<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
(this is long and dry, sorry in advance, but I felt it was impt
stuff).<br>
<br>
So last week in DC I attended the <a
href="https://www.accessnow.org/page/content/crypto-summit/">Crypto
Summit</a>, put together by "Access". It was a series of panels,
one of which was an entertaining bloodbath. Watch that one here: <a
href="https://youtu.be/SZSr9Ao8zBY"><a class="moz-txt-link-freetext" href="https://youtu.be/SZSr9Ao8zBY">https://youtu.be/SZSr9Ao8zBY</a></a>
. This one as well had some funny moments:<a
href="https://youtu.be/A0OotbJoGSg"> <a class="moz-txt-link-freetext" href="https://youtu.be/A0OotbJoGSg">https://youtu.be/A0OotbJoGSg</a></a>
in which Matt Blaze said things like "Every day is 0day." and "I am
in the most incompetent field (security) of the most incompetent
field (computer science) of all of engineering". His point being "We
have a near-impossible job, and you are making it a lot harder by
even asking for key escrow, and the effect of that is not something
you actually want, because the results of us failing are
catastrophic for society and the rule of law".<br>
<br>
Nate's (EFF) argument as well was quite interesting. Over and over
the Justice Dept lawyers drilled home the idea that they should have
access to any data at rest where they have a warrant. Nate and
others' response was that the 4th amendment is not a limit on
freedom, but a limit on the intrusion of privacy BY the government.
In other words, the ability to get a warrant does not force everyone
to pre-place surveillance equipment in their house. Nate also knows
the history of physical safes weirdly well, and apparently there was
a brief time where people were creating tumbler safes that were
essentially uncrackable unless you knew the combination, and no laws
were suddenly created to outlaw them. This is only relevant because
the government is asking for that capability digitally, and in a
massively more intrusive area.<br>
<br>
The other major argument from this side is of course, "show us real
numbers and studies on how this is effecting law enforcement, rather
than trying to scare us with random stories of pretend kidnappings".
Marc Rotenburg pointed out that wiretaps are almost never used for
kidnapping, and in general that whole area is used for
counter-narcotics, which, if you've seen The Wire, is not news. It
does not help the DoJ that the only official reports on the subject
have a grand total of 4 times encryption has been uncrackable during
an investigation last year. <br>
<br>
From comments from other people in the audience, who had been to
similar meetings in Silicon Valley and elsewhere in DC and NYC, this
was in fact the most Key-Escrow-Positive summit they'd been to.
That's a telling statement, because the people from the Justice Dept
were relentlessly hounded by the other people on the panels and an
audience one step away from throwing rotten fruit. Telling also is
who the sponsors are: the Business Software Alliance (known for
their anti-'piracy' efforts), Microsoft, LinkedIn (!?!), and Google.<br>
<br>
The BSA is a pretty decently powerful lobbying group. Their take on
the matter is at 24 minutes into this: <a
href="https://youtu.be/_rD987SXoJI"><a class="moz-txt-link-freetext" href="https://youtu.be/_rD987SXoJI">https://youtu.be/_rD987SXoJI</a></a>.
It is worth listening to, to say the least. He's the first one to
talk about the Wassenaar "intrusion tools" regulations, and he is
not into the idea at all. By which I mean to say, the BSA is
fighting any increase in regulatory burden tooth and nail, and
that's no small thing. <br>
<br>
Having read the Coalition and EFF's responses to the Wassenaar
regulatory comment period along with all of the hackers who posted
theirs yesterday, I can say that having lawyers comb over and write
seventy pages in depth on the details of every word of a regulation
is a powerful thing. And the alliance against key escrow and the
Wassenaar regulations is broad indeed. Reread <a
href="http://hackingdistributed.com/2013/08/01/framework-for-surveillance/">this
article</a> from Emin Sirer to see why it matters, where he
discusses the elements that go into public policy in this area, as
split between government, business, and the populace.<br>
<br>
At one point during the Crypto Summit Carrie Cordero from the
Justice Dept finally spoke to the elephant in the room. The whole
time the DoJ side had been pitching "You better come to the table
and negotiate because otherwise we'll force the issue with
legislation". But after a frustrating hour of getting nowhere, with
the business and EFF side giving no ground whatsoever she exclaimed,
"This White House won't propose legislation on this issue because
they're in silicon valley's pocket, and until a new Administration
comes in that will, we're going to get nowhere on this issue."<br>
<br>
I don't think a Hillary Administration is going to be any more
Pro-DoJ on this issue. And knowing that, the DoJ and NSA are making
a massive mistake by even ASKING FOR KEY ESCROW AT ALL. It is stupid
counter-insurgency policy to piss the whole technical community off
for an issue you are going to lose anyways. And the business
community is extremely angry about these issues. It is hard to
overstate how abused they feel about the fifty years of rope they've
had around their neck on the cryptographic export issue, which has
been used to blackmail and control them again and again. <br>
<br>
People look at the Wassenaar stuff and always say "Well, SOME
regulation is going to happen in this area, so we might as well
design one for the government that hurts us the least!". But
additional regulation is not a given. Export control is a terrible
place to PUT regulation over software and ideas, and there is a vast
and powerful alliance against any additional regulatory burden in
this space that is going to force the government to "Just say no".
And it's one that you can and should be adding your voice to,
because this is going to be an ongoing struggle.<br>
<br>
<br>
</body>
</html>