UK Government Says App Developers Won't Be Forced To Implement Backdoors (betanews.com)

← Back to Stories (view on slashdot.org)

UK Government Says App Developers Won't Be Forced To Implement Backdoors (betanews.com)

Posted by samzenpus on Wednesday October 28, 2015 @07:05PM from the keeping-it-secure dept.

Mark Wilson writes: The UK government is sending mixed messages about how it views privacy and security. Fears have been mounting since Prime Minister David Cameron wondered aloud 'in our country, do we want to allow a means of communication between people which we cannot read?' — his view obviously being that, no, we don't want to allow such a thing. Following the revelations about the spying activities of the NSA and GCHQ, public attention has been focused more than ever on privacy and encryption, Cameron having also suggested a desire to ban encryption. Today, some fears were allayed when it was announced that the government was not seeking to require software developers to build backdoors into their products. That said, the government said that companies should be able to decrypt 'targeted' data when required, and provide access to it.

51 of 86 comments (clear)

Min score:

Reason:

Sort:

David Cameron is not very intelligent by Anonymous Coward · 2015-10-28 19:35 · Score: 5, Insightful

Unfortunately, Mr Cameron lacks even basic knowledge of technology, so is unable to appreciate that his expectations of making encrypted data readable by the NSA/GCHQ/Stasi, are completely unrealistic. Cameron should keep his slimy far right persona out of areas that he can't understand - since that appears to include most areas of government, maybe he'd be better seeing employment that is more fitting for his level of ability - perhaps as a clown or jester.
And, to answer Mr Cameron's question as to whether we want to allow means of communication between people which can't be read by the secret police - I think anyone supporting of democracy will be screaming 'yes - of course we do'. This is fundamental to any democratic society. Cameron might want some kind of despotic right wing regime, but most people here don't. Remember - Cameron was elected by a very small minority of the British people (~20%), because of the way the antiquated electoral system has failed. He most certainly has no democratic mandate to rule.
1. Re:David Cameron is not very intelligent by Kkloe · 2015-10-28 20:11 · Score: 1
  
  I think they are talking about getting data that passes the server of said company that would have master keys to unlock it
2. Re:David Cameron is not very intelligent by 91degrees · 2015-10-28 20:20 · Score: 1
  
  Remember - Cameron was elected by a very small minority of the British people (~20%), because of the way the antiquated electoral system has failed. He most certainly has no democratic mandate to rule.
  What would you consider a mandate, and what British PM has ever achieved that sort of level of support?
3. Re:David Cameron is not very intelligent by Hognoxious · 2015-10-28 23:57 · Score: 1
  
  Your figures are off.
  http://www.bbc.com/news/electi...
  
  --
  Confucius say, "Find worm in apple - bad. Find half a worm - worse."
4. Re:David Cameron is not very intelligent by Jamu · 2015-10-29 00:28 · Score: 2
  
  24% of the electorate voted for a Conservative candidate. 0.08% voted for David Cameron.
  
  --
  Who ordered that?
5. Re:David Cameron is not very intelligent by AmiMoJo · 2015-10-29 00:40 · Score: 2
  
  Don't underestimate Cameron. The upper class twat persona is just a mask. He is extremely careful to be bland an inoffensive at all times, speaking only in generalities and vague benign sounding ideals.
  For example, on this issue he always talks about safety. No-one opposes safety, right? Safety is good. He avoids being too specific or saying anything too ideological.
  He is a dangerous opponent, because he turns people to apathy. They vote for him because he stands for nothing specific, so they fill in the blanks themselves and assume he agrees with them.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
6. Re:David Cameron is not very intelligent by 0123456 · 2015-10-29 01:41 · Score: 1
  
  Ha-ha. You think Cameron is 'far right'.
  He's at best a cuckservative, and even that is debatable.
7. Re:David Cameron is not very intelligent by Shortguy881 · 2015-10-29 01:49 · Score: 1
  
  Clown or Jester is the perfect job description for the modern politician. Look at the U.S. They are about to elect Trump.
  
