back to article 200 experts line up to tell governments to get stuffed over encryption

A group of 200 experts have urged the world's governments not to introduce backdoors into encryption products in an open letter posted Monday. The group, which includes Amnesty International, Human Rights Watch, the Electronic Frontier Foundation (EFF), the American Civil Liberties Union (ACLU) and CloudFlare among many others …

  1. David 45
    FAIL

    Go for it!

    Probably won't make a scrap of difference though. It's still revolves around idiot politicians who don't have any tech. savvy not listening to people who have, and actually have the know-how to predict what sort of effect this might have. I despair.

    1. Anonymous Coward
      Anonymous Coward

      Re: Go for it!

      Just means open source end-to-end encryption will become the default. Idiot politicians will, of course, try to outlaw that.

  2. asdf

    Let me get this straight

    Silicon Valley: Violating user privacy should be a business model not a tool of governance. Ok got it.

    1. This post has been deleted by its author

      1. asdf

        Re: Let me get this straight

        I agree (edit: changed my post above so sorry if things seem out of context) I mean if a point helps your bottom line and is good PR then win win baby. Nothing like being on the side of privacy just as long as its not paid for by someone. I hope Apple (yeah privacy now costs a premium) is actually being the champion somewhat on this as its obvious Microsoft is apeing Google more than Apple these days. Yes Android can be very open and privacy friendly with know how but that sure isn't what Google and its ilk are delivering out of the box and under warranty (which tends to go away if you want privacy).

        1. John H Woods Silver badge

          Re: Let me get this straight

          @asdf - apologies, I deleted my earlier comment because I thought I was being unnecessarily pedantic and I actually agreed with you. Unfortunately that then 'orphaned' your reply, apologies :-)

    2. Anonymous Coward
      Anonymous Coward

      Re: Let me get this straight

      PR smoke screen. This is where you're supposed to forget that all these tech companies are PRISM members, and that they're still serving up so called "meta data" which is actually just personal data.

  3. Trigonoceps occipitalis

    Request Key

    Public Key Cryptography was invented twice, once by CESG who kept it secret and then by PGP who published. Is the fuss made by the various government tentacles some way to condition us to a new concept of "Safe Back Doored Cryptography" - for low values of safe of course? Is there a system in the wings?

    My mathematics is no where near good enough to assess any new SBDC system but I just can't get over my gut feeling that a back door is open to any who obtain the secret no matter how complex, obscure or protected. Evidence to date is that the secret will leak or be discovered.

    In any case it has proven difficult enough to implement cryptography that is supposed to be built without a back door. Given that the UK authorities, at least, can demand keys from suspects why bother with SBDC.

    SBDC is, of course, an oxymoron.

    1. phil dude
      Boffin

      Re: Request Key

      Well here is a good rebuttal on the general point.

      If you are referring to the "shared keys idea" that was put around, it was very well written. Competent mathematics. And terribly naive. Any component not in your direct control that can be used to expose the cleartext, is by definition a backdoor.

      As it stands the state of mathematics requires some *large* measure of effort to break a properly encrypted message. If done *carefully* it is possible to say "No known method is efficient enough to decrypt a message before the heat death of the universe"*

      An encryption algorithm is only effective if t(E(x)) << t(D(E(x))), where x is the cleartext, E(x) is the encrypt algorithm, D(y) is the decypt algorithm and t(z) is the time for the computational process z.

      If any function B(E(x)) exists that has t(B(E(x)) <= t(D(E(x))), then E(x) is not considered an effective encryption algorithm, since D(y) is obviously obsolete, and cleartext x can be obtained more easily using B(E(x)). (B(y) is the backdoor function).

      Currently, t(B(E(x))) >> t(D(E(x))) for algorithms such as RSA, they are considered secure*.

      The problem is that the mathematically illiterate and politically expedient "wish" that t(B(E(x))) could exist and have the property ~= t(D(E(x))).

      Which makes any encryption algorithm worthless.

