Lets start by making all UK politician's calls and messages public.
Perhaps then they might see the issue.
The UK’s chartered institute for IT has slammed proposed legislation that could see the government open a “back door” to encrypted messaging. BCS, formerly the British Computer Society, has warned that weakening encryption of secure messaging apps in online safety legislation would damage public trust in technology. The …
> Nothing to hide, nothing to fear?
Please, we all have curtains; don't trot this out.
Privacy means being able to choose the audience, timing and manner of revealing something, or choosing to keep it secret forever.
HT Cory Doctorow
"Please, we all have curtains; don't trot this out."
Sarcasm detector offline?
Cory does a magnificent job of explaining the difference between privacy and secrecy. His talks are always enlightening. (Dwarves might find them "endarkening").
at this point considering the amount of piss thats been taken by tories (PPE mate bundling, tax avoiding, etc)
The laws about any MP doing any slightly dodgy fucking thing, needs the right punishment . at the moment they have no incentive to do the right thing.
So I propose "hanging by the neck, then Head on pole outside parliament", once some of the fuckers heads are on poles the rest might think a bit more about not ripping off the public.
The problem is that we've been whacking this mole since 1996 or earlier and politicians have never understood the elementary fact that anything good guys can do, bad guys can do better.
The television is already listening and watching. To further the cause you should all have to install cameras in all bedrooms. A lot of violence is committed in the bedroom. Therefore, it is only just to make sure that it gets recorded and used as evidence against you perverts. The listening and viewing cars roaming the streets will make sure that every bad act, physically or verbally, is appropriately punished. Close all dark alleys. Make sure you are being controlled.
And don't forget to blow up parliament.
So this is only to be used to catch criminals? Won’t work.
Sure, you might get a few technologically inept petty criminals - but you won’t get the big guys. The terrorists. The kingpins of drugs, trafficking, pornography etc. Those guys are already on the dark web, those guys are already using messaging systems rolled for the purpose, built using open-source encryption algorithms - algorithms which will continue to exist outside of this legislation, and hence still inaccessible to law enforcement.
The only thing you can absolutely guarantee will happen from this legislation is that you will make the lives of the criminals easier, and I’m not just talking about governments. Those backdoors won’t stay secret for long, and then organised crime will have a field day mining the data that we all thought was private.
But surely Oversec will be subject to the same rules as Whatsapp and Signal? Either they'll have to remove them from the (UK) app stores, or they'll have to add backdoors.
Sure, there will be people who compile their own encryption apps and side-load. So they'll be after them next. But I suspect most people won't bother: they'll quietly accept their loss of privacy and security.
"they'll quietly accept their loss of privacy and security."
At least initially since "they have nothing to hide". Once they get burned or somebody they know has something bad happen to them, that's the end of that. A few others may become concerned when it's found that some dark government agency has been scanning and flagging millions of communications a day and keeping lists.
Oversec would most likely be categorised as a messaging app: its job is to encrypt data to be sent to other people, as its own website clearly describes, and there's no meaningful way to use it otherwise.
Banking websites don't need to break E2E encryption. The traffic is already decrypted at the server side, and if govt decided they need to monitor people sending messages through banking sites, they would do it there.
Hard drive backup is covered by existing powers that say you can be jailed for not revealing your encryption keys to plod on demand. Very recent example here.
I think the underlying point is: even though plod *can* get at encrypted data on your device today (without even grounds for suspicion, if they mention the word "terrorism"), they still need physical access to your device. The new powers are so that plod can do this remotely, and as a bulk trawl across *everyone's* devices.
yes, it will (or rather 'would') be interesting to see the developements in this particular case, i.e. whether he'll be kept in as a 'suspect in a terrorist case', or released on bail, or quietly put on the eurostar and told to never ever come back? Because, as I see it, the question of his refusal to hand over the 'passcode' to his phone has not been resolved, either by him cracking uder pressure, or... access gained otherwise.
On top of which, it's great to see this famous English 'understatement':
The Metropolitan Police said a man had been arrested over obstruction. - I don't know whether this is on top of the Schedule 7, or a 'plain English' way to describe it. The gentleman doth protest too much, methinks"?
"Obstruction" is similar to the US "wire fraud" - if you don't do as the Police ask that's obstruction...
As for "The gentleman doth protest too much..." I He's a journalist/publisher so we expect them to be more like canaries in a coal mine.
Interestingly, given what we now know about mobile phone security, I suspect they have already accessed the memory of his phone, handing over the access codes just enables them to publicly use what they have found as evidence without having to gain a warrant etc.
>Banking websites don't need to break E2E encryption. The traffic is already decrypted at the server side...
However, if the server is in a foreign country... Best to be safe and ban encrypted communications.
sarcasm/
Perhaps this is a good application of "AI", I'm sure AI can be trained to recognise encrypted communications and thus proactively block them by dropping packets.
/sarcasm
The answer to that is to forcibly install a scanner on your device (see the hoo-ha about doing this on iPhones a year or so ago). Not all devices are phones so that will have to apply to PCs as well. Of course the scanner will only be looking for Bad Stuff so that's OK. And it really won't be gobbling CPU cycles like 3 anti-virus scanners all running at once so that's OK. And there'll be no possibility of a supply chain attach that might let it steel banking creds so that's OK. No, nothing to worry about at all.
I believe the bill criminalises any content OFCOM can't read
So the bad guys will go old school, the time & date of messages will be the message, innocuous phrases will be the message, it'll all be readable but no one but the bad guys will understand what's being said
Of course that'll just be bad guys within the UK
Those that live elsewhere or visit the UK from countries that allow encryption or happen to be UK MP's will blithely continue to use encryption OFCOM can't read
Meanwhile the Government will be able to see our banking transactions
That's part of my argument. Let's assume we trust the Government of the UK to not abuse this (bear with me, I know it's a stretch...). So UK Govt, police, MI5 can read our messages but that's OK, because they're the "good guys". America sees this and enacts similar legislation, so they now have access to the back door. Hrm, Ok, but we're at least allies, so that's not too bad... Then China. Then Russia. Then a corrupt regime which is repressing its populace and arresting/killing dissidents. If you aim to allow the "good guys" access but not the "bad guys", you have to make moral judgements which companies are notoriously bad at.
Once you've hit that breadth of access, the backdoor isn't secure and the entire system is being snooped by, well, just about everyone.
As you say, anyone who is vaguely tech savvy will have a better, secure solution immune to these back doors.
