> "Baker said encrypting user data had been a bad business model for Blackberry, which has had to dramatically downsize its business and refocus on business customers. “Blackberry pioneered the same business model that Google and Apple are doing now - that has not ended well for Blackberry,” said Baker."
Baker is incompetent. Blackberry's primary advantage was its encryption. It branded itself as a business device and supported enterprise use. As bring your own device became mainstream and as the app store markets grew, Blackberry fell behind, failing to deliver the diversity of apps that iOS and Android did. Sales of devices fell and hence they've had to lay off 1000s.
TL;DR: Baker has it wrong; encryption was a business advantage for Blackberry, until access to a diversity of apps mattered more.
It is touching that an NSA lawyer cares so deeply about Apple and Google's business model.
BlackBerry fucked up their business the old-fashioned way -- by screwing up. They were an early player that listened too closely to their early adopter customers. These customers, including the banks and federal government, cared about stuff like keyboards and CAC integration.
I've worked in very large IT environments, and users of our networks occasionally commit crimes, including heinous crimes that disgust me. Either way, when counsel tells me that we have a lawful warrant, we have a duty to provide the data. The argument put forth by this clown is complete bunk.
This is exactly what I was thinking. It's incredibly frustrating that this guy is spewing complete garbage. Hopefully the public (probably not true) is starting to see through this crap and realize this is a last ditch effort to attack companies trying to do the right thing.
What Baker is trying to express is that companies like Apple could be shooting themselves in the foot with corporate sales if the data sitting on devices they're manufacturing can't be handed over when counsel tells you that there's a valid warrant. If Apple says the data on the phones is completely secure and not even the cops can get to it, then that means IT can't get to it when directed to, either. Management might not like that so much.
Apple and Google are merely absolving themselves of being involved in the legal matters of others.
The third-party doctrine basically forces third-parties to be legally culpable for discovery. Google and Apple don't want to be legally responsible anymore, so they've pushed the responsibility for complying with counsel to the end-user.
i.e. instead of law enforcement going to Google and Apple and saying "I have a legal right to search X. Hand it over.", law enforcement now needs to go up to the person whose papers and effects are being searched and ask the same thing.
Had the founding fathers been aware of the notion that one day third parties would become responsible for the papers and effects for millions of citizens, it's reasonable to assume the warrants would have had to be issued in a way where the subject of the warrant would at least have a right to know they were the subject of a warrant. With third-party doctrine, the government got the benefit of issuing warrants to entities unlikely to protest because protecting the rights of others incurs a cost.
Third-party doctrine has been a civil liberties disaster because it decoupled the recipient of the warrant from the subject of the warrant. That decoupling has led to a scenario that deprives millions of people of the right to contest a warrant in court because they might not even know such a warrant was ever issued.
It's not like Google and Apple are taking away the government's ability to issue warrants. They are just removing themselves as a third-party. The government now needs to go directly to the person who possesses the phone and issue a warrant to that person.
> i.e. instead of law enforcement going to Google and Apple and saying "I have a legal right to search X. Hand it over.", law enforcement now needs to go up to the person whose papers and effects are being searched and ask the same thing.
Which is entirely the wrong way to conduct a criminal investigation. How effective can the police really be when they have to go to a suspect and say "We've got enough evidence to suspect you of a crime and get a warrant, but not enough to convict. Can you please hand over all evidence that would further incriminate you?"
> It's not like Google and Apple are taking away the government's ability to issue warrants.
Eh? Police do that routinely. How do you think they get evidence to prove a building was a meth lab or crack house? They get a warrant, bust down the door and go inside. How do you think they get internal business documents when prosecuting white collar fraud? They get a warrant or subpoena and force the potentially guilty parties to hand over documents.
I'm not sure why this seems like a radical departure. "The cloud" is a very recent phenomenon. Up until quite recently almost all interesting documents were held only by the suspect parties themselves.
The two situations aren't analogous - in both my cell phone example and your meth lab example the police need warrants, but they don't need the owner's permission to bust open the door to a meth lab, and they can't bust open the login screen on an encrypted iPhone without the owner voluntarily decrypting it.
