Hacker News
No One Should Have That Much Power (mnot.net)
64 points by todsacerdoti on April 29, 2024 | 41 comments


> Law enforcement has more power than ever before because of digital technology.

When a fraction gets larger overall, and both the numerator and denominator have changed, it can be difficult to say which quantity is to blame.

Digital technology has given potential bad guys new powers too: you can get radicalised online, you can download bomb-making manuals (over TOR, if you have any sense), or you can get involved in phishing and ransomware and crypto rug-pulls and other cybercrime that wouldn't exist without technology. In some ways, law enforcement has much less power than ever before.

That does not automatically mean I'm for, or against, any specific bill. But it does mean that an intellectually honest pro-privacy answer has to acknowledge this and then make an argument why the benefits of end-to-end encryption outweigh the risks - which, personally speaking, I don't think is that hard an argument to make.

(Part of such an argument might be that, in areas where law enforcement has less power than before, it's because the crimes involve people or servers outside of their jurisdiction. Banning e2e whatsapp from e.g. one US citizen to another would do precisely nothing about that.)


>you can get radicalised online

Great. Ted Kaczynski and a host of other malfeasants were radicalized through books and philosophy but we didn't turn public libraries into listening posts or start banning books wholesale. since there's no tangible KPI it can also be argued most netizens do not get radicalized online. the best defense against radicalization is education and open discussion. prevention, instead of detection.

> you can get involved in phishing and ransomware and crypto rug-pulls and other cybercrime that wouldn't exist without technology.

confidence art is a tale as old as time itself. that somehow because criminal activity takes place online I am supposed to hand a duplicate key to all my locks over to the state is a pretty weak argument.


Your moral outrage is not a convincing argument to those who would consider the authorities having a master key.

Technology _does_ give criminals and terrorists new avenues and techniques to commit harm.

If you want to convince people who think "well I have nothing to hide from the authorities and I'm scared of terrorists so I'd prefer authorities be able to read what they need to keep me safe" then you need a stronger argument that acknowledges how technology also enables nefarious ones.

Because ultimately those are the people you have to convince, as there's a lot of them and they're ready to vote in favour.

Moral outrage just gets those of us who agree nodding along.


I'd argue no, ultimately the voice of cowardice and ignorance does not deserve equal vote. A child understands a kitchen stove, but isn't given wholesale authority to ban them when they're burned.

people who cannot understand the implications of security outside of rare events and pop culture should not be invited to participate in the legislation of its outcome. it's how you wind up with things like the TSA.

I acquiesce the reality of democracy is something entirely different though.


> acquiesce the reality of democracy is something entirely different though.

aye there's the rub


I think you missed the main point of my argument.

I am not, in the post, claiming either that we should or should not create a magical duplicate skeleton key. I am claiming that a rigorous argument against creating such a key would have to take into account online crime as it exists today, and argue why we still shouldn't attempt to create a back-door marked "good guys only". There are many forms this argument could take: that the back-door would be useless for its intended purpose; that the harm would outweigh the benefits; that it would be unconstitutional etc. etc.

The one argument I will not accept _against_ a back-door is that online crime is not a real problem. This just hands the pro-back-door community a massive stick to beat the other side with.

By the way,

> but we didn't turn public libraries into listening posts

As far as I know, my local library doesn't have Al-Qaeda's Inspire magazine, nor The Anarchist's Cookbook. I haven't checked for sure though, just in case it is in fact a listening post - people have landed on no-fly lists for stupid reasons before now.

(Weirdly enough, during the Cold War, Switzerland quite officially published a book called Total Resistance (Der Totale Widerstand) and made it available in at least some public libraries. It was basically a manual of "how to become a ~~terrorist~~ resistance fighter if the Soviets invade".)

> confidence art is a tale as old as time itself

That is entirely true, but it seems to me there's a lot more of it around since the internet made it a lot easier to get in the business.


On the topic of "outside of their jurisdiction", one method used by overseas scammers is spoofing phone numbers to make calls and SMS messages appear local, providing at least an initial layer of legitimacy.

How (the actual fuck) can telecomms companies not have this under control? (I know it has to be much more complicated than I could fathom, but on the other hand, are they not in control of their own networks? If not, that's pretty scary given the telecomms industry is both highly profitable and powerful).

This problem doesn't need a master key, it needs appropriate regulation to bring said telecomms companies slightly further away from a status of complete dereliction of duty.


I've read some articles on how international phone systems "work", and it blows my mind how crappy and wild-westey it is.


