Signal will withdraw from Sweden if encryption-busting laws take effect Signal CEO Meredith Whittaker says her company will withdraw from countries that force messaging providers to allow law enforcement officials to access encrypted user data, as Sweden continues to mull such plans. Whittaker said Signal intends to exit Sweden should its government amend existing legislation essentially mandating …
Sounds like "We don't care about the laws of mathematics, the laws of [insert country here] take precedence."
In the case of the UK, if "our brightest and best" work for GCHQ, why don't they break the encryption (answers on a postcard, please); if they don't work for GCHQ, why not?
"why don't they break the encryption"
They probably already have given "popular" forms of encryption are designed by NSA or former NSA employees. They will never publicly admit that, of course. They are just covering themselves for the future when someone comes up with something they can't get into.
https://www.bis.doc.gov/index.php/policy-guidance/encryption
Be very afraid of any government trying to see what you don't want them to. It's the end of democracy.
Imagine, just for a second, if in the early 1990's, the regulations regarding allowing access for the security services to wiretap telephone switches in the UK had been extended to electronic communications at that point in time. We'd live in a totally different world...
The UK had that right and it was easy to access the data as most things were in plaintext. It was only by the mid 2010s after Snowden that encryption became a problem and other laws were necessary.
Well, sort of.
It makes maths for pretty much anything except drawing circles a lot more difficult, because integers cease to exist as a concept, unless defined as a ratio of the radius of a circle to it's circumference... In the simplest possible terms, "One" apple is a difficult concept, because it would be slightly more than a single apple.
According to the BBC, the Minister of State for Security, Dan Jarvis, said: "What I can say is that the suggestion that privacy and security are at odds is not correct; we can and must have both."
So clearly, the laws of mathematics do need to be repealed.
https://www.bbc.com/news/articles/c1kjmddx2nzo
If GCHQ are interested in you enough to want to eavesdrop on your comms, and you don't have the resources of a nation state behind you, you are essentially f***ed. This is about catching things in the dragnet rather than highly targeted, people-heavy surveillance and intelligence work.
And who is to say that at least one of the big agencies around the world hasn't already fatally compromised your encryption method of choice? It wouldn't be the first time. There's a reason the likes of NSA and GCHQ employ so many mathematicians and practical physicists. RSA had already been invented by GCHQ in 1973 years before Rivest, Shamir & Adleman got around to it, a fact which only became public knowledge in 1997.
It's not a maths problem.
There's no need to create a third key, you just copy the users private key at the time of creation and hand it over when required.
Now, I think this is a terrible idea. I'm not defending it. But you can't win this battle using motte and bailey arguments.
I see, you didn't understand how the process works.
When your device picks it's secret number it can simply share that with apple, gov, whoever, along with the large prime.
As I said, there's absolutely no need for a third number to work here.
If you still don't get it, post your private key on the internet and see what happens. Same thing.
I understand how key escrow works (or rather - how it is meant to work). My point was that the determined user has options that mean that intermediatories do not get the opportunity to see the private key.
If you rely on the intermediatory's off-the-shelf application to do all your key set-up then, yes, this could include an escrow facility.
Time and time again, the Swedish government has excused large scale Internet data collection and retention by saying it is only used for serious crimes. Once they got people to swallow that excuse, they immediately started using the data to detect and prosecute crimes which are trivial in nature. The current Swedish data collection regime has been declared as illegal according to the ECJ, but nothing has been done to force Sweden to stop what they are currently doing.
Obviously emboldened by the ECJ's lack of enforcement action, now they are going after all E2EE services.
Shame on the ECJ for not demanding that the Swedish government respects the right to privacy!
If the currently tabled laws are passed by parliament, Swedish citizens will be even more treated as suspected criminals without any evidence to support that. They will lose their right to have a private conversation and the criminals will simply switch to using E2EE messaging applications which the Swedes cannot make demands upon. Honest people lose and the real criminals will be unaffected.
Sadly, this is pretty much standard operating procedure for Sweden's politicians.
