Civics is boring, so, let's encrypt something (2024)

38 rdoherty 34 9/2/2025, 6:58:00 PM queue.acm.org

Comments (34)

bccdee · 1h ago
This is, far and away, the most authoritarian proposal for the regulation of encryption that I have EVER seen. As far as I know, no nation on Earth has legal provisions so explicitly authoritarian as to require every civilian to maintain copies of all their communication in a form that cops can access after the fact.

If I send you a letter and you promptly burn it, that does not entitle the police to imprison either of us, no matter what sorts of subpoenas they obtain after the fact. But if I send you an encrypted message, we both throw away the key, and the police later subpoena our communications, this proposed law would permit one or both of us to be jailed for the ENTIRE term of whatever crime we are ACCUSED of:

> Then, fourth and finally (drum roll, please!), they'll need to allow courts to jail the accused until: (a) the communication has been decrypted by someone; (b) the maximum penalty for the charged crime has been exceeded

Unless this is a joke that's gone over my head, this is an open embrace of totalitarian surveillance. Either way, it's farcical. Fortunately it would not survive basic constitutional challenges in any liberal democracy.

---

Here's another silly detail. (Ugh, this article is bad on so many levels.)

> Then the legislators can get to work. First, they'll need to make it a crime to force or trick anyone into using stronger encryption than they consent to, no matter how that might be done. (Note that IT liberalists who claim encryption is a human right never realize this should also include the right not to be forced to use encryption against one's will.)

This means, if you start a conversation with me in plaintext, I'm obliged to continue exactly as I would if we were talking through encryption. This compels speech, which is both unconstitutional in most places and completely untenable in practice. (And why would there be a human right not to be "forced" to use encryption? There's no human right precluding "no shirt, no shoes, no service" policies. People who don't use encryption do not constitute a protected class!)

cluckindan · 3h ago
"So, a judge who is convinced you're about to kill somebody can unleash the police to follow you everywhere in hopes of preventing that crime. Similarly, a judge who thinks your computer system contains information related to financial crimes can allow the police to hack that system. Likewise, a judge who thinks you're stalking your ex can order you to stay out of a certain part of town."

One of these things is not like the others…

mattnewton · 2h ago
This article frames a false choice of either designing a system that allows government access to everything you do digitally (which is now almost everything), or having the government design such a system.

In reality the choice is between such a totalitarian surveillance state without the possibility of digital security guarantees, or one where police can’t read your digital mind but can do good old fashioned police work.

halffullbrain · 2h ago
PHK’s piece assumes that there’s a clear and effective distinction between the government and the judicial system: The police can’t wiretap unless authorized by a judge (this could be backed by certificates/whatnot, and not just “ok, go ahead” as it is now.)

However: Not all countries have this effective separation/independence between branches, and some countries which have so far enjoyed such separation are perhaps not so certain anymore.

Even so: I think the point still stands - there is a choice to make, and the current trajectory (EU’s ChatControl, and UK’s encryption ban), is what we’ll risk getting instead.

mattnewton · 5m ago
Even in the US which has those systems, they are not robust enough for me to trust handing over the state this kind of power over all modern communication. Never have the police had this power before, even with warrants.

Backdoored encryption makes everyone unsafe while not stopping bad guys from using actual encryption. And when the bad guys use real encryption, the police can still catch them - see the case of Ross Ulbricht.

The point doesn’t stand because the magic system that only lets the good guys decrypt if only the engineers would think harder probably does not exist, and framing it this way obscures that fact and paves the way for ChatControl or encryption bans, not user freedom. We had this debate before with the Clipper chip, and reason mostly prevailed. Now we’re having it again with even higher stakes and people are arguing to give in to a framing that assumes defeat.

cyanydeez · 2h ago
Nah, you forgot the choice when you naively think corporations can provide a simulacrum of privacy, when in reality they're indistinguishable from any other large org.

scubbo · 1h ago
> corporations [...a]re indistinguishable from any other large org

Presumably a Freudian slip for "governments"?