I linked to some case law examples in a previous comment[1], but basically the cops can't force you to decrypt an encrypted device because of your 5th Amendment rights, except in the rare case where you've already admitted that incriminating evidence is stored on that device (thus waiving your right to not self-incriminate).
In your white collar example, they're not demanding the suspect turn over the documents, they're demanding the employer turn over the documents, which would imply that a third party already had access to the unencrypted documents and was willing to cooperate with the police.
I think they are analogous - police usually start by asking nicely if they can search your home, and only get rough if you refuse.
WRT decryption the USA is currently in a weird spot: some countries don't have the same hangups about forcing people to reveal encryption keys or unlock codes if there is a valid warrant or court order. I think the USA will go the same direction; if I understand American history correctly the purpose of the 5th Amendment was to avoid people being coerced into giving false testimony? It doesn't really apply to things like combination locks or passwords where there's no coercion risk so the original reasoning behind the amendment would not apply.
My white collar example was thinking about banks, anti-trust and other such things where the suspect is the organisation as a whole.
The self-incrimination clause in the U.S. Constitution is rooted more in preventing the government from using coercion than it is in concern over the veracity of any testimony obtained through that coercion (of course torturing people into confessing crimes they did not commit is a major historical motivation for the provision, but mechanistically, it is not concerned with truth).
When it comes to a locked safe, the U.S. Supreme court still muses about whether revealing the combination to a lock is testimonial. For instance:
The law is still developing here, but personally, I'd prefer that it develop in a way consistent with long standing principles.
The approach the police want is to be capable of spying on everyone, then making a mockery of the justice system by constructing a plausible case based on illegally gathered evidence.
I think that the NSA has a national security responsibility that may justify the extraordinary power that they are invested with. The problem is that their close collaboration with law enforcement is causing their "ends justify the means" culture to leak into law enforcement. How can we expect law enforcement to enforce the law if we're ingraining contempt for the law into their operating process?
> the cops can't force you to decrypt an encrypted device because of your 5th Amendment rights
I don't believe this is quite correct.
AIUI, they cannot demand that you hand over the password as such, because that is tangential to the case - it's a third piece of information that has no bearing. But they can sit you down and tell you that you must unlock it for them - enter the password yourself - under penalty of the law.
> but basically the cops can't force you to decrypt an encrypted device
While true in the US, this isn't the case in all jurisdictions. For example refusing to decrypt or supply keys in the UK can land you up to two years in jail.
That is exactly how you conduct an investigation. You gather evidence establishing cause to search, get a warrant to conduct the search and get your evidence.
When the police seize your property, you're going to be compelled to provide access, or you'll be held in contempt until you do.
It does make it harder for a traffic stop to turn into a fishing expedition, but that's the point of the 4th amendment.
Warrants have never been a guarantee of producing evidence. If a prosecution relies on information alone, and that information is impossible to obtain, maybe it's not a good candidate for prosecution.
If as a company, you aren't managing your devices, (trivial to do at low cost via MDM) there is no difference between encrypted/unencrypted -- you're reliant on the custodian of the phone to do the right thing when turning over the device.
Baker wants the US to have the same access to data that Saudi Arabian or Indian law requires, except in those countries there is actual law requiring this. NSA/et al prefers "gentleman's agreements" backed by some broadly defined law that is impossible to contest in open court.
> If as a company, you aren't managing your devices [...] you're reliant on the custodian of the phone to do the right thing when turning over the device.
Precisely - and companies aren't going to want to purchase phones that they can't manage. Of course, this might be a moot point; I've never seen a company-issued iPhone before, so maybe Apple doesn't even want to be in that market (I might just be hanging around the wrong people, though).
> NSA/et al prefers [...]
While encrypting data while it's transiting the internet might have an effect on the NSA, encrypting data stored locally (like with the iPhone encryption debacle) won't affect them at all. When was the last time the NSA had your phone in its possession? It will affect criminal investigations. I think Apple would have stirred up a lot less controversy if they had marketed their encryption as protecting the data on your lost phone from criminals instead of marketing it as protecting it from the cops.
The US tech industry as a whole has shot itself in the foot by being suspected of complicity with US spy agencies in providing back doors and overt assistance. Any government or enterprise that values autonomy relative to US policies would avoid US tech products.
