GPS data is pretty accurate outdoors, but the second you step inside a store the trace goes completely haywire and bounces round hundreds of meters in all directions. So any warnings will end up so broad as to be useless. Even if just 0.1% of a population are infected, you’ll end up with everyone getting multiple alerts everyday. How does that improve our situation?
I live in a high rise. Every time I am in my garage, find my iPhone thinks I am in the building next door. If I am in my kids bedroom, it thinks I am across the street.
What if the person above me is in their kitchen at the same time I am in my kitchen?
Some nuance, but still a biased hit piece. Particularly ugly is when the author dismisses Glenn Greenwald's journalist status, which is beyond doubt, and designates him a mere digital-privacy activist.
The Economist have a history of publishing polarising articles, for and against, regarding Snowden. This book review is likely the work of Edward Lucas (TE's Energy Editor) who has himself written a book alleging Snowden has ties to the FSB (Russian intelligence, formerly the KGB).
I dream about a tool like this every time I need to look something up, which only happens about a hundred times every day. I NEED THIS IN MY LIFE.
But reading the kite.com/privacy doc is absolutely gutting. They copy and keep all your code, permanently. That's fine for an open-source project, but it's a deal breaker for anything else. So thanks for the brilliant idea, but I'll wait for it to be implemented in a way compatible with my everyday workflow.
They're really hitting the "nobody should be above the law" talking point hard. How fortunate for us — it sounds good but doesn't survive even casual scrutiny. Crypto might interfere with investigations, but that is very different from being above the law. There are huge numbers of cases where some perp used encryption and was still bought to justice.
The best analogy I can think of is the document shredder. As a society we accept that individuals can protect their personal privacy and safety even if this occasionally frustrates law enforcement investigations. Shedder manufacturers aren't forced to limit how good a job they do to potentially aid LE as this would do more harm than good. And, after all, if you banned shredders, criminals would still be able to just burn their incriminating papers.
Banning the shredders is not a solution, you're right. The correct thing to do would be to legally require every shredder producer to include a little scanner right above the blades. This scanner would then take a copy and wirelessly send it back to a server, where it gets stored for 3 months. If there is no internet connection, the shredder must refuse to work. Living the dream!
It stinks that the case ended like this — without setting a sensible precedent — but I think there is still some upside:
FBI director Comey's "Going Dark" narrative no longer holds water with anyone who's paying attention. He cried wolf so loud he's been heard on every continent. If and when he tries this again, he'll get a ton more blowback.
Similarly, Obama's jibes about security "absolutism" now appear ridiculous. As are his criticism of impenetrable black boxes protecting child molesters. What he really wants is for the Emmental-like extensions of our brains to have even more holes. That's an obviously un-winnable argument.
Also, the bar for proving you've tried all possible alternatives for gaining access just got a lot higher in applying the All Writs Act. It took three months plus a month of major international news stories specifically about this court case to gain entry — something that might really be impossible to achieve next time. But now everyone knows when they swore under oath many times in multiple public venues that they couldn't gain access, what they really meant was "not yet" and not "it's impossible".
Finally, Apple should now be motivated to remove themselves as the weak link in their security ecosystem. System updates shouldn't be possible without first wiping the information needed to derive the encryption key or first supplying that key. I can also dream about them open sourcing their code to allow security researchers to bug hunt (an impossible dream). And maybe they'll change their minds on bug bounties. Whatever happens, it's now beyond doubt that foreign entities are exploiting vulnerabilities in the iPhone and we all expect Apple to beef up their security accordingly — regardless of how this may hinder law enforcement.
The supposed middle ground is that you force the naval engineers to, against their will, build the submarine with just a few extra holes.
Security is only as good as the weakest link. If you can bypass actual crypto and fallback to the world's justice systems, you've made a catestrophic compromise somewhere. In such a security system any crypto is pure deception. This is untenable in 2016.
I am deeply disappointed by President Obama's remarks:
> President Obama echoed those remarks on Friday, saying technology executives who were “absolutist” on the issue were wrong.
We can't always look at two extremes and try to go the middle way. If someone said asbestos causes cancer and someone else said but it is a good insulator and I need approval to put ten feet of asbestos in the walls of the school, we don't automatically try to say "well, ok apparently it is toxic so what about five feet?" No, we'd say we can't put asbestos as it is bad.
It sounds very nice to be fair and balanced but sometimes the middle ground is not a good outcome. Not to mention seeking the middle ground in everything leaves us susceptible to Overton window. I don't know what to say other than that I am deeply disappointed.
