back to article A new US-UK data agreement is worrisome but it won’t give access to encrypted comms

A new treaty between the US and UK will require social media companies like Facebook to hand over private messages but, contrary to recent reports, will not break end-to-end encryption or force them to add backdoors to their software. That’s the upshot of a weekend of frantic commentary and debate over the CLOUD Act, which …

  1. don't you hate it when you lose your account Silver badge

    Future trade deals?

    Doesn't bode well as far as I can see.

    1. NoneSuch Silver badge

      Re: Future trade deals?

      If the companies are using American approved encryption for export, I'm they have access regardless.

      1. doublelayer Silver badge

        Re: Future trade deals?

        They're all using basically the same encryption, not a specifically American algorithm. The export regulations on cryptography were removed in the 1990s when someone in the government realized that they were stupid. That doesn't prevent spy services from trying to break, backdoor, or at least intercept everything they can, but they so far can't mandate that a company start to use an algorithm they've done that to.

  2. LDS Silver badge

    The problem of the CLOUD Act is it is one-sided.

    It's a US law which allows foreign country to enter some kind of agreement, but still totally controlled by US, and with clear advantages for US.

    It's not an international treaty to exchange information based on a common agreement among peers.

    Actually, European countries instead of kneeling to US bullying should force US into a real treaty.

    1. macjules Silver badge

      Re: The problem of the CLOUD Act is it is one-sided.

      And when exactly has any "mutual" law between the USA and the UK ever benefitted the UK in any way?

      it will give the UK authorities the right to issue a request that is equivalent to that of a US court; and the US authorities to do the same for a UK court.

      Nice that we will have "the right the issue a request" but I should think that that will be all we will be able to do.

  3. Blockchain commentard

    And when the companies, mentioning no names, claim the data (as well as their sales team) is in Ireland, what then?

    1. LDS Silver badge

      The CLOUD Act gives the US government the right to access the data held by US companies abroad regardless the foreign state where the data are stored has an agreement or not. If a state is regarded "not safe" it may not enter an agreement at all, while US can still force its companies to cough up data.

      There's a big gray area about what happens when the act is unlawful under that state law.

      A state can enter an agreement to get something in return - but the relationship is very unbalanced in US favour - it's far more easier for US to access data abroad than vice versa.

  4. Anonymous Coward
    Anonymous Coward

    Added complication ... data of EU citizens

    How will the UK square this "how high sir ?" approach with the EU requirements on citizen data that will be needed if UK companies wish to trade with the EU - you know, where 80% of our business is ?

    Hard to see how it won't evolve into two separate parallel systems. Although luckily that's probably never been a problem anywhere in the IT world ever.

  5. Anonymous Coward
    Anonymous Coward

    Start worrying folks

    If like me, you eschew the social media platforms like ZuckFart etc, they will use their AI controlled bot to invent a profile for you and a total posting history just in case you do something wrong. It will be so believable that no matter what you say, no one will believe your protests. After all, what gets posted on Social Media is 100% real and truthful isn't it...

    This is the world we are sleepwalking into. With our current (sic) blonde hairded leaders we have no way to stop the march towards a Big Brother world. How long before someone proposes a law to add an hour to the clock so it really does strike 13?

    1. IB2

      Re: Start worrying folks

      ...Sunday, 3 November

  6. mark l 2 Silver badge

    This will only help catch stupid criminals and get used to monitor people putting the rubbish in the wrong bins etc, Organised crime will simply use messaging apps and services based outside the US/UK to discuss their illegal activity so will be unaffected by such laws.

    1. Anonymous Coward
      Anonymous Coward

      Re: Organised crime will simply use messaging apps

      I doubt they have phones for a starter.

      There was a reason Bernardo Provenzano managed to stay hidden for 43 years, and it's not because he used military-grade encryption. Quite the reverse.

