UK Gov Says New Home Sec Will Have Powers To Ban End-to-end Encryption (theregister.co.uk)
An anonymous reader writes: During a committee stage debate in the UK's House of Lords yesterday, the government revealed that the Investigatory Powers Bill will provide any Secretary of State with the ability to force communication service providers (CSPs) to remove or disable end-to-end encryption. Earl Howe, a Minister of State for Defence and the British government's Deputy Leader in the House of Lords, gave the first explicit admission that the new legislation would provide the government with the ability to force CSPs to "develop and maintain a technical capability to remove encryption that has been applied to communications or data".
This power, if applied, would be imposed upon domestic CSPs by the new Home Secretary, Amber Rudd, who was formerly the secretary of state for Energy and Climate Change. Rudd is now only the fifth woman to hold one of the great offices of state in the UK. As she was only appointed on Wednesday evening, she has yet to offer her thoughts on the matter.
Just checked the calendar. It is 1984.
So how will things like netflix work without end to end encryption?
Does this mean the end of https and secure transactions?
Looks like, as usual, the politicians do not understand the technology.
... so much for anybody ever using a British ISP for anything. Aren't "conservatives" supposed to support corporate interests, instead of killing businesses outright?
Again, idiots in government find new ways to turn law abiding citizens into criminals, or even terrorists.
Yeah I'm sure that's going to work.
ssh+talk/write
Thermorectal cryptoanalysis for Britain?
This is so disappointing for an American. We Americans have always been a little insecure about our accents, our education level, etc, and we look at the British, with their smart-sounding accents, and their large vocabularies, and we just intrinsically KNOW that they are smarter than us. And then something like this happens that shatters our illusions, and tells us that British people can be just as dumb as anyone else.
Proverbs 21:19
Are they going to force Google, Microsoft, and Mozilla to add in British-government-controlled certificate authorities to their browsers distributed in the UK? Or force hardware vendors to provide access to decrypted data on end-users' machines? I don't think they've thought through how little control over the process CSPs have.
I'm also wondering - does the financial sector get a pass from these directives? If not, good luck keeping London as the de-facto headquarters for the financial sector in Europe. If so, I wonder how they plan to restrict encryption to only the financial center?
The only way is to make the ISPs to drop encrypted packets into Null Island.
“He’s not deformed, he’s just drunk!”
End-to-end starts and ends at the device.. What exactly do they think an ISP is going to be able to do if the data is already encrypted when it hits their network? I suppose they could block the traffic, but that's so trivially simple to get around, it would be pointless..
Is it the same country?
Be or ben't
force CSPs to "develop and maintain a technical capability to remove encryption that has been applied to communications or data".
So they are going to mandate ISPs perform man-in-the-middle attacks to break end-to-end encryption?!? That would be quite the technical feat! Who knew hard encryption could be so easily broken by mandate.
If someone like an ISP can remove an encryption, it is not end-to-end encryption in the first place.
then your all pwned ill publsh some nce lil bits to all the baddies and you all can enjoy NO ENCRYPTION
A big thanks to UK Gov. In following their US overlords and Russian compatriots into the realms of data-fascism they close the door to fiscal certainty of their own tech industries and open one in support of all the open source or offshore industries offering e2e encryption to bypass their pointless provincial rules. To restate a great man (if you replace Cyberspace with Internet):
We have no elected government, nor are we likely to have one, so I address you with no greater authority than that with which liberty itself always speaks. I declare the global social space we are building to be naturally independent of the tyrannies you seek to impose on us. You have no moral right to rule us nor do you possess any methods of enforcement we have true reason to fear.
Governments derive their just powers from the consent of the governed. You have neither solicited nor received ours. We did not invite you. You do not know us, nor do you know our world. Cyberspace does not lie within your borders. Do not think that you can build it, as though it were a public construction project. You cannot. It is an act of nature and it grows itself through our collective actions.
You have not engaged in our great and gathering conversation, nor did you create the wealth of our marketplaces. You do not know our culture, our ethics, or the unwritten codes that already provide our society more order than could be obtained by any of your impositions.
You claim there are problems among us that you need to solve. You use this claim as an excuse to invade our precincts. Many of these problems don't exist. Where there are real conflicts, where there are wrongs, we will identify them and address them by our means. We are forming our own Social Contract. This governance will arise according to the conditions of our world, not yours. Our world is different.
