Slashdot Mirror
Internet Firms To Be Banned From Offering Unbreakable Encryption Under New UK Laws (telegraph.co.uk)
Retron writes: Despite statements from the minister for internet safety and security Baroness Shields last week that the UK government would not require software developers to build backdoors into their products, the Telegraph is reporting that the UK Government is going to ban companies from offering 'unbreakable' encryption, effectively requiring a backdoor in products from the likes of Google and Apple. The reasons given are that they don't want the likes of terrorists and paedophiles to communicate in places the Police can't reach. A Home Office spokesman said: “The Government is clear we need to find a way to work with industry as technology develops to ensure that, with clear oversight and a robust legal framework, the police and intelligence agencies can access the content of communications of terrorists and criminals in order to resolve police investigations and prevent criminal acts."
Is this the sort of thing that the EU could override?
I am sure the ones to oversee this is the Ministry of Truth.
Don't fight for your country, if your country does not fight for you.
it just might take a while ...
Everything else goes, right?
Replace "terrorists, paedophiles and criminals" with "people" and you get what this is really about: People must not be allowed a “safe space” online. Nobody wants that, except the rich elite in their mad power grab towards global tyranny.
Everyone should be aware that the majority of paedophile rings that have been busted were found to be passing material amongst themselves by sending encrypted DVDs (and originally VHS tapes and photographs etc.) using services such as USPS/Royal Mail signed for etc. Physical mail can't be interfered with without a court order, is secure, cheap and reliable. I would imagine terrorists do much the same.
This is plain and simply the gubberment desperately trying to keep all windows of the Panopticon open. Clueless old 19th century minds trying to legislate against the future and maintain their failed baboon style pyramid hierarchy.
It will be a total failure.
This gives Apple and Google the power to decide whether or not there will be a revolt in the UK.
I'm not sure the politicians have thought this one through all the way. But, good, from a meritocracy perspective.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
There was a Slashdot poll a few years ago, asking the question "What percentage of your traffic is encrypted?"
The answer that stuck in my mind was from a guy who said, "all of it. My WiFi has WPA2."
I knew I needed to stop reading Slashdot and finish my PhD when I started to miss articles by Bennett Haselton.
So basically, no encryption at all, since if it's breakable by one person it's breakable by anyone.
Encryption is only one way mathematical difficulty can be harnessed. There are others. Encryption is great for making large amounts of data unreadable in a way which is independent of the data. But procedures can be learned by rote, and executed in a human brain before deciding whether and how to interact with a machine. By compromising encryption, the government will stimulate criminals to both probe the detection network with false information, and to develop methods of using whatever legal encrypted communication exists so that messages go unnoticed. If two people agree a convention, such as using two spaces rather than one in a tweet, padding a 130 char tweet to 140, and have a mentally computable way of indicating whether the content has special meaning, and a dictionary of codewords, we are back where we were before the second world war, with cryptic crossword techniques being used. One shot conventions [ consider if I say that when I send messages on Twitter if you append 'FluffyBunny', md5sum the result, and then treat specially if the first three hex digits are 3f4, whilst trivially breakable if you know the scheme, and who will transmit with it, if you don't, brute force will swamp you with false positives, and what if this convention is only used once between people ]. Just as antibiotic use has bred superbugs, this action by the UK government has the potential to set off an evolutionary arms race, where many terrorists will be caught, but those who are not will have by chance have developed means of secrecy beyond the security services. Passing laws declaring the existence of unicorns, or banning gravity from acting, are foolish. We have, in digital technology, an enviroment which we as humans must adapt to, not try to adapt it to us. Laws like this do the latter, but such attempts will eventually succumb to the problems of computational inefficiency.
A brand outside the UK and 5 eye nations offers an openvpn https://en.wikipedia.org/wiki/... file to user in the UK ensuring a less easy to log internet connection.
That hop is from within a domestic like network after the providers "modem" like product.
Will the UK ban, track, investigate and demand credit card payments to VPN providers be blocked in the UK?
With "no plans to ban encryption services" that will be very cheap and simple way around the most simple provider level logging.
