So, we're back to square one again
We've already had this discussion, we've heard all the arguments, we've seen all the rebuttals.
And UK Gov is starting it all over again.
Is this insanity, or are they just suckers for punishment?
Apple has joined the rapidly growing chorus of tech organizations calling on British lawmakers to revise the nation's Online Safety Bill – which for now is in the hands of the House of Lords – so that it safeguards strong end-to-end encryption. "End-to-end encryption is a critical capability that protects the privacy of …
hmmm, like Daylight Savings, introduced as an emergency law during WW1, and we got stuck with it. There was also the 'Defence of the Realm Act' which gave us restricted opening hours for pubs, to 'luncheon' and 'supper' hours, and that only took 74 years to amend.
Drama was made subject to state censorship in 1737 in Britain to 'protect public morals' in response to satirical attacks on the government in plays by dangerous domestic terrorists like Henry Fielding (author of 'Tom Jones'). Sound familiar? It lasted until 1968.
It’s not unusual
Mine’s the one with the red dragon on the back.
I think it returns roughly every seven years.
Total Information Awareness, the Clipper chip - you name it.
The basic argument is that we must all install easily pickable locks in millions of houses so the police can briefly digress from their institutional problems and chase the ten or so troublemakers (compared in volume) while simultaneously enabling thousands of others to do the same, but undetected. It's almost like employment protection if it wasn't for the fact that simple statistics and frequent events suggest that there are quite a few dodgy ones hiding amongst that force itself - which will then have a much easier life too.
Basically, allowing this idiocy will amplify crime to the point of having to return to cash-in-hand transactions.
Brexit and now this again tell me that standards of education and analytical thinking in politics have declined to the point that Idiocracy is heading towards becoming a documentary, but without as yet any sight of a happy ending.
Something must be done! and they want to be the ones seen to be doing something against whichever particular group of undesirables is currently top of the list. If they can spin this as a way to stop migrants in the English Channel, you know they will. Maybe they'll try anyway.
Add it to the list of reducing government waste, ensuring growth, etc.
When your parliament (any western democracy) is majority comprised of washed-up ex-lawyers then the only policy you get is new laws. It's all they know.
The controversial draft law, which the government claims will make the UK "the safest place in the world to be online,"
Only someone so tech illiterate could make the statement that "<physical location> will be the safest place in the world to be <somewhere that is absolutely not location dependent> and can be accessed from anywhere"
It's the same old cabal of data fetishists, so many of whom seem to be Oxford PPE graduates.
Many of these high level civil servants are in the Intelligence community (Policy, not operations. IRL the equivalent of "Thomas Brian Reynolds" in Enemy of the State) so are used to putting out a cover story to hide what they want and why.
They don't give a s**t about kiddie fiddlers, except as a useful lever to control their behaviour of course. The C in MICE.
Their real "heroes" are
a) Francis Walsingham and his reputed ability to read every letter posted in England.
b) Cardinal Richelieu and "Give me six lines written by the hand of the most honest man, I will find something in them which will hang him"
It's a very inefficient way to catch sexual predators.
It's an excellent way (if you can remote update the "suspect words list," and you can bet any system they mandate will require such a mechanism) to spy on the whole population.
It's an excellent way to spy on a whole population
"and rumour has it Microsoft was actively involved in the Cloud Act (although I have as yet not seen any evidence of that)"
You must have missed the reporting at the time it was passed. Microsoft pushed them into it by insisting on a warrant in a case where the data* was held in an Irish data centre. Logic would suggest that it would have made an even deeper cleft stick for them as it would still mean ignoring the need for an Irish warrant. Did they protest about that? No, they welcomed it.
* Existing international agreements would have enabled this if the USian PTB had been prepared to seek one in Ireland.
Safest for the government they mean. Sort of like the Chinese system but with a couple of words like "responsible" and "reasonable" chucked in make it sound normal. Don't know why they don't just cough up the cash for Pegasus* like everyone else does or is it just a bit too targeted.
*Other sneaky scumbag software is available.
Too true, Pegasus and Predator etc. are already viewing everything that you can see on your phones and machines. The only real way for secure communications is to have an offline device do the encryption, send it to your smartphone or computer and then send that encrypted message to another internet-enabled device which relays the message to an offline device where the message is then encrypted. Comfortress by Kralos is a new player in the encryption game.
A very good paper was written on the subject way back in 2008 by Ben Laurie and Abe Singer: "Choose the Red Pill and the Blue Pill". Surprisingly, no attempt was ever made (that I know of) to put it in practice.
For the curious:
As an American currently residing in a bottom ranked state (yeah yeah I know), I feel obligated to challenge your claim. My current representative is truly astoundingly stupid. Every time I think, "No one could be that stupid," he proves me wrong and doubles down.
Are you thinking of Nadine I don’t know what I’m talking about Dorries?
For those who don’t know she was what’s known as the Minister for Fun (aka the Secretary of State for Culture, Media and Sport), who has the regulator OFCOM in their remit. Amongst other gaffes she made it one of her priorities to privatise Channel 4, one of the five major terrestrial TV channels. She appeared before a select committee and discussed this, claiming that Channel 4 was in receipt of public money. She was corrected by the chair of the committee, who pointed out they are a commercial broadcaster who take adverts, not public money. It is alleged that she had it in for Channel 4 because their flagship news show was very hard when interviewing members of the government.
A colleague is involved in this story. When the news reached the HoC committee, a committee member asked "why didn't you say anything before?"
The industry answer is there is so much fucking hot air from "the government" over this that and the other, that there is fuck all point in investing any time and effort until you know it's serious.
That, dear regtards, is the sign of a deeply dysfunctional government. No one trusts it enough to invest in engagement, so rather than carefully thought out laws that actually make sense, you descend into this pantomime run-in between ideology and technology.
Mind you, last time there was a "consultation" it was painfully clear that it was really just a "sign off on what we have decided" exercise. Again not a good use of time, money or reputation.
In a battle with Google, Microsoft, Apple, plus significant players like Signal, the UK can only lose. No matter what the TeleMailExpress report.
The UK is a sinking ship that continues to inflict pain on itself.
Mostly this absurd legislation with the absurd Orwellian NewSpeak discussions ("We believe E2EE can be safely backdoored whilst keeping users' privacy") is meant to disguise the utter incompetence of the UK Government and its politicians in cleaning up the mess Brexit has caused. Britain is becoming poorer by the minute and the politicians are helpless to do anything about it.
> We believe E2EE can be safely backdoored whilst keeping users' privacy
Politicians genuinely believe their laws (words on paper) can alter the nature of reality. It's still soothsaying and sorcery, just this time in bespoke Savile Row tailoring.
It's obvious that the less a politician actually knows and understands technology, the more they take for granted they can invoke it as a magic handwave solution to any problem, especially those they've created for themselves.
For example, at the time of Brexit, the claim that any problems created due to the border issue in Northern Ireland could be quickly and easily fixed by the application of modern technology. Despite anyone who actually understood the technology in question warning that it would be hugely more complicated than they imagined and take years rather than being an overnight solution, if it was possible at all.
"For example, at the time of Brexit, the claim that any problems created due to the border issue in Northern Ireland could be quickly and easily fixed by the application of modern technology."
Anyone with any intelligence would have realised that three mutually incompatible requirements created a problem beyond fixing other than by entirely removing one of them which was a political impossibility given that the third requirement was the one HMG had introduced.
Well, Norway and Sweden manage a virtual border between them just fine (Norway being EFTA, and Sweden being EU), but in the case of NI, everyone threw a strop over it because it meant they would have to reduce the number of border crossings (and there are not meant to be any border crossings between Éire and NI as per the GFA) to be able to put up the scanners as the lorries go by.
So what remains? The physical border in the sea. Which the "we're part of the grand British Empire, how dare you cut us off" dunces from the DUP threw a strop about and told May that that was not an option. The EU would probably have been ok with the Nordic stuff between the island and us, but May's successor, Mr "I've an oven ready deal" Bunglec**t didn't want to upset his Norn Iron blackmailers so he said no, and the model as it stands was negotiated.
And being stroppy over what that deal really meant for quite a while cost quite a bit because people like M&S and Tesco suddenly found themselves unable to supply NI shops, until several years and two prime ministers later, Sunak (to give him his credit) arranged the 'green-lane-red-lane' system with the EU. Of course, the ability to smuggle things through the green lane still exists, although just like at the airport, if you're caught, it'll cost ya.
Yes but when you say "Nordic stuff" you need to remember that Norway is not just in EFTA but also the EEA...
From the Norwegian Ministry of Foreign Affairs website:
Through the EEA Agreement, Norway, Iceland and Liechtenstein are equal partners in the internal market, on the same terms as the EU member states. This includes having access to the internal market’s four freedoms, the free movement of goods, persons, services and capital. In addition, the Agreement covers cooperation in other important areas such as research and development, education, social policy, the environment, consumer protection, tourism and culture.
Which makes things significantly different to the self-inflicted dog's dinner of NI.
You missed out that Johnson wanted to leave the Single Market, which messes up the "Nordic Stuff" idea. Staying in the Single Market would have solved all sorts of other problems too. And had that been the plan and initiated back in 2016, I doubt anyone would have been speaking about it past 2017.
Politicians are towering intellects, compared to technologists surely?
At least, in the politicians minds.
As someone who has actually talked to one for a while [Dorries], I quickly realised it was a case of "the door's open but nobody is home"
We believe E2EE can be safely backdoored whilst keeping users' privacy
I had to explain to my Mum a short while ago that end to end encryption underpins a lot of the modern world. “So why don’t they include these back doors all the politicos talk about then?” Well because if you do that and someone discovers this back door and works out how to open it, you’re screwed. So online shopping and banking would be totally impossible without E2E. WhatsApp (and Signal) both use it too etc. She now accepts that we can’t ditch it nor backdoor it.
She’s retired and has been for a good few years so has been around a lot longer than the average MP. She did no science at school because she was female and they didn’t back then. She’s got children and grandchildren so has thought of the children thank you very much. If she can understand this…………..
As Upton Sinclair observed "No man's ignorance is so great as a man whose livelihood depends on his ignorance"
And if you're playing the TOTC card you don't want to hear anything about "No you can't have 'unsecure encryption on demand,' which is basically what you want. It doesn't work that way. It's all or nothing. The mathematics of cryptography trumps your belief that we can do this."
Put aside "We believe E2EE can be safely backdoored whilst keeping users' privacy"....
What happens when a non-UK messaging app company just refuses to compromise E2EE?? There's nothing UK gov CAN do, particularly if it's stand-alone and open source (no UK stores / users / revenue to target), except try and mandate government control of all the apps someone has installed on their phone, ie they would have to not only to backdoor the messaging apps, but Android and iOS. Good luck with that, chaps!
The bottom line is, not only is it technically impossible to ban what they want to ban without huge negative consequences, but it's also trivial to sidestep and impossible to police.
The funnier thing is that, although they could enforce the inability to use the app on UK iPhones by forcing Apple to not allow UK phones to install it, the EU is busy working on Apple allowing alternative app stores of which overseas ones not affected by this would be perfectly fine.
Dealing with the "We believe E2EE can be safely backdoored whilst keeping users' privacy" comment for a moment... I once dealt with a head of marketing who trotted out a line like this at me. I replied that she could believe what she liked, it didn't make it true.
I agree with your last comment as well - this will be impossible to police. The thing with laws is that only law-abiding people follow them. Criminals, by definition, don't. Anyone likely to be dealing in prohibited material just won't use the back-doored apps or services, or will add their own layer of encryption over the top.
The UK government has already had experience of precisely how much notice Apple and Google take of their views during the time that COVID-19 contact tracker apps were being set up. The UK produced a horrible pile of rubbish which the two tech companies looked at, and flatly refused to have anything to do with. They then produced their own rather more elegant and much less intrusive options and presented these to the UK government as a fait accompli, take it or leave it.
The UK government then accepted the inevitable and took this option.
The same will happen with encrypted comms apps; the government will be quietly ignored by all and sundry and will eventually bow to reality and confine themselves to making the tax code ever more complicated.
the utter incompetence of the UK Government and its politicians
To be fair, the utter incompetence seems to be an Anglosphere wide problem. As a reminder, back in 2017 the Oz PM at the time, Malcolm Turnbull, stated clearly about encryption that "the laws of mathematics don't apply in Australia".
It's getting to the ridiculous stage where I'd not only like to see a hung parliament at the next election, I'd happily pay for the piano wire.
I have to wonder whether we've ever had a competent government that actually defended our freedom and served the people. We do have a history of pushback and Great Charters and suchlike in this country, but I would be surprised whether enough of our MPs know what it is or what it meant ("it's just about Barons and entitlements hehehe..." read past the first few clauses you fanny).
Even Boris let this abomination of a bill slip through under his premiership, and he once claimed he'd rather eat an ID card than be issued one. I wonder what changed for him, or was his objection simply because the Other Party had suggested ID cards? Stopping it could've been the One Good Thing he did in office, if he really believed that.
I don't know what's going on, while I welcome the inevitable kicking coming at the next election, I wonder will the Other Party deliver for our online and civil freedom?
Boris would and will say anything that he thinks will further his own interests with whoever he's talking to. He may well believe it until he has to say the opposite to someone else in an hour's, or even minutes', time and will be entirely unaware of having contradicted himself. One of the things which slipped out when some of his staff started describing their time working for him was that they kept trying to stop him talking to anyone, at least when they weren't there.
the Other Party will deliver EXACTLY the same bill, because "think of the children!!!" works on a huge majority of voters, because the majority of voters a) have children, or grandchildren, and b) they don't give a flying about 'encryption', etc. And no, when confronted with, 'so what about banking apps?', they'll uh-uh and come up with a classic gem: 'oh, they'll figure something out, I'm sure!' Like they did with Brexit, I'm sure.
"so rather than carefully thought out laws that actually make sense, you descend into this pantomime run-in between ideology and technology."
It's more between ideology and reality!
So they make E2E encryption without some way of monitoring it illegal. What are the dodgy image distributors and terrorists going to do? Clearly, they are going to find a method of communicating which still offers full encryption (the dark web will no doubt offer plenty of options) - probably also involving servers outside of UK jurisdiction.
Very obviously, people who are already doing things which are illegal are unlikely to be bothered about using communication tools which are also illegal.
Even politicians as technologically clueless as this lot must understand this, which demonstrates that 'think of the children' is just the usual, tried and tested despots' excuse. It won't stop those who it's claimed to be aimed at, but will pose massive security risks for the bulk of the population.
But the government will get to spy on millions of people, so that's all OK then.
quote: It's more between ideology and reality!
Well, so was Brexit, and that happened. The fact that the NIA wasn't compatible with it didn't stop them. That the world is now made up of trading blocs and failed states. That it was always going to take down the economy (25% off Sterling, extra costs of borders and lack of labour) didn't stop them. They just wreck things and declare victory. There is no way back from Brexit and there will be no way back from the Brexinet, with most services locking out UK users. Our digital future is Viewdata and will end at Dover. Prepare for another chunk off Sterling and record the postal addresses of your online friends. Maybe they will send you food parcels.
This country has completely gone to hell under the Tories - well, 85% there and buffering. Thatcher must be spinning in her grave. The deal she got us in the EU tossed out, the economy and City of London broken, Sterling degraded. Food rotting in the fields for lack of labourers to harvest it. Putin could never have done that much damage, and the Tories haven't finished yet.
Quote: "....Ofcom will have the power to instruct chat app makers and other tech companies to monitor conversations and posts...."
Privacy? So lots of interweb providers will be monitoring throughput:
- service providers running server-based services
- app providers giving users (or selling) apps to run on the user's own equipment
- "other tech companies".......whatever that means (Palantir, perhaps?)
This is not unforeseen: here's a link from 1999: https://www.wired.com/1999/01/sun-on-privacy-get-over-it/
Well....I for one have not "got over it". Why is it not clear to everyone that ANY use of interweb services (Signal, Telegram, WhatsApp)...any use of these services is a single point of failure for privacy?
The (partial) solution: use peer-to-peer messaging where the ONLY messaging software is resident on user end-points.....and the encryption protocols exist ONLY on the end-points. (So no dependencies on any third-party "service".)
Coming back to the quote above: peer-to-peer software seems to be outside the remit of Ofcom......and the nice people in Cheltenham and Fort Meade will have no big-dollar corporate support.
"Partial" privacy as I said...........but better than "get over it"!!
The (partial) solution: use peer-to-peer messaging where the ONLY messaging software is resident on user end-points.....and the encryption protocols exist ONLY on the end-points. (So no dependencies on any third-party "service".)
1. Protocols are fine but you need software to implement them. I suppose this was what you meant to say.
2. How do you get that S/W onto the endpoints?
3. How do the peers get in touch with each other?
4. Have you actually looked at Signal?
Good questions! Are you wondering how to do peer-to-peer with no central server
and hence no "master list" of peers?
(A2) As usual.....apt, dnf......I suppose there's a M$ equivalent as well!
(A3) The software is only on endpoints. Transport perhaps by email? (See "app password". Also item #b)
(A4) .....about that phone number requirement! ...about those central servers!
More generally, the assumption that E2EE requires a central single point of failure is false.
If (note "if") transport is by email:
(a) Every peer can use a different email provider
(b) Diffie/Hellman means that D/H tokens can be exchanged using plain text email
(c) Diffie/Hellman means that encryption keys are transient, random and never transmitted or saved
(d) Authentication can be inside the encrypted message!
(e) Of course, the encrypted message in transit can be read by a third party.
But given (a) (b) and (c) it's going to be many many times more difficult for third parties
because of the diffuse nature of the communications, and because every message uses a different key.
Nothing is perfect, and privacy is hard. But third parties have no constitutional right to see my messaging.....
......unless they have charged me and have a warrant! And until the law changes, our group will use
private encryption to keep (some of) our messaging private (see above).
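The email-transported Diffie-Hellman scheme in points (a) to (e) above, worked through as an added example; this is the editor's code, not anything posted in the thread. Assumptions made here because the comment leaves them open: X25519 for the DH step and AES-256-GCM for the message body, a transcript label and HKDF info string chosen for this example, and the "authentication inside the encrypted message" of point (d) realised as an HMAC over both ephemeral public keys under a pre-shared secret the two peers exchanged face to face. The check a practitioner wants is the active case: (b) and (c) alone defeat a passive reader of the mailbox, but a relay that swaps in its own public keys shares a session key with each side and reads every message, and only (d) lets the recipient notice.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// must: any error here is a bug in the example, not a protocol outcome.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// transcript binds both ephemeral public keys, initiator first, exactly as each side saw them.
func transcript(initiator, responder []byte) []byte {
	return append(append([]byte("p2p-mail-v1|"), initiator...), responder...)
}

// hkdfSHA256 is HKDF (RFC 5869) extract-then-expand for one 32-byte output block.
func hkdfSHA256(secret, salt, info []byte) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(secret)
	exp := hmac.New(sha256.New, ext.Sum(nil))
	exp.Write(append(info, 1))
	return exp.Sum(nil)
}

// sessionKey: X25519 agreement, then a fresh AES-256-GCM key. The shared secret is never stored or sent.
func sessionKey(own *ecdh.PrivateKey, peer, tr []byte) []byte {
	pub := must(ecdh.X25519().NewPublicKey(peer))
	return hkdfSHA256(must(own.ECDH(pub)), tr, []byte("aes-256-gcm key"))
}

func aead(key []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

// seal prepends a random 12-byte nonce; open expects the same layout.
func seal(key, pt []byte) []byte {
	g := aead(key)
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, pt, nil)
}

func open(key, ct []byte) ([]byte, error) {
	g := aead(key)
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// innerTag is the "authentication inside the encrypted message": an HMAC over
// the transcript under a long-term secret the two peers shared out of band.
func innerTag(psk, tr []byte) []byte {
	m := hmac.New(sha256.New, psk)
	m.Write(tr)
	return m.Sum(nil)
}

// Exchange sends one message (inner tag || text) from Alice to Bob through an
// untrusted mail relay. With mitm=true, Mallory swaps both public keys for her
// own, decrypts Alice's message and re-encrypts it for Bob. It returns the text
// Bob recovered and whether his inner authentication check passed.
func Exchange(psk []byte, msg string, mitm bool) (string, bool) {
	curve := ecdh.X25519()
	alice, bob := must(curve.GenerateKey(rand.Reader)), must(curve.GenerateKey(rand.Reader))
	mallory := must(curve.GenerateKey(rand.Reader)) // only used when mitm
	aliceSends, bobSends := alice.PublicKey().Bytes(), bob.PublicKey().Bytes()
	aliceSees, bobSees := bobSends, aliceSends // the plain-text "emails" as delivered
	if mitm {
		aliceSees, bobSees = mallory.PublicKey().Bytes(), mallory.PublicKey().Bytes()
	}
	// Alice: key from what she saw, inner tag over HER transcript, then encrypt.
	trA := transcript(aliceSends, aliceSees)
	wire := seal(sessionKey(alice, aliceSees, trA), append(innerTag(psk, trA), msg...))

	if mitm { // Mallory shares a session key with each victim and reads everything.
		leaked := must(open(sessionKey(mallory, aliceSends, trA), wire))
		wire = seal(sessionKey(mallory, bobSends, transcript(bobSees, bobSends)), leaked)
	}

	// Bob: key from what he saw, tag checked against HIS transcript. Without psk,
	// Mallory cannot produce a valid tag over (her key, Bob's key).
	trB := transcript(bobSees, bobSends)
	body := must(open(sessionKey(bob, bobSees, trB), wire))
	return string(body[sha256.Size:]), hmac.Equal(body[:sha256.Size], innerTag(psk, trB))
}

func main() {
	got, ok := Exchange([]byte("shared once, face to face"), "meet at the usual place", true)
	fmt.Printf("recovered=%q authenticated=%v\n", got, ok) // Mallory read it; Bob can tell
}
```

`Exchange(psk, msg, false)` returns the text and `true`; `Exchange(psk, msg, true)` returns the same text and `false`, because Bob's tag check is over the keys he actually received. Note what that does and does not buy: Bob finds out about the relay only after opening the first message, which Mallory has already read. A deployed protocol verifies the tag (or a signature over the ephemeral keys by a long-term identity key) before any content is sent, which is why real designs add a round trip or a signed pre-key rather than relying on the inner tag alone.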
Quote: "Have you actually looked at Signal?"
(1) See https://support.signal.org/hc/en-us/articles/4850133017242-Twilio-Incident-What-Signal-Users-Need-to-Know-
(2) Signal only supports Debian on Linux......pity about any other Linux users
(3) Then there's the telephone number.....
(4) ....and the servers......
Perhaps someone can tell me that the open source code for chacha20 and curve25519 hasn't been undermined somewhere (Fort Meade? Cheltenham? Moscow? Beijing?.........)
And apart from that....I know absolutely nothing about Signal....please enlighten me!!!
Well good luck with that UK gov. My PCs run Linux and my phones Lineage OS so I doubt any client side scanning will be baked into my OS by the dev teams there.
And I am happy to VPN to change my location to outside the UK or sideload apps to ensure I get the international versions, not any backdoored apps, if they compel app stores to only allow compromised versions for those in the UK.
TBH though I can see this dragging on for another 12 months and then it will be getting towards GE campaigning and will probably get stuck in the Tory party manifesto for implementing if they win the next GE. Which looks doubtful unless Sunak can pull a miracle out of his arse within the next year, due to the cluster fsck they have done to the country over the last few years.
I'm a bit confused about the use of the phrase. It implies there is "weak" encryption, with a line drawn somewhere between the two. I'd be interested to know where the line is and if there is any consensus about where it is. I'd imagine that the security services would like to class anything above ROT13 as strong.
Can I suggest everyone stops calling it "strong" encryption? Strong encryption = encryption, any other form of "encryption" is meaningless.
Strong encryption is any encryption where the cost in money/time/effort to crack exceeds the value of the information retrieved.
Since the value of the information being protected is variable, the relative strength of the encryption used is also variable. ROT-13 is strong enough to protect my Christmas present shopping list from my children's prying eyes this year, but might not be strong enough next year.
Quote: "....the value of the information retrieved...."
There's a problem with this definition: the nice folk in Cheltenham and Fort Meade HAVE NO IDEA OF THE VALUE of 99.9% of the messages which they attack!!!!
....because they are on a mission to trawl EVERYTHING.......irrespective of "value"!! Paul Smith's privacy has zero "value" for them, but that doesn't stop the snooping!!!
For details see Edward Snowden, 2013.
Well.....No! In this context the word "strong" does have a meaning, and is defined thusly:
- strong, adj. Used as a synonym for the phrase "cannot be decrypted in Cheltenham".
So if you get hold of a copy of Bruce Schneier's book "Applied Cryptography, 1996/2016" you can find an endless list of examples of (and code for) encryption protocols, many of which may not be "strong" today.
One good aspect of this is that some sorts of encryption may be "strong" simply because they are well designed AND are only used by a few, privacy conscious groups. Of course, if such a "strong" protocol were to attract heavy-duty attack, then the likelihood of it remaining "strong" is remote. C'est la vie!!
Your reference to Bruce Schneier's book reminds me of something I found amusing.
I put in a request to borrow a copy from my local Library.
When it arrived I noticed that the previous location was the Library at Gartree High Security Prison, which happens to be in the same county as I am.
I've often wondered whether anyone in that institution managed to get any further than I did before giving up because of the Maths.
I was thinking about this too.
Is the law banning transmission encryption (that the carrier cannot monitor the content of at all) or banning all encryption during transmission (carriers could monitor data but not decode content)?
For example implementing e2ee of a data stream containing a file would be illegal, but would sending a fully pre-encrypted file over an http connection?
I was also wondering where use of the https protocol stands in all this?
"I was also wondering where use of the https protocol stands in all this?"
I'd say it could be interpreted as being E2EE, given that it's a set of encrypted messages between one end of a connection (your browser) and the other (the web server) - and back again.
Just as "illegal" as any chat via WhatsApp, Signal, et al, therefore...
" It implies there is "weak" encryption, with a line drawn somewhere between the two"
There is ... or actually, was. I feel the commenter is too young to know. An American invention, naturally, where software using a key longer than 40 bits (of one specific method) was classified as a military secret and placed under an export ban. Then Ylönen wrote SSH (protocol & software, for/in IETF, 1995), which used whatever key length you wanted, and published it on the internet, making US programs with limited key length obsolete within months.
"Strong encryption = encryption, any other form of "encryption" is meaningless."
Nope, and all of these government schemes (anywhere, not just UK) specifically try to introduce weak encryption. It *is* a different thing and very real.
Latest NSA sabotage was an encryption method with hidden weaknesses they managed to force into standards: specifically a modern example of 'weak encryption' in practice.
"There's a concern this all starts with tackling child abuse and terrorists – something with which the population won't generally have a problem"
I don't know who "THE POPULATION" is supposed to be because I have a problem with this method of " tackling child abuse and terrorists". There is a small teeny-eeny itsy-bitsy problem with using what is essentially spyware installed on the phones of terrorists and child abusers, and that is that the government doesn't know who the terrorists and child abusers are. What this bill is actually saying to the public at large is "you are all potential terrorists and child abusers and we will spy on all of your communications until we catch you". It's not a problem that it's a slippery slope starting with something innocuous that could potentially be abused later - It's highly abusive right from the start.
That's even ignoring the fact that it isn't going to be possible to reliably scan on-device without getting a bunch of false positives, which is guaranteed to end up ruining some innocent people's lives because "computer says so" will morph into "AI says so", and the AI is always right as any fool knows!!!
Oddly enough they do tend to use the services they're attacking. They maybe don't realise they are encrypted because it's apt to leak out anyway - they leak it themselves whenever it becomes worth it to do so. E.g. handing it all over to a journalist to help them write their account of dealing with Covid.
Ah yes, I've mentioned it here before that I took part in the proofreading. Thick stack of paper. A floppy disk. On the diskette was the aforementioned stack OCR'd.
My (and many other volunteers') task was to proofread the code on the diskette. OCR back in the day was not great. Still, better than typing it in and still needing to have it proofread anyway.
...Buckle up for a return to newspapers, pen pals, paper catalogues, encyclopaedias, and 28 days for delivery. Plus you will be needing that chequebook after all. Because the least competent people in the UK are running the UK. I thought I hated the government as much as a person can, but I'm clearly going to be hating them even more soon.
See Simon Singh, "The Code Book" for a write up on book ciphers. Plain English: Yes. Easy to "decrypt": it varies!
Now with computers to help, this sort of cipher can be built on widely (internet) available dictionaries (like the file linux.words).
...and still plain English!!! ...and still "enciphered"!!!!
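A keyed codebook built from a word list, as described in the comment above, worked as an added example (editor's code, not from the thread or from Singh's book). The word list here is a short constructed stand-in for linux.words, and the keying method, ordering the list by HMAC-SHA256(key, word) and pairing each word with its counterpart at the same position, is one choice among many; the point is that the output is made entirely of dictionary words, so a "suspect words" scanner sees nothing, while a fixed substitution still leaks word frequencies and repeats to anyone with enough traffic, which is the "it varies" part.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Codebook is a keyed word-for-word substitution over a public word list.
// The key only selects which permutation of the list is used, so encoded
// text is still made of ordinary dictionary words.
type Codebook struct {
	enc, dec map[string]string
}

// NewCodebook sorts a copy of the list by HMAC-SHA256(key, word) and pairs
// each word with the one at the same position in that keyed ordering.
// Words must be unique.
func NewCodebook(key []byte, words []string) *Codebook {
	rank := make(map[string]string, len(words))
	for _, w := range words {
		m := hmac.New(sha256.New, key)
		m.Write([]byte(w))
		rank[w] = hex.EncodeToString(m.Sum(nil))
	}
	perm := append([]string(nil), words...)
	sort.Slice(perm, func(i, j int) bool { return rank[perm[i]] < rank[perm[j]] })
	cb := &Codebook{enc: map[string]string{}, dec: map[string]string{}}
	for i, w := range words {
		cb.enc[w] = perm[i]
		cb.dec[perm[i]] = w
	}
	return cb
}

// apply substitutes every whitespace-separated word; anything not in the
// book is an error rather than being passed through in the clear.
func apply(table map[string]string, text string) (string, error) {
	var out []string
	for _, w := range strings.Fields(strings.ToLower(text)) {
		sub, ok := table[w]
		if !ok {
			return "", fmt.Errorf("word not in book: %q", w)
		}
		out = append(out, sub)
	}
	return strings.Join(out, " "), nil
}

func (cb *Codebook) Encode(text string) (string, error) { return apply(cb.enc, text) }
func (cb *Codebook) Decode(text string) (string, error) { return apply(cb.dec, text) }

// Words stands in for a file like linux.words; this short list is constructed
// for the example.
var Words = strings.Fields("at apple bridge cat dog evening fish garden house island jam kettle lamp meet morning night orange pen quiet river station the tonight under van window")

func main() {
	book := NewCodebook([]byte("a secret both sides know"), Words)
	ct, _ := book.Encode("meet tonight under the bridge")
	pt, _ := book.Decode(ct)
	fmt.Printf("encoded: %q\ndecoded: %q\n", ct, pt)
}
```

Both sides need the same key and the same word list; with a real dictionary the list is public and only the key is secret, so the "key exchange" problem is the same as for any other cipher. Unknown words are rejected rather than sent in the clear, because a single unmatched word would hand a scanner exactly what it is looking for.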
that sounds about right, although with the knowledge already out there, it would take 20 odd people in 4 or 5 teams to destroy the electrical grid in this country for a few days/weeks. I can't detail how for obvious reasons but it's pretty easy.
So... how does my hypothetical terrorist network communicate in attempting to do more damage to this country than the tory government has already done? (bloody hard job... might have to ask Putin to send over a few nukes heh)
It won't be by farcebork secure messaging app, that's for sure (or anything like it), simple dead drops and burner phones etc etc
As for 'having a backdoor' in strong encryption ... will someone send these idiots on a basic university mathematics course and explain in detail about public/private key messaging and the algorithms behind it. There is no back door... it's either secure or it's broken.... and if it's known that there's a way to break a messaging app you can be damn sure there'll be all sorts of people trying to break it
"As for 'having a backdoor' in strong encryption ... will someone send these idiots on a basic university mathematics course"
No. Just ask them to commission a proof of concept. It would, of course, have to pass scrutiny by independent experts to verify that the monitoring facility couldn't possibly provide any form of point of weakness.
It wouldn't take much coordination for millions of people to send a couple of messages a day that contain trigger sentences to completely overload whatever system gets put in place. Imagine every nick in the country getting told to go and investigate 90% of the local population for potentially being terrorists every day. It'd fall apart in a week.
Here’s a possible outcome if the lawmakers don’t watch out: Apple monitors everything and tells Ofcom “we found 13,279 cases of violations”. Ofcom: So who are these 13,279 animals? Apple: Sorry but your law didn’t tell us to record that. All we know is 13,279 cases.
Apple has to report how many phone IDs they handed to the police in every country. At some point they reported over 10,000 numbers to police in Brazil, absurdly high compared to all other countries. Turned out a truck with 10,000 iPhones had been stolen :-(
The whole bill is such an unworkable mess that it is likely to collapse under its own weight; just look at the last UK age verification law that was delayed over and over again until it was quietly scrapped.
There's also the fact that Ofcom is likely to be super underfunded and unable to enforce 90% of the bill, so it's likely the rules will not be effective.
Perhaps Signal could make a restricted version that allowed SMS-length messages and voice only (no video or attachments). So no serious possibility of the content that is supposedly the target.
And if they did that, perhaps they could roll out a preview, so people see what they are going to get.
Let's get someone knowledgeable to run a lecture for the MPs pushing this. As they too would be affected by the weakened encryption - their beloved WhatsApp would suddenly become a security problem. If there's a hole, criminals will exploit it - and not just local criminals, but other countries that are constantly looking to destabilise the west will love it. A nice easy way to get the discussions of government ministers, unencrypted.
The entire concept would be scrapped if anyone with influence had an inkling about Bayesian statistics. The false positives will use up resources that would be far more effectively used elsewhere.
But, as others have implied, the media will have a field day with politicians...
I quote a witness:-
“These anti-democratic spying operations, and the abuses that resulted, were not the work of a few rogue officers – I hold some blame for the individual spies, but the real problem was the managers who tasked these officers, heads of the police, security services like MI5 who were recipients of the files and directed some of the targeting.”
This has been going on in our society for decades.
This bill facilitates the next generation of state corruption.
As security bods will tell you, having your network end-point the same as your security end-point is poor practice.
Adding scanning software that you do not control to your security end-point is sub-optimal too.
What backdoored encryption and on-device pre-encryption scanning do is make effective encryption more difficult, but for those who need to send properly encrypted messages, you have to ensure the encryption is done before being entrusted to a compromised communications medium. This makes it inconvenient, which is probably the point, as it means catching the ignorant and unwise who can't be bothered is made easier, and more sophisticated users of encryption stand out for further investigation, as it is difficult to disguise pre-encrypted data, steganography notwithstanding.
If you can't trust your phone or PC, you can fall back on manual methods, as described in this posting by Bruce Schneier.
Or use a One-Time Pad.
I would fully expect the use of effective encryption to at least be flagged up to 'the authorities'; and it could come to pass that use of effective encryption for any purpose is made illegal.
Steganography is susceptible to detection by statistical methods of increasing sophistication. An adversary might not be able to decode steganographically encoded data, but they can almost certainly detect that it is there, so it is not a magic wand to make eavesdroppers magically give up and go away.
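To show the kind of statistical detection the comment above means, here is an added example (not the commenter's code) of the simplest such method: the pairs-of-values chi-square test, in the style of Westfeld and Pfitzmann, against least-significant-bit replacement. LSB embedding can only move counts between the histogram bins 2k and 2k+1, so a fully embedded random-looking payload (which is what an encrypted message looks like) pushes each pair towards equal counts, whereas natural covers have uneven pairs. The cover below is constructed with an artificial even/odd imbalance so the effect is visible without an image library; real images show the same uneven pairs for their own reasons, just less extremely.

```python
import random
from collections import Counter
from math import sqrt


def embed_lsb(cover, bits):
    """Overwrite the least significant bit of each cover byte with a payload bit."""
    if len(bits) > len(cover):
        raise ValueError("payload longer than cover")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | (bit & 1)
    return bytes(out)


def extract_lsb(stego, nbits):
    """Read the payload back out of the first nbits bytes."""
    return [b & 1 for b in stego[:nbits]]


def pov_chi_square(data):
    """Pairs-of-values test: Pearson's chi-square of each (2k, 2k+1) bin pair
    against the hypothesis that the two bins are equal. Returns the statistic
    and the degrees of freedom (one per non-empty pair)."""
    h = Counter(data)
    chi2, dof = 0.0, 0
    for k in range(128):
        even, odd = h[2 * k], h[2 * k + 1]
        expected = (even + odd) / 2
        if expected == 0:
            continue
        chi2 += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
        dof += 1
    return chi2, dof


def chi_square_z(chi2, dof):
    """Normal approximation: if the pairs really are equal the statistic has
    mean dof and variance 2*dof, so z near 0 says the LSBs look overwritten,
    while a large positive z says the pairs are still uneven (clean cover)."""
    return (chi2 - dof) / sqrt(2 * dof)


def constructed_cover(n, rng):
    """Constructed cover, not a real image: even values outnumber odd ones 7:3.
    Real covers have uneven pairs for other reasons (sensor noise, smooth
    gradients, JPEG decoding); this just makes the effect easy to see."""
    data = bytearray()
    for _ in range(n):
        v = rng.randrange(0, 256, 2)
        if rng.random() < 0.3:
            v |= 1
        data.append(v)
    return bytes(data)


def demo(seed=1, n=20000):
    """Return (z_cover, z_stego) for a constructed cover before and after a
    full random payload is embedded in its least significant bits."""
    rng = random.Random(seed)
    cover = constructed_cover(n, rng)
    payload = [rng.getrandbits(1) for _ in range(n)]
    stego = embed_lsb(cover, payload)
    assert extract_lsb(stego, n) == payload  # the hidden data is intact...
    # ...but the histogram pairs have been flattened, which is what gets noticed
    return chi_square_z(*pov_chi_square(cover)), chi_square_z(*pov_chi_square(stego))


if __name__ == "__main__":
    z_cover, z_stego = demo()
    print(f"cover z = {z_cover:.1f}, stego z = {z_stego:.1f}")
```

The point the comment makes holds: the detector never learns a single payload bit, it only sees that the pair statistics have collapsed. Sequential full embedding is the easy case; partial or scattered embedding needs windowed or sample-pair variants, which is the "increasing sophistication" of the comment.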
Currently the pendulum of response to the distribution of information that is illegal to own and distribute (such as CSAM, National Security related secrets, terrorist handbooks etc.) is swinging towards removing everyone's privacy, and possibly other freedoms. If one is to argue against that, one needs a good argument why it should be possible to distribute such material that stands up against the testimony of abuse victims and National Security requirements. Are you happy to be killed by terrorists who successfully concealed their plot; or have your children exploited for the perverse predilections of others? That's a 'big ask' for the ideals of personal freedoms and privacy. Are you willing to be a potential martyr or potentially ruin the lives of your children for the ideal of liberty? If you are, can you convince enough other people to feel the same way?
Personally, I like the 'freedom to encrypt', and to know that the full disk encryption on my PC is not backdoored. But I have not had to make a stark choice, and freedom to encrypt means some people will pay dearly for that freedom. As a society we need to decide how to deal with the question, preferably without emotion-laden debate. Politicians proposing laws is part of that process.
It might seem cold-blooded, but calculations about how much lives are worth are made all the time when determining the cost benefit of road- and railway- safety-related upgrades, and by NICE when determining if drugs should be made available for treatment. I think the same cold-hearted calculations need to be made about the freedom to encrypt. But I'm in a minority, and such a viewpoint is regarded at the very least as lacking empathy, and by some as positively sociopathic.
If the politicians do ban effective encryption, then the UK (or England & Wales) might be a grand experiment in finding out the cost to society of not being able to encrypt effectively. The outcomes are likely to be interesting for academics and other states wishing to do the same, even if challenging for the experimental subjects.
Quote: "...Are you happy to be killed by terrorists ... or have your children exploited ... and freedom to encrypt means some people will pay dearly for that freedom"
False dichotomy!! Choose one of:
a) Allow encryption and get criminal behaviour
b) Ban encryption and eliminate criminal behaviour
Of course this is a completely false choice!! There will ALWAYS be criminal behaviour.....irrespective of the existence (or not) of encryption!!
Please try harder.....false dichotomies may appeal to some, but that does not stop them being both false and misleading!
What is there to stop two people who really wanted to communicate securely from creating identical one-time pads and manually (so the OTP is not on the device) encrypting everything they send through their backdoored service?
All they will ever be able to recover is a ciphertext still encrypted with a one-time pad, and having the property that every possible plaintext is equally plausible and equally likely.
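The property described in the two comments above (any plaintext is an equally valid decryption of a one-time-pad ciphertext), with the one rule that makes it hold, as an added example that is not from either commenter. The pad here comes from the OS CSPRNG for convenience; the comment's point is that the pad is generated and kept off the backdoored device, and the arithmetic is identical whatever the pad's source. The two demo messages are constructed.

```python
import secrets


def make_pad(length):
    """Pad bytes from a CSPRNG. Each byte must be used exactly once and the
    pad must be at least as long as everything ever sent under it."""
    return secrets.token_bytes(length)


def xor_bytes(a, b):
    """XOR two equal-length byte strings; with a one-time pad this is both
    encryption and decryption, since XOR is its own inverse."""
    if len(a) != len(b):
        raise ValueError("pad and message must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def pad_for(ciphertext, claimed_plaintext):
    """Perfect secrecy made concrete: for any candidate plaintext of the right
    length there is a pad that turns the ciphertext into it, so the ciphertext
    alone cannot single out the real message."""
    return xor_bytes(ciphertext, claimed_plaintext)


def two_time_pad_leak(c1, c2):
    """What goes wrong if a pad is reused: c1 ^ c2 == m1 ^ m2, and a known or
    guessed m1 then yields m2 directly. This is why the pad is one-time."""
    return xor_bytes(c1, c2)


def demo():
    """Round trip, the 'every plaintext is plausible' property, and the
    pad-reuse failure, each reported as a boolean."""
    message = b"meet at the old bridge"  # constructed sample message
    pad = make_pad(len(message))
    ciphertext = xor_bytes(message, pad)
    decrypted = xor_bytes(ciphertext, pad)
    # Any same-length plaintext is an equally valid 'decryption' under some pad.
    decoy = b"buy bread and milk now"  # constructed, same length as message
    decoy_pad = pad_for(ciphertext, decoy)
    # Pad reuse: the second message is exposed through the first.
    second_ct = xor_bytes(decoy, pad)  # same pad used twice (the mistake)
    recovered = xor_bytes(two_time_pad_leak(ciphertext, second_ct), message)
    return {
        "roundtrip_ok": decrypted == message,
        "decoy_decrypts": xor_bytes(ciphertext, decoy_pad) == decoy,
        "reuse_recovers_second": recovered == decoy,
    }


if __name__ == "__main__":
    print(demo())
```

The `pad_for` function is the interceptor's problem in one line: given only the ciphertext, a pad exists for "meet at the old bridge" and another for "buy bread and milk now", and nothing distinguishes them. The `two_time_pad_leak` function is the user's problem: reuse a single pad byte and that guarantee is gone.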
it's interesting how WE, the Plebs, can circumvent this, still potential, but soon to be actual law (summer time, good to bury the news). Perhaps linking a Signal account in a dual-SIM phone with a foreign SIM? But then, Signal would probably drop any connection from / to / via a UK IP address, so as not to be chased by the UK's courts. VPN? But then, surely 'They' would make it a crime to use / store / retrieve / look at / dream about 'any apps that do not comply with the SAFE INTERNETS-SAFE CHILDREN (SISC) legal requirements' anyway. The other day I read that it's already illegal to use / store / retrieve / look at / etc. 'certain types' of AI-generated content, so yes, such a development is also likely.
Hail free speech! hail privacy! hail Hitler! (isn't this phrase already banned?) Yes, yes, I know I sound trumpisty, but it seems there is some merit in their overall hysteria :(
The story was written in 1980 and the other articles and essays up to 1995
And f**k me sideways how much of the points raised and solutions suggested are still relevant close to 30 years later
You know, like charging for email sending with a crypto currency?
I need a drink. The same old stupidity over-and-over...and-over is too depressing.
They are like f**king cockroaches.
I saw Meredith Whittaker, of Signal fame, on C4 News this evening taking some Tory stooge to task over this. I’m now a little in love with this woman. She is awesome. When the Tory suggested Signal would not quit the UK if the law goes pear-shaped, she demanded to know if he was calling her a liar. And then she scolded him with his first name like she would when castigating a guilty child. Of course, the Tory had no real answer other than to carry on with his magical thinking.