    2. LDS Silver badge

      Many criminals are more stupid and less tech-savvy than you think. Catching stupid ones easily leaves more time to hunt for the less stupid ones.

      About the German police raid of yesterday, I was reading one of the links to Krebs' site about the Spamhaus DDoS. Well, the main culprit was later caught thanks too to one of his fellow crooks who posted an image on on a public forums to boast about their DDoS capabilities, just a good part of the Skype name of the botnets owner was well visible in the upper right corner also...

  7. This post has been deleted by its author

  8. Pascal Monett Silver badge

    "it won’t give access to encrypted comms"

    Well duh, they're encrypted.

    I think that law enforcement should totally be able to obtain messages exchanged between suspects, especially in cases like poor little Lucy, but if those messages are encrypted then the law will just have to find the means to decrypt them.

    No backdoors.

    1. Yet Another Anonymous coward Silver badge

      Re: "it won’t give access to encrypted comms"

      For now.

      2020; we already have routine access to all US/UK messages and email, there are just these few that are encrypted. It's really just a minor administrative matter to require them to also be supplied in a.more convenient form.

    2. LDS Silver badge

      Re: "it won’t give access to encrypted comms"

      Sometimes all you want to know is the senders/recipients of the messages.

    3. martinusher Silver badge

      Re: "it won’t give access to encrypted comms"

      Of course it will access to encrypted comms. It just won't be able to decode them.

      Well, maybe it will. All the interest in Quantum Computing is really focused on a single problem which could be succinctly summed up as "routinely breaking public key encryption". This is the mechanism that validates users and exchanges automatically generated session keys so once its broken we're back to old fashioned key distribution methods (themselves unreliable, the primary weakness since Enigma and before). This might be some ways off except there was a little informational whoopsie from Google/NASA this week about a "Quantum Computing Breakthrough" -- an announcement that disappeared, itself quite ominous. So maybe they'll be reading our mail in a bit (I'm too far down the food chain to be very interesting.....but give it time......).

    4. Anonymous Coward
      Anonymous Coward

      Re: "it won’t give access to encrypted comms"

      They don't need the encrypted comms. The UK has a law that can bang you up for not handing over the keys.

      Why prove guilt when you can simply incriminate someone for not doing something, right?

  9. Doctor Syntax Silver badge

    This 1980s law? Does it require warrants from a court? If that's so I see nothing wrong with it. There's a lot to be said for being old-fashioned.

  10. Graham Cobb Silver badge

    No UK court or process involved?

    So, when a US trade authority decides it wants to find out how much a UK company has bid on a contract it can now just access all mails and messages, with no UK court checking that the request is legitimate and reasonable?

    That is the day-to-day reality - not child murders. As mentioned in the article, that criminal was found guilty without the need for Facebook messages. We live in a day of unparalleled open information and access for law enforcement (cameras, social media, ANPR, ID checks -- without even mentioning things which require a formal process to access).

    What we need is not even easier access to more information with fewer controls but better protection against unreasonable fishing expeditions, unauthorised access, politically motivated investigations, petty bullying by officials, etc. We need more court involvement and clear limits on official access, not less.

    1. Yet Another Anonymous coward Silver badge

      Re: No UK court or process involved?

      The US already gets all the spies data on UK and EU companies, that's the 'special' relationship

  11. Anonymous Coward
    Anonymous Coward

    but it won’t give access to encrypted comms

    now, for that secret annex...

    WHAT secret annex?! Secret annexes to international agreements are a myth, fake news, ask Mr Molotov,!

    ...

    Yeah, that's right, I can confirm it's a myth and fake news.

  12. Anonymous Coward
    Anonymous Coward

    So, if I use a VPN from Norway, and a messaging service hosted in Germany; which set of laws apply to comms between the US and UK via those services?

    1. jmch Silver badge

      "if I use a VPN from Norway, and a messaging service hosted in Germany..."