"Swedish government respects the right to privacy!"
I was quite surprised when watching "The Are Murderers" on Netflix when the cop went to a school (following the murder of one of the students) and told everybody to write their password on a post-it, stick it to their phone, and then pop their phone into a bag for the local police to trawl through supposedly to look for evidence that might help them catch the culprit. I mean, WTactualF?
No government or globalist entity wants privacy for thee and me!
It's a game, you get prosecuted for breaking the law, they don't. When will people notice how the judiciary has become captured, i.e., compromised by the state? At the moment the state has to pretend there is equality in law, soon it will stop bothering.
“Conservatism consists of exactly one proposition, to wit: There must be in-groups whom the law protects but does not bind, alongside out-groups whom the law binds but does not protect. There is nothing more or else to it, and there never has been, in any place or time.”
- Frank Wilhoit
Saying "We like encryption so leave it alone" isn't going to be effective against the 'think of the children'-types. I think a better strategy is to point out that encryption protocols have been open source for decades and criminals can just encrypt their nefarious contents before sending it. Breaking encryption will only make the law abiding less secure, not the criminals.
The problem is that the powers that be see the general public as guilty of something, they just havent figured out or outlawed what it is though.....yet
Seems they are a big fan of ayn rand and have wholeheartedly went for the whole create vague and indecipherable laws so that no one can stay on the right side of the law
Seeing how the US is changing now is a great demonstration of why these draconian laws are such a liability for us as citizens - each authoritarian law, no matter how well-meaning it may be when it is created - is a stepping stone towards authoritarian rule, a tool in the hands of an authoritarian regime if or when they come to power. The more potentially authoritarian powers they have when they arrive, the less work they have to do and the less opportunity there is to resist them.
This has always been a strong argument for the least intrusive, least potentially-harmful laws, but seeing how every oppressive surveillance and policing law created in the US over the last few decades is now a weapon pointed at the American people makes it feel very real right now.
The road to hell is paved with good intentions....
(Also UK 'extreme pornography' laws outlawed what was already covered in the 1959 obscene publications act, but because the public and judiciary were becoming more permissive, that they often couldn't charge the publishers (and conveniently they had a white Christian mother grieving over her dead daughter to fuel moral outrage, where any suggestion this was consensual sex gone badly wrong was shouted down) they went after the general public in a very very 1984 thought crime esque way, particularly as many of the acts outlawed to be in possession of images of....are legal to participate in - shit show is an understatement frankly and the epitome of "something must be done!!! Doing nothing is not an option!!!" Aka the politician and preachers favourite refrain
"no matter how well-meaning it may be when it is created "
Even that depends on what's meant by "well-meaning". These laws* are nothing more than a means to enable law enforcement to avoid due process of law. I don't see that as well-meaning at all. Due process, remember, is there to protect the innocent. The claimed reasons are not well-meant at all; they're just excuses to provide short cuts.
* We have an epidemic of mobile phone thefts. Something must be done. Legislating to permit warrant-less searches of premises for stolen phones is something, therefore HMG believes it must be done. If that one passes then providing the police "suspect" your premises might contain a stolen mobile phone they can just roll up and demand entrance - and maybe break in if they feel like it. For stolen goods of any nature and value, terrorist arms and exploaives, illegal drugs or anything else a warrant has been needed as a basic protection of English rights since 1215 - an increase of mobile phone thefts and 810 years of precedent can be overturned.
Look I agree with what you say except ... so far Trump is far less authoritarian than the Dems were. Please go research what was happening and stop believing what the TV says. The so called liberals are not at all liberal. There was a private government being built, using taxes that was not of the majority.
Please go research what was happening
FFS, having a good Google then reading a load of bollocks clickbait articles that have only been written to increase likes, subscriber numbers and ad clicks does not count as frikkin' research!
It must be true, I read it on the internet...
Buddy, you do know that QAnon is all made up, right? It's just some randos who decided to start a cult for the lols and then realised a bunch of wine moms and do-your-own-research chumps were taking them seriously and turned it into a full-on grift.
