I really sort of expected that by the time I reached my age that we'd have more policy makers that understood tech a little better. I feel like in the last say 25 or more years ... the needle hasn't moved.
This article is explicitly about how J.D. Vance (age 40) & others at the White House are forcefully advocating for preserving E2E encryption. Arguably not for the right reasons, but still.
I'm not sure what you mean by "more" but what you are asking for is in fact happening.
The U.S. also attempted to force Apple to add a back door just a decade ago.
> Tim Cook, the C.E.O. of Apple, which has been ordered to help the F.B.I. get into the cell phone of the San Bernardino shooters, wrote in an angry open letter this week that "the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create." The second part of that formulation has rightly received a great deal of attention: Should a back door be built into devices that are used for encrypted communications?
Apple has since confirmed in a statement provided to Ars that the US federal government "prohibited" the company "from sharing any information," but now that Wyden has outed the feds, Apple has updated its transparency reporting and will "detail these kinds of requests" in a separate section on push notifications in its next report.
Apple's hidden at least one warrantless backdoor in their systems for the purpose of federal surveillance. I have no reason to believe the exploitation stops there.
Apple and Google had no choice but to comply with the National Security Letters demanding access to users' push notification data.
They also can't refuse to comply with warrants demanding any such unencrypted data that is stored on their servers.
That's not the same thing as adding a back door to allow access to encrypted user data that is stored on the user's device.
It's also different than storing encrypted user data on your server, when you have purposefully designed a system where you don't have access to the user's encryption key.
Encrypted user data backup is the feature that Apple disabled access to in the UK rather than comply with the order to insert a back door in the OS.
To clarify: When you get an NSL, not only is it impossible to refuse and stay in business, it is also impossible to talk about it. That's the scary bit.
Certainly. At least with a normal warrant you can publicly speak out and notify the user(s) involved.
I would also point out that it was Senator Wyden who initially informed the public of how much the government was already spying on their unencrypted communications.
You'd better hope you're right. Nobody is auditing Apple who can hold them accountable. The lack of transparency is how we ended up on this slippery slope in the first place.
Good security models typically don't hinge on being lucky.
You need to think about what they don’t say with these matters.
He said Apple does not have and won’t create a backdoor. That was well crafted and means exactly what he said, any implicit meaning is an artifact of your brain.
I might postulate that while Rhubarb LTD absolutely doesn't hold and will never create a backdoor, Celery Inc does. Ignore the fact that Celery is staffed by some of Rhubarb's senior engineers working part time. Ignore the fact Celery are contracted to do security assessments so have access to all the source code, radio firmware and schematics...
I absolutely don't actually know anything about Apple, but I've seen some of the ways even small companies legally split themselves up to avoid tax or various forms of liability. Multiple phone numbers to the same phone, multiple domains and email providers to the same laptop. Multiple denials that you've ever heard of the other company let alone happen to share the same office space...
There's a massive difference between a truthful statement and an honest one; anyone that works with code should understand that.
I don't think anyone's surprised by that. Our emails have literally been used to target ads at us since like 2006. Cell phone carriers are happy to mine voicemail, call logs, SMS, etc. in the hopes of finding a revenue stream that doesn't involve them having to do irritating work like running fiber to cell phone towers.
This leaves contact mining as the odd one out, but given how many apps want to see your contacts, you know that those are being sold by at least one of those apps.
None of this stuff has ever been end-to-end encrypted, so there can't be any way people expect it to be private.
That's not a revenue stream at any cell phone carrier I've seen. They do what they are legally obliged to do, and while they do get paid for it, it's a fraction of the actual cost of providing the data. The state tends to drive a hell of a bargain. The service providers, such as Facebook, Google and Apple though, that's entirely different.
Emails and GSM calls yes, obviously. But e.g. Signal communications? You need a Pegasus-tier exploit for that, which means that unless you're high profile enough you should be safe.
Extraordinary claims require extraordinary evidence. If you really have access to secret information of that significance and you really are under an NDA that prohibits you from talking about it then why are you casually posting innuendo about it on HN?
To point out that your data isn't safe from law enforcement. Quite the contrary. I think everyone should be aware of the state we are in. And while I can't go into detail about how I know, I want others to be aware that anything on their devices is fair game. Nowadays, with or without a warrant. Three letter agencies are operating with impunity. Using this very tech.
