The value prop for the average user is also very weak for encrypting data. I am more likely to lose all my data than prevent some theoretical malfeasance, never mind the extra time and effort. I am not a secret agent.
Not enough, in my opinion. Where most people will fail is on the opsec side. They just don't understand security best practices. I realize that not all problems can be solved, but technology is not just encryption, it's understanding how the technology works so you can avoid leaking information in the hundreds of other ways that are possible on the Internet.
> Plus, let’s be real, end to end encryption doesn’t exist if you’re using any sort of pre-built app. It’s encrypted-looking to most people, but the people who matter always get back door access.
Why do you think this is the case? I know for a fact (with a reasonably high level of confidence) this is not so.
> any accident requiring recovery of my data is also probably going to lose the encryption key.
... why?
i'd hate encrypting too if I threw away all best-practices regarding it -- losing a key with the failed system is a "problem exists between chair and keyboard" type of issue.
Encryption protects your data from yourself, from your adversaries, from serendipitous grey-moral types, and from the prying eyes of over-zealous data-collection conglomerates.
You seem experienced in the field, so I won't presume what your best practices are -- but to be enthusiastic against encryption is a form of cheer-leading that I think I cannot ethically support; the longer I live and the more pervasive companies get to be with their data collection policies then the more powerful and required tools like encryption seem to become.
> There are schemes that would allow for your data to be encrypted and secure from even the cops except in cases where they have a acquired a warrant. The argument that there is no way to do so is more political than technical. This is a solved problem, cryptographically speaking.
It very much is not. All of the schemes that purport to do so involve a systemic risk that the master key is lost to a hostile foreign government or criminal organization, and they inherently prohibit forward secrecy.
> but it shatters the notion that strong commercial encryption has left no opening for law enforcement and hackers
Not sure what cave this guy was living in, unless he's using 'strong' literally (in which case the statement is wrong).
Biggest reason not to trust 'consumer-grade' encryption is that consumers aren't under constant attack, or aren't aware if they are. If I buy a car, I know when it breaks down. Consumer Reports can say if it sucks. There are way fewer 'educated consumers' for encryption technology.
> conflate E2EE to being the only encryption in the world
It is the only relevant one. Nobody who cares about protected messages would be satisfied with untrustworthy encryption.
Sure, technically even a messenger using Caesar cipher is encrypted, but most people expect more than a ticked checkbox.
No real user cares about what technically still counts as encryption, just like nobody outside of biology cares whether walnuts are actually nuts.
> Legislation won’t reduce the use of encryption by criminals and terrorists
Hmm, I used to think this, but now? Now I think most people are bad at tech and security. No reason to expect the average criminal would be better.
Of course, trivial for us to make it, or hide it in something that looks unrelated. And I expect serious organised crime to be able to afford a developer with no morals.
But normal crime? It probably will make a difference.
Not in the slightest. If you would rank all types of encryption by strength, this would be one of the weakest ones, right between writing the text upside down and choosing a custom font.
>You can never trust that your connection is end to end encrypted unless you run encryption yourself
I also can't trust that the meat I buy in the supermarket actually has in it what it says on the packaging technically speaking unless I slaughter a pig myself. Obviously this isn't a reasonable standard to treat anything by.
When a company goes out of their way to actually sell you E2E encryption and the company actually is fairly known and thus liable I can at the very least assume, for practical purposes that they're not lying to me until proven otherwise because they're risking their entire reputation and probably a very costly legal battle.
Do-it-yourself encryption isn't really realistic because it's not going to be used by ~99% of people.
> I mean, the same argument has been applied to other cryptographic tools. Why encrypt your messages, unless you're sending something sketchy? Why obfuscate programs, unless you're hiding something?
It's easy to argue that everyone has legitimate interest in hiding some things in data, but what would be a legitimate case for hiding things in code?
The value prop for the average user is also very weak for encrypting data. I am more likely to lose all my data than prevent some theoretical malfeasance, never mind the extra time and effort. I am not a secret agent.
reply