potential child sex abuse offenders on Facebook
Isn't everyone who isn't a sex offender a potential sex offender?
The British government is preparing to launch a full-scale policy assault against Facebook as the company gears up to introduce end-to-end encryption across all of its services. Yet the backlash has already begun, showing that officials face a tooth-and-nail fight against their attempt to derail the rollout of end-to-end …
Welcome to the world of political spin ... Word it as vaguely as possible to make it sound as bad as possible to get away with as much state surveillance as possible whilst still insiting that free speech, pricacy and data security are "their" main concerns. Be it e2ee, mass surveillance or selling medical data to the highest bidder, it all comes down to states making sure their free populous are toeing the line and making the lives of the incumbunt powers-that-be as comfortable as possible.
I do have things to hide. I wear clothes in public, keep blinds on windows, and don't say everything that pops into my head. Hiding things is literally the most socially normative thing, and it's universal across all cultures and time periods. Pretending otherwise is absurd. It begins to sound like ducks <=> witches if you actually talk through the "...if you have nothing to hide..." logic that governments use.
See, there used to be a system called BT Cleanfeed which would intercept and mess with peoples internet connections, relying on the fact that there was plaintext HTTP in use to discriminates between safe and unsafe URLs. When HTTPS came out, that had to change to IP blocking instead. But then came the cloud, so that had to change to hostname interception instead. But along came TLS 1.3 with the ability to encrypt the hostname and cert details (encrypted SNI), so they had to start implementing DNS-level checks… so when Mozilla wanted DNS-over-HTTPS, they cried and said how evil Mozilla was… and they lost!
With private companies now offering end-to-end encryption to further bolster protection against data protection liabilities, the only loopholes left in the end will be based on government surveillance groups attacking the client software, rather than the backend servers themselves. This is a heck of a lot less convenient for mass surveillance programmes while making tailored operations much more expensive. Besides, every week, static analysis tools, fuzzers, sanitisers and many other automated tools detect and assist in the cleanup of bugs to the point where every program crash bug is now given a CVE; that is how good the quality of software is getting.
Keep calm and carry on rejecting backdoors. We will win!
Logically the correct course of action is not to ban E2EE but ban Facebook instead.
Part of me is screaming "yes, yes - ban facebook". But that itself would be oppression/control-freakery by government just as much as the CCP is trying to do away with the Uyghur Muslim religion.
In a free society we have to allow people to do and believe things that we think are wrong or stupid.
Yep, all you need is just one contact/friend who has the Facebook app on their phone and Facebook will have harvested all of their contact details, including yours. This will include your name and phone number, and any other information that is recorded against you - address, date of birth and so on. You are not in control of this data harvesting, it's someone else giving your details to Facebook and it only requires a single individual do to this - if there are multiple people with your contact details then it, of course, enhances the data validity.
So it's a hole with your name and contact details against it. It's rather creepy really, but very simple.
The data for credit agencies is specifically provided by other organisations - essentially, a cartel which goes along the lines of "you must provide all of this information otherwise we won't provide services for you"). In other words, demanding customer information.
The contact data hoover is individuals unwittingly or uncaringly providing information on others, essentially peers providing information on each other.
It begs the question: *why* do they want so much data? I don't have a Facebook account, and I've never been contacted by them, and any advertising I've suffered (which is partially Google too) has either been absolutely irrelevant or something I've just looked at - which I don't see why they'd need my details for.
Is it just that there are some data fetishists at Facebook who collect data for its own sake?
Obviously anyone in their right mind would agree with tracking down and prosecuting these child-molesting fuckers.
However, of course this wouldn't be limited to child abusers. Governments around the world would start to use it against their bogeyman groups. Uighurs in China? Gays in Eastern Europe? Pregnant Texans discussing abortion? Opposition support groups in many African countries?
So, basically government snooping coming soon to a FB Group near you...