Again - extraordinary claims require extraordinary evidence.
It's no secret that there are groups actively looking for new exploits and that sometimes vulnerabilities are discovered that become zero days. It's a good bet that police and security services take an active interest in those vulnerabilities when they are found.
But that's very different to claiming the police can easily unlock any device any time they want to and there is a range of private companies around who provide that service to them.
It's not extraordinary at all. Ron Wyden, a US Senator subject to special briefings, basically repeated the same thing when asked about federal backdoors:
"As with all of the other information these companies store for or about their users, because Apple and Google deliver push notification data, they can be secretly compelled by governments to hand over this information," Wyden wrote.
Push notifications for e2e messaging apps carry e2e encrypted payload, which can’t be decrypted unless Apple reads the private keys from those apps sandboxes…
That document appears to be over 4 years old, predating the availability of Apple's Advanced Data Protection system that claims to provide proper E2EE on most iCloud back-ups. The latter was controversially the subject of a specific legal attack by the British government using the Investigatory Powers Act resulting in Apple withdrawing the feature entirely from the UK market rather than compromise the security of their system - according to public reports anyway. Before ADP much of the data stored in iCloud backups was not fully end-to-end encrypted and Apple itself did not claim otherwise.
I'm going to assume they are referring to any cloud backups of said devices. Since they are stored on servers managed by not you and are unencrypted, able to be accessed for "national security reasons".
There is nothing extraordinary about a claim that multiple commercial organisations routinely and reliably defeat the security of modern devices on behalf of law enforcement - something that would clearly undermine numerous public claims about the security and privacy of those devices made by their manufacturer? You and I have very different ideas of what is extraordinary!
Multiple vendors advertise and sell devices and software to crack iPhones, they have for years. In the US, any decent size city or county sheriff has access to one. State level forensics labs probably have several types.
The manufacturer provides the means to bypass many of the cheaper tools, but few people use them.
There are more exotic tools that can bypass security controls. These are more niche and not generally available to law enforcement. There may be some crossover when counter-intelligence interfaces with law enforcement (i.e., FBI, DEA, RCMP, ICE, etc.).
There are a lot of things that are publicly known but if he's signed an NDA he can't point at them or acknowledge their authenticity. Anyway Pegasus isn't even the correct ballpark lol.
Just about every confidentiality clause or NDA I've ever signed had a provision specifically excluding information independently in the public domain from its scope. I find it strange to the point of lacking credibility that someone working in a security-related field would have an NDA that required them to pretend to ignore even public domain information yet permitted them to post the kind of innuendo seen in this discussion.
Why should I disclose public domain knowledge when it’s public? The whole point was to point out there’s ways that aren’t public being used.
Believe it or not, I actually care about privacy. Innuendo is not my intent, no maliciousness here, only stating there are programs that have access to your data. Telegram/Signal/Encrypted or not. They don’t need access to your device. Only access to the Internet.
> The whole point was to point out there’s ways that aren’t public being used.
For which you have provided not a shred of evidence here beyond the same type of innuendo you've been posting all along - even while implying that some of this is public knowledge that you could therefore cite to establish at least some credibility.
Your claims in combination appear to require that the technical foundation on which almost all serious security on Apple devices is built must be fundamentally flawed and yet somehow this hasn't leaked. That's like saying someone found an efficient solution to the discrete logarithm problem and it's in widespread use among the intelligence community but no-one outside has realised. It's theoretically possible but the chance of something so big staying secret for very long is tiny.
As I said before - extraordinary claims require extraordinary evidence. Thank you for the discussion but there seems little reason to continue it unless you're able to provide some.
Pretty sure no NDA ever says it's forbidden to discuss the subject of the agreement, but cute little internet innuendos whispered from behind a coy little fan are ok.
I mean Cellebrite has been a public name for a long time now, and LEO pays for that and similar devices which basically launder zero days and physical exploits to get your stuff.
The position of the US executive on encryption can easily shift depending on who holds the presidency and certain cabinet positions. I'm not sure the Trump administration actually has a coherent position on the subject.
