There are some interesting ways around government crypto restrictions.
Ciphersaber [1] is designed so that you can memorize how to write a program to
implement it. Bruce Schneier proposed Solitaire, [2] which is designed to be
carried out with playing cards rather than on a computer. (Later, Paul Crowley
discovered some weaknesses [3] in Solitaire.) Diceware [4] is a method of
generating secure passphrases with (you guessed it) regular dice.
The history here is non-intuitive; I'll try to explain it. I was living in DC during the Crypto Wars of the late 1990s and covering them as a reporter (I've since shifted to working on http://recent.io/, of course).
The SAFE Act as originally introduced in the House of Representatives was designed to be generally pro-crypto by relaxing export controls. But as it made its way through the various committees, the anti-crypto forces got their hands on it and turned it on its head. It became a ban-non-backdoored-crypto bill instead.
More precisely, in 1997, a House committee approved a ban on domestic encryption without backdoors for .gov access. Here's an excerpt from the amended anti-crypto version of the SAFE Act:
"After January 31, 2000, it shall be unlawful for any person to manufacture for distribution, distribute, or import encryption products intended for sale or use in the United States, unless that product [...] permits immediate decryption of the encrypted data..."
Here's how one of the anti-crypto politicos, Rep. Bill McCollum, who went on to be Florida's attorney general, justified it while debating the House Judiciary version of that bill:
"Because this bill will promote greater use of stronger encryption, law enforcement may not be able to gather evidence that it can use to investigate and prosecute cases. Imagine a situation where the police with a search warrant seize the computer of a terrorist but cannot decrypt the list of people and places that he intends to strike next. Or the situation where the police seize the computer of a purveyor of child pornography but cannot decrypt the files to download the images to prosecute him."http://www.techlawjournal.com/cong106/encrypt/19990324mcc.ht...
So yes, you're right that sec. 2804 in one version of SAFE eliminates mandated key escrow. But other versions, including the one approved by that House committee in 1997, went exactly in the opposite direction.
Section 2804 refers to products manufactured and used in the US. But section 2803 is pretty clear:
"New section 2803 will make it unlawful after January 31, 2000, to sell in interstate or foreign commerce any encryption product that does not provide duly authorized persons an immediate access to plaintext capability, or immediate decryption capability."
and
"Sec. 2803. Unlawful sale of encryption
Whoever, after January 31, 2000, sells in interstate or foreign commerce any encryption product that does not include features or functions permitting duly authorized persons immediate access to plaintext or immediate decryption capabilities shall be imprisoned for not more than 5 years, fined under this title, or both."
I don't know what this document is, or what it's relevance is, but that was my reading.
A telecommunications carrier shall not be responsible for decrypting, or ensuring the government’s ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication."
"18 U.S. Code § 2703 - Required disclosure of customer communications or records
(a) Contents of Wire or Electronic Communications in Electronic Storage.— A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) by a court of competent jurisdiction. A governmental entity may require the disclosure by a provider of electronic communications services of the contents of a wire or electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days by the means available under subsection (b) of this section.
(b) Contents of Wire or Electronic Communications in a Remote Computing Service.—
...
(c) Records Concerning Electronic Communication Service or Remote Computing Service.
The first statute you're quoting, 47 USC 1002, was part of the 1994 CALEA legislation. A basic principle of legal interpretation is that newer laws trump old ones if that is clearly the legislative intent.
So if the 1997 ban-strong-crypto bill had been enacted, it would have overriden that portion of CALEA -- effectively repealing it -- to the extent it was in conflict.
Put another way, if Congress has the power to say X one year, they typically have the power to say not(X) the next year.
Could someone please post a comment or link on the state of constitutional protection for strong encryption?
I think I've read that the courts have ruled that dissemination and use of strong crypto algorithms is protected by the First Amendment, but I'm not sure of that.
Many are quick to jump and state that we should all have 100% privacy, and that governments should not look into our communications. At the same time we are asking for the government to protect us. Something like 9-11 happens and we blame our national security officials. Something like the Boston Marathon happens and we do the same.
At some point we have to choose: Natural Freedom or Societal Freedom, but we cannot have both.
I for one believe that we should TRULY consider recording every message we send/receive.
We should have a very high threshold for using these communications against people, and making sure they can only be used for matters of the people's security.
> Something like 9-11 happens and we blame our national security officials. Something like the Boston Marathon happens and we do the same.
Lots of people might, but a lot of the younger generation most certainly doesn't - these are black swan events. Given that they don't happen more often, I'd say the Government have more than enough power - you can't stop 100% of terrorism, just like you can't stop 100% of crime.
> We should have a very high threshold for using these communications against people, and making sure they can only be used for matters of the people's security.
We already have laws which empower the Government with additional powers in cases of "national security". The result? Suddenly, drug busts are national security.
Now, that's not to say the Government should not have some well-thought-out powers to combat terrorism if they actually need them. What they have now, and what you are proposing, is not well-thought-out.
I am baffled as to why you think a criminal or terrorist would follow the rules set forth by the US Congress and not use unbreakable encryption in their communications. The only people that would be successfully watched would be law-abiding engineers of products and law-abiding users of those products.