Why is the UK not interested in the networking solution thats a way out of the UK thats simple and cheap?
"Revealed: how US and UK spy agencies defeat internet privacy and security" http://www.theguardian.com/wor... (6 September 2013)
Did Cheesy Name and Tempora advance to a level that the UK feels confident to trace the entry and exit of any VPN service?
Re 'a duty on companies to be able to access their customer data in law" will be interesting for any UK brand offering services. Who gets the keys and when can government officials make the request? The term "prevent criminal acts" sounds like realtime and collect it all even with any oversight.
Domestic spying is now "Benign Information Gathering"
If they bend the knee and make country-specific images for the UK, it's over for them. Every country will expect them to be able to do a custom build for them too. The other is that we need the federal government to take an openly nationalist position such things. If you ban our legal products from your country for stuff like this, we'll ban yours without a hesitation. For the UK, that would mean the feds could tell Google and Apple to blacklist all apps produced by UK-based corporations from their stores; for China their handsets from vendors like ZTE couldn't be legally sold here.
Internet Firms To Be Banned From Offering Unbreakable Encryption Under New UK Laws
The reasons given are that they don't want the likes of terrorists and paedophiles to communicate in places the Police can't reach.
Then in the great British tradition, they'll just Do It (Y)Themselves. It's not like "internet firms" - whatever that means - have a monopoly on mathematics.
systemd is Roko's Basilisk.
Free WiFi for everybody [[[who knows how to get it]]] in the UK!
Both companies should just cease all official product sales and support in the UK. Neither company should be forced to make multiple products just because the UK demands this, but to be compliant that's exactly what they will have to do. There will be a "UK Model" IPhone, with pre broken encryption all ready to go. Of course this will horribly backfire once criminal ID theft people start exploiting this purposely weakened software. And no real criminals or terrorists will use any of these pre-cracked systems anyway, so the UK's main thrust here will do nothing but enable more ID theft. Good job, UK!
If unbreakable encryption is outlawed, only outlaws will use unbreakable encryption.
Strong (not to say "unbreakable") encryption is out there. It will be used. The question is whether you want it to be a weapon used by all or only against you.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
Currently it is fair to say 50% of people using TOR have something illegal to hide. The other 50% being paranoid.
But with such legislation they are pushing typical users to install TOR. And soon 99.9% of TOR traffic will be casual Internet browsing, yet undistinguishable from the 0.01% of illegal activity. Making TOR even a 'safer place' for 'terrorists, paedophiles and criminals'.
Congratulations politicians, you have yet again proven yourself complete idiots. Time to hang yourself. And I mean it. Or we will hang you.
Ah, the no-true-encryption fallacy.
All encryption is breakable, given enough time. Conversely, ROT-13 is encryption, even if it's rather poor.
So, if you are a terrorist or a paedophile, join the police. That is the only safe place for you. As a plus, you get enterprise grade access to other terrorists and paedophiles.
Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
Please simply make a law that requires terrorists to register with the government and acquire a proper license before launching any attacks. Problem solved!!!1!
The draft bill is expected to be published tomorrow.
If you are in the UK please write to your local MP. Even a one sentence letter.
It will be too sad if this happens and we did not even try.
Dear UKians: Please vote for BREXIT. At least until you fix your broken government.
After this, I'd welcome you back!
This is plain and simply the gubberment desperately trying to keep all windows of the Panopticon open. Clueless old 19th century minds trying to legislate against the future and maintain their failed baboon style pyramid hierarchy.
Indeed, this smells like government either not understanding technology and where it's moving, and/or conspiring with spy agencies to get (keep?) their fingers in everything - including where they shouldn't be.
Unfortunately for them, there is no middle ground here. If the plebs can use general-purpose computers, there will be ways to get strong encryption software on it. If it's agreed you should be able to have a strongly secured connection between you and your bank (or your webmail, or your doctor, or a business partner, etc, etc, etc), then you can have such a connection between you and say, some 3rd party outside the country. If there even were a way to 'allow what goes through the pipes' (other than a North Korea-like totalitarian regime), only allowing weak encryption would make a lot of present-day applications impossible, to the point where businesses would be forced to set up shop elsewhere. Of course we all know that even a government with a half a brain cell wouldn't let that happen.
