back to article GCHQ director blasts free market, says UK must be 'sovereign cryptographic nation'

Speaking this morning to CESG's Information Assurance conference, Robert Hannigan, director of GCHQ, declared that Britain was a "sovereign cryptographic nation" and reproached the free market's ability to provide adequate cybersecurity. The claim was delivered to a cybersecurity shindig attended by government employees and …

Page:

  1. Anonymous Coward
    WTF?

    What?

    We want you to have encryption, we don't want back doors, but we do want access?

    So how does that work then?

    1. Blofeld's Cat
      Black Helicopters

      Re: What?

      "So how does that work then?"

      It's complicated, and often sub-contracted out, but it essentially involves an orange jump-suit, a plank, some buckets of water and, occasionally, a short rubber hose.

      1. Blank-Reg
        Alert

        Re: What?

        "Rasputin, bring hither the skindiving suit with the bottom cut out and unleash the rampant Wildebeest"!

        1. Will Godfrey Silver badge
          Unhappy

          Re: What?

          What they do is sprinkle fairy dust and powdered unicorn horn round the back door portal so the bad guys can't see the way in.

        2. Kane
          Happy

          Re: What?@Blank-Reg

          Silence, Scum!!

          1. Blank-Reg
            Joke

            Re: What?@KANE

            SHUT UP!

        3. Michael H.F. Wilkinson Silver badge
          Joke

          Rasputin?

          "Rasputin, bring hither the skindiving suit with the bottom cut out and unleash the rampant Wildebeest"!

          Shouldn't that be Igor?

          Yeth, Marthter!!

    2. Tom Chiverton 1 Silver badge
      WTF?

      Re: What?

      How does it work ?

      Lawyers. In secret.

      Now might be a good time to join the Open Rights Group and get this sorted out, before it sneaks past and into law, no ? https://www.openrightsgroup.org/join/ if you please :-)

    3. Old Handle

      Re: What?

      Actually I think the recent advice to encrypt voice calls with ID-based encryption is a perfect example of what they're talking about. It doesn't have a back door, true, but by design it requires a third party to have a copy of all the private keys.

      1. dd88ddd

        Re: What?

        If a third party has all of my keys, that is essentially a 'back-door'. It's a way for someone to have exceptional access, circumventing the protection provided by the encryption. I call that a back-door. Besides, you can't stop people from using systems/cipher-suites that have perfect forward secrecy.

    4. John Smith 19 Gold badge
      Unhappy

      We want you to have encryption, we don't want back doors, but we do want access?

      So how does that work then?

      Surprisingly simply.

      A UK user is asked to produce their encryption keys and they can be sent to prison for up to 2 years if they don't.

      Oh, you mean without any evidence of wrong doing or a Judge issuing a warrant.

      1. dd88ddd

        Re: We want you to have encryption, we don't want back doors, but we do want access?

        And if the key was ephemeral, generated on the fly, by the computer, and discarded when the session ended, and I don't know it, and even if I did it would be useless?

        Stupid law.

    5. dd88ddd

      Re: What?

      It doesn't, it's now clear that the intention is for keys to be retained, and he thinks that makes sense.

      someone should tell him about perfect forward secrecy, he'll blow his lid!

  2. Anonymous Coward
    Anonymous Coward

    Thanks

    My household is already a sovereign cryptographic nation.

  3. Anonymous Coward
    Anonymous Coward

    what, backdoors, moi?!

    Front doors, patio doors, windows, vents, skylights, cat doors - it's only fair! Sewers, well, you would, wouldn't you! Likewise air waves, cables, drone comms and pigeon routes. But BACK DOORS?! Never!

  4. DavCrav

    "People and business in the UK should use encryption to protect themselves."

    "information needed for national security and serious crime purposes should not be beyond the lawful, warranted reach of the state"

    These two statements are mutually contradictory. We could call it the doublespeak paradox.

    1. Roger Varley

      >>People and business in the UK should use encryption to protect themselves."

      >>"information needed for national security and serious crime purposes should not be beyond the >>lawful, warranted reach of the state"

      > These two statements are mutually contradictory. We could call it the doublespeak paradox.