Well, in China, they've had some laws for quite a few years now, that if you want to enter the country (as a foreigner), you have to hand over your mobile, including 'access', and they DO scan it. Obviously, you're not forced (not yet) to give them that access, it's just that you don't get to see the (other) Land of the Free. As to those inside, shrug, they're already covered by numerous internal laws, and 'laws', and 'we tell you what the law is - laws'.
>Let's assume we trust the Government of the UK to not abuse this...
Now add in the "special relationship" - if the UK Govt have your data, so do the NSA et al.
Add in what we know about US intelligence security and distribution [See:Jack Teixeira ] and we can be sure both Russia and China will also most probably have some form of access...
"Those guys are already on the dark web, those guys are already using messaging systems rolled for the purpose, built using open-source encryption algorithms - algorithms which will continue to exist outside of this legislation, and hence still inaccessible to law enforcement."
Kids will do the same thing. Banning software in one country isn't going to mean that it's not accessible from some other country. The one thing about kids is they have lots and lots of time to work on this sort of problem. If they know that something is being monitored or that their most private communications will be intercepted, they have plenty of free time that adults have to spend at work.
It's a parent's responsibility to raise and look after their children. If they are going to abdicate this task to the government, the world is lost and they shouldn't have had children in the first place. I know my parents would never have allowed me to have a computer connected to the internet in my room. I doubt they would have allowed me a mobile and certainly wouldn't have paid for it. Of course, I'm a bit older from "a better vanished time" when there was only one TV in the house and my dad chose what was on (I was the voice actuated remote control). I survived and believe I haven't done too bad. My sister and I did our school homework at the dining room table after school and had to complete it before going out to play. That was pretty good motivation to get it done and class was just hours previous so the material was still fresh in our heads.
I enjoy most of Doctorow's novels, but I couldn't finish Little Brother. I was constantly enraged while reading it, even knowing full well it was fiction and finding it utterly unsurprising. (That's not a dig at Doctorow's plotting – I just thought the novel was completely believable.) I have a literature degree; I've read a lot of novels that depict agonizing situations. But LB was just too much.
"the big guys. The terrorists. The kingpins of drugs, trafficking, pornography etc"
Terrorists tend to use simple technology - the Paris attackers used SMS to communicate. Even if they are on a watch list and have phones and emails tapped (and the emails are in plain english) nothing happens as there simply isnt the manpower to deal with this volume of information. The killers of Lee Rigby are a good example of this - they were known risks, their phones and computers were bugged, they made no secret of what they were doing, and yet were able to walk up and murder the guy.
Yes. For a couple of decades in the US we've been listening to the government scaremongers preach about "terrorist masterminds" and the like, but the simple fact is most of these people are rubbish at conceiving operations, planning, and operational security. When you're spending most of your conscious cognitive resources believing in some ideology really hard and trying to convince your minions to do the same, and your minions are drawn from the pool of people least capable of critical reflection, you're not exactly building a think tank.
The best actual terrorist plan executed to date in the US, in terms of sustainability and efficiency, was the Beltway Snipers. Muhammad and Malvo had the DC area freaking out for three weeks with a team of two people and a budget that covered one crappy old car, one rifle, ammo, and food and gas. They could have taken that show on the road and gotten the entire nation's panties in a twist basically for years, if they hadn't decided to start boasting about it. And that was an extremely simple plot. Every more-complicated one was either less effective or far more expensive and inefficient, or both.
There are a host of ideas in the terrorist playbook which these "masterminds" apparently never think to try. Coordinated arson attacks, for example, which could tie up all of a city's firefighting resources.
Basically, terrorists are to a first approximation idiots. The delta in terrorist plots you'll defeat by outlawing secure communications is negligible.
The same likely holds true for most other criminal activity.
Quote: "....weaken encryption...."
But whose encryption would that be?
Here at Linux Mansions all commumication with my buddies uses private encryption:
- Diffie/Hellman
- 30,000 bit safe primes
- Multiple encryption passes
- So....in case you need to to be told....NO PERSISTENT OR PUBLISHED KEYS anywhere
How is the government going to "weaken" encryption and decryption which ONLY OCCURS ON OUR OWN end point devices?
OK....we sometimes send out privately encrypted messages over Signal or WhatsApp......but we really don't care if those services use "weak" encryption..........
......because (obviously) when the spooks decrypt Signal or WhatsApp.....all they find is our privately encrypted messages (see above!).
We can't see a problem. Perhaps someone out there can explain.
Doesn’t affect me so I don’t care?
That is childish, and foolish in the extreme. There are a lot of reasons someone so *clever* as you should care:
1) If you find yourself in a society where encryption is banned, and you’re one of the only ones not sending plaintext, youll be very easy to see and as only criminals and kiddie fiddlers would need to, you may find yourself having trouble explaining what you were doing, with no way to prove innocence.
2) You might have friends or family who are harmed by personal, formally thought to be private communications made public or used for blackmail or ransom
3) Once this is allowed, it’s very easy to extend the powers by just saying “look we already do this here and here and it’s fine, so yes we’re going to scan every electronics device and find those creeps still hiding”, at which point you’ll need to up your game and start writing your own firmware and trusting your counterparts are doing it correctly too, because you will not be able to trust your devices as they come, regardless of software
4) Yellow stars - have some compassion, it’ll probably put you on the right side of history
@claimed
The AC does make an interesting point.....namely that some group or another using their own technology.....is scarecly being "childish"!!!!
Perhaps the point is that it's "childish" to rely for privacy on a single point of failure (e.g. Signal).....
....as opposed to taking personal responsibility.....and not subcontracting the responsibility to Signal (or GCHQ!).
It's a curious argument that people who take personal responsibility for their own affairs are automatically to be regarded as "creeps".
Just saying!!
"The AC does make an interesting point"
I need to give you a hint here: if you intend to sound like you agree with a point from someone else, you're going to have to write in a less distinctive style and one that's a little different from when you posted the first time. Even if, by some miracle you aren't the person who posted the first point, you've imitated their style, which doesn't look like anyone else, so well that I'm not the only one who will assume you're one and the same.
"some group or another using their own technology.....is scarecly being "childish"!!!!"
And also, if you want us to take you seriously, you need to read what you want to rebut. They didn't say "rolling your own technology is childish". They said that not caring because it doesn't affect you is childish. You appear to still be doing that, which suggests you also didn't fully understand their correct explanation of why it does affect you. For example:
"It's a curious argument that people who take personal responsibility for their own affairs are automatically to be regarded as "creeps"."
