[Cryptography] Apple 3rd Party dilemma

Michael Kjörling michael at kjorling.se
Sat Feb 20 06:30:42 EST 2016


On 19 Feb 2016 14:19 -0800, from hbaker1 at pipeline.com (Henry Baker):
> If this means that devices occasionally commit suicide ("apoptosis")
> in order to protect the user's information, then so be it. The good
> news is that IoT chips are getting really cheap.

The problem with this kind of argument is that large portions of the
general public does not share this sentiment at all. It's quite
possible that a large fraction of the people on this list would agree
to a security trade-off like that, but the membership on this list is
very clearly not a representative subsample of the general population.

Here's a thought experiment for you. First, look at how many people
have smartphones.

Then, look at how many of those have data on their smartphone that
would be difficult or impossible to replace if it were lost.

Now subtract the number of people who regularly make backups (to a
_trusted, secure_ data store!) of the data on their smartphones.

Notice how little the group size changed in the last step?

I expect that with services like Apple's iCloud, the proportion of
people who at least _back up_ their data is slightly higher than with
say PCs, but unless the data is securely encrypted _before_ it leaves
the phone, and decryption requires access to a high-grade secret that
both is not bound to the physical phone and the vendor (in this case
Apple) does _not_ have access to, that fails at least the "secure"
data store test. And generally speaking, people are poor at handling
high-grade cryptographic secrets, not to mention their ability of
coming up with them.

The average John or Jane Doe _wants_ their data to be recoverable if
something happens to the device it is stored on. A device that, by
design, makes data recovery after a malfunction or accident difficult
enough to effectively be impossible, is going to be considered broken
by lots of people -- especially people who had their three-year-old
drop their phone into the bath tub just to see what would happen.

-- 
Michael Kjörling • https://michael.kjorling.semichael at kjorling.se
                 “People who think they know everything really annoy
                 those of us who know we don’t.” (Bjarne Stroustrup)


More information about the cryptography mailing list