The irony here is that simple one-time-pad solutions (OTP) will continue to be available to securely encrypt the sort of messaging that's of use to terrorists (relatively short infrequent messages), instead it's the general communications (including for banking) that the rest of us perform online that will be made vulnerable.
You don't even have to program or use a computer to create these OTP solutions, for limited messages you could just flip a coin to create the OTP if necessary (although there are lots of more automated solutions available as well.)
Airgapped computers at both ends provide another way 'round restrictions for more sophisticated actors. Their backdoors won't be accessible (remotely.)
So taking away secure encryption from the rest of us is just security theatre; a destructive, narcissistic legislative exercise designed to make it look like the pompous powerful doing something when they're doing nothing of any real use while creating terrible risks.
This is why, I think, legislators have consistently ignoring logic and math from professionals such as the OP - they don't care. They know perfectly well they're pissing into the wind doing nothing useful; that it's all theatre; they just think the fallout is going to land on someone else's pants after they're out of office. But tech works (and fails) faster than that.
[Counterargument: if everything else is breakable, securely encrypted messages really stand out. One answer: But very short messages (in an unknown format) aren't generally breakable, anyway, and that's the likely case.]
> the sort of messaging that's of use to terrorists
It seems increasingly apparent that recruitment and radicalisation are done in the open. After all, political speech is free speech.
Then people either self-radicalise (go on a murder spree without coordinating action with a larger group; e.g. many mass shooters), or they meet up in person. Lots of radicalised people go to the Middle East where they can't be surveilled by western security forces.
There's remarkably little evidence that terrorists are making routine use of strong encryption.
> There's remarkably little evidence that terrorists are making routine use of strong encryption.
Even if they were, we Americans have a fundamental right to strong encryption, protected under the Second, Ninth & Tenth Amendments to the Constitution. I'd go further still, and argue that everyone in the world (who's not a prisoner or otherwise unfree) has a right to strong encryption.
> So taking away secure encryption from the rest of us is just security theatre
Even more importantly, it's a power grab of the powerful (which mostly translates into "the rich", and vice versa) aiming to further dominate and manipulate the remaining population ("the 99%") in order to secure and increase their dominant situation.
>But very short messages (in an unknown format) aren't generally breakable, anyway, and that's the likely case.
Hell, in most cases they wouldn't be detectable!
With so much random data flying around today, you could encode short messages in just about anything. comments on reddit or hn or one of the alternatives, image metadata, etc...
If you are looking to hide data on the scale of kilobytes, your options are basically unlimited.
Well, 'they' allowed door locks to be easily broken by anyone with minuscule knowledge in lockpicking because that is the type of locks 'they' like on doors.
It's going to be no different for "crypto" solutions.
*Part of the FBI's job was to harrass anyone they considered a dissident or counter to their view of what US citizen should be or how they should behave. I doubt they changed at all. It's already documented and well known one of their favorite tactics was to break into people's homes while they're sleeping, or away, move things around... mess with their belongings or persons, etc... Expect it to be the same for crypto solutions "post quantum", if not already "pre quantum".
Picking locks requires physical presence. Stealing bank credentials online can be done from another continent using public wifi. It's not a great comparison because the number of criminals with access to your computer is much higher than the number of criminals with access to your front door (multiple orders of magnitude), and their ability to distance themselves from the act (both geographically and forensically) is also orders of magnitude higher.
We're talking about the security of the lock guarding the door irrespective of the criminal history of a person with the motivation to break-in. The FBI, who have been known to break-in to people's residences were not found guilty and therefore are not considered criminals by law.
Convenience really does play a part here though. The easier it is to be secure the more people will take advantage of it. Good for the most part - but bad from the FBI's perspective when a criminal uses it to hide their misdeeds.
The likelihood for a criminal to use a one time pad is extremely low. The likelihood of them having an encrypted cell phone with useful information is much higher. It would be tough to argue that a law against cell phone encryption wouldn't be effective for this purpose.