  --
  Brilliance without wisdom, power without conscience. Ours is a world of nuclear giants and ethical infants.
8. Re:David Cameron is not very intelligent by BranMan · 2015-10-29 08:35 · Score: 1
  
  No state servant HAS subjects! W. T. F.
9. Re:David Cameron is not very intelligent by 91degrees · 2015-10-29 11:10 · Score: 1
  
  He got less than 50% of the popular vote and only about 37% of the voting population picked him. And he's the most successful PM since the war.
I thought NSA and GHQ had backdoors by invictusvoyd · 2015-10-28 19:40 · Score: 1

in every major encryption algo. So why do they worry?
1. Re:I thought NSA and GHQ had backdoors by AHuxley · 2015-10-28 20:09 · Score: 1
  
  AC by shortening of the keysize. What one section of a gov gives away in public, another ensures will revert to plain text :)
  
  --
  Domestic spying is now "Benign Information Gathering"
2. Re:I thought NSA and GHQ had backdoors by AHuxley · 2015-10-28 20:19 · Score: 1
  
  The US and UK have 3 areas to worry about.
  Open source efforts produce a good new method thats free, accepted and upgraded.
  Some neutral nation outside the US and UK direct academic influence sells, creates or offers good working encryption at a low price.
  A brand installs harder than average encryption responding to market forces that does not decode easily in realtime in consumer hardware or software.
  Most of the above are fixed with big cash offers, international treaties or a nice chat.
  
  --
  Domestic spying is now "Benign Information Gathering"
3. Re:I thought NSA and GHQ had backdoors by gweihir · 2015-10-29 02:32 · Score: 1
  
  They do not. Really not. That would be a catastrophe waiting to happen. (Then, we still have enough nukes at the ready to destroy the planet several times over, so that may not be much of a deterrent.) But it seems highly unlikely that they can break modern crypto like AES or indeed any of the other finalists for a number of reasons. In addition, the continued failure to force companies to make their software more secure does deliver a host of vulnerabilities all the time. I am not sure this is an accident.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Reveal a plot so fiendish by AHuxley · 2015-10-28 19:48 · Score: 1

Any data flow could be of interest to the UK gov at some time for some reason and UK staff will have to provide gov/mil access when demanded.
A brand thinking their data sets will not be of interest and not build in UK ready traps doors or back doors would be offering a "means of communication between people which we cannot read".
By default UK based brands will have to build in trapdoors, backdoors just to cover that UK gov request eventuality ie "companies must be able to provide targeted access"".

Nobody Expects the targeted data request.

--
Domestic spying is now "Benign Information Gathering"
Bottom line by 93+Escort+Wagon · 2015-10-28 19:57 · Score: 5, Insightful

The politicians deciding these rules have no idea how this stuff works. "We're not asking for back doors. Back doors are bad. We just want a way to access the contents of encrypted messages when we deem it necessary."
It'd be funny if the stakes weren't so high.

--
#DeleteChrome
1. Re:Bottom line by Kkloe · 2015-10-28 20:05 · Score: 1
  
  ?, as a developer I cant see how you cant build so the cant be unencrypted if it passes the servers we have control over, like apple, they have encryption on the phone that apple cant crack but when that message\data is passed\synced through apples servers they can allow other access to it.
  this is what they probably are talking abou
2. Re:Bottom line by drinkypoo · 2015-10-28 20:18 · Score: 1
  
  as a developer I cant see how you cant build so the cant be unencrypted if it passes the servers we have control over, like apple, they have encryption on the phone that apple cant crack but when that message\data is passed\synced through apples servers they can allow other access to it.
  this is what they probably are talking abou
  Please explain your rationale for believing that.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
3. Re:Bottom line by Kkloe · 2015-10-28 20:29 · Score: 1
  
  http://mashable.com/2014/09/18...
  
  There's a catch, though: even if Apple is unable to hand over the data from your phone, it can (and will, if asked via a court order) hand over the data from your iTunes or iCloud account
  maybe
4. Re: Bottom line by Kkloe · 2015-10-28 20:56 · Score: 1
  
  so does it affect anyone in the end?, because beside some people that really wants to really avoid getting their info handed to the gov the general populace, businesses\organisations and governments will know about this and still use that software because there is no other option or is the best economic option vs security
5. Re:Bottom line by drinkypoo · 2015-10-28 21:01 · Score: 1
  
  as a developer I cant see how you cant build so the cant be unencrypted if it passes the servers we have control over, like apple, they have encryption on the phone that apple cant crack but when that message\data is passed\synced through apples servers they can allow other access to it.
  this is what they probably are talking abou
  Please explain your rationale for believing that.
  "There's a catch, though: even if Apple is unable to hand over the data from your phone, it can (and will, if asked via a court order) hand over the data from your iTunes or iCloud account"
  The government can already get your unencrypted transmissions, because they have tapped all backbone links in the USA, and probably everywhere. But the only way that Apple can provide the data from your iTunes or iCloud account is if there's a back door in the encryption system.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
6. Re: Bottom line by Dog-Cow · 2015-10-28 22:57 · Score: 1
  
