NSA director Michael S Rogers says his agency wants "front doors" to all cryptography used in the USA, so that no one can have secrets it can't spy on — but what he really means is that he wants to be in charge of which software can run on any general purpose computer.
Rogers's proposal is no less stupid than the proposal made by UK Prime Minister David Cameron, but it's even scarier in that Rogers runs a highly technical criminal organization with state backing and a history of attacking the security of American computing infrastructure by deliberately introducing vulnerabilities into computers used by American citizens, businesses, and government.
There's no way to stop Americans — particularly those engaged in criminal activity and at risk from law enforcement — from running crypto without locking all computers, Ipad-style, so that they only run software from a government-approved "app-store." The world teems with high quality, free, open crypto tools. Simply banning their integration into US products will do precisely nothing to stop criminals from getting their code from outside non-US vendors or projects. Only by attacking the fundamental nature of computing itself can the NSA hope to limit its adversaries' use of crypto.
The split-key approach is just one of the options being studied by the White House as senior policy officials weigh the needs of companies and consumers as well as law enforcement — and try to determine how imminent the latter's problem is. With input from the FBI, intelligence community and the departments of Justice, State, Commerce and Homeland Security, they are assessing regulatory and legislative approaches, among others.
The White House is also considering options that avoid having the company or a third party hold a key. One possibility, for example, might have a judge direct a company to set up a mirror account so that law enforcement conducting a criminal investigation is able to read text messages shortly after they have been sent. For encrypted photos, the judge might order the company to back up the suspect's data to a company server when the phone is on and the data is unencrypted. Technologists say there are still issues with these approaches, and companies probably would resist them.
White House aides aim to report to Obama this month, though the date could slip. "We want to give the president a sense of what the art of the possible is," said a senior administration official who requested anonymity because he was not authorized to speak on the record. "We want to enable him to make some decisions and strategic choices about this very critical issue that has so many strategic implications, not just for our cybersecurity but for law enforcement and national security, economic competitiveness overseas, foreign relations, privacy and consumer security."
As encryption spreads, U.S. grapples with clash between privacy, security [Ellen Nakashima and Barton Gellman/Washington Post]
(via Hacker News)