UK Gov Says New Home Sec Will Have Powers To Ban End-to-end Encryption (theregister.co.uk)
An anonymous reader writes: During a committee stage debate in the UK's House of Lords yesterday, the government revealed that the Investigatory Powers Bill will provide any Secretary of State with the ability to force communication service providers (CSPs) to remove or disable end-to-end encryption. Earl Howe, a Minister of State for Defence and the British government's Deputy Leader in the House of Lords, gave the first explicit admission that the new legislation would provide the government with the ability to force CSPs to "develop and maintain a technical capability to remove encryption that has been applied to communications or data".
This power, if applied, would be imposed upon domestic CSPs by the new Home Secretary, Amber Rudd, who was formerly the secretary of state for Energy and Climate Change. Rudd is now only the fifth woman to hold one of the great offices of state in the UK. As she was only appointed on Wednesday evening, she has yet to offer her thoughts on the matter.
Just checked the calendar. It is 1984.
So how will things like netflix work without end to end encryption?
Does this mean the end of https and secure transactions?
Looks like, as usual, the politicians do not understand the technology.
... so much for anybody ever using a British ISP for anything. Aren't "conservatives" supposed to support corporate interests, instead of killing businesses outright?
Again, idiots in government find new ways to turn law abiding citizens into criminals, or even terrorists.
This is so disappointing for an American. We Americans have always been a little insecure about our accents, our education level, etc, and we look at the British, with their smart-sounding accents, and their large vocabularies, and we just intrinsically KNOW that they are smarter than us. And then something like this happens that shatters our illusions, and tells us that British people can be just as dumb as anyone else.
Proverbs 21:19
Are they going to force Google, Microsoft, and Mozilla to add in British-government-controlled certificate authorities to their browsers distributed in the UK? Or force hardware vendors to provide access to decrypted data on end-users' machines? I don't think they've thought through how little control over the process CSPs have.
I'm also wondering - does the financial sector get a pass from these directives? If not, good luck keeping London as the de-facto headquarters for the financial sector in Europe. If so, I wonder how they plan to restrict encryption to only the financial center?
The only way is to make the ISPs drop encrypted packets into Null Island.
“He’s not deformed, he’s just drunk!”
End-to-end starts and ends at the device.. What exactly do they think an ISP is going to be able to do if the data is already encrypted when it hits their network? I suppose they could block the traffic, but that's so trivially simple to get around, it would be pointless..
Is it the same country?
Be or ben't
If someone like an ISP can remove an encryption, it is not end-to-end encryption in the first place.
A big thanks to UK Gov. In following their US overlords and Russian compatriots into the realms of data-fascism they close the door to fiscal certainty of their own tech industries and open one in support of all the open source or offshore industries offering e2e encryption to bypass their pointless provincial rules. To restate a great man (if you replace Cyberspace with Internet):
We have no elected government, nor are we likely to have one, so I address you with no greater authority than that with which liberty itself always speaks. I declare the global social space we are building to be naturally independent of the tyrannies you seek to impose on us. You have no moral right to rule us nor do you possess any methods of enforcement we have true reason to fear.
Governments derive their just powers from the consent of the governed. You have neither solicited nor received ours. We did not invite you. You do not know us, nor do you know our world. Cyberspace does not lie within your borders. Do not think that you can build it, as though it were a public construction project. You cannot. It is an act of nature and it grows itself through our collective actions.
You have not engaged in our great and gathering conversation, nor did you create the wealth of our marketplaces. You do not know our culture, our ethics, or the unwritten codes that already provide our society more order than could be obtained by any of your impositions.
You claim there are problems among us that you need to solve. You use this claim as an excuse to invade our precincts. Many of these problems don't exist. Where there are real conflicts, where there are wrongs, we will identify them and address them by our means. We are forming our own Social Contract. This governance will arise according to the conditions of our world, not yours. Our world is different.
Cyberspace consists of transactions, relationships, and thought itself, arrayed like a standing wave in the web of our communications. Ours is a world that is both everywhere and nowhere, but it is not where bodies live.
We are creating a world that all may enter without privilege or prejudice accorded by race, economic power, military force, or station of birth.
We are creating a world where anyone, anywhere may express his or her beliefs, no matter how singular, without fear of being coerced into silence or conformity.
Your legal concepts of property, expression, identity, movement, and context do not apply to us. They are all based on matter, and there is no matter here.
Our identities have no bodies, so, unlike you, we cannot obtain order by physical coercion. We believe that from ethics, enlightened self-interest, and the commonweal, our governance will emerge. Our identities may be distributed across many of your jurisdictions. The only law that all our constituent cultures would generally recognize is the Golden Rule. We hope we will be able to build our particular solutions on that basis. But we cannot accept the solutions you are attempting to impose.
In the United States, you have today created a law, the Telecommunications Reform Act, which repudiates your own Constitution and insults the dreams of Jefferson, Washington, Mill, Madison, DeToqueville, and Brandeis. These dreams must now be born anew in us.
You are terrified of your own children, since they are natives in a world where you will always be immigrants. Because you fear them, you entrust your bureaucracies with the parental responsibilities you are too cowardly to confront yourselves. In our world, all the sentiments and expressions of humanity, from the debasing to the angelic, are parts of a seamless whole, the global conversation of bits. We cannot separate the air that chokes from the air upon which wings beat.
In China, Germany, France, Russia, Singapore, Italy and the United States, you are trying to ward off the virus of liberty by erecting guard posts at the frontiers of Cyberspace. These may keep out the contagion for a small time, but they will n
I mean, the Queen has the theoretical power to have peoples' heads cut off, but she doesn't go around doing it.
