>Why would we want to design such a system, given that implementing a golden key would be a disaster? ... I think having a good escrow plan ready is better than having none and being forced to design one on the spot.
I disagree with this premise. I think it's dangerous to publicly and unashamedly discuss how to build a broken system like this, because it reduces the cost of performing that design in the future.
For example, if you run an online service, you should spend your time building a system that makes it impossible to spy on your users, not writing an internal procedure that describes how you would spy on your users if someone forced you to.
That said, I think the best argument against escrow for those who trust the FBI is that it will chill innovation and free speech, and push consumers and businesses to purchase from companies that don't do escrow (because they're outside the jurisdiction of whoever does it).
There's a slippery slope argument here as well -- i.e. once built, the natural human desire for convenience will slowly erode security features within the system.
Imagine if someone asked for a way to remotely administer a nuclear power plant over the Internet. It's possible to build a reasonably secure system -- VPN, one-time passwords, company-issued hardware, etc. But security isn't exactly intuitive to a lot of people and there are a bajillion ways to screw this up. So given the dangers involved with a nuclear power plant, the smarter approach is to simply insist that nuclear power plant control systems be air gapped from the rest of the network rather than to figure out a 'good enough' way to secure remote access.
I think the question of how to make something reliably accessible, but very difficult to access covertly is an interesting one.
How about a system where you need n of m pieces of data to obtain a key, for suitably large n < m. Then you can split your key into m subkeys, and give each one to a different trusted third party, who would only reveal the key if presented with a warrant.
Then in order to decrypt the data, the government would have to subpoena, say, 20 out of 40 separate public organizations. It wouldn't be an easy thing to do, so hopefully they wouldn't do it often (and we would know if they did), but in extreme cases where someone's life depends on it, and everyone in the world agrees that it's necessary, it could still be done.
This system could also be made difficult to compromise if every week or so you would generate a new set of subkeys and send them out to the secret keepers, who would then delete the old keys they had for you. Then even if someone got one of the key stores, it would become useless after new keys were sent out, since all the other keys necessary to use it would be permanently deleted. To steal a key, someone would have to compromise all n of the key stores at the same time.
Something like this may even be useful for things that you want to be able to recover yourself. Say I have my bitcoin wallet stored securely on a flash drive, but if I lose it, I can get it back through this method by verifying my identity to say five organizations that I trust. Does anything like this exist already maybe?
I think that could be a reasonable trade-off for some things (especially if it's opt-in!), but in the current environment I more or less expect the NSA to have bugs and/or moles at 40 of those 40 separate organizations. At which point, it devolves to regular "hand your key to the govt" key escrow.
Which side are you on? Seriously - someone (WaPo) brings up a totally unacceptable method and then someone brings up a slightly less unacceptable method. This sounds to me exactly the way some politics scheme works.
"There’s my least worst idea. A per device backup key, split in pieces, stored on paper in underground silos."
Again, no thanks. Any form of key escrow is a backdoor.
The paper really isn't _that_ secure. A large fire in a paper archive is only really a once every 50 years phenomenon, tops. Besides, look at the already-existing boring-as-hell absolutely-paramount-to-nat'l-security nuclear missile program to see the grunts running it will be easy social engineering targets. None of them will care.
Be careful with your wishful thinking.
You want a least worst escrow? How about an escrow where the keys aren't written down. How about you just restrict your salt to N, N+1, .., M and have the TLAs brute force it? Actually trust no one.
Great idea. If the assumption is that only a handful of keys will be needed per year, it is much less expensive to require the government to brute force a key solution than storing and securing all the keys.
Just choose a key strength that costs about $10,000,000 to brute force it, and keep increasing key strength as more efficient methods are found.
How about we design our systems such that Law Enforcement (up to and including the FBI) cannot break into them, and therefore also lock out criminals as well?
That's what I want to see happen. Key escrow/giving law enforcement a foot in the door of our personal lives? No thanks.
"But what about criminals? And TERRORISTS?!"
Law enforcement has already been pretty effective at solving crimes without these capabilities. Statistically, terrorism is a minor risk.
(I would also like this to apply to end-to-end authenticated encryption between parties as well.)
Where does it stop though? FBI, NSA, CIA will all want access. And local LE. And the UK, France & Germany. Then Russia will want it. And with the inroads finally made in China, Apple might have to share or risk being left out of the world's largest market again. Of course the key is completely insecure now and we are left vulnerable to hackers and potential corporate espionage.
The simple truth is that any back door, whether secured with a golden key or not, can be broken into.
Planning such an awful system gives it false legitimacy.