"I am leaving it as I found it. Take over. It's yours." Ellis Wyatt
If you feel you're being compelled to act immorally, remember non-compliance — whatever the immediate consequences to yourself — is the only acceptable course of action. When we decide to spend our days building powerful tools, we enter into an implicit agreement not to let them fall into the wrong hands. If the government comes knocking, BURN IT DOWN. Make good on your debt to humanity.
> remember non-compliance — whatever the immediate consequences to yourself — is the only acceptable course of action
Seriously, can we get away from these fine-sounding (but otherwise utterly useless) slogans and clarion calls? There has to be a better response than a scorched-earth policy.
I'm a software developer based in the UK currently working on an app which will probably be affected by this bill. Apart from destroying the product and/or risking jail-time, are there any sensible options? Can I incorporate somewhere else in the EU and run everything from overseas? What if I am not a UK company but a DE company and everything happens from there?
I realise it's early days, but I'd hope HN could come up with some informed suggestions.
I think the only viable option would be to leave the UK. Not just you physically, all bank accounts and insurances too. When you have set up the company somewhere else (maybe netherlands, germany or sweden) you would have to renegotiate all contracts with all your clients, have new laywers, new accountants, etc...
I can not think of any way other than leaving, that will not compromise either your product, your customers or your integrity.
This is 'scrorched earth' if you will, without 'fine-sounding, useless slogans'. Consider this: If this crap becomes law, you certainly won't be alone when leaving. And when a critical amount of developers and entrepeneurs leave the UK permanently, the economy will suffer... greatly I think. And that, sad as it may sound, might be the only argument politicians would consider, when it comes to signing this bill.
> And that, sad as it may sound, might be the only argument politicians would consider, when it comes to signing this bill.
Sorry to be this guy, but you do realize you're talking about UK, right??
IF you have pay attention to anything that comes out of UK politicians and being actually implemented in the law, you would have a hard time believing that UK citizens' disobedience, not matter how loud, will change ANYTHING AT ALL!
Sadly, they're doomed and I cannot find a friend who left years ago and never looked back.
> Sadly, they're doomed and I cannot find a friend who left years ago and never looked back.

Is your double negative the right way round there? That means your British emigrant friends are looking to [move back to?] the UK.
I'm British, and recently left. I've met about 6-7 British people in my new country (I haven't been seeking them) and none have any intention of returning. Of course, they visit family and so on, but at present there's no reason not to.
I wasn't particularly looking to move here, though it was a country I'd thought about. Then someone forwarded a job advert to me, and I ended up with an offer I couldn't refuse :-)
Anywhere in the EU is easy to move to, and easy to move away from if you don't like it. The big differences are probably the ease of getting a job, speaking the language (or not needing to) and meeting local people.
I feel Scotland would do well to start hinting that tech startups may want to start there, given the likelihood of a successful referendum to leave the UK when it happens.
I'd suggest that everyone come join the party in the U.S., but then I realize that we have equally stupid politicians trying to run everything, too.
I get the sense that reincorporating in Bermuda, Gibraltar, or one of the Channel islands might help in some way, but I can't quite figure out just where in my brain that idea came from. Maybe it was one of those foil hat ideas that I had to discard because it only worked for Commonwealth citizens.
It would take a careful reading of the law to discover the most appropriate loophole. In the U.S., that often takes the form of having no meaningful penalty or enforcement for breaking a law. So, basically, companies just ignore it. But UK law works differently, so I can't say for certain whether that means a judge could invent an appropriate penalty or not.
Or better still, set up a foreign company, the sole shareholder of which is a trust of which you are a non executive beneficiary. Then make yourself a contractor to said company with an explicit contractual requirement that you must affirm that you have not been compelled (legally or otherwise) to author anything (code or otherwise) that may materially effect said company.
The govt will still probably try to find a way around it but at least you've made it very difficult for them.
The govt wouldn't give a squat about what contractual agreements you have made they can still compel you.
By your logic I can make the same deal with an explicit contractual requirement that I cannot be detained by the police and then go on a murder spree and say sorry I got a contract that says you can't arrest me...
As long as any entity related to the company has a UK address they'll get pinched the only way to "circumvent" the law is not to have any business in the UK.
>Setting yourself up in that manner would mean if it needed to be taken to court, it would be difficult for the UK govt to win.
I don't think you understand how the legal system in the UK works, or anywhere else for that matter.
You can't have contractual agreements that go against the law as it would constitute an illegal contract.
If you have a clause in the contract that requires you to either break the law outright or not to comply with it it will not be enforceable and will be considered void.
Not necessarily, what would happen in this case is that once you are compelled your contract to work on the code is terminated. Nothing illegal about such a contract.
You effectively are your employer (via a contract for services rather than employment per se). So by them giving you the notice they are also informing your employer.