      I don't think that they are. I would have no issue with lawful, warranted access. All we need to agree on now is who is going to issue the warrant, (Hint: It's not politicians)

      1. DavCrav

        "I don't think that they are. I would have no issue with lawful, warranted access. All we need to agree on now is who is going to issue the warrant, (Hint: It's not politicians)"

        Right, but then how do you get the information? If you have end-to-end encryption there's only two places to get the data: the person you are investigating and the person they are communicating with. The second person might well be out of UK jurisdiction, so you get the heavy mob to go round to the target's place to seize computers. Now it's tell us your passwords or else time, and we run into another law that people round these parts don't like, the requirement to give up passwords.

        There are serious contradictory statements around here: you cannot have all of the following:

        1) strong encryption that governments cannot break;

        2) warrants, signed off by anyone you want, politicians, judges, the Queen, whoever, that are enforcable;

        3) the ability to refuse to hand over passwords.

        1. Doctor Syntax Silver badge

          One thing that needs to be clarified. If a password is demanded and given then any attempt to use the data obtained via that password should be counted as self-incrimination and not usable as evidence against whoever gave it.

          1. Anonymous Coward
            Anonymous Coward

            The government would argue (and would have a point) that giving up the password knowing it would provide access to self-incriminating evidence would be construed as a waiver of said right. Indeed, such an argument has a chance of passing Constitutional muster in America.

          2. Adam 52 Silver badge

            Extremely unlikely. For two reasons - English courts, unlike US ones, typically allow unlawfully obtained evidence and because the point is to find evidence. It's no different to giving up your house key and expecting the cannabis factory inside to be inadmissible.

            1. Michael H.F. Wilkinson Silver badge
              Black Helicopters

              So what if you encrypt in such a way that password A gives access to some innocuous data (maybe embarrassing enough, or personal enough to want to encrypt, but nothing illegal), and password B (possibly in combination with A) gives access to the real deal. If you hand over password A, could law enforcement know about the extra payload, especially if the payload has a limited number of bits compared to the other content?

              The above scheme is hardly rocket science (or even computer science for that matter, more like a simple form of steganography). If I can think of a way of circumventing a law requiring me to hand over passwords in 60 seconds, so can many others. This does make me feel that laws like that are either simply ill though through, or just a matter of lots of sound and fury to show people the government is taking ACTION!!!!! whilst signifying nothing in real terms. Could be both, of course.

          3. Anonymous Coward
            Anonymous Coward

            And if deniable encryption is in use, nothing of any utility has been revealed anyway.

      2. Ben Norris

        "I don't think that they are [contradictory]. I would have no issue with lawful, warranted access."

        How do you provide warranted access to truely secure encryption if the parties involved don't want to give up the key? Your opinion on whether it is reasonable is irrelevant, without a backdoor, it is impossible. That is the contradiction. Either it is secure from everybody including gov or its not. Backdoors are there for everyone, if gov insists on some type of masterkey hackers and foreign powers will have that in no time because how will it be possible for gov bureaucracy to use that key(s) without passing them around (and losing them)?

      3. dd88ddd

        What you think is irrelevant. Encryption is either compromised, or not compromised. If law enforcement can access my data with a warrant. Then someone can also access it without a warrant. Hackers, disgruntled employees, unscrupulous individuals.

        If they have the keys, they have the keys. It doesn't matter if they're supposed to have a warrant, hackers/criminals don't care, by the very definition, these are people who are breaking the rules.

        Besides, it's not technologically feasible. It's extremely commonplace to use ephemeral session keys, and systems with perfect forward secrecy.

    2. Anonymous Coward
      Anonymous Coward

      lawful, warranted reach of the state

      lawful, warranted reach of the state

      Sure. No objections. Make it a search warrant. Signed by a judge. NOT ONE SIGNED BY A MINION OF THE SPECTER SITTING IN THE HOME OFFICE!!!

    3. Paul 195

      The two statements are not contradictory. What we need to do (somehow) is return to the status quo as it was in the good old days of landlines. The police/secret services could get a warrant to run a line tap and listen in to what the bad guys were saying. Most people would except this was reasonable. The problem now is we have on the one hand agencies like NSA/GCHQ wanting to hoover up all information (unreasonable and undemocratic), and on the other hand strong encryption can make it hard to listen to the guys they do want to listen to.

