[NewsPoster]

On the heels of Apple CEO Tim Cook's spirited defense of the general tech industry (and Apple-specific) trend of encrypting many types of user data on the television newsmagazine show "60 Minutes," a Republican senator again attempted to claim that encryption creates a haven for "child pornographers, drug traffickers, and terrorists alike." Senator Tom Cotton (R-Arkansas) accused the tech industry generally of resisting calls from authorities such as FBI Director James Comey for them to provide "backdoors" in their security that law enforcement can exploit.

The senator had no response to Cook's defense that backdoors in tech products create serious privacy and security vulnerabilities that are often subject to abuse by police and federal agencies, and that if such loopholes exist, they will be exploited by "bad guys" as well. Cotton instead took issue with Cook's contention that while Apple cooperates with authorities on lawful warrants, when it comes to encrypted data it cannot turn such communications over because Apple doesn't have the encryption key. "We don't have it to give," Cook said.

"While it may be true that Apple doesn't have access to encrypted data, that's only because it designed its messaging service that way," the senator replied in a statement issued today. "As a society, we don't allow phone companies to design their systems to avoid lawful, court-ordered searches. If we apply a different legal standard to companies like Apple, Google and Facebook, we can expect them to become the preferred messaging services of child pornographers, drug traffickers, and terrorists alike -- which neither these companies nor law enforcement want."

Apple declined to respond to the senator's remarks, but has maintained that it cooperates where it can with legal search warrants. In recent televised debates, a number of Republican candidates have said that they support forcing technology companies to institute "backdoors" in encryption for the benefit of law enforcement.

Democratic candidate Hillary Clinton said in the most recent Democratic debate that she would like to see further study and proposals on how to balance law enforcement requests with privacy rights enshrined in the Constitution, though she indicated she is against the "backdoor" approach for the reasons Cook outlined. Senator Bernie Sanders was not given the chance to address the security question Clinton and third candidate Maryland Governor Martin O'Malley responded to, but has a track record of opposing mass surveillance measures, and is likely in line with Clinton and O'Malley on the topic of encryption.

[prl99]

These members of Congress need to take a basic class in computer security because many of them haven't the faintest idea how anything works, especially encryption. All it would take is for one of them to be hacked and have all their dirty little secrets exposed for them to get off the terrorist bandwagon and regain some sanity. Honest people need their data secure and this is what would be taken away.

[Mr. Strat]

Politicians have no clue when it comes to technology.

[Inkling]

Don't take the tech industry's professions of concern about security seriously. It'd have been trivial as far back as the late 1990s, to add a standardized public-key encryption to their email software. The first exchange of emails would set up the encryption, after that every message would be reasonably secure. That's the giant security hole in all our lives and about that they have done nothing. All this chatter about encrypting data on our smartphones is a distraction. Even if there's an easy hardware backdoor, they've got to find someone and grab their phone. In my more cynical moments, I even suspect Tim Cook and the others are reading one set of lines from a common script and federal authorities the other. Remember that Rule One in spying on communications is giving your foe the impression they are secure. This suspiciously loud fuss does just that.

[Charles Martin]

In point of fact Inkling, emails using an iCloud.com email address (and the legacy related names, like mac.com) are encrypted. Apple can, if a warrant is served, deliver some metadata on the emails (like when they were sent and to whom) but not the content.

Public-key encryption was long ago rejected as too difficult/undesired by typical users -- you must set up an encryption key with EACH AND EVERY person you want to have encrypted email with -- there aren't many people willing to do that, even though it's been freely available as a plug-in to various email programs for decades. It's too complicated. Back in the day, I tried to get people to use PGP, that was pretty hilarious in hindsight (and still is).

Wholesale, end-to-end encryption is the best approach so far, and I'm grateful to Apple for offering it and making it as automatic as possible.

[arkansasvoter]

As one of his (unhappy) constituents, I respectfully request that Sen. Cotton clarify what he means by "backdoor".

http://www.theblot.com/anti-gay-congressman-tom-cotton-advertises-gay-hook-app-7727578

[Steve Wilkinson]

I think Comey already laid out the plan Hillary seeks... end-to-end encryption, but going through a service where it's unencrypted in the middle for government access. No back-door. They are going to push and incentivize for that to happen within the tech industry... and of course, since they are granted immunity, who knows if they are even telling us the truth about whether they are involved or not. And, there are $billions worth of funds available to 'compensate' the companies if they cooperate.

[Steve Wilkinson]

BTW... if anyone cares what is going on with all of this stuff, Congressional Dish is a podcast where all the major bills are covered (and, you'll find that it's so messed up, it's probably worse than you can imagine). And, the recent episode of No Agenda podcast (#783) also starts covering this at about 1:30:30 in.