Not to mention the news that Blackberry started giving Indian and Saudi Arabian governments access to their encrypted data actually hurt Blackberry's image in enterprise.
Also some countries are banning US tech companies now not because they encrypt stuff but because they give access to the US government to their citizens' data (including officials). Maybe it's true maybe it's not, but they have the right to question it and protect against it. If companies had end-to-end encryption and even they couldn't look at the data, I have a feeling those officials would trust them a little more.
I also find it hilarious that Baker is straight out suggesting "we should be more like China" when it comes to surveillance. How is he not being laughed out of the building?
Hm, maybe Apple can do that, but for Google not looking at the data is not an option, it's the core business. For Facebook too. However maybe, just maybe, they can come up with a way to share with governments only a small fraction, protecting their customers/users. I don't see how, but their engineers are smart, they could figure out something that works.
It's not just NSA or the US here. These corporations are multinational, operating in many different countries. Once the NSA has officially stepped foot in Google's data so will the EU, Japan, China, etc.
Subscription services are almost always more profitable than ad supported services. If encrypted gmail and hangouts were priced like the storage I buy from Google, I'd be a paying customer.
I personally prefer it as well, but I imagine that statement is hard to back up (although I wish it were true). Did you mean specifically profitable or income related?
IIRC Blackberry gave PIN-based/consumer/BIS messaging keys to those governments, and had key escrow for BES deployed in country, but when I took a US-BES Blackberry into UAE, India, KSA, etc., I still had end to end protection.
Blackberry did always support "decrypt at the BES" which meant essentially corporate key escrow. It did mean the system owner (company) had full control of everything, but it meant governments/carriers/etc. didn't.
It's a great security model for businesses. For consumers, allowing "3 of 5 trusted friends" to do key recovery for you, with a 7 day delay, might also be a good model.
I actually have no problem with key recovery/key repository type systems (reluctant to say "key escrow" when it's not mandatory) -- as long as the users are explicitly informed and given a choice. For 99% of users, some kind of key recovery usually is the right choice.
Blackberry is suddenly the poster child for encryption? I thought Blackberry is this service where all your mail and communication is routed in cleartext through their services, a workaround from the days of 1G that they simply never got around to getting rid of before smartphones flattened their business.
That is not encryption, if anything it is the direct opposite.
> I thought Blackberry is this service where all your mail and communication is routed in cleartext through their services
That's how consumer BlackBerry worked (while other consumer services at the time had no encryption whatsoever) but the enterprise version was as secure as they could make it.
Also, their encryption had the key feature that it could be easily run on low powered devices. It was a big deal to run AES on a phone 10+ years ago, but apparently (I don't have a source) the elliptic curve crypto was more efficient.
>Blackberry fell behind, failing to deliver the diversity of apps that iOS and Android did. Sales of devices fell and hence they've had to lay off 1000s.
BB had a string of embarrassing system outages that also didn't help.
"The crypto wars have about as much to do with the outcome of security as the Soviet-Finnish war of 1939 had to do with the outcome of WW2."
I've seen it argued that the Soviet-Finnish war (AKA the "Winter War") actually had quite a large impact on the outcome of WW2:
- The difficulties the Soviets had in fighting the Finns made them re-organize their command structure of the Red Army, re-instating traditional rank structures and reducing the role of political officers
- It led Hitler to believe that the Soviets would be easy to defeat, underestimating both the size and quality of Soviet forces
So you could argue that if the Soviet-Finnish war hadn't happened then Hitler might not have been quite so keen to invade the Soviet Union when he did and might have encountered a more poorly organized Red Army when he did.
NB The Finns put up an incredible defence of their country against apparently overwhelming attacks, including Simo Häyhä who as a sniper had 505 combat kills.
Perhaps we should be concluding that a small, skilled and highly motivated defence can blunt the attack of even the most powerful of enemies?
I've known Stewart Baker, the ex-NSA GC quoted in the linked article, for about 15 years--not incredibly well, but well enough that he'd show up at parties I held in my home when I was living in D.C. before moving to the SF bay area.