All but the last group in your list have had national security implications in the not too distant past and as such were/are monitored by the security services due to the very small minority intent on doing actual harm, everyone else in these groups carried on with no impact on their life. - example - being a Communist/Labour activist didn't stop Jack Straw qualifying as a barrister (or bringing in the the R.I.P. 2000 act while he was home secretary*)
On the other hand local councils performing intrusive investigations into members of the public for 'offences' that only carry a fine is overstepping any reasonable boundary and any investigations arising from councillors personal animosity towards anyone should result in plod taking a serous interest (too often it doesn't).
*Irony lost on so so many.
Does anyone remember the number of organisations that could use RIPA?
It included Local Councils, making sure that you weren't putting rubbish in the recycling, amongst a very long list of unexpected organisations.
Example: Guardian article
Aha. Found the list for the IPA
RIPA: a very loosely worded bill that Tony Blair promised would never be used by anyone outside of its intended anti-terrorism purpose because that would be damaging to the validity of the bill.
It is now the blueprint for all bills, make them as vague as possible so they can be used by authorities as they see fit later.
I have no direct involvement with Facebook. Nevertheless before I give anyone, official or otherwise, extolling E2EE a hearing I want to see them publish the following:
Their name and address.
Their online banking credentials.
Any additional ecommerce credentials they may have.
If they think think those are things that must be kept hidden then they need to realise that I have similar things that need to be kept hidden and that's what E2EE is about.
Politicians are always exempt from these rules. Look at the snoopers charter that has a tail put on every single one of us, except politicians. I am still waiting on your internet history Alok you unrepresentative expletive. What are you hiding?
"Around 100,000 individuals are reportedly on the Sex Offenders' Register at any one time, while government officials suggested to the press that potential child sex abuse offenders on Facebook are greatly in excess of that number."
So the argument is that there are >100K potential sex offenders on Facebook without E2EE and the police are doing little to nothing about it unless they are really bad. If E2EE comes in then all that changes is that the police can't do anything (without a warrant) rather than just choosing not to do anything.
Or maybe the police are overstating their lack of action to highlight how bad their inability to act would be
Of course the 100000 on the Sex Offenders list are only those who have been caught and sentenced, and presumably includes people who didn't offend against children. Suppose we assume 0.5% of people are "potential offenders" and British Facebook users follow that proportion, then of the 42 million, we have 210000 on Facebook, way in excess of the Sex Offenders list. Pushing things a bit further we might project 3 MPs and 4 Peers, but investigations in that direction didn't come out very well.
As an aside, on a point of order, there is no such thing as the "Sex Offenders' Register" in the UK: there are merely people subject to notification requirements under the Sexual Offences Act 2003. I know it's not as catchy for a Daily Mail headline, but it's an important distinction: the UK does not have the same system as much of the US, and this is probably a good thing, as evidence shows it actually makes things worse.*
*As an aside to the aside, I suggest that any proposed "[$name]'s Law" is by definition a knee-jerk, tabloid-appeasing reaction that will have unintended consequences, and a more nuanced and evidence-based approach will almost always be a better solution to $problem.
Indeed - Cameron was bad enough, then May comes along. Then when you think it can't get any worse BoJo the Clown gets a crack at his ambition to be World King, so starts flag waving. Though he did have the
willyflag fixation from earlier when he was Mayor of London - a fact not lost on his IT Tutor
This report says he intends to go on and on - let's hope he jumps ship soon to make £££, but as ever, the country will be left to pick up the pieces of his vanity.
There is literally no use for it. FB has access to all data, and are the biggest offenders of harvesting data, so Encryption on FB is only lip service. OR maybe they are trying to get all the perverts onto FB for a false sense of security, or maybe one of those extremists elitist groups that runs the world are looking for new friends... Either way, it's all BS. There is no privacy on the internet.
While your post demonstrates a lack of understanding of what "end-to-end encryption" is supposed to mean, I can't help but agree with your skepticism/cynicism..
Facebook wouldn't be "throwing away" all that valuable data on what people are talking about.
