On 10/09/2015 00:42, Majken Connor wrote:
On Wed, Sep 9, 2015 at 2:36 PM, R Kent James <[email protected]> wrote:

On 9/9/2015 9:23 AM, Mike Hoye wrote:

"Any requirement that systems be designed or modified to enable
third-party access to encrypted data undermines user security. The goal
of computer security is to protect users' data from any access that user
has not authorized; any mechanism that allows the state to circumvent
the users' wishes can be co-opted and abused by other states or
non-state actors to do the same. The same is true of surveillance and
monitoring tools; it is impossible in practice to tell a lawful actor
with "backdoor" access from an unlawful one. Without the transparency
and accountability of open source software and open systems designed to
secure user data rather than facilitate third-party access, those
systems that states use are increasingly vulnerable to foreign and
non-state compromise."


There is an implicit assumption in the way this is worded that "MY
government is assumed to be benign, but YOUR government may be dangerous."


I don't read it that way, could you be more specific on what parts give you
this impression? I'd like to see if I can see it once you point it out. I
am reading with the context that I know Western governments are actively
trying to subvert encryption and create back doors.

I see two instances:

any mechanism that allows the state to circumvent the users' wishes
can be co-opted and abused by other states or non-state actors to do
the same.

which can be read to imply "the state" has a legitimate right to circumvent the users' wishes, and "other states" do not, i.e. one is "benign" and the other "dangerous".

I agree that there is little point in making this distinction unless we are actively marketing towards governments who want us to assume their goodwill/benevolence, which I don't think this paragraph needs to do. We could avoid the reading I tried to explain by stating something like "even if one assumes the need for and legitimacy of a mechanism to circumvent the users' wishes for use by a 'blessed' actor, such a mechanism can be co-opted and abused by other actors to do the same."

The other instance is:

those systems that states use are increasingly vulnerable to foreign
and non-state compromise.

Where I think there's a simple solution of just omitting "foreign and non-state", and perhaps "that states use" as well.


Reading both the original and mhoye's version, both have the issue R Kent noted. However, mhoye's version seems (to me) to be making a stronger claim than the original in that it implies it is technically *impossible* to make a 'backdoor' that can only be used by the "right" actor, rather than a more vague slippery-slope-type formulation in the original (that once we start with making these backdoors, we'll have to make more of them, and that road isn't one we want to be walking).

I agree with the stronger point mhoye makes, but it's a more contentious one (rightly or wrongly) and we should be conscious of, and willing to make, that argument, if we incorporate it in the text.

~ Gijs


_______________________________________________
governance mailing list
[email protected]
https://lists.mozilla.org/listinfo/governance
