[Cryptography] Who Is the Encryption Working Group?

Alfie John alfie at alfie.wtf
Thu Feb 20 08:04:23 EST 2020


Here's an article that popped up today:

https://www.zdnet.com/article/watchdog-ponders-tougher-independent-oversight-for-australias-encryption-laws/

From the article:

  Renwick rejected the idea that the encryption debate comes down to a choice
  between two binary opposites, however.

  He cited the comments by the "distinguished" Encryption Working Group (EWG)
  assembled by the Carnegie Endowment and Princeton University. EWG called for the
  debate to abandon two straw men.

  "These are, first, that we should stop seeking approaches to enable access to
  encrypted information, but second, that law enforcement will be unable to protect
  the public unless it can obtain access to all -- and I emphasise the word all --
  encrypted data through lawful process," Renwick said.

  As EWG wrote, "[These are] absolutist positions not actually held by serious
  participants, but sometimes used as caricatures of opponents."

The "not actually held by serious participants" is troubling. Having never heard
of the EWG, I looked them up:

  https://carnegieendowment.org/programs/technology/cyber/encryption

Here's an incomplete member list from their website:

	• Jim Baker - Former General Counsel, Federal Bureau of Investigation
	• Katherine Charlet - Program Director, Technology and International
          Affairs, Carnegie Endowment for International Peace
	• Tom Donahue - Visiting Fellow, George Mason National Security Institute,
          and former Senior Director for Cyber Operations, National Security
          Council, White House
	• Ed Felten - Robert E. Kahn Professor of Computer Science and Public
          Affairs, Princeton University
	• Avril Haines - Senior Research Scholar at Columbia University’s
          Columbia World Projects and former Deputy Director, Central Intelligence
          Agency
	• Susan Hennessey - Executive Editor, Lawfare, and Senior

Apart from Ed Felten, that's a few names there I wouldn't want to be on the same
list as...

Looking at the group's "Moving the Encryption Policy Conversation Forward" article
[1], it reads like the thin end of the wedge. I found the section "Branch 4:
Focusing on Approaches That Involve Key Escrow, Rather Than Delivery of Code Updates
to a Phone" chilling:

  "As scoped so far, there are two primary ways in which law enforcement could
  theoretically gain access to a mobile phone. One of these is to develop an
  approach involving key escrow, in which copies of encryption keys are held
  securely so that, in certain circumstances, an authorized third party can access
  them. The second would be for law enforcement to ask or compel service providers
  to send a uniquely designed software update that would enable law enforcement to
  surreptitiously access data on a specific, targeted phone."

Now remember... this is an organisation called the *Encryption* Working Group
brainstorming how to sidestep encryption?! I feel like they need to rebrand.

Is the EWG, at all, representative of the cryptography and computer security
community (i.e. "serious participants"), rather than the feeling I get that they're
a think tank backed by law enforcement trying to gain mindshare when articles refer
to them as "distinguished"?

Alfie

PS: I also wanted to raise this as a comment on the article, but it looks like
Stilgherrian (I'm guessing also a member of EWG given that he writes for them as
stated in the article) banned me for asking the following in the comments:

  As far as I can tell, Dr James Renwick CSC SC is not an Ombudsman in line with the
  definition of "Ombudsman" within the Ombudsman Act of 1976.

  Given "ASIO gave him access to all documents", it would be interesting to see if there
  was a breach of "317ZF Unauthorised disclosure of information"[2].

[1] Moving the Encryption Policy Conversation Forward
    https://carnegieendowment.org/2019/09/10/moving-encryption-policy-conversation-forward-pub-79573

[2] Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018
    https://www.legislation.gov.au/Details/C2018A00148

--
Alfie John
https://www.alfie.wtf