      Ideally, we want eavesdropping possible with a warrant, while being too difficult and expensive to do otherwise. I don't think this is impossible; you need to be able to subvert the bad guys' hardware when you have a warrant. Or possibly you can break strong crypto given large enough computing resources (like the NSA/GCHQ) have, but it isn't feasible computationally to do it on the wide scale needed to monitor all of us.

  5. John Mangan

    Paging David Cameron

    "First is the myth that the government wants to ban encryption," said the head of GCHQ. "We don’t. We advocate encryption."

    Perhaps he should tell our beloved PM.

    1. Anonymous Coward
      Anonymous Coward

      Re: Paging David Cameron

      I read most of this as :

      "For gods sake shut that twat Cameron up, of course we're not complete morons but he is, and yes encryption is fine and not having back doors is fine, but the stuff that is protected, we'll find a way to get into that like always if need be, we are supposed to be spys you know"

      1. John Brown (no body) Silver badge

        Re: Paging David Cameron

        "For gods sake shut that twat Cameron up, of course we're not complete morons but he is, and yes encryption is fine and not having back doors is fine, but the stuff that is protected, we'll find a way to get into that like always if need be, we are supposed to be spys you know"

        Yes, this.

        We need GCHQ, MI5/6 etc. I've known many military types over the years and many, especially career officers really do believe in serving Queen and country and doing the best they can to protect the country from threat. The powers they have and the powers they need in this Brave New World are great powers and they do need them. But there MUST be checks and balances in place because great power comes with great responsibility and not every one can handle that, let alone the "rogues" who might get through. Then there's the politicians trying to use those powers to gain more power.

        I know at least one military type who told an MP to fuck off when he tried to wield power he didn't actually have but believed that he had the right to.

        The problem as I see it is letting the Police have almost unfettered access to the proposed data collection required the Draft Bill and the potential for fishing expeditions. The security services really are not interested in that stuff. But plod and local council officials are drooling over the the chance to see what they can find.

        1. ashdav

          Re: Paging David Cameron

          Upvoted you for the last sentence.

        2. Anonymous Coward
          Anonymous Coward

          Re: Paging David Cameron

          "and doing the best they can to protect the country from threat"

          It would have been better if that read "protect the country from people they perceive as a threat"

          Over time that has included Jews in post-war Palestine, all Irishmen, then a lot of Afro-Caribbean people, and now Muslims. Yesterday's arrest stemming from Bloody Sunday shows that this stuff doesn't go away.

          I am wary of assuming that the Military and Police establishments act in my interest.

          1. John Brown (no body) Silver badge

            Re: Paging David Cameron

            "I am wary of assuming that the Military and Police establishments act in my interest."

            Me too, but I was referring only to certain individuals who I have known over the years. The problem isn't the individuals on the whole, but the people at the top, the old school tie brigade and their political masters/friends etc.

    2. smudge
      FAIL

      Re: Paging David Cameron

      "First is the myth that the government wants to ban encryption," said the head of GCHQ. "We don’t. We advocate encryption."

      If that is really, truly, accurately what he said, then he needs to reminded sharpish that he is a civil servant, and is NOT the government.

      To save time, he could be done alongside that eejit general who was shooting his mouth off at the weekend.

      1. Graham Dawson Silver badge

        @smudge Re: Paging David Cameron

        Parse the sentence carefully. There's a change of subject from "the government" to "we". He never addresses the idea that "the government" wants to ban encryption, he only says that GCHQ doesn't want to ban it, presumably because suitably holed encryption is far better for GCHQ than no encryption. No encryption means subjects of interest make use of other, more secure means of communication. Encryption riddled with secret access tunnels means you get enough misplaced trust trust in the existing communication methods to give GCHQ a chance of nabbing someone.

      2. Neil Barnes Silver badge
        Black Helicopters

        Re: Paging David Cameron

        "First is the myth that the government wants to ban encryption," said the head of GCHQ. "We don’t. We advocate encryption."

        Of *course* they encourage encryption: what better way to encourage a sense of security while they find their way in through social programming or physical access.

  6. Vimes

    'All the government is saying is information needed for national security and serious crime purposes should not be beyond the lawful, warranted reach of the state when the need arises."'