  I don't think you really understand this Internet thingy and how it works.
7. Re:Bottom line by Kkloe · 2015-10-28 23:04 · Score: 1
  
  back door?, no they use their own keys to encrypt the stuff on *their* servers, thats not a back door, that is how it is
8. Re:Bottom line by Lakitu · 2015-10-28 23:13 · Score: 1
  
  like apple, they have encryption on the phone that apple cant crack
  If Apple can't unencrypt it on the phones, then they can't unencrypt it ever.
  
  but when that message\data is passed\synced through apples servers they can allow other access to it
  When the phone owner unencrypts his unencryptable data and sends that in an unencrypted message through Apple's servers, then Apple has the unencrypted data.
9. Re: Bottom line by mangobrain · 2015-10-28 23:32 · Score: 1
  
  Could you clarify? References to Skype may or may not be relevant, but direct end-to-end communications is most certainly not impossible. It may be difficult in practice with contemporary IPv4 deployments (most devices are not directly addressable from the public Internet due to NAT), but of course it can be done: as long as it is possible for two devices to connect (which evidently it is, or we couldn't have an Internet at all), there is no "magic" which mandates that one or other of those devices be a corporate-controlled central server.
  Central servers - effectively, brokers - do provide a lot of convenience: one place to publish & discover user presence, no need to bypass NAT at the endpoints because both connections are outbound, store & forward of messages for offline users, etc. But you *could* have a purely peer-to-peer network with offline exchange of contact details, or a central server used for nothing but storing details by which a user's device can be directly contacted.
  Unless you count "routers" as "servers" - but with suitably randomised addressing and strong encryption, all that router logs will tell you is "device A sent some data to device B", nothing about the *meaning* of the data or the people behind it.
10. Re:Bottom line by dkasak · 2015-10-28 23:43 · Score: 2
  
  Your data passing through someone else's servers doesn't automatically imply they have means of decrypting that data. Clients can generate keys themselves (or negotiate them securely with each other, in the case of asymmetric encryption) and keep them secret. Data encrypted in such a way can be stored wherever you want without the party owning the infrastructure being able to read it.
11. Re:Bottom line by mangobrain · 2015-10-28 23:44 · Score: 1
  
  That may be how it is, but it is not necessarily how it has to be. It is possible to build a system where the data is encrypted with per-user private keys, which never leave the user's device(s) - at least, not in the clear, and ideally only when being migrated/copied to other devices. Do all the crypto on the device, transmit & store it with private keys unknown to the owners of the infrastructure.
  For all I know, this might in fact already be how iTunes & iCloud work already; that certainly seems to be the implication in the statement that data is "placed under the protection of your passcode ... [therefore] it's not technically feasible for us to respond to government warrants for the extraction of this data" (from your mashable.com link). I'm pretty sure various online back-up services work this way.
  Of course, there has to be a certain level of plaintext metadata: the fact that you have an account is not secret, nor are the amount of data stored, the access times, and the network addresses of devices used to access it. But the data itself? A system in which the service provider doesn't have centralised private keys is absolutely, completely feasible.
12. Re:Bottom line by echnaton192 · 2015-10-29 00:57 · Score: 1
  
  Not true. This Data is not encrypted by the users password or a separate encryption key. iMessage is encrypted end-to-end.
  Emails, calendar, notes, address book, photos, unencrypted backup are not encrypted with a key apple has no access to on the icloud. You could encrypt the backup with a special password, the other stuff is NSL-able.
  You could use posteo.de or similar services for emails, calendar and address book and encrypt the stored data with the password for login. That is easy because apple uses standards (IMAP, cardDAV, calDAV) for these services.
  Notes were stored with IMAP up until iOS 8, so you could rescue it from GCHQ and NSA. This no longer works with iOS 9, icloud is obligatory. So one could only switch the app for taking notes and store ist elsewere.
  There is no way to securely stream your photos automatically that I am aware of. Switch it off or make them freely available, because icloud is not secure.
  I would not trust the backup to be safe at apple even if it were enrypted, this encryption surely is one of the main targets for the NSA, I am shure.
13. Re:Bottom line by gweihir · 2015-10-29 02:29 · Score: 1
  
  Probably the only real problem with democracy is that most voters are morons, but more so, most politicians are morons and with all shreds of personal honor, integrity or morality removed.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Analog storage crime nest by Anonymous Coward · 2015-10-28 20:06 · Score: 1

It's high time the governments of the world started cracking down on the terrorist nests that are analog books. It's impossible to know if thought crimes are committed with ink and paper. Perhaps a mandatory legal waiver of ones human rights with each purchase of writing materials?
It might be best to just proceed to the inevitable conclusion and burn every literate human being at the stake unless they agree to live with a government approved guardian overseeing their every action and thought.
1. Re:Analog storage crime nest by gweihir · 2015-10-29 02:26 · Score: 1
  
  +1000000, insightful. Sorry, no mod points. (Time to start reading those classics again. They become more and more relevant, unfortunately.)
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
This has always been a big pile of hysteria. by 91degrees · 2015-10-28 20:18 · Score: 2

David Cameron made a speech. He said the government wants it to be impossible for terrorists to hide from the security services.