Spam SMS is also an entrypoint into a target's phone for spyware/tracking purposes, eg Pegasus.

Perhaps the powers-that-be would prefer to retain that possible entrypoint, and thus have no incentive to resolve the spam "problem".


Digital technology, maybe specifically the internet, has made it ridiculously easy to masquerade surveillance as convenience.

Email is convenient. It also means a handful of companies have direct access to a mountain of unencrypted messages.

Social media is convenient. It's also an excellent way to track people, as well as influence and even silence them.

Wearable devices and smart appliances are convenient. Again, though, they quite often come with poor security measures and collection of data that people would be shocked by if they ever actually saw what was collected.

"We promise Alexa only listens when you say the right phrase." Just don't ask how it knows when you say it without first listening.


Amazon Alexa is no doubt a great microphone but it’s also an exceptional bastion host for Amazon. And probably a great malware delivery device. I found out Alexa let me know my printer was running low on toner. So if it can do that it can spy in a lot of other things.


I don't think it's "spying" so much as reading the information supplied by the IPP enabled printer that's on the network. The printer readily supplies that information, the Alexa isn't really snooping. If anything, the printer shouldn't be supplying information across the network that readily - I know I turned off a lot of my printer's capabilities because I have no desire to let people use it outside of my local network.


I think the point is that Alexa is actively scanning the network for that information, which begs the question what else is it scanning for, or might in a future automatic update?


Fair enough. It would be prudent to assume that your Alexa is actively looking for whatever open information is supplied by devices on your network, especially information that has been announced as being supported by Amazon[1].

[1] https://www.amazon.com/b?ie=UTF8&node=19820259011


Add two more: search history (Google, and now, AI/chatgpt) and codebase repositories


It is not "for our safety". They have used it, to name a case, for commercial secret stealing, like they did with Petrobras a decade ago https://www.huffpost.com/entry/nsa-spying-on-petrobras-f_b_3...

It can and it is abused, both in a systemic way and in individuals and companies in that ecosystem. That probably is the main goal, surveillance didn't act to protect in some big events that they knew in advance because "priorities".


All the other arguments aside, this one is I think often repeated but I have never seen a single shred of evidence for it.

>"These ‘solutions’ also ignore the reality that the ‘bad guys’ will just use other tools to communicate; information is information. That will leave law abiding people giving up their privacy and security for little societal gain."

Bad guys are often enough astonishingly stupid, and even smart people have horrible security practices on the regular. There's no indication to think that huge crime rings would not leak enough information if encryption is systematically undermined to give law enforcement significant leverage.

And even if you take at face value that the bad guys start to evade measures, that has big drawbacks itself. One case that came to mind was the bust of an international crime syndicate by US and Australian intelligence because they supplied the literal app that the syndicate thought was anonymous. (https://www.washingtonpost.com/world/2021/06/08/fbi-app-arre...). If you drive criminals into a sort of underground ecosystem that by itself can be very powerful because you're effectively funneling them into a pool.

Centralized law enforcement and intelligence with the talent and tech it has available almost certainly stands to benefit from having access to communications in terms of effectively attacking crime.

And when someone ignores this to support their argument it always makes me think less of the whole debate because that's just an indication that you're trying to deflect from the thing a lot of people will be persuaded by.


Bruce Schneier famously said: "Every time you use encryption, you're protecting someone who needs to use it to stay alive."

If we assume that the government can monitor all of the people some of the time, and some of the people all of the time, but not all of the people all of the time, then the whole e2e debate appears in a new light.

> Bad guys are often enough astonishingly stupid

I am told that Al-Qaeda once (post 9/11) considered using some AES-encrypted messaging system, but rejected it on the grounds that if the infidels had designed it, they could presumably read it. Instead, their own "secure messenger" launched with basically a monoalphabetic cipher based on the Arabic language. The NSA just needed to track down everyone using that particular app (probably one of their easier operations!) and then they could read everything said over that channel as an added bonus.


This is the premise of Sneakers[1], my favorite hacker movie, where a pen test team is hired to steal a hardware module that can defeat any encryption system.

Sidney Poitier’s character Donald Crease has an apropos line: “There isn’t a government on the planet who wouldn’t kill us all for that thing”

1. https://youtu.be/G_XRqJV2zdk


Not to say he's wrong but just to put this on the other side of the coin, having access (via due process) to digital records would also make for extremely powerful law enforcement in the way it was intended. Meaning we'd be able to enforce the law much more effectively. And it would likely apply to some of the most serious crimes like organized crime and terrorism.