> I'm not sure the Trump administration actually has a coherent position
That seems to be the most salient property of his presidency. His position on any issue is whatever he just said, with no regard to what it might have been yesterday.
For anyone that wants a good (and fair) example of this, check out his positions on the debt ceiling going back to 2012 (and then on every time it's come up since). When he isn't in power raising the debt ceiling is Unamerican, a political ploy and bad. When he is in power, it should be scrapped entirely and should be above politics. He was remarkably frank about it in an interview a year or two ago when he was running for president: when he was pressed by the interviewer about the flip-flop, he smiled and said approximately "I wasn't running for president back then."
> When he isn't in power raising the debt ceiling is Unamerican, a political ploy and bad. When he is in power, it should be scrapped entirely and should be above politics.
It's too bad that when he is in power he does not actually make the latter happen, because it should be scrapped entirely.
The only other country with a debt limit set in an absolute amount rather than as a percentage of GDP is Denmark, and they sensibly have set theirs far above their actual debt so it becomes just a legal formality rather than a policy tool.
The problem with it in the US is that the debt ceiling limits government borrowing to pay for debts that have already been incurred. It doesn't control the amount of spending or the deficit--that is controlled by the budget that Congress and the President approve.
If we can't just scrap it completely, then at least the budget process should be changed so every budget bill must be accompanied by a raise of the debt ceiling by enough to cover whatever extra debt that budget will be adding.
Having observed this for a lifetime, and simultaneously watching the democrats be unable to call out the switch is so incredibly disheartening. It's like watching a cat playing with a mouse before it kills it.
Hey, even the worst person in the world is owed their right to privacy. Determining if someone is doing evil with their right necessarily undermines privacy for everyone.
I'm sure the police can catch child abusers the old fashioned way: by infiltrating cp networks and posing as kids online. This snooper's charter is in fact overreach and an invitation to build something like the Stasi.
If we devoted half the resources to catching child abusers as we do to stop people from getting high after work, we'd have a whole hell of a lot fewer abused children. But, priorities!
> If we devoted half the resources to catching child abusers as we do to stop people from getting high after work, we'd have a whole hell of a lot fewer abused children.
There are two problems here:
(1) We devote more resources to catching child abusers. There are all kinds of legal "if you see something, say something" requirements that make every doctor, nurse, and schoolteacher in the country part of the effort to do this.
(2) I see no particular reason to believe that additional resources would lead to a noticeable increase in detections. There are many, many circumstances where you're free to devote double the resources to something, but you'll see at best a trivial improvement in results.
> We devote more resources to catching child abusers.
You make this statement but provide no evidence. Because there's laws on the books, we "devote more resource" than, say the entire DEA, which unlike these laws has a gargantuan budget? That's nonsense.
> I see no particular reason to believe that additional resources would lead to a noticeable increase in detections.
Look harder? Read up on the topic? Sting operations work. More would work more often and catch more abusers.
Let alone the resources we could be pouring into children's mental health services (instead of kicking families off health insurance like the current administration has accomplished).
> In a combative speech at the Munich Security Conference in February, Vance argued that free speech and democracy were threatened by European elites.
> Trump has also been critical of the UK stance on encryption. The US president has likened the UK’s order to Apple to “something... that you hear about with China,” saying in February that he had told Starmer: “You can’t do this.”
> US Director of National Intelligence Tulsi Gabbard has also suggested the order would be an “egregious violation” of Americans’ privacy that risked breaching the two countries’ data agreement.
UK has a history of pushing this - OP probably referring to efforts by the Brits to put backdoors in comm standards like GSM and others back in the 80's and 90's.
It's possible that their advocacy is well thought out but not based on the stated reasons. Say, Apple is actually under the control of the NSA and there are hidden back doors in the form of exploitable weaknesses as per Crypto AG. Then preventing the introduction of public backdoors would preserve the value of the current setup where Apple is widely considered trustworthy with respect to their customers.
He's proven himself to be more of an asshat than I'd hoped (see the Zelenskyy meeting), but he did come up in Silicon Valley venture capital. There's a lot about this administration that causes concern, but I'm glad to see him on the right side of encryption.
Because Vance and his colleagues are breaking federal law for the retention of government records, and as long as they don’t invite any more journalists into the group chat they will get away with it.