Tech media sites assumed that Cameron knew exactly what he was talking about while at the same time having no idea what he was talking about. They concluded that the only way this would be achievable would be to ban encryption. In fact, given that pretty much everyone who talked about it mentioned WhatsApp and Snapchat, and no other services, it makes it pretty obvious they were getting this from each other.

Of course people took this speech as gospel and completely ignored other statements saying this was not going to happen, just like they'll ignore this

Nobody thought that Cameron didn't have a clue what he was asking for. Nobody considered that he does actually have the option to compromise; Cameron's actually pretty good at that. Everyone assumed that this vague speech was explicit unwavering government policy to ban WhatsApp and Snapchat based on a stupid echo chamber and ridiculous assumptions.
1. Re:This has always been a big pile of hysteria. by echnaton192 · 2015-10-29 01:30 · Score: 1
  
  How could this possibly be? How could we assume that he is an orwellian Big Brother, conpiring with the USA to build an orwellian, fascist surveillance scheme?
  Because of reports like this? https://theintercept.com/2015/...
  Because there is nothing holding back the GCHQ from intersepting everything including porn use to denounce any resistance? Because the GCHQ has already infiltrated legal NGOs to undermine and control those "terrorist" NGOs like Amnesty International?
  http://www.theguardian.com/uk-...
  Because after laying waste to the middle east he leaves the refugees to the other european countries?
  Because he already annnounced that if the european human right standards might hinder his orwellian fantasies, he considers abondoning these standards and replace them with his british version?
  http://www.huffingtonpost.co.u...
  Because he does not even think that UN human right standards might also apply to his government?
  http://www.welfareweekly.com/c...
  Under which rock have you lived since the release of the Snowden files?
  Every european country installed an orwellian surveillance scheme. But this government and his system to me as a foreigner seems to be by far the worst. They stop at nothing.
  That is why I highly doubt he will be able to really compromise. He uses 1984 as a how to manual, even going to war with changing coalitions to keep the system going. But even George Orwell was not foreseeing a time when people buy their bugging devices and waiting in line to get their bug.
2. Re:This has always been a big pile of hysteria. by 91degrees · 2015-10-29 01:33 · Score: 1
  
  Well, yes... Most governments want to spy on their citizens. I am not defending this.
  
  I'm just pointing out the idiocy of people who infer specifics based on a wild interpretation of a speech.
3. Re:This has always been a big pile of hysteria. by gweihir · 2015-10-29 02:24 · Score: 1
  
  David Cameron made a speech. He said the government wants it to be impossible for terrorists to hide from the security services.
  And that is the problem right there: The only environment where that even gets close to the truth is extreme Fascism. If there is even a bit of personal freedom left, terrorists can hide. Hence even extreme Fascism offers some possibilities for terrorists to hide, so you have to have things like concentration camps, wars and famines to keep them otherwise occupied. But remember all those people that hid Jews in the 3rd Reich? All these qualify as "terrorists" in the convoluted mind-set of Cameron and he wants such deeds to be made impossible.
  In the end, Cameron and his ilk want to remove all personal freedoms and have any action, and if possible, any thought by a citizen be subject to review by "the authorities".
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
How can you tell when a politician is lying? by Epeeist · 2015-10-28 20:53 · Score: 1

Answer: "When you can see their lips moving".
Cameron is an ex-PR flack who never lets truth get in the way of the message.
Re:Pointless by AHuxley · 2015-10-28 21:20 · Score: 1

A company is compelled to do the decryption on their own product at their own site :)
No outside legal advice over the warrant, staff are then doing the conversion back to plain text on their own private sector server.
All the cooling, cpu time, staff hours, costs, network changes can be pushed back into the private sector as they have to be fully compliant.
No more tricky private sector encoding ever again.
The cleared defence team is told in closed court the presented evidence is pure and direct from the company. No leaking of further methods in any court or further questions.