None of it is real. None of those things are happening. It was all just jokes. Pranks. Lols.
Was wondering how far down I had to scroll to discover the Republican fuckwit that looks from the outside at the dog inside the burning house saying "this is fine", and is convinced that Trump and Elon haven't been both unconstitutional, and also draconian with Trump thinking he's basically king and trying to pull a Putin in rewriting the Constitution so he can get a 3rd term, with Reds in the House and Senate saying he's not doing anything wrong yet.
Ignored fact that software is software, and people who want to encrypt will find that open source or even just "downloaded without regard to the country's laws" will install on their devices just fine.
The only people this stops from protecting their data from snoops are ordinary citizens - those with highly harmful illegal activities to hide willc just... keep encrypting it...
It'll soon be pretty irrelevant anyway If you put AI processors in the mobile devices which are able to look at what is going on in the screen or keyboard, the governments will just demand a backdoor in the AI system to give access to the data before and after the encryption has been done.
The backdoors are already there, designed in from the start for the use of Microsoft, Apple, Google, etc.
"your data never leaves your device" they say. It doesn't need to as they can just ask the AI if you have whatever they're looking for before sending round the heavies.
PGP.
Encrypt your message (or one-time pad) using your recipient's public key, and sign with your private key. Only the recipient can decrypt the message, and they can verify that it could only have come from you.
Humanity cannot un-invent encryption, however much authorities try to do so with legislation. It's just maths.
Then cut out the extra step and just use PGP, because you'll have the same security as just PGP if the message was intercepted. Using PGP also means you have the typical problems with key management and exchange.
Not that your underlying point is wrong. Encryption that doesn't fit with the assumptions that the law can bypass mathematics exists. Governments can't eliminate it, they can't detect it fast enough to block it, so all they can do is punish people for using it which would be a bad idea. As usual, politicians don't understand how any of it works or how pervasive it is on everything today and thus how hard it would be to take it away.
How do you distribute the one-time pad to whoever is supposed to get the message?
Quantum Crypto. That's pretty much the whole point of it; low-speed links are used for distributing keys, higher-speed ones for OTPs. Not a huge uptake, but BT has been running trials for years.
[note that this is entirely unrelated to post-Quantum Crypto, which has been in the news recently].
"How do you distribute the one-time pad to whoever is supposed to get the message? If that's intercepted you might as well not bother.”
Indeed a message encrypted using one-time pad, as long as it is truly random and the message is shorter than the length of the pad, is absolutely unbreakable. The problem is distribution of copies of the pad to your contacts, and what happens if a single copy falls into the wrong hands.
Encrypting data is fairly trivial, it’'s the key distribution that’s a bitch!
Why is this a problem? Surely they just need to add a disclaimer - 'Are you a bad guy then you can't use this backdoor we had put in, by order of the Government' Of course all the bad guys will take notice and stop accessing the data.
You have nothing to fear if you have nothing to hide. This is generally a known problem for authoritarian regimes, but take the super democratic USA. We have a backdoor and can access all your data. (As a purely hypothetical example). We trust Briden and he doesn't abuse the access, and won't allow anyone else in the government to do so. That is great < Time Passes > Trumpy is the new President and now has access to all your data along with his mate Nylon Muse. They set up 2 new departments - DOGE (Dept of Government Efficiency) and DOGR (Dept of Getting Revenge).
You sent a message supporting Briden and his replacement Parris, don't worry Trumpy and Muse aren't at all childish or thin skinned. Wait,why is there 50 people all wearing black assault gear outside the house? Why is that big tank driving over the garden towards the house?
Just remember you have nothing to fear as you were only using your 1st Amendment rights, honest. The Supreme Court will of course back you up, well maybe, if you voted Republican in the last election and were found guilty of storming the Capital
Don't forget Trump can do anything he wants and it isn't illegal if it is done as President, so that won't be a problem when you consider that if his lips are moving he is lying.
