It's @enigmaconf time! I'm going to try to livetweet parts of this conference, but: a) video will be freely available and b) my wrists are tired from acroyoga.

First up! A panel about encrypted messaging with @Riana_Crypto, @mattblaze, @djweitzner moderated by @joncallas

@enigmaconf @Riana_Crypto @mattblaze @djweitzner @joncallas @Riana_Crypto is up first with an overview of crypto law in the US: Strong Encryption is Legal in the US (for now)

That wasn't always the case! Encryption was regulated like a munition, like a bomb. You could only export crypto which was like the decoder ring in a cracker jack box

CALEA statue mandates wiretappability for phone networks, because law enforcement was worried about "going dark" even with phone networks.

Important limits: gov't cannot dictate how to comply, just have to meet the goal.

Compromises in CALEA: carveout for information services (e.g. email, chat), even entities which are covered can encrypt and throw away the key (they do not need to decrypt unless they can)

So it doesn't require building backdoors.

These days, end to end cryptography is used by so many people (e.g. WhatsApp, iMessage)

Law enforcement have been chipping away at those carveouts ever since CALEA was passed, e.g. VoIP is a "communication service" now.

Law enforcement has a long record of not respecting compromises -- so be suspicious about leaning on those.

What about encrypted devices? No direct statutory authority. Up to 2015 DoJ used search warrants + All Writs Act. But there's a judicial opinion that said All Writs doesn't trump CALEA carveouts

(Brooklyn Apple v FBI 2016 case)

In San Bernadino, FBI tried to compel Apple to write new software using All Writs, but was dropped before ruling

Chat apps are information services. There's a Facebook Messenger case we only know through leaks where gov't (allegedly) tried to force Facebook to change Mess. enc

... but we don't know the reasoning or anything. We can infer that the government was ruled against because FB has been moving forward with more E2E encrypted services.

So if this is the state of the law, Congress could change the law e..g. EARN IT act of 2019 which would incentivize providers to change their encryption design "voluntarily" in order to avoid losing Section 230 immunity when it comes to CSAM 😱

Clever way to indirectly impose *huge* costs on providers for offering E2E without actually banning it or amending CALEA

Next up: @mattblaze

Veteran of two crypto wars. We didn't know we'd need to number them in the first one!

In #1 in the 1990s, the advocates of crypto&security were visionaries and had to have faith that the internet and its security was going to be important any day now.

@mattblaze Encryption was a pretty specialized thing when it was used, mostly military/gov't communication and some in industry with a 56-bit key. It was regulated as a munition under the arms control laws.

Perfectly legal in the US, but if wanted export a product would need a license like for weapons and they wouldn't give you the license if the crypto worked. (only <=40 bit keys, which you could brute-force search)

Need to change the law to allow interoperable standards. Gov't came up with what sounds like a beautiful solution, called the Clipper Chip (escrowed encryption standard). Vendors of products which used crypto could use this chip. 80-bit keys but the government had all the keys.

Crypto war 2 started at the end of crypto war 1, when the Clipper Chip failed. Shortly thereafter, FBI became the only organization complaining that computer security was too good. Advocated for some kind of mandate for key escrow.

In crypto war 1, the security people were asking for a change. In crypto war 2, we're fighting for the status quo, which puts us in a position of strength (which could change).

Why is the status quo the only tenable approach?

Everyone here probably believes that computer security is important and *not* too good. It's a mess and crypto is one of the few tools that works. Taking away/making more complicated & expensive would be a disaster

Any kind of key-escrow is going to be designed from the position of ignorance of the future of communication.

In 1992/3 when Clipper was designed/released, here's what was thought were good engineering tradeoffs:
* $20 was a reasonable price for a chip to use crypto -- so no software crypto!
* the killer app was voice communication on landline phones. Mobile phones were clunky and $$$

* <something about email, lost to Twitter fail, sorry>
* FAX machines were really important

All of these underlying assumptions proved to be laughably false. What are our wrong engineering assumptions now?

@mattblaze: The bad assumptions we would make now would totally hobble the future of computers.

@Riana_Crypto: this is the most Gen X thing ever: in the 90s you fought against the man and now you want to maintain the status quo.

@mattblaze @Riana_Crypto @djweitzner I get to be the conservative compared to @mattblaze here. We won crypto war 1, but the policy world has come to accept that there's real risk to messing with security (driven from the US), there's a bunch of other things happening outside of the US.

2010: India demands Blackberry provide exceptional accesss

2016: UK Investigative Powers Act "Snooper's Charter"

2018: Australia - Assistance and Access Bill

2020: India proposed filtering and decryption reqs on internet platforms

So in the US we think we've won, but the rest of the world is going in different directions.

In the UK can issue "Technical Capacity Notices" (demand to redesign to decrypt). But must be "technically reasonable" according to an advisory board. Evaluations and reqs are secret.

