Slashdot Mirror

← Back to Stories (view on slashdot.org)

Internet Firms To Be Banned From Offering Unbreakable Encryption Under New UK Laws (telegraph.co.uk)

Posted by samzenpus on from the let-us-in dept.

Retron writes: Despite statements from the minister for internet safety and security Baroness Shields last week that the UK government would not require software developers to build backdoors into their products, the Telegraph is reporting that the UK Government is going to ban companies from offering 'unbreakable' encryption, effectively requiring a backdoor in products from the likes of Google and Apple. The reasons given are that they don't want the likes of terrorists and paedophiles to communicate in places the Police can't reach. A Home Office spokesman said: “The Government is clear we need to find a way to work with industry as technology develops to ensure that, with clear oversight and a robust legal framework, the police and intelligence agencies can access the content of communications of terrorists and criminals in order to resolve police investigations and prevent criminal acts."

10 of 418 comments (clear)

  1. Sigh by MPBoulton · · Score: 5, Interesting

    Is this the sort of thing that the EU could override?

    1. Re:Sigh by JaredOfEuropa · · Score: 5, Informative

      They could. It depends on who wins. The industry lobbyists (extremely influential in Brussels) who don't give a rodent's behind for your privacy but do not want the risk and hassle that comes with a ban on crypto. Or the hawkish commissioners and their backers in national governments, who do not give a rodent's behind for your privacy and who would absolutely abhor "clear oversight and a robust legal framework" around surveillance.

      And don't think for a second that this is about terrorists and paedophiles. There are enough crypto products for them to choose from already.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    2. Re: Sigh by John+Allsup · · Score: 5, Interesting

      People often overlook the issue of verification. If you take a small structured dictionary which takes in, say, 128 bits, and outputs a nonsense poem using the words of the dictionary and some simple rules, you have a reversible procedure for turning 128 bit hashes into literary nonsense. Reverse the procedure and apply a simple procedure to the original 128 bit hash to see if it contains a message. The simple procedure may include things about the sender. The trouble for crackers here, is that there are many such procedures. A simple software example is to append 'Borg' to a message, hash it with shasum, and see if the first two hex digits are f7, say, else discard. Then using evolutionary programs to find a short procedure which generates indices recursively for words in a video file [ with feedback, so the second index requires having the correct video file on hand ]. Guessing a random 128bit passkey is bad enough, but guessing a random procedure is far worse. Having everybody just [ just! ] using aes128 will seem like paradise compared to the output of the computational arms race the UK government is inadvertently about to kick off.

      I have fond memories of the old msdos program insults.exe. it has not escaped my attention that one can take a 128 bit number [ possibly the output of a sugared hash ] and use bits from it as indices into tables to generate phrases. There is much fun to be had, and so many variations. The paper from wayback about chaffing and winnowing will perhaps have more attention payed to it.

      --
      John_Chalisque
    3. Re:Sigh by Cow+Jones · · Score: 5, Funny

      No, you get an extremely small subset of the possible original messages.

      No, GP is correct. If you can choose the pad contents, you can trivially create any "decrypted" message you like.

      As you send more and more messages with the same pad

      one time pad

      "Hail Hitler". It showed in every single German message

      Unlikely. The grammar nazi in charge would have corrected it to "Heil Hitler".

      --

      Ah, arrogance and stupidity, all in the same package. How efficient of you. -- Londo Mollari
  2. Tools of oppression by Anonymous Coward · · Score: 5, Insightful

    Replace "terrorists, paedophiles and criminals" with "people" and you get what this is really about: People must not be allowed a “safe space” online. Nobody wants that, except the rich elite in their mad power grab towards global tyranny.

  3. Bullshit by Anonymous Coward · · Score: 5, Insightful

    Everyone should be aware that the majority of paedophile rings that have been busted were found to be passing material amongst themselves by sending encrypted DVDs (and originally VHS tapes and photographs etc.) using services such as USPS/Royal Mail signed for etc. Physical mail can't be interfered with without a court order, is secure, cheap and reliable. I would imagine terrorists do much the same.