They're arguing with foreign countries. Meanwhile the federal government is continuously working to consolidate all data available under groups like DODGE or ICE or Palantir. Arguing to preserve a tech in a given situation but with other goals ... not sure the first part matters at that point.
Perhaps he likes the idea of E2E, but just for himself and his friends. I dunno, but whatever it is, it's not about the important things after the fact.
While Palantir is a private company and shouldn’t have access to government data, why shouldn’t in theory all government data be accessible to the government?
DOGE is clearly operating illegally for other reasons - not distributing funds that were appropriated by Congress, for instance. But data sharing isn’t the root issue. It’s spineless Republicans in Congress and a sycophantic Supreme Court.
And it’s possible to say both that if you are here illegally you should be deported and that it’s currently being driven by animus and cruelty, and that it should be easier to obtain legal residency, especially in areas where we do need more workers, and implement another program like Reagan did in the 80s.
Different data requires different access controls, and government agencies that collect / deal with a given piece of data on a regular basis are equipped to enforce those access controls.
You don't want your local dog catcher to be able to look at your medicare records just because "he's the government, and medicare records are government data".
> While Palantir is a private company and shouldn’t have access to government data, why shouldn’t in theory all government data be accessible to the government?
Shouldn't everybody have access to government data, with a few exceptions?
I feel like you answered much of your own questions.
Beyond that, many of the departments that this data is being extracted from have rules about who can access it (no, not everyone in the IRS has free rein) and what they can do with it. For good reason: the IRS's job is to focus on what the law says they should do, not, say, punish political enemies and so on.
But transfer it to DODGE, ICE, Palantir, there are no laws at all regarding what they can do with that data.
I think this is a very dangerous deception. They understand.
When politicians say "we need a special key for police to stop child abuse" it's not that they don't know this means "a backdoor with no technological way to limit its use". On the contrary, they know it very well and it's exactly what they want to achieve under the guise of children protection. It's the public at large that don't understand it -- or so they hope.
Sadly, UK Parliament is made up of political careerists and art students, which is probably similar to most Western democracies. There's a saying 'those who can do, those who can't teach', it probably needs a final 'and those that can't teach, go into politics'.
Every time ukgov tries to make some sort of tech policy, it's embarrassingly wrong, or naive, or both.
This comes from a country that effectively gave away ARM.
I'm a principal software engineer with a degree in history. You don't need a science degree to understand most of these issues sufficiently to legislate them. But you need humility and a willingness to learn. That, sadly, is lacking in too many governments and civil services.
Also, the people pushing for these measures (e.g., the U.K.'s equivalent of the NSA, GCHQ and most national-level police departments) understand these issues perfectly well.
> Also, the people pushing for these measures (e.g., the U.K.'s equivalent of the NSA, GCHQ and most national-level police departments) understand these issues perfectly well.
Surely some of them understand the technical details. That doesn't necessarily mean they understand or respect the wider implications of a policy. This is why it's important to have a government that sets policy - taking into account all of the competing influences and potential consequences - and politically neutral technicians who then implement government policy.
No-one would dispute that if the government could examine every communication everyone ever sends then it could catch more very bad people and prevent more harm to innocent people. The problem is all the other stuff that also happens if you give a government that kind of power over its own people.
The leader of the opposition studied computer engineering (before going on to law). Sadly she used the knowledge gained to hack the website of the deputy leader of Labour Party.
I don't think it is a matter of really understanding the tech. It has to do more about how you envision the society regarding privacy and individual rights. It is indeed a political point of view on how much you want to control everything.
The people in office now were already old by the time the Internet and especially Mobile took off.
But it’s not like many young adults today who grew up with mobile phones understand computers either. At 51, growing up with computers in the 80s, I find myself explaining what I think should be simple computer concepts to both my parents' generation and my adult children.
My 80 year old mom is not a stereotypical old person who doesn’t know how to use a computer. She is a retired math teacher and has actively been using computers since we had an Apple //e in the house running AppleWorks in the mid 80s.
When she was tutoring teenagers mostly as volunteer work after she retired, she had to teach them how to use Office/Gsuite.