Stewart is extremely smart, should not be underestimated, and HN comments in this thread calling him "incompetent" reflect badly on the person making the comment. He's likely the single most capable adversary the HN/EFF/ACLU/Cato/Mozilla/etc. axis faces over encryption (if he ends up playing that role).
Stewart is correct that end-to-end crypto will "restrict [companies'] ability to sell" products internationally. And he is narrowly correct that "the market for absolute encryption is more limited than you might think" in a corporate environment. https://www.youtube.com/watch?v=ak4ZwLU3aX0 [8:45]
But these are merely clever rhetorical devices. Of course Apple/Google/FB/etc. know that HTTPS will vex snoophappy governments; at this point I suspect their CEOs may view that as a welcome side effect and in any case know their business better than a DC attorney does. And of course banks and brokerage firms don't want end-to-end encryption for their employees; they likely have FINRA and other legal obligations to preserve correspondence.
Okay, Russia and China are snoophappy and banks may want access to employees' email. Now can we go back to talking about the NSA's bulk surveillance of law-abiding Americans?
Stewart's comments at 12:56 about Silicon Valley companies "picking fights" with the NSA are also misleading. In reality, the NSA was "picking fights" by bulk-tapping Google's inter-data-center links, subverting encryption standards, and (in the 1990s) defending export controls that weakened American companies' ability to compete. I posted more about this here:
https://twitter.com/declanm/status/529804398457651201
https://twitter.com/declanm/status/529798596221095937
Today these companies -- and hopefully the startup founders here on HN -- are merely protecting their users by adopting encryption. At http://recent.io/, which I founded after leaving CNET/CBS earlier this year, our forthcoming Android and iOS apps use only HTTPS to connect to the backend. Naturally.
TLDR: You underestimate Stewart Baker at your peril.
> Stewart is extremely smart, should not be underestimated, and HN comments in this thread calling him "incompetent" reflect badly on the person making the comment.
Incompetent may be the wrong word. What people (including you) are getting at is that his arguments are unpersuasive upon examination. It's all just fear mongering.
There are two plausible explanations for this. The first is that he doesn't see the holes in his own arguments; that would substantiate the charge of incompetence. The second is that he does but makes the arguments anyway in order to mislead others who don't. That appears to be the case you're making. But I'm not sure scoundrel is a lesser charge than idiot.
Welcome to the delightful world of Washington, D.C. realpolitik!
A third possibility is that he honestly believes his position is the correct one--or is holding out the possibility of returning to a .gov/.mil job in this or a future administration--and (a) is using the best arguments for his case, however weak or (b) is on a conference panel, not in a courtroom, and is aiming for entertaining one-liners rather than a point-by-point argument that you'd find in a legal brief or congressional testimony.
I didn't find his comments especially entertaining, and I don't think my sense of humour is faulty, so let's rule out the court jester theory.
That leaves "using the best arguments for the case he truly believes in, however weak". This I think would correctly fall under the umbrella of incompetence. At some point, rational people are supposed to evaluate their own arguments and change their beliefs if they can't sustain them anymore.
In this case he has strongly implied that "tech people" with a libertarian bent are naive and their beliefs crumble the moment they're faced with the real world. Insulting the people you need help from isn't a good start. But regardless, I don't know of any tech companies that have real problems complying with a robust, trustworthy process that includes many checks and balances to ensure only people widely agreed to be criminals get investigated. The whole problem has started because that system has broken down over time and post-Snowden been revealed as nothing more than a political sleight of hand.
It can't be called incompetence if he makes the arguments he has been paid (and likely will again be paid) to make. The world is full of highly competent people who do exactly that, many of them lawyers. They're not called 'advocates' for nothing.
But this begs the question why otherwise self-respecting panels so often give a soapbox to propagandists. Perhaps instead of using the mindless daily news formula of pitting two self-interested views against each other to see who has better soundbites we should try to put rational, thoughtful people on the stage.
That's not a third possibility, but rather saying it might be the first ( = he honestly believes this) or the second ( = he doesn't, but either pretends he does for personal gain or is just stringing words together because hey, it's not like it matters).
"Welcome to the delightful world of Washington, D.C. realpolitik!"