      If the messaging service hosted in Germany* is a fully German company, if US and/or UK want to access any of the data, they need to do it the way they do now - I'm not sure but presumably they need to convince a German court to get a warrant.

      If the messaging service hosted in Germany is the subsidiary of a US company, the US can get that company to hand over whatever data it wants. Of course, if there is a German law preventing that, US and Germany would have to find a diplomatic solution to sort out the mess.

      I would be interested to see a lawyers' take or that of someone with a bit more knowledge as to what constitutes a 'US company' in terms of the CLOUD act? eg if a company is quote don London or Frankfurt stock exchange and some or a majority of it's shareholders are American

      *You can presumably substitute any EU member for Germany here.

      1. Yet Another Anonymous coward Silver badge

        > if US and/or UK want to access any of the data, they need to do it the way they do now

        By a GCHQ fibre tap on Germany's main internet feed ?

  13. andy 103
    Big Brother

    It's about interpretation, not encryption

    It doesn't really matter whether messages are encrypted or unencrypted, or they can or cannot be read by authorities.

    What matters is how those messages are interpreted.

    If someone is suspected of doing wrong then it's a given that authorities may want to review messages they've sent. In the pre-social media days that's not much different to wiretapping someone's phone or other means of intercepting (non electronic) comms. It happens whether people choose to be aware of it or not. Even back in the pre-social media days authorities seized hardware, oftentimes it had unencrypted disks/memory. But that's not the worry...

    The worry comes when there can be some inference - without any direct evidence - based on what someone has said. For example if 2 people are messaging each other and one says they saw a story about fraud and didn't see an issue with it, what happens if that person is then suspected of fraud and appears in court? You can extrapolate this to other undesirable subjects.

    There's also the issue that if someone turns on encryption are they then seen as someone with "something to hide"? Again, the interpretation and inference of someone's activities is the most worrying aspect of all this.

    1. Anonymous Coward
      Anonymous Coward

      Re: if someone turns on encryption are they then seen as someone with "something to hide"?

      No question about it! Also, if they start using vpn AND they pay for it... I mean, sure, they might be the usual porn-fan, but we can never be too careful, can we, eh? The better the level of protection, the more clearly the "target" demonstrates his/her "intent" to evade scrutiny. So, they're going to be flagged and move up the system from the pool of "millions" (i.e. everybody) to to "a limited group of interest", a mere few thousands perhaps. By applying certain level of protection, you suddenly stick out like a sore thumb :)

  14. Dick Kennedy

    Re: Well if the US ships want the Chinese to keep out of the way

    There's a missing 'not' in that final par - a rather significant omission.

  15. Anonymous Coward
    Anonymous Coward

    Slouching towards nineteen eightyfour

    > A new treaty .. will require social media companies like Facebook to hand over private messages but .. will not break end-to-end encryption or force them to add backdoors to their software.

    And if you believe that, then I have a bridge to sell you.

    > it is equally ridiculous that in the internet era - where people’s use of social media is instant and seamless - that people investigating serious criminal matters cannot gain access to vital evidence”

    I think they can gain access, just not legally and not of the kind that can be used in evidence. If msgs use end-to-end encryption then why must they pass through a central server. I mean, if the encryption algorithm was deliberately weakened then the msgs stored on the server could be decoded at leisure. It would take a massive amount of computing power to do so. I also wonder what sinister purpose such power could be put to if the security people got out of control.

  16. anonynon

    They're only encrypted whilst in transit

    So as your Whatsapp and facebook messages are travelling over the information superhighway they're encrypted and as soon as they hit the end device they're decrypted and available to the relevant authorities

    1. DontFeedTheTrolls
      Boffin

      Re: They're only encrypted whilst in transit

      Not on iOS. The entire device is encrypted, the messages are stored within the encrypted device, so without the unlock code/fingerprint/face the message remains encrypted at rest. Read the iOS Security Guide.

      I'm not au fait with Android but I'll bet there are ways to keep the messages encrypted there too.

