A Back Door to Encryption Won't Stop Terrorists (bloombergview.com)
406 points by giles on Nov 18, 2015 | 266 comments



So, here's my take on all this 'surveillance is good for you'.

It more or less proves (to me at least) that the government(s) and the various secret services have absolutely no idea who to monitor specifically. So instead of targeting their operations they want to monitor all of us, just in case something of interest pops out that then allows them to focus their attention.

It's a pretty scary thought: just imagine, all that money, all those resources and still they can't do anything other than to put their ear to the ground and hope that someone messes up in plaintext so they can then try to backtrack and see what they might have missed.

In all these attacks it never happened that everybody was under the radar. Always one or more of the attackers that were technically known or even already under surveillance. And yet the attacks happened anyway. Too many targets make for a very thinly deployed service, which then has to be automated to make it work at all.

It's a pretty sobering thought, it also suggests via yet another route that mass surveillance is indeed meant to attempt to 'keep us safe', and that it fails miserably. The road to hell is paved with the best of intentions.

Terrorists have it so easy, all they need to do is to be just a little bit unpredictable or simply old-fashioned (in person) and there won't be anything whatsoever that we can concretely do to stop them. The only thing that actually gives a bunch of actionable data is when an attack is executed or when an attack goes sour (or rather: sweet as in, it does not work) from which direct evidence of contacts or plans is gained. This will then lead to a relatively short lived number of arrests clustered around the people caught or implicated and then it burns out again where the data ends.

And so then we get to wait for the next attack...


Great writeup. On top of it, the terror attacks are extremely rare because most people have no interest committing mass-murder and the few that do rarely have motive/opportunity. So, refusing to be terrorized remains the best bet.

Far as intelligence agencies, they've not just failed: they've often tried to cover it up, mislead other authorities, or even destroy evidence. The result of incompetent organizations not capitalizing on what they have even when it's obvious should be a net reduction of power and increase of accountability. Instead, they always ask for and often get the opposite.

The technically literate of us following the details should just keep reiterating to anyone that will listen the key detail: almost everyone who's launched an attack did it while already being under surveillance. It doesn't work. End of story.

Note: If it did, they just go back to doing what pros already are in using human go-betweens and other low-to-no-tech methods like Osama did for years to dodge NSA. They didn't get him until someone tipped them off for the bounty per Hersh.


How do you convince someone to refuse to be terrorized though? If I know someone who feels genuine fear when they hear about these sorts of attacks, what do I say to them? "You're an idiot", "here is some math", and "you're giving them power over you" are not effective approaches.

How do I convince someone they should try to not feel fear if they strongly believe their fear is valid and that attempts to invalidate their fear are an insult.


I think "here is some math" is a good way, but you need to be really delicate about it and take it slowly. What you're fighting is an emotional reaction that's hard-wired into our brains. The problem stems from them having an invalid view of the world, i.e. perceiving terror attacks as vastly more probable than they really are. Therefore you need to fix their worldview - or rather, help them fix it themselves. Showing the attacks in perspective is one way to do that, and the one that - over time - helped me stop worrying, even though after 9/11 I was scared the world is ending and that I'll die in a mall attack tomorrow. It takes time, and you can't push it too hard - if you become their conversational enemy, you've not just lost, you'll strengthen their fears.


The problem with those "maths" is they are no longer in favor of not being "terrorized" in some places.


The math is still in favour in the United States and in the European Union. Unless the friend lives somewhere in the Middle East, I don't see a problem with that argument.


You could try telling them that police kill more people than terrorists do https://reason.com/blog/2014/12/09/more-than-1000-people-hav...


Do NOT do that. You're just putting them against you in debate.


What about people who think it's simply unjust when innocent people are killed in the name of some religious/political end? E.g. I know that there is almost no chance that I'll be the victim of gang violence. But that doesn't mean I have to just accept the existence of gang violence in my community.


> What about people who think it's simply unjust when innocent people are killed in the name of some religious/political end?

I don't think that you'll find many exceptions to that.

> E.g. I know that there is almost no chance that I'll be the victim of gang violence. But that doesn't mean I have to just accept the existence of gang violence in my community.

So, as a member of that community you then have the option to go out and do something about it. You can also move out, you can pay someone else to do something about it (which you already do through your taxes, hopefully they do enough). You can also keep your eyes open if you see anything suspicious and report it. You can rally support for better pay for the police so the chances of corrupt police interacting with gangs goes down.

And finally, it may actually mean that yes, you will have to accept the existence of gang violence in your community if that community is incapable of changing from within.

Gang violence takes a while to establish itself, and it - even with the best of the best working to get rid of it - can't be gotten rid of overnight. Problems of this kind usually take roughly as long to fix as it takes to solve them.


I don't disagree that it's hard to eradicate. But I don't see anyone saying we should just refuse to be scared by gang violence and not try to do anything about it.


Probably because it has nothing to do with the topic or just doesn't fit it well. What would you do about gang violence if they all looked like innocent people with nothing discerning them and the attacks were so rare that your neighborhood got hit only once every 100-1,000 years? Would it even be worth worrying about vs all the things that have been killing people in your area regularly? Or would you just refuse to worry about it in general while dealing with it if it ever happens? (aka refuse to be terrorized)

Note: The 100-1,000 years is to represent the fact that virtually nobody dies from terrorist attacks. It's so rare that bathtubs and bee stings kill more people each year in the U.S. I'd imagine it's not a leading cause of death in France either despite the recent attack. So, for your gang thing with 100-200 people in a neighborhood, they'd go through many generations before one person died from gang violence. Sounds like the high risk that should keep them up at night, eh? ;)


How do you convince someone that flying is the safest mode of transportation? Sometimes you just can't.


You nailed it, I think. If surveillance works, then Paris, Beirut, Baghdad et al wouldn't have happened. Realizing it's a pipe dream, I'd love to see a world accept that we the west have done so much damage that nothing will stop terrorism.

Accepting that means we can throw those wasted resources at things that have a better chance of working - throw the tech that detects copyright infringements at detecting pro-ISIL sites, and use DMCA-style tactics to take them down. Fund new research to put effective bomb and weapon detectors into every doorway. Because protecting borders doesn't work either (crunchy on the outside, soft on the inside). Build schools, instead of bombing them. Stop selling weapons to the very people that shouldn't have them. Teach politicians to value non-American lives as much as American ones. Stop honouring violent death, and honour the deaths of people who move humanity forward instead.

There's an endless stream of ideas of what we could do, if only we actually wanted it.


I liked this comment on Reddit which I think is relevant in a discussion about combatting this form of terrorism:

"The problem is that we have forgotten the power of ideology and the way that you cultivate civilized discourse and expectations. In the Western world, we've spent the last 40 years shitting all over the best weapons we have to address ideology: philosophy, literature, poetry, art, music and religious discourse. We've marginalized the way to talk about the abstract elements of human experience, and now we find that we have nothing to say."


It's not that "we have done so much damage", it's just that terrorism exists, full stop. Europe has a long history of home-grown terrorism - Paris in particular had a lot of various groups attacking it in the 80s, for example. The US has its own home-grown terrorism as well, the stereotype being the KKK.


There are indeed plenty of third-generation Algerians in France. The ones I know are happy being in France though, I am not sure it is home-grown, it has been planned with local help, but the source was tracked in Turkey, then lost. I think they have a good protocol to handle communication outside internet.


When I say European home-grown terrorism, I'm not thinking of recently arrived demographics, but groups like Irish and Basque separatists.


> If surveillance works, then Paris, Beirut, Baghdad et al wouldn't have happened.

I don't think surveillance is very good at preventing terrorism, but I think it could be useful to law enforcement after the fact to round up co-conspirators. I bet that once the identity of the Paris attackers was learned, the NSA pulled up a graph several levels deep of everybody they communicated or associated with. It could very well help them figure out who else is involved and should be watched.

For the record, I'm opposed to surveillance and would be even if it were shown to be very effective. Privacy is important and is worth more than the lives that have been or will be lost to terrorists and other criminals.


They found one of the terrorists' phones dumped in a garbage can outside the theatre they attacked, and got the address of their hideout from the messages, so used just regular police work.

All these guys were already on watch lists for fighting in Syria and returning, just nobody seems to ever watch the watch list.


If that phone was properly secured then those messages wouldn't have been accessible.


You'd still have a telephone number. From that telephone number you could go to a judge and request a warrant for the telephone records. From there you could look at all the numbers dialed and received. Now you get a warrant for the addresses of the subscribers.

No bulk surveillance required, just honest police work within the confines of a valid and acceptable legal framework.


True, I thought the same.

But then, if they'd used a CB radio, there'd have been no records on the device at all. You can go both lower and higher tech to avoid leaving a trail.

The fundamental issue our society faces is that the world people thought existed, pre-Snowden, wasn't all that bad. There are controls, a system of laws and warrants, judges have to approve requests for data, and companies hand it out only in cases where it's really justified. Terrorist used WhatsApp to send a message to his buddy before blowing up a football stadium? It is - literally - warranted.

Post Snowden we know that world didn't really exist, it was more a sort of theatre governments put on when they didn't care much about the outcome. So now the data is disappearing so nobody has it. It's not obvious that this is an improvement over restoring the world that was previously thought to exist, but that was apparently too unstable to survive.


That's roughly equivalent to 'if those documents had not been properly shredded that data would not have been available'.

Each and every operation of this magnitude leaves a trail. The party perpetrating it will try what they can to erase that trail but that will always be an imperfect process.

Maybe next time the phone will be secured, they will scrub themselves of parking tickets, they will burn up their escape vehicle after a few minutes ride and so on. All the media has succeeded in doing is educate the terrorists about how to be more successful in evading capture and possibly being more successful in carrying out the attack in the first place.


France has something like 11,500 on the extremist watchlist. I'm not sure it's practical to watch and monitor that many people with the staffing levels of French Intelligence without acting like the Stasi.


That's precisely the point being discussed. The "collect it all!" mentality of the intelligence agencies just increases the size of the haystack and does not actually result in stopping these incidents, as they are now spread too thin.


> does not actually result in stopping these incidents

My point was that collecting it all isn't necessarily about stopping incidents, it's about instantly knowing everything about a terrorist once they are identified through other means. There's certainly value there and the debate is whether or not the cost is too high.


My point was that the collect it all mentality is driven by the number of extremists on the list. It takes something like 20 agents to follow someone around the clock.

That means the DGSI would need 230,000 staff to follow all of the extremists all of the time.


I'm opposed as well (I think big piles of personal info are radioactive), but it's worth pointing out that this usage, of finding folks after the fact, should be easy to do in a way that allows proper judicial review, even if the process is expedited. Working from an actual crime makes a lot of things more straightforward vs trying to justify surveillance of someone thought to be a risk, or connected to a risk of some hypothetical future crime.


> Fund new research to put effective bomb and weapon detectors into every doorway.

I don't want to live in a world that has bomb detectors in every doorway.


I live in a country that has bomb detectors in every doorway. It's not that bad - at the very least, everybody prefers a bomb detector to another suicide bombing.

I think that when terror is something that can happen constantly for months at a time, people learn to keep living their lives without fear, but also to take measurable actions that really prevent the next attack.


The only thing that can prove or disprove anything is the abundance of information, which we don't have.

We have no idea how many attacks have been prevented (everyone likes to claim this is zero....but they do so without any evidence to support that, as relevant information is surely classified beyond Top Secret).

We have only the slightest, tiniest, smallest idea of what the NSA and other intelligence organizations are capable of.

British intelligence took how long to tell people that they cracked enigma? 50 years?

Out of the THOUSANDS of documents that Edward Snowden leaked to reporters, the public has access to what? on the order of 50?

Yeah....we know nothing...so saying one way or the other is kind of ridiculous at this point.


Sort of the invisible unicorn argument. I can't really say how many invisible unicorns are in the room with me right now. Could be dozens, if they're small, quiet, and quick to get out of the way.


Not entirely, it's more of the "that word 'proof'/'proves' doesn't mean what you think it means" argument.

My point is entirely aimed at the linguistic use of "proves" than anything else.


As always, the burden of proof lies with the party making the existence or effectiveness claim. It is on the surveillance proponents to prove their effectiveness.


I don't have a burden of proof because I have nothing to prove, I'm not making a claim one way or another.

The person I was commenting to, however, IS making a claim. Maybe your burden of proof applies to him?


I call bull. The government has a strong incentive to prove to us that they are doing an effective thing, and Obama and various other officials have been quoted saying from 54 down to various numbers of attacks, and their claims have been shown to be bogus.

This argument is actually subject to Russell's Teapot, if you can't prove or disprove anything the burden of proof is on proving the thing. I have yet to see any evidence.


What incentive is that? The only people they have to prove their worth to are the people that have the power to shut them down.

We as a society do not have that power, and that should be obvious by now.

When a court decided what they were doing was illegal, less than a day later (probably the fastest anything has EVER happened in the legal system), another bench decided that what the NSA was doing was TOO BIG TO STOP. Like seriously, their argument for not stopping something UNCONSTITUTIONAL was that they were doing too much of it.

You and I, and every other civilian who actually understands what they're doing have ZERO power to stop them, so they have ZERO incentive to convince US what matters.

You know who they DO have to convince? The exact people that keep voting to KEEP THEM IN POWER.

I don't care what Obama and his administration claims, like I said, they have no incentive to prove anything to the American public.


I don't entirely disagree with you, but how do you explain that the former director of the NSA is seemingly fully engaged in explaining and justifying their activities? It would appear that they do have at least some incentive, no?

https://www.youtube.com/results?search_query=michael+hayden


As usual, arguments depending on an arbitrary ordering or arbitrary negation are nonsensical:

"Is mass surveillance useless? Unless you can prove it, it's obviously useful. See Russell's teapot."

(Russell's teapot doesn't apply anyway, because the thing to prove is falsifiable: governments /could/ release information about thwarted attacks, in case there are any.)


> We have no idea how many attacks have been prevented

Yes, we do. We know ALL of the FBI's high profile terrorism cases. Apart from the Tsarnaev brothers, it has been all cases where one or more fools got snared by a provocateur.

So unless you believe that there is a secret system of arrest, a secret court that hears terrorism trials, and secret prisons all operating inside the US, we know exactly how effective mass surveillance of the US population has been in preventing terrorism.


Unless you have security clearance, most likely above top secret, you have no clue what happens (and if you did, commenting on it in a public forum would most likely be a federal crime).

We already know there are secret courts that hear secret arguments that can't be refuted by defendants/targets. Oh, and if that court involved you, you're legally not even allowed to tell anyone.

We already know that the NSA/FBI/CIA/DEA uses parallel construction to actually prosecute crimes against US citizens.

How do we know this stuff? Someone with clearance risked his life, and gave up his freedom to tell the world. Oh, and the US said they MIGHT NOT waterboard him if he ever came back to the US to face his crimes.

And out of the thousands of documents he had, how many do we have access to? A few handful?

Sure...we know everything </sarcasm (as if you couldn't tell)>


> It more or less proves (to me at least) that the government(s) and the various secret services have absolutely no idea who to monitor specifically. So instead of targeting their operations they want to monitor all of us, just in case something of interest pops out that then allows them to focus their attention.

Except that most of the recent terror attacks have involved at least one person known to the authorities. One of the Paris attackers even had an international arrest warrant out for him.


I think I covered that. It's addressed further down and by the word 'specifically'. There are just too many targets to take meaningful action.

Edit: Some more on that: the best way to attack a high-tech society is using low-tech means and vv. We're totally blinded by our trust in technology.


The only way to deal with any form of mass shooting is to have systems in public places that can automatically detect and disable the shooter within milliseconds of their first shot. Anything else - encryption backdoors, etc. - is absolutely pointless and will at best prevent only a small percentage of incidents. If you want to deal with the problem, do it directly.

We all know that while terrorism gives these initiatives fuel, they ultimately have little to do with terrorism and much more to do with governments wanting as much surveillance and control over their populations as possible. The odds of dying in a terrorist attack are approximately 1 in 20 million; for comparison, you are 25X more likely to die by drowning in a bathtub and 1,000X more likely to die in a car crash [1]. If terrorists are 1/25th as effective at killing people as bathtubs, how many of our civil liberties should we be willing to give up to stop them?

There are currently at least 3,278 prisoners in the US serving life without parole for non-violent offenses [2]. Perhaps we should stop terrorizing our own citizens before we worry about foreign terrorists that can't even keep up with bathtubs.

[1] https://reason.com/archives/2011/09/06/how-scared-of-terrori...

[2] https://www.aclu.org/files/assets/111813-lwop-complete-repor...


Better not go blowing up paper bags then. False positives would be a bit messy and would likely kill more people than any terrorists ever would. It would have to automatically and reliably detect and disable the shooter, and they'd still be able to fire that first shot. It also does not protect against bombs.


Paper bags don't emit projectiles traveling at 1,700 mph. Bullets fired from a gun have a very specific profile including speed, size, and shape that are shared by literally nothing else. There are multiple ways to track the speed, size, and shape of objects traveling within any public space. With this kind of detection, even attackers using silenced weapons could be targeted and neutralized within milliseconds of their very first shot.


I don't see this scheme working. It would require a whole bunch of sensors and a chunk of local computing power to make a 'kill' decision (or at least, an attempt to immobilize) on an individual in a crowded space based on the reliable detection of bullets fired from a gun. The kill device could be disabled prior to discharging a fire-arm, it could trigger falsely, it could be made to trigger falsely on purpose and it could malfunction. I'm sure that if you pitch this idea to the right party they'll shower you with money, nothing like more security theater and false feelings of safety to get big $.


It wouldn't require "a bunch of sensors". Anyway, generally you're referring to technical challenges, all of which could be readily solved.


> The only way to deal with any form of mass shooting is to have systems in public places that can automatically detect and disable the shooter within milliseconds of their first shot.

You are proposing that public spaces be fitted with some kind of system that can reliably detect bullets based on their "speed, size, and shape" profile.

How do you propose to do this without using a bunch of sensors?

> and much more to do with governments wanting as much surveillance and control over their populations as possible

Outfitting all public spaces with sound and vision recording/analysis devices seems like the very definition of mass surveillance and control.

> Anyway, generally you're referring to technical challenges, all of which could be readily solved.

Of course, we should not get bogged down in the technical implementation detail, but you can't just brush away these - very valid - technical criticisms of your idea.


>you can't just brush away these - very valid - technical criticisms of your idea.

You want to hash out the design of a complex idea in an HN comment thread?


Sure, why not? :-)


How would you detect a moving bullet unambiguously?


This is basically a solved problem for supersonic ammunition (not fired from a silenced weapon): https://en.wikipedia.org/wiki/Boomerang_%28countermeasure%29 (not to suggest in any way that the proposal is practical on a wide scale).


No, they want to collect everything to find something to hang you with after the fact.

There is way too much volume and noise to find threats in the hurricane of hay flying past to find the needles in real time.

But if you have someone specific to start targeting, you can quite easily take their whole life apart and find their friends and make all these connections after the fact.

The goal isn't to stop attacks, it's to ensure that nobody goes unpunished.


It helps them to find people who they were in contact with and so get deeper into their network. If they have a log of all the telephone calls they are then able to run a simple "SELECT * from BigTable WHERE 'badphone' = NumberCalled" and then take the investigation from there. I know that's simplified but gives a highly filtered starting point of people of interest.

Another reason not to publicise their successes is that may give an indication of how they are tracking and if the terrorists know how they are being tracked they can change how they operate. For example perhaps they always call directory enquiries to get a number/address and if that is the way in it's in the interest of the spies to not let them know that so they can continue to use that chink.


You don't need all the call records in government hands to get that info. A narrow warrant for the call records of the named suspects would suffice.


The simpler explanation: they understand knowledge is power and are happy to use any convenient excuse to acquire it.


If knowledge was power then by the argument advanced above, they would be able to stop terrorist attacks. Why don't they? Surely the obvious effective program being claimed to not exist would be an excellent argument to expand surveillance operations.


>Why don't they?

If I was slightly more conspiratorial I would suggest that that is the 64 million dollar question.

In reality though, I think we are talking about two different types of knowledge here.

When I say knowledge is power, I'm talking about power over individuals. The type of knowledge that allows you to say "Hmm, those are some interesting emails you sent, Senator. Let's see if we can come to an agreement to make sure nobody else sees these." The type of knowledge that makes the average citizen think twice before making that Google search, or before posting a comment online.

Even with total info awareness, to stop attacks you need the ability to filter and flag the data you have to sound the alarm when needed. Fundamentally, that's a data processing problem and not specifically what I am talking about.


They would be better off trying to stop what causes these terrorists from wanting to attack us...


That's a long term plan. People are clamoring for action 'now' and want this to end preferably next week. To tell them that there is no 7 day solution to this is going to be a very tough sell.


And if the seven day solution perpetually sows the seeds for future terror?


That's the default path.


Unfortunately so.

I think the response should be a careful, cursory action that acknowledges the public demand for retaliation, but all else put into the long game of building resistance to radicalised violence - working on education, poverty, etc amongst the communities where agitators source members. We should be encouraging people to find common ground rather than react aggressively, even if that is the gut response.

I am very irreligious, but there was a great comment on HN the other day about a fairly orthodox Christian finding that they had more in common with a fairly orthodox Muslim colleague than with other atheist co-workers.

Often the political and public reaction after an event like this is to focus on differences (language, clothing like burkas, etc) rather than things like a love of family, of food, sport, music and so on.

I live in Australia and our new prime minister is far, far better at this than the previous us-vs-them dog-whistler.


Perhaps it would be hard to sell it, unless it is being sold as the only way to truly put the brakes to the trend (if there is actually an upward trend).


You want to remove the terrorist impulse from all of humanity forever? That's...ambitious.

But let's take at face value that that's possible, you'd still have to assume that all terrorists have a) some rational set of demands; and b) even if they did, that we'd be willing to meet those demands.

What ISIS believes is incompatible with Western democracy. There is nothing we could do to eliminate their desire to attack us that wouldn't mean our own destruction, anyway.


> You want to remove the terrorist impulse from all of humanity forever? That's... ambitious.

No, the goal should be to improve the living conditions, infrastructure, access to education, etc of impoverished regions where terrorist sentiment typically appears and festers.

To give an extreme example, there is a reason the Saudi royalty aren't walking into the middle of a marketplace and blowing themselves up: they already have everything they want/need. I'm not saying we should make everyone royalty, but that there is a clear correlation between standard of living and terrorist sentiment.


Ah yes, the good old 'if only they could all be treated like Saudi royalty, they wouldn't blow themselves up in the middle of a marketplace' argument!

Standard of living is a continuous curve which has absolutely nothing to do with mass murder. There is a binary switch which occurs separately from any experience which is measured in terms of 'standard of living'. Now maybe there are some experiences which can drive a person to commit terrorism, but I think more likely, this terrorism is not a consequence of some action, but rather, these are a group of people who use terrorism as a tool to wage war. Why are they at war with the West? It's not because of standard of living, I'm pretty sure it's because they hate everything the West stands for and want it to burn.


> these are a group of people who use terrorism as a tool to wage war

You mean the United States of America, terrorizing Pakistanis for years now?

There's no binary switch. There are tactics effective for given goals and circumstances. Mass shootings and suicide bombings are a perfect strategy if you want to make a country destroy itself. The question is - why would you like to make that country destroy itself? The answer is not:

> It's not because of standard of living, I'm pretty sure it's because they hate everything the West stands for and want it to burn.

That's not only bullshit but, if it were true, it would be the best argument to just ignore those attacks and treat them as any other murder done by organized crime. Because if they "hate our freedom", then by overreacting and turning ourselves into police states, we're doing their job for them - we're putting our economy and industry into dismantling everything the West stands for.


No, I don't. I think they do quite a better job terrorizing themselves than they do us or we do them. In any case it's all out war at this point. Against exactly who or where will be interesting to find out.

You look for a second at the people who actually carried out recent attacks, you will see what I mean. Who said anything about police state?

The thing which has impressed me is apparently this guy was a prolific attack planner. Known and poorly tracked. I'd say a major intelligence failure.


Either that or you work against whatever gives them irrational demands. And I wouldn't do that by fighting on religious grounds, but building the alternatives - through education being one. It's not exciting or retaliatory, but the status quo in the Middle East is not particularly effective.


You want NSA to undermine CIA/state department?


They want to attack you because you are an infidel and therefore not a human. It's just rational in their caveman minds.


If that was it, why are these terrorists not attacking Armenia? Or Zambia? Or Mexico? Or pretty much anywhere in Central and South America?

All those have a higher percentage of Christians in their populations than the US or anywhere in Western Europe, and they don't have the same level of anti-terrorism focus so are presumably easier targets.

Could it simply be that those countries haven't been bombing and invading places in the Middle East?


> If that was it, why are these terrorists not attacking Armenia? Or Zambia? Or Mexico? Or pretty much anywhere in Central and South America?

These countries have negligible numbers of Muslims.

There have been multiple Islamic terrorist attacks in Tanzania (which borders Zambia) and Kenya, both of which have significant Muslim minorities. Not to mention the frequent attacks by Boko Haram et al in Nigeria and the perpetual civil war in Somalia, which is overwhelmingly Muslim.


I'm not saying militant Islamism doesn't exist, but rather that the attacks have several underlying motivations, and that radicalization is more likely when there is a preexisting conflict.

Even the threats and attacks against cartoonists, as mentioned by another commenter, go beyond the simplistic "kill all infidels just because they exist".


Why do you think you know more about why Al Qaeda and ISIS attack the West than Al Qaeda and ISIS? They have explicitly and repeatedly stated other reasons for their attacks on the West than those you claim. Why don't you believe them?

To put it more simply: when Danish cartoonists are threatened for offending Islam, is that also because of imperialism?


> They have explicitly and repeatedly stated other reasons for their attacks on the West than those you claim.

And why would you believe them? What they say on TV is also a weapon. People who don't come and negotiate but go straight to killing won't be posting their real goals on their website, they'll rather post something that helps further those goals.


"They" are also as cohesive as Anonymous.


ISIS are known masters of propaganda.


It could be because those countries are not letting them in.


Hillary Clinton apparently used non secure hard disks to store confidential data and we are unable to prosecute her. US government launched a $1.7 trillion worth war on Iraq which we did not win and not a single person is held accountable. These scums in Washington are despicable beings.


Encryption backdoors are a lightning-rod topic on HN, but instead of repeating all the common talking points, I'd suggest the following:

Think through something like this, outside of your expertise, that you think the powers-that-be should just do. Maybe it's something with your local municipality's approach to road resurfacing, maybe it's the quarterback on your favorite football team, maybe it's your local zoning board.

Chances are better than even that there is a decent technical reason why they don't do what they do. Looking at things that way will save you a lot of headache in your life, and set you on the path to getting on someone's side to effect change, rather than just being another shrill voice yelling against them.

So politicians and intelligence services calling for encryption want, institutionally, to keep people safe. How can tech companies do that without breaking or backdooring encryption? That's the real problem to solve, and the first person to figure out how to do that will be way ahead.


The best backdoor to encryption has always been social. Talk the right way to the right people... and it doesn't matter what type of security you have.

Isn't that the entire purpose of agencies like the CIA?

It just bothers me when privacy is treated as a negative thing, for the greater good or not. Encryption is a tool to create privacy. The ability to create privacy should be a point of pride as not everyone has that luxury. It should be a human right.

This is the primary reason why I feel things like CISA/CISPA/etc take society in the wrong direction. It doesn't matter if the intentions are good or bad when everyone loses.


Except encryption provides a level of privacy that has never before been possible. Could you imagine a physical padlock that was unable to be cracked, cut, or circumvented in any way? It is easy to see how that would scare law enforcement. Imagine your job is to keep people safe. Now envision a kid strapped to a bomb inside a shack and the only thing preventing you from breaking in and saving that kid's life is that magical and unbreakable padlock. That is how many laypeople view encryption. It is hard to tell that person that you won't consider introducing any weakness into that lock.


That's a good analogy, but the padlock has already bolted!

Information about the uncrackable padlock is widely available. Bad guys will always be able to get these padlocks from the black market. The question is whether we want the good guys (i.e. us) to have the padlocks too.


This is a fair counter, but I feel like we already have examples of how the government would respond there. We might have to switch analogies, but wouldn't encryption then be like a weapon. The goal would then shift to being about deproliferation. The fact that nuclear weapons or AK47s already exist doesn't prevent the government from preventing regular people from acquiring or using them. Maybe preventing new products from entering the market and flooding the market with faulty products (encryption with backdoors) is a good way of combating what is already out there.


I don't think non-proliferation would be a good idea for encryption technology:

1. Depriving the public of decent encryption does a lot of harm. If you let some people in through the backdoor you're going to let bad people in too.

This is different from nuclear bombs. It doesn't harm the public to deprive them of nuclear weapons. I like having my financial information encrypted, but I don't want a personal nuclear bomb.

2. Non-proliferation of encryption wouldn't work. The algorithms and ideas are already widespread. Every university teaches it. Millions of computers have the code already. The code and ideas can be proliferated anonymously, instantly, undetectably and cheaply.

This is different from nuclear bombs. Nuclear bombs are much more complex and expensive to transport, manufacture and hide.

(I haven't mentioned AK47s, but I'd say they fall somewhere between encryption and nuclear bombs in benefit vs harm to the public and in ease vs difficulty of non-proliferation, which is why there are more of them around than there are nuclear bombs.)


The terrorists will use encrypted, unbreakable methods no matter what Google or Apple use in their OS. That's really the only point that matters.


And I might be able to get my hands on an AK47 if I really wanted and had enough money to dedicate to it. That is the truth of the world. But do you believe that making it harder to acquire a weapon like that doesn't have some benefit?

Back to HN's world, one of the basic principles of human factors is "make the right thing easy and the wrong thing hard." You might not be able to prevent people from doing the wrong thing, but there is still value in making it harder to do.


It's not hard to download some software while sitting in your house. Much easier than buying an illegal gun.


"Deproliferation" is impossible. It's not like banning guns. It's like banning the idea of how a gun works from ever being communicated, burning every book that contains the concept, erasing it from all electronic records, and strictly monitoring anyone with chemistry or metallurgy knowledge.

All you need to write an encryption program is an explanation of the concept behind a single algorithm, someone with math smarts, and almost any computer.


I think there would be an even better angle to this. If the government can listen to any legally encrypted communication via their backdoors, then by definition any communication they can't listen to is illegal and they can focus their intelligence resources on people communicating in such a way.

But honestly, I think it'll result in bad guys using the same backdoored crypto that everyone else will be using, relying on steganography and disappearing in the noise - so basically, they'll do things in the same way as they always did, since assuming all communications is broken by the government is simply good OPSEC.


But those are not the same thing. Encryption in this case would be like the location of the kid and bomb being kept secret.

The bad guy may have told someone in person where the location is... or sent an encrypted email. But unless you were involved in either conversation, you are still in the dark.


Except the government also has stuff it needs to keep secret, so they have a vested interest in unbreakable padlocks existing. So they want a skeleton key for all civilian padlocks, but they will continue to use magic padlocks. That requires journals on padlock research, which probably won't themselves be kept behind magic padlocks.

Clever locksmiths will always be able to make powerful padlocks using that research.


>Except encryption provides a level of privacy that has never before been possible

Not really. It secures long distance communication, but I've always had the option of just talking to someone privately if I want something to be secret.


>The ability to create privacy should be a point of pride as not everyone has that luxury. It should be a human right.

I agree; so does the UN in The Universal Declaration of Human Rights:

Article 12. No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

Article 18. Everyone has the right to freedom of thought, conscience and religion; this right includes freedom to change his religion or belief, and freedom, either alone or in community with others and in public or private, to manifest his religion or belief in teaching, practice, worship and observance.

http://www.un.org/en/universal-declaration-human-rights/


The universal declaration of human rights doesn't grant you an unqualified right to privacy. Article 29, part 2:

"In the exercise of his rights and freedoms, everyone shall be subject only to such limitations as are determined by law solely for the purpose of securing due recognition and respect for the rights and freedoms of others and of meeting the just requirements of morality, public order and the general welfare in a democratic society."


In addition to what torgo said, there are a few countries that have only upheld UN directives and treaties when it suits them. The US is an example of this.


Who exactly enforces the UN's Declaration of Human Rights?

Without power to back it up it means nothing.


Technically, each and every one of the UN member states should back these up.


Didn't they put the Saudis in charge of that?


So, like the Tel Aviv airport where the main security measure for departing flights is a short chat with every passenger. The agents are trained to recognize red flags.


> It should be a human right.

It actually is a human right.

The right to privacy is one of the most fundamental ones that we have.


Not in the constitution, and the founding fathers clearly envisioned the modern world in perfect clarity so we'll just go with their words verbatim.


> So politicians and intelligence services calling for encryption want, institutionally, to keep people safe. How can tech companies do that without breaking or backdooring encryption? That's the real problem to solve, and the first person to figure out how to do that will be way ahead.

I don't think this is a technical problem, and I don't think it's our responsibility to solve it.

If the US wants to stop terrorism they need to stop creating terrorists. The US created terrorists by starting economic wars, supporting violent dictators, creating economic sanctions that harm the common people and not the national leaders they purport to, providing conditional and earmarked aid that is sometimes actually harmful, and a wide variety of other internationally sociopathic behaviors. If we want to stop being attacked by people from other countries, we need to stop harming other countries.


The US doesn't have to be harming countries to be the target of terrorists, it only has to be thought to. So unless your alternative is for the US to go out there and forcibly quell all dissenting speech...

People are good at having enemies, whether they deserve them or not. There are people who would kill me right now having done nothing particularly wrong. There are even places where it is legal and encouraged to do so.


Yet, most democracies aren't being massively targeted by terrorists. Largely just those involved in imperialism or regions contested by imperialists. jacquesm's comment is spot on.

Additionally, notice that what jacquesm said is never brought up in these debates much like what U.S. did in Operation Ajax or sanctions that followed wasn't factored into recent Iran debates. Much easier to pretend all this stuff happens in a vacuum that requires a surveillance or police state. Which doesn't work anyway:

https://news.ycombinator.com/item?id=10591617

https://www.schneier.com/essays/archives/2006/08/refuse_to_b...


>Yet, most democracies aren't being massively targeted by terrorists. Largely just those involved in imperialism or regions contested by imperialists.

You know who is involved in these regions? Countries with money. Because without money, you can't do anything but let dictators and mass-murderers trample around like vicious kings. Turning a blind eye to your abused neighbors isn't a way to prevent terrorism, either. You might reduce anti-US terrorism by ignoring the rest of the world, but a lot of people will die, and you're still going to have enemies. It's a factor, not a solution.

Though I suppose if the US were poor as dirt, we wouldn't have to worry about terrorism. Just civil war and invasion.


The organization currently targeting the U.S. is largely the result of their unnecessary invasion of Iraq that smashed the country and left plenty of weapons over there. The organization that did it before was funded and trained by the U.S. for proxy war with the Soviets with a lot more alleged in between. Same for Saddam for use against Iran. Iran hit in Mossadegh days to steal their oil and control the area.

And so on and so forth. Vast majority of terrorism against the U.S. is by actors whose activities or capabilities are directly tied to U.S.'s own imperialism abroad. Not our money, democracy, religion, anything. Just doing evil dangerous stuff over there and funding/equipping those that do the same often to rip off resources.

Far from a mere "factor," it's been the single most consistent and driving force behind all terrorism against us. That means... that eliminating that while working to improve the situation over time might eliminate most terrorism against us? Well, let's do that then!


Just because something isn't necessary doesn't mean we shouldn't do it. Your comment isn't necessary, and it isn't making a friend of me. Does this mean that it's your fault if I attack you? That you should have backed out and minded your own business?

That's a stupid and suicidal policy.

>Far from a mere "factor," it's been the single most consistent and driving force behind all terrorism against us.

So you say. But I can't distinguish whether that statement is fact or ideology. So I don't believe you, and I shouldn't until you've got some convincing evidence that it's true. You can tell me a story. I don't want a story.

And I really don't see how people committing acts of terrorism are making good decisions that we should support by giving them what they want for doing so. Seems like a bunch of grudge-holders that need to grow up before negotiations become an option.


> Just because something isn't necessary doesn't mean we shouldn't do it. Your comment isn't necessary, and it isn't making a friend of me. Does this mean that it's your fault if I attack you? That you should have backed out and minded your own business?

Surely you can discern why disagreeing with someone on HackerNews is different from invading their country, seizing their resources, and killing their family members.

> So you say. But I can't distinguish whether that statement is fact or ideology. So I don't believe you, and I shouldn't until you've got some convincing evidence that it's true. You can tell me a story. I don't want a story.

And you can distinguish fact from ideology when people say that the solution to terrorism is more of what we're already doing?

I can understand you discarding information because you don't believe it's reliable. What I don't understand is that in the absence of information you believe to be reliable, you've still decided to form an opinion and argue for it. If you don't have enough information, it's okay to admit you don't know.

> And I really don't see how people committing acts of terrorism are making good decisions that we should support by giving them what they want for doing so.

I really don't see anyone proposing that.


"Just because something isn't necessary doesn't mean we shouldn't do it."

So you're saying we should have committed mass murder and armed terror groups throughout the Middle East in the name of stealing resources or manipulating politics? Did you do any research to back this or are you writing up some far-fetched, sophist comment since you can't counter my points?

"And I really don't see how people committing acts of terrorism are making good decisions that we should support by giving them what they want for doing so."

Last I checked, the U.S. was still trying to screw with and control much of the Middle East instead of support them. The regions where we have the most meddling are among the least stable. Doing good over there instead of evil might actually accomplish something. Further, areas with groups like ISIS aren't terrorism vs Some Good Government rather than a group of competing evil groups all set on controlling and oppressing the area. So, fighting one isn't fighting terrorism so much as fighting one group while putting another into power.

You won't see the U.S. truly fight oppression over there because it's not in power players' financial and political interests. There's benefits to be had from continued partnerships with dictators and theocracies. Just ask Saudi Arabia.


I'm saying you're vastly underestimating how easy it is to maintain peace with other cultures. I'm saying what I said, not what you wish I'd said so you can believe I'm an evil fool.

>Did you do any research to back this or are you writing up some far-fetched, sophist comment since you can't counter my points?

No, I didn't do any research. I took a class on West Asia and North Africa in school. I lived in Iraq for a year.

But I don't think you've done any research, either. You're just saying talking points.

>Last I checked, the U.S. was still trying to screw with and control much of the Middle East instead of support them.

You checked? Let me know what you checked. Where you checked. Who you checked with.

>You won't see the U.S. truly fight oppression over there

Truly? Isn't there a term for this kind of waffling? "No true scotsman" or something?

> So, fighting one isn't fighting terrorism so much as fighting one group while putting another into power.

That's what fighting is. Any fight you do is going to put someone in power. It doesn't matter if you're fighting terrorism or not; that's the whole point of fighting.


You're doing a lot of sophistry rather than addressing the points. Lots of side points and vague counters rather than any facts. So, let me help you focus your mind so it might produce something of substance that's actionable.

The point of the discussion is U.S. government and a chunk of America wants to stop foreign terrorists from trying to blow us up. The foreigners doing that have exclusively done it due to interference, often violent and imperialistic, in the Middle East. So, many of us draw the logical connection that this was the cause of actual attacks against us rather than terrorism in general which we don't care about. So, to reduce number of attacks, we must stop doing what caused them and modify our strategy of dealing with the mess we're in to account for this. Otherwise, our actions over there, esp collateral murder (err damage) & weapons distribution, will likely just create the next wave of terrorists like Bush/Cheney Administration just did with ISIS.

Those are my claims. Now, do you have any counter to those specific points or would you like to add to them? To be extra clear, given your sophistry, I've claimed the following:

1. The U.S. takes overt and covert action against Middle Eastern countries for financial and political reasons rather than for survival. So, it shouldn't have taken that action and should reconsider future behavior like that.

2. Disruptive U.S. actions in the Middle East create opponents, including the organizations that attacked us. So, they should stop doing that and fewer terrorists that attack us would be created.

3. Previous handling of opponents equipped and trained likely long-term foes before abandoning them. They consistently ended up turning into problems: Taliban; Saddam; ISIS. The U.S. needs to stop doing that. Throw their best minds on fresh strategy before doing any major interventions and with much focus on long-term effects with regard to terrorism blowback.


> Because without money, you can't do anything but let dictators and mass-murderers trample around like vicious kings.

But with money, you can arm those dictators and mass-murderers so that they can become actual vicious kings.

> Turning a blind eye to your abused neighbors isn't a way to prevent terrorism, either.

That's true, which is why it's so puzzling that we so frequently turn a blind eye to our abused neighbors and fund the abusers.

I'm definitely not proposing isolationism. I'm proposing we spend aid money actually helping the populations of nations instead of funding whatever militant promises to protect US interests.


"I'm definitely not proposing isolationism. I'm proposing we spend aid money actually helping the populations of nations instead of funding whatever militant promises to protect US interests."

Bingo!


>People are good at having enemies, whether they deserve them or not.

This statement would have more resonance if the US fell into the "or not" category. ISIS is basically America's Frankenstein[1].

[1] Yes, yes it was the doctor's name.


Anyone care to enlighten me as to why I'm being downvoted?


No idea, it's an opinion, however, many nations have suppressed many other nations and it's historically atypical for the aggrieved to lash out to others of indirect involvement. Have Congolese (after the conflict ended) gone and bombed Belgium, or why not Albania, who had no relation to Belgium's involvement?


It's not about some abstract historical notion of right and wrong. The US has created an environment that fosters terrorism. Whether this is wronger or righter than any historical colonialism by other countries is completely irrelevant. We've created "the YC for terrorists" in the countries we have smashed in the Middle East, and now there is a lot of terrorism.


Ok, so what makes the ME react differently to meddling compared to SE Asia?


My first attempt at an answer would be the breadth and depth of the meddling involved.

That being said, could you provide examples as to how the Middle East has reacted to meddling as opposed to South East Asia?


Look at Thailand, a land with many masters over the millennia, India, China, British, Japan. Yet there is only a certain faction involved in terrorism there, their society at large doesn't feel the need to engage in anti-Western terrorism.


Death cult?


Besides not being directly relevant, it's also a facile and simplistic view of the situation. Sayyid Qutb, the godfather of al-Qaeda's ideology, was famously "radicalized" by going to a sock hop in Colorado in the 1950s. No economic wars, violent dictator support, et cetera was required.


There will always be crazies, but crazies like Qutb would likely not have as many supporters if they didn't have a wide base of people with real reasons to dislike the US to draw from.


No idea. Also no idea why the GP isn't being downvoted.

Just because some politician claimed that it's tech people's responsibility to fix their flaws, it does not make it true.

It's repetitive, but the police did have all the information they needed to go after such people even before the murdering. What does the GP want? A machine that queries the news from the day after tomorrow? (Because tomorrow won't do - the police had warning that it would happen at the previous day.)


Clearly I didn't get my point across.

If the Paris police had all the information they needed to go after such people, but didn't, that's the technical problem that really needs solved, not an encryption backdoor.


I agree that you've identified a problem. I don't agree that it's a technical problem. It seems to me that technology simply doesn't offer any solutions to this kind of problem. Perhaps that's a failure of imagination on my part, though: what are some areas of research you think might cause law enforcement to start responding to credible threats?


Metadata analysis and pattern recognition of publicly available data is one.

Better data organization tools are another (a family member is studying forensic science and has done internships with large-ish police departments that still largely use printed and hand-written documents to manage cases)

But that's my point. I haven't done much thinking on this either, so I can't see around the corners of time to see what it could be. But just more yelling back and forth about encryption isn't accomplishing much.

Maybe it's not a bits and bytes technical problem, but it's technical according to the definition of the adjective, "of or relating to a particular subject, art, or craft, or its techniques." If the Paris police had the information, but were unable to properly analyze it, that's completely a technical problem.


Ah, I agree on that front. That does make sense.

But I still don't think this should distract from a conversation about encryption. Encryption has very important implications for free press and privacy far outside of preventing terrorism, and it's important that it stay legal and accessible to normal people. Experts need to make their voices heard so that legal decision isn't made by people unconcerned with these important issues.


Well, that's not a technical problem.


Maybe it's not a bits and bytes technical problem, but it's technical according to the definition of the adjective, "of or relating to a particular subject, art, or craft, or its techniques." If the Paris police had the information, but were unable to properly analyze it, that's completely a technical problem.


It didn't address the parent's point, other than by saying you don't care about it. Your point may be valid but it belongs in a separate thread.


It's not a productive line of argument. We want to keep doing those things. Might as well say that the solution to traffic accidents is for everyone to stop driving.


> We want to keep doing those things.

Speak for yourself. I'm an American citizen and I don't want to start economic wars, support violent dictators, create economic sanctions that harm the common people and not the national leaders they purport to, provide conditional and earmarked aid that is sometimes actually harmful, and a wide variety of other internationally sociopathic behaviors. I think most people would agree if they actually understood that that's what's happening. But most people think we're spreading peace and freedom and protecting human rights.


> So politicians and intelligence services calling for encryption want, institutionally, to keep people safe.

That's the public face. The underlying motives are much more closely aligned to the power structure and the flow of money and votes than keeping folks in suburbs "safe".


"So politicians and intelligence services calling for encryption want, institutionally, to keep people safe. How can tech companies do that without breaking or backdooring encryption? That's the real problem to solve, and the first person to figure out how to do that will be way ahead."

That's the problem: they can't. The tech just moves information around in ways that are visible and can be invisible. Even the subtle timing of the signal can be used to communicate. What you're asking is that tech companies do two things:

(a) Ensure every tech with communication mechanisms can only work in a way known perfectly ahead of time and controlled to prevent all leaks.

(b) Ensure that every message, regardless of its words or properties, isn't aiding evil somewhere.

(c) Ensure that it's impossible for a user to put obstacles between their identity and a communication tech so we know exactly who the evil-doer was.

That's simply impossible. It can't be done at all. Talking about lay terms, North Korea has the most totally controlled Internet and country locked down by both technology and terror. Possession of a cell phone can get you locked up and leaving can get them after your family. Yet, there's regularly communication from small numbers of courageous people coming out of that country. If that ideal surveillance setup won't work, how on Earth could any tech accomplish the same thing with the diversity of sites, language, interactions, and tech that exist in Western countries like America?

It just can't because it can see bits and read the minds/hearts of those that create them. That's what the government wants. It's not possible. Otherwise, they'd probably have eliminated most crime already looking at people's homework in school or text messages divining their character. ;)

Also, the problem's been known so long there's even a meme for it:

https://en.wikipedia.org/wiki/Evil_bit


> So politicians and intelligence services calling for encryption want, institutionally, to keep people safe. How can tech companies do that without breaking or backdooring encryption? That's the real problem to solve, and the first person to figure out how to do that will be way ahead.

It's not a tech problem or a solvable problem in the way you imply. It sounds reasonable but it is like solving lightning strikes. You can't actually "solve" lightning.

You can reduce the casualties through reasonable precautions but people are still going to die.

It's frankly irrational to talk about this problem as an actual problem. Terrorism is less dangerous to me than preventable medical errors for fuck's sake.

http://www.propublica.org/article/how-many-die-from-medical-...

> In 1999, the Institute of Medicine published the famous “To Err Is Human” report, which dropped a bombshell on the medical community by reporting that up to 98,000 people a year die because of mistakes in hospitals. The number was initially disputed, but is now widely accepted by doctors and hospital officials — and quoted ubiquitously in the media.

> In 2010, the Office of Inspector General for Health and Human Services said that bad hospital care contributed to the deaths of 180,000 patients in Medicare alone in a given year.

> Now comes a study in the current issue of the Journal of Patient Safety that says the numbers may be much higher — between 210,000 and 440,000 patients each year who go to the hospital for care suffer some type of preventable harm that contributes to their death, the study says.

Shaving 1% off 98,000 deaths a year will save more people than preventing the Paris attack.

How the fuck is it rational to be focusing on anything other than major causes of preventable deaths?

Sorry, honestly, at this point I'm just disgusted with anyone who suggests terrorism is a threat worth throwing billions of dollars and lives away on while they casually ignore far more dangerous sources of human deaths.

Get back to me when funding preventable harm in medical care is worth hundreds of billions of government funding.


I don't think it's entirely irrational to throw money at counterterrorism that could have saved more lives elsewhere. However I do think that the money is better spent on prevention (integration, aid, ...) than on war.

People aren't scared of dying in traffic or by a preventable medical error. Maybe they should, but they aren't. Those risks are real, but they don't affect how people go about their lives. Terrorism is a tiny risk of death but an enormous cost in terms of perceived safety.

It's a cliché to say "defend our way of life", but throwing money at creating the illusion of safety so I dare go to the football stadium is just that. I wish we didn't have to spend millions securing a football match, but one can't dismiss it as a waste without assigning a zero value to the idea of going to watch the match. Times many thousand spectators.


> People aren't scared of dying in traffic or by a preventable medical error. Maybe they should, but they aren't. Those risks are real, but they don't affect how people go about their lives. Terrorism is a tiny risk of death but an enormous cost in terms of perceived safety.

The perception stems from the difference in media coverage and political grandstanding imho.

At least you have a legitimate objection, I just don't agree with it.


>So politicians and intelligence services calling for encryption want, institutionally, to keep people safe.

Why are they knowingly allowing people who fought for ISIS to return to Europe?


It's kind of a tricky legal situation. If they're European citizens, can you really stop them from coming back from Syria? What if they claim they didn't do anything illegal there?

People don't lose their rights just because they travel to the Middle East...


Well, the UK government are trying to cancel people's citizenship if they go to Syria to fight for IS. But you're right, it's questionable, and it might be a legal hassle to do anything about this.


Because stripping a person's right to citizenship is monstrous and shouldn't be done?

Toss them in jail when they get home, but they still get to come back.


I'd love to see what a detailed version of security policies and infrastructure look like in a world of backdoor-less strong encryption from Schneier, the EFF, the Hopkins crew, etc. Something that can be used to persuade, or at least influence policymakers by allowing them to see that another way is possible, one that allows security services to do their job in a way that allows them to feel that their work isn't futile, while simultaneously respecting privacy rights.

I think the need for strong encryption and no backdoors (which, as Schneier explains, are always a double-edged sword) are very important and I support them, but that those on the side of it who also have in-depth knowledge about the finer details don't deign to articulate just what exactly the policy looks like without resorting to just a list of what we shouldn't do and vague allusions to "just go old-school" or "utilize human assets more."

A coherently articulated, normative counterfactual security platform would be a better place to argue from.

It's a cousin to the negative liberty arguments: they only list what not to do in order to avoid hurting people, rather than what we can do to help them (positive liberty.)

Maybe we could frame the question as "If we let the EFF and Bruce Schneier redesign the United States security apparatus from scratch, what would it look like?"


I see where you're coming from, but at the same time, one does not need to formulate an alternate strategy to point out that the emperor has no clothes.

Strong encryption cannot be back doored in an effective way, this is just a fact. Ignoring that fact because we wish it were otherwise, or asking the people that point out that fact what we're supposed to do in light of that fact, doesn't change that fact.

The group constantly pushing for backdoored strong encryption fails to realise that they are asking for regulations to ensure that all water is only ever sold in ice form. This does not, and cannot, mean that all water will only be available as ice. This needs to be realised, accepted and moved on from.

Only then we can start actually trying to formulate a coherent asymmetric warfare strategy, cognisant of the actual facts on the ground rather than wishful thinking and ignorance.


I agree that we don't need to formulate a strategy to criticize. What I'm saying is that we're already fantastically good at that, and have articulated the negatives very well; I just don't think we've presented a credible, compelling vision that will get those in power to say "Ok, there's an alternative that might work. Let's try that instead of going down this other road that is only making people angry and/or probably won't have the desired outcomes anyway."


The problem with what you are saying is that even if a backdoor could work technically, and it was actually used effectively by the authorities (the Paris attackers communicated over unencrypted media), it STILL would not do anything to "keep people safe".

130 people were killed in those attacks. 361 people died in automobile accidents in Minnesota in 2014, to find a random statistic. Terrorism is simply not a real threat, and eliminating it will not make anyone any safer.


While not a "we should live in fear" level threat (or even a "take off your shoes at the airport" level threat) terrorism is certainly a real threat. I do want the government investigating and dealing with that threat. That being said, the threat is not immediate enough to warrant the infringement of our basic rights.


I generally agree with your tack... I just want to throw out there that I'm a little concerned about our use of the word shrill. It means high pitched and piercing, and is typically used for women's voices for obvious reasons. There's nothing actually bad about being shrill... That just means you are a woman (high pitched) whose message is getting through (piercing). There's no similar word for men who are being heard and the listener is uncomfortable with it, that I know of.

It's often used as code for "a woman is speaking, plz ignore" the same way bitch is.

I would just politely suggest you use a more descriptive word for what you were alluding to.


I've never heard shrill used to describe a voice, I for one mostly associate it with mechanical noise ("The machine erupted to life with a shrill screech").

In any case, in the above comment it is used to refer to the way the pitch of male and female voices rises when frightened or excited and is far from being a gender-specific slur.


You are making a rather large logic leap in assuming what politicians and intelligence services want. It is extremely unlikely to be only "keeping people safe".


> It is extremely unlikely to be only "keeping people safe".

Why do you say this? It seems you are accusing parent of making a big leap in logic and then doing the same type of leap yourself.

Do you have any evidence that they want to do more than keeping people safe?

I've worked with and talked to many who work in the DoD space and while there were some who didn't seem to understand how technology worked I never met one who didn't seem genuine in wanting to keep people safe. Sure plenty of contractors just want the money and don't give two shits either way and sure this is only anecdotal but do you have anything better?

Seems the easiest, least complex reasoning is people who are not well enough versed in the technology but have good intentions are trying to do what they think is most correct when it may not be.


There is certainly such evidence, you don't even need it really as it's literally in the mission statement of some of these intelligence agencies: they do anything that is "in the national interest". Yes, keeping people safe is clearly in the national interest, but many other things are too, hence the fact that GCHQ has spied on climate change talks, trade deals, attempted to influence online discussions, the NSA has hacked oil companies, etc. They are in no way limited to a mission of 'keeping people safe'.

This is one reason I tend to think intelligence agencies should be disbanded and their best people merged into police forces. The police have a clear and (relatively) focused mission: fight crime. Most of those criminal investigations are about keeping people safe in one form or another. Police forces aren't tasked with economic wellbeing or "cyber defence" or any of the other crap that the intelligence community has tried to take on for itself.


Exactly. Remembering all their extra goals and schemes they've used to achieve them helps keep things in perspective. I've had success presenting it to lay people as a bait and switch showing all the crap they do then what they say. Hardliners swallowing tons of propaganda will usually disagree and back their media's claims no matter what. Yet, many people are receptive to this technique.

Bonus points if you show the risk to them personally: makes them most likely to act against it politically. :)


A logical inference.

Given:

Things like mass phone surveillance, passively breaking legitimate encryption used by non criminals, introducing vulnerabilities, and other plainly illegal behavior is being deployed against citizens

..with no recourse..

..which are answered with outright lies when challenged (c.f. Snowden, Clapper's lies before Congress)..

..and the methods are of dubious actual effectiveness when it comes to "keeping people safe"

..and they in fact reduce safety when it comes to introducing vulnerabilities which can be misused by criminals

Therefore:

The aims of said behavior are plainly not to "keep people safe", but some other ulterior motive. Simple statistics show that garden variety cybercriminals are a more real threat to the average person than terrorists - so do no statisticians work for the feds, or is there a different plan we're not seeing?


Never heard of Hanlon's razor?


What is the simpler answer that you think I've overlooked? Corruption in government is not exactly a new phenomenon...


I'll take that as a no, since you've clearly confused it with Occam's.


[deleted]


Surely informing you that you were wrong should be sufficient to prompt you to look up what I was actually referring to. It would take all of 4 seconds. If you're not going to do even that little, rudely stop replying.


I am not saying that it is 'only' or that they are entirely guided by that motive. But if you look at that as one of their primary guidances, and assume a lack of technical knowledge in many areas by the lead principals, their actions make sense. Maybe there are ways to help them achieve their goals that have not been conventionally explored?


I am sure most politicians and intelligence people want to keep people safe, the problem is it is unlikely to be their only motivation.

Let's say we do manage to come up with an alternative that would keep people safe without requiring mass surveillance then it would not remove any of the other motivations (say business espionage). I think appealing to a technical solution for a political problem is unlikely to work, but it could be possible.


How about this: we assume terrorists can fucking talk covertly whenever they like (since there are myriads of channels and codes that they can use) and that mass surveillance is not the way to catch them plotting their next act.

And from then on, ONLY use surveillance on specific targets under investigation.

And while at it, maybe even have a limit on the number of targets each agency can investigate, so they choose them wisely.


>And while at it, maybe even have a limit on the number of targets each agency can investigate, so they choose them wisely.

This is an insanely bad idea. I understand where you're coming from, but think about how that would play out in real life. I was going to write it out, but I really think that you can probably figure it out if you do think it through. From the perspective of the intel/policing agency, and from a political side, there are too many good reasons why we should not limit the number of targets an agency can investigate.


>This is an insanely bad idea. I understand where you're coming from, but think about how that would play out in real life.

Make it a sane number, and it's not gonna play that bad at all. The only problem would be them claiming "if I had more allowable targets I would have caught this or that case before it happened" etc. Which we should just ignore.

After all, before they got these modern toys, they used to be content with 1/1000000 the available targeting that they have now.

In the seventies and eighties even, to target somebody involved lots of people actually in the streets, a semi-manual process to record his phonecalls (and you had to go through them with a real person, no keyword triggering etc), no "web" and other records automatically available etc. Checking half or all of the US at once at the scale we do today was not an option, not even 1/100000 that. You could ask for phone records and a couple other items at best.


How about actively at one time if not in general? I think if you think through it you can figure it out. Just start with all the terrorists and crooks they already had red flags on but did nothing. Then, look at what excuse they make about connecting the dots in so much data. Then look at the two obvious solutions:

(a) Magic, AI, pixie dust tech that spots the evil, relationships, and all key information in nearly unlimited, streaming data.

(b) Eliminating bulk collection (except maybe metadata) while forcing them to focus on the results of targeted investigations on accounts or individuals. Also, forcing them to follow-up on solid, red flags rather than BS around trying to find reasons everyone else might be guilty.

I think pushing for option B is a rational choice. Also, ensuring the greatest accountability possible given all the main players have a history of using their police and intelligence for matters that have nothing to do with protecting citizens.


When does an investigation start and end? What about when you're close to filling your limit but a few new great leads come in. Now the agents have to go close an ongoing investigation to follow up on a new one. Sounds like a lot of overhead. Not only that, but the fact of modern intel work is that investigations don't operate in a clear, linear progression.

I think that anyone that's had to deal with arbitrary limits imposed from above understands the perverse incentives that they create. This would be another example of administrators trying to fix something that they don't understand.


>When does an investigation start and end? What about when you're close to filling your limit but a few new great leads come in.

What about that? They could have a limit in the tens of thousands or so. As long as they don't waste it on BS, they could follow all the promising cases they want.

The idea is not to let them follow everybody, just for the fun of it.


Exactly. You got the message easy enough. Makes me lean more toward sophistry for the other person.


You're focused on lots of hypotheticals whereas I'm talking about what they do. Currently, the NSA and FBI are looking at hundreds of millions of connections trying to find needles in stacks of needles. They admit, outside these political debates, that they're drowning in data. FBI's metadata investigations are producing jack and missing major attacks while targeted investigations following actual evidence are resulting in convictions. Speaking of perverse incentives, the current model is so ineffective and broken that they're actually creating terrorists to convict while claiming the arrests are due to successful, post-9/11 power. Even have a number on the incentive: $100,000 per terrorist created and arrested.

https://theintercept.com/2015/04/15/fbi-informant-stung-fbi/

So, I'm pushing for more than an arbitrary limit on number of investigations. I'm pushing for them to switch their focus back to pre-9/11 where they leave most of America alone, keep good red flags, and focus their investigators on those. The barriers to intelligence sharing have been knocked down and local LEO's are integrated so dots should be connected faster than ever. With this focus, the limit will be the number of cases they're working simultaneously rather than on the books in general. It can be a multiple of the number of agents they have. Because it's hard for me to imagine one investigator effectively working ten, time-critical cases simultaneously. That's just overstretched although exceptions can be made for elite, multitasking, savant investigators if and where they exist.

So, we start with non-hypothetical stuff: the current surveillance dragnet that treats a whole country as guilty and watches every communication/association is an utter failure, a waste of money, and imposes chilling effects on democracy. The alternative is the original model of presumption of innocence, trained investigators following leads, prioritizing for most serious, and following through with good policework. Interestingly, the alternative already exists and runs in parallel with the surveillance state. Most convictions come from the alternative method. So, I don't have to justify it so much as point out that one is field-proven, it harms fewer innocents, and it's cheaper. Ditching the failed method for that one is a no-brainer.

Unless, it's about money for defense sector and power over dissidents/competition for the nation that wields it. In that case, they'd try to keep the surveillance tech while continuing to lie about its purpose of protecting citizens from stuff it can't catch. Like we're seeing. ;)


They already knew about most of these people and had wiretaps on a couple of them.


Mohammed Atta was also a person of interest. This has always been the case and was the case all the way back to 9/11, and it illustrates why mass surveillance won't stop terror. How do you tell the difference between someone who will actually act and someone who holds beliefs that overlap with terrorist ideologies or who simply talks trash on the Internet and is never going to do anything? Any dragnet will simply drown you in more false positives.

Edit: lots of people saw Atta being a POI as a sign of a "let it happen" conspiracy, but the much more likely explanation is that he was on a very long list of watched persons. Being of interest for whatever reason is not a crime (and shouldn't be), so there is nothing the FBI or anyone else can do until someone actually does something. Of course then it's too late.

Police can rarely stop crime unless they happen to luck out and be at exactly the right place at the right time. They can only catch criminals and take them off the street so they can't commit more crimes.


> lots of people saw Atta being a POI as a sign of a "let it happen" conspiracy, but the much more likely explanation is that he was on a very long list of watched persons.

Yep. It's a prime example of why these surveillance powers simply don't function the way their proponents claim in public.

A large part of the reason there are these conspiracy theories is because their failures seem to be spun so well they might as well have been planned for all intents and purposes. They immediately blame other people and clamor for money and power to further their interests ... and people actually take them seriously which to me is the scary part.

France has the most extensive mass surveillance capability of any first world Democracy and the ability to act without the permission of the courts or legislature ... yet it wasn't enough.

I don't see how "more power" is the answer. It seems to me that suicidal people are going to be successful at taking other people with them no matter what we do. So we take reasonable precautions that don't infringe on everyone's liberty. Then we make sure people who ignore actionable intelligence have career ending consequences to make them accountable.


Many of them are recruited in prison.

Just like American prisons where petty criminals learn to become more violent and escalate their crimes when they get out because prison offers nothing else for them.


That's the kind of shit you'd expect a group of intellectuals to put on parchment or something. Maybe even found a country bound to such principles in some covenant between the people and its government. Maybe we need to look into creating something like that given I haven't noticed one around in North America lately.


Surveillance on specific targets is only useful if we are allowed to assume that surveillance sometimes works.


Apparently, the terrorists that attacked the concert hall in Paris last week were using... unencrypted text messages to communicate between themselves and/or their "boss".

According to the newspaper Liberation [1], they sent a text message at 9:42pm telling: "we're out we begin".

[1] http://www.liberation.fr/france/2015/11/18/la-piste-du-sms-e...


> but debates about whether the technology should have a "back door" for intelligence services are heating up again

What "debates"? there is absolutely nothing they can do to enforce terrorists to use backdoored encryption, any debate is just a waste of time, money, and maybe even lives. What are they thinking??


> there is absolutely nothing they can do to enforce terrorists to use backdoored encryption,

I suppose they could deceive the public and put something in without telling us. That would be a real improvement! Oh wait,...Snowden...

The more I hear about what Dianne Feinstein proposes in areas outside her expertise, the more I wish someone would defeat her in an election. She keeps proposing stupid stuff that sounds good to uninformed rubes.


The NIST curve (for instance) was not exposed by Snowden, he just confirmed what everybody already knew.

I can't believe the CIA is this stupid, it's not possible, they want something else from all this anti-cryptography talking.


Watch this clip around 1:48. According to Dianne Feinstein, she seems to imply that she sensed 9/11 was coming:

http://www.nbcnews.com/nightly-news/video/is-isis-video-abou...


Exactly. This is the same as gun control. If a technology exists, you cannot tell people to not use it; otherwise, all you've done is put law-abiding citizens at a competitive disadvantage while arming the bad guys. To argue otherwise is absolute ignorance.


> If a technology exists, you cannot tell people to not use it; otherwise, all you've done is put law-abiding citizens at a competitive disadvantage while arming the bad guys.

This comment is amazing self parody.

So what, should we let people cook up nerve gas and anthrax and build surface-to-air missile launchers in their garages, to make sure they have competitive parity with the bad guys?


Most individuals who would even begin to consider trying to "cook up" substances like nerve gas or anthrax "in a garage" would undoubtedly die in the process, in which case problem solved.

And yes, people should be able to build "surface to air missile launchers" in their garages. It's called amateur rocketry, and last I checked it was quite a popular (and legal) hobby.

The vast majority of encryption is used in a lawful way to protect important things (information). The vast majority of firearms (in the USA at least) are used in a lawful way to protect, deter, as a hobby/for fun, and for sport/hunting.

They are very similar arguments, for a number of reasons, including the utter stupidity of attempting to make law-abiding citizens jump through even MORE hoops whilst accomplishing absolutely nothing in "preventing the bad guys from making use of" said technologies.


Do people have a need to shoot down airplanes? How about nerve gas? I don't see the comparison.

The difference is that regular people do have a need for secure communication channels. Even things other than what you typically think of as "communicating" like bill payments and shopping. Encryption is a defensive tool. It keeps people from stealing all your money.

Trying to ban strong encryption because terrorists use it is not like trying to ban nerve gases because terrorists use them. It's more like trying to ban pickup trucks because terrorists use them.


The point is, “if a technology exists, you cannot tell people to not use it” is a terrible argument for anything.

We restrict people’s use of technology in all sorts of ways to protect the basic order of society. For instance we restrict people from driving 150mph rocket cars or armored tanks with cannons on residential streets, we disallow radio jammers, we carefully regulate access to radioactive material, we don’t let unlicensed doctors implant untested medical devices, and so on.

More generally, gun control is almost entirely irrelevant to encryption. It’s an emotionally charged non sequitur which derails the discussion.


Gah. Look, I'm a big fan of end to end encryption and I'd like to see more of it out there, but this kind of post just shows we're collectively missing the point these politician/FBI types are making.

There is a huge difference between https://gmail.com type encryption and true end to end encryption. Pretending there isn't will get us nowhere. The first type is sufficient to keep out ordinary criminals, competitors, even some governments. It is not sufficient to keep out the local government itself, which can still go serve an interception order on the service provider without the target being aware of it.

The upgrade in security between true end to end crypto and user-to-service-provider crypto is essentially, that governments can no longer do that. This is a positive for avoiding 1984 style dystopias, but obviously it's rare for governments to worry about that risk (as they "know" they aren't dystopian ... and don't care to think about the future). When western governments talk about banning encryption, the only type they are really talking about is the type where they can't go to some big corporation and get the data when they want it. And that type is still pretty rare. Actually almost nobody uses it.


My biggest concern isn't so much that the government could get a warrant with probable cause and intercept a few emails or monitor my web browsing, it's that for all I know (seems pretty likely?) a significant chunk of everything I do online is intercepted and stored forever, encrypted or no.

If we allow a ban on secure end-to-end encryption, are we setting ourselves up for a future government to go back and demand access to everything we've ever done? Do I want to have somebody in 2060 datamining my entire life? It's worrying to me.

Short of putting better end-to-end encryption everywhere, I'm not sure how we prevent that. As you say, that sort of encryption is pretty uncommon, so maybe this is what we're headed toward either way. I think it's worrying.

But I'm not an expert on cryptography. Are there other solutions?


Just use companies that delete stuff when you ask them to. There's no need for encryption to solve the lifelong-record problem.



But the fact is we can't stop people cooking up nerve gas and anthrax in their garages if they want to. Just like we can't stop them building their own encrypted apps. Banning it won't stop a determined group.


It's true that bad actors will use those things regardless of if it is legal or not. I agree it's a bad comparison because the difference here is that nerve gas and guns have potential to kill other people even if given to "good guys".

Secure communication does not kill other people, it protects yourself. We should allow everyone to have that because by taking it away the only thing we will do is harm law abiding people.


Here in the UK, there are very strong gun controls - and guess what, there has not been a single mass shooting incident since these gun controls were introduced - whereas in the USA there seem to be mass shooting incidents every other month.

EDIT I should have said mass shooting incidents in the UK are extremely rare, but of course not impossible because people can still legally keep shotguns and rifles.


France also has very strong gun controls. It is of course, more complicated than that. And, by the way, a man shot and killed 12 people in the UK in 2010 with legally held rifles: https://en.wikipedia.org/wiki/Cumbria_shootings


France's gun controls are looser than the UK's, but more importantly they don't have a defensible border. Laws are one thing: successful implementation of them is something quite different. The EU has a very weak border in general and especially once former eastern bloc countries joined Schengen, stockpiles of former Soviet weapons overnight went from one side of the border to the other.


That's not what was said, though. Pera said that there's nothing you can do to force terrorists to use encryption containing a back door.

You are saying that you can't tell people not to use something.


I think what mangeletti meant was that you can't force anyone not to use strong encryption if it exists.


It's not the same as gun control. A gun is a physical thing that cost money, has reliable detection mechanisms, has risk to ship, and so on. A message is just bits or timing that can be coded into anything with little skill or cost by anyone. Free tools all over the Internet to do it, too. Controlling the flow of guns is nowhere near as hard as controlling the flow of information.

Just ask all the gun control states also attempting to prevent crime and track dissidents via mass surveillance. Their failure rate is through the roof except for the most incompetent or uneducated targets. And even some of them slip through.


It's worse, because a gun is a discrete physical item. Encryption code is virtual and infinitely replicable, regulation is extremely ineffective at restricting it from those that want it.


This is the thing I don't get at all about this debate, non backdoored open source encryption tools already exist and have for a while... you can't backdoor them because it'd be obvious from looking at the source that something fishy is going on. Are we just hoping that terrorists won't find out about these technologies?


Once everybody only uses backdoored encryption, it becomes possible to detect those who use illegal encryption. And that's very valuable.

Of course there's the issue of steganography, but I think it's technically and theoretically much harder than encryption - so maybe the balance of power there benefits intelligence agencies more than encryption.


Oh and by the way - the Paris terrorists didn't even use encryption:

https://theintercept.com/2015/11/18/signs-point-to-unencrypt...

How about that? Hopefully now the blame will be put where it should be: the wastefulness of mass surveillance, which dramatically increases the "noise" compared to the signals, since the agencies have to "look" at many more innocent people and waste time and resources doing so.


The line at the end that really hit me was this:

> Almost all the attackers were known to the authorities, and if they had been watched, their use of encryption programs would have itself invited closer scrutiny.

This is precisely the scenario that Phil Zimmermann (creator of PGP) and others have been warning about (and working against) for decades. As Zimmermann said in a 1999 essay linked here not long ago, "What if everyone believed that law-abiding citizens should use postcards for their mail?" (https://www.philzimmermann.com/EN/essays/WhyIWrotePGP.html) The scary part to me is not just that it's our present reality, but that it's so readily accepted. Crypto advocates need better PR. (And to be fair, better UI.)


Better UX as well, but I guess you implied it. The only apps I can convince friends to use that support encryption are the seamless ones.


The IRA were known to recruit top STEM students from universities in Ireland during their campaign to make bombs. Surely an entity as large and as well financed as ISIS would have little trouble finding bright young engineers & technologists sympathetic to their cause to simply build their own encrypted services? And then so much for the spooks' 'backdoors'.


Because PGP has been so successful?

The tactic you're suggesting has been tried before (the software was called Asrar, I think). It doesn't work well for them, for a couple of reasons:

1) Custom terrorist software is no easier to use than something more mainstream like PGP, but is a lot more incriminating if you're found to be using it.

2) Is it really made by fellow jihadis? Or is it a backdoored plant by western intelligence? How can you know?

The latter question is a bigger issue than you'd expect. Terrorists don't like to helpfully announce their real names and backgrounds on their websites, so the provenance of jihadi software is frequently unknown. It just sort of floats around on the internet. So it can be much harder to trust than just a plain old copy of PGP.

You might think that IS can solve these problems because it's bigger and more organised than a group like al-Qaeda. But it's not like IS has an official website with a nice SSL certificate and a big download button (CAs will generally not sell to sanctioned entities). They use networks of ad hoc and quickly suspended Twitter accounts to communicate, and apparently, Telegram. So for them to distribute custom crypto software wouldn't be easy.


Ah... But let's say you and I have already met up in a training camp in Afghanistan or Syria and installed an apk on our smartphones!

But those are interesting points.


> Surely an entity as large and as well financed as ISIS would have little trouble finding bright young engineers & technologists sympathetic to their cause to simply build their own encrypted services?

You wouldn't even need the brightest engineers. In fact so many encryption algorithms have been open sourced and / or in library form for so long that it's easy for practically any developer to do.


Just having a library that does something doesn't magically bring security. The issue is, the engineer still needs to know a lot of stuff (or strictly conform to the instructions) to use the thing correctly. There are too many ways to screw the thing up without even knowing it.

So, if the thing's to slap some nice GUI upon an existing library that implements the security bits, then almost no knowledge's required. But if one has a library full of primitives but still has to combine them in a meaningful way - it's a damned minefield.


That statement shows you haven't spent any time researching the security of secure messaging solutions. Or security software in general. Virtually all of them had protocol or implementation flaws with most having flaws so severe that cryptographers and top programmers saw fit to write books detailing how to do it right.

Books most people making "private" apps still haven't read. ;)


Having traffic encrypted with illegal algorithms pass through the Internet would make you a target.


How would one determine whether a legal algorithm was used or an illegal one? Even without steganography?


Can we run the ciphertext through a state-approved program and get the plaintext? No? Then it isn't backdoored and is illegal.


Well, maybe I'm transmitting my memory dump or generating random traffic / sprouting entropy. Or everything is transmitted with mime types? Even so it makes no sense as even the most basic steganography would provide plausible deniability. I mean encrypted data is indistinguishable from noise...
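The claim argued in the comments above, that ciphertext looks like noise and so an observer cannot tell which algorithm produced it, can be checked with a byte-frequency test. This is an added example, not part of any comment in the thread; the sample text, the key and the SHA-256 counter keystream standing in for a real cipher are constructed assumptions.

```python
import hashlib
import math
import os
from collections import Counter

# Constructed sample plaintext (64 KiB of repeated English text).
SAMPLE_TEXT = (b"The quarterly report is attached; please review it before Friday. " * 1200)[:65536]
KEY = b"constructed-demo-key"  # placeholder key, not a real secret


def toy_stream_encrypt(key: bytes, data: bytes) -> bytes:
    # Stand-in for a real cipher (assumption): XOR with a SHA-256 counter
    # keystream so only the standard library is needed. Not for real use.
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from observed byte frequencies."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square distance of the byte histogram from uniform (255 d.o.f.)."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def classify(data: bytes) -> str:
    """What a passive observer can say: structured, or random-looking."""
    if shannon_entropy(data) > 7.9 and chi_square(data) < 400:
        return "high-entropy"
    return "structured"


def samples() -> dict:
    return {
        "plaintext": SAMPLE_TEXT,
        "ciphertext": toy_stream_encrypt(KEY, SAMPLE_TEXT),
        "os noise": os.urandom(len(SAMPLE_TEXT)),
    }


if __name__ == "__main__":
    for name, data in samples().items():
        print(f"{name:10s} H={shannon_entropy(data):.3f} "
              f"chi2={chi_square(data):9.1f} -> {classify(data)}")
```

The ciphertext and the OS noise land in the same bucket, so this kind of check can flag traffic as "not plaintext" but cannot name the algorithm behind it; well-compressed data scores high as well.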


On the other hand, your reply deeply reflects on the common (lack) of knowledge of government types - I could bet they think the same :)


"illegal algorithms"

Wow, how do you define that? So, start banning math now?


Hey, I'd love to know exactly how one implements backdoored crypto without banning securely encrypted communication.


I think this article misses the most obvious point. Encryption is widely available for free and in the open. It's not about listing the devices or code they might not trust, if there's even one that they do trust, then you can backdoor everything else and it won't matter.

Why do they think they can put the Genie back in the bottle? The answer is they know that they can't, the backdoor only affects the people who don't care they are being tracked. It's not for terrorists, it's for people who carry smartphones. Which is almost everyone, so good enough for them. But the argument is absolutely nothing to do with "preventing terrorism".


This is like in WWII, when Churchill and Turing gave so many newspaper interviews re: how awful it was they couldn't crack Hitler's encryption anymore that he finally gave in, went back to the 3-rotor Enigma machines and we won the war.


When X is illegal, only the criminals will have X.

Replace X with basically anything.


As a mere point of interest, that is logically equivalent to:

  When not only the criminals have X, then X is not illegal.


When X is anything, criminals will likely try using X for bad things. :D


when murder is illegal, only the criminals will murder


"When nuclear bombs are illegal, only the criminals will have nuclear bombs."

I think your grand unifying theory needs more nuance.


I hope we don't depend on the unavailability of nuclear bombs to the bad guys on them being "illegal".


No, we depend on the enforcement of that illegality, which is usually assumed when people discuss banning something.

(EDIT: Previously said "making something illegal", which I realised was ambiguous.)


What, do you plan to make talking about crypto illegal too?


I was replying to the general sentiment, not the specific.

Obviously banning encryption is ridiculous, but the "Only criminals will have X" argument is just silly rhetoric.

EDIT: I just noticed the ambiguity you're more likely responding to in my original post. I'll reword it.


I think your nit-picking needs more thought, nuclear bombs are illegal for an individual to possess, and if someone had managed to obtain a bomb from say the former USSR, they would most definitely be considered a criminal.


I think the entire discussion misses the even more important point - terrorists won't care whether encryption is backdoored or not. It's a good OPSEC to assume all communication is being listened to anyway, and to rely on steganography and disappearing in the noise. Bad guys will simply use the same backdoored crypto everyone else will be using, communicating in the same way they do today, because using the unbroken crypto will be easily detected as suspicious action.


"rely on steganography and disappearing in the noise."

They already do that[0].

0. http://arstechnica.com/business/2012/05/steganography-how-al...


Yes. My point is, they'll keep doing that, so backdooring encryption doesn't really help in any way.


As with most things, I think that it is a trade off. There is a very delicate balance between security and privacy.

Too much surveillance

- General public feels incredibly uncomfortable due to lack of privacy

- An incredibly scary amount of power in the hands of whoever has access to that information ( and who knows what they will do with it )

- Reduced risk of terrorism and security concerns

Too little

- Increased risk of terrorism + massive security concerns due to lack of intelligence ( it's like trying to find a needle in a huge haystack )

- Public feels safe due to perceived increased privacy and yet feels unsafe due to ( potentially ) increased number of terrorist incidents.

It's a rather difficult problem to solve. How can we extract critical security information without invading people's privacy?


"I was able to leave and come to Shām (Syria) despite being chased after by so many intelligence agencies. My name and picture were all over the news yet I was able to stay in their homeland, plan operations against them, and leave safely when doing so became necessary," Abaaoud claimed in the interview, according to ISIS."

http://www.cnn.com/2015/11/16/europe/paris-terror-attack-mas...


A back door to encryption would be a great tool for terrorists if it were leaked.


When not if.


I've gotta believe these organizations can find one or two developers among the billions of Muslims on this planet. Why wouldn't they just write their own apps for Android and call it a day?


The Mexican cartels captured and paid engineers to build them their own private cell network[0], so it isn't out of the realm of possibility that ISIS is doing something similar.

I am sure they have at least a few engineers kicking around what amounts to be an entire country. I haven't heard many people harping on about encryption, TBH, except people defending it here and that idiotic NYT article.

However, if you had 10 amazing engineers you would likely have strike capabilities orders of magnitude higher than a few suicide bombers. So sure, gather surveillance, but let's play some defense. Shore up our infrastructure much better than we do now, because after they make their own apps and networks, they are going to come for ours potentially.

[0]http://www.wired.com/2012/11/zeta-radio/


They could and they did. They have recruited quite a few people with more than just basic IT knowledge.


This is to control the population, and it will get asked for every time there is a nice excuse.


I always assume these types of stories are red herrings and intelligence agencies already have back doors or decryption methods that they want to keep hush. Make a big song and dance about how encryption is secure and push criminals towards it, meanwhile it's a trap. Look at all the Tor takedowns as evidence. It's all fine by me really.


Like they did with iPhone, etc before Snowden showed they had compromised it all? ;)


If they know there's a backdoor to one type of encryption won't they just use a different form of encryption?


This isn't about terrorists using encryption. It's about a culture of control, violence, and domination trying to extend its power to encrypted communication.


There's no evidence the plotters of the Paris terrorist attacks used encrypted communications

First sentence is already wrong.

They recovered smartphones that had encrypted messaging apps.

Still no excuse for government backdoors which will be stolen by all kinds of entities within months of their creation and allow the wrong people to spy on law enforcement itself.

Government had a 10 year headstart before all this, where are all the terrorists they stopped before this?


My phone has at least two encrypted messaging apps on it that I've been meaning to learn how to use. Everyone I know uses Kik though and has 0 desire to switch. So we really don't know that they were actually using them if that's all they really found.


Well, unless they factory reset the phones, which they obviously did not, Android keeps usage stats on apps so it would be obvious if the apps were used or not.

But you are right, it could just be someone overstating something where apps have the ability to be encrypted, not that they were used that way.

Still all these people were already known to their secret services. Some even had phone taps already. It was yet another intelligence failure like we saw on 9/11.


I think one thing we as a tech community overlook is the expectations on the intelligence community. The broader community expects the intelligence agencies to stop ALL terrorist attacks, and that's just not feasible. This drives the intelligence agencies to do more, which is why I think there is a big push for broad dragnet activity.


Terrorism, anarchy, and general mischief all existed long before the Internet and will undoubtedly outlive it.


Back doors are very useful to tracking down tax evaders, political opponents or dissenters, or any other number of things which increase government revenue or power. Terrorism is just one excuse used to justify the rest of it. Crypto backdoors will be mandatory one day, it's inevitable.


It's inevitable only with an attitude of "it's inevitable".


If you believe it, it will come true!


I like how we are lumping together tax evaders and political opponents, as if it was equally wrong to apprehend both.


Governments regularly intercept plain old SMS messages. If the government can demonstrate cases where this has prevented a terrorist incident in the past, wouldn't that suggest that similar snooping on iMessages would prevent terrorism in future?


"Almost all the attackers were known to the authorities, and if they had been watched, their use of encryption programs would have itself invited closer scrutiny."

Well, unless they were using WhatsApp or iMessage, which almost everyone uses.


> A Back Door to Encryption Won't Stop Terrorists

It's not like terrorists use Twitter


[flagged]


We detached this subthread from https://news.ycombinator.com/item?id=10590512 and marked it off-topic.

You're not allowed to accuse other users of astroturfing or shilling without evidence. Having an opposing view doesn't count as evidence. If you have sincere suspicion that someone is astroturfing, you're asked to email hn@ycombinator.com. We take such emails seriously, look at the data, and if we find evidence, we act on it. I've explained all this dozens of times:

https://hn.algolia.com/?sort=byPopularity&prefix=true&page=0...

https://hn.algolia.com/?sort=byPopularity&prefix=true&page=0...

If you poke around HN search you'll find cases where we banned people for abusing the site this way, but the overwhelming majority of accusations are just users slinging dirt at users who happen to disagree with them, and we're adamant about that not becoming more of a thing here.


Out of curiosity, has anyone been banned specifically because it was believed they were compensated for their comments?


No, but we've banned people who were acting like it. HN accounts don't come with payroll stubs, so we work with the data we have. :)


> a government apologist

That's entirely uncalled for. Just because you disagree does not make someone a government apologist.

I guess you'll call me a government apologist next.


He is defending a corrupt institution which has repeatedly lied, tortured and murdered.

Also, what he wrote is wrong, chances are not better than even that some random issue is a certain way because of some complex technical reason, most decisions in DC are made through the lens of politics, ask anyone who works in policy and they will say the same.


I might even agree with you. But that's no reason to resort to name-calling. Attack the reasoning, not the person.


[flagged]


> unfortunately mods seem more interested in sweeping such incidents under the rug than being upfront with the community.

There you go again. I know for a fact that the mods take these things very seriously and are very upfront about it to the community, of which I am a member.