Which simply leaves the other option: strong encryption in the hands of the public, possibly outside of the reach of government, law enforcement or spy agencies. Not to mention that if not allowed, technology together with the public will find ways around that.
Which would force those parties to either accept a more reasonable approach, attack encryption-using criminals through the legal system, social engineering and such, or attack implementations and endpoints of encryption use. Oh wait.. wasn't that the easiest method anyway? lol :-))
The British government is filled with luddites. So those of us who have legitimate use for encryption have to put up with insecure tools while terrorists just use some software they get from their terrorist friends. Clueless government.
Doesn't that defeat the purpose of using encryption in the first place?
"they don't want the likes of terrorists and paedophiles to communicate in places the Police can't reach."
Considering that the majority of terrorist organizations and pedophile rings are linked directly to the ruling elite, this isn't really surprising.
Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.
Why do no politician even think that a backdoor may be used by a terrorist or a paedophile? A paedophile may take advantage of any vulnerability on an underage person's connected device, and those politicians want to ensure there be at least one? The same can be said about a terrorist getting info about British nationals which may pose threats their security and to the country's as well. Criminals use backdoors too.
Linux is for people who don't mind RTFM.
With breakable encryption, criminals can edit your banking records and pedophiles can see all the "private" pics of your children. Do you really want breakable encryption?
It seems to me that by doing this, the people of the UK are literally trading security for security. Or perhaps trading BOTH freedom and security for security. Not a good deal.
Please elaborate on how to break a simple XOR-OTP. Bonus points if you can prove that your decrypted text actually matches the plaintext.
What this will do is generating a list of ways to divide the communication systems in layers, and offer the ability to add plugins on each of them.
Which will mean, that the users will be able to add whatever they want on it.
The software doesn't offer any encryption at all, however, the user is able to add it if he wants.
The pandora box is already opened.
Did they specify a timeframe how long it has to take to break the crypto?
If not, well, any crypto is breakable given infinite amount of time.
Which makes the law effectively useless as nothing changes.
Atari rules... ermm... ruled.
First unbreakable is a vague term. Just how could the English government know that other spy agencies have not broken a code? So they must mean a code that they can not break that others may have broken. Then there is the issue of not being able to govern other nations. So what their government must really mean or want to do is punish any of their subjects for using an unbreakable code. Really what we are seeing is that no government wants to allow people to freely communicate. The US has gone so far as to declare that very strong codes are munitions and that if such a code gets into public hands it is a serious crime. What people need to know is that many encryption programs are probably put into public hands by our spy agencies. We can not trust encryption to convey messages at all. Codes that were secure five years ago are probably not secure at all with more modern computers and software testing them. One wonders just how many months or years a spy agency would run a super computer trying to crack one message. Such an effort might generate millions of dollars in expenses and in this twisted world dredge up nothing more than grandma's cookie recipe.
V for Vendetta, great comic, great movie and so very relevant to today's society.
I wouldn't call ROT-13 encryption, because it doesn't have a key. Perhaps you could call ROT-n encryption, where n is the key.
Call me a paranoid if you want, but this 'new law banning unbreakable crypto thing smells rotten
1. The very mention of unbreakable crypto might give people some false sense of security to think that they still have something that can stop NSA / GCHQ from prying into their files
2. The very word 'unbreakable' is misleading - as nothing, absolutely nothing - is unbreakable, in the tech scene
3. The entire thing could be an attempt by some one high up (even higher than the politicians) to instill the impression that the Western governments (including their respective spy agencies) are weak, useless and clueless - which we already know, is not the case
if given an infinite amount of time.
Looking at some of the powers in the Investigatory powers bill reminds me strongly of the GCHQ's Tempora project and other capabilities. Snowden's whistle blowing has created a lot of debate and the main response by politicians seems to be to codify these once secret programs into law with barely a nod to oversight.
