Essential insights from Hacker News discussions

Civics is boring, so, let's encrypt something (2024)

The Hacker News discussion revolves around a provocative proposal for regulating strong encryption, sparking debate on its feasibility, implications for privacy, and the fundamental balance of power between governments and citizens.

The "NOBUS" Debate: Technical Feasibility and Security Risks

A significant portion of the conversation centers on the concept of "NOBUS" (Nobody But Us) access mechanisms, which would theoretically allow only authorized entities, like governments, to decrypt data.

  • Technical Possibility: Some users, like tptacek, acknowledge the theoretical possibility of building systems with NOBUS access, stating, "'NOBUS' isn't a fallacy. We can build systems that have access mechanisms that are for all intents and purposes NOBUS." He emphasizes that "computer science does allow for NOBUS-y access mechanisms."
  • Practical Compromise: However, others are highly skeptical of the practical implementation and long-term viability of such systems. AnthonyMouse argues that the problem lies not in breaking strong encryption (like 256-bit AES) but in the vulnerability of the authorization system itself. He highlights that the sheer number of individuals involved in government ("tens of thousands of judges... well over a million police and military") creates numerous points of compromise. "All it takes is one of them to be corrupt or incompetent or lazy and the bad guys get to use the skeleton keys to everything in the world."
  • The "Us" Problem: The core issue is identifying a trustworthy "us." Nemomarx questions, "What's your concept for preventing other bad actors from getting it though?" This sentiment is echoed by tialaramex, who notes that "Once you're multiparty that goes away, any other party can definitely betray you and then it's game over, your own integrity doesn't matter."
  • Global Implications: The international aspect is also a major concern. AnthonyMouse points out that if one government (e.g., the UK) mandates such a system, others (like Australia or China) will inevitably demand access. Even if Russia is excluded, the system would be a prime target. Kim_Bruning adds a cynical observation: "If 100 different governments think 'nobody but us have access', between 99 to 101 governments are wrong."
  • Real-World Examples of Compromise: The discussion includes examples of systems that failed due to breaches, reinforcing the skepticism. Kim_Bruning links to a news report about a global telecommunications hack where "The hackers were also able to access wiretapping systems used to conduct court-authorized wiretapping." ls612 also mentions "Salt Typhoon" as an event that undermines the idea of NOBUS, stating, "And then Salt Typhoon happens and suddenly it isn't NOBUS anymore and we are hosed."
  • Fragility of Technological Leads: Tialaramex recalls historical attempts at such systems, observing that "Historically NOBUS was about having a particular technological lead, that's very fragile and didn't work out long term." They suggest that if anyone has such a lead today, it's the Chinese, but "realistically nobody has such a lead."

The Proposal's Authoritarian Nature and Moral Objections

A strong undercurrent in the discussion is the condemnation of the original proposal as fundamentally authoritarian and morally reprehensible. Critics argue that it misunderstands or dismisses the balance of power and civil liberties.

  • An Embrace of Totalitarian Surveillance: Users express shock and disgust at the potential implications of the proposal. bccdee labels it "the most authoritarian proposal for the regulation of encryption that I have EVER seen." They elaborate: "no nation on Earth has legal provisions so explicitly authoritarian as to require every civilian to maintain copies of all their communication in a form that cops can access after the fact." They also criticize a specific point about jailing individuals until communication is decrypted: "Unless this is a joke that's gone over my head, this is an open embrace of totalitarian surveillance."
  • A False Choice: Several users, including mattnewton, believe the proposal presents a false dichotomy. mattnewton states, "This article frames a false choice of either designing a system that allows government access to everything you do digitally... or having the government design such a system." They argue for a third option: a state where police rely on "good old fashioned police work" instead of pervasive digital surveillance.
  • Compelled Speech and Unconstitutional Overreach: The proposal's suggestion to criminalize the use of stronger encryption than consented to is also heavily criticized. bccdee points out a specific passage that "means, if you start a conversation with me in plaintext, I'm obliged to continue exactly as I would if we were talking through encryption. This compels speech, which is both unconstitutional in most places and completely untenable in practice."
  • Moral vs. Ideological Objections: The nature of objections to "NOBUS" systems is debated. While tptacek suggests objections are often "ideological," Nasrudith counters that they are "moral," stating, "They are literally choosing to keep vulnerabilities in place for others to discover under arrogant assumptions that they will be the only ones who will know." Dragonwriter offers a nuanced perspective, suggesting "'ideological' and 'moral', as bases for objection, mean exactly the same thing."
  • Disgust and Disdain for the Proposal: The overall sentiment towards the proposal is overwhelmingly negative. OkPhysicist describes the ideas as "so basically evil that just holding them... renders the speaker forfeit of the basic 'shared humanity' level of comradery." They find the proposal "evil in a remarkably novel way" and are "disgusted in ways normally reserved for stumbling upon a group of neonazis chatting amongst themselves." hex4def6 attributes the thinking behind it to "a refined form of cynical misanthropy and tanky statism." Nasrudith expresses feeling "like throwing up after reading this crap and the gratuitous abuse of the term 'fundamental human rights' in ways that would make Orwell blush. It is utterly disgusting on a moral level."

Framing the Debate and the Role of Law Enforcement

The discussion also touches upon how the debate is framed, the current trajectory of government demands, and the capabilities of law enforcement.

  • Fighting Back vs. Conceding: JoshTriplett criticizes the framing of the proposal, stating, "The civics lesson is almost useful, except for the part where it treats the current demands as immutable rather than an adversary to be fought and defeated."
  • Encryption Strength as a Constraint on Freedom: Skygazer summarizes the author's framing: "it’s about building protocols in advance to weaken encryption for government benefit, before the government mandates it, and framing encryption strength as the length of time users are willing to rot in jail."
  • Law Enforcement Capabilities: Some users argue that strong encryption does not necessarily cripple law enforcement. Peawee suggests that "Any online service typically keeps some amount of logging. A fully encrypted online service can certainly hand over some amount of access and account information, and in my experience that's plenty enough for law enforcement to go and do the normal police detective work they're used to doing." Mattnewton points to the case of Ross Ulbricht as an example where law enforcement was ultimately successful despite encryption.
  • International Treaties and Urgency: NoahZuniga expresses skepticism about the speed and urgency of international treaty-making processes, in response to a mention of a UN cybercrime treaty.
  • Historical Precedents: FuriouslyAdrift references past ITAR regulations on encryption export, highlighting that battles over encryption strength are not new.
  • Challenges to Current Systems: Tptacek also notes that "The idea that governments worldwide will uniformly solve this through international agreements seems fallacious, because some of the largest countries in the world have sharply different legal and political standards." He concludes that "cutting off law enforcement access to data isn't a long-term stable equilibrium; something will give eventually. But I think PHK is way overshooting how strong that argument is today."