Apple/Microsoft have a master key to one product which is held by one private company. What you're talking about is a master key to all communications accessible by every government agency of every country provided (maybe) that they can demonstrate "just cause" (or some other nebulous concept). Surely you can see the difference in magnitude?
Just as importantly, they use that key very infrequently, which allows for a great deal more ceremony around when it's taken out and a lot more restriction around who has access to it. I'd expect that the key is only kept on air-gapped systems, for instance.
In theory, the key could stay at the company and the communications are handed over upon lawful request.
To be clear, I am not supporting this. But this will be an argument being made by the other side, thus a good reply should be prepared. NotPetya already demonstrated that malware can come with software updates. But up to now there is no hard evidence that keys of big players have been leaked.
And even for professionals it's hard to keep up. I am using Signal. From time to time I am reminded by Signal (on Android) that I need to update, taking me even to an update screen. How would I know that it is genuine? No other app I have does this.
It's either a lawful request from any country or none. Should corporations get to decide what a lawful request is? That's a horrible idea, too.
FWIW, I am appalled by this constant call to weaken encryption. This is not worthy of any country who deems themselves under the "rule of law". It's even more appalling that they do the dirty work for the countries you listed...
> It's either a lawful request from any country or none.
My preference would be to group countries into categories that respect users and their privacy, and those who don't. And then don't pursue selling into countries that don't respect privacy. And no one gets "gold key" or "backdoor access". It is only a legal front door to the data the provider possesses in plaintext. Specifically, data residing SOLELY on the device would NEVER be in said provider's possession in plaintext form, if the user desired that.
But that will never happen. Because, growth markets, amirite? (Sad face)
> Should corporations get to decide what a lawful request is? That's a horrible idea, too.
Agreed. Corporations don't get to 2nd-level guess the law (ignoring lobbying in this example). They either get to choose to operate within laws of the territories they do business in, or they don't do business in said territory. This is my EXACT complaint against Uber, Airbnb, etc.
> FWIW, I am appalled by this constant call to weaken encryption. This is not worthy of any country who deems themselves under the "rule of law". It's even more appalling that they do the dirty work for the countries you listed...
In total agreement. Furthermore, it is what is viewed as extremely easy. Of course the NSA/CSS/CIA/ABC/DEF whatever will always target and crack open the endpoints. To do a double-duty and attack the crypto itself is just fucking annoying to me due to the collateral damage said efforts bring. They already own the endpoints. Just focus on that. Don't attack the math operations.