The most dangerous drug
SO, what they are saying is that they do not want you to be able to protect your information from criminals, because if the Police have a way to break your encryption, than so do the criminals (including terrorists). And, what they are overlooking is that either no one has "unbreakable" encryption (for whatever value of unbreakable they are using), including the government, or the criminals will have access to "unbreakable" encryption, but not law abiding subjects. The end result is that criminals will have greater power.
The truth is that all men having power ought to be mistrusted. James Madison
In a way, OTP is not an encryption, as in fact you are sending only half of the information with an OTP encoded message.
If the government uses "unbreakable" encryption, does this mean they're terrorists and/or pedophiles?
Apple and Google or the UK when Apple and Google no longer sell their products there?
Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
So what Apple is going to make a UK product and one for the rest of the world? Nope the UK market just ain't that big.
Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
Careful, you may not like what you get...
I truly suspect that what they really want is backdoors put in...
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
So basically this article: http://dspace.mit.edu/bitstrea...
The cat is out of the bag, that train has left the station and other sayings.
You cannot mandate against an idea, encryption is out there, we all rely on it increasingly to manage our very existence. If you mandate that industry weakens the end-to-end secure model then bad things will happen, first the public will make losses, then industry will loose customers and finally the industry donations to the pocket books of politicians and come election time, they will loose.
Which means any politician who suggests this is either a) deluded, b) working for the criminals, c) using it as a false flag to cover something else, in all cases they are automatically unelectable.
Make this clear to your MP that any suggestions like this are an affront to a free and democratic society and will not be tolerated.
These people don't care about securing the INTERNET. It's becoming so obvious it's just a power grab. We've got SCADA systems on the net with embedded accounts, and some group of people who can't even spell cryptography and probably cannot do single variable calc telling us they know how to secure things. It's about control. It's up to us to create and defend a safe & free INTERNET for all. Redesign it from the ground up if we have to.
But at least someone is thinking of the children!
Not entirely correct. The pad can be derived from a seed. Then you only need to transmit the initial seed, the ciphertext and keep track of the offsets.
Actually ROT-13 DOES have a key.
It's simply not transmitted with the message.
The key is...knowledge of the alphabet and the way ROT-13 works (letter substitution).
Chas - The one, the only.
THANK GOD!!!
I work for Google. I build strong encryption in Android. The possibility of laws mandating back doors creates an interesting dilemma for me. Supposing such a law were to exist, and were effectively enforced so there's no possibility of sneaking in a non-backdoored system, what would I do?
I see three options.
1. I could run away from the problem, changing jobs to let someone else deal with it.
2. I could accede, trying to build the tightest, narrowest, best-controlled backdoor possible, doing my best to ensure that only authorized government agencies could use it.
3. I could refuse to build strong security systems at all, making it clear to everyone that their data is unprotected.
What's the right thing to do? #1 is out, unless I have some reason to believe that someone else could make better decisions. #3 has some nose-thumbing appeal, but it means that everyone's data is accessible not only to government agencies, but to thieves, family members, spouses, etc. Also, this may be equivalent to #1, in that I'll be shuffled to another job and replaced by someone willing to build back doors.
So, frankly, it's actually not much of a dilemma at all. I would do #2 (choice of number was not accidental). Well, and I'd probably also contribute to open source, possibly underground strong crypto implementations in my free time, because I strongly believe that the ability of people to keep secrets is critical to individual freedom and to societal progress. But such systems would only be used by a handful, seriously reducing their value.
It's really, really important that we fight this sort of thing in the public, though. I've never been asked to build in back doors, and I never want to be.
Oh, and by the way: Those of you out there who complain that you don't want full device encryption because it's slow? The slowness may be annoying, but it's well worth it. Not so much to you, now, but to everyone, in the future. Have a little patience with it. It will get faster over time as hardware gets faster and perhaps dedicated encryption hardware is added, but if we don't get it in now, setting the precedent that it's normal to encrypt everything, all the time, with the strongest crypto we can find and no back doors, there's a much greater risk that we may not be allowed to do it later.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
This is exactly why we moved Invacio away from the UK, as the privacy rights were getting worse and worse, we only this week went in to open beta on Invmail (Zero-Knowledge, 3 way encrypted, digital communications platform, allowing secure email communication inc meta data), and are shortly launching our Voice/Video conference capabilities as well as messaging over Invmail in the coming months as we come out of beta, And then the UK go and pull a stunt like this....
