Cryptographers and security experts gathered on the Hill yesterday to tell Congress how stupid it was to ban crypto in order to make it easier to spy on "bad guys."
The Electronic Frontier Foundation's roundup on the day's events has five key takeaways from the testimony:
1. Lawmakers are willing to throw the Constitution under a bus if it helps them fight the War on Terror. For example, here's John McCain: " I've heard my colleagues, with all due respect, talking about attacks on privacy and our constitutional rights et cetera, et cetera, but it seems to me that our first obligation is the protection of our citizenry against attack, which you agree is growing. "
2. Companies don't want to have to leave a key to their crypto under the doormat for "legitimate" spies to use. If the companies that handle your email and sensitive data are holding onto a key that lets them look at your stuff without your knowing it, they'll never be able to promise that your data is genuinely private.
3. Free/open source software is the elephant in the room. When crypto-deniers talk about banning strong crypto, they're inevitably talking about forcing companies to leave your data insecure. But much of the best in security comes from the free/open source world, and no one has any idea what to do about amorphous global collectives who make and maintain tools that would be untouchable by such a ban.
4. Cops and spies have no evidence that they need a crypto ban. Despite scare stories about criminals "going dark" through crypto, no one was able to present any hard evidence about criminals getting away with it because they were using unbreakable crypto. None. According to one DA, encrypted phones account for 0.1% of all phones seized in the course of criminal investigations — and he didn't testify that this got in the way of a conviction.
5. James Comey believes in sorcery. The hearings involved some bizarre moments for FBI Director James Comey, who is, weirdly enough, a cryptography denier: that is, he believes that cryptographers are lying when they tell him that they don't know how to make a security system that works against criminals, voyeurs and foreign spies, but that will let him and his pals in when they want to peek at our communications.
Some of Comey's choice remarks: "A whole lot of good people have said it's too hard… maybe that's so. But my reaction to that is: I'm not sure they've really tried." Also, "Maybe the scientists are right. Ennnh, I'm not willing to give up on that yet."
Multiple times during the hearings Director Comey admitted that he had no idea how to accomplish his goal of getting access to user data in actual practice, even going so far as to say "Don't listen to me if I suggest a technical solution." Instead, he insisted that he needs a way to get at encrypted data, and that he didn't care what method companies used to provide that access. He also said (as he has before) that he doesn't think providing that access will require a backdoor.
But saying that you want access to truly encrypted data without requiring a backdoor is like saying you want to travel to Mars without requiring the trip be via rocket. Sure, some ingenious person might invent a warp drive tomorrow that would allow you to do it—but nobody at NASA actually expects that to happen.
Similarly, no computer scientist or cybersecurity expert knows of a way to give Director Comey what he wants without weakening everyone's security. They've told him that. They've been telling law enforcement that for nearly twenty years. But despite this, Director Comey testified today that he doesn't think they've tried hard enough. He thinks that some genius in their garage in Silicon Valley might find a way to do it tomorrow. And Senator Mikulski said that she's sure the patriots in Silicon Valley will step up to help their country.
It's possible the same people who invented the cryptography our technology relies on are wrong. And it's also possible that the standard model of physics is wrong and a different genius will invent a warp drive tomorrow, too. But we're not going to hold our breath or stake our security on such a pipe dream.
Our Top Five Takeaways From Today's Hearings on Encryption
[Jeremy Gillula and Nadia Kayyali/EFF]
FBI Director Says Scientists Are Wrong, Pitches Imaginary Solution to Encryption Dilemma [Jenna McLaughlin/The Intercept]