---------- Forwarded message ---------- From: Henry Baker <hbaker1@pipeline.com> Date: Thu, Sep 17, 2015 at 1:15 PM Subject: [Cryptography] FBI: Weaker Encryption Is a Worthwhile Tradeoff for Law Enforcement Access to Data To: cryptography@metzdowd.com FYI -- Easy for the FBI to say; they're not on the hook for potentially billions in damages from any breach. (Leaving aside the egregious Constitutional violations.) http://www.nationaljournal.com/s/72407/fbi-weaker-encryption-is-worthwhile-t... FBI: Weaker Encryption Is a Worthwhile Tradeoff for Law Enforcement Access to Data Government officials sparred with privacy advocates over encryption, but acknowledged that “back doors” come with risks of intrusion. Kaveh Waddell @kavehewaddell September 15, 2015 The Justice Department and the FBI are continuing their campaign to convince the tech community and the public that weakening encryption to allow law enforcement to access encrypted communications and data has its risks, but that the drawbacks are outweighed by the security advantages. Amy Hess, the executive assistant director of FBI’s science and technology branch, said at a Christian Science Monitor discussion that allowing access to encrypted messages to anyone other than the sender or the receiver comes with “some risk” of intrusion. But because law enforcement must be able to read encrypted data and communication to do its job, the risk of third-party access is acceptable, Hess said, as long as it is minimized. The Justice Department—-and especially the FBI—-has clashed with the technology community over the agency’s demands that online platforms stay away from encryption practices that keep data private even from the platforms themselves. If the communications service cannot access the data sent across its servers, it cannot turn the data over to law enforcement. Law enforcement has called on tech companies to take the lead in developing an encryption standard that is both secure and accessible to authorities upon request. Last week, FBI Director James Comey said technology experts just need to “try harder” to find a solution. But experts maintain that such a standard is impossible to achieve, because any third-party key for unlocking encrypted data—-even if reserved for extreme circumstances—-will be vulnerable to hackers. A company that builds vulnerabilities into its encryption becomes an attractive target of attack to foreign governments, criminal hackers, and “drooling teenagers in basements,” said Matt Blaze, a noted cryptography expert and professor at the University of Pennsylvania. Because companies are increasingly turning to stronger encryption, the FBI is running out of tools to fight crime, Hess said Tuesday. A request for a wiretap—-one of the most powerful surveillance tools available to the FBI—-is a long and complicated process that requires an agent to supply an extensive affidavit stating that every less-intrusive method of surveillance had already been considered or applied, according to Kiran Raj, Senior Counsel to the Deputy Attorney General. But Hess said FBI agents will not apply for wiretaps if they think a suspect is using encrypted communication, because they are not willing to expend the time and cost of crafting the request if the odds of its success are slim. The FBI’s claim was largely met with a shrug from privacy advocates. “A warrant is not a right that the government has to get data,” said Jon Callas, CEO of Silent Circle, a company that builds encrypted communications platforms. “It is a right to perform a search, to attempt to get the data, and there may be a lot of reasons why it can’t get to it.” But even as privacy advocates clashed with law enforcement officials onstage over the form encryption should take in the tech community, the groups said they both have the same objective—security—in mind. “The polarization of this debate is really harmful,” Blaze said. “I think that in terms of the end goals, there’s a lot more common ground here than maybe the debate lets on.” _______________________________________________ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography