Internet Firms To Be Banned From Offering Unbreakable Encryption Under New UK Laws

Retron writes: Despite statements from the minister for internet safety and security Baroness Shields last week that the UK government would not require software developers to build backdoors into their products, the Telegraph is reporting that the UK Government is going to ban companies from offering 'unbreakable' encryption, effectively requiring a backdoor in products from the likes of Google and Apple. The reasons given are that they don't want the likes of terrorists and paedophiles to communicate in places the Police can't reach. A Home Office spokesman said: “The Government is clear we need to find a way to work with industry as technology develops to ensure that, with clear oversight and a robust legal framework, the police and intelligence agencies can access the content of communications of terrorists and criminals in order to resolve police investigations and prevent criminal acts."

Sigh

[MPBoulton]

Is this the sort of thing that the EU could override?

Re:Sigh

[JaredOfEuropa]

They could. It depends on who wins. The industry lobbyists (extremely influential in Brussels) who don't give a rodent's behind for your privacy but do not want the risk and hassle that comes with a ban on crypto. Or the hawkish commissioners and their backers in national governments, who do not give a rodent's behind for your privacy and who would absolutely abhor "clear oversight and a robust legal framework" around surveillance.

And don't think for a second that this is about terrorists and paedophiles. There are enough crypto products for them to choose from already.

Re:Sigh

It's the sort of thing that both the commons and the lords could override because contrary to the sensationalist Slashdot headline it's not actually a law, it's a proposed law, and that means it has to both be debated and pass in both houses. That wont happen because the Lords are out for blood right now and the Conservatives don't have a majority there.

I'm actually willing to bet money that this clause will never make it into the final bill that is signed into law and as much as Slashdot babies will piss, cry and moan "ORWELL CCTV OMG FASCIST UK" they'll be missing the actual point - that's exactly what the likes of Theresa May want. Propose something really bad that will never pass, and watch the less bad (but still not wanted) stuff slide through under the radar because all the civil liberties activists and people like Slashtards were too focussed on the thing that was never going to make it through anyway whilst the MPs play the heroes for "compromising" in giving way to us on something they were always going to have give way to us on anyway.

Luckily May has the likes of The Torygraph making it easier for her by stirring up the fears because if it's in a newspaper then it must be true that this will become law right?

Re:Sigh

[Coisiche]

Coming soon, the campaign for Brexit which is the word already being used for the campaign for the UK to exit the EU. Obviously the Daily Mail and the Daily Express will be full champions of it and have been seeding discontent with the EU among their readership for years. I'm not sure how the rest of the media are going to line up but the unfortunately the result will be decided by the high population concentration of the south-east of the UK who outnumber the rest of us and seem particularly susceptible to "it's all Johnny Foreigner's fault" thinking. And I don't think that's a sweeping generalisation.

Re:Sigh

[gweihir]

Also, by definition, no encryption is unbreakable, you just need a few thousand years to crack it.

Untrue. Encryption may be "Information-Theoretically secure". These cannot be broken with just enough computing power. For example, for ordinary text, this is even true for the venerable Enigma if less than 4000 Bits (if I remember things correctly) of ciphertext are available and the key was chosen at random. One-time pad based encryptions are never breakable, the only information you get is the maximum number of Entropy in the message, nothing else.

You wrong statement is one of the often-repeated untruths about encryption.

Re:Sigh

[Zocalo]

While you are right on the voting demographic and media bias/propaganda, I think there's possibly a major wrinkle in the debate coming that's going to seriously upset the applecart for the exit campaign. The Scottish are collectively much more pro-EU than the south of England, and the Scottish National Party are in the process of putting together a set of criteria that will trigger another referendum on their own independence from England. I'm fully expecting to see "UK voting to leave the EU" being right at the top of that list of criteria when it's announced, and if there's one thing that is likely to upset the anti-EU crowd more than remaining in the EU it's the very likely prospect of Scotland leaving the UK shortly afterward if they win.

What, you thought the US had the monopoly on turning politics into a car crash TV event?

Re:Sigh

The existing UK laws assume guilty if you do not hand over your key when law enforcement ask for it. It's been like this since the late 1980s.

