Meltdown & Spectre for non-techies

As you’ve probably heard by now, a very serious CPU bug was disclosed a few days ago. Lots of folks have tried to explain it in non-technical terms. I’ve not been satisfied with any of these, and as someone who believes it is a solemn responsibility of experts to make important topics accessible to all, that bugs me. So I spent some time reading up on the issues and coming up with my own explanation by analogy.


Crypto as in Crypto

Is crypto short for cryptography or cryptocurrencies? Grab your pitchforks!

I’ve ranted against crypto-means-bitcoin since I first heard it. But the last few days have me wondering if we, the greying and already-grey cryptographers, should just accept it. At the very least, when prominent VC Fred Wilson keeps calling it crypto, we have to realize we are losing the battle very rapidly.

Cryptography is a lot more than Blockchain

100 years ago, cryptography was mostly secret codes. It’s become a lot more than that over the last 40-50 years. It’s public-key encryption, signatures, identity-based crypto, deniable encryption, homomorphic encryption, zero-knowledge proofs, secure multi-party computation, program obfuscation, … and yeah that’s a lot more than Blockchain, even if Blockchain is a fascinating and novel combination of techniques in its own right.

Think of a transaction, any transaction, be it financial or data, where a trusted third-party mediates interactions between participants who don’t fully trust each other… now think of doing it without the trusted third-party. That’s cryptography. Don’t have a perfectly honest courier who can confidentially and securely transport your private messages to your friends? You probably need public-key encryption and signatures. Don’t have a perfectly honest vote counter whom you’re willing to trust with the tallying of your election without anyone else verifying? You probably need some kind of secure multi-party computation, possibly implemented with physical processes like sealed ballot boxes and statistical audits.

Put another way, cryptography is how people get things done when they need one another, don’t fully trust one another, and have adversaries actively trying to screw things up. The less you want to “just trust someone” with a portion of that transaction, the more cryptography you need. 

Fans see in Blockchain a lot more than Blockchain

Interestingly, the vast majority of people who are now discovering Blockchain via cryptocurrencies — thus calling it “crypto” — think that Blockchain is exactly the thing I described above. It’s “trustless computing!”

In fact, Blockchain is a very specific kind of secure multi-party computation in a very specific trust setting with very specific incentives that keep participants motivated. But those are sufficiently complex and subtle distinctions for everyday conversation, so instead everyone talks about Blockchain like it is the entire field of computation without a trusted third party. It gets even more confusing because some of the more advanced blockchains (e.g. zerocash) use zero-knowledge proofs for added privacy, which many fans seem to believe didn’t exist before blockchain, so when cryptographers say “crypto is a lot more than blockchain, for example it’s zero knowledge proofs,” the blockchain crowd’s answer is “oh yeah, we’ve got ZK proofs, aren’t they awesome?” while cryptographers roll their eyes in disgust and mutter something about lawns and young whippersnappers.

Why can’t we all just get along?

Blockchain fans have accepted Satoshi as their Lord and Savior. They believe Blockchain is single-handedly providing groundbreaking “trustless” computing. And they call it crypto.

Cryptographers see Blockchain as one very neat application of some aspects of cryptography. They think the field of cryptography is the rightful owner of all these trustless computing innovations. And they call it crypto.

What if we all simply call it crypto and agree to disagree on year 0 and the Messiahs? We are all into crypto, some of us are just more into the blockchain flavor than others.

Also, use case

Whatever we call it, we still need a use case for full trustless crypto. The reason you find many cryptographers skeptical of Blockchain as a major new technological framework (Internet 3.0!) is that many of us have tried to pitch and develop trustless business models before. And all of the use cases we had in mind have consistently been better served by more centralized, higher-trust alternatives. So we look at Blockchain with a feeling of “we’ve tried this before, and it’s not clear there’s anything sufficiently new to make users want this.”

Maybe we, the greying cryptographers, are just old men screaming at clouds. Maybe Blockchain makes trustless computing easier to deploy. Maybe the times we live in call for more distributed, more trustless solutions that customers will adopt. I’m dubious, but maybe.

Either way, it’s probably best if we all call it crypto, because we’re actually all talking about the same thing, even if we strongly disagree on year 0.

Blockchain and Voting

Blockchain and Bitcoin may prove to be amazing innovations that change our daily lives, but I doubt they will materially impact how we vote. Here’s why.

What Blockchain Is and Isn’t

The common way to describe Blockchain is something like: it’s a database, only instead of being run by one central computer you have to trust, it’s run by many different computers around the world. Alternatively, it’s a distributed ledger. One linear set of events/transactions managed by a distributed set of computers.

These descriptions are true, but they’re also misleading in their oversimplification. It’s that oversimplification that leads some to think the Blockchain will solve all of our problems. Because … decentralized!

OK, but distributed databases are not new. We’ve known for a while how to replicate a database with a sprinkle of cryptography to distribute the trust. The Merkle tree, a key component of Blockchain that lets you verify consistency of a large dataset quickly, was invented in 1979. The Hash chain, another key component of Blockchain that lets you create a tamper-proof chronology of events, was invented in 1981 (it’s used in things like git). You can build a distributed ledger with Merkle trees and hash chains. We’ve been able to do this since the 80s. So … what’s new?

Blockchain isn’t just a distributed database, it’s a very specific kind of distributed database where

  • the database maintainers aren’t authenticated: anyone can be a blockchain maintainer without revealing who they are or having any kind of privileged relationship with other maintainers.
  • the set of maintainers changes over time. New maintainers come in, existing maintainers leave, without central planning or predictability. The maintainers of the Bitcoin blockchain 5 years ago are very different from the maintainers today.

In other words: anyone can become a maintainer of the Bitcoin blockchain at any time, without asking for permission, with nothing more than computing power. Just start up the software and join the club. This is pretty amazing stuff. It wasn’t obvious, before Blockchain, that it would be possible to design such a distributed database with an amorphous untrusted set of maintainers where you just need half good guys.

(There’s another really cool trick in Bitcoin, which is the incentive system for database maintainers: they get rewarded in Bitcoin for doing their database maintenance part, which makes the whole system self-sustaining. Super cool, but off topic for today.)

It’s important to realize that the true Bitcoin/Blockchain innovation is actually in this very specific trust setting of a dynamically changing set of database maintainers. If your use case doesn’t call for that, if you can designate the maintainers at the start of your protocol and have them authenticate to each other, then you don’t need the full Blockchain toolkit. You need only fairly standard cryptography and your use case was achievable 20 years ago.

What We Need to Vote Securely

In a typical election setting with secret ballots, we need:

  1. enforced secrecy: a way for each voter to cast a ballot secretly and no way to prove how they voted (lest they be unduly influenced)
  2. individual verifiability: a way for each voter to gain confidence that their own vote was correctly recorded and counted.
  3. global verifiability: a way for everyone to gain confidence that all votes were correctly counted and that only eligible voters cast a ballot.

Let’s say we have a Blockchain-style distributed database. How far does that get us to meeting these needs?

A distributed database of all cast votes, where everyone sees the same state of the world, would certainly be useful for (3) global verifiability and to some degree for (2) personal verifiability. That said, it won’t get us all the way there on those, and it won’t get us anywhere on (1) enforced secrecy.

Specifically, to combine personal verifiability with enforced secrecy, we need some mechanism that gives each voter enough confidence that their vote made it all the way to the tally, but not so much that they can sell their vote to a buyer/coercer. A public ledger of plain votes is a terrible idea, since that makes vote selling trivial. A public ledger of vote tracking numbers of sorts is better for privacy, though it doesn’t really provide actual verifiability that the contents of the ballot weren’t tampered with. Clearly, we need something more, and that something simply isn’t provided by a distributed ledger.

Then there’s the need to check voter eligibility, a critical piece of global verifiability. No matter what technology we use, we need a clear list of eligible voters, and each voter should get to vote only once. Ultimately, the list of eligible voters is set in a centralized way: it’s produced by the State. There’s nothing distributed about voter eligibility. Even when there is federation / delegation to individual counties, like in the US, there is a centralized effort to cross-check that a voter isn’t registered in multiple counties.

In real-world elections today, we get personal verifiability with in-person paper ballots that voters can verify and cast directly, followed by risk-limiting audits where all political parties play a role to ensure integrity at each voting precinct. Combined with publicly auditable voter eligibility lists, this process, verified by all parties, is also how we get global verifiability. There are end-to-end voting verifiability techniques (zero-knowledge proofs) that have been around in various forms for 20-30 years that can provide an even stronger sense of personal and global verifiability, though these aren’t implemented in anything more than the occasional pilot.

Bottom line: Blockchain can help a bit with voting, but it’s not doing the most important part of the work. It doesn’t help tally secret ballots in a publicly verifiable way. It doesn’t provide individual verifiability that a ballot was correctly encoded. And it’s not useful for voting eligibility, since that’s all about human authentication and a centrally produced voter list. At best, in voting, Blockchain can be a ledger that helps us track the voting metadata.

And here’s the rub: to track voting metadata, it’s questionable whether you need a full Blockchain. Ultimately, a distributed database run by all political parties, where the maintainers are known and authenticated well ahead of time, is plenty sufficient. We don’t need the power of Blockchain. We just need Merkle trees and hash chains. And we’ve had those for 30 years.
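The Merkle trees and hash chains mentioned above, as an added example that is not part of the original post: a hash-chained ledger of ballot tracking numbers (not plain votes), where each block carries a Merkle root over its entries. A voter can check that their tracking number was published, and anyone can detect a later edit to any block. The tracking numbers are constructed, and the design is illustrative rather than any real election system.

```python
"""Ballot tracking ledger: a hash chain of blocks, each carrying a Merkle root over the
tracking numbers published in that block. Added example; the tracking numbers are
constructed and the design is illustrative, not any real election system."""
import hashlib
from typing import List, Optional, Tuple

Proof = List[Tuple[bytes, bool]]  # (sibling hash, sibling is on the right)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


GENESIS = sha256(b"genesis")


def _leaf(entry: bytes) -> bytes:
    return sha256(b"\x00" + entry)  # domain-separate leaves from internal nodes


def _node(left: bytes, right: bytes) -> bytes:
    return sha256(b"\x01" + left + right)


def _next_level(level: List[bytes]) -> List[bytes]:
    if len(level) % 2:  # odd count: duplicate the last hash
        level = level + [level[-1]]
    return [_node(level[i], level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(entries: List[bytes]) -> bytes:
    level = [_leaf(e) for e in entries] or [sha256(b"")]
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def merkle_proof(entries: List[bytes], index: int) -> Proof:
    """Sibling hashes on the path from entries[index] up to the root."""
    level = [_leaf(e) for e in entries]
    proof: Proof = []
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1
        proof.append((level[sibling], sibling > index))
        level = _next_level(level)
        index //= 2
    return proof


def verify_inclusion(entry: bytes, proof: Proof, root: bytes) -> bool:
    """Individual check: was my tracking number published under this root?"""
    h = _leaf(entry)
    for sibling, sibling_right in proof:
        h = _node(h, sibling) if sibling_right else _node(sibling, h)
    return h == root


class Block:
    def __init__(self, prev_hash: bytes, entries: List[bytes]):
        self.prev_hash = prev_hash
        self.entries = list(entries)
        self.root = merkle_root(self.entries)
        self.hash = sha256(prev_hash + self.root)  # links this block to its predecessor


class Ledger:
    def __init__(self) -> None:
        self.blocks: List[Block] = []

    def append(self, entries: List[bytes]) -> None:
        prev = self.blocks[-1].hash if self.blocks else GENESIS
        self.blocks.append(Block(prev, entries))

    def verify_chain(self) -> bool:
        """Global check: recompute every root and link; any edit to a published entry breaks it."""
        prev = GENESIS
        for b in self.blocks:
            if b.prev_hash != prev or merkle_root(b.entries) != b.root or b.hash != sha256(prev + b.root):
                return False
            prev = b.hash
        return True

    def find(self, entry: bytes) -> Optional[Tuple[int, Proof]]:
        for i, b in enumerate(self.blocks):
            if entry in b.entries:
                return i, merkle_proof(b.entries, b.entries.index(entry))
        return None


def demo() -> dict:
    # Constructed tracking numbers: what a precinct would publish instead of plain votes.
    # Note the ledger binds only the numbers; it says nothing about the ballot contents.
    ledger = Ledger()
    ledger.append([b"TRK-0001", b"TRK-0002", b"TRK-0003"])
    ledger.append([b"TRK-0004", b"TRK-0005"])
    found = ledger.find(b"TRK-0003")
    assert found is not None
    idx, proof = found
    inclusion_ok = verify_inclusion(b"TRK-0003", proof, ledger.blocks[idx].root)
    chain_ok = ledger.verify_chain()
    ledger.blocks[0].entries[1] = b"TRK-9999"  # a maintainer silently swaps an entry
    return {"inclusion_ok": inclusion_ok, "chain_ok": chain_ok,
            "chain_ok_after_tamper": ledger.verify_chain()}
```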

To sum it up, using Blockchain for voting solves a small part of the problem with an unnecessarily big hammer.

A Marketing Sidebar

It’s very possible that, though we’ve had the parts of Blockchain technology we could use in voting for a while, Blockchain tech and the hype around it helps this technology “break through” to the voting universe. It’s possible we use just simple Merkle trees and hash chains, but we call them Blockchain, and Blockchain scores a win. Maybe this is about marketing, after all. I’m dubious – because Blockchain doesn’t begin to solve the most important parts of voting – but it’s possible.

the electoral college should reject Trump

Look, it’s heartbreaking that Hillary Clinton lost the electoral college while winning the popular vote by almost 3M votes, with as many votes as Obama won in 2012, while Trump won only 0.35% more than Dukakis. That said, the Electoral College is the name of the game, and, until we change it, we should live by its rules. I don’t buy the Trumpian argument that, had the rules been popular vote, Trump would have campaigned in California and NY and won that, too. I don’t buy that for a second. But it doesn’t matter: rules are rules, democracies follow rules, Trump won more electoral college voters.

But here’s the deal, if rules are rules, then let’s be clear that we should follow all the rules. And all the rules include, very clearly, the duty for electoral college voters to consider three things when casting their ballot next Monday:

  1. is this person fit for the Office of President of the United States?
  2. is this person a Demagogue?
  3. is this person under foreign influence?

Now, reasons 1 and 2 are, in my opinion, quite dangerous to push for, because they are incredibly subjective and I could easily imagine Republicans trying to argue that Hillary is “unfit for office.”

But reason #3 is not subjective. Reason #3 is a real problem with a very clear bright line: can the President-Elect be significantly influenced by foreign actors? Or, as the New Yorker explains, is the President-Elect already in violation of the Emoluments Clause of the US Constitution, which states, in part, that “no Person holding any Office of Profit or Trust under them, shall, without the Consent of the Congress, accept of any present, Emolument, Office, or Title, of any kind whatever, from any King, Prince, or foreign State.”

There is plenty of evidence that Trump is already significantly conflicted with his business ties around the world and his alleged large debts to foreign banks. The CIA is saying that Russia helped Trump win the election, and now Trump has nominated a particularly Russia-friendly Secretary of State.

So this is not OK. And it is absolutely reasonable to wonder whether Donald Trump is under foreign influence. Don’t let yourself be silenced by screaming Republican pundits claiming you’re a conspiracy theorist because you’re pointing out what is right there in front of your nose: Trump is massively conflicted with foreign holdings, he’s already leveraging his President-Elect position for influence, and world leaders are starting to use this situation to wield influence on the President-Elect. Oh, and Russia might have a metric ton of damning evidence – think RNC version of the DNC email hack – to blackmail Trump.

It is not unreasonable to question this. It is our duty. It is patriotic. It is UNpatriotic to ignore it. Republicans would be foaming at the mouth if half of this evidence had transpired against a President-Elect Hillary Clinton.

So I’m going to live by the rules of our Democracy. Trump won the election, but he hasn’t yet won the Electoral College. And Electoral College voters have a duty to consider whether Trump is under foreign influence, and to vote against him if they believe he is. That is their Constitutionally-mandated job. And I know it’s probably hard. They’re Republicans, after all, and people like me are asking them to vote against their team. It’s not trivial. But it is about Country first. And once you get that, the rest is easy. The Electoral College should soundly reject Trump.

Are you with me to do something about this? Then follow these directions. Do it now. There is little time left.

We know what’s going on and we know what to do

Donald Trump is the President-Elect of the United States of America. What a catastrophe. I’ve been trying for days to write some thoughts. Every time, I am gobsmacked by yet another insane development. Bannon. The Muslim Registry. The “blind” trust. The business meetings interspersed with mild transition planning.

We know what’s going on. We know who Trump is. He told us throughout the campaign, and he’s telling us again, every single day. He wants power and money. The truth doesn’t matter as long as he gets his way. He doesn’t believe in the Constitution unless it serves his purpose. Trump only believes in Trump. Truth is defined as what he says. Grace is defined as what he does. Reality is defined as what he sees. He can do no wrong. Oh also, he is a racist, a misogynist, an Islamophobe, and possibly an anti-Semite, or maybe he just surrounds himself with anti-Semites, you know it’s hard to tell the difference sometimes.

How did we get here? It will take a long time to really understand it in detail, and I’m no fan of rushing to judgment, though I get that it is satisfying to find a simple root cause to soothe the pain, uncertainty, and raw fear of the world we now live in. That said, we got here probably by some combination of economic anxiety, racism, sexism, Islamophobia, fake news, and voter suppression. Complex systems fail in complex ways [PDF]. And in the end, fewer than 100,000 votes across three states made the difference.

Where do we go from here? I’m not sure yet. But I do know a few things:

  1. I will risk looking foolish and paranoid rather than risk not taking the Trump threat seriously enough. Now is not the time to play it cool, to be above the fray, to “let politics be politics.” I will fight. I will speak up. I will not be ashamed to stand for the values of Democracy and against Trump, for he represents the very opposite of our democratic values. And it starts by not being afraid to say that. If I’m wrong, all I’ve lost is a little bit of pride.
  2. I will not normalize. I will not let conversations I have, with family, friends, or strangers, ever veer towards normalizing Trump as just another politician. I will remind myself to read this post every month to make sure I do not let down my guard.
  3. Voter suppression is repugnant and I will remind people every day. I don’t know if I can help make people less racist or sexist, and I respect that many people felt economic anxiety and wanted to blow up the system. But the one thing that is unequivocally wrong and deeply disturbing is preventing people from voting. People who make it harder for others to vote should be in jail. It’s not fair game, it’s not another political tactic. It’s a crime against Democracy itself.
  4. I will take care of myself and my family. We’re two weeks in, and it’s emotionally exhausting. I will take time every day to disconnect and be with my family, distract myself, and generally stay sane, so that I do not run out of steam in this long fight.
  5. I will defend women, minorities, and anyone oppressed. In public spaces, online, at work, wherever I go. I will not cower. I will strive to be the very best version of myself, the version of myself I can look up to when all is said and done.
  6. I will do things that scale. I’m not sure what those are yet. Probably something around voting rights & technology. Crypto policy. Maybe some judiciously written software to help organize action against Trump.
  7. I will also do things that do NOT scale. I will call Senators, Congressmen, and political organizations. I will write letters. I will donate money to the right politicians and to organizations fighting for our civil rights. I will pay for good journalism.

The day after Trump’s victory, I told a few people about how my grandparents survived the Holocaust and how I was taught to “never forget.” I worried I was exaggerating a bit at the time. Two weeks later, it’s pretty clear those concerns are well warranted.

This weekend, I spoke with my dad, who spoke about how his mother – my grandma – became pregnant with my aunt in 1942, at the height of discrimination against Jews in France (and in French Algeria, where my father’s family lived.) My grandma’s brother chastised my grandpa, saying “are you serious, you’re having a child with everything that’s going on? That’s crazy.” My grandfather answered “don’t worry, the Americans will come and save us, and we will fight alongside them.” A year later he joined the North African Front against the Nazis. He lived to have two more children, to meet and teach math and reading to almost 20 grandchildren, and to see a few of his grandchildren move to the US, the country that saved his life.

He never lost hope, but he never stopped fighting. I plan to make him proud.

Voting Security Cheatsheet [2016 Edition]

It’s voting season! Which means everyone is asking questions like:

  • wait, why can’t I vote online?
  • how hard can voting really be?
  • shouldn’t this all be open-source?
  • isn’t it just as easy to hack paper voting as electronic voting?
  • is Russia hacking our voting machines?
  • why do we even need voting machines when other countries count by hand?
  • maybe there’s enough time to fix things before November 8th?
  • Hasn’t the blockchain solved voting already?

For your convenience, I have compiled this handy election technology & security cheat-sheet.

  1. you can’t vote online for good reason. (a) We don’t know how to make sure the device you use to vote has correctly captured your voting intent – it might have been compromised such that when you vote for Alice, it votes for Bob instead. (b) Though we know of a number of techniques to tally electronic votes in a publicly verifiable way that also preserves individual privacy, we are far from deploying these at scale. Reason (a) on its own, however, is good enough not to vote online.
  2. getting voting right is really hard. Since everyone has a stake in the outcome, you can’t outsource the trust to any one person or organization. You have to preserve the privacy of individual votes even against the wishes of the voter herself, otherwise voters can be coerced, and yes coercion has been a concern throughout history and remains a concern today, in 2016, in the US. And you have to provide some process that everyone, even the loser, can trust. In other words, you need a process auditable by everyone, without placing much trust in any given person or organization, while deleting critical information (who voted for what).
  3. open-source doesn’t solve the problem. Yes, it would be cool if voting machines used only open-source software. But how would you know the software that was audited is the same as the software running on the machine? Doesn’t solve the problem.
  4. paper ballots collected and tallied at each precinct are vastly more secure. It’s quite difficult to corrupt a distributed counting process, where every precinct publishes its results and keeps paper records for recounts, all while being disconnected from the Internet. Massachusetts does this well. California does this less well as paper ballots are transported before they’re counted, thus leaving more opportunities for foul play, though it’s still pretty tricky to attack at scale. What matters in an election is scalability of attacks.
  5. yes, voting machines can be hacked. Usually it takes an in-person attack as these machines aren’t networked, but apparently some are and that’s just crazy. This is why you probably want paper records of all votes, and why optical scan voting machines are best, since they start and end with paper. But again, to hack voting machines requires being at the precinct, which isn’t scalable. Except of course if the machines are on the network, and again that’s just insane.
  6. you can’t count ballots by hand in the US because we vote for a dozen offices and ballot initiatives. If we just voted for one thing, e.g. President, then counting by hand would be highly preferable and plenty fast: just make piles. You could even weigh the piles to count them quickly. The process for counting up a dozen or more questions on paper by hand simply doesn’t work at scale. This part is sometimes hard to believe, but it is the real issue, and the central reason why we have voting machines.
  7. the Blockchain doesn’t solve voting. At best it solves one part of the voting process, which isn’t even the hardest part. Combining vote privacy and tally verifiability is the hardest part, and Blockchain doesn’t solve that.
  8. it’s way too late to change anything for November 8th. The process for certifying new voting machines / processes takes years. If you want to make things better, start now for 2020.

What John McCain could say

[This is … hopeful fiction]

My fellow Americans,

When I ran for President in 2008, in the last stretch of the campaign, a woman at one of my rallies stood up and expressed fears about Obama because “he’s an Arab.” I could have stoked those fears, and many Republicans wanted me to. Instead, I chose to answer “no, Ma’am, he’s a decent family man, a citizen, that I just happen to have disagreements with on fundamental issues.” I chose decency over easy political gain and demagoguery. (Ignore for a moment the implication that “Arab” and “decent family man” are opposites.)

At some point we must all remember that we are Americans above all. That many of our brothers and sisters are Americans and Muslims, and that, thanks to our Constitution, there’s no conflict in saying “American” and “Muslim” in the same sentence. Captain Humayun Khan demonstrated the power of our Constitution with his ultimate sacrifice for his country. For our country, because he and I belong to the same amazing country that doesn’t discriminate on the basis of your gender, race, background, or sexual orientation.

So let me get to the point. I have many disagreements with Hillary Clinton. I despise many of her policy proposals. But she is a decent woman with a long track record of helping her fellow Americans, even when I believe the type of help she’s providing is misguided.

Donald Trump is anything but decent. He is incapable of showing respect to anyone who doesn’t support him. He cannot see the humanity in others, because there is barely any humanity in him.

So today, my fellow Americans, I choose to place country above party. I revoke my endorsement of Donald Trump, and I urge you all to vote for Hillary Clinton. I don’t agree with everything she says, but she is a good person with a good heart and the drive to make America better. Her opponent is unfit for duty, unfit for political service, and unfit for American leadership.

-John McCain.

On Apple and the FBI

If you pay attention to tech/policy stories, then surely you know about the Apple/FBI situation. Though this story has been broadly covered, I don’t think we’re having the right debate. And the right debate is, of course, very subtle. So here goes my attempt to nail that subtlety.

What’s Going On?

  • The FBI wants access to a particular criminal/terrorist’s iPhone. They have a warrant.
  • The iPhone is locked, and if the FBI tries a few bad PIN codes, the phone will erase its data as a defense mechanism. Also, iPhones are programmed to slow down password attempts after a few bad guesses, which means that, even if the auto-erase feature were not activated, it would take the FBI years to laboriously try enough PIN codes.
  • Changing the iPhone’s behavior – say to allow as many PIN code attempts as fast as possible – is doable via a software update, but iPhones are programmed such that they accept only software updates blessed by Apple.
  • The FBI wants to compel Apple to program and bless this new behavior so they can software-update the phone and go guess the PIN code quickly and without self-destruct.
  • The FBI is happy with a very narrow solution: the updated behavior can be hard-coded to function only with that particular iPhone, and the FBI is willing to never touch that new iPhone operating system. They’re content with having Apple effectively extract the data for them.

Some say FBI could find other avenues

Is this the only way the FBI can get at this data? Is this data even that valuable? It’s a bit dubious, in my opinion. The FBI already has iCloud backups straight from Apple servers, phone call metadata and texts from Verizon, etc. Is there really some key data on the device left to discover? Doubtful.

Also, hardware-security experts are arguing that, given a few hundred thousand dollars, the FBI could find a way to bypass the iPhone’s restriction that a software update has to be blessed by Apple. This seems possible, though I can imagine how it might be difficult for the FBI to develop that specific expertise urgently.

All in all, I’d say it’s pretty clear the FBI doesn’t strictly need Apple to comply. What’s probably happening is that the FBI is using this as a test case for the general principle that they should be able to compel tech companies to assist in police investigations. And that’s pretty smart, because it’s a pretty good test case: Apple obviously wants to help prevent terrorist attacks, so they’re left to argue the slippery slope argument in the face of an FBI investigation of a known terrorist. Well done, FBI, well done.

So this is a backdoor? That bad guys can use, too?

This is where I break with other privacy advocates. It’s a significant overstatement to claim that the FBI’s request could provide them with the technical means to penetrate other iPhones. I call BS when Tim Cook says:

In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession.

The FBI has explicitly stated that they’d be happy with Apple performing this software update without ever shipping the software to the FBI, and, as an additional constraint, with Apple tailoring the update so it functions only on that one iPhone in particular.

There’s a key difference here between this FBI request – access to a single device in physical custody with a warrant – and prior demands from FBI/NSA – access to any encrypted channel, with or without physical custody of a device. The latter requires engineering all encrypted channels to provide law-enforcement access and is so complex that it’s almost guaranteed to create new security holes, especially with respect to foreign governments aiming for broad surveillance. The former is doable if Apple wanted to engineer this capability into their phones. Not completely without risk – in particular when devices are confiscated at customs and such – but much more doable.

So … slippery slope or not?

Technically speaking, I don’t think so. Apple granting this request will not technically enable the FBI to get into other phones.

But legally speaking? I’m a little bit out of my depth here, but from everything I’m reading, I’d say there seems to be a clear legal slippery slope risk. If Apple can be compelled to program and bless code that weakens the phone’s security, then maybe courts will force Apple to help in other ways. Update a criminal’s phone remotely, maybe, because that criminal is on the run? Or wholesale give the FBI the capability to perform software updates themselves? Which would then amount to the remote built-in backdoor and the introduction of unacceptable security risks for everyone.

So why are technologists all worked up?

So technologists are all worked up. I’m pretty worked up. This is a big deal. I’m on Apple’s side, but not for Apple’s stated reasons. We’re not dealing with a universal backdoor request, and we’re misleading the public if we say that.

The three reasons why this is a big deal are:

  1. there is that legal slippery slope, see above.
  2. starting with the PATRIOT act, the US government seems to be increasingly in the business of bypassing due process. National Security Letters, for example. What if the FBI’s next request to Apple is done in secret, with a gag order so Apple can’t talk about it? What if the FBI’s next request is for the all-out ability to update any phone with any software they choose, without looping Apple in ever again? Is this our one and only chance to stop this behavior before it goes dark?
  3. foreign governments making the same requests without due process because they have no such thing. Yeah. Oy. What do we do about them? Can Apple really be in the position of deciding which governments have reasonable due process?

What happens next?

Legally speaking, I have no idea, but I worry the FBI will win this one.

So, technically speaking, I think what happens next is that Apple begins to engineer phones such that they can no longer assist the FBI, even if compelled by court order. Here’s my specific bet: right now Apple can update a phone’s entire software stack to reconfigure a particular phone’s behavior, including number of PIN tries and delays – the most secure parts of the phone. I bet Apple will move towards making the most sensitive parts of that stack updatable only in very specific conditions:

  1. wipe user data, or
  2. keep user data only if the phone is successfully unlocked first.
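To make the bet above concrete, here is an added toy model of the two update policies (my own illustration, not Apple’s code; the passcode, the data string and the retry budget are constructed sample values). It shows why the retry limit is the asset being protected: under today’s model, as the post describes it, a vendor-pushed update that removes the retry budget leaves a locked phone’s data one exhaustive guess away, whereas under the proposed rule the same update on a locked phone can only land by wiping user data, while the owner’s path (unlock first, then update) still works.

```python
"""Toy model of the update policy sketched above (constructed example, not Apple code)."""
from dataclasses import dataclass
from itertools import product
from typing import Optional


@dataclass
class Device:
    """A phone whose retry limit lives in updatable software."""
    pin: str                        # the owner's passcode; constructed sample value
    user_data: Optional[str]        # None once the data has been wiped
    max_tries: int = 10             # retry budget enforced by the sensitive stack
    tries_used: int = 0
    unlocked: bool = False
    strict_updates: bool = False    # False: today's model; True: the proposed rule

    def try_pin(self, guess: str) -> bool:
        """One unlock attempt; wipes the device when the budget is exhausted."""
        if self.user_data is None:
            return False                       # nothing left to protect
        self.tries_used += 1
        if guess == self.pin:
            self.unlocked = True
            self.tries_used = 0
            return True
        if self.tries_used >= self.max_tries:
            self.user_data = None              # auto-wipe on too many failures
        return False

    def update_retry_limit(self, new_limit: int) -> str:
        """Install new retry-limit logic and report how the policy handled it."""
        if self.strict_updates and not self.unlocked:
            # Proposed rule: a locked phone accepts a sensitive update only by wiping
            self.user_data = None
            self.max_tries = new_limit
            return "installed-after-wipe"
        self.max_tries = new_limit
        return "installed"


def pushed_update_then_guess(strict: bool) -> Optional[str]:
    """Simulate an 'unlimited retries' update pushed to a locked phone,
    followed by trying every 4-digit PIN.

    Returns the user data if it became reachable, or None if the policy kept it out of reach.
    """
    phone = Device(pin="7291", user_data="photos+messages", strict_updates=strict)
    phone.update_retry_limit(10 ** 6)          # remove the retry budget
    for digits in product("0123456789", repeat=4):
        if phone.try_pin("".join(digits)):
            return phone.user_data
        if phone.user_data is None:
            break                              # wiped: nothing more to learn
    return None


def owner_update(strict: bool) -> str:
    """The legitimate path: the owner unlocks first, then the sensitive update installs."""
    phone = Device(pin="7291", user_data="photos+messages", strict_updates=strict)
    phone.try_pin("7291")
    return phone.update_retry_limit(10)


if __name__ == "__main__":
    print("today's model:", pushed_update_then_guess(strict=False))   # data reachable
    print("proposed rule:", pushed_update_then_guess(strict=True))    # None: wiped first
    print("owner path:   ", owner_update(strict=True))                # installed
```

The point of the model is the asymmetry it makes visible: the proposed rule costs the owner nothing (an unlocked phone updates as before), but it removes the one step a compelled vendor could otherwise perform on a locked device without the owner’s cooperation.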

The interesting question will be whether Apple will be legally allowed to engineer their phones this way. This will be such a fascinating and critically important discussion.

And we, technologists, fans of civil liberties and freedom, privacy advocates, we should find more subtle arguments than calling everything a backdoor and, by the transitive property of backdoor evilness, calling every law enforcement action evil. Yes, law enforcement has broken the public’s trust time and time again. Yes, the FBI is clearly playing this one to set a precedent. And yes, we should be incredibly thankful that Apple and others are standing up for user security.

Yet we have important and real issues to confront. How does law enforcement evolve in the age of universal unbreakable encryption? What should be the law-enforcement role of third-party organizations, when those third parties have access to our most intimate secrets? If we do choose, as a people, to compel third parties to assist law enforcement when served with a warrant, I hope we also couple that with the extension of Fourth Amendment protections to data we choose to store with those third parties.

This isn’t as simple as “backdoors!” And it isn’t as simple as “terrorism!” Like Tim Cook said, I’m glad we’re having this debate in public. I hope it stays in public.

Letter to My Two Sons – November 13th, 2015

[this is a little bit raw… on purpose.]

My sons,

You are just 6 and 3, and so you don’t know what happened tonight. A group of suicide bombers killed 150 people in Paris, your father’s hometown. The feeling in my gut today is much like the one I felt on that Tuesday in September 2001, as I tried to get to my office in TriBeCa, shell-shocked people on the street walking past me, thousands of dead in the rubble. Profound sadness, deep anger, frustration, and powerlessness. And this nagging feeling that one of the victims could, under slightly different circumstances, have been me or… you.

That day in 2001, I got to the office just a few blocks north of the towers, just an hour or two after they’d collapsed. I logged into one of our web servers, found an unused IP address (that’s how we did it back then, kids), and built a manual list of “people I know are safe in NYC” (a poor man’s Facebook Safety Check). I frantically emailed friends and built up the list. The URL went around to a few dozen people. A few friends and friends of friends found each other and, hopefully, a small measure of relief. In retrospect, I realize I was coping by doing the only thing I knew how to do: contribute a small positive on a day of pure horror. I don’t mean to praise myself, I simply did what all decent people did that day: help any way I knew how. I knew HTML and web servers, and so that’s what I did.

Much will be written about today, November 13th 2015. Extremists on the right will embrace confirmation bias and recommend closing borders, arming the public, and generally distrusting brown people. Extremists on the left will also embrace confirmation bias and lay the blame entirely on the West’s foreign policy.

To be honest, I don’t really know what to think. Well, no, that’s not quite true: I think those extremists on the right (including many presidential candidates today) are idiots, maniacs, and shouldn’t be allowed within spitting distance of the seat of power. They stoke the fires of retaliation and intolerance, feeding on fear to push their agenda, the furthest thing from democracy and freedom. So yeah, I guess on some level, I do know what to think.

That said… might it help to fight at the source those who committed these awful acts so they don’t get the chance to do it again? Maybe. On the flip side, did we do things that others saw as acts of aggression, for which they then retaliated? Maybe that’s part of it. Are there suicidal/homicidal maniacs who will use anything as an excuse to hurt innocents? Probably. I don’t really know for sure.

So what do we do?

If there is one thing I hope to teach you, it is this: you will not always be safe. It kills me to say this, because I am biologically wired to protect you, and yet… You shouldn’t live your life seeking safety at all costs. You shouldn’t compromise your own freedom because madmen took lives, even if it’s dozens, hundreds or thousands. You shouldn’t compromise your own freedom the second, third, and fourth time something terrible happens, either.

What you can do is choose to be one of those people who help. One of those people who make the world better, in small or big ways. You will live through many more terror attacks, stupid governments, unnecessary wars. The human condition is, in many ways, heartbreaking. You cannot make the heartbreak go away. But you can choose to be a positive force. You can choose to be a helper. Even if it’s something as small as writing a bit of HTML by hand on a warm Tuesday in September, tears streaming down your face, because it’s the only thing you know how to do and because maybe, maybe, it will help one person.