They didn't say that, and in fact the two of you appear to agree that encryption shouldn't imply guilt and should be protected. You disagree about the viability of the plan you think ensures your security but does not.
"Childish" is attempting to argue that since a problem doesn't affect you personally, then it literally is not a problem. It is a fairly primitive mode of thought, typical of a child.
Also, it is not true that this doesn't affect you. If a limited number of people deploy strong personal cryptography in a context where most people send plaintext, that makes you extremely visible to traffic analysis, and automatically suspect in a sufficiently paranoid regime. At which point, lead pipe cryptoanalysis can be effectively deployed.
Finally, "the AC" is yourself. That is obvious to the point of embarrassment. This sort of message board shenaningans is also childish.
if your tech knowledge is good, using strong crypto, then you should be good enough to hide it.
eg, people regularly sharing pics between each other, looks normal, but subtle changes in the image are actually stored encrypted data, and they don't even have to direct send the images to each other, just post em on a normal image share
"childish" is pretending any of these laws are in anyway useful.
FYI - you should NOT have to "prove innocence". THEY *MUST* need to PROVE GUILT.
And the genie has been out of the bottle for a LONG time. A user-downloadable-from-anywhere APK for encrypt/decrypt with end-end capability would be very easy, using PGP even, hosted on github or gitlab and 100% open source.
The only way that politicians COULD EVER STOP threatening such things is when it becomes obvious EVERYONE will DISOBEY.
"Compliance" is what *they* rely on. Sadly, *they* will never stop TRYING these sorts of things.
"We can't see a problem. Perhaps someone out there can explain."
Do your buddies include your bank, any business you deal with online, any website you might log into online?
Or don't you use any such facilities (not even el Reg!!)?
Maybe you don't, although I'm still having problems believing the implication you don't use el Reg) but a lot of people do. They are entitled to a bit of privacy in their daily lives. And in any case if the requirement is to use pre-encryption scanning then this legislation might require you and your buddies to install that - are you happy with that prospect?
TL;DR You fail critical thinking.
.".....because (obviously) when the spooks decrypt Signal or WhatsApp.....all they find is our privately encrypted messages (see above!).
We can't see a problem. Perhaps someone out there can explain."
SPOOKS:
There is a high entropy data data block in this message, probably unapproved encryption. Send out the Black Helicopters.
For example, a French journalist is currently in jail because the Met decided to arbitrarily demand they unlock their phone.
No evidence or "probable cause" required, this institutionally racist, misogynist and homophobic organisation can simply decide to destroy you.
- So....in case you need to to be told....NO PERSISTENT OR PUBLISHED KEYS anywhere
[...] We can't see a problem. Perhaps someone out there can explain.
Well for one thing, Diffie-Hellman is subject to an active man-in-the-middle attack. Without persistent signing keys or some other means of authenticating your peer, you have no idea whether you're encrypting data to your buddy or to your adversary.
>We can't see a problem. Perhaps someone out there can explain.
You probably aren't familiar with the world of wide area communications from a few decades back when encryption was rare...
Okay traffic volumes were much lower, but because the majority of the traffic wasn't encrypted, the encrypted traffic stood out.
I'm sure there are ElReg readers who have experience of working in some countries where unencrypted communications were reliable (well during office hours) and encrypted communications always seemed to get a bad connection.
So, in the new word of unencrypted communications being the norm, if you wish to draw attention to yourself go ahead and use tools that create data blobs that are clearly encrypted... whilst I suspect you will get away with the occasional encrypted communication, repeated and regular usage will raise your profile...
some are intelligent enough to know that you can make encryption that doesn't look like encryption, so no suspect.
Gov's are powerful, but even they are not omnipotent. they can grab as much as they like, the more they do the more they have a problem making sense of it.
analysing the huge data feeds is a huge problem, even with the limited data they have now they miss loads of stuff, just look at any successful terrorist event/ school shooting for the USA
the last time they did this shit, people sent Mp's encrypted files, then informed cops that MP had encrypted messages and should be arrested if they couldn't provide the password, police then pretended that it wasn't applicable to them.
if you wish to draw attention to yourself go ahead and use tools that create data blobs that are clearly encrypted... whilst I suspect you will get away with the occasional encrypted communication, repeated and regular usage will raise your profile...
But that is the point. The government are claiming that this law (and their intent) does not ban encryption. It just insists that anyone operating an encrypted messaging service has to be able to decrypt it. But if a significant part of the population decides to use the not-really-encrypted-any-more commercial service to deliver encrypted messages then no laws are being broken. Most of those people won't care if it "raises their profile" as they are doing nothing illegal - the bad guys will easily hide amongst the noise.
So, as soon as this law goes in to place, many hackers will provide tools to make it easy to encrypt your messages and then send them using a legally compliant service and decrypt them at the other end. I would certainly use it for all my messages - which are mostly about what to buy for supper, etc. Many of us do that today with gpg-encrypted mail and given the popularity of messaging, and the pushback from all the messaging companies, it will very rapidly become much easier than using gpg for mail is today.
Pretty sure that it's not the harm, abuse and criminal behaviour that happens on the streets that is the problem. The police can in theory see that and do something about it (not as often as we wished perhaps). It's the harm, abuse and criminal behaviour that happens behind closed smartphone apps that is, with the tech firms carefully and mathematically provably looking the other way whilst it happens...
So you're banning curtains then?
Same argument.
It's long been known that the vast majority of abuse happens in the home, perpetrated by people living with the victim.
Will you fit cameras in all your rooms, continually broadcasting to your local police station?
Same argument.
" It's the harm, abuse and criminal behaviour that happens behind closed smartphone apps that is, with the tech firms carefully and mathematically provably looking the other way whilst it happens."
The smartphone apps are simply a way of criminals communicating, not of being criminals in the first place. They're criminals. They're already intent on breaking laws. It's sheer folly to believe that you'll inhibit them from breaking laws by either giving them more laws to break by installing illicit apps or do more than inconvenience them by making then communicate by other means.
With that, the lack of upside out of the way, let's look at the downside.
The criminals are in the minority. It's maybe difficult for those whose job it is to investigate crime to get their heads round* but it is so. The majority of app users are not only innocent but have a right and a need to communicate securely. People not only have things to hide, they have things which they are obliged to hide. If you don't believe me look at the T&Cs that you happily clicked through when setting up some perfectly legitimate online service - such as your bank. If you don't find a requirement to keep your password secure somebody has been negligent; but that, of course, is just a trivial example.
