House Judiciary Committee Encryption Working Group Year-End Report [pdf] (house.gov)
214 points by BuuQu9hu on Dec 25, 2016 | hide | past | favorite | 71 comments



The good:

> Congress should not weaken this vital technology [encryption] because doing so works against the national interest.

The bad:

> Metadata may not completely replace the loss of encrypted content, but metadata analysis could play a role in filling in the gap. The technology community leverages this information every day to improve services and target advertisements. There appears to be an opportunity for law enforcement to better leverage this information in criminal investigations.

The ugly:

> Although much of the debate has focused on requiring third party companies to decrypt information for the government, an alternative approach might involve compelling decryption by the individual consumers of these products. On a case-by-case basis, with proper court process, requiring an individual to provide a passcode or thumbprint to unlock a device could assist law enforcement in obtaining critical evidence without undermining the security or privacy of the broader population.

> With respect to the Fifth Amendment, is there a substantive or legal difference between unlocking a device with a passcode and unlocking the device with a biometric identifier? Is entering a passcode a “testimonial act,” as some courts have held? Is a fingerprint different in any way?

> Are there other circumstances that would enable the government to compel production of a passcode without undermining the Fifth Amendment?


How is that "ugly?"

- Case by case basis (i.e. not a giant dragnet).

- Proper court process (i.e. warrants).

- Likely not done in complete secret and with normal regularity oversight.

That's the gold standard to me, not the ugly. I WANT courts to issue warrants against individuals based on a real concrete criminal case.


I see where you're coming from, but a few observations:

- The judicial branch is wading through this question now (sometimes allowing compulsion, often not); it's not a question for Congress to answer, as appealing as it might be to them to help us redefine our Constitutional rights.

- We're in the analogy danger zone, but would you say that your phone is more like a safe or more like an extension of your mind? What do you think your answer will be 10 years from now? 20 years from now?

- Dragnet vs. compelled disclosure is a false dichotomy. The NSA and friends will continue their collection of data + metadata at scale, regardless of the outcome here.


Very much more like a safe. "Extension of the mind" feels like nerd babble.

If you insist on this line of thought there is actually a close analogue that has been around for centuries: the diary.

People have been writing down their private, even intimate thoughts in diaries, and nobody is surprised that diaries can be seized and used as evidence in a court of law.


If we could ever scan your neurons and determine data from them, would you be ok with that? While I can't imagine them pulling out whole thoughts, I can imagine them extracting phone numbers, as an example. Sure, that might be 100-200-500 years in the future. I have no idea, but unless you believe the data in your brain is stored in your soul, it seems reasonable to believe that someday there could be a device that could dump your brain the same way we can dump memory from other devices, and that certain pieces of data will be able to be extracted.

Is that the same? Different? Okay? Not okay?

Or how about closer to reality: memory-enhancing chips are already available/in the works (https://www.technologyreview.com/s/513681/memory-implants/). Should someone using those be required to allow the government to get a data dump of them?


> If we could ever scan your neurons and determine data from them would you be ok with that?

The premise behind the self-incrimination privilege is that coerced confessions are not just unfair, they are unreliable. If you can scan neurons directly (and reliably), that rationale doesn't apply.

And in any case, I don't see the slippery slope here. Your phone and a diary are both external things where you voluntarily put information--completely different from scanning your brain.


Both writing and computers are tools for the mind. To the degree that you create a large distinction between them, you privilege people who don't need tools over those who do.

(I don't really see much difference between scanning neurons and scanning phones. I don't see that one can use phones without involuntarily putting information into them. As hard as I try to ensure my phone's Chrome browser doesn't store my browsing history, Google works just as hard to ensure that it does.)

(PS: on the topic of a bunch of people from the government scanning your neurons looking for stored thoughts: it's a horrifying world I want no part of, because such power would be abused to eliminate dissent. Governments are constructed by people, and people are not to be trusted with that kind of power.)


And if you wrote said diary in code a la an encrypted phone or laptop, you absolutely could not be compelled to decode it.


> The judicial branch is wading through this question now (sometimes allowing compulsion, often not); it's not a question for Congress to answer, as appealing as it might be to them to help us redefine our Constitutional rights.

IANAL, but from what I recall, the entire point of the legislative branch is to create, remove, and re-define constitutional rights. The judicial affirms what they are, and the executive violates them. (Sorry, is that too on-the-nose?)


This is pretty close, but I would phrase it as: the legislative branch gets to write the "fine print" of constitutional rights. Often the constitution is vague enough that the legislature has a large amount of creative license; sometimes, though, particular rights are given by the constitution or an amendment, in which case changing them in a large way, or removing them, requires another amendment - or else such attempted changes may be struck down by judicial challenge.


The full US process could be summed as: The Constitution defines some rights and laws. Congress is empowered to grant additional rights and make additional laws. Congress also implements and defines rights and laws contained in the Constitution. If a citizen feels the Constitution has been violated by Congress, then the judicial system (headed by the Supreme Court) decides whether to invalidate the law(s) or not. If a majority of citizens wish to change the Constitution, then there is an amendment process.


The legislative branch cannot create laws that change the definition of what rights are constitutionally protected or interpreted through the normal legislative process. The SCOTUS in fact can strike down laws that are passed but are deemed in violation of the US constitution. There is a process to change the constitution, but it is hard by design.


IANAL either, not even an American, but I know there's a very objective process for the US legislature to change the constitution, which is hard by design.

The GP's criticism is based on the unstated assumption that they'll try to bypass that process.


> would you say that your phone is more like a safe or more like an extension of your mind?

Your phone is an extension of your nervous system.

Marshall McLuhan claimed that all media and technologies were extensions of a human function. Clothes extend the skin, the wheel extends the foot, and electric media extends the central nervous system.

> Men are suddenly nomadic gatherers of knowledge, nomadic as never before, informed as never before, free from fragmentary specialism as never before - but also involved in the total social process as never before, since with electricity we extend our central nervous system globally, instantly, interrelating every human experience.

- Understanding Media, Marshall McLuhan


It's exactly what Congress is for. Compelling a citizen to provide a password is a gray area wrt 5th amendment because the founders didn't foresee it. Judges have to make their best guess. Congress can set the law explicitly.


Re dragnet vs. compelled: the difference is that I can provide the strongest security possible, which stops most of that and black hats, without trying to get a perfect backdoor right. Then only a tiny fraction of users are at risk via that system, to organizations their lawyers have a chance against.


Because they're claiming that they have the right to extract information that (allegedly, not even certainly) exists inside the defendant's head, i.e. to force a testimony.

There's a very obvious difference between saying "We're allowed to look inside your documents and records" and "We're allowed to force you to give up any fact we claim you know, on pain of contempt charges". Even worse is the fact that people might not actually remember encryption keys (it's happened to me several times), which would mean you could be kept in jail indefinitely for forgetting the password to some trivial volume. I know I've used TrueCrypt to keep copies of business receipts and subsequently forgotten the password years later; imagine if the government had erroneously accused me of having illegal materials in that encrypted volume.


Many countries already have these laws on the books, so you can see how it plays out in the rest of the world. In the case of your phone it's pretty unlikely you will not know the code.


Exactly. If you think the government should be able to gain access to your house, filing cabinet, etc., with a warrant, why not your phone as well?

The issue with the Snowden revelations and similar programs is that there is no warrant or court process.


> If you think the government should be able to gain access to your house, filing cabinet, etc- with a warrant, why not your phone as well?

They can gain physical access to the phone, just like they can gain physical access to a safe; they can also compel the production of physical keys or security tokens, if any. They can't compel you to provide information from your mind, such as the passphrase to a phone.


"Tell us where the body is buried, or we'll hold you in contempt of court."

Being compelled to produce any information from your mind to incriminate yourself is not acceptable.


I think we're in complete agreement here.


> They can't compel you to provide information from your mind, such as the passphrase to a phone.

In the UK, they can. [1]

[1] https://falkvinge.net/2012/07/12/in-the-uk-you-will-go-to-ja...


Why is information from your mind, like your phone passphrase, significantly different from other information to your mind, like the location of a physical key?


> Why is information from your mind, like your phone passphrase, significantly different from other information to your mind, like the location of a physical key?

In the USA because of the Fifth Amendment which protects individuals from being forced to incriminate themselves. [1]

Other (civilised) countries have similar laws.

Which puts something like the UK law, which forces an individual to reveal their private key, in conflict with that.

Specifically about my own country: The Netherlands recently adopted a revision of the computer criminality law (v3 of it). It is called the 'hack back law' because one major part of it is that it allows the police to hack suspects. That's not all it is about, though. Of note, the part scrapped was the one about a suspect being forced to hand over their private key.

[1] https://en.wikipedia.org/wiki/Fifth_Amendment_to_the_United_...


That doesn't answer my question. Why is giving one piece of remembered information that leads to incriminating evidence treated differently from another?


None of those Fourth Amendment concerns are at play. What is at stake are the limits of the Fifth Amendment. I think there's more here than just that, but that's the more interesting part.... and may well be "ugly".

If you can be forced to divulge something that you know in order to convict yourself, where exactly do you draw the line? Yes, revealing a password that you know isn't exactly forced confession, but there are a lot of stops along that path that are short of being forced to confess and yet probably prejudicial against yourself. So what is the right being defended and are the current boundaries appropriate?


> revealing a password that you know isn't exactly forced confession

Revealing a password reveals that you knew the password. It's admitting to having access to the device.

There is also the obvious problem when you don't know the password. It's manifestly unreasonable to punish someone for not doing something they can't actually do.

But if not knowing is unconditionally a valid excuse, then this is all just a hair-splitting exercise to determine how defendants will phrase the refusal. And if it's only conditionally a valid excuse, then you're back to forcing someone to testify as to why they don't know the password (e.g. admitting "that's not my phone").


People forget their passwords all the time, even after using them regularly for long periods of time. Unless we want to risk keeping people in prison their whole lives in order to compel information they simply don't have, wouldn't a simple 'I forgot' have to suffice, even if it's for a device proven to belong to the suspect?


The only way to enforce a requirement that the government should be able to access your device / encrypted message / computer, is to require that software be written to follow government-mandated protocols which will allow the access and decryption.

IMO, that's clearly a 1st amendment violation.


It's possible that you'll design a safe that the government cannot get into without destroying the contents. We say that the government can do their best to get into that safe if they have a warrant.

There is no requirement that they be able to access the content (building the safe is not illegal), but there is a procedure that lets them try under appropriate conditions. What the parent posters have been talking about is a permission structure like that where law enforcement can try their best. Doesn't force anyone to write software in a particular way.


How do you enforce this:

> On a case-by-case basis, with proper court process, requiring an individual to provide a passcode or thumbprint to unlock a device could assist law enforcement in obtaining critical evidence without undermining the security or privacy of the broader population.

I can write a piece of messaging software which, without exception, writes one of the following two things to a log: (1) a hash of /dev/urandom, or (2) message history with passphrase encryption.

If the government comes to me and asks for my passphrase and I say "I don't have one", how can they prove that I have a passphrase and am in contempt of any lawful order? The only actual way to enforce this is to make it illegal to write software which does (1).

My point is: the reason the quoted parts in the top-level post are ugly is because search warrants should already be sufficient, unless you want to crack down on the ability of citizens to do the above.
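An added example, not from the thread or the report, of why the two log contents described above look the same to an examiner: the byte statistics one can measure (Shannon entropy, chi-square uniformity) come out the same for random filler and for encrypted history, and only plaintext stands out. The cipher is a toy constructed here (an HMAC-SHA256 keystream in counter mode), as is the sample log line; a real examiner therefore has to rely on context rather than the bytes, as a later comment in this thread notes.

```python
"""Added example (not the commenter's code): compare a random-filler log,
a passphrase-encrypted log and a plaintext log using the statistics an
examiner can compute from the bytes alone.  Toy cipher: HMAC-SHA256 in
counter mode as a PRF keystream, XORed into the log.  Illustration only."""
import hashlib
import hmac
import math
import random
from collections import Counter

SAMPLE_LEN = 65536                 # bytes examined per sample
SALT = b"constructed-salt-value"   # constructed; a real file would use a fresh random salt
# Constructed plaintext log: a repeated chat line, since real logs are highly redundant.
PLAINTEXT = (b"2016-12-25 10:01 alice -> bob: see you at the range tonight\n" * 1200)[:SAMPLE_LEN]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream: HMAC-SHA256(key, nonce || counter) blocks until long enough."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_log(passphrase: str, salt: bytes, plaintext: bytes) -> bytes:
    """Case (2): derive a key from the passphrase and XOR the log with the keystream."""
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, salt, len(plaintext))))


def decrypt_log(passphrase: str, salt: bytes, ciphertext: bytes) -> bytes:
    """XOR is its own inverse, so decryption reuses encrypt_log."""
    return encrypt_log(passphrase, salt, ciphertext)


def random_filler(seed: int, length: int) -> bytes:
    """Case (1): stands in for /dev/urandom output; seeded only so the example reproduces."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum, ordinary text sits around 4 to 5."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic of byte frequencies against a uniform distribution (255 df)."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def looks_random(data: bytes) -> bool:
    """What an examiner can conclude from the bytes alone.  With 255 degrees of
    freedom a uniform source exceeds a chi-square of 340 far less than 0.1% of the time."""
    return shannon_entropy(data) > 7.9 and chi_square(data) < 340


if __name__ == "__main__":
    samples = {
        "urandom filler": random_filler(1, SAMPLE_LEN),
        "encrypted log": encrypt_log("correct horse", SALT, PLAINTEXT),
        "plaintext log": PLAINTEXT,
    }
    for name, data in samples.items():
        print(f"{name:15s} entropy={shannon_entropy(data):.3f} "
              f"chi2={chi_square(data):8.1f} random-looking={looks_random(data)}")
```

Both the filler and the encrypted log pass the same tests, so nothing in the bytes tells the examiner which case the software took; the plaintext log fails both immediately.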


What I'm more fearful of is not knowingly possessing this data but having it planted on me, e.g. a plaintext crypto header with random data, steganographically encoded into a video I'm streaming, stored in my browser cache, and this being discovered when the TSA-equivalent of a country I'm visiting surreptitiously scans my HDD (because unless they hide it from me, I'd much rather refuse, sit in a booth with angry men for 24 hours and get sent back to my home country).

If not decrypting what looks like random bytes (because that's what good encryption looks like) becomes punishable in a country, it's no longer safe to visit that country with any digital data carriers.



There's a difference between a filing cabinet and your brain.

> why not your phone as well

They can do whatever they want to my phone with a warrant. What they can't do is force me against my will to testify as to the contents of the phone. Be very careful not to conflate those two activities.


> The issue with the Snowden revelations and similar programs is that there is no warrant or court process.

For Americans, yes, or rather that the NSA meddles with internal US affairs at all. For the rest of the world, the issue is one of privacy, economic espionage, and having no way to vote in the US to get rid of this practice. Apart from Merkel. She only cared that her personal phone was tapped. Which is exactly what I expect the NSA to do: target specific high-priority targets, including heads of nation states.

But, economic espionage and mass surveillance? No.


An encrypted device is more similar to a diary written in code.

Can they compel you to tell them how to decode your diary, or force you to produce a decoded copy of your diary?


They can access your filing cabinet, but if they don't understand what's written on the papers inside, can they compel you to decode the full meaning of all papers so that they can evaluate it? They can have access to physical stuff, but not to information that they are not privy to.


How about puzzles for a metaphor?

The police can seize my puzzles, but they can't compel me to tell them the solution, even if they can't solve it themselves.

It does miss the effects (potentially incriminating content being decrypted), and maybe it's a bit too silly.


Just to remind you, SWAT was supposed to be case by case. Now they send it by default to destroy your door.


I think you have a point here - all too often there is a creeping escalation of the use of such powers.


> That's the gold standard to me, not the ugly. I WANT courts to issue warrants against individuals based on a real concrete criminal case.

Then you are not aware of the state of things. Most courts now issue warrants without fact checking, simply based on police reporting info from dubious informers. That's not how it's supposed to work yet they are doing little more than just stamping requests for warrants now.


Describe metadata analysis without giant dragnet.

The beef in the metadata analysis comes with mass surveillance. Getting a warrant to see where a suspect sends emails is not in question. There is little analysis needed there.


Very much can be done on a case-by-case basis: get a proper warrant, ask the telecom provider to provide call logs for the customer under investigation. Analyse. Ask for call records for other customers that seem to be interesting based on the initial study (if necessary, after getting an extended warrant).

None of this needs a constant omnipresent dragnet or secret courts interpreting secret laws in secret ways.

I'd go so far as to say it is dangerous to spread the idea that this is necessary.


Your comment implies a vast private-sector dragnet, obtainable by subpoena.


You mean Google/Gmail and Facebook? That ought to do for at least 90% of all cases.


No it means detailed phone bills.


Perhaps you are unfamiliar with the 5th Amendment to the U.S. Constitution.


> Congress should not weaken this vital technology because doing so works against the national interest.

One of the most surprising and encouraging statements to come out of Congress in a while.


It's not entirely encouraging because the "national interest" is separate and distinct from civil liberties. That is, if there were a way to do this while keeping the national security intact and trampling over civil rights they'd be all for it.


What are the "civil liberties" you are talking about? It is already well established that the government has a right to (under certain conditions) search through your documents and belongings.

You could also be talking about a civil liberty to be able to run what software you want. However, the hypothetical laws that are covered by this report include ones that only restrict what major companies do; and we already accept limitations on what companies can do. (For example, no one's civil liberties were violated when Microsoft was forbidden from preferentially bundling IE with Windows).

You could also be talking about the civil liberties associated with dragnet surveillance. However, those violations are not a result of the use of technology, but rather of the surveillance program. They should be regarded in the same fashion as an old-fashioned surveillance program.

The only civil liberty that I can make a convincing argument for being directly relevant is the right to bear arms. [0] Interestingly, in my experience, support for encryption is anti-correlated with support for gun rights (myself included).

[0] Is cryptography still classified as a munition?


> Interestingly, in my experience, support for encryption is anti-correlated with support for gun rights

IMO this shouldn't necessarily be so. I'm not American, but I'm still pretty sure the NRA would welcome crypto enthusiasts ;-)

At least at my local shooting range there are a lot of different people, and possibly the most common trait, other than liking to shoot, is that they aren't convicted of any serious crime :-)


> It is already well established that the government has a right to (under certain conditions) search through your documents and belongings.

The issue is the broadening of those "certain conditions" to eventually become all-inclusive.


For one: I'm talking about the freedom to do what I describe here: https://news.ycombinator.com/item?id=13253207. Without cracking down on the ability to do that, they've achieved nothing on the search warrant front.


They would only need to show that the software they are asking you to unlock does not have the behaviour you describe, which will be easy in the common case of you using default software. If you are using plausibly deniable software, then they could still compel your peers to surrender their passwords, unless everyone involved was using plausibly deniable software.

This would put us back to the pre-dark world where the government had access to all digital records that were not maintained by people with super-human op-sec practices.

Further, even if you do have amazing op-sec, they could still attempt to prove beyond a reasonable doubt that the data is an encrypted message through non-technical means. For example, if they can show that you accessed the alleged data the week before.

Even if there are some cases where, through technical means, one prevents the government access to the data, the number of such cases is still smaller than the number of cases that would be prevented by default encryption.


Right, the idea is you build and distribute a system, such as Signal, built around this concept.

You haven't addressed the civil liberties angle though: should the government be able to make this software illegal? If not, crypto people can design such a system.

Existing warrant processes already get you to the system that you describe, so I don't know why the House would talk about it as some future innovation and change needed, if their goal wasn't to make the system I describe less permitted.


The question is not if the government can make the software you describe illegal. The question is if the government can forbid Apple/Google/Microsoft from making it the default.

Existing warrant processes do not get you to the system I describe, because it is not settled law yet whether or not the government can legally compel you to surrender your key, even in cases where there is no dispute that there is a key.

The fact that there exists hypothetical software that would allow someone to plausibly dispute the existence of the key is not relevant to the above question.


> It is already well established that the government has a right to [...] search through your documents

That's true, but if you hid the documents somewhere the government can't compel you to tell it where the documents are. If you wrote the documents in a secret language the government can't compel you to translate them.


Can this be related to the DNC hack and suspected election tampering by Russia?


Note that this is not purely a House Judiciary Committee working group; as the page header says, it is a joint Judiciary Committee and Energy and Commerce Committee working group.

This is an encouraging sign, as it indicates that interests other than those of law enforcement are being represented.


Will an American explain what the House Judiciary Committee is, what power they have, and whether this paper by them has any impact?


A committee in either house (House of Representatives, usually "The House", and the Senate) is the body that writes laws and sends them to the full chamber for a vote. In doing so, they also research the issues involved, and can conduct investigations and can summon people (including government officials) to testify.

A paper by them does not have any legal force, but it often shapes the views of other members of Congress, and reflects the views of those members who have the most interest in the issues at stake (i.e. the members of the committee).

In this case, both the Judiciary (dealing with both the court system and law enforcement) and Energy and Commerce (dealing with economic issues in a fairly broad sense) committees have a combined working group on encryption, since it affects both their subject areas.


Could they even find a single expert who thought it was possible?


At the risk of invoking the No True Scotsman fallacy: anyone who said it was possible wouldn't be an expert.

(I don't think the fallacy applies here, since the property does correlate, and wasn't arbitrarily selected to redraw the boundary.)


Ehh, while most would agree, I have met biologists who deny evolution. Membership in a club of belief is a powerful source of cognitive dissonance.


I believe it is /technically/ possible that the world could be initialized in such a state that it appears as if evolution occurred when it had instead merely been made to exist in such a state.

That is probably astronomically unlikely, but you don't even really need a 'god' to produce such an outcome. Imagine if an alien race wanted to run a simulation of some sort that was only possible in reality. So they go to the trouble of setting up an entire solar system and planet as their staging ground. It isn't conceptually beyond any possibility, but the effort required is likely beyond my capacity to accurately imagine.

It's so highly unlikely that I don't believe it actually happened, but I cannot say for absolute certain that it didn't.

Given the history of everything, even war-time level efforts to keep secrets, I don't believe anyone could credibly say that any level of override key wouldn't be impossible to leak from /somewhere/.


An omnipotent entity could have initialized the universe (including everyone's memories) one femtosecond ago; one does not obtain actionable information from picking an arbitrary point (e.g., 6000 years ago) for this to have happened.


Which "it" are you talking about? A lot of things are covered in the report.


Merry Christmas, American crypto tinfoil hats. From the summaries I've seen, your govt's attitude to crypto is considerably more enlightened than that of the UK's.

Mind you, aren't most of your state level adversaries in the US above the law anyway? What difference does legislation make when it isn't enforced? Does this report contain any suggestion of penalties for organisations or individuals involved in say, global dragnet surveillance? What provision for oversight is there?


Govt can always demand your private key.


That really smart person, Trump, will make it work. If not, he'll get help from Putin and make it work.