My other counterpoint would be looking at the Cold War. The Gestapo ran the most notorious police state in history and they did it in a country where many people didn't even own a telephone. The division between use and abuse is much more about political will than technology.


Even if this is cause for hope in the short-term, it continues the unsustainable division in society of an "us" and a "them", where one party is responsible for law enforcement (and for that matter, the application of justice) and the other is not.

Presently, the United States is still in a more than century-long process of dismantling a slave-and-plantation economy, which is upheld only by the application of justice being misused to buttress it.

Plantations will continue to masquerade as correctional facilities until the monopoly on justice is dissolved and fundamental functions of society - especially law enforcement - become a universal purview rather than belonging only to "them" or "us".


> the unsustainable division in society of an "us" and a "them"

Assuming we've zoomed in on the US in particular that division doesn't seem to be increasing except in people's heads. We have more unfiltered access to our representatives than ever. Even law enforcement abuse has been worse at every point in history before now. The difference in sentiment is largely due to higher expectations. Which isn't a bad thing at all I'm just saying we're mostly on a positive trajectory.


The challenge there is that we've yet to find a way to make sure law enforcement actually has good reason to search digital records first.

It's a surprisingly common practice for police to collect evidence in ways that aren't admissible only to use that as justification for a search. Digital makes that much worse, and centralized digital with a handful of massive corporations holding the data again compounds the risk.


Actually, this is a great pro argument for E2EE: It acts as a bulwark against illegal searches - not only by law enforcement, but by any intermediaries.


Absolutely, IMO it's one of the best arguments in favor of E2EE. Law enforcement could still seize the data, but only by accessing my copy of it directly and presumably by going through proper legal channels. If nothing else, there's only one (or a few) points of failure, much like paper copies of anything in the past.


> only by accessing my copy

You're still taking the perspective of "what if they come after me" which is highly improbable. And not the "what if they can't go after someone who has wronged me". I'm not saying that should flip your point of view, just being aware that it's a trade-off.


That does assume that I'm more likely to be the victim than the perpetrator though.

I've seen various studies (and unreferenced claims) about the idea that we regularly break multiple laws every day without realizing it. Allowing law enforcement more access to various parts of my life requires that I trust they won't come after me for something that is technically illegal but currently rarely enforced.

There is also the risk that what is legal today is not tomorrow. That's no small risk given the potential outcomes depending on who is in power later on.

I hope I don't come off argumentative here, that's not my goal but text alone is pretty limiting sometimes. I get your point and it is a good one, I just personally am more concerned with the risks of what could be used against me than having an authority protect me.

I'm also a bit biased here. I live in an unincorporated area and, unless some real shit is going down, if I call the police they may show up tomorrow.


I've had my house raided, and $10k worth of gear taken by law enforcement, which they kept for 8 months, finding nothing, then I got to go and pick it up.

My perspective is permanently in "what if they come after me" as a result of this.

However, even prior to that incident, I've believed that violating the rights of an innocent party is a worse outcome than not being able to access incriminating data of the guilty.


>Meaning we'd be able to enforce the law much more effectively.

There is no technical or practical barrier to enforcement of most relevant laws.

The primary barrier for such enforcement is the same that causes so many and so vague laws to be created, political will.

Universal enforcement is not the purpose, selective enforcement is.


>No one should have that much power, because messaging and other encrypted services have become people’s memories, their casual hallway chats, their intimate whispers. Yes, there is longstanding legal precedent for searching someone’s papers and home, but the barriers to doing so are considerable – not just those imposed by law, but also physics.

I agree with most of the article, but I think it is important to acknowledge that technology has also enabled many things that were previously impossible.

A "casual hallway chat" or "intimate whisper" across countries and between thousands of participants was previously impossible.


It’s amazing (or scary) to see how much power any government in the world has these days.

Some of them are trying to get even more power with CBDC.


I'm concerned when either a government or a company has too much power.


I don’t entirely agree with the closing statement, simply because asking police to ‘just police harder’ doesn’t involve breaking any fundamental mathematical laws, and so isn’t on the same level as asking cryptographers to ‘just nerd harder’ and create encryption that’s always breakable by ‘the good guys’ but never by ‘the bad guys’.


I actually agree with the statement, as the feeling I get is that police have been doing the opposite (ie. policing less hard) instead relying on 'the wonders of technology' such that the actual attributes of good police and investigators are atrophying with disuse.

Surveillance technologies are providing a tidal wave of additional data points at a rate that's too fast for even humans of average intelligence (if not inclined towards technology, mathematics, or statistics) to be able to properly comprehend the nuances and gaps and potential for counter-evidence.