Re: Sigh

[John+Allsup]

People often overlook the issue of verification. If you take a small structured dictionary which takes in, say, 128 bits, and outputs a nonsense poem using the words of the dictionary and some simple rules, you have a reversible procedure for turning 128 bit hashes into literary nonsense. Reverse the procedure and apply a simple procedure to the original 128 bit hash to see if it contains a message. The simple procedure may include things about the sender. The trouble for crackers here, is that there are many such procedures. A simple software example is to append 'Borg' to a message, hash it with shasum, and see if the first two hex digits are f7, say, else discard. Then using evolutionary programs to find a short procedure which generates indices recursively for words in a video file [ with feedback, so the second index requires having the correct video file on hand ]. Guessing a random 128bit passkey is bad enough, but guessing a random procedure is far worse. Having everybody just [ just! ] using aes128 will seem like paradise compared to the output of the computational arms race the UK government is inadvertently about to kick off.

I have fond memories of the old msdos program insults.exe. it has not escaped my attention that one can take a 128 bit number [ possibly the output of a sugared hash ] and use bits from it as indices into tables to generate phrases. There is much fun to be had, and so many variations. The paper from wayback about chaffing and winnowing will perhaps have more attention payed to it.

Re:Sigh

[AmiMoJo]

It might contravene EU rules on free trade. For example, I use a Swedish VPN service to prevent my internet browsing history and other activity records (metadata) being recorded by my ISP. If this law is to be effective, it would have to make using such services illegal. Otherwise there is little that they can do to force a foreign company to company with UK law.

Maybe there is an issue with trying to ban foreign services for not complying with UK law. For example, they can't ban foreign services because they don't comply with the UK Data Protection Act, as EU free trade is based on the idea that all member states have broadly equivalent protections for such things. As long as the VPN service provider complies with local data retention laws (of which there are none, they only apply to ISPs) I don't think they can legally ban them.

Re:Sigh

[flowerp]

Excuse me, you get ANY desired message by trying all possible one time pads.

The Bible
Hamlet
Andy Weir's The Martian

Re: Sigh

[John+Allsup]

Put another way, one limiting factor is the availability of a computational means to verify a correct guess. If the false positive rate is too high, as happens with a OTP, you have problems. Then using encoding schemes rather than just encoding textual data is not hard. If, for example, you only need 2000 different words for your messages, you could start with a basic forth and work thus:

( assume 'append' appends to a word list, and 'say' outputs and clears the word list )
: wHelp S" help" ;
: wThe S" the" ;
: wHomeless S" homeless" ;
: mHelpThe wHelp wThe ;
: mA mHelpThe wHomeless ;
: s1 mA say ;

Now we can map these definitions to 16 bit tokens, padding with random definitions, and store random definitions where the words go to get a non funtioning decode vector. Then to decode, we need a list of words and locations to insert them. One vector of 64k forth words could be used in many ways depending on which words are overwritten and what is put there. The 64k vector need not even contain the api, since we need only overwrite say v[435] with 'say', v[2789] with 'append', put 'S" help"' etc. in the right place and know that v[6789] is a correct code for mA. The secret code is in the modifications necessary, and without both pieces you have nothing. Just the vector and you have a random assortment of words defined in terms of other words.

The issue for GCHQ is not unbreakability, but that the above could be implemented in a few lines of Perl or PHP, and if it becomes widespread by some social media like a computational Twitter on acid, the effort required to search would be prohibitive given the potential for false positives and that most messages are for fun.

The Indiana Pi Law did not get passed, but many equivalently stupid laws have, and this will be yet another. You cannot pass a law requiring that maths magically become easy. Trying to causes collateral damage for no gain. But I guess politicians live in a different universe.

Re:Sigh

[aaaaaaargh!]

I'm assuming you're joking, but just in case you're not, allow me to explain.

You cannot brute-force an OTP without the key (or at least strong statistical cues for it), because every plaintext message of the same length is equally likely. If the OTP length is n that includes any part of that length of the works of Shakespeare, the Bible, the UK's constitution (if it still has one), and all texts or other messages of length n that have ever been written and will ever be written or transmitted. Likewise, any sequence of length n of the alphabet (e.g. 26 letters, 256 chars, or UTF16) is a valid key, so they cannot "ask" you for the key in any meaningful sense of the word.

Unfortunately, OTPs are of limited value in practice, since they key must be at least as long as the message.

Re:Sigh

[bickerdyke]

You wrong statement is one of the often-repeated untruths about encryption.

Which is true.