If you use a smartphone for work any such traffic is likely to be commercial in confidence at the very least. For someone like my daughter, working in clinical trials that's also a trivial aspect; her communications will very likely have information which concerns patients' personal and medical information covered by a slew of regulatory and statutory restrictions. The data may also affect the sales prospects of her company's clients' products and therefore their stock prices and so is also subject to financial regulatory concerns. Oh, and jI forgot to mention, not only does she have to communicate with the actual medics looking after the trial subjects, her employers are multi-national and almost 100% remote working so online communication is the very foundation on which their biusiness operates. Of course her company's communications need security - it would be stupid to think otherwise. And yet it's proposed to make it impossible to give them the legal protection that legal requirements demand.
And similar concerns apply more widely. Now go back and re-evaluate your communications security needs. They might not be exactly the same as my daughter's but they're likely to be there, might be equivalent and you'll certainly not need to look very far to find others to whom secure communication is essential for their legitimate employment.
That's why tech firms are "carefully and mathematically provably looking the other way". They have to.
* Very many years ago that was my job and even today I will sometimes look at something and realise how it might be a scam, or could be used for one.
@Groo_The_Wanderer
Quote: "... a UK company..."
Well......then there's companies in the USA, or in Israel, or elesewhere........companies which might have MUCH more clout than the British.
I think your revulsion for a specific country (the UK) might be a bit of a security distraction (for you!).
That's not the point they were making. It's not that every UK company supports this and is dangerous for that reason. Instead, if the UK companies are forced to use no security, then it becomes unsafe for a customer to deal with them, even if otherwise they'd be entirely trustworthy. It isn't a stereotype of the UK agreeing to this, but an extrapolation of the dangers of having this law apply to communications you initiate. If you are located outside the UK, then you have a choice of whether to initiate communications covered by this flawed legislation.
" Instead, if the UK companies are forced to use no security, then it becomes unsafe for a customer to deal with them"
And customers will take their business elsewhere. I was looking at buying a product last night and the company selling direct was using two payment processors I've never heard of. I decided that I'd rather not buy direct, but though a retailer that is also selling for roughly the same price and uses a payment processor I have heard of. I expect that plenty of consumers aren't as fussed about something like this as I am, but when it comes to B2B transactions worth much more money, it's a big issue.
When I opened an international investment bank account through a UK branch, a few days later I started to get targeted investment spam to my never spammed email address before. The sender email was not related to the bank.
UK regulators seem inept. Let them do their existing jobs well before they start to regulate something more serious.
"Are you saying you didn't set up a specific email address for that bank? That's email security 101."
And a really good idea to have your own domain so you can add and delete email addresses at will. I have a stack of email addresses. Some are used for specific things and others are throw away accounts that get deleted the moment they start getting spam.
>Put in security holes, and I do no business with a UK company for any reason what so ever.
>I will not compromise on my security to appease British bean counters and fools.
(looks at the legal control the US gov can and does exercise over US company owned servers, and wonders if we're to see a repetition of this statement...)
Pretty sure that it's not https that's the issue. Https is end to end from browser to server, but the point is that if the server is a commercial offering then it's subject to the local jurisdictions laws and warrantry systems. If they they want to see what you've sent to that server, they just go to the server. Pretty odd kind of server, if it's unable to decrypt one's requests of it.
For example, every single damn thing one does on Amazon or Facebook's websites is subject to US law enforcement requests (suitably accompanied with a warrant), regardless of where you are in the world (the US claims digital dominion over any US owned server anywhere in the world, and any web address ending .com, .org, .net (the original US TLDs).
This of course can conflict with other jurisdictions; there was an ugly stand off between Microsoft, the Irish government and the US government some years ago, with the US insisting Microsoft handed over the content of an account hosted by MS in Ireland, whilst Ireland made it very clear that to do so would be a breach of their laws. Poor old MS were between a rock and hard place. US won that one. The faintly disgraceful thing about the episode is that there were already in fact established channels for inter-jurisdictional requests, but the US snubbed Ireland by trying to not use them.
In the UK, it appears that services such as WhatsApp or Signal seem to be the target. Sure, one's messages might go through a server that is subject to a local jurisdiction, but it's not necessarily readable at that point. So, no one at all is policing what is being exchanged.
Is There Any Real Security Difference Between E2EE and Server-In-The-Middle Anyway?
I think it quite interesting to compare the two systems of messaging in use - E2EE such as WhatsApp, Signal, and server-in-the-middle-which-has-plaintext systems (such as BlackBerry Messenger was, all telephones systems are, etc).
With a server-in-the-middle, the security of a user's message rests with the security of the user device and the keys it contains and the security of the server and its copy of the keys. One is trusting the service provider to guard the keys, and also guard the credentials for their software build system to prevent their app binaries being compromised, and make sure there's no vulnerabilities in their software.
Compared to E2EE, the service provider this time isn't having to guard encryption keys on their servers. But that's all. They're still having to guard the credentials of their build system to prevent their app binaries being compromised, and they're still having to ensure they're not carrying any software vulnerabilities.
On the whole, I'm not entirely sure that there's a massive net security difference. I'm still having to trust the app / service provider to get an awful lot of stuff very right. If they can successfully manage access to and audit of source code / build systems, they can probably also manage access to and audit of message encryption key stores in their infrastructure.
At least with Signal, if they somehow weren't keeping an adequate eye on their source code / build system access themselves, someone else could probably spot that the app binary being distributed (with hidden functionality) didn't match the public source code (into which the attacker would not have put the source for their hidden functions).
But a closed source system like WhatsApp, if they didn't spot an in-house attack (lost creds, or just a rotten apple): who else would ever know?
Well criminals don't obey the laws anyway hence the name so what we assume they'll magically obey the laws when communicating with their peers? All this does it make it easier for us to fall prey to criminals, the ONLY mitigation is strong encryption and nothing else. Whoever came up with this legislation is a moron of apocalyptic proportions and too stupid to do anything other bang rocks together and they might even be too thick even for that.
"Whoever came up with this legislation is a moron of apocalyptic proportions and too stupid to do anything other bang rocks together and they might even be too thick even for that."
I've noticed that it's a tactic of many politicians to keep submitting proposed legislation until they get it passed. It doesn't matter if it makes any sense or can be implemented, they'll keep on hammering. If it won't stand alone, they'll attach it to something else that will pass in an omnibus package even if the matters aren't related. Be clear, I'm not saying this proposal is going to pass so get over it, I'm just pointing out what to keep an eye out for. They'll be a law making Pi = to exactly 3 at some point. There was a law regulating DiHydrogen Monoxide passed in the US that was quickly repealed when the joke was pointed out (small town).