More valid criticism is its disproportionate impact on lawful uses.
> The likelihood for a criminal to use a one time pad is extremely low. The likelihood of them having an encrypted cell phone with useful information is much higher.
Maybe that's the case right now, but how can you be so confident that these actors won't switch to OTP if such a law is enacted?
Encryption wasn't mainstream at all back then and, more crucially, digital surveillance was still in its infancy. The most popular chat app in the world right now implements full E2E encryption. Go back 10 years and having a "chat" consisted of sending your friends SMS messages.
Exactly - and yet most criminals were happy to use that insecure and broken SMS. I'd love to see a study on the proportion of criminals that even know what encryption is. I expect it to be extremely low.
Exactly what? My point is that encryption is fairly common right now, even for average consumers. If political activists use Tor and Signal quite regularly, why wouldn't criminals do the same? I still don't quite understand why you're comparing what criminals did back then to what they could do right now.
I'd expect that currently, most criminal use of encryption is accidental. That is, everyone switched from SMS to whatsapp, criminals just did what everyone did.
Sure, there might be exceptions for high-level criminal conspiracies. But most crime isn't of that kind. For terrorist, I imagine there is a large spectrum of covert abilities.
> That is, everyone switched from SMS to whatsapp, criminals just did what everyone did.
How are you so confident that this was what happened? Do you have some concrete data and/or stats to back this statement? What if most criminals are using something like Signal? Besides, I personally wouldn't trust WhatsApp if I were partaking in illicit activities.
Building the software that automates it all isn't hard, including the random number generation - and such an app could go on airgapped computers. It wouldn't be harder to use than a faucet. After the random part (not hard) it's just XOR, some of the simplest programming imaginable.
Of course, that perfection is achieved by shifting all your risk to key distribution.
I think of OTPs as a form of time-shifting. Think of it this way: if you and your correspondent have viable OTPs, that implies that, at some point in the past, you securely communicated that OTP. Since it is (at least) the length of a future message, you could have just passed a secure message then. Instead, you passed something that enables passing a secure message now.
Imagine implementing your amazing solution in real life.
I don't see a situation being frequent where you'd know the message weeks or months in advance of when you send it. If we follow your scheme, there's no encryption; we just meet up when we need to communicate. What if we're on opposite sides of the earth? If we had exchanged keys months earlier, this wouldn't be a problem.
I must have explained poorly. I was not proposing "just communicate securely in advance". I was highlighting the problem with OTPs.
The fact that your key material is the same size as the message means all your security is in the key, thus in your key distribution method. Among other problems, this means no rekeying without replicating your original hand-off - you can communicate exactly as many bits as your previously securely exchanged, no more.
Speaking of points, I can't tell if you're intentionally missing mine, but either way this is unproductive. If you're sincerely confused, please read up a bit. The Wikipedia page isn't a terrible place to start.
No I mean I understand where OTP falls short, but you're either really bad at conveying your viewpoint, or you're simply plain wrong.
Yes, with OTP you need to exchange keys and this shifts all of the security to key exchange, and while this wouldn't be a problem in other ciphers, it's a problem in OTP because of its other properties and shortfalls.
So at most I feel as though it's a security/convenience tradeoff; a tradeoff that's substantial or even dangerous in certain situations.
Indeed. I'm about to have a form of that conversation with a client today. Just encrypting columns in your database is of some value, but having the symmetric key in an environment variable (a common practice) is not going to prevent a breach when the data and the key are compromised at the same time.
Just think of the outrage if the government required master keys to everyone's homes?
I know there is a difference, but it's not a huge leap to compare the two. We don't want the government to have such easy access to our homes because we can't trust every government employee not to abuse it. I think the same goes here. No mater what safe guards you put in place it's a scary thought that you simply can't keep the government out of your affair's. Sure now you think you have nothing to hide. But what if your political views become criminal, what if your religious views become hate speech? We're not there yet but times can change quickly.
