Governments appear determined to end online banking and shopping. I find that strange; but, oh well...
Look who's joined the anti-encryption posse: Germany, come on down
Germany has joined an increasing number of countries looking to introduce anti-encryption laws. Speaking on Wednesday, German interior minister Thomas de Maizière said the government was preparing a new law that would give the authorities the right to decipher and read private encrypted messages, specifically citing encrypted …
COMMENTS
-
-
Friday 16th June 2017 06:10 GMT Voland's right hand
Do not think so.
If it is "via access to device" that is only on individual subjects and most likely authorized by court order or an equivalent procedure as required by the local legal intercept laws. This is not breaking encryption in general and mass surveillance. So it does not do anything to Internet banking, etc.
It is what it is: mandate phone vendors to support legal intercept. It also makes technical sense - the phones now are so smart that they are a component of the network in itself. If implemented correctly it can be locked down so it can be accessed only via the carrier device provisioning system.
It is also fairly easy to circumvent - just get a foreign phone and enjoy the abolishment of roaming fees in the EU.
-
Friday 16th June 2017 07:06 GMT Baldrickk
accessed only via the carrier device provisioning system.
Yeah sure. This is no better than adding remote access to my device - that I have no control over.
What happens if there is a flaw in whatever method they use to implement this? What if someone gets into the carrier's system and gets access to the key/s? What about a rogue technician in the carrier? Suddenly everyone's device is wide open.
No no no no no. None of this is good.
They want / need access to my device? fine. They can get a court order, and come take it. I'll even unlock it for them, I have nothing to hide. But to force remote access tools onto user devices that can't be controlled by the user? No.
-
-
Friday 16th June 2017 10:16 GMT Dazed and Confused
Re: accessed only via the carrier device provisioning system.
> What happens if when there is a flaw in whatever method they use to implement this?
You mean when the civil servant leaves the documentation, including the keys, on the train or when the minister is photographed walking into an office holding a piece of paper with all the details on it?
No, things like that never happen, never, not even once.
-
-
-
Friday 16th June 2017 10:15 GMT Loyal Commenter
If it is "via access to device" that is only on individual subjects and most likely authorized by court order or an equivalent procedure as required by the local legal intercept laws. This is not breaking encryption in general and mass surveillance. So it does not do anything to Internet banking, etc.
In practice, law enforcement agencies won't know what devices a 'terrorist' is using until after the fact, so what they must want, in order to be able to do this, is to install this software on all phones, and then have a court order to use it (or to use the evidence gathered by it). There are myriad technical and practical reasons why this is fundamentally insecure, not least of which is the fact that if there is a 'master' key that allows access to unencrypted data, the most efficient way to obtain that key is not by hacking, but by repeated application of a short length of rubber hose to the right person until the key is obtained. In other words, there is always a weakest link, and criminals tend to have a much lower threshold of what is considered acceptable in order to break that link.
-
-
Friday 16th June 2017 11:31 GMT Nattrash
Sorry to point the finger at your click-bait headlining, Kieren, but maybe you shouldn't rely so much on Google Translate...
After reading some material of your German cousins (heise.de) and some respected German news sources (Frankfurter Allgemeine Zeitung, Süddeutsche Zeitung, dpa), it turns out you didn't get your facts straight. On top of that you made it all a bit more juicy. Just like Mr. Spock said: “I didn't lie, I implied.”
https://www.heise.de/newsticker/meldung/May-und-Macron-wollen-Zugang-zu-verschluesselter-Kommunikation-3743918.html
https://www.heise.de/newsticker/meldung/Innenminister-wollen-Messenger-wie-WhatsApp-ueberwachen-3743669.html
https://www.swr.de/swraktuell/ausdehnung-der-ueberwachungsstrategie-wenn-ermittler-bei-whatsapp-co/-/id=396/did=18724184/nid=396/1nsqi22/index.html
http://www.sueddeutsche.de/news/politik/innere-sicherheit-mit-musterpolizeigesetz-gegen-terror-und-kriminalitaet-dpa.urn-newsml-dpa-com-20090101-170614-99-849430
http://www.faz.net/aktuell/politik/inland/innenminister-de-maiziere-will-zugang-zu-whatsapp-nachrichten-15055364.html
According to these, Thomas de Maizière never spoke of making encryption illegal, breaking encryption, backdoors, or something similar. In addition, it's also probably stretching it, to suggest that the UK, France, and Germany now stand side-by-side, acting similarly.
No, according to the local language sources I read, de Maizière, during a local meeting, spoke at a gathering of Ministers of the Interior of the German Bundesländer (states with their own full government, budgets, elections, and independence, which make up the Federal Republic of Germany – https://en.wikipedia.org/wiki/States_of_Germany). Here, he stated that in order to fight heavy crime, security services should have access to all communication, including encrypted services like WhatsApp and Telegram. This statement is another statement in an already old issue, which involves the legality, and potential legislation of the "digital/ online search (warrant)" (TKÜ - Telekommunikationsüberwachung).
That's all. Nothing about making encryption illegal. Or banning the use of encryption. Actually, de Maizière is reported to have said:
„Wir wollen, dass Messenger-Dienste eine Ende-zu-Ende-Verschlüsselung haben, damit die Kommunikation unbescholtener Bürger ungestört und sicher ist.“ (FAZ)
which translates as “We want that messenger services have an end-to-end encryption, ensuring that the communication of respectable citizens is undisturbed and secure.”
Also, as reported by ElReg:
"Speaking on Wednesday, German interior minister Thomas de Maizière said the government was preparing a new law that would give the authorities the right to decipher and read private encrypted messages, specifically citing encrypted messaging apps such as WhatsApp and Signal."
seems a rather rubbish quote.
First, the Germans are not putting their money on breaking encryption, making it illegal, or forcing backdoors.
"Software to read a suspect's ongoing communication on a device before it is encrypted. Both instruments are soon to be regulated in the Code of Criminal Procedure (Strafprozessordnung). - FAZ"
Actually, as they have done before, they are talking about the approach where they can introduce software on the device of a suspect, which will give insight before encryption happens. From this one can also read that this does not imply a mass surveillance approach (US, UK), but a targeted one, most likely after the issuing of a search warrant.
I'm sorry I've to point this out. Your piece stuck out like a sore thumb, especially since I work here for a while and by now am familiar with the pretty strict, generally cherished, and completely different from the UK, Datenschutzgesetz (https://en.wikipedia.org/wiki/Bundesdatenschutzgesetz). I suppose that those fundamental legal and social differences make the number of CCTV cameras between the UK and Germany so illustrative, and the discussion about blurred properties on Google Streetview so interesting...
-
Friday 16th June 2017 12:29 GMT Anonymous Coward
Japan has just passed a 5-eyes law
from slashdot
"someone in Japan can now catch a terrorism-related charge for even planning or discussing on social media the acts of: Copying music; Conducting sit-ins to protest against the construction of apartment buildings; Using forged stamps; Competing in a motor boat race without a license; Mushroom picking in conservation forests; Avoiding paying consumption tax. " (lots more random stuff)
potentially as the profits might be used to fund terrrr
-
-
Thursday 15th June 2017 19:08 GMT Snowy
Hahahahah
[quote]Force the companies providing the encryption to introduce backdoors.[/quote]
A backdoor in encryption is an open door making encryption less than worthless. Look at how NSA failed to keep their tools locked up.
Mandating encryption backdoors is like making all knives sold (including cutlery and letter openers) to be sold blunt with a large ball welded on the end, with a large fine or jail time for anyone who sharpens or removes the ball.
-
Thursday 15th June 2017 19:09 GMT Anonymous Coward
1 Force the companies providing the encryption to introduce backdoors.
2 Focus huge computing resources on a specific set of encrypted messages in order to crack the encryption.
3 Force the operating system and mobile phone companies to come up with a way to grant third-party access to someone's device so they can pose as the user and bypass encryption.
Well, the cheapest one for governments is option 3, and that's the closest to the system used for telephone networks. They'll go with that.
Enforcement against OTT services based outside jurisdiction is harder, but it's easy to go after the advertisers and assets.
And if we're to pick up ideas from the USA, extra-territoriality of law isn't such a big problem. The Americans seem to have no problem with the concept...
-
Friday 16th June 2017 02:36 GMT Mark 65
It is clear from the German interior minister's comments that it is focusing on the third, most pragmatic solution: gaining access to someone's phone or other device.
It is also clear that such behaviour will rapidly lead to wide availability of a Qubes style OS for smartphones in order to prevent said pricks from installing shit on everyone's phone because, as we all know, they just simply cannot help themselves when it comes to mass rather than targeted surveillance.
-
Tuesday 20th June 2017 21:07 GMT Anonymous Coward
When you finally wake up it's going to be too late!!!
Today's "government-approved" encryption systems were designed to allow for the efficient collection and brute-force cryptanalysis. The security paradigm was DESIGNED to be a big back door.
Consider this:
1. Most commercial encryption today is standards based and "government-approved". Today, knowledge is power. You really think that those in the intelligence services would allow a major strategic advantage to disappear just like that? You're a greater idiot than you thought. There's no better way to get intelligence than to make someone believe that they are safe. That's how one creates a killing field. Mass processing.
2. Security in the cloud - good joke - this is just the solution to ensure that your data is easily accessible - collecting vast amounts of data requires storage. Why not get the masses to pay for the privilege of storing their own easily accessible data - kill two birds with one stone.
3. All commercial encryption systems have a natural back door - it's called the equivocation depletion problem. It's how Turing knew that he could break Enigma, just today we have far more powerful processing systems. That's why keys are kept a fixed length. Despite equivocation being defined by Shannon, all academic cryptanalysts avoid it like the plague - it shows that their security solutions have no security - no equivocation. Today's commercially available crypto solutions have no scientific basis for their security. It's mathematical bullshit. As mentioned, the techniques used by Turing to break Enigma are equally applicable to AES-256 or whatever cipher you use.
4. Our random number generators are pseudo-random, therefore our encryption is pseudo-secure.
5. Then there's the blatant joke of security being based on assumptions of mathematical complexity!! We shower the inventors with accolades - despite the solutions having no scientific merit. It's an assumption of security - goes against basic logic, one must assume insecurity until security is established scientifically.
6. Standards are there not to ensure security, but to allow for cryptographic "killing fields" to be created. They ensure that the cryptographic solutions have fixed dimensions. Fixed keys, fixed operations, fixed code pages, fixed message preambles - get the picture?
7. More mathematical bullshit about how factoring prime products will take millions of years - Can we be so sure that a rapid solution wasn't invented before asymmetric encryption appeared? Note there are more than 9 rapid solutions for factoring primes existed even before the concept became public.
8. Ever wonder why no security company guarantees the security of their encryption algorithms? It's because they know that they are crap. They do not even satisfy Shannon's requirements for practical secrecy systems - the worst kind.
9. Despite the one-time pad being absolutely secure, scientifically secure - are we to believe that no-one in almost 100 years has fixed its issues so that it can be practically implemented in a digital framework?
Someone has gone to considerable lengths to bullshit the general public, because today's encryption systems do not even satisfy basic security - it's merely safety. We're being electronically enslaved, and we don't even know it, for without our privacy, we are merely slaves. And now A.I. promises to be our saviour - yeah, right.
As for current security breaches, it's amazing how the implementations get blamed. And now no-one wants our insecure security systems to be fixed - there's massive revenue generation cash cows out there. Now, even the software companies create their own back doors - hey, blame the implementation.
Even perfect implementations are insecure.
Here's the good news... equivocation augmentation has been invented and is patent pending internationally at the moment - practical scientifically verifiable encryption is here. It is provably secure against any future machine brute-force attack, has no back doors, and is the first encryption algorithm to break the "equivocation-barrier". A whole entire field of cryptographic security research - has just opened up.
It will be used to protect humanity.
-
-
Thursday 15th June 2017 22:59 GMT Daggerchild
The Irony Curtain
Do you know what Putin could do now to *really* *REALLY* piss off the West? Go straight!
The crown of Freedom and Justice is rolling around the floor right now as Trump stuffs his face in the trough and May shrieks from behind her barred door.
If I remember my history lessons correctly, proper law and order was only established after the elites started getting annoyed at the murders/corruption etc mucking up their neat empires, and began forcing it down from on high.
Putin could do that if he wanted to, he has the power and the personality. To steal the West's glorious name, their reputation - that would be so horribly fitting right now.
-
-
Thursday 15th June 2017 19:14 GMT Bloodbeastterror
"The privacy of a terrorist...
...can never be more important than public safety"
A cack premise.
"The privacy of a terrorist can never be more important than the privacy of the entire populace" is the correct comparison. Or vice-versa.
Stupid soundbite-led politicians. Unfortunately followed by stupid soundbite-led voters.
-
Thursday 15th June 2017 19:15 GMT Duncan Macdonald
Offline encryption ?
If you encrypt/decrypt the messages on an offline system with no internet connection and use a good encryption package (eg OpenPGP) then there is NO way that the messages can be decrypted in real time. (The only decryption that can be done depends on forcing the key from the recipient - for example by torture.)
-
Friday 16th June 2017 03:57 GMT Yet Another Anonymous coward
Re: Offline encryption ?
But as an effective means of communication that is up there with using a one time pad and leaving messages under stones in the park for George Smiley.
If you have a regular commercial phone or computer that is ever connected to the internet or GSM it could be logging any key you enter and sending it to the MMB
-
-
Friday 16th June 2017 11:38 GMT DropBear
Re: Offline encryption ?
The point is that it wouldn't be too hard to syphon off still encrypted content to a separate device (can be a smartwatch, PDA or even a small DIY gadget) that handles decryption / encryption, that would be presumed free of tampering by The Powers That Be. You couldn't "backdoor" that...
-
-
Tuesday 20th June 2017 21:12 GMT Helder
Re: Offline encryption ?
Please don't equate OpenPGP to security - it's safety, merely pseudo-security. Show me the scientific proof, not the assumptions of mathematical complexity and I'll believe you. It can be broken using the same techniques Alan Turing used in 1945. It does not even satisfy Shannon's basic requirements for practical secrecy. It's about 3 seconds of computing time. The NSA spends 2 Billion USD per year on computer chips alone. I wonder why. We need something better, something secure.
-
-
Thursday 15th June 2017 19:32 GMT Nolveys
BS
Any terrorist with even a modicum of competence could figure out how to communicate in a cryptographically secure way. A one-time pad, a pencil, a piece of paper and a grade-four education would be enough. Adding voyeur software to phones and breaking secure software isn't going to help catch terrorists.
The Five Eyes Neo-Stasi are pushing for this anti-encryption nonsense so they can spy on law abiding citizens, not to catch terrorists. Theresa Hymenolepis May is proof of this, if she actually gave a shit about terrorism then she wouldn't have made cuts to the one group that can actually do something against terrorism, the police.
I'm beginning to wonder if any politicians actually want to stop or even reduce terrorism. Terrorism has proven itself time and time again to provide our wonderful rulers with carte blanche to do pretty much anything they want. A few dozen people getting blown to pieces in exchange for a golden ticket is pretty cheap, yes? Especially since it isn't directly attributable to the politicians, it's not like starting a farce of a war or burning billions on blatantly idiotic projects.
The notion that any of these policies have anything to do with the public good is laughable.
-
Thursday 15th June 2017 21:26 GMT John Smith 19
"Any terrorist with even a modicum of competence could figure"
Again, what makes you think this really has anything to do with terrorism?
<gollum>
We wants it.
We musts have it.
The preciousssss.
</gollum>
Sounds like a mania to covet something beyond any rational need?
That's a data fetishist. *
*Icon not meant to disparage any other types of fetishists, who are generally quite nice people and don't want to spy on everybody else 24/7/365.
-
-
Thursday 15th June 2017 22:54 GMT Tom 38
Re: BS
Any terrorist with even a modicum of competence
Well that's the thing isn't it. Read the trials of the people caught preparing an attack; these are not competent people. I remember one trial where they were using a single letter substitution cipher for "encryption"! Look at the aftermath of the ones they didn't catch; competent people.
Counter terrorism relies on that most people who are disposed to terrorism are not usually particularly sound. The rest is just security theatre.
Encryption backdoors won't stop competent terrorists, just the incompetent ones, and we're already stopping them.
-
Friday 16th June 2017 07:38 GMT Spud
Re: BS
I'm still of the belief that the powers on high seem to think that the computers will be able to catch all the terrorists so they can reduce the number of real people doing real work. Of course once the cat's out the bag that you can be watched via your phone, you'll suddenly notice sales of beer and ice cream go up while people go into the real world and talk face to face like in the old days. Only there'll be nobody to watch them.
The more you tighten your grip ... the more things will slip through your fingers.
-
Friday 16th June 2017 12:25 GMT DropBear
Re: BS
"I remember one trial where they were using a single letter substitution cipher for "encryption"!"
Gee, I don't know - a scheme where you substitute every single letter with the same single letter sounds like pretty hard to crack (or decrypt). I'd say it's pretty widely used too - for instance, every password I've ever seen is encrypted like this - converted to the single symbol * right as you type it...
-
-
Friday 16th June 2017 08:47 GMT Tim 11
Re: "Any terrorist with even a modicum of competence"
Yes this is exactly the point.
There are arguments for and against of enforcing backdoors for use in extreme circumstances, just like there are for other government security powers, but with encryption it's too late to do it because the horse has already bolted - strong encryption has been invented and is in the public domain. Any debate about banning encryption is pointless because criminals already have it and we can never take it away from them.
-
-
Thursday 15th June 2017 20:01 GMT Paul Crawford
Short memories
Funny that Germany should come down in this way, given the still living memories of the Stasi and their love of spying on everyone. Maybe this is just election talk? Sadly there are enough stupid people around to buy the politicians' bullshit.
As many have pointed out it is only the dumb ones, and the mass majority of innocent public, who will be caught as so many options exist. It also remains to be seen how far Google & Apple are willing to bend over to support device compromise. Admittedly though so many Android devices are vulnerable anyway that installing backdoors should be simple enough without help from the USA end of things.
-
Thursday 15th June 2017 22:11 GMT Anonymous Coward
Re: Short memories
You are seriously deluded if you think this gets anywhere near as bad as the STASI were. Read your history.
In fact the reason for this kind of thing is precisely to avoid using the techniques of coercion, torture, secret detention and blackmail so beloved by the STASI. It is to give normal policing a chance of actually tracking down paedophiles, people who convince young men to become terrorists, drugs dealers, financial fraudsters, etc, before they cause too much harm to others, or at least make it considerably harder for them to carry out their acts unidentified or undetected.
People such as this make good use of the near guaranteed anonymity and privacy and convenient services offered by the likes of Facebook, Apple, Google, etc. Just because such people haven't come knocking on your door doesn't mean they don't exist.
-
Thursday 15th June 2017 22:29 GMT John Smith 19
"is precisely to avoid using the techniques of coercion, torture, secret detention "
You're not really getting this "freedom and privacy" idea are you?
A "nice" police state, where everything you say and do can be monitored at will 24/7/365 is still a police state.
It's a difference in methods, not in the philosophy that the individual is nothing and the state is everything, and must be protected (at all costs) from these dangerous (what's the word? Terrorists? Criminals?) citizens.
-
Thursday 15th June 2017 23:06 GMT Anonymous Coward
Re: "is precisely to avoid using the techniques of coercion, torture, secret detention "
You're not really getting this "freedom and privacy" idea are you?
You're not really getting this crime and policing thing, are you? Ever heard of policing by consent?
And you don't seem to realise that in a democracy the state is the people. If you don't like what a democracy is doing, either change it or put up with it. The reason why ideas like strong policing persist in democracies is because politicians found out a long time ago what happens to their jobs when the crime statistics go up dramatically during their term, or if they fail to respond to new trends in criminality.
So whilst there's headlines like "Google, the Terrorist's Friend" in the papers you'll have a very hard job persuading a majority of MPs that something like this new development shouldn't happen.
-
Friday 16th June 2017 08:39 GMT John Smith 19
"Ever heard of policing by consent?"
There is no consent in a police state.
The "consent" is the one you provided by being born there.
"The reason why ideas like strong policing persist in democracies is because politicians.. "
Are not "leaders" but being led by opinion polls, which may well be manipulated to give them the answer they want.
I'm aware of the justification that all authoritarian politicians have. Tony Blair trotted it out. Roughly "People will complain if we have not been repressive enough."
But "terrorism" in the UK has killed 36 extra people in 12 years, equal to slightly over 4 hours of deaths due to smoking related deaths in NHS hospitals.
Incidentally you don't seem to get the irony you're posting as AC when such legislation would strip you of the privilege of anonymity. Why is that? Would a check of your other posts expose something about you that you would not like others to know? Perhaps your "unconventional" views on other subjects?
This is the secret terror of all authoritarians.
"Someone" could (not are, just could) be saying something I wouldn't like (not doing something, saying it) and I wouldn't know about it. I must know everything about everybody.
Does that not sound quite infantile to you? That's 3 "I"s in 2 short sentences. Can you not see this is not about "the greater good" but personal insecurity?
-
Friday 16th June 2017 11:00 GMT Marcus Fil
Re: "is precisely to avoid using the techniques of coercion, torture, secret detention "
I do so, so wish politicians were forced to read "The Lost Honour of Katharina Blum" before being allowed anywhere near the terrorist issue. Outlaw everything and we all become outlaws - and once we are all outlaws we might as well be hanged for a sheep as a lamb. Government by tabloid is not the way to go.
-
-
Friday 16th June 2017 10:26 GMT Loyal Commenter
Re: Short memories
You are seriously deluded if you think this gets anywhere near as bad as the STASI were. Read your history.
Unlike you (I suspect), I have actually been to the museum in Berlin built in the headquarters of the Stasi, and seen the equipment they used en-masse for steaming open envelopes and reading the contents. If you are unable to see the parallel, I can draw you a picture.
It was very enlightening, you should go.
-
Friday 16th June 2017 10:50 GMT Loyal Commenter
Re: Short memories
It is to give normal policing a chance of actually tracking down paedophiles, people who convince young men to become terrorists, drugs dealers, financial fraudsters, etc, before they cause too much harm to others, or at least make it considerably harder for them to carry out their acts unidentified or undetected.
The thing you need to combat those is not mass surveillance, it is evidence and intelligence-led policing. Mass surveillance of mobile phones would give you a very narrowly focused, but very large volume of mostly irrelevant data, which is essentially useless for 99.9% of police work. Much better value is to spend money on policing itself. In this country, there have been large cuts to police budgets, resulting in fewer police working longer hours who are also responsible for a wider range of tasks. There have also been cuts to police staff, including analysts who are the ones who can actually look at patterns of behaviour and evidence and direct the investigations towards the right people.
The important distinction between the police and the security services, is of course, that the work of the police is open to public scrutiny, whereas the security services are not. You can apply right now to your local force to go on a 'ride-along' with officers. You can go and attend court sessions and see what goes on. Complaints are investigated by an independent body (the IPCC), and warrants are issued by a court. There may be flaws here, and arguments that the system is not perfect, but it's a hell of a lot better than the mess that politicians want, who seem to be hell-bent on eroding the distinction between judiciary and legislature, and on doing things in secret with no oversight.
-
-
-
Thursday 15th June 2017 20:02 GMT Bucky 2
It isn't a difficult topic
Governments' objections to encryption all hinge on the presumption that governmental motives are fundamentally positive.
This is a false presumption. Even for so-called "enlightened" governments.
Look at what happened to the US in the space of a single election.
Yeah, getting past encryption would make the government's job easier, just like limiting freedom of expression, jailing without charges, bills of attainder, and so forth. The simple fact is that no government can be trusted with such powers. Not yours, and not mine.
-
-
Saturday 17th June 2017 09:40 GMT John Smith 19
"US? really? that's what you call "enlightened"?"
Historically the USG founded in the late 18th century actually was "enlightened"
By the standards of the time.
A written constitution. Y'know "we hold these rights to be inalienable.. No monarch at all" etc.
This was cutting edge stuff in the late 1700s. Very radical. Countries were being torn apart by the "no monarchy" provision and the US was on good terms with France. They were viewed as a source of massive disruption.
Of course that was nearly a quarter of a millennium ago.
-
-
-
Thursday 15th June 2017 22:05 GMT Captain DaFt
Re: New forms of "encryption" introduced EVERY DAY
"The bad guys will assume that you are reading the mail, and work something else out."
Well, I'm no evil genius, and here's what I came up with off the top of my head:
Use emojis as code characters and send messages in Mayan script.*
At least that way, those annoying little pictograms would actually be useful! ☺
*Seriously, give that page a read. Those Mayans really knew how to obfuscate their text!
-
Friday 16th June 2017 10:25 GMT Seajay#
Re: Encryption Could Be A Moot Point In The Future
That doesn't really change anything. Current encryption is nearly impossible for governments to break on a medium scale, future encryption might be completely impossible.
If the phones at both ends are sending regular screen grabs to the carriers then it makes no difference how great the encrypted connection between them is.
-
Thursday 15th June 2017 21:02 GMT Daggerchild
Goddamnit
Here I am trying to be a good, responsible, law-abiding citizen, and it's getting harder and harder as it seems they also want me to be a gullible idiot.
So, I have to blow holes in my own shields, and hope nothing bad gets in, while being spied upon by multiple global entities all of whom have competing interests, some cripplingly corrupt, some paranoid with a hair trigger, some leaky as a sieve, some hosting 'guests' they know nothing about yet.
Not to mention that since my job can involve Defence against the Dark Arts I may indeed be discussing weaponising attacks against large corporates to see if we can break the shields. No avenue for misunderstanding there. Already avoiding trips to Arkham America.
Meanwhile at home I want to watch Expanse 2, or Game of Thrones, or something else my friends are watching, and each goddamn thing needs a different subscription to a different service I don't otherwise want in return for owning nothing while ultimately paying more. I have already had one cancel my subscription because they suddenly decided they now wanted more personal details than I wanted to give them.
And if I backup something I do actually own, seeing as I already own things that have degraded to death that I still want to watch, does that still make me a criminal? I've lost track! How long before purchasable physical media itself disappears?
Will streaming media encryption be exempt from the backdoor laws? Betcha 5 bucks it will be.
-
Thursday 15th June 2017 22:46 GMT Anonymous Coward
That is the problem, the governments have not thought ahead on this at all.
Another aspect of it is that companies haven't thought about it either. I'll illustrate that point thus:
Fixed and mobile telephony, telegram and postal services, TV, radio and publishing have been heavily regulated by governments all over the world from the very beginning, purely to allow (when necessary) policing of their use. So what on earth was it about the over-the-top services providing similar functionality (WhatsApp, Facebook, YouTube, etc) that made the companies think they'd be immune to such regulation forever?!?!
There's not many excuses. For example, UK law makes it very clear, and very public, what a telephony company is obliged to do, and has done for a long time. Maybe it's less clear in other countries, but even so. If you're offering a telephony-like service, don't be surprised if the government eventually catches on and insists on regulating your business...
Things are clearly brewing up for a major intervention into OTT services by governments all over the world. The difficulty the companies face is that regulation is very incompatible with the freetard, data slurping, ad funded business model they've grown fat on, and it will be virtually impossible for some hot new startup to, well, start up.
Worse still, their belligerence in the face of police requests means that the matter will be taken out of their hands by legislators. Laws will be passed and the companies won't have any say at all. If they want to negotiate what new laws governing their businesses look like, the time for doing that was a few years back.
And it's easy for many governments to get such laws through their legislatures. Especially given the companies' poor and obstructive responses to police requests following actual terrorist attacks, revelations of private paedophilia groups on Facebook that Facebook didn't do anything about, etc. This is appallingly bad self inflicted publicity for the companies. The PR departments in these companies must dread reading the newspapers some mornings.
-
-
Thursday 15th June 2017 21:45 GMT Chris G
@ Doctor Syntax, you mean you didn't know that every park bench in the Western world is bugged and part of the Alphabetty's private IoT?
Next is bugging every cheap cafe on the planet and finally inserting a chip with a mike into everyone at birth.
It may be time to learn a dead language, or invent a new one, I expect too many government nerds already speak Klingon.
-
Saturday 17th June 2017 09:51 GMT John Smith 19
" i have no interest in what other people do, so i assume privacy is a given for everyone, "
It's not about having an interest.
It's about continually collecting the information so that (if at some time in the future) someone does have an interest in you they can simply look up all of your past online behavior at will.
After all it's all about keeping the suspects citizens safe.
And with this system the authorities can find out exactly who feels safe whenever they like.
Doesn't that make you feel "safe"?
-
Thursday 15th June 2017 23:45 GMT DeKrow
Option 3 - Limited to...
If Option 3 is the 'solution' they're aiming for, it could be a human-rights-friendly (or at least a less human-rights-violating) solution if, and only if, a warrant is required to alter the target's phone.
From what I've read, most of the recent terrorist attacks have been committed by people already on the radar of the various agencies (and this is its own issue and probably more pertinent than the encryption discussion, but isn't the point I'm trying to make here). That being the case, could "being on a watch list" be a valid, minimally human-rights-violating, option for getting one's phone OS modified for the purposes of spying?
(also assuming that there can be scales of acceptability for human rights violations, and the 'slippery slope' and all that).
Of course, it gets into seriously blurry grey area once you start to list people that have been on watch-lists and no-fly lists and "harass whenever they cross the border" lists who would be 0% chance of performing an actual terrorist attack. That's where "trust" is a puzzle that's very difficult to put back together.
-
Friday 16th June 2017 00:00 GMT Anonymous Coward
A familiar name…
The German minister in question is Thomas de Maizière, the same idiot who pronounced last year …
…that he wanted to install lots of facial recognition systems and store everybody's face -- presumably to catch (likely in retrospect) the odd Very Naughty Person. Or, to mangle a Spockism, "The naughtiness of the few outweigh the rights of the many."
-
Friday 16th June 2017 06:19 GMT Milton
And of course, it just won't work
Lacking time to peruse all comments so I'm no doubt repeating what others have already pointed out: the very people you want to surveil will encrypt their data before slipping it on to the phone that's being used to transmit it. Given you're a technical audience I needn't even bother specifying the many ways this could be done because it's obvious, simple and effective.
Just one off the cuff: The outstanding resolution of phone cameras and displays suggests one immediate and easy route. One device, unconnected to any network of any kind, encrypts your message and displays it as an image. Your connected phone takes a picture of the other's screen. Steganography to obfuscate is an option, of course, and I'd guess you could easily use this method for messages of a few hundred characters at least.
The stubborn ignorance and stupidity of politicians never fails to exceed plausibility.
-
Friday 16th June 2017 13:33 GMT GrumpenKraut
Closest I can come up with: ETSI ES 201 671 (pdf) "Lawful Interception (LI); Handover interface for the lawful interception of telecommunications traffic"
-
Saturday 17th June 2017 10:07 GMT John Smith 19
"Lawful Interception; Handover interface..lawful interception of telecommunications traffic"
I don't think anyone should be surprised that such an interface exists.
The problem is how many lines can be monitored simultaneously and what amount of judicial scrutiny is needed to authorize it?
The German proposal seems hell bent on reducing that "judicial scrutiny" to nothing.
Joseph Wambaugh wrote "Police work is only ever easy in a police state."
This sounds like they want to make police work "easy." This should never be a goal of policy.
-
Friday 16th June 2017 09:29 GMT Dave 15
Aren't we living in the 'free' west?
Thought the 'west' was all about democracy, freedom of speech, freedom of movement etc etc etc
I thought the bad 'east' the other side of the iron curtain was all about intrusion, spying, a guy in the next room ratting you out to the authorities, predawn raids and locking people up for saying things the government doesn't like
Frankly the USA and Europe make North Korea and Stalin's Russia look positively friendly. 'Ban encryption because it stops us spying on the people'.... what bollocks. It's time for a revolution to throw off these big brother police state fanatics.
-
Friday 16th June 2017 10:16 GMT Anonymous Coward
Re: Aren't we living in the 'free' west?
"Frankly the USA and Europe make North Korea and Stalin's Russia look positively friendly"
While I agree with the sentiment I think you want to express, this is going much too far. I know very little about North Korea, but when it comes to Stalin's USSR, read one of these:
Bloodlands, by Timothy Snyder, or perhaps
Gulag, by Anne Applebaum, or perhaps Mart Laar's Red Terror.
The comparisons made in Bloodlands are quite frankly both horrific and compelling, and comparisons to the horrors of Stalin's USSR (or Hitler's Germany) are made far too often, which seems to me to somehow lessen the sheer terror conveyed by eyewitness accounts of cannibalism, mothers wanting to see daughters shot to protect them from rape gangs, deliberately planned famine, industrialised murders - and all of those done within the law of those lands. At times, this was with Western politicians looking the other way; even now, we have people who claim that the USSR "did some bad things but just look at its achievements", a sentiment that seems a little like pointing out the benefits Genghis Khan had for the environment (sure, he killed tens of millions of people, but the forests grew back).
Please don't take this as criticism of the sentiment; I'd apologise for a very serious comment - but a subject I care about more than a little.
-
Friday 16th June 2017 13:47 GMT Kurt Meyer
Re: Aren't we living in the 'free' west?
@ AC
Thank you for posting that, Bloodlands was indeed "both horrific and compelling".
Far too often people make comparisons between some nation of today and Stalin's Soviet Union and/or Hitler's Germany.
While the actions, or the intentions, of many of today's nations are both repellent and ultimately ineffective, they do not begin to approach the levels of oppression that existed under those two leaders/governments.
North Korea being an exception.
-
-
Saturday 17th June 2017 10:13 GMT John Smith 19
"It's time for a revolution to throw off these big brother police state fanatics."
Understand that the politicians are just the visible part of this "Coalition of the willing," as GW Bush put it.
You need to identify the cabal of data fetishist civil servants in the Home Office (or Interior Ministry in many European countries) and their allies in the spying agencies that are pushing this data fetishist agenda.
Without identifying them the (violent) removal of one bunch of sock puppets will simply be used as a pretext to justify more spying laws, as has each recent previous incident in the UK and France.
-
-
Friday 16th June 2017 10:05 GMT MK_E
Sometimes I wonder whether a simpler analogy might get through the less tech inclined's heads about why backdoors are a bad idea.
Imagine passing a law that requires all locks sold in the UK be openable by a special government skeleton key that the police would have a copy of (and naturally only used when allowed to by law, trust us) for use in protecting the public and investigating terrorism and fighting crime and all that good stuff.
Shortly afterwards, some shady individual manages to snag a copy of the official key and uses it to burgle houses.
Meanwhile, actual criminals just prop a chair under the door handle.
-
-
Friday 16th June 2017 14:09 GMT Anonymous Coward
> someone seriously suggested that all residents here in Germany be legally required to hand a copy of their house-key to the local law for emergency entry during absence
I used to work in the emergency services, and gaining entry to residential dwellings is never a problem. Most of the time, there is someone else inside apart from the victim, and they will open the door. When people live alone, very often a neighbour will have a key. That covers perhaps 70% of cases, in the other 30% there will be a window open or quickly and easily openable with minimum if any damage. And maybe there is 1-2% of cases where access needs to be gained and the urgency of the situation is such that one cannot waste any time--crowbars, fire axes, battering rams and even vehicles do the job very nicely in those situations but it's not very common to Rambo in like that.
The real problem is when the safety of the intervention team cannot be assured, e.g., when confronted with a deranged victim or where a crime is being committed and people are concerned about being caught. Opening the door with a key and casually walking in... I'd like to see that. :-)
-
Friday 16th June 2017 10:11 GMT Loyal Commenter
That stance reflects a very similar one taken earlier this week by Australian prime minister Malcolm Turnbull, who told Parliament: "The privacy of a terrorist can never be more important than public safety – never."
There was this guy you might have heard of, called Benjamin Franklin, who said, "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
-
Friday 16th June 2017 14:18 GMT Anonymous Coward
> prime minister Malcolm Turnbull, who told Parliament: "The privacy of a terrorist can never be more important than public safety – never."
Notwithstanding that his comment is debatable, that the two are not mutually exclusive, and that dignity is something that must never be taken away from anyone¹, what about the privacy rights of the rest of the population?
¹ Last decade I was on the receiving end of an attack that left about twenty people dead, so my experience is not purely abstract, nor based on fear induced by mass-media and political coverage of these matters.
-
Friday 16th June 2017 19:32 GMT John Smith 19
"¹ Last decade I was on the receiving end of an attack that left about twenty people dead, "
Then I'd say that's a personal tragedy for you and everyone else involved.
It's also about 2 1/4 hours of smoking related deaths in the NHS for 2015.
Of one day, of one week, of one year.
Now just exactly how would your government having access to everyone's electronic communications 24/7/365 have prevented it?
Or were the perpetrators "known to the authorities" already. An increasingly familiar statement from UK authorities after the fact.
-
Friday 16th June 2017 10:39 GMT Lamont Cranston
"The privacy of a terrorist can never be more important than public safety – never."
That's a noble enough sentiment, I suppose (if you don't value universal human rights all that highly), but it quickly falls apart once you consider that these proposals will impact the privacy of everyone.
Good thing we only ever elect the best and brightest to political office, so I'm sure the powers that be will arrive at a satisfactory solution.
-
Friday 16th June 2017 11:24 GMT Seajay#
Answers to the usual nonsense
I'm not sure I like this idea but I think the debate is more balanced than the comment section usually suggests. Therefore in the interests of balance:
Terrorists can get round this with offline encryption. This will only affect normal people without having any effect on terrorism
Modern terrorists are not super villains living in hollowed out volcanoes, they have not been through KGB training. They are idiots who have watched too many jihad videos on youtube. They are not as technically sophisticated as you think (the Paris attacks were organised over unencrypted text messages). It's completely believable that this will catch some of them, especially those in the early stages who are just contemplating something nasty but aren't part of a formal terrorist organisation.
It will kill a multi-billion dollar industry as customers refuse to use these products.
Lawful Interception rules didn't kill voice telephony (or have any effect on it at all). This won't kill messenger apps because no-one (< 0.1% of people) cares.
This is illegal hacking by the government!
If they pass a law saying it's ok, obviously it's not illegal.
Police state!
Any state with a police force gives those police officers powers above those of other citizens. This isn't wildly different to giving the police the power to force entry in to my house or listen to my phone calls. If this is debated in parliament and, with due consideration to the views of their constituents, it's voted in I don't see how this constitutes a police state.
This renders encryption useless
Hardly. Governments already have the ability to lean on the root CAs and that's a problem but it hasn't rendered https useless. All that banking traffic is still working just fine.
It could even be accomplished without altering the encryption at all. Just order WhatsApp to store two copies of each message. One encrypted normally and one encrypted with the government public key. That won't work if the terrorists manage to compromise the client but that's beyond most people's ability and it shows where might be a good place to focus surveillance attention.
I want the authorities to need a warrant for access
Sure, me too. However, once they serve that warrant to WhatsApp, it needs to be technically possible for WhatsApp to comply. That can only be possible if you've put the spy infrastructure in in advance.
-
Sunday 18th June 2017 12:57 GMT SloppyJesse
Re: Answers to the usual nonsense
> It could even be accomplished without altering the encryption at all. Just order WhatsApp to store
> two copies of each message. One encrypted normally and one encrypted with the government
> public key.
Many encryption models already support multiple keys for the same encrypted content - if you change keys on an encrypted hard drive it doesn't re-encrypt the entire drive, just updates the header information. Some zip programs allow a global key so an admin can unencrypt archives (e.g. if the user password is no longer available).
Not sure I would want a government agency to have similar powers over all communications that a corporation might have over communications within their organisation.
One big distinction that needs to be made is between 'normal' policing and covert surveillance. In normal policing the use of powers can be closely and publicly monitored, but in the v covert scenario we might assume that anything that is technically possible and logistically feasible will be utilised in any way the covert operatives see fit.
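The key-slot arrangement mentioned in the comment above (several keys opening the same encrypted content, with a passphrase change touching only the header), as an added illustration that is not part of the original comment or any product's code. The function names, slot labels and passphrases are assumptions, and the HMAC-SHA-256 keystream is a standard-library stand-in for a real authenticated cipher.

```python
import hashlib
import hmac
import secrets

KDF_ROUNDS = 50_000  # demo value (assumption); real systems tune this per device

def _sub(key, label):
    # Separate encryption and MAC subkeys from one key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Counter-mode keystream from HMAC-SHA-256; illustration only, not a vetted cipher.
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(d ^ s for d, s in zip(data, b"".join(blocks)))

def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_sub(key, b"enc"), nonce, plaintext)
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified data")
    return _xor_stream(_sub(key, b"enc"), nonce, ct)

def _wrap(dek, passphrase):
    """One header slot: the data key encrypted under a passphrase-derived key."""
    salt = secrets.token_bytes(16)
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ROUNDS)
    return {"salt": salt, "wrapped": seal(kek, dek)}

def _unwrap(box, slot, passphrase):
    entry = box["slots"][slot]
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), entry["salt"], KDF_ROUNDS)
    return unseal(kek, entry["wrapped"])

def create(plaintext, slot, passphrase):
    dek = secrets.token_bytes(32)  # random data key; the body is encrypted once with it
    return {"slots": {slot: _wrap(dek, passphrase)}, "body": seal(dek, plaintext)}

def read(box, slot, passphrase):
    return unseal(_unwrap(box, slot, passphrase), box["body"])

def add_slot(box, slot, passphrase, new_slot, new_passphrase):
    """Any current key holder can add another holder; the body is not touched."""
    box["slots"][new_slot] = _wrap(_unwrap(box, slot, passphrase), new_passphrase)

def change_passphrase(box, slot, old, new):
    """Header-only update: the same data key is re-wrapped under the new passphrase."""
    box["slots"][slot] = _wrap(_unwrap(box, slot, old), new)

def rekey(box, slot, passphrase):
    """Fresh data key and re-encrypted body: the only step that drops the other slots."""
    return create(read(box, slot, passphrase), slot, passphrase)

if __name__ == "__main__":
    box = create(b"constructed sample message", "user", "correct horse")
    add_slot(box, "user", "correct horse", "escrow", "third-party secret")
    change_passphrase(box, "user", "correct horse", "battery staple")
    # The user's new passphrase did nothing to the second slot.
    print(sorted(box["slots"]), read(box, "escrow", "third-party secret"))
    print(sorted(rekey(box, "user", "battery staple")["slots"]))
```

Listing `box["slots"]` is the audit step: every entry there is a party that can read the content, whatever the owner's own passphrase is.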
-
Wednesday 2nd August 2017 21:09 GMT Anonymous Coward
Re: Answers to the usual nonsense ... all wrong, sorry
"Any state with a police force gives those police officers powers above those of other citizens"
Basically a lie which looks like truth on the surface: Powers are given to a very limited degree and even then only when it's an emergency, not all the time and everywhere.
Police which has permission to do anything they want is by definition a police state, obviously.
And that is exactly what Police relentlessly tries to achieve: Absolute power, no responsibility, absolute money.
Britain is already very far in that path as police shooting random people dead in metro don't get the killer charged for anything, but is free to operate as a police with a gun.
That tells that how much value Police puts to people's lives or property: Nothing at all. That's also one definition of a police state: Police doesn't give fuck about the People: They exist to protect _themselves_, like army.
-
Wednesday 2nd August 2017 21:19 GMT Anonymous Coward
Re: Answers to the usual nonsense ... all wrong, sorry
"Lawful Interception rules didn't kill voice telephony (or have any effect on it at all). "
Do we have any choice on phone? No.
And "interception" as you say, spying in real life terms, is mostly done illegally as no-one in Police gives a fuck: They call at operator and say that "we want phone records from these numbers" and operator delivers, no questions asked, ever.
Mostly these are used for spying spouses and colleagues or friends, not criminals. And you can bet the operator has no documents at all about this information given to anyone.
Nor the names of the requestors: that's the practice.
Illegal but who cares as illegally collected evidence is as good as any evidence in court so it actually encourages Police to wipe their collective asses with law. And they do exactly that, always the laziest way to win.
Police doesn't give a fuck about law, it never applies to Police. And that's a definition of a police state.
-
-
Friday 16th June 2017 12:00 GMT Anonymous Coward
What's more likely
1. Governments don't know terrorists and criminals will move to using offline encryption and therefore general decryption of traffic will be ineffective for the targeted people or
2. They don't care they want to decrypt everyday citizens' data as it will help them with general population control.
-
Friday 16th June 2017 14:31 GMT Anonymous Coward
By the way
I wish we stopped calling everyone a terrorist these days. I am sorry, but a troubled person who, as said above, has been watching too many videos on YouTube and decides to assault other people of his own accord, without any support or specific direction from a politically-minded organisation, is a common violent criminal. That's how those cases were treated as recently as ten years ago.
If a government decides to put the terrorist label on such spontaneous, low-tech, undirected attacks, that is them making it a much bigger problem than it needs to be, and probably encouraging other similarly deranged criminals.
Knifing a few random plebs like us is of course very regrettable and should be prevented, but is not something that threatens the State in any realistic manner (again, unless the State *really* balls it up and makes it a problem).
-
Friday 16th June 2017 15:02 GMT Anonymous Coward
With apologies to Martin Niemöller:
First they read my txts, and I did not speak out-
Because I only txt Family and Friends.
Then they read my emails, and I did not speak out-
Because I only email Work.
Then they read my phone location, and I did not speak out-
Because I stay at home.
Then they read my bank transactions, and I did not speak out-
Because I have no money.
Then they read my medical records, and I did not speak out-
Because I did not know.
Then they came for me, and I could not speak out-
Because everything was monitored.
-
Friday 16th June 2017 15:34 GMT Alistair
TERRORISM
Is HAPPENING NOW!!!
We MUST have DECRYPTION at will on our systems to STOP TERRORISM HAPPENING NOW.
<to borrow someone else's tactics>
Let's just ask a question. How much are our governments spending on Anti Terrorist actions, both in legislative cost, and in real terms of boots on the ground and projects etc.
How many "Deaths" have been prevented by that spend?
How much has been spent on fire prevention standards enforcement?
(I apologize to anyone in that apartment block, but the perspective is relevant. You have my utmost sympathy, and would have my open arms and willing hands if I was on that side of the pond)
-
Saturday 17th June 2017 07:46 GMT Jess
The cure is worse than the disease.
We have just had a demonstration of what a back door can do when made public.
In this case it was an accidental back door, kept secret by the NSA, easily patched by Microsoft, but it still caused havoc.
Now imagine a back door that can't be patched in every device. (Obviously this would have to be country specific, I can't imagine the US and Russia sharing the same system, for example).
When the key escapes (and it would be a far bigger target than patchable short life back doors), imagine a rogue nation or terrorist group bricking every device in a country, or corrupting data or sharing private information or a single country.
Haven't the idiots who propose this ever seen Blake's 7? (Or many similar programs).
They are basically proposing making Orac (i.e able to control any computer) technically possible.
(Even Independence Day should show the folly of a global back door.)