There was a very idealistic move in education to believe that younger students would be "digital natives" and self-taught on typing, computer programs, etc. So we deemphasized classes on this, and now kids grow up on consumption-oriented devices and can't type again. So it goes in circles I guess.
Optimistic is probably the kindest, yeah. I don't think it was strictly a bad argument - it was easy to think of the classes as outdated and taught by a generation who knew less than the students. It just turned out to be a very short state of affairs. Hard to expect schools to have predicted the iPhone, right?
Sure he can. In an ideal world (from the US gov't's perspective), all communications everywhere would be encrypted, and only they'd have the workarounds to access the data anyway.
I'm not being sarcastic. For real, what major government wouldn't want that in their favor?
They care about maybe a maximum of five having that access, and I'm sure they realize that #1 on that list (PRC) won't need much time to become a peer on any given technology.
They're just against EU asserting any kind of control over American companies.
Reminder that he's funded by Thiel and friends with Curtis Yarvin, whose goals include the end of democracy and the federal state and replacing the system with tech CEO kings over feudal states.
I feel like the federal government continuously consolidating all data available under groups like DODGE or ICE or Palantir is about as anti privacy as it gets.
I don't think it's that nefarious. I mean, for some of them it might be, but for MOST of them they see a "law & order" issue that will resonate with stupid people ("cops can't get access to terrorist data / child molester info / human trafficking communications!"), and they just run with it without regard to downstream effects.
It has always been politics, not technology. Politicians and bureaucrats always want more power, and they rarely relinquish power they gained temporarily.
It has nothing to do with their technical knowledge. It has everything to do with human nature.
If you want to push back, the law is not on your side.
We've had a serious problem with policy-making in this country for a loooooong time, stretching right back to when RIPA was drafted, nearly three decades ago.
I think the ironic thing is that although everyone uses powerful technology on a practically constant basis, it is sooooo much more complicated that less and less people have even a clue. How many adults would know how to change their oil today versus back in the 70s? Changing spark plugs used to be a 30 minute task but now you have to take apart half the engine just to even gain access. Even those of us who make our living in tech are not immune. How would we verify that there isn't spyware or similar in the firmware or hardware on the computer we use daily?
I thought this too, but I think we misunderstood the extent to which various calls for censoring and regulating the internet were driven by a lack of understanding of the technology...
The scary thing about the UK regulators is that they seem to understand the stupidity of what they're doing, but believe it's worth it. You see this attitude everywhere in the UK – in our hate speech laws, our blasphemy laws, mass surveillance – the argument isn't that these things don't limit freedom and personal privacy. They'll agree that they do, their argument is that you shouldn't care.
With this encryption backdoor most wouldn't deny that it could be compromised, they just didn't think you should worry about it because they thought the benefits were worth it.
I think people on the internet in the 90s and early 00s were just weird people to be honest. We're very libertarian for whatever reason, and we wrongly assumed people our age were all as pro-freedom as us.
Policy makers change frequently and often radically. Federal lawmakers less so, but lawmakers are a small subset of policymakers, and not the ones who create international pressure; those are political appointees in the executive branch, and they change frequently.
> before we started getting people who know tech
The politicians might not know tech, but the NSA, GCHQ, etc. that push for these anti-encryption laws most definitely do know technology, and are the main lobby against encryption.
It goes beyond just getting politicians that understand tech. We need politicians willing to rein in the intelligence apparatus and put in safeguards, and checks and balances on their power.
I mean, yes many policymakers still struggle with the nuances of modern tech, but claiming that "the needle hasn't moved" in 25 years is an exaggeration. In the late 90s/early 2000s, encryption debates featured lawmakers who barely understood email. Since then, there are committees focused specifically on tech policy, even some lawmakers with backgrounds in CS or cybersecurity... and far more nuanced public debates about encryption, surveillance, and privacy.
I recently listened to some clips from a hearing with questions about zero-knowledge proofs, algorithmic transparency, etc... this was pretty unthinkable two decades ago. Some agencies and legislative bodies also now have technical staffers and some advisory boards with technologists. So, yeah, it is slow and sometimes frustrating, but it's not static.
They understand the tech and so do their advisers. You are assuming they want to do some do-gooding in some sort of naive and clumsy manner. No. They want control and they know perfectly well the implications.