Cyberspace consists of transactions, relationships, and thought itself, arrayed like a standing wave in the web of our communications. Ours is a world that is both everywhere and nowhere, but it is not where bodies live.
We are creating a world that all may enter without privilege or prejudice accorded by race, economic power, military force, or station of birth.
We are creating a world where anyone, anywhere may express his or her beliefs, no matter how singular, without fear of being coerced into silence or conformity.
Your legal concepts of property, expression, identity, movement, and context do not apply to us. They are all based on matter, and there is no matter here.
Our identities have no bodies, so, unlike you, we cannot obtain order by physical coercion. We believe that from ethics, enlightened self-interest, and the commonweal, our governance will emerge. Our identities may be distributed across many of your jurisdictions. The only law that all our constituent cultures would generally recognize is the Golden Rule. We hope we will be able to build our particular solutions on that basis. But we cannot accept the solutions you are attempting to impose.
In the United States, you have today created a law, the Telecommunications Reform Act, which repudiates your own Constitution and insults the dreams of Jefferson, Washington, Mill, Madison, DeToqueville, and Brandeis. These dreams must now be born anew in us.
You are terrified of your own children, since they are natives in a world where you will always be immigrants. Because you fear them, you entrust your bureaucracies with the parental responsibilities you are too cowardly to confront yourselves. In our world, all the sentiments and expressions of humanity, from the debasing to the angelic, are parts of a seamless whole, the global conversation of bits. We cannot separate the air that chokes from the air upon which wings beat.
In China, Germany, France, Russia, Singapore, Italy and the United States, you are trying to ward off the virus of liberty by erecting guard posts at the frontiers of Cyberspace. These may keep out the contagion for a small time, but they will n
I mean, the Queen has the theoretical power to have peoples' heads cut off, but she doesn't go around doing it.
I have a number of NHS Trusts among my customers. One reason they need to have end-to-end encryption is to secure patient identifiable data in transactions. If a reporting radiologist is on call, working out of his home, how is that traffic going to be sent across the Interwebs without breaking the rules in the Care Record Guarantee about keeping patient data safe, and only available to those who have a genuine clinical need?
Let's hope they never use these powers.
the new Home Secretary, Amber Rudd, who was formerly the secretary of state for Energy and Climate Change
FFS, same old story one day in charge of energy and climate change the next for day XYZ. This shit should be banned, no wonder we have so many SME's who know jack shit.
We already know, as a result of the US finding Osama Bin Laden, that those absolutely determined to do harm can find a way around any type of security measures imposed by governments. So ultimately this will not target the factions in our world that are habitually used to justify draconian controls. On the other hand, the imposition of one new control often prompts society to respond by developing alternate solutions. Breaking end-to-end encryption might be viable when entities use the same master keys over and over [i.e. the certificates used to set up SSL encryption through the asynchronous handshake during the session setup]. However, this is only one means by which encryption can be activated. Suppose 2 people want to use secure communications. They create an application that generates strings of random numbers which are printed on rice paper. Each person gets one identical copy of the booklet. Then, each time they want to set up secure communications, they use the next number on the pad. The moment the number is used, they eat that sheet of paper [hence use of rice paper]. As a technique it's not foolproof, but it would require physical access to one of the pads. If a session protocol was agreed that required each participant to disclose a key piece of information [securely, after setup] then each party would have a reasonable expectation of the identity of the other... In other words, those who are determined to do the most harm to society will find a way to defeat this, whilst those who may be vulnerable to political interference, may be the most vulnerable. And yes, we could absolutely say, "Hang on, the UK doesn't victimise those with differing political views as long as they are peaceful" [and would be quite correct] but it's the danger of the approach being used elsewhere that would concern me. Well, that and the fact that this is another example of the presumption of innocence being disregarded...
This power, if applied, would be imposed upon domestic CSPs [Communication Service Providers]
All this will do is ensure that anyone with a clue uses services based outside the UK. There will be no UK service providers providing encryption, because no one will trust them.
Politicians being idiots...but I repeat myself...
Enjoy life! This is not a dress rehearsal.
Crypto can be done easily in JavaScript with commonly available libraries. A simple Ajax script with one additional function call ( as in send(end(msg),key) rather than send(msg) and similar for decryption ) is all you need once you have your encryption library and a means of secure key exchange. How they will implement something which can be implemented in a simple php script with a common is library is beyond me.
John_Chalisque
Just use a VPN in a foreign country, and then send out your encrypted messages/whatever through it.
