RE: Rule of law

https://stratechery.com/2016/apple-versus-the-fbi-understanding-iphone-encryption-the-risks-for-apple-and-encryption/ 

 

Rob Trainer | Vice President of Technology

Accreditrust Technologies, LLC

C: 410.303.9303

E: rob.trainer@accreditrust.com

W: https://www.accreditrust.com/

 



 

From: Timothy Holborn [mailto:timothy.holborn@gmail.com] 
Sent: Thursday, February 18, 2016 1:50 PM
To: Dave Longley <dlongley@digitalbazaar.com>; W3C Credentials Community Group <public-credentials@w3.org>
Subject: Re: Rule of law

 

Reviewing the TOS[1] I always find interesting, 

Yet essentially, the issue remains including but not exclusive to service operators / device vendors, et al.

Whilst I entirely agree, accountability is v.important for law-enforcement, and, I'm not American, don't get to vote in the US, so, I prefer local context that enables me to lobby for changes to law should that be necessary; rule of law, kinda needs to be supported...

The identifiers in this case include particular FBI representatives on particular machines carrying out particular tasks for a particular case, with particular court approvals, on a particular phone that has an array of other identifiers both identifying that Phone to be unique, and that it is indeed associated to the court-order related suspect (person).

So, IMHO, there's enough keys there to make those old film scenes of the two keys turned simultaneously to launch the weapon, whether in submarine or otherwise, look kinda antiquated.

You could put additional requirements, like sensor requirements - it needs to see a specially encoded 2d barcode, within a particular GPS location, etc. etc.

It's not all or nothing, and any president would want it that way I imagine. We all want phones that don't get hacked, but we are subject to rule of law for which we are all accountable, no matter who we work for or what we do. Isn't that the theory? 

I also note, online child sexual exploitation law enforcement teams locally, apparently couldn't use semantic / image analytics to automatically flag content. If Interpol made that capability available, would you allow processing for specific use? Perhaps if the gov issue them a credential to include specified capabilities for which citizens have a right to fair trial / court / access to justice, etc.

Is it Apple, Facebook, Google who makes the decision about how image processing can be used? Do you need to send them your blood sample to have it checked? What ads do you get after you've got your blood tested? Insurance offers the same?

Market based 'knowledge banking' providers, with really good outlines for data ownership. 

Yet if the law says 'you've been sent to war'.... If a judge says open it. Then to say it's all or nothing, seems incorrect...

We've been working on solutions here... I guess they'll say, no solution currently available to market can solve this problem, or some similar thing? 

Meh.


[1] http://images.apple.com/legal/sla/docs/iOS91.pdf

 

On Fri, 19 Feb 2016 at 5:29 AM, Dave Longley <dlongley@digitalbazaar.com> wrote:

On 02/18/2016 12:50 PM, Timothy Holborn wrote:
> So,
>
> I assume apple[1] can decrypt it.

I think that's a big assumption. Have they said that? I don't know how
they do their encryption, but if they are using symmetric encryption
where the key is derived from a password only the user knows, then, no,
they can't decrypt it. Unless the password is easily guessable, it's not
feasible to brute force attack the encryption.

> So, the issue is how to trust gov? Locally or internationally?
>
> Couldn't a bunch of approved credentials be used to present something
> at the phone that in-turn allows that device to say, recognise the
> president said - executive orders - open it.

You could do two forms of encryption: one for the user and one using a
public key owned and protected by the government. Of course, then the
government can read everyone's private data.

I suppose you could require a credential from a court (signed by the
court's public key) indicating a court order was granted to the
government in order to use their key to read the data ... but it's all a
little unclear as to whether or not these protections would actually be
followed, or rather, if they weren't, that a violation of them could be
easily detected.


--
Dave Longley
CTO
Digital Bazaar, Inc.
http://digitalbazaar.com

Received on Friday, 19 February 2016 14:02:12 UTC
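
The court-order-gated escrow sketched in Dave Longley's message above (the data key also encrypted to a government public key, released only against a credential signed by the court), as an added Go example that is not code from the thread or from any participant. The key types, the `unlock:<deviceID>` order format and all names are assumptions, and the user-side passcode encryption is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Escrow models the government side: escrow private key plus the court key it trusts.
type Escrow struct {
	priv  *rsa.PrivateKey
	court ed25519.PublicKey
}

// WrapForEscrow encrypts a device's data key to the escrow public key, bound to deviceID.
func WrapForEscrow(pub *rsa.PublicKey, dataKey []byte, deviceID string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, []byte(deviceID))
}

// Unwrap releases the key only for a court-signed order "unlock:<deviceID>" (hypothetical format).
func (e *Escrow) Unwrap(wrapped []byte, deviceID string, order, sig []byte) ([]byte, error) {
	if string(order) != "unlock:"+deviceID || !ed25519.Verify(e.court, order, sig) {
		return nil, fmt.Errorf("no valid court order for this device")
	}
	return rsa.DecryptOAEP(sha256.New(), nil, e.priv, wrapped, []byte(deviceID))
}

// NewDemo generates throwaway keys; the returned func stands in for the court's signer.
func NewDemo() (*Escrow, func([]byte) []byte, error) {
	courtPub, courtPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	sign := func(order []byte) []byte { return ed25519.Sign(courtPriv, order) }
	return &Escrow{priv: priv, court: courtPub}, sign, nil
}

func main() {
	e, courtSign, _ := NewDemo()
	order := []byte("unlock:device-A")
	wrapped, _ := WrapForEscrow(&e.priv.PublicKey, []byte("constructed data key"), "device-A")
	fmt.Println(e.Unwrap(wrapped, "device-A", order, courtSign(order)))
}
```

The court-order check in `Unwrap` is only code sitting in front of the private key: whoever holds `priv` can call `rsa.DecryptOAEP` directly, which is the enforcement and detection gap the message raises.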