Being a moron of apocalyptic levels has never been an obstacle to a political career, indeed in the American system it almost seems to be a requirement.
Being incapable of learning from experience and demonstrating resolute immunity to clue of any sort at all is also a political trait that most politicians share; British ones are not exception to this rule.
It is finally worth remembering that a lot of politicians, besides being stubbornly thick and often too idiotic for any other career, have extensive legal training if not legal experience. This tends to make them assume that reality its very self can be manipulated by act of law. Thus to make encryption develop random holes merely requires them to tell someone to do it, and this thing shall be done.
There must be a better way to run a country than by using politicians!
Home secretary : "A British Internet! What a great idea! Why did nobody think of this before? Let's take back control of the internet here too, we don't want to use this foreign muck anymore with its rules set by unelected non-British bureaucrats, let's pass a retained IP rules law to abolish them all, and make a nice insecure Britternet (for the plebs, not us, obvs). Pull up the digital drawbridge! Freedom to go our own insecure way!"
2 weeks later : "Hey, where's all the money in my online bank account gone?"
The proposed initiative is scary, because AI systems already demonstrate super-human ability to "connect points". So when messages are not encrypted, the system will be able to identify and track every person. Their plans, their personality, their weaknesses, their secrets. Guess what happens when some crazy politicians decide to take over the country?
Encryption is an important step to protect from totalitarian control.
Encryption is also a means by which totalitarian control can be enforced. Is anyone in China able to replace their gov-backed phone firmware with alternatives stripped clean of everything the state has put in? Nope - secure boot... Or at least, that's how I'd imagine the Chinese state would have done it.
Encryption is not half as important as engaging with political processes and ensuring that they're not used to let totalitarianism in. Sometimes that can mean thinking hard about what some things enable. For example, everyone's pretty sure that letting Russian trolls on Twitter is probably a bad idea for democratic processes, yet Twitter is allowed to offer the services it does with no strong measures to prevent such trolls taking up residence. Is that a good thing?
The Nazis were voted in on the proportional representation system that operated in German politics at the time, whilst absolutely everyone stood by and watched them do it... Totalitarianism does not need the full powers of a state to gain control of a state. Idealists can and have adhered to idealist principals, and set the scene for the outcome opposite to what they stand for. Perhaps, strength comes from aspiring to idealist principals, living them to the maximum possible extent, but also knowing when, unfortunately, some dirty work is required.
They used their early position as PR "king makers" to become coalition partners and then left forcing a new election, and used rhetoric to gain more seats next time. Pretty sure that in a FPTP system they'd always have lost their deposit and never get a seat in the first place, so could never have got into a position of forcing fresh elections and blaming it on everyone else.
PR always leaves democratic systems vulnerable to this kind of manipulation - it's happening in Israel as we speak. Which, given Israel's and Israeli history, is disturbingly ironic. Most modern implementations of PR have at least some popularity cut-off, whereas the PR system in place in Germany after World War 1 pretty much meant that if a 1 person party stood for election, they'd get 1 seat. They'd then become most important to the largest party that's trying to assemble a coalition with the minimum of coalition partners, and just like that they'd be in government, with the power to bring it down. Not a good idea.
What I think we're seeing in Israel is the PR system being completely overwhelmed by a minority of the population that's grown sufficient large enough to do so, and now any Israeli prime minister has to dance to their tune or there isn't a government at all. Ok, on the face of it there's personal reasons why the prime minister is seeking the judicial reforms being sought. However, there'll be a price to pay down the line, which the coalition partners (who'll be needed to get the reforms through) will set, and it'll be a high price. And, given who the coalition partners usually are in Israel, one fears we ain't seen anything yet. Having a prime minister who could go to jail if the coalition partners decide not to play along is extremely unhealthy for democracy. A threat of jail is not a hold one politician should be allowed to have over another. That is totalitarianism, right there. Probably better to have straight-up corruption instead.
If this is the history being taught in schools these days, we are fucked.
The process by which Adolf Hitler became Chancellor of Germany was entirely legal and followed all constitutional norms for Germany at that time. Obviously, once he was Chancellor, all that went out the window.
The process by which the NSDAP and its leader gained power in the Weimar Republic is well worth understanding, partly because:
1) People who do understand it use it as a playbook for use against people who have not learned from history.
2) It illustrates that the well-meaning 'good chap' theory of political constitution is subvertable, and much thought needs to go into how democratic processes can be made resistant to subversion. It is not easy.
NN
"That secret removable floorboard looks more attractive by the day"
I'm thinking of a motorized lift under a piece of furniture to stash things. There was just a story of a guy busted for having pistol making equipment not too far away. The 'equipment' comprised a couple of 3D printers, drill press and Dremel tools. After I read that I could see how big of a terrorist I am and that I need to get help (hiding my 3D printers, etc).
If possession of general purpose tools is a criminal offence, then they may as well start amputating opposable thumbs.
I hope we are missing a subtlety, and some other method of demonstrating a mens rea has actually been used, like, for example, existence of a a viable collection of custom-made parts that can be assembled into a firearm.
NN
"I hope we are missing a subtlety, and some other method of demonstrating a mens rea has actually been used, like, for example, existence of a a viable collection of custom-made parts that can be assembled into a firearm."
The person was making handguns, but the press release from the police emphasized that they had seized gun making equipment making it sound like specialized tools and machines rather than garden variety hobbyist tools. Everything in the photo they included could be purchased online or in a local shop. They even grabbed a case with a set of drill bits and some screw drivers.
Since an algorithm is a set of instructions to solve a problem, and the problem is kiddy porn, then why are all those 650 Mindless Programmers not writing code instead of yet another Act.
The Obscene Publications Act 1959 didn't work for the private circulation of photographs of child exploitation, I have no confidence that 60 years later our present batch of legislators have a clue as to what they are doing.
"If $FOO is outlawed only outlaws will have $FOO" is a problematic argument. You only have to look at it's best-known usage. The fact that it's convincing to the gun lobby but not to me shows the likely reaction of others who don't see encryption as a good thing. Yes, we know why they are wrong. But the gun-nuts know why I'm wrong too.
...is sure, why not?
But...
It applies to every person, company and government body with a mandatory jail sentence for those not using it.
With NO exceptions. None.
So - banks, the military, the police and every goddamn sleazeball of a politician.
