[Cryptography] 200 experts line up to tell governments to get stuffed over encryption

Henry Baker hbaker1 at pipeline.com
Tue Jan 12 13:29:52 EST 2016


You can sign the letter yourself here:

https://securetheinternet.org/

http://www.theregister.co.uk/2016/01/11/experts_defend_encryption/

200 experts line up to tell governments to get stuffed over encryption

No laws, policies or secret agreements with companies, urge crypto-eggheads

11 Jan 2016 at 20:09, Kieren McCarthy

A group of 200 experts have urged the world's governments not to introduce backdoors into encryption products in an open letter posted Monday.

The group, which includes Amnesty International, Human Rights Watch, the Electronic Frontier Foundation (EFF), the American Civil Liberties Union (ACLU) and CloudFlare among many others, formed as the debate about encryption has intensified.  The Obama Administration met tech giants in Silicon Valley last week in an effort to find a compromise and as the UK government tries to pass legislation that would give security services access to encrypted data.

The letter addresses itself to "the leaders of the world's governments" and urges them to support encryption as a way to "protect the security of your citizens, your economy, and your government."

Echoing sentiments expressed by the Dutch government in a formal position on encryption that was published last week, the group notes that "economic growth in the digital age is powered by the ability to trust and authenticate our interactions and communicate and conduct business securely, both within and across borders."

As such, it argues that all governments should "reject laws, policies, or other mandates or practices, including secret agreements with companies, that limit access to or undermine encryption and other secure communications tools and technologies."

The letter, which was posted on a new campaign website at SecureTheInternet.org, ends with a five-point argument that government should:

* Not limit access to encryption

* Not mandate backdoors

* Not require that third parties have access to encryption keys

* Not try to weaken encryption standards

* Not pressure companies into breaking any of the previous four points

While the list is odd in that it appears to make the same point repeatedly, the reality is that US politicians and law enforcement agencies have recently been pushing tech companies such as Apple, Google and Microsoft to create systems by which the security services can access information sent through their products and services, but have been very careful to avoid using the term "backdoor."

Apple CEO Tim Cook has been particularly vocal about the fact that introducing any backdoor into an encryption product means that it will be accessible by others.  The term "magical thinking" to imagine any other scenario has even been used by the law enforcement officials that want to access encrypted data.

When is a backdoor not a backdoor?

The Obama Administration also recently ruled out any possibility of legislation passing through Congress that would mandate government access.

That has led to a curious formulation from politicians about the need for the "best minds" to come together and develop a system that works.  Or, in other words, to create a backdoor of some kind that doesn't have to be called a backdoor.  The wording of the letter is intended to cover all possible scenarios.

The encryption debate itself kicked off shortly after Edward Snowden revealed the extent to which the US security services were spying on internet communications, even tapping the networks and data centers of large tech companies like Google without informing them.

In one specific response that really set the ball rolling, Apple changed the way it carried out encryption on its iPhone so that users were in control of the system and it was simply not possible to de-encrypt messages, even if it were presented with a legal warrant.

That approach put law enforcement on edge, and there has been a huge pushback on the approach in the hope that it can be stopped before it becomes the default approach by tech companies.

In the meantime, those who want access to encrypted communications, including most notably US presidential candidates, have been using the gun attacks in Paris and San Bernardino to argue the case for access, even though there is no evidence that encryption played a role in those attacks.

The groups behind the open letter are encouraging others to sign it – something that it appears many people online are hoping to do: the website fell over earlier today due to demand.

------------------
The letter itself:

https://securetheinternet.org/

To the leaders of the world's governments --

We urge you to protect the security of your citizens, your economy, and your government by supporting the development and use of secure communications tools and technologies, rejecting policies that would prevent or undermine the use of strong encryption, and urging other leaders to do the same.

Encryption tools, technologies, and services are essential to protect against harm and to shield our digital infrastructure and personal communications from unauthorized access.  The ability to freely develop and use encryption provides the cornerstone for today's global economy.  Economic growth in the digital age is powered by the ability to trust and authenticate our interactions and communicate and conduct business securely, both within and across borders.