They mention only companies, assuming power over them if they sell products in the UK. The capitalist status quo. So open source software or free software developed outside the UK can just ignore that law. Blocking services might be an option (Signal / TextSecure) or not (SMSSecure, pgp/GnuPG).
Apple and Google I think won't mind this too much. I suspect they wanted to force the issue that the government has to come out and say, we will search e-mails rather than putting the squeeze on apple privately to sell out their customers with secret deals. If they get caught like AT&T did, it makes them look like crap and it doesn't hurt their competitors equally. Now if apple turns over a message they can just say every does it because its the law, and that's a fact. The "unbreakable" encryption part was probably inconvenient for gathering data. Apple I suspect still wants data, to make siri smarter, and searches more relevant. Google wants data because using it to sell improved advertising is their bussiness.
Some drink at the fountain of knowledge. Others just gargle.
The summery was very surprising to me, I didn't know terrorists and pedophiles were working together.
Not really. Saying 'all encryption is breakable' is like saying 'all messages are guessable'.
If your scheme (think one time pad) has no authentication, you can decrypt it in as many different ways as you like- you'll never know which is the actual one.
Ever 'given enough time' is invalid - our current understanding is that the heat death of the universe will come before guessing a 256 bit key correctly.
I haven't seen any mention that they have to STORE all web traffic or other data, only that it can be decrypted (potentially in real time), so I don't know that they have to retroactively decrypt it.
If they wanted to be able to decrypt it, that's easy enough. the browser contain a list of trusted root certificates which are allowed to sign https certificates. They could add their own cert, or the government's cert, as a trusted root. That would allow the government to impersonate the bank or other https site. The browser (or ISP) would also be set to us the government's system as a proxy, so that the government would receive the connection, claim to be Bank.com (proved by their cert), and then forward traffic to the real bank.com. Easy enough.
A more courageous and simpler option would be to simply remove support for https in the UK model. When you try to use https, the browser instead displays the message "secure connections are banned in the UK. Contact your Minister of Parliament _here_ for more information."
for companies like Google, Apple etc to make their communication software accept plug-ins that perform end-to-end encryption on the emails or whatever.
For example, plug-ins that implement one-time-pad encryption or some other currently non-known-breakable encryption invented by any random "non-corporate" "amateur" with a PhD in comp sci. ?
Maybe that's what this law would encourage. The support for pluggable end-to-end encryption into common cloud/net apps.
Where are we going and why are we in a handbasket?
But if you had a reliable secure channel, you wouldn't need any encryption to begin with. You could send the actual data over that secure channel instead.
It appears several cryptosystems are designed to run over two channels: a reliable secure channel with low throughput, and a faster but insecure channel. This way, the parties run key exchange over the former and ciphertext over the latter. This is certainly true of quantum key exchange.
These devices are all broken except for the very latest smartphones. This law is about saving money by not having to develop or buy 0-day exploits for the latest iPhones, because Apple allegedly stopped "playing by the rules" of storing the encryption key or leaving a backdoor open.
Where you see "UK constitution" read "Magna Carta". True, much of the Magna Carta has since been amended away in various SLRAs, but the same is true of the U.S. Constitution.
As long as the VPN service provider complies with local data retention laws (of which there are none, they only apply to ISPs)
The idea would be to treat service providers offering VPN service to the public as Internet service providers, just using the customer's existing Internet connection as the last mile instead of DOCSIS or DSL.
When faced with a court order for information, apple can say "sure can do, just give us a quantum computer and 300 billion years"
That they are even declaring rules for "internet firms" holding customer data and facilitating communications and encryption means we have already failed. The network was intended to be a network of PEERS. Third parties should only be used for discovery they should not be relied upon to facilitate communication. The Internet will not "route around censorship" when the only thing left is a handful of content companies controlling everything.