After all if you have nothing to hide...
Watch it go away then.
There's a technique called chaffing (with winnowing to undo) that gives secrecy(*) without encryption, just a requirement for higher bandwidth.
(*) To some level, the same as encryption.
This just gets us into a debate about definitions. Why isn't that encryption, since you still have a plain text message and a secret key that turns it into a private message and back again. If it does the same thing in a similar way, then why wouldn't it also be prohibited. I wouldn't count on that getting you out of legal penalties if the UK charged you for not revealing the encryption key and you tried to convince a nontechnical judge that technically, this has a different name so the key shouldn't be classified as an encryption key.
Why isn't that encryption, since you still have a plain text message and a secret key that turns it into a private message and back again.
There is no encryption and thus no encryption key. All messages are plaintext, readable by everybody so the prosecution would have to convince a nontechnical judge that a perfectly readable message in front of his eyes was not, in fact, a readable message. That would be a very interesting argument.
The key may not take the form of a nice portable string of bytes, but it's still knowledge, held by you and the person you're communicating with, which enables you to get a message out of a stream that others cannot unless they also have that information. If you embedded your message into otherwise random bytes, it would look like (and in my mind be) encryption even if all your plaintext bytes are found in that string. You also appear to be talking about embedding the message into something that looks like plaintext, thus using steganography. This will work well as long as nobody finds out that there is a message in it, but if they do, then they just have to show that proof to a judge to convince them that there is a hidden message in it and that you know how to get it out because you have secret information. If it ever comes up before that judge, I don't think arguing that the recovery mechanism isn't a key will be convincing, because they will regard that as a meaningless technical quibble. After all, the definition for encryption just involves making a message secret using a variety of mechanisms, and it doesn't exclude doing that by making the message much bigger.
If you were in a country that outlawed encryption and you still decided to encrypt, then this approach is still a good one because it makes getting caught much less likely. However, it is a safety mechanism for you, not a legal escape route. Lawyers don't care how clever you think your technical workaround is: they're the kind of people who think that law beats mathematics, so they will also think that law beats someone's definition of what encryption isn't.
I think you're missing the point. Chaffing is neither encryption nor steganography. There is no information hiding. It's more like propaganda – swamping the truth in lies. I can only suggest you read Ron Rivest's original paper[Warning: PDF] on it.
We dont need represive laws to protect children. All we need to do is mandate that all rooms in all houses have Alexa installed and running 100% of the time. Voice recognition works does it not?
So, now we can identify the cries of the children/wifes/husbands being abused and identify the perpetrators perpetrating.
All it then needs is to contract amazon to automaticaly send out the fines and we can reduce police numbers by 25%.
OK, so, cards on the table here, I have a PhD in mathematical logic, published a paper on secure encryption for voting schemes (not trivial, I discovered), so please respond in short, easy to understand sentences.
My problem: The proposed 'security of children' gained by having back-doored encryption for online communications was so that the communications of paedophiles and terrorists and drug smugglers and people traffickers etc. could be read by 'the forces of law and order', and their nefarious schemes brought to light, they would be caught and imprisoned. Safety of children while online was never mentioned.
There is a proposed (or actual) app which helps women walking at night to take safe routes, and there are tracking which I supposed could be used to keep an eye on children while they are outside. But this is different to having backdoored encryption on communications.
It is almost as if the politicians do not understand what they are talking about (I certainly do not).
Please help this bear of very little brain to understand WTF is going on.
The politicians have fucked up the country really badly this time, even by their standards, so the need to rally their core vote by any and all means possible. Blaming someone else (foreign techies) for everything and promising an easy fix is an example of such means. Other examples include "stopping the boats" and "stopping the votes". The children don't come into it. They don't vote, so no-one gives a stuff about them.
But you knew all that.
Some politicians really hate [insert type of criminal here] and would like those going after them to have every resource imaginable to catch them. The type of criminal could be something universally despised (terrorists, mass murderers, child abusers), or not, but that doesn't matter, because the politician is reasonably sure it won't ever affect him personally. Some others support the government-run spy systems that already violate any law in existence and will be the only group to actually use this new power, and would like to help them. All politicians like the ability to say that they've defended the country against those universally-despised groups, and more importantly, more so than their predecessor did. No politician has any understanding of what encryption is for or how it works, so they assume that it must be mathematically possible to lock everyone out perfectly except the people who are trusted, and don't ask any questions like "how do you specify who is trusted and who isn't", because they'll just shriek that someone who didn't fail their mathematics courses should be doing that boring geeky stuff.
If you've ever worked as a programmer, you've seen this at a smaller level. It's the thing where a nontechnical person comes with a demand for a new feature which doesn't make much sense, may be impractical or even impossible, and whenever you ask for a more detailed specification, they get annoyed that you can't understand simple logic. If it takes you more than one day to write, they complain that it only took them twenty seconds to explain to you (well actually about five minutes because you kept asking all these stupid questions until they said they had a meeting and ran away), so why is it taking you so long to explain it to a computer?
Ahh, so it is this thing called 'politics'. I should have known.
Oh well, that explains everything.*
*Quote from a Goon Show, I think it was 'The Million Pound Penny' after Bloodknock has been caught shooting fish by Eccles:
Bloodknock: Who are you? Explain away that tatty body and those Jacobean legs.
Eccles: I'm 'Mad Dan' Eccles.
Bloodknock: Well, that explains everything, but it doesn't help me at all.
OK, so, cards on the table here, I have a PhD in mathematical logic, published a paper on secure encryption for voting schemes (not trivial, I discovered), so please respond in short, easy to understand sentences.
Angle 1/2
I've zero direct knowledge, but my guess is that the consequences of such crimes are showing up in the support services that spot warning signs and / or end up picking up the pieces afterwards (NHS, schools, child care services, whatever successful arrests / prosecutions there are, etc), and these are showing intolerable increases. For instance, there are lots of care professionals for whom "think of the children" means dealing daily with some very damaged and abused kids, and they do collect and distribute statistics. Central gov would see those stats.
What the actual rates of harm are, I've no idea. However, the proposed solution has definitely got to count as being "contentious" legislation. Politicians don't like "contentious" legislation. It's a bad warning sign, all by itself. One way of making it less contentious is an automatic sunset clause. Another is if there's strong cross party support. I've no idea if these are planned, but I think that if there is strong cross party support, well I guess that we'd all be hoping that whatever grimness had prompted that would start to decline as a result of the legislation. Because if it didn't, that'd mean that some other idea would have to be tried instead, and that could be a much more significant thing.
