[Cryptography] Statement from Attorney General William P. Barr on Introduction of Lawful Access Bill in Senate

[Phillip Hallam-Baker]

On Mon, Jun 29, 2020 at 3:11 PM Henry Baker <hbaker1 at pipeline.com> wrote:

> At 10:23 AM 6/29/2020, Jon Callas wrote:
> >Encryption has never been regulated internally for almost all purposes.
> (Ham radio can't use encryption, but that's not only just for radio, but
> internationally it was. Even here, there are complexities that I can't
> describe both succinctly and accurately.)
>
> A few years ago I looked into *actual armor* -- e.g., kevlar vests --
> and found (to my surprise) that kevlar vests were regulated.
>
> I thought that this was pretty stupid -- as vests might actually
> be a good idea in some neighborhoods -- and any restrictions are
> likely unconstitutional.
>
> After all, it's pretty difficult to kill someone by hitting him
> with a kevlar vest, so I'm not sure who I'm putting in danger
> from *my* wearing such a vest.
>
> I liken encryption to *defensive* armor -- e.g., kevlar vests --
> its hard to consider encryption as *offensive* -- the old saying,
> "sticks & stones may break my bones, but words will never
> break me".
>

The Aurora shooter used kevlar armor to make themselves invulnerable. The
result was a lot of dead people.

The second amendment is a local ordinance at best. And the interpretation
was changed radically by the Renquist court. Given the current state of the
country with confederate statues being toppled, the idea that the
established order must prevail seems rather silly. The folk toppling the
statues are the folk who are looking to reduce and constrain the power of
the police and they are the people winning at this point. Mark and Patsy
pointing guns at protesters in St Louis look like they are on the losing
side of history to me.

People are not really linking guns to crypto to protect crypto, they are
making the argument to defend an extremist position on gun rights that
consistently polls at 60% or less.

The NRA is currently on the verge of collapse due to a protracted
corruption scandal. That is not an organization that is going to wield
power or influence.

I don't argue about technical impossibility either, that is another losing
argument: I can build escrow features into my systems, in fact I have done
exactly that. If people are going to use strong encryption of data escrow,
they need escrow.


The argument I make is very different:

The reason the US has the government it does at present is that email is
insecure, James Comey grossly abused his office and Donald Trump colluded
with Russia to obtain political advantage from the DNC email attack.

The Democratic party cannot trust the FBI. Freeh colluded with Kenneth
Starr, Comey colluded with the Trump campaign. This is not the time to be
giving more power to the FBI. It is time to do what should have been done
in the 60s: Dismember the agency separating the Law Enforcement and
Counterintelligence functions. And since we are demolishing monuments to
racism, Hoover's name has to come off that HQ building.

Edward Snowden taught the NSA that it had been derelict in its duty to
defend the US against cyber attack. The lack of end-to-end security in
email, the fact that messages are stored in the clear on mail servers
allowed Putin and the FSB to change the outcome of the 2016 US Presidential
election.

Strong cybersecurity is in the US national interest. Ubiquitous deployment
of effective cryptographic security must be made a national security
priority.


I do have a technical argument as well but I am not going to lie about my
technical capabilities

What I cannot do is to cause people to forget how to use encryption
technology. Terrorists were using RSA to encrypt messages long before PGP.
In the 1980s there was certainly a tactical advantage in keeping competent
crypto out of their hands. But the information on how to do it right has
circulated freely for three decades and there is no shortage of strong
crypto available. All that governments can do is to deny access to crypto
to the general public.

Governments can put pressure on large corporations like Apple and Facebook
but they can't put pressure on private individuals living outside their
borders. Russia has been trying to shut down Telegram for years without
success.

The Internet is an international infrastructure. Does the US Congress want
me to add backdoors for Russia, China and Iran or just the 'good guys'?

Absent a global government, I can't see how an escrow scheme is going to
work in an open, standards based communications infrastructure. People are
not going to use applications with backdoors for governments that cause
them concern. They will choose other providers. And if 2016 taught the US
intelligence community anything it should be that Russia is rather good at
persuading US citizens to distrust their own government more than they
distrust Putin's dictatorship where elections are won by gunning down the
leader of the opposition on the streets of Moscow.

In short, don't argue about the technical challenges of building the one
ring. Instead focus on the impossibility of controlling it.


And stop using walled garden communications systems. Within five years,
Apple, Microsoft and Google will control the entire vertical stack from
silicon to device to application. So you only need to trust one party.

That same situation is going to put Apple, Microsoft and Google under
severe pressure from the US government, the EU. Other governments will not
be so polite, they will just try to infiltrate people into the teams that
might gatekeep whatever backdoors the five-eyes might achieve. If Facebook
is lucky, they may likewise be feeling the pressure but it looks rather
more likely to me that they will be taken to the woodshed as an example to
the others. Zuckerberg's super-power turns out to be making enemies of
every member of Congress, who knew?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.metzdowd.com/pipermail/cryptography/attachments/20200630/eb1034ba/attachment.htm>