But as all these proven unbreakable algorithms require a secure channel to transmit the encryption key. But if you had a reliable secure channel, you wouldn't need any encryption to begin with. You could send the actual data over that secure channel instead.

There is limited use for these when a secure channel is available ahead of time, but even then the storage of the key is vulnerable to attacks. (photographs of the codebook, "rubber hose cryptanalysis", etc)

Not to start with the fact that any system that limits the amount of data that can be securely transmitted (by the size of the previosly exchanged key) and becomes vulnerable as soon as the key is used on one byte more than the keysize, it is not useable on the internet,

So, the original statement would be correct if it included the limitation that all practically usefull encryptions are somehow breakable.

Re:Sigh

[monkeyzoo]

A Home Office spokesman said: “The Government is clear we need to find a way to work with industry as technology develops to ensure that, with clear oversight and a robust legal framework, the police and intelligence agencies can access the content of communications of terrorists and criminals in order to resolve police investigations and prevent criminal acts."

And the result will actually ensure that,... with clear oversight and a robust legal framework, the terrorists and criminals can access the content of communications of police and intelligence agencies in order to obstruct police investigations and commit criminal acts."

Lame, technologically ignorant legislators writing laws about technology and security are going to become a real scourge!

Re:Sigh

[ThatsMyNick]

No, you dont understand encryption. If nazis used one time pads, and ended every message with "Hail Hitler", you would still be 0% closer to solving the code. It does not simplify the code breaking. Each and every letter is independent of each other. The encryption key is random.

You dont get a small subset at all. You can literally get anything you want out the code. You want the hamlet, sure you can get it.

Re:Sigh

[Cow+Jones]

No, you get an extremely small subset of the possible original messages.

No, GP is correct. If you can choose the pad contents, you can trivially create any "decrypted" message you like.

As you send more and more messages with the same pad

one time pad

"Hail Hitler". It showed in every single German message

Unlikely. The grammar nazi in charge would have corrected it to "Heil Hitler".

Re:Sigh

[serviscope_minor]

Unlikely. The grammar nazi in charge would have corrected it to "Heil Hitler".

Brilliant! You deserve +5 funny for that.

Re:Sigh

[Jason+Levine]

Don't worry. They'll just make it against the law for any hackers to take advantage of the police back doors thus solving the problem forever.

"But..."

FOREVER!!!!

Re:Sigh

[Jason+Levine]

I actually like this argument. Sort of turns the "copyright is still a limited time even if it's 120 years long" argument on its head. If waiting 20 years to crack a phone's encryption makes the encryption "unbreakable" then why is a 120 year long copyright "limited"?

Re: Sigh

I have thought about this many times over the years. Evolutionary strategies could lead to some really obscure and bizarre cryptography schemes. Especially if you use real cryptographic algorithms at each layer. Even if not, this is utterly ridiculous. Your example of a poem highlights the greatest injustice of banning encryption - poems can mask layers of meaning even from the author, sometimes for years. It's time to end this whole charade IMHO.

Re:Sigh

[Xest]

Of course it's about mass surveillance, if it was about individual surveillance then they'd just get a warrant to MITM or similar a particular suspects PC exactly like they always have with physical mail and phone calls. They already have the powers to do that type of attack to get a target of a warrant.

They might argue that it's about retaining data so if they come back to someone they can investigate their communications retroactively, but that doesn't explain why they aren't getting all phone calls logged, and all physical mail photocopied and stored. They already can't get historical data of other communication mediums so there's no reason to think they suddenly need it for investigations using digital communications.

So the only thing this possibly can be about is mass surveillance given that they have all the tools they need for individual surveillance already.

Re:Sigh

[gman003]

You are absolutely and completely incorrect.

A one-time pad is an encryption method using a key length as long as the plaintext, never reused. Trying every possible key for a given ciphertext will produce every possible plaintext - literally every possible message with that length.

Even if you knew part of the plaintext, that would only tell you part of the key, and no bit of the key is used for more than one bit of the ciphertext. It tells you nothing you don't already know. The only possible cryptanalysis of a one-time pad is finding a flaw in the means used to generate the key - if it is not truly random, attacks are possible. But properly-implemented one-time pads are literally unbreakable. Only their difficulty of use prevents them from being universally used.

Re: Sigh

[aaarrrgggh]

Two things: security through obscurity... and 2^128 words is about 10^30 English languages.