If the data is encrypted as it passes through Facebook's messaging servers, that doesn't mean it can't be data-mined on-device (Apple style!) for trend analysis, social graph info, advertising impact analysis etc. Saves them a few compute clusters by outsourcing the electricity to your pocket if they do.
E2EE is kind of irrelevant when you completely control both "ends". Except it gives you a get-out-of-jail-free card (potentially) against government regulation.
With E2EE, Your data are safe (maybe) from the prying eyes of governments, but NOT from the (even more prying) eyes of Facebook itself.
That would be a variety of members of parliament & their advisors, lackies & hangers on.
If this is required, I'm sure our illustrious leaders will lead by example by making sure that all of their communications are freely available unecrypted to anybody requesting it.
If you have nothing to hide, you have nothing to fear - I'm sure that's ok isn't it? No?
I'm sure they're mostly there to be serving the country rather than self serving?
That would be a variety of members of parliament & their advisors, lackies & hangers on.
Sorry, that cannot be proven, due to a freak IT problem, the phone wiped itself and was replaced and the Google Drive backup disappeared.
There is a good argument to be made for 'proof of virtue' before* anyone can stand for public office,
however that would require legislation and I trust politicos as far as they obviously trust us.
* but as the maxim says, power corrupts.
The last quarter of a century, where legislation controlling police searches of digital devices and cloud storage failed to keep pace with technology, is a blip against a long legal and historical tradition that kept police on a short leash when it came to searches and seizures.
Very much this!
Remember in the good old days, "terrorists and paedos" were not caught by dragnet wiretapping of everyones phone. We don't have every pub in Britain recording every table conversation.
Imagine the outcry if the government announced that every letter sent through Royal Mail will be opened, scanned, copied, kept, and scanned for key phrases. ? But why not? Think of the children!
People seem to accept this stuff in the digital world. Unfortunately, this propaganda TV campaign will be quite successful unless it's countered properly.
@Charles 9 "Um...didn't that actually happen during World War II?"
No it didn't. Logistics alone would have prevent that. There would not be the man power :- "Royal Mail will be opened, scanned, copied, kept, and scanned for key phrases."
But they were able to without warrants, do that to mail they suspected. But even those restrictions in peoples rights required a country to be at war and fighting for their very survival. "Think of the children" hardly falls into that category.
> officials talking to the press raised the spectre of vulnerability disclosure by governments drying up as frustrated law enforcement agencies hoarded vulns for their own use, out of public sight or legal control.
Translation: "Our police forces are so out of control and lacking transparency that nobody has any idea what they're up to behind closed doors, so they might start doing even more bad things if we don't make life easy for them."
Our mobile phones are now powerful enough that is entirely feasible to use one time pads. All it needs is an app that makes it simple. Unless the phone itself is compromised (avoid android or iOS), it is unbreakable. The downside is you have to exchange them in person which could be difficult if you need to converse with someone a long way away.
Is not even wrong. OTP requires so few computational resources can be done with computer made of cardboard and string. Even if cardboard is wet and string is weak.
Problem with OTP is distributing the pad as you say. You must be able to do that securely or OTP is useless. So either you meet your friend secretly and exchange pad by some method which does not involve public network ... or you securely encrypt the pad and send it to your friend over public network who then securely decrypts it. But wait wait: if you must do that then you obviously have good encryption program on your phone-computer. Probably it will be nice fancy public key one so you do not have to share a passphrase with your friend. You could ... just use that program to exchange messages instead of the OTP.
The *only* case where OTP is useful is where you have a completely secret way of exchanging as much data as you will ever want to exchange secretly later: OTP is way of time-shifting the existence of a secret communications channel, is all. Is useful if you are spy and have very secret channel when you are living in big building near Vauxhall bridge with your spy friends but then later, when you are doing secret spy things in far-away countries you do not have secret channel.
