What?
We want you to have encryption, we don't want back doors, but we do want access?
So how does that work then?
Speaking this morning to CESG's Information Assurance conference, Robert Hannigan, director of GCHQ, declared that Britain was a "sovereign cryptographic nation" and reproached the free market's ability to provide adequate cybersecurity. The claim was delivered to a cybersecurity shindig attended by government employees and …
Actually I think the recent advice to encrypt voice calls with ID-based encryption is a perfect example of what they're talking about. It doesn't have a back door, true, but by design it requires a third party to have a copy of all the private keys.
If a third party has all of my keys, that is essentially a 'back-door'. It's a way for someone to have exceptional access, circumventing the protection provided by the encryption. I call that a back-door. Besides, you can't stop people from using systems/cipher-suites that have perfect forward secrecy.
So how does that work then?
Surprisingly simply.
A UK user is asked to produce their encryption keys and they can be sent to prison for up to 2 years if they don't.
Oh, you mean without any evidence of wrongdoing or a judge issuing a warrant.
"People and business in the UK should use encryption to protect themselves."
"information needed for national security and serious crime purposes should not be beyond the lawful, warranted reach of the state"
These two statements are mutually contradictory. We could call it the doublespeak paradox.
>> "People and business in the UK should use encryption to protect themselves."
>> "information needed for national security and serious crime purposes should not be beyond the lawful, warranted reach of the state"
> These two statements are mutually contradictory. We could call it the doublespeak paradox.
I don't think that they are. I would have no issue with lawful, warranted access. All we need to agree on now is who is going to issue the warrant, (Hint: It's not politicians)
"I don't think that they are. I would have no issue with lawful, warranted access. All we need to agree on now is who is going to issue the warrant, (Hint: It's not politicians)"
Right, but then how do you get the information? If you have end-to-end encryption there's only two places to get the data: the person you are investigating and the person they are communicating with. The second person might well be out of UK jurisdiction, so you get the heavy mob to go round to the target's place to seize computers. Now it's tell us your passwords or else time, and we run into another law that people round these parts don't like, the requirement to give up passwords.
There are serious contradictory statements around here: you cannot have all of the following:
1) strong encryption that governments cannot break;
2) warrants, signed off by anyone you want, politicians, judges, the Queen, whoever, that are enforceable;
3) the ability to refuse to hand over passwords.
So what if you encrypt in such a way that password A gives access to some innocuous data (maybe embarrassing enough, or personal enough to want to encrypt, but nothing illegal), and password B (possibly in combination with A) gives access to the real deal. If you hand over password A, could law enforcement know about the extra payload, especially if the payload has a limited number of bits compared to the other content?
The above scheme is hardly rocket science (or even computer science for that matter, more like a simple form of steganography). If I can think of a way of circumventing a law requiring me to hand over passwords in 60 seconds, so can many others. This does make me feel that laws like that are either simply ill thought through, or just a matter of lots of sound and fury to show people the government is taking ACTION!!!!! whilst signifying nothing in real terms. Could be both, of course.
And if deniable encryption is in use, nothing of any utility has been revealed anyway.
"I don't think that they are [contradictory]. I would have no issue with lawful, warranted access."
How do you provide warranted access to truly secure encryption if the parties involved don't want to give up the key? Your opinion on whether it is reasonable is irrelevant; without a backdoor, it is impossible. That is the contradiction. Either it is secure from everybody including gov or it's not. Backdoors are there for everyone; if gov insists on some type of master key, hackers and foreign powers will have that in no time, because how will it be possible for gov bureaucracy to use that key(s) without passing them around (and losing them)?
What you think is irrelevant. Encryption is either compromised, or not compromised. If law enforcement can access my data with a warrant, then someone can also access it without a warrant. Hackers, disgruntled employees, unscrupulous individuals.
If they have the keys, they have the keys. It doesn't matter if they're supposed to have a warrant, hackers/criminals don't care, by the very definition, these are people who are breaking the rules.
Besides, it's not technologically feasible. It's extremely commonplace to use ephemeral session keys, and systems with perfect forward secrecy.
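An added illustration of the point argued in the comments above about escrowed keys versus ephemeral session keys with perfect forward secrecy (not code from any commenter or from the article). The toy group `P`/`G`, the toy keystream and every function name are assumptions made for the example.

```python
import hashlib
import secrets

# Toy group (assumption, illustration only). Real protocols use vetted
# curves or groups such as X25519; do not reuse these parameters.
P = 2**255 - 19
G = 2

def keypair():
    """Return (private, public) for the toy Diffie-Hellman group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(my_priv, peer_pub, nonce):
    """Derive a 32-byte session key from the DH shared value and a nonce."""
    shared = pow(peer_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big") + nonce).digest()

def xor_stream(key, data):
    """Toy stream cipher: SHA-256 in counter mode, XORed with the data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def static_session(alice_lt, bob_lt, msg):
    """Long-term keys perform the key agreement (what key escrow relies on)."""
    nonce = secrets.token_bytes(16)
    key = session_key(alice_lt[0], bob_lt[1], nonce)
    # Everything returned here is visible to a passive recorder.
    return {"a_pub": alice_lt[1], "b_pub": bob_lt[1], "nonce": nonce,
            "ct": xor_stream(key, msg)}

def ephemeral_session(msg):
    """Fresh per-session keys perform the key agreement, then are discarded.
    Long-term keys would only sign a_pub/b_pub (authentication omitted)."""
    ea_priv, ea_pub = keypair()
    eb_priv, eb_pub = keypair()
    nonce = secrets.token_bytes(16)
    key = session_key(ea_priv, eb_pub, nonce)
    return {"a_pub": ea_pub, "b_pub": eb_pub, "nonce": nonce,
            "ct": xor_stream(key, msg)}

def escrow_decrypt(escrowed_priv, recorded):
    """Replay a recorded session using Alice's escrowed long-term key."""
    key = session_key(escrowed_priv, recorded["b_pub"], recorded["nonce"])
    return xor_stream(key, recorded["ct"])

if __name__ == "__main__":
    alice, bob = keypair(), keypair()
    msg = b"constructed sample message"
    print(escrow_decrypt(alice[0], static_session(alice, bob, msg)) == msg)
    print(escrow_decrypt(alice[0], ephemeral_session(msg)) == msg)
```

The escrowed long-term key recovers the recorded static session but not the ephemeral one, because the private values that produced that session key no longer exist anywhere.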
The two statements are not contradictory. What we need to do (somehow) is return to the status quo as it was in the good old days of landlines. The police/secret services could get a warrant to run a line tap and listen in to what the bad guys were saying. Most people would accept this was reasonable. The problem now is we have on the one hand agencies like NSA/GCHQ wanting to hoover up all information (unreasonable and undemocratic), and on the other hand strong encryption can make it hard to listen to the guys they do want to listen to.
Ideally, we want eavesdropping possible with a warrant, while being too difficult and expensive to do otherwise. I don't think this is impossible; you need to be able to subvert the bad guys' hardware when you have a warrant. Or possibly you can break strong crypto given large enough computing resources (like the NSA/GCHQ have), but it isn't feasible computationally to do it on the wide scale needed to monitor all of us.
I read most of this as:
"For God's sake shut that twat Cameron up, of course we're not complete morons but he is, and yes encryption is fine and not having back doors is fine, but the stuff that is protected, we'll find a way to get into that like always if need be, we are supposed to be spies you know"
"For God's sake shut that twat Cameron up, of course we're not complete morons but he is, and yes encryption is fine and not having back doors is fine, but the stuff that is protected, we'll find a way to get into that like always if need be, we are supposed to be spies you know"
Yes, this.
We need GCHQ, MI5/6 etc. I've known many military types over the years and many, especially career officers, really do believe in serving Queen and country and doing the best they can to protect the country from threat. The powers they have and the powers they need in this Brave New World are great powers and they do need them. But there MUST be checks and balances in place because great power comes with great responsibility and not everyone can handle that, let alone the "rogues" who might get through. Then there's the politicians trying to use those powers to gain more power.
I know at least one military type who told an MP to fuck off when he tried to wield power he didn't actually have but believed that he had the right to.
The problem as I see it is letting the Police have almost unfettered access to the proposed data collection required by the Draft Bill and the potential for fishing expeditions. The security services really are not interested in that stuff. But plod and local council officials are drooling over the chance to see what they can find.
"and doing the best they can to protect the country from threat"
It would have been better if that read "protect the country from people they perceive as a threat"
Over time that has included Jews in post-war Palestine, all Irishmen, then a lot of Afro-Caribbean people, and now Muslims. Yesterday's arrest stemming from Bloody Sunday shows that this stuff doesn't go away.
I am wary of assuming that the Military and Police establishments act in my interest.
"I am wary of assuming that the Military and Police establishments act in my interest."
Me too, but I was referring only to certain individuals who I have known over the years. The problem isn't the individuals on the whole, but the people at the top, the old school tie brigade and their political masters/friends etc.
"First is the myth that the government wants to ban encryption," said the head of GCHQ. "We don’t. We advocate encryption."
If that is really, truly, accurately what he said, then he needs to be reminded sharpish that he is a civil servant, and is NOT the government.
To save time, he could be done alongside that eejit general who was shooting his mouth off at the weekend.
Parse the sentence carefully. There's a change of subject from "the government" to "we". He never addresses the idea that "the government" wants to ban encryption, he only says that GCHQ doesn't want to ban it, presumably because suitably holed encryption is far better for GCHQ than no encryption. No encryption means subjects of interest make use of other, more secure means of communication. Encryption riddled with secret access tunnels means you get enough misplaced trust in the existing communication methods to give GCHQ a chance of nabbing someone.
"First is the myth that the government wants to ban encryption," said the head of GCHQ. "We don’t. We advocate encryption."
Of *course* they encourage encryption: what better way to encourage a sense of security while they find their way in through social programming or physical access.
"All the government is saying is information needed for national security and serious crime purposes should not be beyond the lawful, warranted reach of the state when the need arises."
Except that councils will also have access. And other bodies too. Not just the police, SOCA or any other related part of the government. Just look at how RIPA was abused if you need any evidence how this will end up. It's a nice statement of intent but doesn't reflect what will end up happening.
Besides which, isn't that the purpose of encryption? To put information beyond reach?
As for 'lawful', that has very little meaning when what is lawful can be so easily subverted. The people in a position of authority are the very same as those responsible for those that were caught out using UNLAWFUL practices (KARMA POLICE as one example?). Those same people can push through changes to the law to make what was previously unlawful suddenly and magically lawful.
'Lawful' is a meaningless term in the context of any ethical consideration.
"Except that councils will also have access. And other bodies too" -- Vimes
Yep: the Department for Work and Pensions; the Department for Transport; the Health and Safety Executive; NHS Trusts; the Department of Health; the Gambling Commission ... etc.
Now, if it's to stop terrorism, only a small list is required: secret services; home office; etc. If it's to stop crime, only the police forces need to be added. Why the hell are all these other bodies on the list? If they have a need for the information to resolve crimes, why can't they go through the police?
Relevant public authority
--------------------------
Police force maintained under section 2 of the Police Act 1996
Metropolitan police force
City of London police force
Police Service of Scotland
Police Service of Northern Ireland
British Transport Police Force
Ministry of Defence Police
Royal Navy Police
Royal Military Police
Royal Air Force Police
Security Service
Secret Intelligence Service
GCHQ
Ministry of Defence
Department of Health
Home Office
Ministry of Justice
National Crime Agency
Northern Ireland Office
Her Majesty’s Revenue and Customs
Department for Transport
Department for Work and Pensions
Common Services Agency for the Scottish Health Service
Competition and Markets Authority
Criminal Cases Review Commission
Department of Enterprise, Trade and Investment in Northern Ireland
Financial Conduct Authority
A fire and rescue authority under the Fire and Rescue Services Act 2004
Food Standards Agency
Gambling Commission
Gangmasters Licensing Authority
Health and Safety Executive
Independent Police Complaints Commission
Information Commissioner
National Health Service Business Services Authority
A National Health Service Trust established under section 5 of the National Health Service and Community Care Act 1990 whose functions, as specified in its establishment order, include the provision of emergency ambulance services
Northern Ireland Ambulance Service Health and Social Care Trust
Northern Ireland Fire and Rescue Service Board
Northern Ireland Health and Social Care Regional Business Services Organisation
Office of Communications
Office of the Police Ombudsman for Northern Ireland
Police Investigations and Review Commissioner
Scottish Ambulance Service Board
Scottish Criminal Cases Review Commission
Serious Fraud Office
Welsh Ambulance Services National Health Service Trust
Except that if you look at section 57 of the draft bill it looks like local authorities are also counted as 'relevant public authorities'. I haven't gone into detail, but if you look at the bill...
From the bill: (emphasis added by me)
57 Local authorities as relevant public authorities
(1) A local authority is a relevant public authority for the purposes of this Part.
(2) In this Part “designated senior officer”, in relation to a local authority, means an individual who holds with the authority—
(a) the position of director, head of service or service manager (or equivalent), or
(b) a higher position.
(3) A designated senior officer of a local authority may grant an authorisation for obtaining communications data only if section 46(1)(a) is satisfied in relation to a purpose within section 46(7)(b).
(4) The Secretary of State may by regulations amend subsection (2).
(5) Sections 58 and 59 impose further restrictions in relation to the grant of authorisations by local authorities.
Then when you follow this through to section 46 you end up with these reasons, some of which could end up with some quite trivial justifications (prosecuting litterers or checking school applicants anyone?):
(7) It is necessary and proportionate to obtain communications data for a purpose falling within this subsection if it is necessary and proportionate to obtain the data—
(a) in the interests of national security,
(b) for the purpose of preventing or detecting crime or of preventing disorder,
(c) in the interests of the economic well-being of the United Kingdom so far as those interests are also relevant to the interests of national security,
(d) in the interests of public safety,
(e) for the purpose of protecting public health,
(f) for the purpose of assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department,
(g) for the purpose, in an emergency, of preventing death or injury or any damage to a person’s physical or mental health, or of mitigating any injury or damage to a person’s physical or mental health,
(h) to assist investigations into alleged miscarriages of justice,
(i) where a person (“P”) has died or is unable to identify themselves because of a physical or mental condition—
(i) to assist in identifying P, or
(ii) to obtain information about P’s next of kin or other persons connected with P or about the reason for P’s death or condition, or
(j) for the purpose of exercising functions relating to—
(i) the regulation of financial services and markets, or
(ii) financial stability.
(g) for the purpose, in an emergency, of preventing death or injury or any damage to a person’s physical or mental health, or of mitigating any injury or damage to a person’s physical or mental health,
PIU - pleb in uniform, GM - govmt. minion
PIU: I need to obtain authorisation as the subject is in serious possibility of damage to his physical health
GM: what is the nature of this damage
PIU: have you seen my boots, they is well hard
GM: granted
But surely the statement about not wishing for back doors etc. is a) because they have them and they're lying or (more realistically for me) b) they have other ways, possibly exclusive methods too. Encouraging greater encryption would likely as not put them in the driving seat too, as other less developed agencies would not be able to pry like they can.
Of course I might be talking complete bollocks, what do I know?!
You forget that GCHQ, like most agencies, is not a simple creature with a single goal.
What they should be doing is protecting the UK: that means defence, business and private lives, as they are all inter-related.
On one hand that means stopping The Bad Guys(tm) from having access, and that means encouraging properly used encryption to make sure that information goes where it should and not in to the wrong hands. On the other hand it means having to break encryption to spy or assist the police for what should be the same goal, and there is an obvious conflict of interests there.
Most will realise that both goals are justified, but given the evidence of past lying and political machinations bending of the rules, there is a serious mistrust of either goal. This is made so much worse by the clueless fuckwits calibre of politician we seem to get in charge of the situation.
"On one hand that means stopping The Bad Guys(tm) from having access".
Just who are the 'BAD GUYS'?
From NOT just any potential wrongdoer, but millions of 'freedom' lovers too, it's probable that GCHQ are, along with the 'authorities' within that draft bill, the 'real' villains of the peace.
As ALWAYS, it's the Westminster trash that are constantly subverting the freedoms that were preserved with such loss of life in WW2.
It is they who distort the facts & stand the truth on its head by justifying the bill through making everyone a potential villain.
If there has been a quantum computing breakthrough and the people in the giant doughnut are using it to routinely break encryption, then we are not going to know about it for at least 30 years, if ever.
The old urban myths about oil companies buying and scrapping any alternative energy inventions that threaten demand for fuel apply for real to any research into quantum or other advanced methods that can be used against encryption. It simply will remain a secret.