... so we don't know whether these UK notices have been exercises. Some orgs have canaries (they promise to take down a notice if given demands)

In Australia, the gov't can come to individual people with secret "Technical Capacity Notices". Law says that you can't introduce "systemic vulnerabilities" ... but HOW WOULD YOU KNOW?

Also the Australian law could run right into important security innovations like certificate transparency, binary transparency, key transparency, etc.

No transparent process.

These decisions reflect a decision by legislators to try to deal with a hard technical problem by punting it to a process. But they've made a secret process.

This shift in the debate is going to be permanent. It's a good solution (for the legislators).

What does the 'expert' debate look like?
* Susan Landau and Denis McDonough suggested looking harder at device encryption
* Carnegie Encryption Working Group suggests testing

Questions we don't know how to answer/

Tech:
* what is the right measure of "technical feasibility"?
* how do we know when a vulnerability is "systemic"? How can we assess the relative security costs?
* can security vulns be detected and evaluated in secret?

Policy:
* how do we assess the relative risks of exceptional access systems which could open up new vulns vs limiting law enforce. access?
* do all of these "assistance" requests have to be secret?
* what is the effect of secrecy on user trust and technical security properties?

@joncallas is up next: People Problems in an E2EE World

When I joined the ACLU they asked what I wanted to work on and I said "please not encryption backdoors"... and the world has found me.

@joncallas To start:
* it is a basic human right for two people to talk confidentially no matter where they are
* public posts are public. Integrity is important, availability is the whole point
* there's a huge grey area between private and public
* knowing the difference can be hard

@joncallas There is an underlying issue:
* today's crypto wars are driven by a need to solve real problems
* I'm going to lump them together as "abuse": child abuse, intimate partner abuse, elder abuse, misinformation, disinformation, attacks on accepted norms, validity of governance

They are the pretext for the crypto war and worth solving. There won't be a silver bullet.

@joncallas points out that: a) he's against CSAI and other forms of abuse and b) it's dumb that he needs to point this out

@joncallas CRYPTOGRAPHERS DON'T ROLL YOUR OWN UX

New considerations and work:
* new design principles: privacy and security by design; tools for the platforms, people themselves, caregivers; considerations for meta-abuse (abuse of the anti-abuse system)

@joncallas *rethinking how we do things: the internet was built because people were awful one way, but not people are awful in different ways: enable and constrain people

Mitigations:
* how to handle unsolicited contact?
* easier reporting/blocking
* voluntary ML advice on content; fact-checkers
* data provenance, limitations on forwards, group size
* social graph analytics, better profile handling

* rethinking UX friction, engagement, etc
* context-dependent behaviour based on personal status
* build on Screen Time etc. for analytics for caregivers

Question time!
Q: can you explain what you did with the Clipper Chip, @mattblaze?

A: found a simple vuln which allowed circumvention of key escrow part. Could prob. have fixed design flaw, but demonstrated crypto protocol design is really hard -- might have had other vulns!

There are fundamental problems with key escrow:
1. DB of keys. Really, really have to protect that and it's very, very hard.
2. Expensive as a design constraint, which made it much less expensive not to bother with encryption at all.

@djweitzner now they just say "you go figure this out" and claim "this should be solvable"

[ this is known as the "nerd harder" argument ]

@djweitzner @mattblaze has a failure mode of the backdoor being really crappy: it's only measured by whether it can serve law enforcement, not whether it actually keeps others out, like keys are 0, all the keys are in an Excel spreadsheet they send out. But that's successful to the gov't

@Riana_Crypto industry says they're geniuses when raising money, but now it's hard for legislators to believe that it's hard to believe you can't just "nerd harder"

@Riana_Crypto @joncallas has an evaluation of these proposals online, upshot is that you can work around all of this

@Riana_Crypto @joncallas @n2vi thanks people for working on this: I think of content encryption in the systems I build as fait acompli, but the metadata is still available. If they piss off the software designers sufficiently, then the metadata might start getting hidden..........

@mattblaze we're in this golden age of metadata and, unlike the content, doesn't lie about what you're doing. and protecting metadata is *hard* and expensive (e.g. Tor >= 3x times as expensive and only works for limited applications). We can't effectively do much about it.

@mattblaze But Law Enforcement has not been very satisfied with the metadata, want the content, too.

@Riana_Crypto interesting tension in the policy debate: safety valves in the conversation, where there isn't full protection e.g. Apple backups

@mattblaze @Riana_Crypto @joncallas There are technical issues to solve: we don't know how to pass digital objects down to one's heirs. Someone gets murdered and law enforcement can't open up the phone to help solve.

There are places we can nerd harder, but law enforcement has a specific problem to solve and it's not really "get rid of encryption without getting rid of encryption"

shout out to @ohemorange for insight that encryption is semantic not syntactic

@benadida makes everyone stop