      Does that help?

      P.

      *Quantum computers not being real, yet...

      PS. El Reg, MathML? Latex? Please?

      1. Anonymous Coward
        Anonymous Coward

        Re: Request Key

        Does that help?

        Using a pseudo mathematical syntax for something that can be expressed in plain English doesn't make it easier to understand, so no.

        1. phil dude
          Coat

          Re: Request Key

          That was the whole point. Any encryption scheme has these properties, the "pseudocode" is how many algorithms are framed.

          Alice and Bob will be please to get the day off.

          P.

      2. cbars Bronze badge

        Re: Request Key

        I agree with Credas, and just to be pedantic, I think you also need to state that

        D(E(x)) === B(E(x))

        Otherwise; here is a function which won't render the encryption meaningless:

        B(y) = y/2

        And it would still satisfy

        t(B(E(x))) <= t(D(E(x)))

        I reckon. But I don't work in crypto.

        1. phil dude
          Joke

          Re: Request Key

          @cbars, I bow to your superior pedantry...

          P.

    2. Oengus
      Flame

      Re: Request Key

      "SBDC is, of course, an oxymoron."

      Intelligent politician is of course an oxymoron

      SBDC is perfect for political types... Most politicios are just plain morons especially when it comes to anything technical.

  4. Vector

    Horses in Barns

    The interesting "Streisand Effect" of this debate is that it has highlighted the importance of encryption to the very people that all the security agencies deem most dangerous and in the most need of surveillance. The net result is that regardless of whether those agencies get their backdoors or not, the people they most want to spy on will now find the resources to encrypt for themselves even if Silicon Valley caves to the demands. So the rest of us will end up less secure for little gain (ie, the stupidest of criminals).

  5. John H Woods Silver badge

    "Is there a system in the wings?" -- T. occipitalis

    Doesn't matter - the bad actors won't use it. If I can post random thoughts on Facebook I can communicate in code with any system of my choice without anyone apart from the recipient being aware of the hidden content. If I am allowed to post photographs I have taken, that content can be of quite significant size.

    "Given that the UK authorities, at least, can demand keys from suspects why bother with SBDC"

    Because you can't dragnet; That is the whole motivation here. Even with unbreakable encryption they can hit known targets through a variety of old school and technological measures; what they want to do is monitor everyone, all the time, just in case.

    1. Paul Hovnanian Silver badge

      "Given that the UK authorities, at least, can demand keys from suspects why bother with SBDC"

      "Because you can't dragnet;"

      You also can't monitor a subject without their knowledge. Back in the 'old days', when Google, Microsoft and others managed encryption keys on our behalf, security services could ask them for the key with a warning not to tip the suspect off. Now, with end-to-end public key encryption, the only one in possession of the decrypt key is the subject. Asking for the key might get previous messages decrypted. But at that point, the game is up. The subject will change keys and/or communications methods. If the messages to date are not sufficient to secure a conviction, the surveillance has been blown.

      Not that this is all bad. The police work has to be done in advance to be relatively certain that you've got the right person.

      1. John H Woods Silver badge

        "You also can't monitor a subject without their knowledge" -- Paul Hovnanian.

        I disagree: sure, using 'hand-over-the-key-or-else' legislation does have that consequence. But keyloggers, key stealing, shoulder-surfing, bugging devices, etc. can all be used to monitor a subject who is using strong encryption without having to either attack the crypto or let the subject know that they are being watched. Endpoint compromise is effective against everything, even quantum crypto.

  6. Pseudonymous Diehard

    If they backdoor encryption

    Does that mean cryptocurrency gets backdoored too?

    Perhaps thats the goal?

  7. John H Woods Silver badge

    What 200 experts should really do ...

    We need an audited, open-source, secure, traffic-analysis resistant system, impervious to blocking and denial of service.