6177c40f · 2h ago
So, if we were to implement what this author is proposing, governments would be allowed to jail people indefinitely simply because they used effectively unbreakable encryption - regardless of whether what they encrypted was illegal (or evidence of a crime)? Because if so, that is absolutely unacceptable in any society that would call itself free.

Kim_Bruning · 2h ago
If you weaken encryption so that your government can get access, now other sides can get access too. Including criminals and other governments.

No I would not like to weaken encryption for my bank (obviously), my personal information (if only due to spear phishing), cryptographic authentication like passkeys in general and ssh keys in particular, and absolutely no one gets access to any teenager's phone anywhere. (unless it's their parents maybe,... that one is debatable).

ps the term "NOBUS fallacy" is apparently not a thing yet. (I thought it was!)

FuriouslyAdrift · 2h ago
Harkens back to the days when we could only export 40 bit encryption due to ITAR (which still applies to a lot of stuff... just not the 40 bit part)

https://en.wikipedia.org/wiki/Export_of_cryptography_from_th...

russianGuy83829 · 2h ago
You don't have to weaken your encryption to your bank though. The author proposes extending the TLS protocol so that the bank declares themselves responsible for the contents of communication and full strength encryption can be used.

tptacek · 2h ago
"NOBUS" isn't a fallacy. We can build systems that have access mechanisms that are for all intents and purposes NOBUS.

tialaramex · 2h ago
I don't buy it. These systems are always multiparty. In a single party cryptosystem we can have internal integrity. We know we're not the bad guys and we didn't share the private information with the bad guys, therefore the bad guys don't have the data.

Once you're multiparty that goes away, any other party can definitely betray you and then it's game over, your own integrity doesn't matter.

Historically NOBUS was about having a particular technological lead, that's very fragile and didn't work out long term. If anybody has that lead today it's the Chinese, but realistically nobody has such a lead.

tptacek · 1h ago
The argument about who the trustworthy "us" is is deeply uninteresting to me. I just care that there's precedent that if you stipulate the existence of such an "us", computer science does allow for NOBUS-y access mechanisms.

Kim_Bruning · 2h ago
The other party doesn't even need to betray you, just have their systems compromised. See also, eg. : Salt Typhoon.

* https://en.wikipedia.org/wiki/2024_global_telecommunications... "The hackers were also able to access wiretapping systems used to conduct court-authorized wiretapping."

Kim_Bruning · 2h ago
If 100 different governments think "nobody but us have access", between 99 to 101 governments are wrong. O:-)

(I will grant number 101 is the hard one to defend.)

nemomarx · 2h ago
At minimum, bad actors inside the government could always use the access mechanism. What's your concept for preventing other bad actors from getting it though?

tptacek · 2h ago
"What if 'us' is bad" is a separable question from "is NOBUS possible".

I'm not advocating for it, I'm just saying the computer science of this matters, and a lot of people have objections to the concept of NOBUS that are more ideological than empirical.

AnthonyMouse · 1h ago
I don't think it's a computer science claim to begin with. To my knowledge nobody has ever broken 256-bit AES, but that's not the part of the system that fails. There are two things that prevent it from working in practice:

The first is that "us" would be something like "governments in the US"; but then that's too big of an organization to sustain as free from compromise. There are tens of thousands of judges in the US, well over a million police and military. All it takes is one of them to be corrupt or incompetent or lazy and the bad guys get to use the skeleton keys to everything in the world, which can unlock secrets worth billions or get people killed. And that's assuming they only compromise the authorization system; if they actually get the keys it's practically armageddon.

And the second is that it's not just one government. If the UK makes Apple and Google build a system to unlock anybody's secrets, is Australia not going to want access? Is China? Let's suppose we're not going to give access to Russia; can the fallible humans operating this system fend off every attack once the FSB has been ordered to secure access by any means necessary?