I don't see why you think they don't understand the tech.
This is going to be heresy here, but honestly I think it's a reasonable position. Not one I would take, but reasonable.
For the first time in human history there can be large scale communication it is mathematically impossible for governments to have any access to. If you believe that governments are doing the job of protecting their citizens (and many do), it's entirely reasonable for them to want this type of access.
They have it with the postal service, and analogue phones and the world didn't collapse, and many criminals got caught.
But also for the first time in human history, it's possible to do large-scale surveillance without large-scale human effort. The power of the network goes both ways.
Phone wiretapping (until recently I suppose) and mail inspection required a human to take some action to listen in; you couldn't just monitor everyone's communications. Now you can.
I agree, there are many complex issues involved here. But I get annoyed at tech people (not saying you!) that it is self-evident that any kind of law enforcement methods of access is obviously wrong.
> I get annoyed at tech people (not saying you!) that it is self-evident that any kind of law enforcement methods of access is obviously wrong.
I don't think anybody is saying that the motivations are bad. We all want safety, right?
The closest thing I hear is, they feel that the cons often outweigh the pros. I think this correlates with their trust in authorities, given the countless abuses we see authorities perpetrating when granted power.
There's a reason "think of the children!" is literally a joke mocking safety-based pretexts for reductions in rights.
The analogue systems had fundamental limits on how many people could be surveilled, and still we had abuses of the system. The digital system makes you choose between "surveil absolutely everyone all of the time" and "surveil nobody".
Note that you mention the postal service. Remember the Horizon Post Office scandal, where there was a huge swathe of wrongful prosecutions?
Your subtle idea that the comprehension and understanding is the shortcoming of political apparatus overlooks the million issues such as basic healthcare not being addressed. The problem is not understanding, I can assure you of that.
In the distant past technical skill and knowledge was increasing as more and more people used personal computers. Then Steve Jobs invented the smartphone. This caused the world to get dumber and dumber.
> Then Steve Jobs invented the smartphone. This caused the world to get dumber and dumber.
Preposterous. Did the invention of the calculator make people dumber? A smartphone is another tool. Not Steve Jobs's fault people use it for TikTok or gooning instead of studying programming, math, medicine or whatever. Stupid people are gonna be stupid with or without smartphones.
Plus, we already had smartphones before Jobs; they were Palm OS, Windows Mobile or Symbian based.
It’s a difference in kind I think. Creation of any type of work - art, writing, programming, modeling, deep research, etc is much more accessible on a PC than on a smartphone. Not only because of the input devices available, but also the restrictions of the platform and OS.
Maybe it wasn’t intentional, but the form factor of the modern smartphone discourages creation.
When I was a young child me and all my friends would “use the PC together” just to open MSPaint and create shitty drawings. I don’t see anything similar today.
Sitting around in a room taking photos and videos is a lot less creative than drawing. It's possible to do strongly creative photo/video things with a phone but it's not most of the use.
If you make a list of creative activities that can be done on a computer or phone, a big majority are notably harder to do on a phone.
Imagining something that you want to create is something anyone can (and does) do all the time.
Spending time learning how to actually create it, and then actually creating it is what makes someone an artist.
The children's "own way of creation", in your own words is to imagine what they want to create, and then ask something else to try doing what they want. If it's not what they want they complain and ask the system to try again.
I wouldn't be called an artist if I imagined a picture of myself riding a dragon, and then proceeded to commission a painting of that. Asking someone else to do the thing for you isn't being creative. It's being lazy. It's not making art "accessible". They couldn't do art before, and they still can't now. They just believe they can, just because they can "bark out an order at a slave".
> Spending time learning how to actually create it, and then actually creating it is what makes someone an artist.
Says who? Someone sold a white canvas with a banana taped to it, that a toddler could have done in 3 minutes. What's there to learn to do something like that?
> I wouldn't be called an artist
Pretty sure people do whatever they enjoy doing, and they don't give a f if some pretentious people call them artists or not.
This comment is a very narrow and elitist PoV, focusing on art specifically, which is a thing a lot of people would struggle to define, and also has nothing to do with the topic of using computers, since most people don't use computers for art but to make their lives easier, more efficient and more fun.