Trivial for geeks (and white collar criminals and terrorists), but ordinary folk won't know how or be able to do it, so they'll be the ones to suffer.
In related news, it is revealed that the minister of education will have the power to set the value of Pi to be exactly 3.
This law would require dispensations for credit cards, banks, point of sale software, (the government itself), and many more infrastructural e-orgs that cannot function without encryption.
It would also require makers of cell phones that encrypt, Facebook (soon), and increasingly many e-firms to recognize any device/account as being ENGLISH so that it can selectively stomp all over those peoples' freedoms.
It will also generate an *ungodly* large amount of data that will swamp the GCHQ's resources and waste their time sifting through zottabytes of drivel, since BAD GUYS DON'T CHAT ON THE PHONE.
This policy is so halfass and dumbass that it'll be impossible to enforce.
How they will [ban] something which can be implemented in a simple php script with a common is library is beyond me.
It is rather easy actually, I'll lay it out step by step.
1. You, a UK citizen, create service with encryption.
2. The UK government sends you a letter advising you to disable the encryption for them or go to jail.
3A. You disable the encryption.
3B. You go to jail, the government seizes your service and disables the encryption.
Let's say I am an ISP and I have a data stream coming through my system. How do I know if the data is encrypted or not? Data is data. Neither IP nor UDP packets have an 'encrypted data' indicator. How would we differentiate between an encrypted data stream and a video stream in a new movie format? What's the difference between decrypting vs displaying a movie? Both processes are a conversion operation being performed on a data stream.
That was the turning point of my life--I went from negative zero to positive zero.
So instead of having product based encryption or system based encryption, we have encryption at the user level. It really was best when it was system based, that way you could have things like ecommerce. But sure, make the terrorists use their own encryption. Something out of the wild blue yonder. Hey! Better than that, they can use pass phrase substitution and steganography, that way they have complete plausible deniability, its wildly easier to use than having some 'code substitution something', the number of keys are in the trillions, and no amount of 'codebreaking' will be able to even suspect it, let alone detect it. Now I have to trademark this bit of snark: "Good job dumbass politicians!"(tm)
Because truthfully, that is what they are proposing. The banning of any mathematics where the formulas involved are both unknown and cannot trivially be reverse engineered.
File under 'M' for 'Manic ranting'
designed to placate technopeasants and convince them that government actually has control of this.
If someone wants to encrypt a message, they will, and there's nothing, really, that anyone can do about it.
Please do not read this sig. Thank you.
I know England longs for the good old days when it thought it ruled the world, but they're proposing a giant leap backwards to the stone age....
The "Extinction Event" Asteroid can't hit fast enough at this pace or rising government fascism around the world...
If experience is any guide, this will simply mean that Rupert Murdoch will be given carte blanche authority to insert advertisements into your personal emails.
If you RTFA, you'll see that the lords actually did get it, that compromising the "communication service provider" is futile, since that's a party who wouldn't have access to the key anyway. Here is where they take it to the next level:
"A company." Why would anyone use a crypto system from a company since they know that this other third party is so subject to coercion to make their products not work right? Just use Free Software and be done with it.
If people are reasonably competent (yes, I know you're already laughing) then there is really just one sensible face to point your gun at: the user. The user (not someone else) must be required to give up their key, or else you ruin their life as retaliation (a deterrent for the next user). And UK just happens to already have that law (RIPA). That's an evil law, but it also happens to address the situation about as well as you can, assuming you take a government-over-people attitude (which I expect any legislative body to do). Why are they bothering with this dumber, weaker law than the one they already have?
The only thing I can think of, is that they're counting on their adversaries to be incompetent (e.g. use known-bad software) and want to decrypt without using the $5 wrench (since that alerts the target that they're under attack, so they'll lawyer up, demand due process, etc). Counting on an adversary to be stupid-on-purpose isn't a sane security idea.
And so it comes down to this: the only reason for the UK government to propose an optional surveillance system, is if they're hunting different people than who they say they're hunting. If you don't want to be watched (i.e. you're a criminal, or a nerd) you'll opt out. If you don't care, you might opt in by default (e.g. use Apple's or Google's software instead of something intended to serve the user). And so that's who they're obviously targeting: people who don't care, i.e. regular noncriminal citizens.
The government also says (on page 39) that the new law provides nothing more than what is already present in the Regulation of Investigatory Powers Act (2000). It specifically refers to "the ability to remove any encryption applied by the CSP to whom the notice relates" (my emphasis), and not to end-to-end encryption.