The catch with OTP is that it's very resource-intensive and logistically daunting. The pad is consumed on a one-to-one basis against your ciphertexts, so it requires a very large pad or an easy means to regularly produce a new one at both ends. This raises the risk of an adversary getting wise to the scheme and eventually coming upon it. Another problem is that it requires perfect synchronization or the message gets lost in transit. An adversary in control of public lines of communication and aware of the use of OTP might intentionally introduce slight losses of data that can throw off that synchronization.
Basically, there's a reason OTP isn't used except in the most extreme of communication circumstances. Put simply, it's a headache.
You can, but it would not be of great value for privacy (assuming you are attempting to send a second OTP that is greater than one page) - see <https://forums.theregister.com/forum/all/2016/08/16/researchers_crack_homomorphic_encryption/#c_2945575>
In this case Eve would be able to capture both your [encrypted] transmission of OTP2 and your transmissions using OTP2. That allows the possibility that Eve could combine these two transmissions to leave her with a transmission that is repeatedly encrypted with the last page of OTP1 (effectively re-using the page and losing the "one time" nature).
The complexity for Eve will depend on how the OTP is used - but then you are starting to rely on encryption algorithms and you might be better off skipping the OTP bit and just using a decent algorithm.
Does OTP work if you start with an OTP which is only ever used as a means of sharing other OTPs?
My (possibly/probably naive) assumption here is that because you are only sending things with a very high level of entropy (basically long sequences of random numbers) with no meaningful clear text and, ((assuming the random number generation is halfway decent) no possible way of getting a knife into a metaphorical crack using frequency analysis or similar, so, as long as you only ever use the initial OTP for distributing further OTPs ((and don’t reuse those) it *should* remain secure…
But for one snag. OTP is consumed one-to-one with your data. It's a requirement for OTP;s strong data security (defined as the idea that a ciphertext encrypted using a OTP can literally be decoded to anything of that size or smaller). A 4K message requires at least a 4K OTP. This also makes it redundant to use one OTP to send another one: you use up the same amount of pad either way.
the cops are basically saying that they're doing nothing with the 100000 pedos on facebook and they want them not to use e2ee so they can sit still looking at everything while still doing nothing ? .. this is beyond idiotic .. if they know of crimes being committed and do nothing about it then they are responsible for what happens to the children they ( alledgedly ) want to protect . Do your job , take em down , then we'll see about this based on merit.
"Rather than being proactive, we're told, police forces would end up being reactive, responding to reports instead of proactively patrolling what they see as the digital streets of the modern era."
This is exactly how they should work otherwise we are in a surveillance state!!
An online variant of predictive policing is only going to expand.
> "Rather than being proactive, we're told, police forces would end up being reactive, responding to reports instead of proactively patrolling what they see as the digital streets of the modern era."
You mean like the proactive policing that replaced foot patrols with thousands of cameras?
The ad campaign will run online, in newspapers and on radio stations with the aim of turning public opinion against E2EE
Given that most of the UK population is very much anti-paedophilia and would be quite happy to see paedophiles dealt with in ways that the law just doesn't allow any more, it seems odd that the Government are going to run a propaganda campaign to persuade the populace that what they want to do needs to be done.
The only logical conclusion is that they know that the public don't trust their word (a) that removing E2EE is necessary and (b) that they are really thinking of the children.
My 2p: as the Saville case shows, quite often paedophiles are operating in plain sight and are getting away with it. No need for E2EE if you have a network of well-placed enablers to help out.
They were probably too old and highly placed to use computers.
So the police are being extremely fore-sighted and assuming that the new generation of DJs, TV presenters, politicians, minor royals who will become the paedophiles of the future will be more computer literate.
They can do that for Messenger, but they can't do it for Facebook itself. When you post something on Facebook, it is seen by more than one person. Either you'd have to encrypt 1000 times (meaning 1000 separate copies) if you have 1000 friends who might see your post, or more likely you'd encrypt it once and all your friends would have the same key to decrypt your post.
