the vastness of the internet, there is no way for any government to prevent encrypted communications from any determined individuals.
All they can end up doing is preventing the everyday users of the mass services from using encrypted transmission. So the innocent lose freedoms but the guilty carry on as normal.
They don't need mass surveillance and weak crypto to find out what a few known evil doers are up to. You can develop informants, physically bug devices, and get warrants for service providers (the old fashioned way where you specify a person's name and what you're looking for).
But they'd rather have a database with the sum total of human thoughts and interactions.
> How are we supposed to prevent them from doing these bad things?
Are we necessarily able to prevent these bad things from happening? Right now, we aren't able to entirely stop crime from happening. Why would we necessarily be able to stop these types of crimes from happening?
It's all a question of whether we want to give up certain freedoms in exchange for increased safety (or sense of safety).
It's not very complicated, it's just a balance of one thing (freedom) versus another (safety). Different people will value these two things differently, and I'm not sure I can make an argument that choosing safety over freedom is necessarily a "bad" choice.
That being said, I'm not in favor of the government banning private communication. But I understand that there are people who are, and their reasoning.
Because as someone smart said - If we want to defend our own freedoms, we have to start with defending freedoms of scoundrels, because the government will always start with taking away theirs. And when it's gone, ours will be gone too.
"The trouble with fighting for human freedom is that one spends most of one’s time defending scoundrels. For it is against scoundrels that oppressive laws are first aimed, and oppression must be stopped at the beginning if it is to be stopped at all."
— HL Mencken
Though, personally the scene that springs to my mind is the one from "A Man for All Seasons":
William Roper: So, now you give the Devil the benefit of law!
Sir Thomas More: Yes! What would you do? Cut a great road through the law to get after the Devil?
William Roper: Yes, I'd cut down every law in England to do that!
Sir Thomas More: Oh? And when the last law was down, and the Devil turned 'round on you, where would you hide, Roper, the laws all being flat? This country is planted thick with laws, from coast to coast, Man's laws, not God's! And if you cut them down, and you're just the man to do it, do you really think you could stand upright in the winds that would blow then? Yes, I'd give the Devil benefit of law, for my own safety's sake!
> "They are plotting and coordinating these bad things via communications with one another"
Yes, but has anyone considered the means they might be using to do this? Why assume it's electronic? Check the wikipedia page for the Millennium Challenge, especially the section on 'Exercise action'.
Human intelligence assets that we gutted in the 70's would have been quite useful in fighting terrorism. Humans blow things up and humans organize. The idea that they are not already using encryption in communications is foolish.
If we leave a backdoor for the "patriots", then we can guarantee that foreign governments and criminals will find and use the same backdoor. All any restrictions on encryption will do is lead to more non-terrorism arrests.
We have adversaries. Our adversaries are plotting something objectively bad - to blow up things and kill innocent people. They are plotting and coordinating these bad things via communications with one another. Historically, we have been able to intercept those communications, read them, and interrupt our adversaries from the bad things they are plotting.
If our adversaries' communications are completely impossible to intercept, we have lost one of the most valuable tools in our ability to prevent them from doing bad things. How are we supposed to prevent them from doing these bad things?
Again - please don't attack me - just looking for a smart answer here.