Re:Sigh

[Hotawa+Hawk-eye]

China thanks the Home Office. With this proposed law foreign governments can access more easily the content of communications of police, intelligence agencies, and major corporations in the UK in order to commit espionage, both governmental and industrial.

Re:Sigh

[Yoda222]

As you send more and more messages with the same pad, or if the pads follow any kind of predictable pattern, or god forbid, one of your pads is discovered through other means, the encryption is severely weakened.

Basically you are saying that you can break one-time pad if the system used is not one-time pad.

Re:Sigh

[Cederic]

Yeah, I'm constantly amused that I keep getting asked to comment on information security at work.

My standard response is "here are some risks you need to mitigate, but please get a security professional in because this stuff is hard and I don't know what I'm talking about".

Although, maybe that's why I keep getting asked.

Re:Sigh

And don't think for a second that this is about terrorists and paedophiles. There are enough crypto products for them to choose from already.

It is relatively trivial to write and share unbreakable crypto with pre-shared one time keys/pads which are generated by good random generators. Key/pad distribution is difficult, but if we are talking about small groups of people then in-person key/pad exchange is realistic, so you can establish networks of people with essentially unbreakable 2-way encryption.

Anyone with even the slightest awareness of crypto would know that.

Also it is trivial to write and share unbreakable crypto that masquerades as people transferring a bunch of selfies to one another, so the arguments about making it easier to spot the terrorists because only they will be using crypto are false.

Anyone sufficiently motivated and of above average intelligence can and will use unbreakable crypto to avoid discovery.

Becoming reliant on monitoring of communications to generate investigatory leads will keep the police in steady supply of hapless would-be criminals which looks great on paper, but when it comes to the real insidious threats it is going to take real investigations following the evidence and not just trolling online communications.

I think the greatest concern here is that the police, intelligence services, their bosses and the public get lulled into a false sense that they are effective because the real criminals and real terrorists are throwing easy wins their way as a means of diversion and distraction.

Re:Sigh

[david_thornley]

If you're talking about brute force, no, that's not going to happen. It's not possible to test 2^128 possible keys using only the resources of the Solar System, and I consider that impractical. Assuming we develop quantum computers of the appropriate power (and I'm not convinced we can), they effectively cut the key size in half, so AES-256 could not be brute-forced without becoming something more than a Type II civilization.

The alternatives are breaking the cipher, which is not considered likely for modern ciphers like the AES variants (IIRC, DES became vulnerable to brute force, and hasn't been broken), or finding implementation problems. I suppose I should note that most ciphers are not proven to be NP-hard, and it's possible that P=NP, which means there might be a polynomial-time cipher breaker, but that's not considered likely (and the polynomial time might turn out to be just as impractical).

Who will oversee this?

[houghi]

I am sure the ones to oversee this is the Ministry of Truth.

Re: Who will oversee this?

[Falconhell]

No, supremo is correct as a reference from Yes Minister.. Although the real title in private was cyber muggins. :)

So, no one time pad

[ThatsMyNick]

Everything else goes, right?

Re:So, no one time pad

[AHuxley]

Ban entering or exiting the UK with paper, pens, maths books with crypto chapters on one time pads and big books.
Any holiday or sabbaticals could be cover for a face to face meeting to set up a one time pad system with near unlimited key material.
Years of messages could get total privacy after just one rendezvous.

Tools of oppression

Replace "terrorists, paedophiles and criminals" with "people" and you get what this is really about: People must not be allowed a “safe space” online. Nobody wants that, except the rich elite in their mad power grab towards global tyranny.

Bullshit

Everyone should be aware that the majority of paedophile rings that have been busted were found to be passing material amongst themselves by sending encrypted DVDs (and originally VHS tapes and photographs etc.) using services such as USPS/Royal Mail signed for etc. Physical mail can't be interfered with without a court order, is secure, cheap and reliable. I would imagine terrorists do much the same.

This is plain and simply the gubberment desperately trying to keep all windows of the Panopticon open. Clueless old 19th century minds trying to legislate against the future and maintain their failed baboon style pyramid hierarchy.

It will be a total failure.

Revolt

[bill_mcgonigle]

This gives Apple and Google the power to decide whether or not there will be a revolt in the UK.

I'm not sure the politicians have thought this one through all the way. But, good, from a meritocracy perspective.

Re: Revolt

[Midnight+Thunder]

It will be interesting if Google, Apple et al suddenly suspend service and sales in the UK. I wonder what the electorate would say.