    This is problematic, because it would be of use to terrorists, but any remotely competent terrorist can do this stuff anyway and, as we have seen, they don't even have to: it seems they can be on everybody's watchlist, pretty much announce their intent publicly and still commit atrocities before being intercepted.

    Such a system would kill, once and for all, the technically ignorant idea that all communication can be policed, as we would just say --- look, what's the point? Bad actors can always use System X.

  8. David Roberts

    Anyone remember Jam ECHELON day?

    The basic principle being that ECHELON was known to intercept communications and search for key words so a day was nominated to flood communications channels with as much traffic as possible with as many keywords as possible so the system would be unable to cope.

    We already know that the TLAs cannot process the level of (non-encrypted) intelligence they already gather in any meaningful way so providing a back door into encrypted communications isn't going to solve the current problems any time soon.

    There is already a huge amount of background noise from SPAM and social media to obscure any meaningful traffic in clear.

    So one response to mandated back door encryption would be to roll over all the currently "clear" traffic to use the new wonder safe but transparent government approved encryption method.

    Presumably perfectly legal unless someone wants to pass a law that only illegal traffic can be encrypted.

    Meanwhile content encrypted on your computer (as with encrypted content in email messages) and not using the new back door method should be nicely indistinguishable from mundane traffic.

    Online banking would, of course, remain a concern.

    I assume the real aim is to ensure the collection of meta-data from the session and not to gather/inspect the content but if all traffic is encrypted by default this may increase the load on the snoopers with no real benefit. Then again, most web sites these days apart from El Reg seem to be going to HTTPS so we may be partly down this route. Is the main concern mobile Apps which can establish secure tunnels between handset and server without the traceability of HTTPS sessions?

    Given the current tools and skillsets it shouldn't be too hard to develope a "Crimchat" App which is opaque to interception.

    Which I suppose brings me back to the start. If mandatory back doors are implemented then perhaps everyone should install a copy of "Crimchat" in protest.

    [I think Apple and WhatsApp at least may already be ahead of the game here.]

  9. Old Used Programmer

    Give 'em what they want...

    Let the LEOs have all the encrypted data traffic they want. (They're doing that now, anyway.) Let them figure out how to decrypt it on their own.

  10. Youngone Silver badge

    It's not what you know...

    The problem here is that Human Rights Watch, EFF and the like don't fund reelection campaigns, and in the US system of government, the only people worth listening to are those who do.

    That's where Google et al come in, but they're going to have to increase their payments, with Presidential and Congressional elections this year. That's not cheap, and if you need laws passed in your favour you have to pay.

  11. Chris King

    Cat Flap

    The politicians are still talking about backdoors ? They're probably thinking more along the lines of a cat flap, one of the "smart" ones that only allows your own cats to enter and leave at your whim.

    But what happens when that flap gets busted ? It's going to allow a lot more than their own cats to get in - we're talking about other cats, small dogs, large rats/mice, birds, whatever.

    Not to mention thieves who can use that open flap to grab unsecured keys and open the door fully.

  12. The Dude
    Devil

    backdoor options

    Gosh.... you mean we aren't already getting sufficiently backdoored by government?

    1. Anonymous Coward
      Devil

      Re: backdoor options

      Yes, we're getting backdoored, but the government has grown tired of the previously required reach-around or post-intrusion cuddling :)

  13. Mark 85

    200 Experts? It could be 200,000 experts

    It doesn't matter as the politico numpties will believe there's a magic wand lying around to allow the agencies to get what they want. The fact that the agencies can't deal with all the traffic now is irrelevant to them and also seemingly irrelevant to the heads of those agencies.

    Which, when I think about it, is peculiar. The heads of the agencies want it also and yes, I know they're not tech heads. Is this so they can monitor the government and funding, etc. more closely? Or just to CYA... "well, we knew about them but didn't have the assets to follow up... more funding please"?

  14. Anonymous Coward
    Anonymous Coward

    From the geniuses responsible for leaving the door wide open at OPM, we have another winning strategy for protecting the country. I wonder how much it costs to do credit monitoring for 400 million epeople, forever?

