UK infoseccer launches petition asking government not to backdoor encryption A UK infosec bod has launched a petition asking the government if it would please drop its plans to install backdoors in end-to-end encryption. Application security specialist Sean Wright's Parliamentary petition comes as an expression of uneasiness at long-signalled plans for British state agencies to sidestep encryption and …
The predator Wilson was traced using the age old 'follow the crumbs' approach giving enough circumstantial evidence for a search warrant. His phone was then found & seized, this was enough (easily identified endpoint) for another warrant requesting ISPs,Carriers & social media firms to hand over the logs. At this point, it wouldn't take very long to identify all of his victims and direct evidence from victims gives an easy conviction.
At no point did reading the live messages need to be done, unless plod is saying that they were already doing this to everyone already (how else could they find him?) and no complaint was made by a victim or online child protection group before they took an interest in his activities.
If this is the level of argument that the NCA comes up with as an excuse for removing any serious security from personal communications its pathetic, they can already find out easily enough all the details relating to any message (except the actual content) for the last year and proceed from that with warranted activities for the rest.
I was merely pointing out the current 'legal' position where ISPs etc. must keep all data for a year should plod come calling with a warrant, so plenty of opportunity for legal investigation.
If the ISPs choose to to keep data for longer, that's a commercial decision. If plod collects and keeps data forever that won't make any difference to the backdoored encryption debate.
As we've been implementing it (miscellaneous banking industry) it not only stops data from being provided in any kind of information requests but also from being user-searchable past the forget-about-me date, though it will linger forever in the database (or its backups) and can be retrieved by IT at any given time - following proper channels, hopefully.
I know that it can be very tempting to think of the ISPs and the State being some sort of shadowy organisation that is in cahoots to spy on and do down the little man, but quite honestly this is not the case. ISPs are businesses, and as such they have to make a profit. Storing customers' data indefinitely does not give them any profit, so pretty much all ISPs will comply with the very letter of the law and that is all.
They will also have done a quiet cost/benefit/punishment assessment over what the fine might be for not keeping the required records, or having done so on a disk which subsequently turned out to be broken, and so on. Be assured that only precisely one year of data will be retained, and that will be retained on the cheapest, crappiest NAS box money can buy.
The other way to look at it is that ISP 's are businesses and will look to monetise any asset they control so they are probably selling that data, theres a reason they started squealing about mozilla adding DoH support https://www.theregister.com/2019/07/10/ispa_clears_mozilla/
All he has to do is talk to Sir Graham Brady and Sir Ian Duncan Smith and Steve Baker and all the Tory MPs who are currently fuming at the authoritarian attacks on our freedom and human rights that are the covid restrictions.
They will of course instantly understand that backdooring encryption is also an attack on our liberty and rights, and will organise a rebellion to ensure that any proposal to backdoor encryption will never get through Parliament.
Won't they?
All he has to do is talk to Sir Graham Brady and Sir Ian Duncan Smith and Steve Baker and all the Tory MPs who are currently fuming at the authoritarian attacks on our freedom and human rights that are the covid restrictions.They will of course instantly understand that backdooring encryption is also an attack on our liberty and rights, and will organise a rebellion to ensure that any proposal to backdoor encryption will never get through Parliament.
Won't they? ...... smudge
smudge, re the question, Won't they?, is easily resolved by simply asking them whether they be already ready, willing and able to perform such a Sterling Stirling Service for the home nation and similarly threatened allies should it prove to be necessary and unavoidable ‽ .
Then any opposition can have aforesight of what would be certainly a less than friendly competition and surprisingly competent foe if parties get their intelligence acts together to harry and dash and exhaust and extinguish the common enemy and an enemy of the Commons too ...... and thus be not unaware of the fight they be destined to lose and can never ever win win against.
Would you be a fool and think to try triumph against all of those odds against you? Would you both claim and blame madness for fatal miscalculation?
Call me a cynic - they won't. They are politicians. Two out of the 3 are Knights of the Realm. That leaves 1 whom the whips and party management can get to toe the party line with the promise of a Knighthood. A politician with a Knighthood would be looking for a carrot in the guise of a Peerage.
This measure, being based on 'noble' sentiments, may well gain traction during these times of a punch drunk compliant parliament. Few MPs are likely to understand the technical issues involved or to bother getting up to speed. The large Conservative majority makes passage of legislation almost inevitable. Labour MPs wearing 'decency' on their sleeves could support it; perhaps some will indulge in the same inane kneeling gesture they did for BLM.