    This is plain and simply the gubberment desperately trying to keep all windows of the Panopticon open. Clueless old 19th century minds trying to legislate against the future and maintain their failed baboon style pyramid hierarchy.

    It will be a total failure.

  4. Insecure WiFi for everyone! by UberVegeta · · Score: 5, Insightful

    There was a Slashdot poll a few years ago, asking the question "What percentage of your traffic is encrypted?"

    The answer that stuck in my mind was from a guy who said, "all of it. My WiFi has WPA2."

    --
    I knew I needed to stop reading Slashdot and finish my PhD when I started to miss articles by Bennett Haselton.
  5. No unbreakable Encryption by Anonymous Coward · · Score: 5, Insightful

    So basically, no encryption at all, since if it's breakable by one person it's breakable by anyone.

  6. How little they understand by Anonymous Coward · · Score: 5, Insightful

    Encryption is only one way mathematical difficulty can be harnessed. There are others. Encryption is great for making large amounts of data unreadable in a way which is independent of the data. But procedures can be learned by rote, and executed in a human brain before deciding whether and how to interact with a machine. By compromising encryption, the government will stimulate criminals to both probe the detection network with false information, and to develop methods of using whatever legal encrypted communication exists so that messages go unnoticed. If two people agree a convention, such as using two spaces rather than one in a tweet, padding a 130 char tweet to 140, and have a mentally computable way of indicating whether the content has special meaning, and a dictionary of codewords, we are back where we were before the second world war, with cryptic crossword techniques being used. One shot conventions [ consider if I say that when I send messages on Twitter if you append 'FluffyBunny', md5sum the result, and then treat specially if the first three hex digits are 3f4, whilst trivially breakable if you know the scheme, and who will transmit with it, if you don't, brute force will swamp you with false positives, and what if this convention is only used once between people ]. Just as antibiotic use has bred superbugs, this action by the UK government has the potential to set off an evolutionary arms race, where many terrorists will be caught, but those who are not will have by chance have developed means of secrecy beyond the security services. Passing laws declaring the existence of unicorns, or banning gravity from acting, are foolish. We have, in digital technology, an enviroment which we as humans must adapt to, not try to adapt it to us. Laws like this do the latter, but such attempts will eventually succumb to the problems of computational inefficiency.

  7. Interesting philosophical dilemma by swillden · · Score: 5, Interesting

    I work for Google. I build strong encryption in Android. The possibility of laws mandating back doors creates an interesting dilemma for me. Supposing such a law were to exist, and were effectively enforced so there's no possibility of sneaking in a non-backdoored system, what would I do?

    I see three options.

    1. I could run away from the problem, changing jobs to let someone else deal with it.
    2. I could accede, trying to build the tightest, narrowest, best-controlled backdoor possible, doing my best to ensure that only authorized government agencies could use it.
    3. I could refuse to build strong security systems at all, making it clear to everyone that their data is unprotected.

    What's the right thing to do? #1 is out, unless I have some reason to believe that someone else could make better decisions. #3 has some nose-thumbing appeal, but it means that everyone's data is accessible not only to government agencies, but to thieves, family members, spouses, etc. Also, this may be equivalent to #1, in that I'll be shuffled to another job and replaced by someone willing to build back doors.

    So, frankly, it's actually not much of a dilemma at all. I would do #2 (choice of number was not accidental). Well, and I'd probably also contribute to open source, possibly underground strong crypto implementations in my free time, because I strongly believe that the ability of people to keep secrets is critical to individual freedom and to societal progress. But such systems would only be used by a handful, seriously reducing their value.

    It's really, really important that we fight this sort of thing in the public, though. I've never been asked to build in back doors, and I never want to be.

    Oh, and by the way: Those of you out there who complain that you don't want full device encryption because it's slow? The slowness may be annoying, but it's well worth it. Not so much to you, now, but to everyone, in the future. Have a little patience with it. It will get faster over time as hardware gets faster and perhaps dedicated encryption hardware is added, but if we don't get it in now, setting the precedent that it's normal to encrypt everything, all the time, with the strongest crypto we can find and no back doors, there's a much greater risk that we may not be allowed to do it later.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.