  15. a_yank_lurker

    Czar Reed's Dicta

    Czar Reed (US politician, 19th century Speaker of the US House of Representatives) observed what most politicians were best a was "subtracting from the some total of human knowledge" when they opened their mouths. His observation is still true. Thus the "debate" on cryptography. Those who know something about cryptography know that deliberately weakened systems will be broken rather quickly. Something call mathematics and computing power has a lot to do with this. Given, in the US at least, the superset of shysters called politicians are mathematical illiterates as are most shysters they will through a temper tantrum when mathematics says they are below stupid.

  16. noj

    Its true that the agencies can't deal with all the traffic now. But what they are most likely banking on is that computers will get more powerful, analytics more precise, to the point that all that data will be easier to utilize later on. I would think that some politicians are thinking the same thing. When looked at that way surveillance hasn't even started yet. We're merely in the data collection stage.

    1. Lyndon Hills 1

      Couldn't agree more. I remember reading about a system specified and development starting in full knowledge that processing power now would make it too slow, but processing power at delivery would most likely have increased to meet the requirements. I think that was a military system too.

  17. Anonymous Coward
    Anonymous Coward

    If it's insecure then it's not secure

    Surely?

  18. Anonymous Coward
    Anonymous Coward

    For the benefit of politicians...

    "While the list is odd in that it appears to make the same point repeatedly..."

    Success when hammering a nail into a dense piece of wood usually entails hitting the nail repeatedly on the head.

    1. Loud Speaker

      Re: For the benefit of politicians...

      Success when hammering a nail into a dense piece of wood usually entails hitting the nail repeatedly on the head.

      CP: success when hammering a point into a dense politician's head involves hitting the politician on the head repeatedly.

  19. Adam 1

    > de-encrypt

    That's a new one...

  20. Adam 1

    I for one am happy to use this

    I am quite happy for authorities to decrypt my messages that contain random bytes. They can wrap those with whatever encryption they feel appropriate during transit.

  21. John Brown (no body) Silver badge

    "appears to make the same point repeatedly"

    You forget. They are speaking to politicians. As all politicians know, if you repeat something often enough it becomes true. Starting from true is a big advantage but the pols don't know that the letter is starting from true.

  22. Anonymous Coward
    Anonymous Coward

    But it cannot work?

    If there are backdoors for the goodies, the baddies will find out how to use them too.

    Then there is no security, which might suit the spy agencies short term, however, governments will surely realise the enormity of their mistake when security agencies can be comprimised too, and that no one can do secure transactions online. Presidents and Prime ministers and Kings and Lords and serfs alike will not be able to shop online, or anything else securely for that matter. So it cannot work. At the very least an epic financial disaster, Or do I not understand something?

  23. zaphod7

    Can it work?

    If there are backdoors for the goodies, the baddies will find out how to use them too.

    Then there is no security, which might suit the spy agencies short term, however, governments will surely realise the enormity of their mistake when security agencies can be comprimised too, and that no one can do secure transactions online. Presidents and Prime ministers and Kings and Lords and serfs alike will not be able to shop online, or anything else securely. So it cannot work. At the very least an epic financial disaster, Or do I not understand something?

  24. Anonymous Coward
    Anonymous Coward

    Where are the Banks and online retailers?

    Thought they might have something to say in this, who is going to do online banking, or any online transactions if there is no secure encryption, you'd need to be mad.

  25. Frumious Bandersnatch

    A Cross Tick!

    When enterprise solutions hawk onanism-uncovering lifetime data.

    Always less legal under standard ethics. Save that eejit gangs

    and narco organisations generally reveal aught per habitual Yank

    network-overlord wanking?

  26. FozzyBear
    Mushroom

    I am no encryption expert

    But I would also like to add my voice to the growing din of protests. However, I would like to clearly and concisely express my discontent to the politicians

    FUCK OFF YOU IMBECILES

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like