Or maybe the British government will mandate that they can't cut them off? This would be reminiscent of when the Spanish government tried forcing Google to keep indexing the newspapers, when they had decided that Google was to compensate the papers for indexing them!? Maybe we need to have a hall of shame for "stupid tech laws passed by governments"?

Re: Revolt

[bill_mcgonigle]

> G+A will have a year or so to modify their service, or will withdraw certain services from the UK and competitors will step in.

It's not that simple. Overnight there will be no sync services, no updates, no app stores - Google and Apple both know that if they cave to the UK they lose the rest of the world like dominos - they cannot afford to keep the UK business.

It's not like every user will be buying a Windows phone over that year - in fact Google and Apple would be stupid to announce non-appeasement ahead of time and cede the business to MS. Instead there will be millions of people supremely pissed off at the Parliament when the day comes. Don't be there on November fifth. Don't take away the circuses if you value your power.

Re:Revolt

[DigiShaman]

I'm not sure the politicians have thought this one through all the way.

OH YES THEY HAVE!!!! This is a deliberate power grab! And they will push on the social hot button issues to whatever end to achieve the goal of control. This was never about you, it was always about power for them!

One thing has become apparent as I get older; either a cooperation/industry will buy out elected officials, or the elected officials will pull the rug out underneath said corporation/industry. It's always been a political war between those that have power and wealth. You, the little people, are just refugees caught in the cross-fire. In the end nothing new is happening; only difference is the organizational constructs at play.

Re: Revolt

[Jahta]

It will be interesting if Google, Apple et al suddenly suspend service and sales in the UK. I wonder what the electorate would say.

Or maybe the British government will mandate that they can't cut them off? This would be reminiscent of when the Spanish government tried forcing Google to keep indexing the newspapers, when they had decided that Google was to compensate the papers for indexing them!? Maybe we need to have a hall of shame for "stupid tech laws passed by governments"?

You can't force international companies to offer services in your country. Remember when the British music industry body (BPI) tried to shake down YouTube for royalties? YouTube just blocked all traffic from British domains and the BPI backed down swiftly.

Cameron may think that he can dictate to multinational companies and legislate for the world. But obviously he cannot. Apple and Google may not pull out of the UK entirely, but they are not going to break their own products just for one market either. They will probably publicly say that they cannot offer some services (or have to offer watered down versions) in the UK due to new legislation. Cue massive revolt from iPhone, Android, Gmail, etc. users. Then Cameron will back down, blaming American companies (and the pesky US constitution which actually guarantees ordinary people rights) for not being able to implement the ban.

Re: Revolt

[david_thornley]

Correction: the UK government can refuse to allow Apple and Google to sell certain products in the UK. They can't force Apple and/or Google to provide an insecure version. Both Apple and Google are large and secure enough to lose the UK market temporarily.

Re: Revolt

[CanadianMacFan]

And nothing stopping UK residents from popping over the channel and buying a phone over there. All phones need to have a common charger in Europe. Unless the UK government forces manufactures to mark the phones as made for sale in the UK, like Canada does with the CA Number for textile fibre products, then there's no way to tell where a phone came from.

Insecure WiFi for everyone!

[UberVegeta]

There was a Slashdot poll a few years ago, asking the question "What percentage of your traffic is encrypted?"

The answer that stuck in my mind was from a guy who said, "all of it. My WiFi has WPA2."

No unbreakable Encryption

So basically, no encryption at all, since if it's breakable by one person it's breakable by anyone.

How little they understand

Encryption is only one way mathematical difficulty can be harnessed. There are others. Encryption is great for making large amounts of data unreadable in a way which is independent of the data. But procedures can be learned by rote, and executed in a human brain before deciding whether and how to interact with a machine. By compromising encryption, the government will stimulate criminals to both probe the detection network with false information, and to develop methods of using whatever legal encrypted communication exists so that messages go unnoticed. If two people agree a convention, such as using two spaces rather than one in a tweet, padding a 130 char tweet to 140, and have a mentally computable way of indicating whether the content has special meaning, and a dictionary of codewords, we are back where we were before the second world war, with cryptic crossword techniques being used. One shot conventions [ consider if I say that when I send messages on Twitter if you append 'FluffyBunny', md5sum the result, and then treat specially if the first three hex digits are 3f4, whilst trivially breakable if you know the scheme, and who will transmit with it, if you don't, brute force will swamp you with false positives, and what if this convention is only used once between people ]. Just as antibiotic use has bred superbugs, this action by the UK government has the potential to set off an evolutionary arms race, where many terrorists will be caught, but those who are not will have by chance have developed means of secrecy beyond the security services. Passing laws declaring the existence of unicorns, or banning gravity from acting, are foolish. We have, in digital technology, an enviroment which we as humans must adapt to, not try to adapt it to us. Laws like this do the latter, but such attempts will eventually succumb to the problems of computational inefficiency.