Don't use third parties to facilitate communication. Communicate directly amoungst yourselves this way both parties to the communication always have a way to decrypt it.
It's not a safe space for them to communicate on a fixed line telephone or a mobile phone, we shouldn't allow the internet to be a safe space for them to communicate and do bad things
Since the dawn of civilization people have communicated in code to obscure their communications from others. This isn't a new phenomenon it is an ancient one. They did it on land line phones, they did it in hand delivered notes, they did it electronically with modems, they do it in the mail, on mobiles, telegraphs, in person. People leave hidden or obvious public messages which are only understandable by intended recipients. You can't prevent use of things like OTP codebooks even if you took everyone's computers away.
The difference is encryption today takes less manual effort to pull off than it has in the past and more people feel compelled to use it if for no other reason than to protect themselves from the hostile environment they find themselves.
I think it is absurd to suggest the police and the security services have a kind of casual desire to intrude on the privacy of the innocent
This is amusing governments grant themselves all kinds of powers to snoop around and spy on their own people then act surprised when nobody believe a damn thing they have to say. Enough people have access to the government codebook to know what the words "terrorist" and "children" really mean.
Yes Sir our code is breakable, you just have to brute force it for a few thousand years or have a REALLY fast collection of computers. Do you have that Minister? Oh, you don't? Well, it's still breakable, just not by YOU then :)
The pad can be derived from a seed.
If you do that, it isn't a one-time pad any more, and none of the "provably unbreakable" guarantees of one-time pads apply. All you have is standard symmetric encryption with a stream cipher.
A critical part of any one-time pad is the fact that each bit of the pad is independently and uniformly random. If you generate the pad from a seed then an attacker no longer needs to find the pad; they only need to find the seed. And as there are far fewer seeds than plausible messages, they'll probably be able to detect when they've found the right one.
"The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
Maybe I'm missing something here... but why wouldn't a criminal just use easily obtained "illegal" unbreakable crypto obtained from a friend in the U.S. or anywhere else in the world?
yes but once its the law it becomes a criminal offense to facilitate control.
For keys of a few hundred bits, "enough time" means "far past the heat death of the Universe". AES-256 cannot be brute-forced with theoretically perfect quantum computers using all the resources in the Solar System.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Wake me up when the King can kiss the bride on her wedding day.
Since all encryption is breakable given enough time and compute (might take a few years), technically all are automatically in compliance with no change.
âoeThe Government is clear we need to find a way to work with industry as technology develops to ensure that, with clear oversight and a robust legal framework, the police and intelligence agencies can access the content of communications of terrorists and criminals in order to resolve police investigations and prevent criminal acts."
I'll tell you what, you put a system in place with clear oversight and a robust legal framework then we'll talk.
"Grab them by the pussy" -- President of the United States of America
Wow london. You have done it. You have successfully used George Orwell's novel as a template to create the perfect surveillance state. I hope your prime minister is proud of himself.
Until now the stories about the Investigatory Powers Bill have been hard to gauge as the bill was not published, but now it is.
The Slashdot title, "Internet Firms To Be Banned From Offering Unbreakable Encryption Under New UK Laws" looks to be wrong or at least misleading. The relevant part of the bill states:
So Communications Service Providers can have strong encryption, as long as they keep the key and hand it over when required as they are required already by the Regulation of Investigatory Powers Act 2000. The horse has already bolted.
The most dangerous drug
This is so veddy veddy British. They think they actually can decide for the world about encryption. I'm a not-very-good script kiddie and I sorta-kinda knew how to do (some) of the many methods outlined here. Anyone who wants can just encrypt whatever they want and mostly it's not at all breakable and the amount of effort if even 1% of internet traffic is encrypted by different ways becomes prohibitively tedious to do anything about.
Will there be a 'lame special' model especially for the UK? If there is, how hard isn't it going to be to jailbreak it to the international version?
Govt: "You're using unbreakable encryption." ISP: "No. We're not. We're pretty sure you can break it if you'd really want to." Govt: "We can't break it." ISP: "Don't believe you. You can break any thing with enough resources. What do you want us to do? Store data in plug Latin?"
Only boring people are ever bored.