[Cryptography] Comey: targeted ads => plaintext access

Henry Baker hbaker1 at pipeline.com
Sun Sep 13 16:42:57 EDT 2015


FYI -- Leaving aside Constitutional & political considerations, & focusing purely on technical issues, doesn't the FBI's Comey have a point?  If an email provider can target ads based upon keywords in the plaintext of your emails, why can't the FBI have access to the same plaintext?

Obviously, any scheme that targets ads based upon the *unencrypted content* of an email must *leak a certain amount of information from that content* -- at least to the ad broker.

Perhaps the information is only an alphabetically ordered *set* of keywords, but that is still more than zero.  (An obvious defense: all messages encoded entirely in "Basic English", and every message contains the entire 850-word vocabulary: https://en.wikipedia.org/wiki/Basic_English )

https://www.youtube.com/watch?v=Q3aG0CtZbU4

at 39:26  James Comey, FBI

First of all, I very much appreciate the feedback from the companies.

We've been trying to engage in dialog with companies because this is not a problem that's going to be solved by the government alone.

It's going to require industry, academia, associations of all kinds, and the government.

I hope we can start from a place we all agree there's a problem and that we share the same values around that problem.

When I hear people talk about the crypto wars, it throws me because wars are fought between people with different values. I think we all share the same values here.

We all care about safety and security on the Internet, and I'm a big fan of strong encryption, we all care about public safety, and the problem we have here is those are in tension, and a whole lot of our work increasingly in counter-terrorism and criminal work and counter-intelligence work and given that we care about the same things, I hope we can all agree that we ought to come together to try and solve that problem.

I've heard from a lot of folks that it's too hard, and my reaction to that is: really?

Have we really tried?

Have we really tried?

When I look at industry today, I see companies, I'm not going to name them here, but major internet service providers, who are able to comply with court orders.

Because they strongly encrypt in transit, and they decrypt when it crosses their networks, so they can read our emails so they can send us ads.

I've never heard anybody say those companies are fundamentally insecure and fatally flawed from a security perspective.

So, I don't think we really tried and also don't think there's an "it" to the solution.

I would imagine there might be many, many solutions, depending upon whether you're an enormous company that's in this business, or a tiny company in that business, I just think we haven't given it the shot that it deserves.

Which is why I welcome the dialog.

And we're having some very healthy discussions.