I don't understand how the people who play these games can motivate themselves to get up in the morning.
Forget morality. I'm just talking about a sense that you're doing something worth doing at all.
I just couldn't do it. No matter how hard I tried, eventually the realization that what I was doing was meaningless backbiting bullshit would sink in and I'd blow my brains out.
Maybe it's the "secret to success in New York" joke. The joke goes that the secret is to be smart enough to play the game but not smart enough to figure the game out. My guess would be that applies to DC far more than NY.
>I don't understand how the people who play these games can motivate themselves to get up in the morning.
That's one reason I decamped to the SF bay area. I have friends still living in DC (or one of its inner 'burbs) who have been saying for over a decade that they want to escape the games and backbiting bullshit, but have never managed to do so. One reason is the compensation can be high: the DC area is home to the highest-income county in the nation[1]. Stewart is a senior partner at Steptoe, where the average partner income is approx. $1M[2]; as a very senior one he might be taking home $2M a year.
Plus housing prices are cheaper than SF or the peninsula, and if you're trained as a political fixer/policy wonk, where else do you go?
On a more HN-relevant point, working in DC means trying to get a bigger slice of a fixed pie. Silicon Valley companies and other startups around the world can make the pie bigger. For more realpolitik, check out this provocative essay on DC-Silicon Valley by San Jose-based Cypress Semiconductor cofounder/CEO TJ Rodgers (it's worth a read even if you disagree, I think): http://www.cypress.com/?rID=34975
I agree with at least some of what TJ Rodgers has to say, though it's a tad too Randian for my taste.
Using cigarette taxes as an example highlights an intrinsic problem with libertarianism: sometimes government is our only defense against "softer" forms of power. Cigarettes are chemically addictive, so selling them means essentially using mind control to generate repeat customers.
Some libertarians want to be free to create value, but others want to be free to con people. Typical Randians like TJ Rodgers don't see the difference, or they grossly overestimate the ability of free human beings to defend themselves against determined and clever con artistry. Much con artistry, such as financial swindling, is very sophisticated when compared with something as ham-fisted as addictive drug pushing. If humans were good enough to resist that kind of thing, there'd be no jobs for stage magicians. Everyone would spot their tricks.
If I were in government and were doing government's proper job, I'd feel good about my work. My feeling though is that quite a bit of government and its related business orbit isn't doing anything like that.
As I understand it, in America the legal system is designed to be 'adversarial' - meaning the lawyers for both sides are supposed to raise every issue, advance every argument, and ask every question, however distasteful, which they think will help their client's case.
In other words, you aren't supposed to present both sides of the argument, you're supposed to present your side alone. It's up to your adversary to find the faults in your arguments - if there are any.
Stewart Baker, being a former lawyer, might simply be arguing in this tradition.
The role of the defense is much as you describe; to advance every conceivable argument, etc. The role of the prosecutor is intended to be a seeker of truth, however, which doesn't always mean aggressively seeking conviction.
In practice, however, your description is accurate; it's a rare prosecutor that doesn't pull out all the stops in an effort to convict, regardless of the evidence.
> Stewart Baker, being a former lawyer, might simply be arguing in this tradition.
Congress and the court of public opinion have no judges to sanction "lawyers" for misbehaving. The sanctions [are supposed to] come in the form of loss of credibility and people not listening to you anymore. The argument that everyone shouldn't stop listening to him because he's just arguing like a lawyer would literally break the entire political process -- which appears to be what has happened, and it needs to stop.
NSA old boy Stewart Baker is a fascinating character. Here's what he said at the Economic Warfare Institute at American Center for Democracy in 2012 (before Snowden leaks):
"We will map your social graph, compromise every computer and smartphone in your country"
He is a long-time proponent of export controls for cryptography and government mandated escrow-keys. In 1994, he wrote an article for Wired Magazine titled:
"Don't Worry Be Happy: Why Clipper Is Good For You". This guy is a cryptowars veteran.
So, in a sense--you're right, he's not incompetent. Rather, he is a professional ideologue: making the case against privacy rights that crypto-tech enables. If you have experience with KGB "agitprop" and "active measures", you'll be very familiar with the techniques that these sort of people employ for their cause. We should promptly react to his demagoguery by showing it for what it is--sophistry.