Either way I suspect Facebook could slip in a 1001th key, or 1001th copy of the same key. If for no other reason than that's the only way Facebook moderators would be able to do their jobs...
So law enforcement would still be able to subpoena records and Facebook would still be able to deliver them.
Thats what i thought ....well i thought it was just bs...
A thought did cross my mind though, about the hash functions on CSAM images being incorporated into the encryption algorithm ...such as to make it a massive flag...
Well i thought if they can encrypt a public forum like fb making CSAM images stand out like glow in the the dark sore thumb would be a walk...
What is interesting is now that fb trafic is ETEE how the goverment is spaffing ad money to chalange it ...yet when whats app was taken over by fb and claimed to maintain the end to end arrangement not a peep....
Apple wanted to do that (checking CSAM on the iPhone, before it was uploaded to iCloud), that kicked up such a stink about the sanctity of the personal device, that they have put the plans on hold, for now.
The problem isn't just CSAM, it is, if you start looking for CSAM, why not look for homosexual images for certain Eastern Block countries? Or anti-government posts in China? Or anti-royalist comments in Thailand? Anti-abortion talk in the USA?
Here, in Germany, the Constitutional Court backs E2EE and the state has to get a search warrant and install the "Staatstrojaner" on suspects devices in order to monitor messenger traffic.
and, presumably, driving home the message that encryption itself is something inherently bad.
Then all cabinet members communications should be open and transparent. And if encryption is inherently bad, could I suggest they start doing their online banking over http instead of https?
If that is successful for them, for say 18 months, we can then talk about banning it for everyone...
No? Didn't think so.
On the other hand, Germany has been saying that private communication is sacrosanct and should be encrypted. If the law wants to monitor suspects, they need to get a warrant and "tap" the devices of the suspect using approved trojan software, the "Staatstrojaner"
Officials suggested that the greatest threat to child safety from Facebook is that abusers can discover a safe space that normalises the sharing of CSAM and helps encourage depraved newcomers onto the platform.
I'm not a fan of Facebook and it can curl up and die, for all I care, but this is just stupid.
From all the recent big busts of paedophile rings that I've heard about, the images were swapped over their own forums on the dark net. The big scandal last year in Germany was a world-wide net run out of an allotment shed, with racks of servers. Those servers didn't belong to Facebook!
I'm sure some criminals and registered sex offenders are on Facebook. But, a lot of the actual CSAM material seems to be on private forums, from what I've seen in the news.
The way the terminology is used is a bit rubbish - I mean all encryption in transit has 2 ends and all VPN tunnels or transports have 2+ endpoints.
The only distinction is whether both ends are on users own devices or one end is controlled by a [social media] company.
Whenever governments or TLAs talk about this it always comes across as wanting all the benefits of VPNs for themselves just not in the hands of civilians.
It's silly as the you can demonstrate methods purely on paper so they ultimately arrive at defending a position where you say a particular branch or application of maths is not allowed, or at least "when you do this type of maths on a computer you have to let us see all your working on demand or else it's unlawful".
Besides I thought the various authorities has already decided they would have legally backed rights to gain access to data on a device after it's already decrypted and collect it in the cleartext there rather than trying to access it en-route.
"Think of the children" and if you don't then you must be hiding something.
Considering I've given the police a hand full of USB sticks with encrypted CCTV footage on it of our sites and then never had those fucking sticks returned annoys me. So I'd no longer be allowed to encrypt them? But I do it for security incase they loose those sticks. "But that won't happen, its the police". Really? So I stopped providing the sticks and made them supply them instead. What happened with the first stick they provided me? I checked if they'd bothered to secure wipe it as it looked used. Oh look, no they fucking hadn't and I was able to restore someone elses old CCTV footage of a crime, that had never been encrypted.
We used to have this group whose job it was to look after the children, I think they were called parents.
Of course, authorities have been overlooking real world child abuse for years, lest they be called "racist", so I guess we can see where their priorities actually lie.