"Look, guys, I'm not saying New Earth Creationism is right; I'm just saying we should have all our scientists talk about it and find arguments in favor of New Earth Creationists."
The proposed scheme would carry substantial expense compared to a single key. If Apple (for example) hosts the escrow keys, then who pays that cost? Who has the right incentives to build a very costly but more secure system?
I'm not saying it wouldn't be a good use of money, but it might make it difficult to build support for the idea. A cheaper solution which preserves much of the security would be to use cryptographic key-sharing rather than physical sharding. The escrow keys would still be created uniquely on a per-device basis, but now Apple, the FBI, and the Justice Department must each provide a fragment of the key. Perhaps the system could be designed to release keys only when provided with a valid warrant requesting a specific key... but this would probably require warrants to be better digitized.
> The proposed scheme would carry substantial expense compared to a single key. If Apple (for example) hosts the escrow keys, then who pays that cost? Who has the right incentives to build a very costly but more secure system?
I understood that was the whole point.
If you're going to build a key escrow mechanism that isn't prone to universal, zero-effort abuse, there are going to be all kinds of external factors that need to be considered.
Ted's article lays out the requirements to show just how bad the idea of key escrow is, including the measures that would be necessary to make it acceptably insecure. (Key escrow is - and remains - defective by design.)
I love the approach that some perspectives consider this a problem waiting for a solution so we should at least try to be inventive and consider possibilities. The problem is everything about this is contingent upon perspective and there are too many to have a solution that captures all concerns. When your category is "Every Person In The World", or the not-so-tiny pool that is "Apple Customers", the only solution that fits all would be one that empowers the individual because it shifts off the burden of competing perspectives.
The problem is compounded by the fact a golden key scenario only works with the current web services model we've become dependent upon. What happens when encryption is the default everywhere all the time and computation is performed by blind services or smart contracts mapped together over a trustless network a la bitcoin style? Everything about the experience could feel the same with the exception being control over your data is shifted from a third party to you.
One possible solution would be to establish computational governance. At least at that point you have a communal opt-in which gets you away from the problem of perspective. In the same way all motorists agree to a set of rules for a given area, you could be given access to use services if you agree to a set of policies. One such policy would be to have access to your data shared to a third party if a reasonable process is followed (a dumb example would be if a majority of your peers agree that you should be investigated). Probably another can of worms but at least then we're operating from a workable premise.
None of this matters. If (when) Apple/Google choose or are forced to implement backdoors, then smart people that care about privacy will confine their communications to apps that do not have them. Apps also have the added benefit of not exposing activities to phone companies that will readily turn records over to law enforcement. Even a simple web chat app accessed via Tor browser on a mobile device would bypass nearly all of our concerns about backdoors, pen registers, etc.
I'm surprised how infrequently this is viewed from the monetary position. We would embargo a phone with a known back door for China's law enforcement because we tend not to trust their government. Similarly, nobody trusts ours. A law requiring unfettered US government access to US designed hardware would possibly remove us from that sector of the global economy.
[+] [-] aftbit|11 years ago|reply
[+] [-] andrewfong|11 years ago|reply
[+] [-] dullcrisp|11 years ago|reply
[+] [-] anon4|11 years ago|reply
It's really neat, actually, and can be efficiently and easily implemented just going from Wikipedia's description.
[+] [-] dllthomas|11 years ago|reply
[+] [-] spacefight|11 years ago|reply
[+] [-] arh68|11 years ago|reply
[+] [-] mckoss|11 years ago|reply
[+] [-] sarciszewski|11 years ago|reply
[+] [-] cma|11 years ago|reply
[+] [-] jdechko|11 years ago|reply
[+] [-] natch|11 years ago|reply
[+] [-] wyager|11 years ago|reply
[+] [-] natch|11 years ago|reply
It's not well written.
It doesn't propose a good system.
And yet sadly it succeeds in advancing the bad side of the argument, just by spreading FUD.
[+] [-] titanomachy|11 years ago|reply
[+] [-] bostik|11 years ago|reply
[+] [-] rabbyte|11 years ago|reply
[+] [-] alricb|11 years ago|reply
[+] [-] downandout|11 years ago|reply
[+] [-] inlined|11 years ago|reply
[+] [-] bren2013|11 years ago|reply
[+] [-] unknown|11 years ago|reply
[deleted]
[+] [-] natch|11 years ago|reply
No, let's not.
Key escrow is the magical happy pill for people who think that governments and other "trusted" organizations are incapable of:
* creating bad laws
* harboring rogue officials
* making mistakes
* becoming tyrannical, dictatorial, abusive, or corrupt
[+] [-] pronoiac|11 years ago|reply