"Stewart is extremely smart, should not be underestimated, and HN comments in this thread calling him "incompetent" reflect badly on the person making the comment. He's likely the single most capable adversary the HN/EFF/ACLU/Cato/Mozilla/etc. axis faces over encryption (if he ends up playing that role)."
That someone is smart does not mean that whatever he says is true.
In fact some of the smartest people on earth use their intelligence to fool and mislead other people.
It is not very smart of this man when he talks about Blackberry: "look where Blackberry is today". Blackberry in fact did help governments with their encryption keys.
In particular, people that worked for the NSA need to develop a habit of lying to everyone as a morning routine.
We know that while the CIA and the NSA were crying loud about how encryption was making them "blind", they were in fact spying on more Americans and non Americans than ever.
How do you feel about the assertion that the NSA et al were getting something for free, and all this hubbub about privacy and encryption is simply a smokescreen -- the Googles of the world want their pound of flesh?
They see a new and robust revenue stream where the product was being shoplifted, and they're correcting that business oversight. They will give the government what they want, but at a cost.
Be it in a dollar amount, backroom hand-greasing, political football, or otherwise -- the government will pay that cost.
Increasing the costs of an undesirable activity effectively lowers the incidence of that activity. It's probably easier than trying to prevent it unilaterally, too.
I assume that Mr. Baker is a competent attorney, well-versed in the subject.
But the rhetorical device he used, attempting to pin the demise of Blackberry on their choice to encrypt, is found wanting.
Blackberry was defeated by market forces, not a willingness to encrypt user data. The iPhone and Android changed the firmament in the market where Blackberry had been dominant.
His attempt at using this aside, his use of "law enforcement needs access" is also found wanting because the NSA, GCHQ, etc are not law-enforcement.
Why does going to your parties make someone not incompetent? In any case his competence is moot, the man is a demagogue and as such should be avoided and ignored.
"Why does going to your parties make someone not incompetent?"
I read this as Declan saying that he and Baker were sufficiently acquainted for him to form a judgement of Baker's competence, with "he'd show up at parties I held" being to clarify the degree of their acquaintance. He's not claiming that the two things are causally connected.
And ignoring demagogues is not necessarily a good idea.
It's surreal reading what Baker is saying. Companies aren't generally afraid of their employees, and any competent IT department can manage BYOD. The reality is that privacy and security have become an extremely important differentiator, and I'm glad to see Apple and Google both capitalizing on it.
This was by far the scariest part;
> "But I’ve worked with these companies and as soon as they get a law enforcement request no matter how liberal or enlightened they think they are, sooner to later they find some crime that is so loathsome they will do anything to find that person and identify them so they can be punished."
Seriously? Yes, just advertise your complete contempt for following due process, because, you know, it's easier to catch crooks that way. Thank you for proving within the article exactly why end-to-end cryptography is needed, so that we don't have to trust people like this to actually follow the law.
This is a fairly evolved astroturf argument which will likely be enjoyed by all powerful interests (government and private).
The battle is between powerful interests and the masses. The powerful interests gain a lot by controlling information and dissent. Surveillance is a useful tool to help achieve that.
I think his argument makes sense (just speaking with regards to encryption - they brought up a couple of things in the discussion), but you have to keep in mind that he's arguing from a completely different perspective than most of the folks posting to HN. Whereas it's usually in the best interest for a private citizen to have all of the data on his/her device encrypted and only decryptable by him/her, it's not the same case for corporate or government data, which is a huge portion of the market.
Baker is arguing from the point of view that a large organization needs to be able to monitor what its employees are doing because they're legally responsible for anything that those employees may do. Imagine having to secure a network where you couldn't look at the logs due to privacy concerns; or figuring out which disgruntled employee is siphoning data off to a competitor; or responding to warrant/subpoena when one of your employees is suspected of committing a crime. You're not in a very good position if the only one who can decrypt the data is the end user.
Not to mention that there are also situations, particularly in government, where it's in the best interest of the public to be able to investigate a government official for wrongdoing. If their IT department can't get to their e-mails when the Inspector General comes knocking, what's to stop that official from just saying "Whoops, I forgot my password." ?