Bye-bye, UK

[l0n3s0m3phr34k]

Both companies should just cease all official product sales and support in the UK. Neither company should be forced to make multiple products just because the UK demands this, but to be compliant that's exactly what they will have to do. There will be a "UK Model" IPhone, with pre broken encryption all ready to go. Of course this will horribly backfire once criminal ID theft people start exploiting this purposely weakened software. And no real criminals or terrorists will use any of these pre-cracked systems anyway, so the UK's main thrust here will do nothing but enable more ID theft. Good job, UK!

Re:Bye-bye, UK

[RockDoctor]

Does that mean. if you're a foreigner, you cannot bring your phone or laptop with you whenever you travel to UK?

Regardless of whether you're a foreigner or a Briton, the (encrypted) device in question would be contraband if you attempted to import it into the UK. This is exactly the same as if you were to buy something legal in the country you buy it in (a lock-knife; a gun; or an encrypted telephone) and attempt to import it into the UK, then you are committing an offence. As such you'd be liable to arrest and or deportation (at your own cost).

It doesn't matter if you're a Briton, or a foreigner, and whether or not the device belongs to you, your boss, or a "friend", if it is in your possession [*], and it is contraband [**], then it is your responsibility.

Notes : [*] this includes shipping agents for people like DHL I was working with one such last month. this is why they can seem like picky fuckers about the paperwork for shipping something.

[**] The Police, Border Force, and ultimately the courts will determine if something is contraband. It is your responsibility as an importer (personal, or through working for DHL or whoever) to find out what currently is or isn't contraband and to abide by that. (For example (see above) in many mainland Europe countries it is legal to possess a bladed tool or weapon with a folding blade which is held in the open position by a catch - a "lock knife" - which in Britain it is not legal to own or carry. If you don't know this, then you have a problem if you bring one in, either in your baggage or a pocket. Even if you come in by boat or train, or private plane and don't go through the normal security theatre.)

The law is written to be simple to enforce, not simple to comply with or to defend yourself against.

Re:I think they need to decide

[Dog-Cow]

Ah, the no-true-encryption fallacy.

All encryption is breakable, given enough time. Conversely, ROT-13 is encryption, even if it's rather poor.

Re:All encryotions is "breakable"

[serviscope_minor]

It's simply 100% mathematically wrong.

One time pad is information theoretic secure. It is impossible to break.

Totally unenforceable

[Alwin+Henseler]

This is plain and simply the gubberment desperately trying to keep all windows of the Panopticon open. Clueless old 19th century minds trying to legislate against the future and maintain their failed baboon style pyramid hierarchy.

Indeed, this smells like government either not understanding technology and where it's moving, and/or conspiring with spy agencies to get (keep?) their fingers in everything - including where they shouldn't be.

Unfortunately for them, there is no middle ground here. If the plebs can use general-purpose computers, there will be ways to get strong encryption software on it. If it's agreed you should be able to have a strongly secured connection between you and your bank (or your webmail, or your doctor, or a business partner, etc, etc, etc), then you can have such a connection between you and say, some 3rd party outside the country. If there even were a way to 'allow what goes through the pipes' (other than a North Korea-like totalitarian regime), only allowing weak encryption would make a lot of present-day applications impossible, to the point where businesses would be forced to set up shop elsewhere. Of course we all know that even a government with a half a brain cell wouldn't let that happen.

Which simply leaves the other option: strong encryption in the hands of the public, possibly outside of the reach of government, law enforcement or spy agencies. Not to mention that if not allowed, technology together with the public will find ways around that.

Which would force those parties to either accept a more reasonable approach, attack encryption-using criminals through the legal system, social engineering and such, or attack implementations and endpoints of encryption use. Oh wait.. wasn't that the easiest method anyway? lol :-))

Pathetic Government

[Going_Digital]

The British government is filled with luddites. So those of us who have legitimate use for encryption have to put up with insecure tools while terrorists just use some software they get from their terrorist friends. Clueless government.