The reason government doesn't have or need keys to every house, because no matter how many lock you put on your door, government (SWAT team, for example) can break in anyways, if deem necessary.
So for this reason alone if they truly want to... every house can be and will be open to them, no matter what.
Meanwhile here the locks are based on sophisticated math.. and that math is smarter or more complicated than the largest compute power they can get hold of.. hence make your virtual locks unbreakable. I think that's the whole issue they have here.
I am reminded of a quote from The Princess Bride: "...you cannot track it, not with a thousand bloodhounds, and you cannot break it, not with a thousand swords." And that just infuriates the prince, to the point where he just has to go destroy something beautiful, out of spite.
People put locks on their homes to keep criminals out. It does not matter if the government can break those locks, until the government itself begins to act like a criminal. At that point, it becomes necessary to build locks that even a government cannot break.
The Snowden alarum showed us all that a portion of the US government has become functionally indistinguishable from an organized crime ring. So, sorry Comey, but perhaps the FBI should focus for a while on investigating and burning out the criminal corruption within its own umbrella organization before we talk about maybe allowing it the power to intrude upon our personal lives at will, in the name of the greater good.
By the house metaphor, law enforcement is more like vampire legends. The vampire has the strength to batter down any door, but if it crosses the threshold without first being invited inside, it loses its power. Except the cop-vampire can also be invited in by a magistrate who issues a warrant.
And perhaps even that is too lenient. Maybe our warrants should be issued by a grand jury. Allowing them to be issued by a sole judge, or panel of judges, seems an invitation to erect secret, rubber-stamp courts like those used for FISA warrants. Maybe your secret keys should be protected by an M-of-N consensus algorithm using about 30 cryptographically-random peers. The government then has to convince a bunch of presumably reasonable strangers that it should be allowed access to your keys. Should be no problem if you're a dangerous criminal, but impossible if the state just wants to sniff around in your dirty drawers.
Disclaimer: I agree with you but I always struggle to convince people that this line of reasoning makes sense.
The government can already enter anybody's home upon receiving a warrant to do so. If you don't let them in, they can bust through a door or tear down a wall. We trust the government not to do this without court oversight. We trust courts to provide good and honest oversight. It is far from a perfect system, but we set up lots of human-level checks and balances to keep power distributed enough that this basically works.
The problem with strong encryption is that this is impossible. Even if there is a very good reason signed off by an honest court, it is impossible to get in. This breaks that human-level checks-and-balances system. What replaces it?
Another difference from the metaphor is that busting down doors is visible and obvious, and doesn't scale.
Imagine if the government busted down a quarter of all doors in the country - that's a lot of industrial-scale police work, and it's very visible to all citizens. On the other hand, the government can tap half of all phones in the country, or intercept half of all emails sent by US residents, and we're not even legally allowed to know it happened, so we can't even argue against it in a public court of law.
Atomic-grade offense requires atomic-grade defense. We will have un-breakable encryption, or we will be crushed by secret intelligence agencies with immense power and no public accountability. It's a whole new game.
Anyway, I'm not too worried, strong encryption is open source and widely available already (even if not used in nearly all the circumstances it should be yet). This cat isn't going back in the bag.
My preferred analogy is paper shredders. Imagine if any criminal could just walk into a store and buy a paper shredder so effective that it's impossible for the FBI to piece the data back together, with or without a warrant, no matter how many resources they throw at it.
Clearly the solution is to require every paper shredder to be equipped with a camera to scan documents and upload them to cloud.gov before shredding. Of course, nobody would be authorized to look at the data without a warrant, and we should trust that nobody working for the government would ever break this law.
I agree that this effectively counters the lock and door analogy, and that it's better to avoid these analogies all together when making the case for strong encryption.
Another line of argument is to emphasize the extent that our digital economy and national security rely on strong encryption. If you outlaw it, then all of our online banking and shopping, corporate and government secrets, and more are vulnerable to hackers and foreign governments. And just as the conservative gun advocacy argument goes, outlawing it won't necessarily take encryption out of the hands of criminals, only law-abiding citizens.