I'm sorry if I wasn't clear. I wasn't meaning to limit my argument to data in transit - I was also including data at rest.
To answer your question though, end-to-end encryption of data in transit will obviously interfere with an employer's ability to log transactions.
I think Mr. Baker's arguments were more directed at the recent ubiquitous iPhone encryption controversy (in fact, after doing a quick search, he made almost the exact same argument in the NY Times directed explicitly towards Apple[1], although I think his wording could be toned down slightly). Since the decryption mechanism on the iPhone is tied to a chip inside it, it limits a company's ability to hand you a corporate iPhone and still be able to monitor what you're doing with it, hand it over to the cops, etc.
Baker makes the further argument that while Apple can encrypt everyone's data to the chagrin of the FBI and the federal government is unlikely to enact any laws preventing it or hindering sales, Apple will have a much harder time doing the same in certain foreign markets. A country like China will likely have much more political will to push Apple out of the market if their cops can't decrypt people's phones. Maybe that will ultimately be a good thing, but by trying to send a message to the US government they might be opening up a much larger can of worms overseas.
I think I misunderstood your initial question - the point I (well, really, Stewart Baker) was trying to make was that selling devices which are automatically encrypted with keys that can't be escrowed by the owning company (like the new iPhones) isn't going to be very welcome in a corporate environment.
> end to end Enron
I think you meant "end to end encryption". I'm guessing you're typing that on iPhone :)
That was Android's auto-incorrect. Evidently Google doesn't think I need end to end encryption either!
I understand your point, but key escrow and most corporate use cases don't overlap. You are better off not managing user keys, with or without key escrow, and, instead, securing your links back to your infrastructure with a VPN and encrypting your storage to secure data at rest. Key escrow gives you no more protection, or access. It's just more complicated.
Key escrow, therefore, is only useful for spying on individuals' interpersonal communication, and Baker knows this very well.
Just from the timbre of the comments, I had guessed this was Stewart Baker. The man does not, IMHO, deserve to be viewed as an expert on anything other than playing political games.
I'm not sure how he got to where he was, but I'm pretty sure it had nothing to do with competence (and that's something I'll rarely say).
If you want to form an opinion, he posts quite often on volokh.com as a blogger.
This and the FBI's crypto wars redux both appear to be designed to divert attention and resources away from understanding and addressing surveillance-related abuses using the classic and surprisingly effective strategy:
The emergence of the NSA as America's secret police did not happen as an aberration but within the phenomenon of shrinking rights that I've noticed since my political awareness began in 1980 or so.
Since then, I have not seen any expansion of rights for anyone, except maybe for those living in the former Warsaw Pact and non-humans (e.g. pets) in the US.
I have however seen a relaxation of controls for groups such as law enforcement.
It may have started with the belief that "criminals have more rights than victims" that found expression in movies such as Sudden Impact. Such sympathetic arguments missed the point that the power of the state doesn't target victims.
Regardless of origin, law enforcement lobbied for - and usually got - exception after exception to the bill of rights until we reached the point where an actual trial hardly matters.
While the rights of suspects and law-abiding people shrank, the scope of the term "national security" grew, fueled by another belief - that the survival of the state mattered more than its intended purpose - the protection of the lives and liberties of its inhabitants.
Does all the protesting by security agencies actually mean much, in terms of a signal?
1) If these measures are effective and stop them doing what they perceive to be their job, they'd have to protest.
2) If they had access to the information by other means, they'd have to protest anyway, otherwise you'd be able to conclude we're in situation 1.
My guess is it's a bit of both, and they're mostly just losing their ability to mass surveil against low priority targets (e.g. populations), since cracking the encryption for absolutely all connections would be too much work.
The internet moves much faster than government and so the government can't control it. Information moves like water. Everybody is exposed for who they are and nobody can fake it. The whole world is in a big room and everybody can hear each other. Wars will no longer be violent and fought with weapons, they will be fought with software hacks.
I do wonder if Matthew Prince's faith may be a little bit misplaced here. I presume it was meant as a figure of speech, but mathematics is not an area where faith is especially dependable.