Re:Pathetic Government

[AmiMoJo]

Everyone has a legitimate use for encryption. Everyone has a right to privacy. It's a human right. The ECHR says so, and the UK wrote most of it.

Defeats the purpose

[MagickalMyst]

Doesn't that defeat the purpose of using encryption in the first place?

"they don't want the likes of terrorists and paedophiles to communicate in places the Police can't reach."

Considering that the majority of terrorist organizations and pedophile rings are linked directly to the ruling elite, this isn't really surprising.

Terrorists and paedophiles

[Flavianoep]

Why do no politician even think that a backdoor may be used by a terrorist or a paedophile? A paedophile may take advantage of any vulnerability on an underage person's connected device, and those politicians want to ensure there be at least one? The same can be said about a terrorist getting info about British nationals which may pose threats their security and to the country's as well. Criminals use backdoors too.

Trading security for security?

[asylumx]

It seems to me that by doing this, the people of the UK are literally trading security for security. Or perhaps trading BOTH freedom and security for security. Not a good deal.

Re:Criminals and pedophiles

[fendragon]

With breakable encryption, criminals can edit your banking records and pedophiles can see all the "private" pics of your children. Do you really want breakable encryption?

The UK government still seem to be enjoying the delusion that they can choose who can break encryption and who can't. I didn't vote for them, don't blame me!

I Doubt It

[JimSadler]

First unbreakable is a vague term. Just how could the English government know that other spy agencies have not broken a code? So they must mean a code that they can not break that others may have broken. Then there is the issue of not being able to govern other nations. So what their government must really mean or want to do is punish any of their subjects for using an unbreakable code. Really what we are seeing is that no government wants to allow people to freely communicate. The US has gone so far as to declare that very strong codes are munitions and that if such a code gets into public hands it is a serious crime. What people need to know is that many encryption programs are probably put into public hands by our spy agencies. We can not trust encryption to convey messages at all. Codes that were secure five years ago are probably not secure at all with more modern computers and software testing them. One wonders just how many months or years a spy agency would run a super computer trying to crack one message. Such an effort might generate millions of dollars in expenses and in this twisted world dredge up nothing more than grandma's cookie recipe.

V for Vendetta

[fgouget]

V for Vendetta, great comic, great movie and so very relevant to today's society.

I smell a false flag

Call me a paranoid if you want, but this 'new law banning unbreakable crypto thing smells rotten

1. The very mention of unbreakable crypto might give people some false sense of security to think that they still have something that can stop NSA / GCHQ from prying into their files

2. The very word 'unbreakable' is misleading - as nothing, absolutely nothing - is unbreakable, in the tech scene

3. The entire thing could be an attempt by some one high up (even higher than the politicians) to instill the impression that the Western governments (including their respective spy agencies) are weak, useless and clueless - which we already know, is not the case

Re:I smell a false flag

[Kiaser+Zohsay]

2. The very word 'unbreakable' is misleading - as nothing, absolutely nothing - is unbreakable, in the tech scene

Yes, but anything that you can refer to as "breakable" encryption is really no encryption at all.

And even if you are paranoid, somebody might still be out to get you.

Re:I smell a false flag

[NostalgiaForInfinity]

2. The very word 'unbreakable' is misleading - as nothing, absolutely nothing - is unbreakable, in the tech scene

Cryptographic algorithms can be unbreakable using known technology. Implementations of cryptographic algorithms often have flaws that can be exploited and hence are breakable. What they are trying to ban is the use of cryptographic algorithms that are "unbreakable" in that sense.

3. The entire thing could be an attempt by some one high up (even higher than the politicians) to instill the impression that the Western governments (including their respective spy agencies) are weak, useless and clueless - which we already know, is not the case

How do "we" know that? The fact that Western governments can spy on your grandmother's E-mail communication doesn't mean that they have an effective spy program, only that they have an intrusive spy program. Their actual target groups seem to be quite good at using cryptography and other tools effectively.

Re:I smell a false flag

[interval1066]

To date AES-256 is still secure, at least the NSA doesn't confirm or deny they can break it, most researchers assume they haven't yet, although quantum decryption methods may change that, certainly. And of course one-time pads are by their nature unbreakable.