Browser makers should just allow encryption plug-ins/extensions (just like they allow other extensions).
That way the browser maker is not responsible for the encryption and has no backdoor to it.
Where are we going and why are we in a handbasket?
Oh, just the people.
It's a good thing criminals don't break laws. This ban is sure to stop them!
4) Your customers all switch to a solution hosted in Costa Rica and ostentatiously protest that those bastards won't turn over the keys to the UK government.
Enjoy this little nugget on your way out!
The industry will vote with their feet, by leaving the country.
force CSPs to "develop and maintain a technical capability to remove encryption that has been applied to communications or data".
What if it turns out that it's technically impossible to do that?
The pope has also the power to 'ban' stuff, but there too nobody gives a shit.
Timmy Cook CEO Apple Inc. and Greatest human to ever be born on Earth is PISSED.
Timmy has $300 billion dollars burning a hole in his pocket in China. That money can buy the murder of anyone. One more move by Rudd and Timmy will unleash his "pocket monster".
Ha ha
The real "Libtards" are the Libertarians!
For anyone who didn't know, the UK also permits the law to operate retroactively...
"new legislation would provide the government with the ability to force CSPs to "develop and maintain a technical capability to remove encryption that has been applied to communications or data"."
Next, lawmakers will demand that companies develop telepathy and magic.
(Assuming, of course, they completely banned encryption, which is about the only way they could have delivered to them what they're demanding)
This will last precisely as long as it takes for the first time the UK Home Secretary gets their bank account drained, or identity stolen, because there was no effective encryption on the very much public Internet to protect their very much private and personal data from criminals. Furthermore, I can see how legislation like this would actually increase the likelihood of terrorism; terrorists often use profits from criminal activities as operating funds; removing (or crippling) encryption on the Internet will allow them to commit cybercrimes with relative ease, thus increasing their operating funds that much more.
Of course, politicians being the duplicitous creatures they are, they -- and the rich, no doubt -- will create loopholes allowing them to possess and use full, non-crippled encryption -- for 'security purposes', of course -- and the common citizens can go fuck themselves, so far as they're concerned.
Nice job, UK. Don't you dare mock and make jokes about American politics, not when your own political system and government are at least as much of a bloody bollixed-up mess as ours, if not more so.
MEMO TO UK POLITICIANS: Go take some gods-be-damned basic computer science courses, will you? Because you have NO IDEA what the hell you're doing!
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
I thought the whole premise of Brexit is that it would allow the UK to become more attractive to business.
The Government are going about this in a curious way.
"For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled"
Which leads to:
4. All businesses which require encryption moving out of the UK.
5. Hackers take advantage of the lack of strong encryption to decrypt data that needed to remain secure. (e.g. credit card information)
6. Criminals and terrorists use freely available strong encryption from non-UK sources.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
The UK is displaying a distressing tendency to enact police state laws. Now that the British are led by a bunch of mendacious clowns (with the court buffoon as their foreign representative) that tendency will acquire farcical overtones.
So, he's going to order ssh banned from the UK? Really?
Wonder how their MoD will respond to that. Or *any* large company.....
mark
Turkey, Iran, and Pakistan say welcome. now beat up your people and jail them in black holes for life.
if this is supposed to be a new economy, how come they still want my old fashioned money?
Putin is doing it. It must be good.
As if creating absolute uncertainty for businesses with the Brexit, now this. What the hell is going on, is the leaving government trying to maximize damage, aka "if I can't play with it, nobody else should"?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
So long as a first grader can be taught to encode and decode messages no intelligence agency can intercept armed with only a pen and pencil.
So long as people are able to meet and develop signals, code words and languages.
There will be end to end private communication. E2E has been with us since the very beginning of civilization . Not just the last few decades or the last few centuries but the last several thousand years.
These laws are designed for one thing and one thing only. To deny the masses secure communications regardless of the fact anyone with a specific need or desire for E2E will have it easily no matter what. The result is everyone continues to suffer from insecure systems because crappy governments have fear/power/legitimacy issues while only the most lazy and disorganized of bad actors are affected.
Wait... What...? Your credit card information is secure?
Two of my imaginary friends reproduced once
This would include speaking in a language that doesn't happen to be known to anyone in the government, which if the language is obscure enough is entirely possible.