On the other hand, strong political opposition would either be 1) an indication that there's no supporting stats, or 2) there are, but the opposition party was playing a very dirty political game on a topic that should be beyond mere politics.
Causation / correlation? Who knows, but if the consequences are getting really bad we perhaps cannot morally justify a genteel academic debate on the topic which likely won't conclude anything anyway, when doing something tangible may actually be beneficial. Criminals have always sought to have secure comms. Nowadays they probably all just use Signal or WhatsApp, and because those are free to use rather than costing a lot of money there's probably a bigger set of criminals exploiting them. There's never before been such a wide choice for the criminally minded, must be a real boon to their business. Taking that away, and coupled with the law that can already be used to compel someone to decrypt data, it could be quite difficult for even well funded and capable criminal groups to brew up their own OTT E2EE system that is safe for them to use.
Angle 2/2
Are They Tackling Just One End of the Problem?
One thing I do know was on the cards some years ago was passing on the cost of the NHS's increased mental health care costs (for children suffering the consequences of online bullying, grooming, etc) to Facebook, Twitter, etc. I don't think it came to anything, but it was reported in the newspapers at the time.
What interesting about that kind of thing is that it's more about identity of users, and less about what they've sent. What has been sent isn't in doubt - Facebook / Twitter are not E2EE - but proving it was a particular person is not something that some service providers are very good at.
I can see a case for a law that requires service providers to know very well who they're providing a service to, which would 1) likely stamp out the worst excesses of online bullying / abuse / grooming, because 2) if a line was crossed then there could be a proper reckoning for the perpetrator, more than a frozen account. But, no such legislation is in play? There probably should be, because that would help address your point that children need to be protected when they're online themselves, try and help stop them falling into bad situations in the first place. Prevention is better than cure.
Ah well, we'll see. Time to bring back BlackBerry Messenger?
It's much simpler than that. Politicians aren't looking at statistical reports being generated by different organizations. They listen to a few people who give them easily understood messages. For example, they listen to police who say that this one time we had a suspect's phone, and it was encrypted, and we're pretty sure there was evidence on it but we couldn't see it. Maybe that was even true, although they'd usually stop before the part where they did some more investigation and found other evidence. They want to have access to bypass the encryption, so they use this simple story and tell it to the politicians.
Think of this argument from the politicians' point of view. What makes more sense: this tool makes it harder for police, something that wasn't as common several years ago. That's an easy statement to understand, and it's accurate in those exact terms. Then a mathematician comes in and says that encryption can't be backdoored safely because of the following proofs, which take some time to parse even for us who work with equations frequently. The politicians don't have the ability to power through a proof; it's a bunch of numbers and Greek letters. It doesn't even take an idiot to believe this argument when ignorance and attempting to do everything quickly make it so easy to pick the simpler argument.
Similarly, they're not going to care too much when the rates of child abuse go up or down. Nobody will, because anyone who understands how the rates are calculated knows they're extremely unreliable and will work to make them as low as possible no matter where they are. Anyone who doesn't understand that, including politicians, will be easily convinced if there's a single anecdote of abuse that it's still terrible, which it is, and therefore something should be done about it. Since they don't know what that is, they'll ask the people who have the most contact. Those caring for abused children won't have a lot of simple, easily packaged and executed ideas, but police will have the same idea they always have: increase the powers of the police to investigate. So that's the path the politicians will take.
One thing I do know was on the cards some years ago was passing on the cost of the NHS's increased mental health care costs (for children suffering the consequences of online bullying, grooming, etc) to Facebook, Twitter, etc. I don't think it came to anything, but it was reported in the newspapers at the time.
Which was always a bloody stupid idea. FB etc would just point out that, in fact, well over 99% of participants (including kids) have a better quality of life and better consequences due to the existence of social media. Many, many more child suicides have been prevented than induced by the wider access to information, help, views and diverse experiences created by Internet services. I wouldn't want to go back to the days of school bullying with no access to online friends, help and other outlets.
And I say all this as someone who chooses not to participate in social media myself, except El Reg comments!
"Nowadays they probably all just use Signal or WhatsApp, and because those are free to use rather than costing a lot of money"
What if the bad guys use a whole bunch of those free services in rotation so the good guys would have to get all of the comms to follow a message chain? Throw in a couple of jokers such as PGP'd emails and physical postcards to make it even harder. If I send a postcard of the Golden Gate Bridge, Tower of London or any other hugely popular landmark where people are sending those postcards all of the time, it means something. The writing on the card can be anything or might have one word that modifies meaning.
I think the politicians do understand EXACTLY what they're talking about, it's just that you try to make a _logical_ connection because what they propose and 'safety of the children'. But the real connection is not logical, it's emotional. Politicians understand EXACTLY that talking about 'our children' works on their voters. Like with advertising, if 'think of the children' didn't work, politicians wouldn't use this argument over and over again.
Encryption was effectively illegal in the early days of the Internet as the import and export of hardware and software was restricted under regulations that covered weapons. I remember the arguments at the time about necessary levels of encryption to support effective e-commerce and the general reluctance to license anything more effective than DES. It was in 1993 that Phil Zimmerman came under criminal investigation over the alleged illegal export of PGP.
In 1996, the UK (in conformance with what was then EU policy) introduced proposals for key escrow which in the end got nowhere. Arguably, the wider tolerance of encryption schemes since has had more to do with protecting business interests (e-commerce and DRM) than personal data, though the EU position seems to have shifted more recently towards a greater enthusiasm for the protection of individuals - despite France maintaining significant controls on encryption until 2011.
Governments have always viewed ciphers with extreme suspicion and I suspect they view the current situation as a historical anomaly rather than a pattern for the future and will constantly be looking for an opportunity to "correct" it.
And when better to do it than when years of laissez-faire indifference means the criminal justice system is in meltdown and the police are terminally discredited and you have the opportunity to point the distracting finger of blame at foreign billionaires.
C1) NSA+Uncle Sam will secretly insert a covert backdoor into WA, Signal, Telegram etc
C2) Simple+transparent LE CC: key (see my earlier posts here) will enable governments to read messages. Necessary for public safety. If you want to know why, visit Paris and look at the paratrooper teams roaming the streets, complete with a combat rifle and a rucksack full of ammo.
https://www.theguardian.com/world/2016/apr/15/paris-attacks-operation-sentinelle-soldiers-patrolling-streets-france-safer
There's a joke in France that the only streets that get cleared of litter are the ones where there's known to be a protest brewing up. The authorities come in ahead of it and remove all rubbish, debris, to deprive the protest of hand bonfire material, things to throw, etc...