Hoping I don't need to include Sarcasm marks above
Unless I'm very mistaken (and boy do I hope I am), the telecoms companies do not need to record every single call a person makes and store it for 2 years. They need to store who called what number and when.
I actually dont think there would be a problem for a similart requirement on the likes of Signal and Whatsapp. Person A sent a message to Person B on blah blah date and time. Done.
What cant read what the message was? Well you cant know what the telephone call they had was about either. Get off your bum and do some proper police work and stop being lazy...
Having access to all of the phone records, as well as the ability to tap a suspects phone calls in that magical period in the 90s before End to End Encryption kicked in, didnt magically end all crime, funnily enough. Even if you had the Backdoors you want, it's not going to end it now either. So bugger off and leave us our privacy!
I wonder if it will even be possible to stop people using Signal in any given country. If sideloaded, will it still prevent access based on IP addresses or something? I gather it's probably already banned in places like Iran (great role model there, well done), but I'm guessing people still use it.
Restricting IP addresses is relatively effective, except anywhere where VPNs work, so sideloading is an easy option in many countries, including Sweden. Telegram has some interesting tactics to evade IP blocks, but also stores data on servers, so is not the best option for real bad actors.
But the code for Signal is open source, so it's easy enough to set up your own version, wrapped in VPNs and effectively untraceable.
Not contact discovery, but initial account registration. You enter your phone number. They verify your phone number. They have your number at that time (and they keep it). If it starts with +46, they can reject the registration. Contact discovery pseudonymizes numbers, but since there is no need to reject numbers at that stage, that is irrelevant.
As far as I can see Signal do not actually need to change their software, just that the “official” UK version (and local infrastructure services) needs to comply with UK law. So it’s back to encryption basic’s thrashed out decades back: off shore development and “ownership” (ie. Stop using US/UK owned and host Git servers) , so it doesn’t fall under the US "munitions export without a license", or UK law.
Then UK users can side load Signal… If the government wish to de encrypt my messages they can come and ask directly.
Now you understand why Google is pushing its "play integrity api" that includes blocking apps from running when sideloaded, and also includes provisions so that apps using it won't run on suspected to be rooted devices, or even devices that don't have all the required backdoors, sorry, TPM chips. And the "play integrity api" will become mandatory from May 2025,
Except you almost certainly have stuff you're contractually obliged to hide. Just check out the T&Cs of any online services you use. You're obliged to keep those secure. If you rely on any such service to sync these between devices you can no longer do so securely.
You can force people to send unencrypted data but you can't force them to write things out in a readable way. Run the encryption locally, copy-paste into your document or whatever and off you go. All sorts of other ciphers exist, many of which aren't that hard to do manually. At the extreme end, you could even use any of the existing encryption algorithms and do the work manually with paper and pencil; math does not require a computer to be done.
I'll also point out that criminals and terrorists can send paper letter snail-mail to each other; should we also open every single envelope and copy the contents "just in case" there's a crime in there we find out about later?
I'll also point out that criminals and terrorists can send paper letter snail-mail to each other; should we also open every single envelope and copy the contents "just in case" there's a crime in there we find out about later?
Many years ago I applied for a job teaching engineering at Dartmouth Naval College. From the day I got a letter inviting me to interview, Every. Single. Item. which came for me by post was opened. There was no attempt to conceal it: parcels and envelopes were torn open ad sellotaped closed again. I withdrew my application. That was not a world in which I cared to live. Perhaps that was the point of the intrusion.
> Work out how much tax you pay and how much you get back in services.
That does seem to be the approach of HMRC: work out how much you are (perhaps) earning then suggest you a should be paying more tax. Obviously high net worth individuals don’t get troubled as they can afford to make the problem go away.
Obviously, the government, especially Tories are keen to minimise service whilst maximising payout to mates.
Is that really your reasoning? Wow, so nobody ever emigrated anywhere else, ever?
Speaking as an immigrant/emigrant (depending on your point of view).
Then again, when someone states that everything is corrupt, they may be better off staying home and pulling up the drawbridge. Or, alternatively, getting stuck in and seeing what part they can play in making things better. Maybe if enough of us did that things wouldn't be so bad for so many people, But, hey, nihilistic cynicism for the win, eh?
