Continuing the US government's menacing of strong end-to-end encryption, Deputy Attorney General Rod Rosenstein told an audience at the US Naval Academy that encryption isn't protected by the American Constitution.
In short, software writers and other nerds: the math behind modern cryptography is trumped by the Fourth Amendment, and in any case, there has never been an absolute right to privacy.
This message came at the end of Rosenstein's wide-ranging speech on Tuesday, which repeated fixations heard in previous speeches.
In this week's speech, Rosenstein time-travelled from the American Revolutionary War to the tragic death of US student Otto Warmbier at the hands of North Korean authorities, before launching a volley into encryption.
Amid a rising backlash that's uniting some tech giants and developers, academics, and civil libertarians, Rosenstein still believes criminal investigators should be able to crack strong and so-called "warrant-proof" encrypted communications on demand without any legal headaches:
Encryption is a foundational element of data security and authentication. It is essential to the growth and flourishing of the digital economy, and we in law enforcement have no desire to undermine it.
But the advent of “warrant-proof” encryption is a serious problem. Under our Constitution, when crime is afoot, impartial judges are charged with balancing a citizen’s reasonable expectation of privacy against the interests of law enforcement. The law recognizes that legitimate law enforcement needs can outweigh personal privacy concerns.
Our society has never had a system where evidence of criminal wrongdoing was totally impervious to detection, especially when officers obtain a court-authorized warrant. But that is the world that technology companies are creating.
Those companies create jobs, design valuable products, and innovate in amazing ways. But there has never been a right to absolute privacy. Courts weigh privacy against other values, including the need to solve and prevent crimes. Under the Fourth Amendment, communications may be intercepted and locked devices may be opened if they are used to commit crimes, provided that the government demonstrates showing of probable cause.
Warrant-proof encryption defeats the constitutional balance by elevating privacy above public safety. Encrypted communications that cannot be intercepted and locked devices that cannot be opened are law-free zones that permit criminals and terrorists to operate without detection by police and without accountability by judges and juries.
Readers will surely be aware that the famed Daniel Bernstein spent nine years establishing that cryptography is free speech in the US, and therefore protected by the First Amendment, a notion that would have to be overturned for Rosenstein to get his way, we presume.
The remainder of Rosenstein's arguments will already be wearyingly familiar to followers of the debate: encryption can be and should be rendered accessible to law enforcement bearing warrants without weakening it for everyone; and allowing people to “go dark” – such as by using cryptography and anonymizing networks – just helps criminals escape justice.
Rosenstein offered a list of examples of what he called “responsible encryption” – in which messages are safeguarded from hackers and criminals yet accessible to authorized third parties – to prove his case, which we present so readers can dismember it in the comments.
“Such encryption already exists,” the Deputy AG claimed. “Examples include the central management of security keys and operating system updates; the scanning of content, like your emails, for advertising purposes; the simulcast of messages to multiple destinations at once; and key recovery when a user forgets the password to decrypt a laptop.”
Rosenstein concluded with:
There is no constitutional right to sell warrant-proof encryption. If our society chooses to let businesses sell technologies that shield evidence even from court orders, it should be a fully-informed decision.
El Reg will get the ball rolling by saying content-scanning middle-boxes are known to be insecure, so that's not a great example of "responsible" cryptography. We await your comments with enthusiasm. ®