Interestingly, such a law does nothing against proper criminals. People that know they have incriminating evidence will either not carry it on their phones or uses some form of steganography to hide it perfectly. In the worst case, they will have some form of wipe-me passphrase that cleans the device before unlocking.
Normal people, on the other hand, do not have these kind of (mental, time) resources. They will be forced to unlock their phones and something incriminating (for instance regarding "hate speech" or "intellectual property rights" or just "traffic violations") will be found. I consider this approach one step more in the direction of keeping every citizen an on-demand criminal. There are so many, sometimes incomprehensible, laws nowadays that pretty much everyone is not compliant.
>such a law does nothing against proper criminals. People that know they have incriminating evidence will either not carry it on their phones or uses some form of steganography to hide it perfectly.
I oppose such a law, as it appears to be very poorly written, but it's pure fantasy that criminals won't do crime via their phones, or will use some sort of advanced steg. Maybe some very talented criminals will do such things, but most criminals are just people: they either don't understand technology well, or else simply engage in risky behaviors.
I agree. Most criminals are not very bright, and in the case of large organized crime, you still need to be able to communicate with employees that aren't very bright. Custom stenography comes at a cost to your organization in terms of troubleshooting and reliability...
The drug dealers are probably just using whatever encrypted app they hear works well, which is why there was that big successful sting using an FBI controlled app recently.
That was far more than just some encrypted messaging app. It was custom secure hardware running on its own (tunneled) network. The manufacturer and operator turned out to be law enforcement in this case though ...
Food for thought: Attending a diplomatic dinner where EU liaisons from various police forces were also present, the head investigator of that country—which I shall not name—told me that their country's biggest outflow of crime to other European countries, were high tech economic crime such as card skimming, money laundry, and white collar crimes. I.e. things that require at least some technical understanding to perform.
There are hundreds of criminals who are not tech savvy (or not tech savvy enough) who will not have any of the mechanisms you postulate, who are frequently caught by the police and are very much "proper criminals".
I don't agree with this law but to say it doesn't do anything against proper criminals is patently false.
> What's the point of a law against breaking and entering? A criminal will break and enter anyway!'
Laws are about justice not prevention.
Other laws are enforced without the criminals cooperation or consent. For example you stab some one, cop finds the knife with your finger prints and the victims blood case closed your off to jail.
This law would be like the cops requiring you to hand over the bloody knife and if you say no then the cops will have no evidence and little recourse but to arrest you for the lesser crime of lying to the police, not very effective.
You said "Can't you say this about all laws?" implying that laws are redundant since criminals won't follow them and obeying citizens don't need them. But that's only true for Criminal law, not for other types of law because people might be breaking the law unintentionally that's why we need it.
To give a trivial example, killing someone would be an example of a Criminal law and you would be right. But tearing down a supporting wall in a block of flats to expand the living room would be an example of a law that needs to be written down because it's not obvious and clear to everyone.
I never said that laws where redundant I argued that any law that requires cooperation to be effective is inherently in-effective on anyone that won't cooperate, namely criminals.
> I don't agree with this law but to say it doesn't do anything against proper criminals is patently false.
It’s not false, we see this with gun control laws 100% of the time. Handguns being illegal in Chicago yet it being rather easy to get one. The laws are followed by noncriminals but criminals don’t care and only get caught after they do something. If at all. So the laws reduce freedoms for noncriminals and criminals just get charged with something else when/if they’re caught. And mind you the criminals don’t care what or how many crimes they’re charged with. At best it deters law abiding citizens, nothing more.
> such a law does nothing against proper criminals.
Doesn't sound right to me; The intersection between criminals and people with good information opsec is tiny(mostly because the latter category is tiny anyway).
I agree the law is problematic, but not for that reason.
Out of curiosity. Why do you mention the latter group (people with good information opsec) is tiny when the former group (criminals) is probably an order of magnitude smaller?
Honestly I thought you were way off base and that the number of criminals would be orders of magnitude higher than infosec workers, but apparently I'm wrong.
"in 2020, there were 1.8 million people in prison" [1]
"[in 2019,] the country’s total employed cybersecurity workforce is just 716,000" [2]
"There are about 465,000 open positions in cybersecurity nationwide as of May 2021" [3]
> is tiny when the former group (criminals) is probably an order of magnitude smaller?
How did you arrive at that? Even a significant fraction of people I know who do security work would agree they don't in general have good info opsec, because it's a pain in the ass. Most of the technical people I know wouldn't even know how to do it properly.
"Criminals" is hard to define precisely, but some small integer percent is at least a reasonable lower bound. Afaics people who are actually good at info opsec don't number in the millions.
So even if we simplify by assuming the rough magnitude of both groups is the same, you still have the intersection of two small groups -> tiny. This is probably complicated a little bit because criminals have more incentive than average, if not more experience.
(Not OP) It does not really matter: if someone is a criminal (however tiny that group is), and we make the (reasonable?) hypothesis that criminals are not more (nor less) informed that the general population, the intersection is really tiny.
But not everyone in infosec have good security because it is a pain in the ass. I would say people with good personal infosec is at most the same order of magnitude as criminals but probably fewer.
It’s an apt description for broadly-scoped criminal laws with highly deferential and selective enforcement. I’d bet a prosecutor could look at any given cellphone and find something to charge the owner with.
Edit- It reminds me this first amendment wonk who pissed off local police and was then ticketed for failure to register his bike: https://m.youtube.com/watch?v=28w6xvRj9EM
True only normal people will feel compelled to give their passwords to authority. A criminal won't give a shit there is nothing an authority can do to compel a criminal to incriminate themselves. I mean what can they do arrest them? I think criminals have made their peace with that.
Normal people, on the other hand, do not have these kind of (mental, time) resources. They will be forced to unlock their phones and something incriminating (for instance regarding "hate speech" or "intellectual property rights" or just "traffic violations") will be found. I consider this approach one step more in the direction of keeping every citizen an on-demand criminal. There are so many, sometimes incomprehensible, laws nowadays that pretty much everyone is not compliant.