How exactly are they supposed to permanently remove all semblance of privacy? Short of infiltrating popular open source projects in plain view and proving the (potentially) unprovable, I don't see how this is possible.
If they can't quite do that, then they bring back the whole "export-grade cryptography" thing, except they call it "terrorist-grade cryptography" this time around. Then they start monitoring every crypto-capable open-source project's responsible disclosure system. When they see a vulnerability good enough to subvert that open-source project, they shut down that project before the bug can be fixed. And then they suppress all knowledge of the bug.
Or they infiltrate popular open-source projects in plain view. Wouldn't be hard at all to get that one bug they need in some peripherally relevant subsystem that nevertheless breaks the entire thing.
You're assuming that the government is hyper-competent. I'm not so sure. There are an awful lot of cooks in that kitchen, so to speak. Eventually, it'd leak that they're purposely sabotaging open-source projects. Not that that possibility might stop them from trying, but it'd certainly hamper recruiting efforts considering the people best able to do the sabotage are the ones likely to be contributing to the projects in the first place. And even if they can start forcing tech companies to take actions that hamper their own security, the best cooperation they can hope for would be a grudging one at best. It'd be like getting involved in a land war in Asia.
Look at the fight against child pornography. Tech companies dedicate a lot of resources to fighting child pornography and working with the FBI to help prosecute offenders and NCMEC to help identify the children being exploited. Even with the active and enthusiastic support of the tech community, it's an uphill battle. How much more difficult would that fight be without that support?
Point being, if governments can't make child pornography--something everyone is against--go away, how likely is it that they'll be able to make a dent against encryption?
"Child pornography". Any pornographic depiction of a person deemed 17 years old is child pornography. It need not be a photo; it could be a drawing. If the origin of the picture is unknown, I assume any picture of a young-looking 25-year-old person could be assumed child pornography during an investigation. As horrible as actual unconsented pornography is, which I frankly condemn, I still take it with a grain of salt when I'm told "This CEO has child pornography on his computer".
"Then they start monitoring every crypto-capable open-source project's responsible disclosure system. When they see a vulnerability good enough to subvert that open-source project, they shut down that project before the bug can be fixed. And then they suppress all knowledge of the bug."
...to exploit it? Seriously?
I'm not saying it's impossible or unlikely, it just sounds like 1. it's a tremendous amount of work 2. it still doesn't actually solve the problem
I know, I know, the idea is incomplete, it needs some tweaks and refinement. It's just there to demonstrate the kind of power, freedom, and creativity we should be expecting to be pointed at crypto-capable open-source projects in the future we're looking at.
As for it being a tremendous amount of work: First, I'd guess that, given the infrastructure they already have, they could probably pull it off with a few dozen people. It's not bigger than, say, Reddit (78 employees?!). Second, have you seen how much effort they're putting into this kind of thing? They already have server cabinets throughout the US that read most of Americans' internet. IIRC they managed to stick a black box between Google's datacenters that could snoop on people's email while it was flying back and forth between their distributed storage system. Just imagine how much money, physical access, and reverse-engineering those things took. And not only that, but that was theoretically GCHQ that did them, not the NSA! Foreign soil!
Seriously. The right mindset here isn't that it's "too much effort" or that it "doesn't work that way". We're dealing with something that has in the past demonstrated the ability to do these kinds of things. If you want a good set of tools for getting into the right state of mind for this, we should be treating it sort of like a hostile superintelligence, not any kind of bureaucracy.
As PHK pointed out, the NSA (and other large SIGINT agencies) obviously already have some amount of influence on popular free and open source software.
If anybody finds this at all surprising, watch PHK's "Operation Orchestra"[1] ASAP.
They can always go the FCC route and enforce a lockdown on any general computing device sold within the border: submit your source code to our automated build and signing service or your software will simply not run.
Remember that all that is required is that the majority of people comply.
As it already is in some cases in the United Kingdom. Granted, their freedom of speech protections aren't as great as ours, but if Congress really wanted to, what's to stop them from making a Constitutional amendment that declares encryption keys as not being protected under the Fifth Amendment?