    Except that councils will also have access, And other bodies too. Not just the police, SOCA or any other related part of the government. Just look at how RIPA was abused if you need any evidence how this will end up. It's a nice statement of intent but doesn't reflect what will end up happening.

    Besides which, isn't that the purpose of encryption? To put information beyond reach?

    As for 'lawful' that has very little meaning when what is lawful can be so easily subverted. The people in a position in authority are the very same as those responsible for those that were caught out using UNLAWFUL practices (KARMA POLICE as one example?). Those same people can push through changes to the law to make what was previously unlawful suddenly and magically lawful.

    'Lawful' is a meaningless term in the context of any ethical consideration.

    1. John H Woods

      "Except that councils will also have access, And other bodies too" -- Vimes

      Yep: the Department for Work and Pensions; the Department for Transport;the Health and Safety Executive; NHS Trusts; the Department of Health; the Gambling Commission ... etc.

      Now, if it's to stop terrorism, only a small list is required: secret services; home office; etc. If it's to stop crime, only the police forces need to be added. Why the hell are all these other bodies on the list? If they have a need for the information to resolve crimes, why can't they go through the police?

      1. Julz

        The full list from the Draft IPB

        Relevant public authority

        --------------------------

        Police force maintained under section 2 of the Police Act 1996

        Metropolitan police force

        City of London police force

        Police Service of Scotland

        Police Service of Northern Ireland

        British Transport Police Force

        Ministry of Defence Police

        Royal Navy Police

        Royal Military Police

        Royal Air Force Police

        Security Service

        Secret Intelligence Service

        GCHQ

        Ministry of Defence

        Department of Health

        Home Office

        Ministry of Justice

        National Crime Agency

        Northern Ireland Office

        Her Majesty’s Revenue and Customs

        Department for Transport

        Department for Work and Pensions

        Common Services Agency for the Scottish Health Service

        Competition and Markets Authority

        Criminal Cases Review Commission

        Department of Enterprise, Trade and Investment in Northern Ireland

        Financial Conduct Authority

        A fire and rescue authority under the Fire and Rescue Services Act 2004

        Food Standards Agency

        Gambling Commission

        Gang masters Licensing Authority

        Health and Safety Executive

        Independent Police Complaints Commission

        Information Commissioner

        National Health Service Business Services Authority

        A National Health Service Trust established under section 5 of the National Health Service and Community Care Act 1990 whose functions, as specified in its establishment order, include the provision of emergency ambulance services

        Northern Ireland Ambulance Service Health and Social Care Trust

        Northern Ireland Fire and Rescue Service Board

        Northern Ireland Health and Social Care Regional Business Services Organisation

        Office of Communications

        Office of the Police Ombudsman for Northern Ireland

        Police Investigations and Review Commissioner

        Scottish Ambulance Service Board

        Scottish Criminal Cases Review Commission

        Serious Fraud Office

        Welsh Ambulance Services National Health Service Trust

        1. Bogle
          Joke

          Re: The full list from the Draft IPB

          > Welsh Ambulance Services National Health Service Trust

          Oh good grief. As far as I'm concerned *Welsh* is encrypted.

        2. Vimes

          Re: The full list from the Draft IPB

          Except that if you look at section 57 of the draft bill it looks like local authorities are also counted as 'relevant public authorities'. I haven't gone into detail, but if you look at the bill...

          From the bill: (emphasis added by me)

          57 Local authorities as relevant public authorities

          (1) A local authority is a relevant public authority for the purposes of this Part.

          (2) In this Part “designated senior officer”, in relation to a local authority, means

          an individual who holds with the authority—

          (a) the position of director, head of service or service manager (or equivalent), or

          (b) a higher position.

          (3) A designated senior officer of a local authority may grant an authorisation for obtaining communications data only if section 46(1)(a) is satisfied in relation to a purpose within section 46(7)(b).

          (4) The Secretary of State may by regulations amend subsection (2).

          (5) Sections 58 and 59 impose further restrictions in relation to the grant of

          authorisations by local authorities.