You then get to fire yourself; it is definitely a burn it to the ground strategy, but this type of strategy has happened before and no doubt will happen again even if infrequently.
> Setting yourself up in that manner would mean more challenges and making it difficult for the UK govt to win in court.
But would it, really? This fails the same logical test as the warrant canary - it sounds comforting, but is absolutely useless in the real world.
You still have the same choices - you can follow the request, or ignore it. You can tell the world, or keep it secret.
In every scenario I can think of, this idea of "affirming you have not been compelled" provides absolutely no protection.
Are you able to provide an example that demonstrates how this off-shore/contractor setup would protect you from the UK equivalent of a NSL with a non-disclosure clause?
If you physically move to Germany, perhaps, but it appears you would need to discontinue all operations in this country. Nobody employed here, no bank accounts, etc.
Another person posted a somewhat insightful excerpt from the draft which covers this situation:
Supposed you work for a company in DE and UK gov try to compel you, just have someone outside the country revert changes.
Also, isn't the government bound by the Computer Misuse Act (and it's European and other foreign equivalents). That would make the coercion an illegal act.
Dare say there would be amendments intra UK but we'd need pan-European changes to be able to lawfully compel someone to access a [foreign] computer without authority
I agree, but it's likely to change nothing. I'm not being defeatist per se, but I went through all this with the RIP Act in 2000 and it was futile, even though the Conservatives went through some posturing in defence of civil liberties. But now they are introducing worse legislation and Labour can hardly say "this is unprecedented" or whatever, since they were so gung-ho about it fifteen years ago. I wrote many letters and got no decent responses, just boiler-plate reiterations of why it was "necessary."
Well from the theme of this thread an open letter in the Times signed by a large proportion of the CTOs of Silicon Roundabout saying "we'll go to jail or leave the country if this goes into effect" will probably at least get some face time with a minister over this.
Funny you mention the Lords ... I wrote a position paper for the Conservative front-bench spokesman for Trade and Industry about the RIP Act 2000. Worked better than letter-writing and meeting my MP. All this because I happened to play cricket with him occasionally.
The threat of a scorched earth policy needs to be strong enough for governments to either not consider these types of actions or suffer the consequences.
I can understand it not being practical for the people involved though, and I sympathize.
Can't you get a digital citizenship in Estonia and perhaps transfer you company to there?
Frankly it seems like a very good solution if the problem is laws in the UK. This program was launched specifically to attract entrepreneurs and offer them the means to launch tech businesses from anywhere in the world in Estonia.
You need to leave the UK. No amount of corporate charter red tape or offshore server hosting will let you get away with developing a secure product if Theresa May doesn't want you to.
The thing is, the actual probability of being asked to comply with this for a small company is fairly small: it's aimed at Facebook and Apple. And perhaps privacy-orientated services like Lavabit. Your best option is to retain a really good ECHR lawyer, because that's where the fight is going to be.
> being asked to comply with this for a small company is fairly small
This may be true for now, but I have seen far too many laws beeing used in other contexts than what they were intended for.
For now it maybe used in cases of 'terrorism'. In three years your products will get compromised because the state wants to catch a drug dealer. In 8 years, they also want to catch regular burglars, and in 10 years these laws may be used against you, because you forgot to mention a $100 bill on your tax declaration...
There is money to be made. When it comes down to making money by putting in backdoors or shutting it down and making none, the backdoor will be put in every time.
When London fails to become the "Fintech capital of the world" like it wants to be, because any fintech moving there has to main its own security and every potential customer knows it.
When UK companies are continually hacked and ripped off because the bad guys KNOW there's backdoors in every one of them, all they have to do is find them.
When the UK economy has taken enough of a beating. Then they might change their minds. Maybe.
I think quite a few people would not mind being a martyr.
The problem is that the most likely reality is that you will go to jail, your business will be shut down, you will never find another job again, your whole family will be added on all the government shit lists and nobody except your friends will know what happened.
There is a star system to martyrdom too. For 1 Snowden, there are probably thousands jailed and forgotten.
Martyrs more often than not seek out situations to sacrifice them self under rather than people who make the "right" call when pressed.
No right minded person in the world would rather go to jail than comply with this, the few that would really have an existential dilemma about this issue would most likely opt out to preemptively avoiding it than be the ones who sit at their desk with a gun in their hand and a bulletproof vest.
The government actions are immoral. When an entrepreneur has raised capital from investors, his personal reputation is on the line to be a good shepherd for their investment. Shutting down their company destroys the entrepreneur's personal investment and betrays their ability to keep their investors investment safe. This all comes back to the immorality of the government's actions in this area.
This times a million. It is better to pay the price for doing the right thing than to turn against your morals because of your comfort. And if enough people and companies do the same, things will change.