How much do you expect: something for nothing...nothing for something, or somewhere in between?
I'm not saying things are all roses, but whining is so easy, whilst doing nothing ourselves—because, as we all know, the shitty state of things is always some one else's fault, and/or responsibility.
Signal is distributed free of charge. What would prevent people from downloading the software from foreign sites and using it?
More worrisome shall be attacks upon VPN services. At present, VPNs are under scrutiny from copyright rentiers, these wishing to oblige VPN providers to block access to sites deemed to infringe upon their God-given 'rights'. Presumably, various state security agencies would like the ability to decrypt the traffic. Combined, these lobbies are powerful.
Regarding subscriptions to banned (or voluntarily withdrawn) services, shall there be an upsurge in use of non-legal-tender for transactions? For example, alt-coinage and shopping vouchers (e.g. Amazon).
VPN providers are... silly?
Let's look at the claims in their ads. They do not protect you from anything more than ssl already does, except now the VPN company can see which sites you are contacting (not the content, though). Before that it was you internet provider. Using a VPN service offers no "advanced protection"
The only thing it does is circumvent geoblocking for certain things, like streaming services, which is forbidden under the terms and services of the streaming service (sometimes because they just do not have the rights to show that movie in this jurisdiction, so if they do it then WB or whoever comes for them!).
VPNs do make sense when you are out of your office nad the other endpoint is in the company, or you are on the road and the endpoint is at your home. But this is not what VPN companies sell you.
Oh, and even if the traffic over those VPNs would be decrypted, it is still encrypted by the ssl connection that is tunneled through the VPN.
The main function of non-work related VPN's used to access company networks is to circumvent geofencing and somewhat obfuscate your own IP (though additional steps are still required to fully be anonymous)
Anyone expecting any more than that and believing the marketing that it's "more secure" is deluding themselves.
Not strictly true even though I fundamentally reach the same conclusion, there are a few minor benefits outside SSL if you trust the VPN provider (and intermediate networks it traverses) more than your ISP or intermediate networks that traverses.
Your content probably isn't being stolen but DNS may be, and even using DoH then SNI in TLS often discloses overall site but not content if you can't trust the network and value privacy. To say they can't see "anything" isn't strictly a true assumption. But you address that already, it's just a common misconception.
Generally have the ethos that [insert foreign 'peacetime enemy' country] are better to handle my data than [local or friendly country] because frankly they can do less to make my personal life hell and less vested interest in my comings and goings. Doesn't mean I wouldn't rather be a citizen of local country with local country sniffing my data than the other way around.
Generally, I don't bother. I use my home as a VPN for open and public (WiFi for example) networks and accept the risk of my ISP more so than a 1, 2, 10 employee VPN company handling my data and wherever they host their servers (when they clearly don't own the data centres). I just don't really agree it's objectively fact.
Doesn't do any good to block them. They'd have to block WhatsApp, iMessage and Google's proprietary encryption on RCS. I guess they are taking on the small fry first before they go up against trillion dollar tech behemoths.
AFAIK actual iMessage usage is pretty low in the EU so Apple could probably disable it (hopefully with a snarky message blaming their government) without too much fallout. But that's because stuff like Signal and WhatsApp is heavily used there, so going up against Meta will be a fight. Especially given that Zuck has been kissing Trump's ass since he won and will expect a return on that "investment". Which would probably take the form of tariff threats, since it seems like that's the only page in Trump's playbook.
Will the UK then ban the side loading of apps on Android devices? Will they ban VPNs? If they don't want anyone using user-friendly, E2EE messaging apps, that's what they'll have to do. ... but then I suppose they'll also have to ban flashing custom ROMs on Android devices ... and if you keep going they're going to have to ban GitHub ... and if you go even farther they'll have to ban semiconductors ... then the one-time-pad technique ... then writing implements ... ... and eventually math.
This post has been deleted by its author
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