[+] [-] cogburnd02|11 years ago|reply
[1] http://ciphersaber.gurus.org/
[2] https://www.schneier.com/solitaire.html
[3] http://www.ciphergoth.org/crypto/solitaire/
[4] http://world.std.com/~reinhold/diceware.html
[+] [-] tbrake|11 years ago|reply
http://www.gpo.gov/fdsys/pkg/BILLS-106hr850rh/pdf/BILLS-106h...
[+] [-] declan|11 years ago|reply
The SAFE Act as originally introduced in the House of Representatives was designed to be generally pro-crypto by relaxing export controls. But as it made its way through the various committees, the anti-crypto forces got their hands on it and turned it on its head. It became a ban-non-backdoored-crypto bill instead.
More precisely, in 1997, a House committee approved a ban on domestic encryption without backdoors for .gov access. Here's an excerpt from the amended anti-crypto version of the SAFE Act:
"After January 31, 2000, it shall be unlawful for any person to manufacture for distribution, distribute, or import encryption products intended for sale or use in the United States, unless that product [...] permits immediate decryption of the encrypted data..."
Here's how one of the anti-crypto politicos, Rep. Bill McCollum, who went on to be Florida's attorney general, justified it while debating the House Judiciary version of that bill:
"Because this bill will promote greater use of stronger encryption, law enforcement may not be able to gather evidence that it can use to investigate and prosecute cases. Imagine a situation where the police with a search warrant seize the computer of a terrorist but cannot decrypt the list of people and places that he intends to strike next. Or the situation where the police seize the computer of a purveyor of child pornography but cannot decrypt the files to download the images to prosecute him." http://www.techlawjournal.com/cong106/encrypt/19990324mcc.ht...
So yes, you're right that sec. 2804 in one version of SAFE eliminates mandated key escrow. But other versions, including the one approved by that House committee in 1997, went exactly in the opposite direction.
[+] [-] new299|11 years ago|reply
"New section 2803 will make it unlawful after January 31, 2000, to sell in interstate or foreign commerce any encryption product that does not provide duly authorized persons an immediate access to plaintext capability, or immediate decryption capability."
and
"Sec. 2803. Unlawful sale of encryption
Whoever, after January 31, 2000, sells in interstate or foreign commerce any encryption product that does not include features or functions permitting duly authorized persons immediate access to plaintext or immediate decryption capabilities shall be imprisoned for not more than 5 years, fined under this title, or both."
I don't know what this document is, or what it's relevance is, but that was my reading.
[+] [-] yuhong|11 years ago|reply
[+] [-] slowmovintarget|11 years ago|reply
[+] [-] RankingMember|11 years ago|reply
[+] [-] strathmeyer|11 years ago|reply
[+] [-] known|11 years ago|reply
[+] [-] socceroos|11 years ago|reply
[+] [-] xnull2guest|11 years ago|reply
A telecommunications carrier shall not be responsible for decrypting, or ensuring the government’s ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication."
http://www.law.cornell.edu/uscode/text/47/1002
"18 U.S. Code § 2703 - Required disclosure of customer communications or records
(a) Contents of Wire or Electronic Communications in Electronic Storage.— A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) by a court of competent jurisdiction. A governmental entity may require the disclosure by a provider of electronic communications services of the contents of a wire or electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days by the means available under subsection (b) of this section.
(b) Contents of Wire or Electronic Communications in a Remote Computing Service.—
...
(c) Records Concerning Electronic Communication Service or Remote Computing Service.
..."
http://www.law.cornell.edu/uscode/text/18/2703
[+] [-] declan|11 years ago|reply
So if the 1997 ban-strong-crypto bill had been enacted, it would have overriden that portion of CALEA -- effectively repealing it -- to the extent it was in conflict.
Put another way, if Congress has the power to say X one year, they typically have the power to say not(X) the next year.
[+] [-] honeybooboo123|11 years ago|reply
[deleted]
[+] [-] chernevik|11 years ago|reply
I think I've read that the courts have ruled that dissemination and use of strong crypto algorithms is protected by the First Amendment, but I'm not sure of that.
[+] [-] frostmatthew|11 years ago|reply
[1] https://en.wikipedia.org/wiki/Bernstein_v._United_States
[+] [-] rokhayakebe|11 years ago|reply
At some point we have to choose: Natural Freedom or Societal Freedom, but we cannot have both.
I for one believe that we should TRULY consider recording every message we send/receive.
We should have a very high threshold for using these communications against people, and making sure they can only be used for matters of the people's security.
[+] [-] vertex-four|11 years ago|reply
Lots of people might, but a lot of the younger generation most certainly doesn't - these are black swan events. Given that they don't happen more often, I'd say the Government have more than enough power - you can't stop 100% of terrorism, just like you can't stop 100% of crime.
> We should have a very high threshold for using these communications against people, and making sure they can only be used for matters of the people's security.
We already have laws which empower the Government with additional powers in cases of "national security". The result? Suddenly, drug busts are national security.
Now, that's not to say the Government should not have some well-thought-out powers to combat terrorism if they actually need them. What they have now, and what you are proposing, is not well-thought-out.
[+] [-] mhuffman|11 years ago|reply
[+] [-] chrisdone|11 years ago|reply
Speak for yourself.