          Then when you follow this through to section 46 you end up with these reasons, some of which could end up with some quite trivial justifications (prosecuting litterers or checking school applicants anyone?):

          (7) It is necessary and proportionate to obtain communications data for a purpose

          falling within this subsection if it is necessary and proportionate to obtain the data—

          (a) in the interests of national security,

          (b) for the purpose of preventing or detecting crime or of preventing disorder,

          (c) in the interests of the economic well-being of the United Kingdom so far as those interests are also relevant to the interests of national security,

          (d) in the interests of public safety,

          (e) for the purpose of protecting public health,

          (f) for the purpose of assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department,

          (g) for the purpose, in an emergency, of preventing death or injury or any damage to a person’s physical or mental health, or of mitigating any injury or damage to a person’s physical or mental health,

          (h) to assist investigations into alleged miscarriages of justice,

          (i) where a person (“P”) has died or is unable to identify themselves because of a physical or mental condition—

          (i) to assist in identifying P, or

          (ii) to obtain information about P’s next of kin or other persons connected with P or about the reason for P’s death or condition, or

          (j) for the purpose of exercising functions relating to—

          (i) the regulation of financial services and markets, or

          (ii) financial stability.

          1. Anonymous Coward
            Anonymous Coward

            Re: The full list from the Draft IPB

            (g) for the purpose, in an emergency, of preventing death or injury or any damage to a person’s physical or mental health, or of mitigating any injury or damage to a person’s physical or mental health,

            PIU - pleb in uniform, GM - govmt. minion

            PIU: I need to obtain authorisation as the subject is in serious possibility of damage to his physical health

            GM: what is the nature of this damage

            PIU:have you seen my boots, they is well hard

            GM:granted

          2. Asterix the Gaul

            Re: The full list from the Draft IPB

            From the above,it sounds like it's true that they are not after a 'back door' to intrude,just a 'BARN DOOR'!

            'Use & ABUSE' that's the motto inherent in this piece of STASI legislation.

        3. Omgwtfbbqtime
          Facepalm

          Re: The full list from the Draft IPB

          Surprised the Borders Agency didn't make the cut.

          The MOD Plod relevant?????? They've never been relevant.

        4. Anonymous Coward
          Holmes

          Re: The full list from the Draft IPB

          you missed Uncle Tom Cobbly, an all!

    2. Anonymous Coward
      Anonymous Coward

      Also, cleverly

      'Warranted' doesn't mean with a warrant. Yes, very clever wording.

  7. Dabooka
    Black Helicopters

    I may be wrong

    but surely the statement about not wishing for back doors etc is a)because they have them and they're lying or (more realistically for me) b) they have other ways, possible exclusive methods too. Encouraging greater encryption would likely as not would put them in the driving seat too as other less developed agencies would not be able to pry like they can.

    Of course I might be talking complete bollocks, what do I know?!

    1. Paul Crawford Silver badge

      Re: I may be wrong

      You forget that GCHQ, like most agencies, is not a simple creature with a single goal.

      What they should be doing is protecting the UK: that means defence, business and private lives, as they are all inter-related.

      On one hand that means stopping The Bad Guys(tm) from having access, and that means encouraging properly used encryption to make sure that information goes where it should and not in to the wrong hands. On the other hand it means having to break encryption to spy or assist the police for what should be the same goal, and there is an obvious conflict of interests there.

      Most will realise that both goals are justified, but given the evidence of past lying and political machinations bending of the rules, there is a serious mistrust of either goal. This is made so much worse by the clueless fuckwits calibre of politician we seem to get in charge of the situation.

      1. Asterix the Gaul

        Re: I may be wrong

        "On one hand that means stopping The Bad Guys(tm) from having access".

        Just who are the 'BAD GUYS'?

        From NOT just any potential wrongdoer,but millions of 'freedom' lovers too, it's a probable that GCHQ are,along with the 'authorities' within that draft bill,the 'real' villains of the peace.

        As ALWAYS, it's the Westminster trash that are constantly subverting the freedoms that were preserved with such loss of life in WW2.

        It is they who distort the facts & stand the truth on it's head by justifying the bill through making everyone a potential villain.

    2. werdsmith Silver badge

      Re: I may be wrong

      If there has been a quantum computing breakthrough and the people in the giant dough-nut are using it to routinely break encryption, then we are not going to know about it for at least 30 years, if ever.

      The old urban myths about oil companies buying and scrapping any alternative energy inventions that threaten demand for fuel, applies for real to any research into Quantum or other advanced method that can be used against encryption. It simply will remain a secret.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like