I was in France a week back, saw a massive convey of the CRS (their riot police) on the autoroute going somewhere. Last time I saw the CRS in France was they'd got called out for a local nurses strike that'd had turned into a protest on the local streets. That was quite entertaining to be in the middle of! I was there on holiday, when all hell broke loose in this small town. French nurses must be really quite something when on the rampage, if it requires the CRS to quell them. I made a note that, if ever under the care of the French medical services, to do exactly what they told me to...
"That was quite entertaining to be in the middle of!"
I'm french and I wouldn't say that, if I were you ! There are a lot of collateral damages in the Paris riot control method, since Macron and the period where the yellow jackets blew up his face.
This explains why they gassed kids being in Paris for last year (or the year before ?) UEFA finals ...
but isn't this violent protesting a 'traditional' French thing, where this or that government lets it happen every now and then, to have the plebs riot a little, let off their steam, feel they're in control, instead of letting them get together for a Mother of Riots that we know from the famous past?
"C1) NSA+Uncle Sam will secretly insert a covert backdoor into WA, Signal, Telegram etc"
For me personally, I could care less about those 'services'. You get what you pay for. More importantly is allowing them (randomagency.gov) to get a beachhead and establish precedent.
For some, Elon's revelation that there was direct government access at Twitter is really no surprise. I think most of us have been pretty sure of that for some time. Of course, it's seems rather stupid for him to be taking to the netwaves and bashing his own money losing company. Maybe his goal is to destroy it to be able to write off the loss after such a bad purchasing decision.
I could care less about those 'services'.
So you do care about those services. In fact you care so much that there is room in your heart to care about them a little, or even a lot, less than you do.
M'lud, the prisoner condemns themselves by their own words. The Crown demands the severest penalty available, pour encourager les autres—to say what they actually mean, lest they get themselves into hot water.
“Tech firms haven’t been held to account when harm, abuse and criminal behaviour have run riot on their platforms. Instead, they have been left to mark their own homework. If we fail to act, we risk sacrificing the wellbeing and innocence of countless generations of children to the power of unchecked algorithms.”
“Governments haven’t been held to account when harm homelessness and criminal behaviour have run riot on their streets. Instead, they have been left to mark their own homework. if we fail to act we risk sacrificing the well-being and innocence of children to the power of unchecked bureaucracy.”
the legislation WILL create a back door for governments. And once the powers are in, they will NEVER be reversed. After all, WHO would NOT want to protect our children with this absolute, at least 200% guarantee level of PUBLIC! SECURITY!
If I were said companies I'd simply ignore the law. If they enacted on it I'd simply leave the U.K., period.
Believe me, if WhatsApp leaves the U.K. it will stir up such a ruckus that the government will think twice of enforcing this law. It will become a paper tiger only.
Also, mind you that the U.K. already has laws (RIPA Part 2) that obliges telecommunications providers to intercept and unscramble encrypted messages. None of this has ever been used in practice.
Back when I worked in the public sector we needed to connect to the government secure intranet and extranet. You had to comply with a whole load of rules in order to connect. One of those rules was that no traffic passing across those networks could be encrypted. This didn't sound like a very good idea to us. So we asked the obvious question: Why?
The answer we received was puzzling. They told us that their networks were 100% secure as such no encryption was required. We were puzzled because there is no such thing as a 100% secure network and secondly and perhaps more importantly that's not an answer to the question why.
It seems that even way back then the reason was they they wanted to be able to see all the traffic traversing their network should they so choose. It was of no apparent consequence to them that there was a chance other people could see the traffic too. They thought their own network was 100% secure and they required that your own network was 100% was secure before you could connect to them. However their assurance that your network was 100% secure was based upon the answers to a questionaire.
In other words in their own minds the need civil cervix to snoop on network traffic far outweighs the risk of other people being able to snoop on that traffic.
... those of you in the USA (which does not include me), but maybe...
1: Have end to end no-back-door encryption once again put on the armaments list.
2: Point out the Second Amendment 'the right to bear arms' - surely if something is on the armaments list it's 'arms'?) to anyone in government who tries to ban it or insert a back door...
I know. It would never work. But:
A: People must be allowed to carry guns because Bad Guys(tm) might use them, so they need defense!
and
B: People can't be allowed to have encryption because some might use it to do Bad Things(tm)!
seem to work from mutually conflicting logic... but then, I'm an Idiot, so what do I know? :-)
Like many Europeans you're clearly ignorant why U.S. citizens have the right to bear arms. Americans see themselves as formerly oppressed who fought themselves free. The right to bear arms is to assure no government will ever put the chains back on!
The deaths from gun-violence are seen as the price to pay for freedom.
Oh yes there can. The Brexinet. It ends at Dover. Nothing in, nothing out. No freedom of data movement. 100% security from Johnny Foreigner, stopping them from coming over here (virtually) and using Great British bandwidth. None of those dangerously secure foreign apps or websites. Only British social media (Friends Reunited 2), British messaging (Royal Mail), British social media (phoning the pub on speakerphone), British music streaming (Radio 1) and British Netflix (BBC iPlayer). Why have contact beyond our shores - surely everything you want is available domestically on your world-beating Brexinet. And it is 100% safe because the police are monitoring it - especially all the female users who live alone.
Trouble is there is clearly a problem, so many closed groups with increasingly worrying behaviour due to them being private. It's not just criminals, it's people coming into touch with others and ordinary people becoming radicalised. Anti vaxxers are the best example.
Complain about the solution, but can you can offer another solution?
"...can you can offer another solution?"
Why only down votes? Even with my rudimentary understanding of encryption, governments, bad actors, etc., I can see (as most posters here would seem to agree) that any such legislation will be either or both of totally unworkable or have grossly unintended consequences.
So, instead of everyone proving how clever they are since they're professionals who Really Understand These Things by explaining that it won't work, then prove how clever you are by suggesting workable solutions.
(Ducks brickbats)
APTs, paedophiles and terrorists are very happy for E2EE to continue. For personal uses I can understand people not wanting to put their trust in ISPs, and commercially there is still a need for corporate VPNs. However it has come to the point where the need to counter malign use outweighs distrust of ISPs, and it is time corporate VPNs were registered, and all other VPNs restricted.
I appreciate that many are keen to continue with the Wild West approach to the internet, but we're now talking Fancy Bear, not Pattern Piggies.