Yet one must question just how much damage this proposal actually could do if implemented. Commercial purveyors of social communication platforms within 'Five Eyes' jurisdictions shall be obliged to obey. For speakers of English and other European languages these platforms (e.g. Facebook) predominate. However, people intent upon conducting their private and working lives secure from intrusion don't use these means to socialise and to do business. Unencumbered encrypted communication shall continue using VPN, secure email services, and messaging applications procured from foreign sources. Long established open source tools for specific purposes, e.g. PGP, will continue in use as shall transfer of divers 'content' in compressed encrypted format. Then there is Tor and a number of distributed peer to peer networks all at advanced stages of maturity.
Internet recruitment and predation upon children must in the main depend upon mass social media. Hence, in theory neutering encryption on these media would accrue benefits. As for other criminal enterprise fruits from encryption back doors will be minimal in number and in terms of sophistication of crime; this because criminals along with sensible honest folk have other means to converse.
Even benefit from detecting crime against children is moot with respect to enacting back door access to 'conversations'. It might help gathering incriminating evidence against those already suspect but fishing expeditions into a huge accumulating pile of decrypted communications doesn't seem worth the bother.
Governments appear to place huge faith in technological solutions to problems better tackled by other means. We are seeing this now with respect to Covid-19: a pretty useless phone 'app', testing asymptomatic people, and the proposed "Operation moonshot". Concerning crime they would do better by increasing provision of traditional policing methods; when so, technology becomes a support rather than driver of activity.
Crime dependent upon the Internet is largely abstract until it impacts the physical world. Connection between the two realms is tenuous until people seek physical contact, pay for services with money, and deliver physical items. That recognition has enabled police forces to prosecute vendors and recipients of 'deals' transacted in the quite secure environment of Tor. Conventional policing through steady observation of nefarious activity with cross-referencing within and between Tor and the open Internet has enabled investigators to pick upon human errors by criminals which give clues to identity.
We must think of the children.
We need to ban cars. They enable criminals to get away.
We must ban all gatherings of people in pubs, parks, private buildings etc. unless the location is fitted with authorised monitoring devices.
Cameras must go too.
As must all sales of sweets, and cute puppies.
Everyone must converse in English!
All posted letters will be opened and photocopied.
GPS tags must be worn by all men over 18, and those under 19.
In other words, the criminals will adapt, the only people backdooring encryption will hurt are the law abiding citizens, who will now be less protected from the governments and those that wish to do them harm.
Sod the Children, wont someone think of the adults for a change
I'm thinking that a smaller state - let's say Australia, or perhaps a post-Brexit UK - passes this legislation. The tech industry gets together, and suddenly WhatsApp, FaceBook, Instagram, Twitter, Signal and Telegram are unavailable in the UK.
That would send a significant message to the government, which I think would be enough to kill the idea of anywhere else doing the same thing.
You'd need the majority of world governments to pass it simultaneously to make it work. Similarly, you'd need most tech companies to decide they hate that kind of regulation to make it stop. I can't really decide which of the two is the least likely, to be honest...
......backdoors don't make any difference if people ENCRYPT MESSAGES BEFORE THEIR MESSAGES ENTER A PUBLIC CHANNEL.
*
The spooks are welcome to extract this sort of encrypted message from their backdoor du jour:
*
19PD1d7y0Tea1k6n0AC21c2p0IsU0KMy1MLC0Znk
0SFi1BVb12uD0wdX0G8j0U1w0xMQ1DR51esn0vsS
0y7W0tzY1Nev1ZlP0r3q0uef0Q1b0hQA0pRY13nJ
1JZz0B$U12561YYy0Mhg1U9b1X6I0oGj0GLZ13vj
0AnB0bFO1YT51Ide0RKc0mPj1Ocz0UKL1LR$0ZhT
0bOF1MwO14f$1Ras1kSh1dWP0aHR1BJ71X$g1acw
1DK811mi0jtx07Iq0zfI0AYk0ytJ1UcO0Et21MS9
1Hs90Z800iDV0tId1S$d1cAb0hZH038$0JhI1G14
0JXH0XTs00zG04L=1ETk0nzx1lYg18W6052D1TOO
1AXp0kVW133g0yJn188A0kAz1Uar
*
How hard is this to understand?
And how many people will even know how. let alone why they should care :(
I've emailed all my contacts (I don't do social media) urging them to sign and pass it on with a link to this article and a brief description of why we should care, as most of them don't even know about this let alone the implications.