It's not often that a side effect of seemingly providing the end user with enhanced personal security also effectually reduces the ability to police the users of such an anti-social media platform. Win-win kerching, assuming they can maintain a happy relationship with the advertisers. One more point, I might be missing something, but for an anti-social media platform like FB which operates by connecting people that know each other... how does E2EE and the ability to conceal identity/geographic origin enhance the anti-social media platform experience??? I must be missing something (I have a hunch this is about getting former FBers back... the ones that fled to Parler perhaps).
Quote: "The British government is preparing to launch a full-scale policy assault against Facebook as the company gears up to introduce end-to-end encryption across all of its services......"
My approach is to encrypt messages BEFORE THEY ENTER ANY CHANNEL.
And use Diffie-Hellman to agree a random secret key for every message -- WITHOUT ANY KEY EXCHANGE (see Diffie-Hellman, 1976). Unlike PGP, this method has NO PERMANENT PUBLIC/PRIVATE KEY PAIRS.
So........it DOESN'T MATTER if FB (or Twitter, or Proton, or Telegram) implement so-called "end-to-end encryption".....if there's a backdoor (of course there's a backdoor!!!).....then all the snoops will find is my IDEA encrypted message. It might be a photograph....it might be a birthday greeting.....and if the plod turn up and ask me what's going on, I can quite truthfully say the keys were randomly chosen by the software and were destroyed after the message was sent and/or received.
Does anyone really think that this sort of process is beyond the reach of the "bad guys"? So......as I've said before......simple misdirection. More snooping on the 99% of the citizens who are doing absolutely nothing wrong!!!
I wonder where. Surely not on the Zuckerborg, they couldn't possibly be paying the target of their ire could they?
According to research from fact-checking non-profit First Draft, 88% of the Facebook ads the Conservatives posted in the first four days of December were deemed misleading by Full Fact, one of the U.K.’s biggest fact-checking organisations.
Ban these evil organisations funding all this online harm!
to skirt around privacy laws
See how the Australians made available their trove to the FBI (who had the keys but not the data), by giving a 3rd country the data, but not the keys)
Quote: "Privacy laws"
Well.......privacy laws don't stop anyone using encryption BEFORE messaging enters any channel. So the message is encrypted AND the keys are private.
The users of this approach are perfectly capable of generating interesting keys using pathetic laptops. See below for a number which is the product of two very long prime numbers.......less than twenty seconds to identify two long primes and then multiply them together. I have no idea how long it will take the Aussie supercomputer to factor the number. Someone here can let me know. After that....the snoops need to determine the keys based on this long number............................
The more people will want it!
Government is missing 1 key thing here, people are sick of all the privacy scandals, being tracked and where X has been hacked and data leaked .. it's not only private or commercial website, it government as well...
So let them keep making it high profile, cause in the end, all they're is raising awareness - and as the famous saying goes, there is no such thing as bad publicity.
All of this is the governments own fault for abusing public trust for so many decades. Now people don't believe any of the "think of the children" narratives true or not.
The UK government lets bin men (seriously) have full warrantless access to your government records due to RIPA. Thousands of people get sexually stalked by council workers checking through their data every day. The government illegally sells data for the NHS, councils, banks etc whenever they can (and individuals such as the Chancellor personally pocket the profits as "wages" for work done)
Loyalty has been destroyed, trust is gone. No wonder the public is in favor of hiding their data.
Rather than encrypt comms, perhaps they could do something about the oodles of misinformation circulated on the platform. Or perhaps pass on the details of miscreants that is sees itself onto the security services? Rather than wallowing in the advertising revenue associated with it and coating their hands with blood.
I'd close the FB account down however it is the only universal means of connection I have for a lot of contacts.
I, as an American, find it difficult to believe that the British population isn't more critical and pushing back at government policies like these, which are clearly a road to intrusive and continuous mass surveillance of the population.
Brits have a misplaced trust in their government which is bordering on naive.