    2. This post has been deleted by its author

  17. Anonymous Coward
    Anonymous Coward

    McHugh case

    I'm not a FB messenger user so might be spouting drivel, but assuming like similar "chat apps", wouldn't there be records of what messages the victim received on victim device?

    Or do we assume either victim or, later, the killer scrubbed that data from victim device?

    Normally in the case of a suspicious death UK plod grab every possible device they can that may be in some way associated with victim (based on experience of mine with a different case hence A/C - every computer in the household was removed, including those never used by victim in case I have experience of). Also in my experience plod hopeless at handling non 100% windows machines, a dual boot Windows / LInux machine (with one of the Linux boot managers used, grub IIRC, not a standard windows boot) got returned as a windows only PC and appeared that instance was from a very old windows restore point on the local windows instance. I assume it was last restore point as that PC was used for Linux mainly, would have been ages since last boot into windows.Fortunately I had data backups

  18. DontFeedTheTrolls
    Headmaster

    "The NSA in the US and GCHQ in the UK have a long history of abusing ignoring the law"

    FIFY

  19. Anonymous Coward
    Anonymous Coward

    Does this open a way for US citizens to be charged under existing UK law for not revealing their passwords / private keys ?

  20. andy 103
    Boffin

    How do Facebook decrypt messages in a web browser?

    This might have got lost in the comments but please could someone explain this to me.

    If you login in to Facebook with a web browser, any of your messages are visible within the browser.

    HTTPS/SSL is irrelevant because this only covers data transmission between their servers and your browser.

    In this situation, where are the messages decrypted? I can't see this being done by the web browser. So surely, even if FB are storing those messages in an encrypted format, they also possess the keys or decryption algorithm to render them as HTML (unencrypted, human readable text) in a web browser?

    (I'm not talking about using their app. I'm talking about using facebook.com in a browser).

    1. doublelayer Silver badge

      Re: How do Facebook decrypt messages in a web browser?

      I don't use their messenger, but I don't think it's that hard. First, many messages they display wouldn't be encrypted anyway, as the article states, because encryption isn't on by default. The encryption key for those that are encrypted is likely stored on Facebook's servers in an encrypted form*. When you enter your password, it is used to obtain the key. Then, the messages can be decrypted either on the server or by javascript in the browser. Since Facebook doesn't store the plain text password, only the hash*, they wouldn't be able to decode the messages without you giving them the password to log in.

      *Although this being Facebook, it's also somewhat likely that they do store an encryption key and your password in plain text, and if they decide they don't want to tell anyone that they're doing that, they simply don't include the key file when they send your messages to a third party. Given their various security disasters so far this year, I wouldn't be using their system and expecting good cryptography on it.

  21. LeahroyNake

    Telegram

    After I dropped What's App when Facebook bought them most of my family and friends have now moved to telegram.

    It also has this very similar to What's App tagline pre buy out.. 'Telegram is free forever. No ads. No subscription fees.' and 'Help make messaging safe again – spread the word about Telegram.'

    How much do I trust them? More than Facebook, Google and assorted gov agencies.

    1. Anonymous Coward
      Anonymous Coward

      Re: Telegram

      How does Whatsapp (and similalrly Telegram) work?

      I have a 50 people in a work WhatsApp group.

      My client presumably doesn't do public key exchange with each of them, generate separate encrypted copies of the message for each recipient (as PGP email would).

      Or does it encrypt each message with a new key and then send that key to each recipient under some global shared encryption ?

      Either way it would be trivial for the app to add Facebook/GCHQ/NSA as a recipient to all groups without the user knowing.

      1. doublelayer Silver badge

        Re: Telegram

        And both institutions have requested just this. So far, the law allowing them to demand it hasn't been accepted. They might have tried, but I doubt they succeeded in getting cooperation from the companies involved without a law. So when this law gets suggested again, make sure you argue vociferously against it..