Anonymous due relations with a controlled regime. Documents encrypted with Backdoors just means a shift by criminal operators to other means. keys not kept on the device, and then sent via encrypted services are probably not readable, but you can be compelled to divulge the key or face consequences.
All depends on 'them' being interested in you beforehand, or if automatic means cannot read, it may enable you as the needle to be visible in the haystack. Most 'crime' other than ideological crime (e.g. Pakistani guy's revelation of atomic bomb stuff to Iran) is done for 'money' or 'money's worth', selling of pictures, videos, drugs or bodies etc., thus starting with cash flows is always a better way to solve things.
Distributed cash flows in Bitcoin etc. is then more relevant. Communication by distributed means can also be done. Then investigation is back to start for 'real criminals' but other folk are followed in controlled regime fashion. Net gain to authorities is little at very much effort. As in the major very controlled regime at present; folk find ways around it for their thoughts, while it 'suppresses' mass out breaks of rebellious thoughts, it does not stop the small groups. But regime's cost in manpower/ capital and technology is immense (probably greater that the NHS {National Health Service} cost in UK as a proportion of GDP).
> the French man-in-the-middle'd an Encrochat server. From there police deployed malicious updates across the Encrochat network to dump unencrypted images of users' handsets back to servers they controlled, bypassing encryption altogether by simply reading off chats direct from user endpoints.
That is how. They do the same thing with the rather more popular and equally E2E encrypted Whatsapp. They are detain you and confiscate your phone, which is then imaged and the plain text message archive extracted from it, or they send you a nasty in one of various ways at their disposal and discreetly exfiltrate the data.
The only possible rational explanation for wanting to ban encryption is wanting to conduct mass surveillance, in spite of that being illegal. Until now, the only thing that differentiated us from the old iron curtain states was that liberal democracies did, by and large, refrain from breaking their own laws: spying was illegal in the iron curtain states too, which is why they had to do it more or less surreptitiously. It was their habit of doing it en masse anyway that set them apart from most of the West.
Mobile phone cloud backups are not encrypted with a key that we define and services like WhatsApp back up all conversation data using these cloud backups anyway. In addition to that, the Regulation of Investigatory Powers Act allows the cops to lock people up who refuse to make intelligible any data they collect through the use of a warrant,
So why do they feel the need to ask for more backdoors? I sense this is part of yet another psyop intended to convince the masses that the government can't easily dip in on our stuff through the equivalent of PRISM.
It's at least a way to educate MPs that a problem exists - so if anyone does sign it, might as well fire off an email to your MP to tell them.
Yes, I know MPs have no technical knowledge but bear in mind that - with honourable exceptions - most of them (and definitely most ministers or shadows) don't know much about any of the topics they actual deal with.
One of the major issues with this and other similar legislation brought in for police / security reasons is what happens when those responsible for bringing it in realise that it has cost a fortune to set up and / or run and is not actually producing anything near the benefits it was claimed to bring. So then the system is opened up for other Government or quasi government organisation to use “to maximise benefits”. So next thing the Tax authorities get permission to use the snooping facility and staff to root out suspected tax dodging builders, plumbers, car mechanics etc. who prefer to deal occasionally in cash and maybe avoid VAT payments (whether they are using encrypted correspondence or not). As a customer on their contact list suddenly all your correspondence is being monitored as well. Think about CCTV as a parallel. They were initially brought in to make people feel secure by acting as a deterrent or means to solve crime. In practice a current part of their use is for catching motorists who commit the cardinal sin of stopping for a few seconds in a prohibited area to drop off or pick up a passenger or goods without causing any delay to other road users or danger to pedestrians and other relatively minor traffic parking offences. These cameras are operated by staff from private companies with little training other than “if you see a car on a yellow line or in a bus or cycle lane report it” and nothing is taken into account of what the actual effects are on other road users or mitigating circumstances. They also have access to DVLA systems to trace vehicles from registration numbers. Other “security” legal provisions such as RIPA have allegedly been used in the past by Councils to inspect domestic waste to ensure it is in the right recycle bin, follow dog walkers to check they are clearing up properly etc. etc. That may have been reeled in somewhat now but officialdom will continue to look for opportunities to make their lives easier. By requesting powers to set up back doors into mainline encrypted services the powers that be are presumably already confident that they have the right to read all other non encrypted stuff. Or are they saying that only criminals and terrorists use encrypted correspondence and therefore need to be monitored? Think on – it is 5 years down the line we basically honest citizens need to be worried about.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
