Nice discussion, but the central call to action -- challenging technically ignorant authoritarian extremists in the legislature like McConnell and Feinstein to do something horrible, trusting that they truly won't do it at the end of the day because uhhh their "desire to do the right thing?" -- this is naive tech ideology at work. Realistically, the golden key law is totally feasible, politically viable, and should scare all of us. It would not be used to ban all encryption (which is impossible) but rather to target undesirables selectively and to ensure that either every person's every communication is recorded forever by the government so that they can be prosecuted for their speech later at will, or that they are put on a list of criminals for using banned encryption, so that they can be prosecuted later at will.
No tech person should ever breathe a word of support for this, especially not to play a psychotic game of chicken with people who would permanently disable their brakes in an instant if it would fire up their base for a news cycle.
Never forget the great TSA Master Key fiasco.
To facilitate airline baggage security while easing bag searches, the TSA approved locks which could be opened with a master key (well, one from a small set of keys). These keys, like the "golden key" in the indicated article, were carefully guarded. Anyone using a luggage lock that either wasn't TSA-master-key-compliant, or not already open, was of course considered with great suspicion.
Then someone wrote an article about it. And talked a TSA security agent into posing with the keys displayed. http://www.extremetech.com/wp-content/uploads/2015/09/CM8Naj... was published, and within hours people were 3D-printing copies.
Never forget the great DVD CSS fiasco.
To ward off unauthorized copying, DVDs were encrypted. Authorized playback devices were given the secret decryption key. Controlled properly, this key would never be actually revealed.
Then someone didn't control it properly, storing it unsecured in a playback product. The key was found, copied, disseminated, and DeCSS software proliferated. It was even printed on t-shirts: https://c2.staticflickr.com/4/3451/3228250152_cf84bbd87d_b.j...
No, it's not "going to be different this time". Universal back-door keys get compromised/copied/disseminated eventually.
> In a December 2015 Monday Note titled Let’s Outlaw Math, I mocked our government officials and Law and Order public servants for their obdurate disregard for a fundamental mathematical property that makes well-designed encryption unbreakable
This is a wrong way to think about it. You can say similar things about building a bomb. The steps to manufacture explosives from common materials are simple if you are good at chemistry. Likewise, this mathematical explanation makes encryption sound like a high-schooler can do it using an abacus. But it's not. It's simple for a person to understand. But coding these algorithms is no joke.
Now if you want the government to not impose restrictions on crypto software, that is the equivalent of wanting to lift controls off explosive substances. Yes, these are fundamental truths about the world (mix a and b and get an explosion, multiply prime numbers and you can't factorize), but that does not mean the government cannot try to control them. Just like they control the sale of explosives, for public security, they can also require Microsoft, Apple and Google to put in a master-key. And I don't see a problem with that.
I've tried to think of something that hardware manufacturers could do to grant access to law enforcement and minimize abuse potential.
The best I could come up with would be to make decryption possible iff law enforcement had physical possession of the phone and if the act of decryption would make the phone unusable after (e.g. hardware access requires blowing some fusible links) and if the acquired data was still encrypted with a key that only the device manufacturer can provide.
I'd prefer to see no concessions made, but if decryption is going to be required, it should be expensive, require possession of the device and the cooperation of multiple parties.
> the FBI backed off, probably fearful of the PR consequences.
There was also a PR battle involved and Apple won.
Defending encryption is hard, because it is primarily a PR battle and the enemy always has the high ground. Notice how all these cases hinge on some terrible crime - terrorism, human trafficking, etc. Because the govt then gets to say "Aha, so who wants to stand up and defend terrorists!? Nobody? That's what we thought, so let's pass this new law then".
But what Apple did (and kudos to their PR team) is turn it around and say it wasn't just a 1st Amendment issue, but also a practical personal safety risk issue. Not having encryption means being exposed to identity theft and fraud. It is not just something abstract but a specific and real danger that everyone either experienced or knows someone who it happened to.
Read it here: https://www.apple.com/customer-letter/
It is really a great example of good PR and a good punch back in the encryption battle. It helps sometimes when a tech giant throws their weight behind this.
I think this writer dreadfully underestimates just how little legislators know about complex subjects, and how unwilling to learn they are.
They already tried, with the Clipper chip. It was clearly a very bad idea, and flawed, but that won't stop more attempts (and with software, the costs are much more hidden, and the flaws are probably more hidden as well).
It's quite possible for legislation involving key escrow/recovery, import controls and mandatory sentencing for using noncompliant crypto and so forth to pass the current Senate and House, regardless of the technical shortcomings of the solution.
My belief is that the LEAs are waiting for a sufficiently egregious event involving crypto so they can push through legislation rather than attempt shaky arguments in court with the current laws. Guessing that the phone involved in the recent shooting was unlockable, at least initially, and didn't contain anything sufficiently interesting to make political hay out of.
I've long wondered whether this is a fight where the NRA would be an unlikely ally.
It shouldn't be that hard to cast strong encryption as a 2nd Amendment issue, in emotional if not constitutional terms.
From the article:
> Once they get close enough to the precipice, they’ll experience a salutary fear of consequences.
No, they won't. Look at how Trump got elected or Brexit was decided. Excessive stupidity of a project won't stop people from pursuing it.
Daring the current kakistocracy to do something this stupid seems like a bad idea.