Last week, US Attorney General William Barr and FBI Director Christopher Wray chose to spend some of their time giving speeches demonizing encryption and calling for the creation of backdoors to allow the government access to encrypted data.
You should not spend any of your time listening to them.
Don't be mistaken; the threat to encryption remains high. Australia and the United Kingdom already have laws in place that can enable those governments to undermine encryption, while other countries may follow. And it's definitely dangerous when
senior U.S. law enforcement officials talk about encryption the way Barr and Wray did.
The reason to ignore these speeches is that DOJ and FBI have not proven themselves credible on this issue. Instead, they have a long track record of exaggeration and even false statements in support of their position. That should be a bar to
convincing anyone--especially Congress--that government backdoors are a good idea.
Barr expressed confidence in the tech sector's ingenuity to design a backdoor for law enforcement that will stand up to any unauthorized access, paying no mind to the broad technical and academic consensus in the field that this risk is
unavoidable. As the prominent cryptographer and Johns Hopkins University computer science professor Matt Green pointed out on Twitter, the Attorney General made sweeping, impossible-to-support claims that digital security would be largely
unaffected by introducing new backdoors. Although Barr paid the barest lip service to the benefits of encryption--two sentences in a 4,000-word speech--he ignored numerous ways encryption protects us all, including preserving not just digital but
physical security for the most vulnerable users.
For all of Barr and Wray's insistence that encryption poses a challenge to law enforcement, you might expect that that would be the one area where they'd have hard facts and statistics to back up their claims, but you'd be wrong. Both officials
asserted it's a massive problem, but they largely relied on impossible-to-fact-check stories and counterfactuals. If the problem is truly as big as they say, why can't they provide more evidence? One answer is that prior attempts at proof just
haven't held up.
Some prime examples of the government's false claims about encryption arose out of the 2016 legal confrontation between Apple and the FBI following the San Bernardino attack. Then-FBI Director James Comey and others portrayed the encryption on
Apple devices as an unbreakable lock that stood in the way of public safety and national security. In court and in Congress, these officials said they had no means of accessing an encrypted iPhone short of compelling Apple to reengineer its
operating system to bypass key security features. But a later special inquiry by the DOJ Office of the Inspector General revealed that technical divisions within the FBI were already working with an outside vendor to unlock the phone even as the
government pursued its legal battle with Apple. In other words, Comey's statements to Congress and the press about the case--as well as sworn court declarations by other FBI officials--were untrue at the time they were made.
Wray, Comey's successor as FBI Director, has also engaged in considerable overstatement about law enforcement's troubles with encryption. In congressional testimony and public speeches, Wray repeatedly pointed to almost 8,000 encrypted phones
that he said were inaccessible to the FBI in 2017 alone. Last year, the Washington Post reported that this number was inflated due to a programming error. EFF filed a Freedom of Information Act request, seeking to understand the true nature of
the hindrance encryption posed in these cases, but the government refused to produce any records.
But in their speeches last week, neither Barr nor Wray acknowledged the government's failure of candor during the Apple case or its aftermath. They didn't mention the case at all. Instead, they ask us to turn the page and trust anew. You should
refuse. Let's hope Congress does too.
In response to today's judgment in the People's vs the Snooper's Charter case, Megan Goulding, Liberty lawyer, said:
This disappointing judgment allows the government to continue to spy on every one of us, violating our rights to privacy and free expression. We will challenge this judgment in the courts, and keep fighting for a targeted surveillance regime that
respects our rights.
These bulk surveillance powers allow the state to hoover up the messages, calls and web history of hordes of ordinary people who are not suspected of any wrong-doing.
The Court recognised the seriousness of MI5's unlawful handling of our data, which only emerged as a result of this litigation. The security services have shown that they cannot be trusted to keep our data safe and respect our rights.
new call for evidence will explore the role of government and the private sector in the development of digital identities - the way people prove they are who they say they are using digital technology - and seek views on how to achieve
higher levels of trust between the public and organisations checking their identities.
Err... how about making it totally illegal for organisations to use sensitive data? How about no more government laws that let age verification providers do what the fuck they like with your porn browsing data? No more 'voluntary standards'
governing the keeping of porn browsing data?
The government continues:
With people increasingly required to prove their identity to access services, whether it is to buy age-restricted items on and offline or make it easier to register at a new GP surgery, these plans aim to help make doing so easier and more
By cutting down on the need for physical documents, which could be misplaced or stolen, they also aim to reduce fraud. Reports suggest that unlocking the value of digital identity could add 3 per cent to UK GDP by 2030 - positioning the country
as a world-leading place to develop cutting-edge innovation.
Recent figures show identity fraud is a growing problem across the UK and last year the fraud prevention service Cifas reported 189,000 incidents of identity theft.
Err... so how is it going to make it safer to put all your ID eggs in one basket and pass the basket around to all and sundry?
The government continues:
A small pilot scheme will be launched to help people speed up their applications for services, for example applying for a credit card, by allowing organisations to digitally check their identity using British passport data, where they have used
this to register for government services. It will begin with companies who currently provide digital identity services to Government.
Individuals applying to access selected services online could have their identity verified this way if they choose to. The scheme will then be opened up to a small cohort of additional private sector companies for use across a range of services.
Err... like Facebook, Google, Cambridge Analytica, Ashley Madison, Pornhub...
The government continues:
No organisation would be given access to government-held data under these proposals, identity providers would simply get a yes or no as to whether the document was validly issued, and no personal data not already provided by the individual would
be used or shared.
Any new solutions will be compliant with recently strengthened data protection laws and set out requirements for the secure transfer of data. There will be no central identity database and individuals will be in control of their personal data.
The pilot scheme will also test if there is a market for these new types of digital identity checking services.