--
Domestic spying is now "Benign Information Gathering"
Not forced by Anonymous Coward · 2015-10-28 21:41 · Score: 2, Insightful

NO developers were forced to add back doors to these apps, but most of them voluntarily chose to live peacefully with their families.
Re:This haiku's about another kind of backdoor by Dr_Barnowl · 2015-10-28 23:02 · Score: 4, Funny

Clearly you don't follow the news about our PM.
A better haiku would be

The Turgid Member,
Slipped into a dead pig's mouth,
Like he fucks the poor
contradictory statements by v1 · 2015-10-28 23:34 · Score: 1

Today, some fears were allayed when it was announced that the government was not seeking to require software developers to build backdoors into their products. That said, the government said that companies should be able to decrypt 'targeted' data when required, and provide access to it.
What's the difference here? Companies like Apple are designing their systems such that they never have the key to the data. They hold the data, but have no way to access it, by design. The UK is saying they're not going to require back-doors, (presumably this means "they won't be required to provide a way for us to decrypt the customer's data") but at the same time they're saying "we should have access to the data anyway".
The only three ways I see to reconcile these two statements is to do one of:
- not encrypt the data in the first place.
- use worthless encryption
- keep a copy of the key
Apple's current method of "we use strong encryption and don't have your key" would seem to voilate their requirement. But since the government wants to have a way in, without a back door, it means the company itself is required to have a back-door of their own built into the system, that allows the company access to your data. From there, the government can issue an NSL or something to force you to hand over the data.
So we're going from a back-door that lets only the government to have access to your data, to a "better model" that lets them have access to it, because the company also has access to it? How is this BETTER?
I say NO to both!

--
I work for the Department of Redundancy Department.
Not stupid by FrozenGeek · 2015-10-28 23:42 · Score: 2

The majority of the public won't understand that "should be able to decrypt on demand" is the same thing as a back door. To them, what he said was good and fair. This is just another case of a politician playing with words in order to manipulate the electorate.

--
linquendum tondere
psht by sociocapitalist · 2015-10-29 00:43 · Score: 1

Developers "Won't be forced" because they will otherwise be motivated (i.e. what just happened in the US where telcos get immunized against lawsuits in exchange for providing customers' private data to the Feds).

--
blindly antisocialist = antisocial
The government wants systems to be secure by DickBreath · 2015-10-29 01:17 · Score: 2

As long as they are insecurely secure.

In classic government oxymoronic style. Governments are full of oxymorons.

Some government "adult male" in their "arrogant humility" engaged in "a just war" wants us to "agree to disagree" to introduce "astronomically small" insecurities into our "insecurely secure" systems so that "military intelligence" can "read unreadable" messages.

It all makes sense.

--

I'll see your senator, and I'll raise you two judges.
smell the glvoe by PopeRatzo · 2015-10-29 01:23 · Score: 1

UK Government Says App Developers Won't Be Forced To Implement Backdoors

But if they know what's good for them...

--
You are welcome on my lawn.
umm what? by phishybongwaters · 2015-10-29 01:34 · Score: 1

So I'm confused. They won't make app developers put in a back door (to allow them to intercept communication) but will require them to have a method to intercept communication on demand. How exactly is that not a backdoor?
1. Re:umm what? by gweihir · 2015-10-29 02:15 · Score: 1
  
  Something needs to be intentionally broken if they can intercept and decrypt communications. That is a "compromise" of the security of the app, but it is not a backdoor, which is a command and control interface into the app. Intercepting and decrypting communication can be done by weaknesses in the Architecture, design and implementation, but may not require contacting the app at all.
  The distinction is purely technical though, the result is the same: A broken product that endangers its users.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
But they will be forced to lie about it... by gweihir · 2015-10-29 02:08 · Score: 1

This is really the best of both worlds: Force backdoors (which are insecure, of course) in there, but make it right again forcing the people involved to lie about it. Everybody that does not comply is obviously a terrorist and will go into an isolation cell in prison for his remaining lifetime.
In particular the British administration is lying habitually and pathologically and nothing they say can be trusted.

--
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Re:Being able to decrypt the data is a backdoor by gweihir · 2015-10-29 02:11 · Score: 1

Well, not really, although it has the same effect. Weak keys, weak crypto, etc. all serve that purpose. I also have a nagging suspicion that legal approaches to make companies write more secure code are delayed or squashed in order to allow the GCHQ (and others of the same fundamental evil disposition) to continue to indulge their peeping habits.

--
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Re:David Cameron Rules!!!! by gweihir · 2015-10-29 02:17 · Score: 1

While I agree on the sentiment, such a cancer can spread. Remember that Hitler was voted into office. (With a minority of votes, but still the largest share.)

--
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Re:So, almost like North Korea? by gweihir · 2015-10-29 02:33 · Score: 1

I don't think he ever had it in the first place...

--
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
How can you run a country. by RalphOstrander · 2015-10-30 12:55 · Score: 1

And not understand this cat is out of the bag and you will never be able to put it back in.