I actually agree with you that this is an issue. However, key-escrow has some issues that warrants don't have.
The first, as others have mentioned, is how easy it is to use an escrowed key without detection.
The second is the fact that strong encryption remains available. This means you need to outlaw strong encryption, at which point steganography comes up to hide the encryption.
Finally, key-escrow is a massive increase of the attack surface of encryption. It's almost as if the government mandates we all use TSA locks on our doors.
It's not the government I fear with this concept, it's that anyone with a brain can steal the master keys from the (generally inept) government and break into your house - and you can't prove who it was.
Personally I think you can make it a crime not to produce a key if a warrant has been issued to search what ever you've encrypted.
That is a lot more out in the open than a "back door". When the government bashes through the door at least it's in plain site and the house owner knows it's happening. But with encryption how would you know if the government has used their access?
How do you plan to prove that a person can unencrypt certain communication and is not simply an intermediary?
What if a hacker plants "secret encrypted documents" on your computer, and then the government demands that you produce a key for them? This situation has allegedly already played out with child porn[0], and planting drugs is not unheard of by unscrupulous police officers[1]. Essentially, you're back at the issue GP describes - we don't trust government employees with this much power over our lives.
How is this different to getting a warrant to search say a safe deposit box at a bank? Is there something about encrypted data that should be beyond the reach of the law?
The difference is that the physical box at the bank is not subject to being stolen by foreign adversaries remotely. With information that is stored in databases or on phones that may be lost or stolen there is no border. And when you start to consider the critical national infrastructure that is managed by private companies and individuals, it becomes clear that on balance Americans are safer if the FBI cannot read Tony Soprano's email because any tool they can use to get his data can be used by sophisticated adversaries to get at the emails of the CEO of the nuclear power plant and more. While I do not have a link at the moment to share, Retired General Michael Hayden, the former NSA and CIA director, says the same thing.
I already have so many different accounts on various websites that I regularly forget a password, the same can happen with an encryption key. Should that be a crime?
We already require corporations to preserve all their email, voice, and other electronic communications in case the government wants to investigate it. Maybe you're irresponsible for losing your key, and need to be held accountable.
We also require people to document their finances to accurately tax them. You're presumed 'guilty until proven innocent' in the sense that you're taxed on income unless you can document that it's untaxable(a business expense). There are penalties for failing to document things. What's wrong with requiring you to document your private keys, along with your receipts?
If you sell apples under the name "Loving Apples", you have to pay your state government to register that name. You can be fined for not registering your name, and your bank or other financial provider will want to see the government approval document. You could have the government maintain a central registry of all private keys, and make it a crime to encrypt a document with a key not documented in a state agency.
If you receive a document that is encrypted, you may be further required to tell the government who gave it to you, to ensure compliance with the encryption law; similar to how giving someone money requires you to tell the government about the transaction for compliance with tax law.
Wouldn't the same reasoning apply to all communication? Do you keep transcripts and/or recordings of all private conversations you have (in meatspace) so that you can hand those to the government when they show up with a warrant? Would you like to live in a society where not keeping such records is a crime? If not, why should communication "on a computer" be held to a different standard?
"One man's modus ponens is another man's modus tollens"
Which direction of the implication you take is a matter of preference. People who agree with giving the government full power(and trust them not to abuse it) or who agree with not giving the government any of this power are both logically consistent with my argument.
I'm only attempting to rule out people who are okay with all of the existing documentation requirements, but balk at documenting their encryption keys.
The main difference is that devices store and transmit tons data that would never be stored in a safe deposit box, and which has always been inaccessible to law enforcement anyway, such as one-off drunken quips between friends.
A "better" way to do this would be to use key-escrow where a key only you have access to is needed to unlock the escrowed key.
If your personal escrow key is government mandated, and well-protected, that prevents the issue of you forgetting passwords (Estonia already has something like this). It also fully ensures that the government accessing escrowed keys requires you being informed.