Some of the most noted technologists and experts on encryption recently explained (PDF) that laws or policies that undermine encryption would "force a U-turn from the best practices now being deployed to make the Internet more secure," "would substantially increase system complexity" and raise associated costs, and "would create concentrated targets that could attract bad actors."  The absence of encryption facilitates easy access to sensitive personal data, including financial and identity information, by criminals and other malicious actors.  Once obtained, sensitive data can be sold, publicly posted, or used to blackmail or embarrass an individual.  Additionally, insufficiently encrypted devices or hardware are prime targets for criminals.

https://www.schneier.com/cryptography/paperfiles/paper-keys-under-doormats-CSAIL.pdf

The United Nations Special Rapporteur for freedom of expression has noted, "encryption and anonymity, and the security concepts behind them, provide the privacy and security necessary for the exercise of the right to freedom of opinion and expression in the digital age."  As we move toward connecting the next billion users, restrictions on encryption in any country will likely have global impact.  Encryption and other anonymizing tools and technologies enable lawyers, journalists, whistleblowers, and organizers to communicate freely across borders and to work to better their communities.  It also assures users of the integrity of their data and authenticates individuals to companies, governments, and one another.

We encourage you to support the safety and security of users by strengthening the integrity of communications and systems.  All governments should reject laws, policies, or other mandates or practices, including secret agreements with companies, that limit access to or undermine encryption and other secure communications tools and technologies.  Users should have the option to use -- and companies the option to provide -- the strongest encryption available, including end-to-end encryption, without fear that governments will compel access to the content, metadata, or encryption keys without due process and respect for human rights.  Accordingly:

* Governments should not ban or otherwise limit user access to encryption in any form or otherwise prohibit the implementation or use of encryption by grade or type;

* Governments should not mandate the design or implementation of "backdoors" or vulnerabilities into tools, technologies, or services;

* Governments should not require that tools, technologies, or services are designed or developed to allow for third-party access to unencrypted data or encryption keys;

* Governments should not seek to weaken or undermine encryption standards or intentionally influence the establishment of encryption standards except to promote a higher level of information security. No government should mandate insecure encryption algorithms, standards, tools, or technologies; and

* Governments should not, either by private or public agreement, compel or pressure an entity to engage in activity that is inconsistent with the above tenets.

Strong encryption and the secure tools and systems that rely on it are critical to improving cybersecurity, fostering the digital economy, and protecting users.  Our continued ability to leverage the internet for global growth and prosperity and as a tool for organizers and activists requires the ability and the right to communicate privately and securely through trustworthy networks.

We look forward to working together toward a more secure future.

Jacob Appelbaum, Collin Anderson, Matt Blaze, Paul Bernal, Owen Blacker, Eva Bognar, Sara Sinclair Brody, Eric Burger, Jon Callas, L. Jean Camp, Ronald Deibert, Lina Dencik, Thomas Drake, Dr. Suelette Dreyfus, David Evans, Jim Fruchterman, Arzu Geybullayeva, Mike Godwin, Matthew Green, Joseph Lorenzo Hall, Arne Hintz, Deborah Hurley, Birgitta Jonsdottir, David Kaye, Ephraim Percy Kenyanito, Eric King, John Kiriakou, Douwe Korff, Ryan Lackey, Susan Landau, Frank La Rue, Timothy Libert, Rebecca MacKinnon, Morgan Marquis-Boire, Maxigas, Bailey McCann, Andrew McLaughlin, Sascha Meinrath, Eric Mill, Katie Moussouris, Jacobo Nájera, Nikhil Pahwa, Chip Pitts, Jesselyn Radack, Jesús Robles Maloof, Phillip Rogaway, Marc Rotenberg, Bruce Schneier, ‘Gbenga Sesan, Micah Sherr, Adam Shostack, Barbara Simons, Norman Solomon, Tim Sparapani, Ritu Srivastava, Maria Swietlik, Nabiha Syed, Trevor Timm, Kenneth White, Meredith Whittaker


