On the Sisyphean task of regulating encryption.

I keep reading these news stories about the dangers of encryption. When it comes to history, it seems only the names change. We keep scaling up the technological prowess without really learning anything. Perhaps this is due to the limited span of a human lifetime. Maybe if we lived in a more Tolkien-esque world where life spans were measured in the 100s of years, then we would learn. I digress; the task of regulating encryption is not unlike the task of Sisyphus.

California, New York City, and others are missing the point completely. We do not need an easy way to decrypt devices, in this case phones. The main sticking point for this is a terrorist's phone. Despite what is claimed, the FBI already has everything they need to decrypt the phone. They just want an easier, less expensive way to do it. It's already been acknowledged that there's most likely nothing of value on it. (With the resources of the government, I'm sure they could find a way to copy the memory and try the attacks over and over.) Furthermore, they had a VERY easy way in (iCloud) but they managed to screw it up (resetting the iCloud password). What this is about is giving the government tools to do whatever they damn well please. We've all seen the fallout from the Snowden leaks. Love or hate the man, he really opened our eyes. Prior to this, most people, myself included, did not believe the foil-hat-wearing "nuts" out there. Now they don't seem like nuts. Most security experts were pointing out all these flaws, and now they're standing over us saying "We told you so." The average person on the street may not know who Snowden is, but they've heard of some of the leaks. We're at a great changing point in history right now. For the first time ever, the average person has in their pocket a device that is capable of accessing the entirety of human knowledge. The average person has the means to create truly secure and private documents and communications. Yet we use this power to argue with strangers and watch cats. If you're feeling ashamed, go donate to Wikimedia and EFF.

I digress. The point that California, NYC, and others are missing is that there's no stopping encryption. Encryption makes modern life possible. It's one of the few areas where there can be no middle ground.

Side note: The only reasonable solution for having a back door that I've read was a global community, e.g. the U.N., in control of a universal encryption standard. The plan essentially says that servers in different countries would be in control of the keys, with one server that does nothing other than act as an arbitrator. These admins from all over the globe and the arbitrator would all have to agree that this data needs to be decrypted for it to be decrypted by someone other than the encryptor. If so much as one admin says no, then nothing can go forward. This alone should give you some idea of why encryption is so important. That the only reasonable backdoor would require global agreement to use is astounding. I can only think of one use case where we could get global agreement, and that's people who harm children. I highly doubt we'll ever see a day when the whole of humanity agrees to a solution like this.
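The "one no stops everything" property of that plan can be shown with an n-of-n XOR key split. This is an added illustration, not part of the plan the side note refers to; the holder names, the approval map and the XOR construction are assumptions made for the sketch.

```python
from __future__ import annotations
import secrets
from functools import reduce

# Constructed holder names for illustration (not from any real scheme).
HOLDERS = ["admin-A", "admin-B", "admin-C", "arbitrator"]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def combine(shares) -> bytes:
    """XOR a collection of equal-length shares together."""
    return reduce(xor_bytes, shares)

def split_key(key: bytes, holders: list[str]) -> dict[str, bytes]:
    """n-of-n split: one share per holder; only ALL shares XOR back to the key."""
    if len(holders) < 2 or len(set(holders)) != len(holders):
        raise ValueError("need at least two distinct holders")
    # Every holder but the last gets a uniformly random share.
    shares = {h: secrets.token_bytes(len(key)) for h in holders[:-1]}
    # The last share is fixed so that the XOR of all shares equals the key.
    shares[holders[-1]] = reduce(xor_bytes, shares.values(), key)
    return shares

def recover_key(shares: dict[str, bytes], approvals: dict[str, bool],
                holders: list[str]) -> bytes | None:
    """Release the key only if every holder approved and supplied a share."""
    for h in holders:
        if not approvals.get(h, False) or h not in shares:
            return None  # a single veto or missing share blocks recovery
    return combine(shares[h] for h in holders)

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # stands in for the escrowed data key
    shares = split_key(key, HOLDERS)
    everyone = {h: True for h in HOLDERS}
    print("all agree:", recover_key(shares, everyone, HOLDERS) == key)
    one_veto = dict(everyone, **{"admin-B": False})
    print("one veto :", recover_key(shares, one_veto, HOLDERS))
    # Colluding holders minus one still hold only random-looking bytes.
    partial = [s for h, s in shares.items() if h != "admin-B"]
    print("n-1 shares equal key:", combine(partial) == key)
```

Because each share is as long as the key and all but one are uniformly random, any group missing even a single share learns nothing about the key.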

So why can there be no middle ground for encryption? Why must we agree to have everything readable by all or nothing at all? Right now we have many devices that have centrally managed encryption. This is mostly the domain of the enterprise class of business. We have requirements, ethical, lawful, and otherwise to secure data e.g. medical, intelligence, trade secrets, etc. These devices use software to encrypt them. The keys are stored in a directory. The admins can pull these keys and decrypt the data. Not only does that directory store all the encryption keys, it also stores all the keys to the proverbial castle. It is one of the most guarded parts of any enterprise. So what happens if that is compromised? Bad things.

Now let's scale this down to your own devices. Chances are, you do not use encryption on your devices. You most likely feel, "I have nothing to hide, so why bother?" In that case I invite you to take down the blinds in your living room and hand out copies of your bank statements; heck, even give out copies of your medical file. Seems rather extreme, right? However, that's the point. If you're not using encryption on your devices, this is pretty much what you're doing. All it takes is for someone to compromise your device, steal it, or copy your data. Maybe your neighbor won't know all about you, but I promise you that your identity will be treated like a rented mule online. You will be bought and sold over and over without ever knowing it. Then one day, you sell your house and people come to move in. Only you didn't sell your house, but your identity did. Good luck proving that one.

Now let's take this another step further. Let's say someone used your device; perhaps you left it logged in at a coffee shop, or a teenager jumped on. Let's say that you're stopped and searched by an overzealous LEO. You have nothing to hide, so go ahead, Mr(s). LEO, look away. They power on your laptop and see something: perhaps a joke in the wrong context, perhaps some questionable porn, who knows. Now you're in a lot of trouble and your life is in ruins. You could have prevented this by encrypting / passphrase protecting your devices. You have the 1st, 4th, 5th, and 6th on your side. Also, watch Don't Talk to the Police.

To come full circle, what these lawmakers are not considering is that there's plenty of software, and other countries, that can completely go around these laws, making them moot. All it takes is someone to open source a full disk encryption product and then bake it into a custom ROM. Check out the Black Phone.

We already have the Sisyphean wars on drugs and terror. Do we really need/want to toss another stone in? Why not work to fix other actual problems like failing infrastructure, healthcare, etc.?