I still don't support this plan, but it is the best thing I've seen.
Not to mention the chance that a buearocrat loses their copy of the master key, or has it stolen or secretly copied, and before you know it thousands of criminals have access to every home in the country. After the damage is done, we go through a large expense to re-key every house with new locks and the process continues.
Government already has master key to anyone's home. They'll just break the door, it can be done easily. Proper encryption is a different beast, you just don't have that option to break the door.
Breaking a door is not the same as having its master key. It's a flaw of the door. Encryption can be broken as well, but everyone has encryption that is better at not breaking than most doors.
Maybe there needs to be a publicly accessible/downloadable/searchable registry to which all warrants issued by any court in the us gets logged? Who has the mandate to create such a requirement?
Does anyone here remember the clipper chip? If you don't, I'd recommend boning up on this chapter of the crypto wars.
The 'because terrorism' excuse falls a bit flat with me.
Thought experiment: how hard would it be for a terrorist organization with access to 100's of millions of dollars (eg. ISIS) to come up with a secure communications scheme? One time pad. A reasonable cipher that hasn't had any 'help' during development. Even run an encrypted channel over a backdoored product. I'm sure many of us could come up with something in a day (with decryption over an airgap). How about a hostile government with multi-billion dollar budgets (and who have been using OTP already for decades).
Is this about terrorists, or is this about citizens? My bet is on the latter.
It's a grave mistake to demonize a single politician you dislike: if it were that simple, they'd have dropped it as soon as that one person left office. In reality, there's a large community pushing for things which they perceive as making their job easier and that persists across administrations — that started well before Clinton ran for office and certainly didn't end after he left.
You are putting words in my mouth. I demonize no one.
My feelings about them (The Clintons) have indeed declined over the years. I mostly have huge respect for Al Gore. But my personal feelings have absolutely nothing do to with their material involvement with the Clipper Chip. Nor do I care when it started. They all carried the baton of government key escrow which is not something I am going to forget. It is a grave mistake to not hold people accountable for their actions, to not take a stand while the bureaucracy pushes you along with the current.
“paws” isn't a neutral term – it has strong negative connotations.
My point was simply that while, yes, Bill Clinton ultimately owns his official actions, it's naive to ignore the massive weight of the entire U.S. intelligence apparatus, especially coming off of the Cold War footing, on a subject where he was hearing from a lot of experts in government and business saying this was a good move.
If you disagree with someone, the right thing to do is to put forward your own side of the argument. It isn't polite to simply disregard what someone says because of your conceptions about where that belief is coming from.
I'm going to have to go back to listen to the entirety of the Senate hearing at some point. With so much talk about Russia hacking and influence and then they flip the switch and want backdoors into encryption even though any mandated tool the government demands for so called lawful intercept can be hacked by or ordered by the judges in Russia! There is a strange disconnect and I think it hurts us that the public discourse is security vs privacy rather than being about the personal security off all citizens.
I did my Extended Project Qualification (EPQ) [1] on this issue, and it actually surprised me how many people think that the governments are right in this debate.
When presenting the work, I had a chance to ask ordinary people, and they all pretty much agreed that the government should be able to "break" encryption with a warrant.
This is a scary prospect, and I feel that educating citizens as well as the government is important.
Access is under no risk whatsoever. Encryption is math. It is open source. It will always be there. What is at risk is the legal right to use it, the government's permission for the public to use that math. My point: people with good reason to fear the government will still access and use encryption. This therefore isn't about terrorists. It is about watching the everyday people who want to abide by the law.
The greatest problem right now is our hardware, not our software. We can always devise secure encryption schemes without backdoors. Nobody can do anything against it.
Our hardware on the other hand... is probably backdoored already.
It isn't just our privacy at issue. With more and more critical infrastructure on the internet, having unbreakable encryption is a major national economic and national security requirement.
It's unrealistic to think that if there is a means for access by the government, that foreign enemies and criminal organizations won't be able to access it, too, and cause havoc.
