UK admits 'spy clause' can't be used for scanning encrypted chat – it's not 'feasible'

Sanity appears to have prevailed in the debate over the UK's Online Safety Bill after the government agreed to ditch proposals – at least for the time being – to legislate the scanning of end-to-end encrypted messages. In response to questions regarding the technical feasibility of scanning securely encrypted messages and the …

  1. Mike 125

    "...draw a discreet veil over the devices with potential for surveillance supplied by large technology companies that people have indeed cheerfully installed in their houses."

    And in which they cheerfully drive around.

    I love it when politicians are *finally* forced to accept a scientific and mathematical truth.

    1. Dan 55 Silver badge

      ... until civil servants start pushing the same thing yet again about a year into a Labour government.

      1. Anonymous Coward

        While it's fun to blame civil servants I think in this case it's the politicians who want this... or at least want to publicly say 'Look at me, look at me. We beat down those nasty techies, even when they said it was impossible and now we're saving the children. Hoorah for us!'

        1. Dan 55 Silver badge

          Here's an example of a civil servant with a bee in his bonnet about something over something which happened about 15 years previously.

          1. NeilPost

            That seems like a particularly obscure and specious example and does nothing to support your point - you sound like JRM talking bollocks about ‘The Blob’.

            1. Dan 55 Silver badge

              "The Blob" is about civil servants frustrating government policy, this is not that.

              If you're unable to see that the arguments Cameron made about nobbling E2E encryption in the lead-up to the IPA 2016 are exactly the same as those made in the lead-up to the OSB, I can't help you any more. The policies aren't hand crafted each time, it's the same policy seven years later. Each time there's an attempt to put it into law, although each time it fails due to maths.

          2. sabroni Silver badge
            Boffin

            Upvoted by the hard of thinking. Not the pat on the back you think it is.

        2. Cliffwilliams44 Silver badge

          It is the Security State that wants this.

    2. Pascal Monett Silver badge

      They didn't "accept" anything. They're just waiting for it to be "technically feasible".

      Which proves that they don't understand that it is not feasible, technically or otherwise.

      This is just basic political maneuvering. Move the goalposts, look like you're doing something.

      1. Version 1.0 Silver badge

        So has AI been upgraded to start scanning encrypted messages? Maybe not yet, but next week probably.

        1. Wayland

          Logical fallacy of cracking encryption

          Unless there is a mathematical breakthrough (quantum?) then it is not possible to crack current encryption. Were it to become possible then that same mathematical breakthrough would again produce uncrackable encryption.

          1. Cliffwilliams44 Silver badge

            Re: Logical fallacy of cracking encryption

            They don't want to crack it, they want a government "back door" and they believed they can keep it safe. That's what the industry convinced them of, "that they cannot keep it safe"

            Once the global Fascist police state is implemented, they won't have to worry about "keeping it safe"!

          2. staringatclouds

            Re: Logical fallacy of cracking encryption

            So the police rock up to your door saying "Our AI powered decryption tool has decrypted your message & it says this 'some really nasty CSAM' so we're arresting you"

            You: "It says nothing of the sort"

            Police: "Prove it"

            1. Dr Dan Holdsworth
              Mushroom

              Re: Logical fallacy of cracking encryption

              To which you then say "Right then, we shall be having our day in court then, you and I" closely followed by the police getting sued for defamation of character, false arrest and so on.

              1. Elongated Muskrat Silver badge

                Re: Logical fallacy of cracking encryption

                Except that this "day in court" will be in a star chamber type court for "terrorists" due to "national security".

      2. Ken Hagan Gold badge

        I disagree. We can agree that any encryption that is scannable in this way is not fit for purpose and sane heads in government recognise this but cannot say so out loud for fear of angering the Daily Mail. Therefore ... they have come up with a formula that (to anyone with a clue) permanently rules it out but (to a DM reader) appears to rule it in as soon as possible. Everybody is happy.

        1. simonb_london

          Just checked a DM article about this subject from April and it would appear that both the article and the reader comments after it express the view that intercepting private communications is a bad idea. Just like the rest of us, really.

      3. JimboSmith

        They didn't "accept" anything. They're just waiting for it to be "technically feasible".

        Which proves that they don't understand that it is not feasible, technically or otherwise.

        This is just basic political maneuvering. Move the goalposts, look like you're doing something.

        My mum accepts that it isn’t technically feasible and she exceeds the age of most (Bill Cash MP excluded) Members of Parliament. I did have to explain why you couldn’t backdoor encryption but she got it very quickly. She’s no technology expert but understands the concept perfectly and is a WhatsApp user as well.

      4. StrangerHereMyself Silver badge

        No it isn't. This is just some foobar to get them out of a rock and a hard place. Although the threat still looms, they'll never dare to use it since the consequences will be dire: WhatsApp, Signal, Facebook Messenger and Apple's iMessage will become unavailable in the UK. This would enrage the British public and calls will be uttered for someone to be hanged.

        1. Anonymous Coward

          WhatsApp, Signal, Facebook Messenger and Apple's iMessage will become unavailable in the UK. This would enrage the British public and calls will be uttered for someone to be hanged.

          I think that would be called "Doing our nation a big bloody favour..."

      5. Cliffwilliams44 Silver badge

        Some of them know it is not "technically feasible".

        They are waiting for the time when they have the power to say "You will implement the back door, and you will make your app available where we tell you or we will confiscate your company and you will disappear!"

        Which already happened in China! (The model the western Leftist/Fascist want to replicate)

        1. Richard 12 Silver badge

          Though they haven't yet understood that the multinationals will simply finish their move across the Irish Sea, leaving nothing whatsoever for them to confiscate.

        2. parrot

          For clarity, do you mean to say all the left wing are fascists, or refer to some left wingers who demonstrably are?

          1. Elongated Muskrat Silver badge

            I think he either doesn't understand what leftism (i.e. socialism) is, what fascism (which is inherently far-right) is, or both. One of the first things H_____r did when he rose to power was to round up the socialists, alongside all the communists, trade-unionists, rival nationalist groups, and anyone vaguely non-aryan. This wasn't done in order to give them all an ice cream and a job.

    3. JimboSmith

      Yeah I’m sure if you quizzed politicians in two different ways you’d get two different responses. (With apologies to Anthony Jay and Jonathan Lynn)

      You ask your average MP

      Q1. Are you concerned about children in the modern society we live in?

      Yes of course

      Q2. Are you concerned that children are exposed to technology from an earlier age than ever before?

      Yes I’m concerned.

      Q3. Do you think this exposure is harming our young people?

      Yes I’m sure it is.

      Q4. Are you concerned that these applications are allowing the sexual exploitation of children in this country?

      Yes I’m concerned.

      Q5. Do you think that there should be more regulation of mobile applications in this country?

      Yes that’s appropriate.

      Q6. Do you support the government having the ability to check the content of anything sent by messaging apps to prevent kiddie porn being shared?

      Yes obviously.

      Of course you’re going to say yes to those because you care about (or want to be seen to be caring about) our young people (future voters).

      But if you ask set of questions 2

      Q1. Are you concerned about the rise of surveillance in this country we live in?

      Yes.

      Q2. Do you think this increase in surveillance is intrusive in our lives?

      Yes it’s a concern

      Q3. Do you feel we should have a right to privacy in this country?

      Yes we should.

      Q4. Are you concerned that we’re seeing more intrusions into our lives by the government and the security services?

      Yes that was made obvious by Edward Snowden

      Q5. Do you think that this intrusion is unwarranted and unjustified?

      Yes my communications with my constituents should be confidential.

      Q6. Do you support the current government having the ability to check the content of anything sent by you on messaging apps?

      No! that’s a step or even several steps too far.

      Easily done and the responses you supply are going to lead you to two answers to the final questions which are polar opposites.

      The original is on YouTube here and in quotes here

    4. Prichy
      FAIL

      Unfortunately I don't think they have accepted it, only that this cannot be done *yet*. They still don't seem to understand the fundamental contradiction of a _secure_ end-to-end encrypted service, and one that can be scanned if necessary (but of course only by the good guys).

      From a BBC article on the "U-turn": The Internet Watch Foundation - which finds, flags, and removes images and videos of child sexual abuse from the web said that in its opinion it was already technically feasible to scan encrypted messaging systems while preserving privacy. It said: "We know technologies exist, now, which can do this - with no more invasion of privacy than a virus guard or spam filter".

      So because they can find images on the web, they've just made some wild leap that the same can be done for E2E encryption; after all, it's all just the interweb-thingy, isn't it?

      The BBC article goes on to quote: "... [the Bill] will enable Ofcom to direct companies to either use, or make best efforts to develop or source, technology to identify and remove illegal child sexual abuse content - which we know can be developed," said a government spokesperson.

      So although they've conceded this cannot be forced this time around - they really still do not understand how fundamentally flawed/stupid what they're asking is :-(

      1. Cliffwilliams44 Silver badge

        It can be implemented but then it's not end-to-end encryption, it's end-to-middle-to-end encryption and they know this.

        That is the goal they want. Whether it is sold to the public as end-to-end or end-to-middle-to-end is the question.

        The government will surely want to lie about this, what is stopping them is the tech industry has no appetite for this lie, nor the appetite for the risk they would incur.

        They know it can be done because it's being done in China, but China doesn't have to lie, their people know they are being watched.

      2. Elongated Muskrat Silver badge

        You can have a virus scanner on your phone to protect you from "bad guys".

        You can have a "CSE" scanner on your phone to "protect" you from yourself. If this wasn't government-owned, we'd call it "spyware" and that virus scanner would remove it.

        Your averagely intelligent paedophile with any tech savvy will find ways to neuter such software or not have it installed in the first place. As would anyone else with any tech savvy.

        It would also breach articles 8, 9, and 10 of the European Convention on Human Rights. Of course, the same people pushing for this nonsense are the same people pushing for our human rights to be removed, so we can be more like Russia and Belarus.

      3. Anonymous Coward

        The IWF are fudging the truth. They're echoing what Apple said they were going to do, e.g. scan items before they're encrypted for transmission. Just remember that Apple was vilified for suggesting this.

    5. Anonymous Coward

      That headline is extremely misleading. Nothing has changed in the wording of the bill, and especially nothing has been "dropped".

      "If the appropriate technology does not exist that meets these requirements"

      In the government's minds it already exists, since Apple demonstrated it last year - and were in the process of rolling it out, but reversed that decision under public pressure.

      What they demonstrated was on-device scanning (pre or post sending), not breaking already-encrypted messages. The latter may be mathematically impossible; the former definitely is not.

      With this law, you can expect Apple to turn it on quietly in future iOS and macOS releases, along with similar from Google and Microsoft. At that point, your device (which you own) will be performing government-mandated scanning in the background, and reporting positive detections to the police.

      When your device is in the UK, then the law says it will only be scanning for kiddie porn - to start with anyway. If it's successful, I expect other forms of "serious crime" will follow in time.

      But you should also bear in mind that if you take your device abroad, it will be scanning for whatever the government in that country tells them to scan for. Are you LGBT? Do you have a document from an abortion clinic? You should be worried.

      This is the thin edge of an enormous wedgie.

      1. David Hicklin Bronze badge

        >> already exists, since Apple demonstrated it last year

        Not quite, Apple was going to scan what was stored on your phone before it got encrypted by the messaging app. This bill is about reading those encrypted messages.

    6. Tron Silver badge

      Distraction politics.

      They always knew it was impossible. But concerns over this have pulled attention from everything else in the Bill: the right to demand cash from GAFA for any upload they don't like, anywhere on the planet, financially breaking the Web 2.0 model, and other assorted acts of censorship.

    7. Anonymous Coward

      bit like the bee they had in their bonnet about online safety and porn the ludicrous idea of having to prove your age to access porn sites. We all knew it was utter bolloxs but they pressed on with it for ages before shelving the idea. Utterly clueless, still this is what you get when a large proportion of those in government did PPE rather than any form of science

  2. Andy The Hat Silver badge

    If they (set A: HMGov scanning only for the public good and not for snooping) can decrypt it then they (set B: any.body potentially decrypting it, certainly not for the public good and definitely for snooping).

    When does set(a) intersect with set(b), who is in that intersection and who controls them?

    1. Martin-73 Silver badge

      Set A is congruent with set B, inasmuch that set A is fully included in set B. I wouldn't trust the government as far as I could throw them. And as for 'won't someone think of the children'.... no, that's perverted

    2. Wayland

      If it does become crackable then they will have to keep it a secret or it will simply be secured again.

  3. Dr Paul Taylor

    No one would ever willingly let a complete stranger read all of your mail

    But they do!

    Increasingly nowadays I send URLs with /private/ and /drafts/, which are "Disallow:"ed in my robots.txt, but then find them in my logs accessed by Microsoft, Amazon, Google, Apple, etc, or obfuscated into "safe" links.

    These things have been explicitly enabled in the recipients' handling of incoming email. Or more likely by their pointy-haired Boss.

    Anybody know of a way of blocking such accesses on a website?

    1. Zippy´s Sausage Factory

      Re: No one would ever willingly let a complete stranger read all of your mail

      I suppose you could implement filtering by IP range or browser agent, or maybe both? Or perhaps password protect those sections? But that'll depend on what tools your web host provides I guess.

    2. Jellied Eel Silver badge

      Re: No one would ever willingly let a complete stranger read all of your mail

      Anybody know of a way of blocking such accesses on a website?

      I suspect the only viable solution is a very good lawyer and a very large stick. I also suspect the reason why this legislation is being walked back a bit is because law enforcement and security services can compel 'wire taps' already from Big Tech. Alternatively, just define messenger app providers as Communications Service Providers, and add them into the mix that are compelled to provide lawful intercept capabilities under national Communications Act(s).

      Biggest challenge is that doesn't allow bulk collection, but the FANGS already have that covered. Their marketing will tell you that your messages are encrypted, but only after their OS has taken a peek and/or copy.

    3. Geoff Campbell Silver badge
      Boffin

      Re: No one would ever willingly let a complete stranger read all of your mail

      If it's a private internal site, keep it private and internal. Set it up on a local web server, with access for people on the internal network. Remote access via VPN if required.

      GJC

    4. Jamie Jones Silver badge

      Re: No one would ever willingly let a complete stranger read all of your mail

      Putting "/private" etc. into robots.txt is akin to sticking a sign on your front lawn saying "Don't steal my diamonds when I'm out all day every Monday".

      Blocking by IP is almost as flakey.

      If you are unable to have proper protection on the content, at least just whitelist known safe addresses (and not the whole dynamic range of an ISP!)

      All major webserving software allows you to restrict URLs to a user/password without needing to do any HTML or coding.
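
An added example, not part of the thread or any commenter's code: a Python log audit for the situation described above, listing which clients fetched paths that robots.txt merely asks crawlers to avoid, and whether the server actually served them (2xx) or refused (e.g. 401 once password protection is in place). The robots.txt content, log lines, addresses and agent names are constructed samples, and robots.txt matching is simplified to plain path prefixes across all groups.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed robots.txt mirroring the /private/ and /drafts/ rules in the thread.
ROBOTS_TXT = """\
User-agent: *
Disallow: /private/   # advisory only: nothing enforces this
Disallow: /drafts/
"""

# Constructed Combined Log Format lines (documentation IP ranges, made-up agents).
ACCESS_LOG = """\
192.0.2.10 - - [08/Sep/2023:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [08/Sep/2023:10:02:11 +0000] "GET /private/report.pdf HTTP/1.1" 200 88211 "-" "ExampleMailLinkScanner/1.0"
198.51.100.7 - - [08/Sep/2023:10:02:12 +0000] "GET /drafts/talk.html HTTP/1.1" 401 381 "-" "ExampleMailLinkScanner/1.0"
203.0.113.44 - - [08/Sep/2023:10:05:40 +0000] "GET /private/ HTTP/1.1" 200 902 "-" "ExamplePreviewBot/2.3"
203.0.113.44 - - [08/Sep/2023:10:05:41 +0000] "GET /privateer.html HTTP/1.1" 200 1200 "-" "ExamplePreviewBot/2.3"
192.0.2.99 - - [08/Sep/2023:10:07:00 +0000] "GET /%70rivate/notes.txt?x=1 HTTP/1.1" 200 300 "-" "ExampleFetcher/0.1"
this line is not a valid log entry
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def disallowed_prefixes(robots_txt):
    """Return every non-empty Disallow path, ignoring comments and other directives."""
    prefixes = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            prefixes.append(value.strip())
    return prefixes


def audit(robots_txt, access_log):
    """Map (ip, user agent) -> list of (path, status) for requests under a Disallow prefix."""
    prefixes = disallowed_prefixes(robots_txt)
    findings = defaultdict(list)
    for line in access_log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at their content
        # Drop the query string and decode %xx so "/%70rivate/" is seen as "/private/".
        path = unquote(m["path"].split("?", 1)[0])
        if any(path.startswith(p) for p in prefixes):
            findings[(m["ip"], m["agent"])].append((path, int(m["status"])))
    return dict(findings)


def exposed_paths(findings):
    """Disallowed paths that were actually served (2xx), i.e. not access-controlled."""
    return sorted({path for hits in findings.values()
                   for path, status in hits if 200 <= status < 300})


if __name__ == "__main__":
    results = audit(ROBOTS_TXT, ACCESS_LOG)
    for (ip, agent), hits in results.items():
        for path, status in hits:
            state = "SERVED" if 200 <= status < 300 else "refused"
            print(f"{ip:15} {agent:28} {status} {state:8} {path}")
    print("Needs real access control:", exposed_paths(results))
```
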

    5. Mike007 Silver badge

      Re: No one would ever willingly let a complete stranger read all of your mail

      We use a program called ScreenConnect (not using its new name!) to access client devices. One of the features is the ability to install the client by sending a link to an exe file which auto installs everything.

      We had a client working in a clandestine project and we set up a separate silo for the computers on the project. Then I noticed we had a "ghost" computer showing up on the system under that company's details. Windows 7 with the iffiest looking desktop ever. It came online and registered itself then disappeared.

      We had a 3 hour long all-hands meeting trying to figure out how we had been compromised. Then someone tried re-sending the install link to the client, and a second ghost computer showed up. It seems the o364 email filtering has an antivirus scan that involves spinning up a VM and executing the file...

      1. Killfalcon

        Re: No one would ever willingly let a complete stranger read all of your mail

        Sounds like something that could make the bones of a decent DefCon talk, to be honest.

        1. Mike007 Silver badge

          Re: No one would ever willingly let a complete stranger read all of your mail

          There were some interesting things like the OS reporting as either Windows 7 or windows 10 test edition which raised an eyebrow, because I'd just make my malware only run on Windows home or pro and it would never get detected by their scanners... but not enough interesting material for a whole talk.

  4. Dr Dan Holdsworth
    Mushroom

    To be honest I think that this Bill should be preserved as it is forever more, not because it might be useful but more as a warning from the past as to just how bloody stupid politicians can actually be.

    The American NSA have built a similar monument to stupidity, namely an enormous disk farm wherein encrypted communications that they want to decrypt and which might possibly be decrypted in the dim and distant future are stored against that forlorn and frankly laughable day.

  5. Headley_Grange Silver badge

    Not sure I understand this.

    I read about this yesterday and didn't see it in such a positive light. My reading is that the scanning doesn't have to be of the encrypted message, just the message before it's encrypted and sent - similar to the system Apple proposed a couple of years ago. If I'm right the gov. can pass this law, then write scanning code, licence it as an approved technology then mandate its incorporation into the messaging apps. If (somehow, maybe by using some of those stocks of unobtanium they have) they can do this without sending any elements of the pre-encrypted message online for processing, then the encryption argument goes away, debatably. Find a way to vault dodgy looking messages on the device so they can't be deleted and send the cops round to check them (which could become a sport in its own right).

    Or maybe I've just not understood.

    1. Mishak Silver badge

      Re: Not sure I understand this.

      Similarly, what does "only where technically feasible" actually mean? Is breaking into the end-to-end encryption chain not "technically feasible"?

      There were no words to say that any scanning had to meet minimum levels of security (which would render it "technically infeasible").

      I'm not convinced this isn't just subterfuge to get the bill passed in a form that allows the original intent to be enforced.

      1. Anonymous Coward

        Re: Not sure I understand this.

        I'm not convinced this isn't just subterfuge to get the bill passed in a form that allows the original intent to be enforced.

        But haven't all the major tech firms promised to withdraw from the UK market if they're forced to break encryption? Money talks, especially so for politicians, so I'd imagine this threat will act to stymie the legislation in perpetuity.

      2. R Soul Silver badge

        Only where technically feasible

        Similarly, what does "only where technically feasible" actually mean? Is breaking into the end-to-end encryption chain not "technically feasible"?

        It means precisely what it says. Snooping will begin once it becomes technically feasible to break properly implemented end-to-end crypto: ie never. Well, OK - not until quantum computers eventually form Skynet to enslave humanity and take over the world. However for the "won't someone think of the children?" dimwits "only where technically feasible" suggests snooping won't be far away because the boffins are just about to make it happen.

        The soundbite is a nicely crafted bit of Whitehall ambiguity. We'll snoop once it becomes possible has the obvious meaning for the clueful who know this isn't going to happen without earth-shattering breakthroughs in crypto and/or computing. Which are unlikely. For the morons, it means snooping will happen around the time the next version of an iPhone comes out. Which the clueful realise is not going to break E2E crypto. And the clueless don't. Because they lack clue.

        Result: everybody's happy because both sides think they've won. But only one of them has actually won.

        1. Wayland

          Re: Only where technically feasible

          If the government can find a way of accessing the message before encryption or of having a master key then they will bring that into law. They could require that all messages get CC'd to their spy server.

      3. Wayland

        Re: Not sure I understand this.

        You mean they could mandate breakable encryption? There was once a drive to have all encryption keys held by the government.

        1. Dr Dan Holdsworth
          Boffin

          Re: Not sure I understand this.

          It is quite possible to mandate breakable encryption. All that happens is that people layer in non-breakable encryption and "encrypt" the already-crypted message with the broken Government rubbish. This doesn't even need to be electronic in nature; a random one-time pad hand-written using a top copy and a literal carbon paper copy underneath would allow two individuals to communicate entirely securely even with known-broken Government encryption.

          Moreover, if you know the Government encryption is broken, you simply do not use it. Instead you post your crypt-text onto public forums like Usenet News; everyone can see it but only the recipient can decrypt it.

    2. Excused Boots Bronze badge

      Re: Not sure I understand this.

      It’s a fair enough comment but consider this.

      Assume, for argument’s sake, that Apple’s iMessage system is designed to be truly end to end encrypted, ie the encryption, decryption, key exchange etc. all happens on the device(s) themselves. Also, let’s assume that it has been properly done and there are no (reasonable) exploitable weaknesses in the process. Well then any government, including the UK’s, can issue whatever legal (wire tap) orders they like, Apple*, in this case, simply cannot comply, it’s just not possible to do so. No more than if a High Court Judge orders you to flap your arms and fly!

      So furthermore suppose, as you say, that the government write said scanning code, what then? They say to Apple, ‘right we insist that you include this secret code in the next version of iOS, oh and by the way, if you do this then every other government on the planet is queuing up to demand similar, except of course, for some regimes, they may have different priorities as to what to scan for, in some places, being gay is equivalent to being a bloodthirsty terrorist!

      So what do you think Apple would do, roll over, or simply say something along the lines of ‘screw you Stella**, the very first time we receive such an order, we are completely pulling out of the UK market, and will go out of our way to make sure that everyone knows why? Let us know when you have decided to back down’!

      * and I only use Apple as an example because they have made a very, very public display of being privacy minded to their end users. The principle applies to every other operator out there.

      ** Insert name of the next Home Secretary here!

  6. alain williams Silver badge

    Scanning just hurts the innocent

    who risk having legitimate communications intercepted and undesirable things done with them.

    The real undesirables will just use an unbreakable encryption mechanism - regardless of how outlawed this is.

    1. Jason Hindle Silver badge

      Re: Scanning just hurts the innocent

      Erm, yes and no. Useless for things like spying and terrorism - you can hide a paragraph inside a misplaced apostrophe in a thankyou message for last night's lovely meal. OTOH, some people really are thick enough to send illegal pr0nographic images using the likes of WhatsApp, Signal and Telegram. Tracking those down is fine in principle, but when I hear the tub-thumping, populist rantings of some of our politicians (I'm looking at you Cruella Braverman) I'm thinking I really don't want them to have that power.

  7. Pascal Monett Silver badge
    Facepalm

    Scanning has no use - no need to wait for feasible

    Did I miss something ? Didn't we just have an article proving that not backdooring encryption does not prevent the law from doing its job ?

    Can someone please take a cluebat and beat some sense into these people ?

    I'd pay to see that.

    1. Cliffwilliams44 Silver badge

      Re: Scanning has no use - no need to wait for feasible

      This is because they don't want to do real police work. Like infiltrating the kiddy porn rings and actually finding them and developing a real case against them.

      But this has nothing to do with kiddy porn really, it has everything to do with tracking down their political enemies and eliminating them.

      1. Anonymous Coward

        Re: Scanning has no use - no need to wait for feasible

        Here's something else to think about: what about non-offending paedophiles?

        We know that the rate of paedophilia in the population has been constant for a very long time. Therefore there will be a very small percentage of the population whose sexual recognition is profoundly broken. Of these people, only a tiny minority ever actually offend. Most just stay silent and suffer desires they cannot act on; every year there are a number of otherwise unexplainable suicides which may be paedophiles who have simply had enough of life in general.

        How's about setting up a screening service that filters out people seeking androgen-blockers for nefarious purposes and allows the remainder to effectively switch off their sex drive for whatever reason they have chosen, no questions asked. That then takes a load of potential paedophile offenders out of the market for such material, and that then reduces the demand and thus the financial reward for such material.

        That's how illegal anything gets stopped: you reduce the demand for it first and then a lot of the distributors find it simply doesn't pay to carry on.

  8. Evil Scot Bronze badge

    Let us replace "Back Door" with "Fire Door"

    The BBC did a good story on how the Big Social Media sites were used for grooming.

    (A well researched story in MSM????)

    Basically victims were invited onto another platform to share images. Platforms which are obviously outside of the law.

    The "fire door" would be a means of submitting a conversation to the correct authorities where the messages are signed as from the sender or senders device.

    1. cyberdemon Silver badge
      Holmes

      Re: Let us replace "Back Door" with "Fire Door"

      This already exists and works very well. E.g. WhatsApp's "report conversation" feature, and CEOP's Panic Button.

  9. DJO Silver badge

    Whitewash?

    Is this some sneaky deflection?

    Anybody in intelligence will tell you (possibly only when under duress) that the metadata is often the most useful thing - who contacted whom and when and how often is very revealing and is easy to automate most of the drudge work.

    Actually going through a zillion messages is much harder to automate so would require improbable staffing levels to do properly, of course if they only use it on specified targets then it's easier but there are already laws in place that can be applied to suspects where there is adequate probable cause to convince a judge to issue a warrant.

    1. StrangerHereMyself Silver badge

      Re: Whitewash?

      No this is BS. You can't prosecute anyone on metadata. At best metadata will give you some clues WHERE to look. It won't give you hard evidence.

      1. Anonymous Coward

        Re: Whitewash?

        > You can't prosecute anyone on metadata

        That is not what most episodes of Vera (other, lesser, police procedurals are available) indicate.

        They keep on pulling phone records (i.e. metadata) and using it to prove that A did know B well before the murder happened, or that A was not on the phone to C because C was on the phone to D at the time, thereby ruining the alibi.

      2. DJO Silver badge

        Re: Whitewash?

        Golly, you better tell the intelligence services all over the world that.

        Actually as far as they are concerned "prosecuting" through the civil legal framework has never been a particularly high priority, they have other ways of dealing with people and they do not want their operatives to have to give evidence in open court.

        During WWII during the periods when we were unable to decrypt the Enigma messages the metadata (or "routing") was still used to good effect. - If Axis command is suddenly sending a lot of messages to a previously quiescent location it's a fair bet something is going to happen there soon.

  10. Anonymous Coward
    Anonymous Coward

    When it becomes possible

    May I suggest a few more laws:

    1. When you get a time machine, kill Hitler.

    2. All perpetual motion machines must be connected to the National Grid and used for public good.

    3. When you can bring back the dead, it must be conducted in an orderly manner and in strict reverse order of death year.

    4. No telepathy without proper consent.

    5. Faster than light drives must be launched from Birmingham. No FTL is allowed to be launched near London.

    1. RockBurner

      Re: When it becomes possible

      Define "near".

      (in the context of FTL drives, London is slap-bang next to Tokyo, or any other residential area on this little blue dot).

    2. DJO Silver badge

      Re: When it becomes possible

      While he was undoubtedly an evil piece of shit the argument for strangling him at birth is mixed.

      Germany was racing to WWII anyway due largely to resentment of the Treaty of Versailles - with Hitler we got the Holocaust and a military failure, without Hitler we would probably have been spared the Holocaust but with a competent military leader Germany could easily have been victorious.

      1. Ken Hagan Gold badge

        Re: When it becomes possible

        "without Hitler we would probably have been spared the Holocaust"

        Not so sure. There was (and is) a lot of anti-semitism about. Also, the various European empires of Russia, Austria-Hungary and Germany had the side effect of suppressing a general fear/distrust/dislike of neighbours, which was suddenly unleashed when those empires were replaced with a load of smaller states, each of which had a clear local majority and a patchwork of minorities "on their turf" for historical reasons. Some degree of ethnic cleansing was almost inevitable. We see it even now almost anywhere where a large state breaks up. We also see the reverse effect where two antagonistic groups join a much larger body and have to abide by its rules.

    3. G.Y.

      Re: When it becomes possible

      I believe China makes it illegal to reincarnate without party permission; ask the Dalai Lama

    4. Cliffwilliams44 Silver badge

      Re: When it becomes possible

      1. A robot must never harm a human, or through inaction allow a human to come to harm.

      2. A robot must always obey the orders of humans except where to do so would conflict with obeying the first law.

      3. A robot must protect its own existence, except where to do so would conflict with the first or second laws.

      These worked out so well.

      1. DJO Silver badge

        Re: When it becomes possible

        The 3 laws were amended to 4 laws by R. Daneel Olivaw aka Eto Demerzel with the addition of the “Zeroth Law” – “A robot may not harm humanity, or, by inaction, allow humanity to come to harm.” and the original 3 were amended with "except where such orders would conflict with the Zeroth Law"

        But for your premise, even with the additional law it didn't work out too well for the meatbags. (I recently bought a new eink reader and to test it I ploughed through the entire Foundation series so it's all fresh - I then looked at the Foundation TV show which is extremely loosely based on a short synopsis of the books - OK as random SF but a lousy adaptation of Asimov's vision).

        I think Pratchett had a more logical approach than Asimov with the Golem chem: "A golem may not injure a human being or, through inaction, allow a human being to come to harm...unless instructed to do so by duly constituted authority."

        1. nonpc

          Re: When it becomes possible

          So ultimately when it is recognised that the biggest risk to humanity is humanity itself, our toys get taken away from us and we live in an AI driven care universe?

  11. Anonymous Coward
    Anonymous Coward

    About those bad guys......

    Matthew Hodgson, CEO of Element, said: "The government saying 'no scanning until it's technically feasible' is nonsense. Scanning is fundamentally incompatible with end-to-end encrypted messaging apps."

    Note the assumption: We (the lawmakers) ASSUME that the only encryption in use is that supplied by interweb service providers.

    Suppose I and my friends are encrypting everything BEFORE anything enters an interweb service. So (GCHQ, NSA).....scan away to your heart's content.

    We quite like D/H and TRIPLE chacha20 before anything is sent on the interweb. In our particular case scanning isn't "fundamentally incompatible" with anything at all!

    .......and how many REALLY BAD GUYS will be doing just what we are doing?

    1. nijam Silver badge

      Re: About those bad guys......

      > Scanning is fundamentally incompatible with end-to-end encrypted messaging apps.

      Scanning is fundamentally incompatible with security.

    2. KittenHuffer Silver badge
      Joke

      Re: About those bad guys......

      I already use ROT13 for just that purpose!

      But your point is good so I think I will double up my encryption to add another layer of security.

      1. suferick

        Re: About those bad guys......

        I'm twice as secure - I use ROT26

      2. Anonymous Coward
        Anonymous Coward

        Re: About those bad guys......

        jul qb lbh abg shpx bss naq naabl fbzrbar ryfr

  12. StrangerHereMyself Silver badge

    Dead

    So the Online Safety Bill (OSB) is effectively dead? I find it disconcerting that they're now downgrading the scanning of CP to "best effort" at the very last moment. They should've simply scrapped the text regarding client-side scanning and saved themselves a whole lot of hassle and poohah.

    I suppose the outlook of WhatsApp and Apple leaving the UK market was frightening even to MPs, who feared an uprising by their constituents.

    1. Adrian 4

      Re: Dead

      No, they're frightened of having to stop using them themselves, instead having to use a proper verified email system that's open to their party whips and future investigations.

      1. G40

        Re: Dead

        They’ve only just realised the bill refers to their WhatsApp…

    2. R Soul Silver badge

      Re: Dead

      > I suppose the outlook of WhatsApp and Apple leaving the UK market was frightening even to MPs, who feared an uprising by their constituents.

      Has anyone ever found an MP who gives a shit about what their constituents think?

  13. Greybearded old scrote
    Facepalm

    No use at all

    So they are making the snooping clause law, but promising not to try to use it.

    Anybody know of something shorter lived than a politician's promise? I'm coming up blank.

    P.S. There's a severe danger that I might wear out your facepalm icon.

    1. R Soul Silver badge

      > Anybody know of something shorter lived than a politician's promise?

      1) The uptime of Beardienet

      2) An extended warranty from Dixons

      3) The Liz Truss administration

      4) A money back guarantee from Ryanair

      5) Man Utd's hope of winning the Premier League

      6) The career of anyone winning X Factor/Britain's Got Talent/Bake Off/etc

      7) The interval between two Donald Trump lies

      8) A free pint in a Glasgow pub

      9) A Britney Spears marriage

      10) Any Microsoft patch install

  14. DS999 Silver badge

    They had no choice but to cave

    They are not the EU, they can't let their market size push tech companies to do their will. Not that I think even the EU could push this through, but they can make the tech companies dance far more than the UK can.

  15. TheMaskedMan Silver badge

    "they can't let their market size push tech companies to do their will."

    Which, in this case, would seem to be a good thing.

    Yet I remain uneasy. It has the appearance of a masterful piece of diplomatic flannel in which politicians save face and tech companies don't get to crow too much about being right, but that law will still be enacted.

    The demand for such a thing has been present for years, and it isn't going to go away. With the law on the statute books, those who want it are within sniffing distance of their dream. I can't help thinking they have something in mind to get them over the finish line.

    1. Graham Cobb Silver badge

      Yes. It needs to be removed from the law altogether. After all, when the technology unicorns arrive and solve the minor technical issues, they will be able to add it in a new bill.

      As it stands, it is still up to Ofcom to issue the regulation. By leaving it in the law, they just need to appoint a compliant head for Ofcom and have them issue the instruction. If it all falls apart they blame their stooge at Ofcom and try again 1 year later with a new stooge. There are plenty of people willing to be such a stooge for enough money (and the contacts & favours owed by even running Ofcom just for 1 year).

    2. Cliffwilliams44 Silver badge

      And the clause in the law will allow them to generate the funding to fund the Security State's research into solving the problem.

      Will it solve the problem, who knows, but it will also fund a lot of the other nasty things they want to do.

  16. Adam Inistrator

    HTTPS is end to end encrypted Web pages to allow private communications. Does the government propose snooping on our communication with our banks? Human stupidity is boundless.

    1. Cliffwilliams44 Silver badge

      The answer to your question is: YES

  17. Cliffwilliams44 Silver badge

    Why would the international cabal of pedophiles actually want to "protect the children" when they are passing laws to allow the grooming and mutilation of children.

    This is all about finding and identifying the "enemies of the state" so they can round them up and silence them.

    Does anyone really believe a Fascist state like Canada would use such technology to "protect the children"?

  18. plasticbrush

    There are two main angles to this. The first is the breaking/backdooring encryption for the good guys only, this is something which is very definitely not technically possible. The other is the client side scanning issue, this to me is more worrying.

    Using CSS we can compare a hash to an existing blacklist already. What we can't do is check for minor changes such as altering one pixel. It is very likely that AI could be trained to flag high probability CSE material although it probably wouldn't be able to run on the client device. So now you have a situation where I want to send image X to someone, I attach it to WhatsApp (or another app) which goes on to compute a hash for said image and compare it to the online blacklist, it comes back as not matching any known CSE material, to make sure, the image is then uploaded to some portal somewhere where an AI instance can scan it to determine if it might be dodgy. So removing the client-side bit from client side scanning.

    Under this law the UK could conceivably mandate that all communications software make use of the new UK AI assisted scanning system. It could even be reinforced with laws making it illegal to send electronic communications using non-(UK)compliant communications software.

    There is a rabbit warren of holes in the above proposal, AI accuracy, Redress against false positives, Opensource software, Mission creep (CSE today, Homosexuality tomorrow), and finally the simple fact that there is no privacy with such a system.
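
The hash-against-blocklist comparison described in the comment above, as an added example that is not part of the thread: an exact SHA-256 lookup next to a toy perceptual (average) hash, the class of technique built to tolerate small edits. The test images, the 8x8 grid and the distance threshold of 5 are constructed assumptions for illustration, not any real scanning system's parameters.

```python
import hashlib

def gradient(horizontal=True, size=32):
    """Constructed 8-bit grayscale test image, as a list of pixel rows."""
    if horizontal:
        return [[40 + 5 * x + y % 3 for x in range(size)] for y in range(size)]
    return [[40 + 5 * y + x % 3 for x in range(size)] for y in range(size)]

def exact_hash(img):
    """Cryptographic hash of the raw pixels: any change gives a new digest."""
    return hashlib.sha256(bytes(p for row in img for p in row)).hexdigest()

def average_hash(img, grid=8):
    """Toy perceptual hash: block-average down to grid x grid cells, then
    emit one bit per cell (1 if the cell is brighter than the mean cell)."""
    step = len(img) // grid
    cells = []
    for gy in range(grid):
        for gx in range(grid):
            block = [img[y][x]
                     for y in range(gy * step, (gy + 1) * step)
                     for x in range(gx * step, (gx + 1) * step)]
            cells.append(sum(block) / len(block))
    mean = sum(cells) / len(cells)
    bits = 0
    for c in cells:
        bits = (bits << 1) | int(c > mean)
    return bits

def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")

def check(img, known_exact, known_perceptual, max_distance=5):
    """Return (exact_match, perceptual_match) against a list of known images.
    max_distance is an assumed threshold chosen for this example."""
    exact = exact_hash(img) in known_exact
    near = any(hamming(average_hash(img), k) <= max_distance
               for k in known_perceptual)
    return exact, near

# Constructed sample data: one "known" image, a copy with a single pixel
# changed by one grey level, and an unrelated image.
known = gradient()
known_exact = {exact_hash(known)}
known_perceptual = [average_hash(known)]
altered = [row[:] for row in known]
altered[10][10] ^= 1
unrelated = gradient(horizontal=False)

if __name__ == "__main__":
    for name, img in [("known", known), ("one pixel altered", altered),
                      ("unrelated", unrelated)]:
        print(name, check(img, known_exact, known_perceptual))
```

A looser threshold matches more edited copies but also more unrelated images, which is where the accuracy and redress questions listed in the comment come from.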

  19. arobertson1

    Smoke and Mirrors!

    You do not need to crack the encryption or read it in transit - you merely need to know the phone number and use SS7 to gain access to the phone. Once you have access you can just read the messages in plain text as the phone has the keys to decrypt the messages.

    All phones are back-doored - if the phone can do it, then they can do it. No amount of encryption, firewalls, permissions, domain blocking etc. will stop this. Your messaging apps, social media, SMS, contacts and photos etc. are all easily viewed remotely. Why exactly do you need to break the encryption in transit?

    Sim Toolkit exists even with eSIMs, and combined with S@T Browser has access to your phone. Compatibility Test Suite can download “updates” to your phone and modify the phone temporarily in order to gain access. The same is true with the Dynamic System Installation Service. Managed Provisioning can remote control the phone. Maybe Opportunistic Network Services could connect your phone with my phone for access, or perhaps a buffer overflow bug in MMS could trigger code execution. Perhaps you use a predictive text service that checks the spelling by sending everything you type to a remote server to be “spell checked”. Or maybe you just use plain old WAP from yester-year which still exists today to modify ring tones on your phone or more likely install apks or shell code. Or maybe just push an “update” specifically for your phone over the air. I mean nobody is going to take the digital signal processor, pipe it to netcat going to a server and listen in on the phone, are they? What, even when you’re not using it? While you’re at it you might use the Easter Egg apk to modify the system permissions and send the print spooler all those supposedly encrypted files to an online “print service”.

    This is all smoke and mirrors much like you having to download an app that uses bluetooth to determine whether someone with covid was too close to you for an extended period of time. The phone companies already store all the data with triangulation - there was no need for a covid app, but that would bring too much attention to the data being collected on you every day. How do you think you can make uninterrupted phone calls while travelling - you’re connected to several towers at the same time and the strongest signal is selected. This allows accurate triangulation down to a square metre. See - no covid app was required, just like breaking end to end encryption isn’t required either. All your phones are open books in many, many ways.

    1. Anonymous Coward
      Anonymous Coward

      Re: Smoke and Mirrors!

      Quote: "....This is all smoke and mirrors ...."

      ....except for those of us who don't use smartphones....and don't use the mobile phone network for broadband.....

      Yup.....smoke and mirrors for all those other folk!

  20. Winkypop Silver badge
    Alert

    That square peg

    No matter the beating, just won’t fit into the round hole.

    1. TheMaskedMan Silver badge

      Re: That square peg

      "No matter the beating, just won’t fit into the round hole."

      To which the obvious (to a politician) solution is a bigger hammer. They are no doubt rummaging in their legislative toolbox even now.