It's a system that combines many points of compromise with an overwhelming incentive for everyone from state-level attackers to organized crime to break in and severe consequences when they do.

nemomarx · 2h ago
I think any practical implementation needs to have an "us" that's like "with a valid warrant" or secured on the govt end anyway, right? Otherwise you have to deal with "what if someone in the govt leaks the keys" or "what if someone in the govt is a spy". I consider those outcomes the same as foreign governments getting backdoor access basically.

ls612 · 14m ago
And then Salt Typhoon happens and suddenly it isn't NOBUS anymore and we are hosed.

throw0101c · 2h ago
> "NOBUS" isn't a fallacy. We can build systems that have access mechanisms that are for all intents and purposes NOBUS.

Has any such system been built?

tptacek · 1h ago
Have the private keys for Dual EC ever been disclosed, or is there any evidence of them having leaked?

AnthonyMouse · 48m ago
Sort of:

https://blog.cryptographyengineering.com/2015/12/22/on-junip...

But also, Dual EC was suspected of being backdoored from day one, was slower than existing CSPRNGs, and was therefore avoided like the plague. Whereas the premise is that if you put all the world's secrets behind one set of keys, there doesn't exist a level of defense that can withstand the level of attacks that will attract. Which doesn't apply when it isn't widely used.

On top of that, the attackers would be the likes of foreign intelligence agencies, and then them not getting it and the public not hearing about them getting it are two different things.

tptacek · 12m ago
That was a Juniper supply-chain backdoor, not a compromise of the Dual EC keys.

commandersaki · 2h ago
China iCloud? Not sure it is actually a NOBUS or just key escrow mechanism with administrative controls.

NoahZuniga · 39m ago
> The United Nations' new "cybercrime" treaty, readied for signatures at the time of this writing, is very much focused on how to get court orders to work quickly and efficiently across borders. Bear in mind that international bodies don't fashion treaties like this unless they think an urgent response is vital.

Truly there is no process as quick and urgency-aware as creating and signing international treaties.

OkayPhysicist · 34m ago
There are a few ideas so basically evil that just holding them, regardless of deeds, renders the speaker forfeit of the basic "shared humanity" level of camaraderie that I share with the vast majority of other people. This may be one of the few examples I've come across that fit that description while not falling under the normal umbrella categories of bigotry or unjustified calls for violence.

This proposal isn't just evil, it's evil in a remarkably novel way. I'm disgusted in ways normally reserved for stumbling upon a group of neonazis chatting amongst themselves.

tptacek · 2h ago
Two quick hits:

(1) It's important to remember that part of why Telegram is in this pickle is that they deliberately designed a system that increased the surface area of what governments could demand from them, because they're not fully (or even mostly) end-to-end encrypted (in fact, they were openly dismissive of end-to-end encryption). We get these kinds of interventions in part because governments know they can work; we know how to design systems where they can't work.

(2) The idea that governments worldwide will uniformly solve this through international agreements seems fallacious, because some of the largest countries in the world have sharply different legal and political standards. For an agreement on lawful intercept to work, you need to foreclose on products that refuse lawful intercept. There are countries you can do that in, and others where you can't.

I think there is a well-taken point that cutting off law enforcement access to data isn't a long-term stable equilibrium; something will give eventually. But I think PHK is way overshooting how strong that argument is today.

peawee · 2h ago
Any online service typically keeps some amount of logging. A fully encrypted online service can certainly hand over some amount of access and account information, and in my experience that's plenty enough for law enforcement to go and do the normal police detective work they're used to doing.

pimlottc · 2h ago
I’m trying to skim this but there is a lot of meandering and I’m still not sure what their main point is.

JoshTriplett · 2h ago
"Give governments broken encryption before they force you to", with various unimportant technical details of how specifically to give up.

The civics lesson is almost useful, except for the part where it treats the current demands as immutable rather than an adversary to be fought and defeated.

skygazer · 2h ago
I didn’t finish reading to the end but by halfway through it’s about building protocols in advance to weaken encryption for government benefit, before the government mandates it, and framing encryption strength as the length of time users are willing to rot in jail. It’s framing breakable encryption as necessary for operation of any government built on laws.

jameshart · 2h ago
It is not easily skimmed. The author is describing a substantially new and different way of thinking about the problems of strong cryptography under the rule of law that you may not have come across before. Consider reading it and then returning if you have more specific questions than ‘tl;dr please?’