This is not a battle they can win. Most American's DGAF if their shit is encrypted, until the PSA campaign fighting against laws like these tells them the government is taking away their rights and able to snoop on their lives. Just like SOPA and others this will be defeated.
I would not be so sure of that. I really believe the President's guiding principle is to do whatever it is that will enrage liberals the most. If Republicans see that liberals want strong encryption, they might decide to oppose it just to piss off liberals. It's amazing to me that a lot of the same people advocating gun rights are also the ones that support government mandated encryption backdoors.
Eh.. it's messy isn't it. Politically motivated libertarians strongly support both 2nd amendment and oppose back doors. Generally speaking, the govt is always seen as the biggest threat to guard against.
Probabaly the ones supportive of backdoors are as you said, simply "trusting" of the current leader they voted for but would immediately oppose the same policy coming from a Democrat.
...which is the exact impulse and logic that should push all partisans to distrust government power to snoop on communications. There will always be someone in charge somewhere that you don't trust.
Are you sure? Yet again, privacy is being challenged, and it'll continue to be challenged. It seems like a battle with entropy, lost whenever a bill squeaks by under the public's consciousness.
Regardless, I derive emotional sustenance from your optimism.
It is worthwhile to fight the battles. But ultimately, there is no assurance that privacy will remain a legal right. I think that we need to be prepared for civil disobedience in some circumstances.
For congressional consumption, I suspect arguments like this need to be dumbed way, way, down.
Tim Cook's "software equivalent of cancer" is an example of an effective dumbed down take on it, but it need not be the last one. The more ways the point can be re-worded concisely so that lay people will understand it, the better.
Encryption will never be intentionally backdoored on a large scale.
I think one of RSA argued this, basically "Do you really think the government will want to review and approve everything on the app store?"
Forcing big players to divulge data, making accused people decrypt their devices -- those are things the government could do. Encryption per se isn't in any danger.
I don't think it is the encryption protocols at risk really. Secure protocols exist now, they will continue to exist. It is the future hardware implementations and closed source software implementations that we will no longer be able to trust.
The government doesn't review every app on the app-store to check whether it complies with CIPA (Children Internet Protection Act). And yet, most apps do comply. Why? because people don't like to break laws, especially when the fines are rather large.
I read that Sen. Diane Feinsetin is supporting an anti-encryption bill. It's never been completely clear to me if she, and those like her, fall more on the stupid side, or more on the evil side.
But the arguments against this aren't that difficult... so I have to guess it's the evil. Power corrupts.
The US Department of Defense arguably runs the most extensive key escrow system in the world. Every DoD employee and many contractors have Common Access Cards (CAC) that contain email encryption keys that are escrowed with DISA.
A better example of work that Congress might be interested in would be Schneier and Kerr's writeup on encryption workarounds showing government tools they have available with legal considerations of current or expanded ones. That's the kind of practical stuff that can influence powerful people's opinion as they're always looking at grey areas to balance many conflicting interests.
Um, what? You have linked to an explanation of why it's not fine. This mistake is getting more and more common, even among educated people. It's quite embarrassing/funny because it stems from a belief that "I" is inherently more "educated", and the result sounds anything but. I know us English speakers can't speak any non-English languages, in contrast to the rest of the educated world, but it's really not too much to ask for us to be able to comprehend the concept of subject of a sentence. Our parents' and grandparents' generations managed it fine, in fact would have been mortified to make a mistake like this.
This is actually one of my fury triggers whenever the spouse is watching trashy reality shows on television.
I recall from my early public education that my peers and I were all taught incorrectly. They told me and my classmates to use "I" rather than "me" in all compound nouns, rather than to use the correct pronoun. This is burned in my memory. It happened. Don't try to gaslight it. At least one teacher taught every last one of their students the wrong grammar.
For instance, this would be correct. "She and I [1] went to the theater, and the ticket-agent told her and me [2] that matinee prices ended at 4 PM." Countless fools would put "her and I" in position [2], sparking a righteous, impotent rage in my soul.