  22. Peter Sommer

    There's an associated UK law already!

    The UK end of this attempt to speed up MLATs is already on the statute book - Crime (Overseas Production Orders) Act, 2019. What needs to happen now are the detailed protocols. Perhaps they'll be able to achieve that in a few weeks, but there are important issues of national sovereignty at play, plus the definitions and authorisations specified in this new Act vary from the structures set down in the Investigatory Powers Act, 2016.

    But you are right - encryption is specifically excluded in the the CLOUD Act

  23. Anonymous Coward
    Anonymous Coward

    "That said, it is equally ridiculous that in the internet era - where people’s use of social media is instant and seamless - that people investigating serious criminal matters cannot gain access to vital evidence because the company that offers the communication service is based in a different country."

    That's an argument that states like China will fully embrace. Given the way the US and UK are going with Trump and Johnson trying to ignore legal boundaries and calling opponents "traitors" - it has its dark side too.

  24. Anonymous Coward
    Anonymous Coward

    "Cannot gain access to vital evidence " Ha. Go back to investigation then, stop expecting to trawl back through history. Are you seriously surprised that encrypting everything is becoming the default?

    The "like a wiretap" argument. It's not. You had to get permission BEFORE the tap.

    Could you imagine the reaction if someone insisted that the Royal Mail hand over the contents of a letter that had already been delivered?

  25. Anonymous Coward
    Anonymous Coward

    https://simonsingh.net/media/articles/maths-and-science/the-beale-treasure-ciphers/

    *

    Two out of three Beale ciphers have remained secret for over a century. They are likely book ciphers.

    *

    All of the debate here is about the use of published, academically validated cryptography. But it's also clear that privately devised ciphers can be pretty hard to crack. And the users of such ciphers have immediate access to the message. While attackers (NSA, CCHQ etc) will need time, and maybe a lot of time, before they read the message, if ever.

    *

    What am I missing here?

    *

    0$po0kjs1qae01QG02360OiF0dIl0TjI16AY10io

    0rT10k0v1hoz0t8b0JJr15qP122E0wax1T0p00dX

    0mEI0V8s1hY10kWQ0zEV1Y5l0qXy0shi0TUE0MWH

    18Eb1i5K15UT1AnN0d9N0pht1UuD0vrq1qj91VpG

    1o4K0AzM0vRp0=ZC0sgM0Qjy1I6O13KM0Zv70bLe

    0Uor0GrR0pm51KkQ13Nc14XP03oi06cl1NRE0T3v

    0bMb0Vdh0rYV0dAk0zy4

    *

  26. FromTheRoot

    WhatsApp WARNING

    By default WhatsApp backs up to Google Drive and these messages and photos\videos are NOT encrypted so if you value your privacy its best to use another encrypted messaging app such as Wickr.

  27. John Smith 19 Gold badge
    Childcatcher

    Data release on production of a search warrant. Yes. Wholesale fishing expedition. No.

    And Oh look the classic "There was a 13 YO girl was abducted" Blah blah.

    What's more callus, my characterization of the case, or its cynical TOTC use by the data fetishists* promoting this law?*

    Because we all know that's not it's going to be used for.

    Due process.

    They've heard of it.

    *And I guarantee they'll have had some hand in drafting this. Not for clarity. For ambiguity. Lots of vague BS that can be interpreted as they see fit.

  28. Anonymous Coward
    Anonymous Coward

    WhatsApp has end-to-end encryption turned on by default

    The ends are:

    You <-> WhatsApp <-> Person you're messaging.

    You don't generate the encryption keys; WhatsApp does. Therefore WhatsApp can easily decrypt it en route. And if anyone seriously thinks that a company like Facebook paid 19Bn for WhatsApp without the intention of data-harvesting the crap out of every byte that passes theough, then there's something fundamentally wrong with you. Massive gullibility, to start with.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022