Microsoft Probably Has Your Encryption Key

Interesting although not unexpected.

Unacceptable, but hardly surprising, I'd say.

I had a whole long post halfway written, including a good-natured jest or two at people's handles here, but I realized I was being needlessly wordy.

If we could set a principled organization like the EFF up to be untouchable-by-gov't as a key escrow agent, that would evaluate warrants and act according to the law (the real, Constitutional law, not the recent bullshit) -- I would give them my key.

The US gov't? No. Microsoft? Hell to the no!

P.S.: This really is just another reason to build your own!

How about people just be responsible for their own encryption keys? I'm an avid Linux user.

Though a nice idea, in the current state of society and current laws, there is absolutely (cannot stress this enough) no way that any such organisation could exist, and if it did they would be lying to you. Regardless of their intentions, no such system can exist unless you yourself are in absolute control over your own keys.

Sorry :(

How about there are still situations where government -should- be able to get your key? What if they have legitimate evidence you're planning a bombing, but they don't know the details? I don't know about you, but I'm not an anarchist.

I totally disagree. I think such an organization is quite feasible, and if sufficiently open about their practices and actions, we don't have to worry about whether they are lying. I think that there are some very unconstitutional laws that on the surface would make this unfeasible (PATRIOT Act, warrantless wiretaps, etc, etc) -- but the important word there is "unconstitutional." Considering them to be an actual, permanent part of the legal system is to consider the Constitution irrelevant.

At which point any sane citizen would take up arms to overthrow the government-cum-tyranny (or leave, depending on personality/character/situation), as the founding fathers would have intended. And don't pull up the armed services argument -- I believe they are made up of the aforementioned sane citizens.

But to address the latter half of your statement -- absolutely not. You advocate anarchy. There must be a method to, within reason and law, decrypt an individual's communications. To take your argument to its logical conclusion, one would also advocate for an absolute right for a criminal to deny a warrant to look into his documents, no matter what reason the police had. We have to balance a reasonable society's needs with an individual's basic rights.

There are people in this society who will murder, rape, plant bombs, commit tax fraud, and steal horses and/or cars. For the benefit of everyone, we empower the government to investigate those who appear from a logical/scientific standpoint to be committing or planning to commit crimes. We limit that power, finding a balance where the individual's rights can be paramount, and are, save when there is real reason to act otherwise.

Is our system perfect? No, of course not. But what we are seeing today is not predestined, is not set in stone. We still have a set of founding documents that can guide us in restoring our government to what it should be, and we still have the power to do that.

When we simply accept that "the system is too broken" we betray our fellow citizens.

This, unfortunately, makes my point. It is not possible because of those very reasons: 3rd parties can be forced without your knowledge and with gag orders to hand over, circumvent or spy on the government's behalf, all perfectly legal regardless of any constitutional laws that say otherwise. You also have to remember as well that the internet isn't in the US. The same can be done by any government with sufficient power.

I'm not saying it's right, or it's the way it should be, I'm saying that no organization can exist in the current climate because they can be forced under current laws to do things they may not want to regardless of what they said they would do for you.

Have you seen the new laws being put through in the UK? They do exactly what you want. They're terrible and don't work.

I assume you are referring to my point that you should have absolute control over your own keys?

And you absolutely must. Will that make it impossible to prevent crimes? Of course not. The laws to circumvent, intercept, break, and capture encryption keys have been around for decades; immediate and complete access to your encrypted traffic isn't required to solve crime. Standard police work works.

To give you an example of why your idea doesn't work for law-abiding citizens: if your keys are stored by a 3rd party who is entrusted to take care of them and only provide them to the government when handed a legal warrant, this is what would happen.

Government hands over warrant. Almost any reason for the warrant can be given; the key holder isn't the decision maker, a judge is, and that decision has already been made. The key holder isn't required to know why; they have been compelled by the government to hand over the encryption keys and must now do so, without complaint, and without telling anyone that it happened.

The government now has your encryption keys, for everything. Not just for the specific piece of evidence they are looking at... everything.

There's no anarchy involved. If the police come to my door with a warrant for my encryption keys I would eventually have to hand them over. What's the difference then? I know full well the extent of what they are doing, as you would have normally. OK, but this stops them spying on you to gain further evidence as you're aware they have your keys, use other methods. There's nothing saying they couldn't get a warrant to run a man in the middle, bug your hardware or get the key from the recipient of your messages. The difference between the two is one allows for the mass misuse of citizens' information and the other has to be targeted.

Now let's say you're a smart criminal. The same thing happens, the government gets the keys to everything and what do they read? Encrypted text; they can't decrypt it because the criminal encrypted it with their own encryption first.

They can't do anything about it, encryption is a natural part of life. You can't ban it, or try and centrally control it. In the end the government has to go back to what they would have done in the first place: interception, surveillance, and investigative work.

p.s. long live one time pads!

Yeaaaa I'm amazed people are even surprised by this. You use someone's encryption, chances are they know it.

You don't have to hand them over. You don't have to follow laws that contravene the founding documents of the nation. The organization I propose can exist. And all because of one thing.

The government cannot force you to do anything. Ever.

Sure, you might spend some time in jail for refusing. Maybe a lot of time. But sometimes the only way to make yourself heard is outright civil disobedience.

I specified a principled organization. Organizations are just as capable of resisting injustice as we are.

I did, however, perhaps fail to make an important part of my point clear. This organization must play a role in the decision making process, and must feel empowered to simply refuse when appropriate. This is what I was getting at when I said "evaluate warrants and act according to the law." I did not mean simply "obey warrants."

Do you want this country and this world to get better, Eden? I do. If that means I have to disobey the government, a court order or what-have-you, then so be it. I would argue that that is the essence of being a "good citizen."

Of course they can't force you to do anything, you'll just go to jail, or worse. But it's your choice then.

http://www.techspot.com/news/63292-tech-companies-face-criminal-charges-if-they-notify.html?

Increasing the power of gag orders. The US already does this.

That would make it a government organization, and would in the end have to toe the line according to the law. They also already exist, it's called judges; they are the people who are supposed to interpret the law and make those decisions.

Your idea is nice but flawed. The idea only works if you do what you said in your last paragraph, and you can only do that if you have control over your own life and data. Anyone else will be compelled to do as they are told by the government. If you think any organization will jeopardise their company by refusing to cooperate with the government and not hand over your data, you're wrong.

This is correct, and to do this you need to take control, not hand over your data to a third party.

@Eden You make good points, and I enjoy the conversation. However, I remain unconvinced. I do believe there is a place for escrow agents re encryption keys / law enforcement.

Back properly on topic, though -- that agent should not be Microsoft.