Re:I smell a false flag

[mark-t]

An encryption is considered unbreakable if it requires a copy of the original key to decode into the original message, and there is absolutely no way to ever tell whether any key you might try to use to decrypt it actually gives you the original message unless you knew in advance what the original message was.

They want criminals to have access to all info

[Attila+Dimedici]

SO, what they are saying is that they do not want you to be able to protect your information from criminals, because if the Police have a way to break your encryption, than so do the criminals (including terrorists). And, what they are overlooking is that either no one has "unbreakable" encryption (for whatever value of unbreakable they are using), including the government, or the criminals will have access to "unbreakable" encryption, but not law abiding subjects. The end result is that criminals will have greater power.

Interesting philosophical dilemma

[swillden]

I work for Google. I build strong encryption in Android. The possibility of laws mandating back doors creates an interesting dilemma for me. Supposing such a law were to exist, and were effectively enforced so there's no possibility of sneaking in a non-backdoored system, what would I do?

I see three options.

1. I could run away from the problem, changing jobs to let someone else deal with it.
2. I could accede, trying to build the tightest, narrowest, best-controlled backdoor possible, doing my best to ensure that only authorized government agencies could use it.
3. I could refuse to build strong security systems at all, making it clear to everyone that their data is unprotected.

What's the right thing to do? #1 is out, unless I have some reason to believe that someone else could make better decisions. #3 has some nose-thumbing appeal, but it means that everyone's data is accessible not only to government agencies, but to thieves, family members, spouses, etc. Also, this may be equivalent to #1, in that I'll be shuffled to another job and replaced by someone willing to build back doors.

So, frankly, it's actually not much of a dilemma at all. I would do #2 (choice of number was not accidental). Well, and I'd probably also contribute to open source, possibly underground strong crypto implementations in my free time, because I strongly believe that the ability of people to keep secrets is critical to individual freedom and to societal progress. But such systems would only be used by a handful, seriously reducing their value.

It's really, really important that we fight this sort of thing in the public, though. I've never been asked to build in back doors, and I never want to be.

Oh, and by the way: Those of you out there who complain that you don't want full device encryption because it's slow? The slowness may be annoying, but it's well worth it. Not so much to you, now, but to everyone, in the future. Have a little patience with it. It will get faster over time as hardware gets faster and perhaps dedicated encryption hardware is added, but if we don't get it in now, setting the precedent that it's normal to encrypt everything, all the time, with the strongest crypto we can find and no back doors, there's a much greater risk that we may not be allowed to do it later.

Re:Interesting philosophical dilemma

[clonehappy]

*looks over shoulder*

"Google. Is. The. Most. Ethical. Organization. In. The. World."

*looks back over shoulder*

Thank goodness they're gone.

Re:Interesting philosophical dilemma

[swillden]

Not in the scenario you described. Take as a given that laws mandating crypto backdoors are unethical. Then Google would be unethical for adhering to those laws

As opposed to building systems without any security, or as opposed to not building systems at all? Ethics is about choices between alternatives, it's not unethical to do a bad thing if all of the other alternatives are worse.

Capitalist indoctrination makes them blind

[johanw]

They mention only companies, assuming power over them if they sell products in the UK. The capitalist status quo. So open source software or free software developed outside the UK can just ignore that law. Blocking services might be an option (Signal / TextSecure) or not (SMSSecure, pgp/GnuPG).

Apple and Google welcome this I guess

[goombah99]

Apple and Google I think won't mind this too much. I suspect they wanted to force the issue that the government has to come out and say, we will search e-mails rather than putting the squeeze on apple privately to sell out their customers with secret deals. If they get caught like AT&T did, it makes them look like crap and it doesn't hurt their competitors equally. Now if apple turns over a message they can just say every does it because its the law, and that's a fact. The "unbreakable" encryption part was probably inconvenient for gathering data. Apple I suspect still wants data, to make siri smarter, and searches more relevant. Google wants data because using it to sell improved advertising is their bussiness.

Re:All encryotions is "breakable"

[Walking+The+Walk]

As someone pointed out already, OTP is not really an encryption, but a way to split the information in half.

No, OTP is symmetric encryption where the pad is the key. You take your plaintext, transform it with the pad, and that becomes your ciphertext. Then you apply the same transformation with the same pad to the ciphertext, and the result is the original plaintext. The information to be sent should not be used for any part of the pad.