Also, it's "I know we English speakers can't speak...". Try taking out the descriptive. "I know us can't speak..." versus "I know we can't speak..." Select the correct pronoun, then put the descriptor back in.
Haha fair enough! And thanks for pointing out that it's actually been propagated by school teachers sometimes. I definitely deserve to be corrected publicly on the "us English speakers" thing. I could try to defend myself on the basis that I was deliberately affecting a more popular mode of speaking at that point, at the expense of correctness, but the truth is I've never said or written "we X doers". I'll bear it in mind for the future!
Wait does he have a Masters in Information Security from the College of Computing at the Georgia Institute of Technology???!
Joking aside, unfortunately it takes deep problems to motivate people/the US to change. It'll swing this way, and there will be dramatic consequences. Only then will things swing back the other way.
It's too bad there isn't any balance here -- it does make sense in many situations that the police/courts should be able to gain access to information. But encryption doesn't care about the situation. Encryption doesn't care who you are. Encryption has no contextual morales of its own.
If data had physical weight, where things that were important we're really hard to steal, then it'd function like the real world. But data does not, and it's too easy to download gigs of data one should never have access to. It's very difficult to gain a middle ground as suggested by Pelosi. I don't know if she understands that.
You make fun of someone for stating their credentials but you do the same in your profile. I guess your joke is that his credentials are laughable compared to the credentials of other people (e.g. MIT grads). Or is the joke that he stated it so clearly so early in the letter? I'm not sure.
Hey, so you could write an even more credible letter :)
Also, data does have "weight". The more data that you move, the more obvious the movement is. And the more you obfuscate the connection, the less bandwidth you have.
It looks like you forgot to pay your Squarespace bill: "This account has expired. ( http://empiric.al )"
Joking aside, I guess you're saying that leading with credentials in an article is unnecessary if that article is relatively short and you've got a bio blurb at the bottom of the page?
That's actually a good point. I originally wrote this as a private message to each of the Congressional candidates in the Georgia 6th district and in that format there was not the bio and all the surrounding blog template. It feels weird to be to lead with it too, but I'm trying to answer real quick to a politician who does not know the science why he or she should read on to the next paragraph.
I think you're discovering that text written for one medium might benefit from revision when published elsewhere. :-)
Also, I think it's reasonable these days to write hardcopy letters that look more like websites -- multiple columns, a bio section, etc. Don't restrict yourself to obsolete and arbitrary etiquette.
You could have made that criticism in a more kind tone. As a researcher on interacting with strangers on the internet, I'd expect you to be more cautious that your comments aren't accidentally read in a negative light.
I've updated the page to remove the references except for in the bio. I got tripped up with the open letter format as a blog post when I had written most of it previously for private email use. I do appreciate the feedback and hopefully this revision will make it stronger when members of Congress do read it. As for the significance, it's the relevant degree that I have to the content of the letter.
I'm not trying to cast doubt on your credibility. The content speaks for itself. It was just funny to me to see it listed so many times and have it open that way.
You don't even have to program or use a computer to create these OTP solutions, for limited messages you could just flip a coin to create the OTP if necessary (although there are lots of more automated solutions available as well.)
Airgapped computers at both ends provide another way 'round restrictions for more sophisticated actors. Their backdoors won't be accessible (remotely.)
So taking away secure encryption from the rest of us is just security theatre; a destructive, narcissistic legislative exercise designed to make it look like the pompous powerful doing something when they're doing nothing of any real use while creating terrible risks.
This is why, I think, legislators have consistently ignoring logic and math from professionals such as the OP - they don't care. They know perfectly well they're pissing into the wind doing nothing useful; that it's all theatre; they just think the fallout is going to land on someone else's pants after they're out of office. But tech works (and fails) faster than that.
[Counterargument: if everything else is breakable, securely encrypted messages really stand out. One answer: But very short messages (in an unknown format) aren't generally breakable, anyway, and that's the likely case.]