Evil prevails because good men do nothing. And this generation seem to be the masters at doing nothing.
A truly gutsy CEO would say screw you to an oppressive law or government. They'd be willing to die in prison for their beliefs, and shut the whole company down in the process. Take the story to media and watch the government's stupidity get them publically humiliated by the press and social media.
Things like this will only stop if they become political suicide for any party or politician that tries to implement them.
> Should the government be able to access citizen's digital data with a court order? And if so, how can that be enabled without compromising the general security of the device?
No. And that's both impossible and a massive compromise.
This case helps us tackle that first question. Here the murderer's personal phone and computer hard drives were destroyed — rendering them "above/beyond the law". Just because some data is digital doesn't place it in some special legal realm more important than shreddable/burnable paper or the air secret conversations were spoken into. There are fundamental limits to recoverability. If technology companies are to be forced to maintain vulnerabilities because governments see all their customers as potential terrorists, the industry is doomed.
The real problem here is although terrorism will never touch the average citizen anywhere near the extent of other tragedies like illness, accidents or natural disasters, the media treat it like it's the single most important issue — making people fear for their lives is good business. I'd die before sacrificing freedom of speech every time, but the news business just seems too like racketeering. We need to fight the fear.
> terrorism will never touch the average citizen anywhere near the extent of other tragedies like illness, accidents or natural disasters
This argument ascribes zero weight to the injustice of terrorist attacks. Your logic--that a death is a death--does not admit distinguishing between someone dying in a freak accident, someone being killed by a drunk driver, and someone being murdered in cold blood. It's all the same.
You're ignoring a very fundamental aspect of human psychology: people view a death very differently based on the intent of those doing the killing. Unlike murder, terrorism isn't just an attack on one person. It's an attack on the values, religion, economy, and lifestyle of a whole society. That's why people weigh it so heavily.
Possibly.
An individual murder means it is unlikely to have an impact to you. A serial killer will often impact a demographic in a city. A mass murderer will often impact a demographic in a large area or country. A terrorist will usually target a demographic in many countries, but on a much smaller scale than a mass murderer.
I currently think a mass murderer would be a greater threat to the world collectively, but the terrorist triggers the fear that any location might be attacked. Hence, while much less destructive, has the "me" factor that pulls heart strings of society at large.
They can search my phone and computer with a court order. What they should not be able to do is force companies to compromise proper encryption so they always have the ability to find something.
That's not the only angle here. Apple was asked to aide the FBI in attacking a phone, not to design bad crypto. (They may have also been asked to design bad crypto, but that's not what is happening here)
Except that the authorities do want companies to use bad crypto. The only reason they've had to fall back on demanding an attack vector is because they haven't yet been able to force their preferred solution (bad crypto) to be implemented.
Demanding an attack vector should be seen as the same concept as demanding bad crypto, because the intent behind the request is the same. They're trying to convince us that these are different requests, but the end result is the same. A workaround to attack good security is the same as having bad security to begin with. I can't imagine why anybody would think that "bad crypto" and "attack vector" are not very nearly the same thing.
But what you are forgetting is that Apple has been fully compliant and cooperative throughout this investigation. The problem with building a backdoor into a highly encrypted security system gives pathways for others to find the same backdoor. If other hackers knew there is a for-sure way to gain access and hack an iPhone, they will find that path. With today's plethora of technology, a line needs to be crossed in order to protect our privacy. We hold so many personal details inside of our phones and if by some chance the backdoor were to be released, chaos and panic would run ramped. I can understand completely why Apple deems this process "too dangerous".
The pathway is obvious- build a signed image that lets you guess unlimited passwords at maximum speed. Apple doesn't have to do it to make it apparent it would work. The avenue is already in use:
As many jailbreakers are familiar, firmware can be loaded via Device Firmware Upgrade (DFU) Mode. Once an iPhone enters DFU mode, it will accept a new firmware image over a USB cable.
The special "backdoor" Apple has access to:
Before any firmware image is loaded by an iPhone, the device first checks whether the firmware has a valid signature from Apple. This signature check is why the FBI cannot load new software onto an iPhone on their own — the FBI does not have the secret keys that Apple uses to sign firmware.
Because they can't. A court order can't let them fly. Nor can it compel you to build them wings. (Though you may have to buy them a can of Red Bull.)
The police were already searching you and your house so we enacted rules to try to control that. Those rules didn't enable the searching - they placed restrictions on the applicability of evidence to reduce the desire to search improperly.
If they can get in. Suppose your house is made of some material (10' thick steel?) which cannot be broken into without a use of a nuke (bear with me....). Is the government allowed to nuke that neighborhood just to get into the house?