Oh, and they would also need to outlaw the creation of fictional languages that are not released to public domain, since such languages could be used by criminals to covertly communicate and evade law enforcement where they could otherwise be detected.
File under 'M' for 'Manic ranting'
I like how you take a few examples and use it to characterize an entire group of people based on a few cherry picked samples.
Do you understand why that line of reasoning is exactly the same as in the bad old days when people would find, for example, a few particular black rapists, then use that as "evidence" to make statements about every black male?
There is no public asking for their government whose-salaries-they-pay to take away private communications.
It is all subterfuge.
Jesuit Vatican and Jesuit CIA
vs.
Israel and American Jewry
Start killing mother fuckers.
In the UK government at the moment, there is not one with any engineering degrees, or science degree above school level.
What we do have is a parliament and government that is composed of failed solicitors, barristers, estate agents.
Any university degree is usually politics, philosophy or the history of art.
I kid you not, not ONE sensible degree between 660 MPs and the senior civil service that is made up of Oxbridge elitists is just as bad.
Idiots to the left idiots to the right, everywhere you look there are idiots, problem is, they're in charge of the rest of us.
How will they force decryption of data. It just isn't technically possible. This reads like the wishful thinking of a Nazi dictator.
Anyone who wants encryption, will have encryption. Stupid law, or otherwise. Anyone who wants to decrypt any securely encrypted data is out of luck, regardless of the Nazi legislation.
It is very disappointing that our politicians are trying to legislate in the face of reality, and it reflects very poorly on them. I suppose they probably have useless, or even detrimental PPE, law, or BA degrees. In the world of science and technology, clever wording can't bend the facts. Right wing politicians, in particular, seem to have particular trouble with the concept of reality.
Why does the British public allow their government to create these kind of crazy privacy invasive laws???
If I sent you my RSA public.key file several months ago, then you could use it to do this:
#!/bin/sh
#build a session key
openssl rand -base64 48 -out /tmp/skey
#encrypt the session key with RSA and print it base64-encoded
openssl rsautl -encrypt -pubin -inkey public.key -in /tmp/skey | openssl base64
echo +++
#encrypt each file named on the command line with AES
for f
do openssl enc -aes-128-cbc -salt -a -e -pass "file:/tmp/skey" -in "${f}"; echo +++:
done
Mail me the output, and I'll get the original cleartext back. No key exchange.
Then this could happen
Similar to the cry of 2nd amendment people in the US.
.
The "Civilized World" jumped the shark ca. 1973.
At least in America. The UK might be different. Here in the States racism isolates the working class into easily manageable groups that can be picked off one at a time. It also creates voting blocks that the ruling class can use to push through legislation and single issue voters. It warps our entire political system.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
I'm late to the thread but here's my two cents.
Sounds like a MitM attack to implement back-doors without judicial process. This is more reason to move to a key-ring arrangement where everybody has his encryption public key in an online registry. That means government must attack 2 points, the receiving computer (private key) and the online registry (public key), in order to spy on a data stream. That will get the government, half the conversation, since the data stream will not share encryption keys but each end of the stream will use his private key for sending data. That in turn is an incentive for public/private keys to be implemented as plug-able hardware on the motherboard.
Why is Apple the only tech. corp. implementing security in the hardware?
Damn you Obama!
to united states national security
What else would you expect? They just took back control of their country.
You don't know, what they have hidden in Bletchley Park.
Obviously the UK govt doesn't understand what end-end encryption is, the ISP doesn't control the encryption, the individual does on his own device. Just so much bloody BS !!! Another bureaucrat trying to stop a flood with a sponge, sounds good but won't do the job !!
then only outlaws will have encryption.
Stupid old farts who know nothing about technology turning everyone into an enemy of the state. I say fuck them.
"the government revealed that the Investigatory Powers Bill will provide any Secretary of State with the ability to force communication service providers (ISPs) to ..." wave a magic wand and pull pink elephants out of a sock.
Strangely enough, "end to end" means from source to destination. The ISP is not party to either, as it merely sits between the two. Consequently the ISP sees and passes on encrypted traffic for which it does not hold the decryption keys, so the legislation permits the Secretary of State to oblige ISPs to perform the impossible.
Only by eliminating end to end encryption entirely could the implied objective be achieved, but that would pretty much stop e-commerce in its tracks.
The time is long overdue for government to make the effort to actually understand what it is legislating about before enshrining yet more wild fantasies into an already top heavy and self-defeating body of law.