They have far fewer pieces of the puzzle than they think, but appear to conduct themselves with the bravado and arrogance of having solved the entire thing.

"Evidence for" gets their stats up, "evidence against" helps the guilty escape justice...


>Surveillance technologies are providing a tidal wave of additional data points at a rate that's too fast for even humans of average intelligence

They can, and probably are, using AI to "police harder" as well.

Even metadata can be very powerful evidence when combined with AI.

https://www.youtube.com/live/ysi1aIY4NkU&t=433

ASIO chief Mike Burgess (youtube transcript manually corrected, hopefully I didn't miss anything):

>I can confirm that ASIO has been using artificial intelligence for many years now. It's not replacing our people, it's augmenting and assisting them. As one example the vast amounts of data being produced every day means that finding a critical piece of intelligence is less like finding a needle in a haystack than looking for a needle in a field of haystacks. AI makes that process easier and faster, it can identify worrying patterns and relationships in minutes and hours, rather than weeks and months.

>Unlike our adversaries, Australia's use of artificial intelligence is strictly controlled and governed by ethical controls. We put humans at the center of our decision-making. While a process might be data driven and technology enabled it will always be human led.

>AI is a case study in inherent tensions between technology and security. While new technologies can deliver rich evidence they can also be exploited. As I said earlier terrorists and spies are early adopters. We see the same thing with end-to-end encryption

I'm not sure what he means by "AI can be exploited" here, in the context of when it's being used to filter all the surveillance data.


Goodhart's law in action. When conviction count becomes a target, it ceases to be a measure of the quality of the policing work.


the thing about "nerd harder" is that policy makers will pay the liar/fool who claims they can do what others say can't be done, thinking "here now is someone competent"


"If your end-to-end encryption won't provide me a backdoor, I'll find one that does!"

Relevant quote:

"The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia" - ex Australian Prime Minister Malcolm Turnbull


The banning of TikTok is a first step. The government and elites don't like NOT having the monopoly on persuasion. Telegram, Signal and X will follow.


> X will follow.

Twitter censors on behalf of governments all over the world. What on Earth makes you think that it's some bastion of resistance?


> Our hero has to stop this key from falling into bad people’s hands, or recover it before it’s too late. Perhaps at one point they utter something like the title of this post. You walk out of the theatre two hours later entertained but wondering why someone would be silly enough to create such a powerful artefact.

To the degree that this is the driving metaphor of the rest of the post, I'm inclined to suggest that there is cause for hope:

While the legacy states argue about what they call "policy" (meaning, the outcomes of their legislative and judicial proceedings), the focus of an increasingly vibrant, thoughtful, and massive part of the human condition is instead focused on the actual machinery of human communication.

In other words, the policy decisions of states ultimately can be relegated to a fairly small degree of influence - and, if we wish, complete irrelevance - in the face of how the internet _actually works_. To utilize the metaphor: the battle for our hero - and I realize this might be less exciting - is becoming much more about living in a world where such a "key" is impossible, rather than a harrowing action journey to stop it from falling into the wrong hands.

End-to-end encryption is extremely commonplace now. Even if you find yourself disappointed at your friends who still insist on voyeurism in the form of plaintext SMS conversations, consider that even a decade ago, few of your friends even used signal or telegram or whatsapp. Two decades ago, none.

> Law enforcement has more power than ever before because of digital technology. They are able to collect, process, summarise and track much more efficiently and at much greater scale...

While the alarm of these matters is proper to raise (I think we all agree on that?), I'm not sure this degree of pessimism is warranted.

The proliferation of cameras has made perjurious practices by cops - once a normal and integral part of their self-promotion - quite difficult. Similarly, the easy availability of textual representations of legal and constitutional protections has given people a much firmer leg to stand on in refusing to answer questions or consent to searches. Finally - and perhaps most importantly - the entire existence of professional law enforcement (and prisons) as the legacy of a plantation economy has become common knowledge, and scholars who have been documenting this transition are no longer working in the dark.

I think we're closer to ending this silly experiment - and finishing the incomplete abolition that stalled in the 1860s - than we have been since the US civil war. In fact, I think it's entirely possible that my 8 year old will be able to live in a world where there is no special access to badges and guns by state agents, and where peace and justice become everyone's responsibility.

And on that topic, I wrote a piece a while ago addressing many of the same issues as TFA, but from the perspective of a parent of an information age child, and the importance of strong encryption for kids in particular:

https://web.archive.org/web/20210522003136/https://blog.nucy...