[Charles Martin]

Steve: thanks for the link, but the problem with the plan the government/Comey wants is that if anyone has the decryption key, everybody that wants it has it. That's just another "backdoor," and at least for now Mrs. Clinton is saying no to that option. I suspect a more viable option is that once an individual is identified as a target through other means and one of those FISA warrants is issued, that person's iMessages and email and such are no longer encrypted in a way that doesn't have a method of decrypting (a lower encryption standard), but that could be happening now for all we know ... Comey has kind of piped down of late ...

[besson3c]

Originally Posted by Inkling 

Don't take the tech industry's professions of concern about security seriously. It'd have been trivial as far back as the late 1990s, to add a standardized public-key encryption to their email software. The first exchange of emails would set up the encryption, after that every message would be reasonably secure. That's the giant security hole in all our lives and about that they have done nothing. All this chatter about encrypting data on our smartphones is a distraction. Even if there's an easy hardware backdoor, they've got to find someone and grab their phone. In my more cynical moments, I even suspect Tim Cook and the others are reading one set of lines from a common script and federal authorities the other. Remember that Rule One in spying on communications is giving your foe the impression they are secure. This suspiciously loud fuss does just that.

And what would these companies do when their customers inevitably lose their private keys?

[besson3c]

Originally Posted by Charles Martin 

In point of fact Inkling, emails using an iCloud.com email address (and the legacy related names, like mac.com) are encrypted. Apple can, if a warrant is served, deliver some metadata on the emails (like when they were sent and to whom) but not the content.

Public-key encryption was long ago rejected as too difficult/undesired by typical users -- you must set up an encryption key with EACH AND EVERY person you want to have encrypted email with -- there aren't many people willing to do that, even though it's been freely available as a plug-in to various email programs for decades. It's too complicated. Back in the day, I tried to get people to use PGP, that was pretty hilarious in hindsight (and still is).

Wholesale, end-to-end encryption is the best approach so far, and I'm grateful to Apple for offering it and making it as automatic as possible.

Is iCloud email actually encrypted, or does it just require the key to access in plain text?

PGP works differently than a simple key pair based authentication works, as PGP supports a concept of a circle of trust to specify who can decrypt the info. The problem to me is that requiring only the public key to decrypt (and requiring both key pairs to encrypt) seems backwards - you'd want to require both to decrypt, but private keys aren't meant to be distributed. This is a valid use case for PGP with the circle of trust, but as you've pointed out there are many usability issues with this.

I think you could solve this with key storage provided by a web service, but who would be trust worthy, why, and how would they earn a profit?

[Mike Wuerthele]

Ironic that Clinton is speaking about email security.

[garmonbosia]

"Ironic that Clinton is speaking about email security."

How so Mike? Her emails were just as secure as if she had used a state dept. server.

[thinkman]

Using "Republican" and "attack" in the same sentence is redundant!

[Steve Wilkinson]

@ Charles - Yes, it's technically a back door of sorts, but not in the traditional way. It would be happening directly at the service provider and only available there. So, aside from the government, or possibly employees at that service provider, there would be no back-door. So, I suppose with a clause in the ToS, they could still talk about end-to-end encryption and no back doors, but provide the government what they want as well.

I think that's why we're hearing all of these politicians, who seem to have no clue about tech, talking about seeing no reason why we can't have both strong encryption, no back doors, but government access... it's technically impossible without some kind of fudging as outlined above. But, that they think it's possible, probably indicates what is really going on behind the scenes.

And, again, the government is going to give them legal immunity, and pay them bunches of money... how much do you trust big corporations regarding the honor system or 'doing the right thing' when that kind of thing is involved? Me, not so much.

BTW, the USA now has CISA... it went through in the Omnibus budget bill, along with a bunch of other really bad stuff (and a few potentially good things too). Jen @ Congressional Dish just covered it in the recent episode, and is going to cover CISA next week.

[Steve Wilkinson]

@ garmonbosia

Two separate issues... but that's a fair point given the government track record on IT related stuff.

[quebit]

I wonder if Tom Cotton applies the same logic or rigour to "gun control" as he does to encryption .... I wonder what his "backers" would say if he demanded that same scrutiny from gun companies .... Like maybe running a federal registry with background checks, and audit lists and "hidden subpoenas" etc .... Yeah I think not. Campaign contributions ???? Oh yeah, baby .... keep those coming. Tom Cotton is a total douche.

[Steve Wilkinson]

@quebit - Exactly! The problem is, though, it's pretty hard in the USA, no matter which major party one might decide on, to get any kind of reasonable logic or rigour. Until there is a viable third-party, reasonably separated from the baloney and bribery, either party is much of the same thing, just screwed in a different variation. (Economics, corruption, war machine, oil pipeline 'interests', government control, corporations over the people, eroding of rights, etc. they're all mostly hand-in-hand.)