I have a number of NHS Trusts among my customers. One reason they need to have end-to-end encryption is to secure patient identifiable data in transactions. If a reporting radiologist is on call, working out of his home, how is that traffic going to be sent across the Interwebs without breaking the rules in the Care Record Guarantee about keeping patient data safe, and only available to those who have a genuine clinical need?
Let's hope they never use these powers.
We already know, as a result of the US finding Osama Bin Laden, that those absolutely determined to do harm can find a way around any type of security measures imposed by governments. So ultimately this will not target the factions in our world that are habitually used to justify draconian controls. On the other hand, the imposition of one new control often prompts society to respond by developing alternate solutions. Breaking end-to-end encryption might be viable when entities use the same master keys over and over [i.e. the certificates used to set up SSL encryption through the asynchronous handshake during the session setup]. However, this is only one means by which encryption can be activated. Suppose 2 people want to use secure communications. They create an application that generates strings of random numbers which are printed on rice paper. Each person gets one identical copy of the booklet. Then, each time they want to set up secure communications, they use the next number on the pad. The moment the number is used, they eat that sheet of paper [hence use of rice paper]. As a technique it's not foolproof, but it would require physical access to one of the pads. If a session protocol was agreed that required each participant to disclose a key piece of information [securely, after setup] then each party would have a reasonable expectation of the identity of the other... In other words, those who are determined to do the most harm to society will find a way to defeat this, whilst those who may be vulnerable to political interference may be the most vulnerable. And yes, we could absolutely say, "Hang on, the UK doesn't victimise those with differing political views as long as they are peaceful" [and would be quite correct] but it's the danger of the approach being used elsewhere that would concern me. Well, that and the fact that this is another example of the presumption of innocence being disregarded...
This power, if applied, would be imposed upon domestic CSPs [Communication Service Providers]
All this will do is ensure that anyone with a clue uses services based outside the UK. There will be no UK service providers providing encryption, because no one will trust them.
Politicians being idiots...but I repeat myself...
Enjoy life! This is not a dress rehearsal.
Crypto can be done easily in JavaScript with commonly available libraries. A simple Ajax script with one additional function call ( as in send(enc(msg),key) rather than send(msg) and similar for decryption ) is all you need once you have your encryption library and a means of secure key exchange. How they will implement something which can be implemented in a simple php script with a common js library is beyond me.
John_Chalisque
Just use a VPN in a foreign country, and then send out your encrypted messages/whatever through it.
Trivial for geeks (and white collar criminals and terrorists), but ordinary folk won't know how or be able to do it, so they'll be the ones to suffer.
In related news, it is revealed that the minister of education will have the power to set the value of Pi to be exactly 3.
This law would require dispensations for credit cards, banks, point of sale software, (the government itself), and many more infrastructural e-orgs that cannot function without encryption.
It would also require makers of cell phones that encrypt, Facebook (soon), and increasingly many e-firms to recognize any device/account as being ENGLISH so that it can selectively stomp all over those peoples' freedoms.
It will also generate an *ungodly* large amount of data that will swamp the GCHQ's resources and waste their time sifting through zottabytes of drivel, since BAD GUYS DON'T CHAT ON THE PHONE.
This policy is so halfass and dumbass that it'll be impossible to enforce.
How they will [ban] something which can be implemented in a simple php script with a common js library is beyond me.
It is rather easy actually, I'll lay it out step by step.
1. You, a UK citizen, create service with encryption.
2. The UK government sends you a letter advising you to disable the encryption for them or go to jail.
3A. You disable the encryption.
3B. You go to jail, the government seizes your service and disables the encryption.
Let's say I am an ISP and I have a data stream coming through my system. How do I know if the data is encrypted or not? Data is data. Neither IP nor UDP packets have an 'encrypted data' indicator. How would we differentiate between an encrypted data stream and a video stream in a new movie format? What's the difference between decrypting vs displaying a movie? Both processes are a conversion operation being performed on a data stream.
That was the turning point of my life--I went from negative zero to positive zero.
Because truthfully, that is what they are proposing. The banning of any mathematics where the formulas involved are both unknown and cannot trivially be reverse engineered.
File under 'M' for 'Manic ranting'
designed to placate technopeasants and convince them that government actually has control of this.
If someone wants to encrypt a message, they will, and there's nothing, really, that anyone can do about it.
Please do not read this sig. Thank you.
I know England longs for the good old days when it thought it ruled the world, but they're proposing a giant leap backwards to the stone age....
The "Extinction Event" Asteroid can't hit fast enough at this pace or rising government fascism around the world...
If you RTFA, you'll see that the lords actually did get it, that compromising the "communication service provider" is futile, since that's a party who wouldn't have access to the key anyway. Here is where they take it to the next level:
"A company." Why would anyone use a crypto system from a company since they know that this other third party is so subject to coercion to make their products not work right? Just use Free Software and be done with it.
If people are reasonably competent (yes, I know you're already laughing) then there is really just one sensible face to point your gun at: the user. The user (not someone else) must be required to give up their key, or else you ruin their life as retaliation (a deterrent for the next user). And UK just happens to already have that law (RIPA). That's an evil law, but it also happens to address the situation about as well as you can, assuming you take a government-over-people attitude (which I expect any legislative body to do). Why are they bothering with this dumber, weaker law than the one they already have?
The only thing I can think of, is that they're counting on their adversaries to be incompetent (e.g. use known-bad software) and want to decrypt without using the $5 wrench (since that alerts the target that they're under attack, so they'll lawyer up, demand due process, etc). Counting on an adversary to be stupid-on-purpose isn't a sane security idea.
And so it comes down to this: the only reason for the UK government to propose an optional surveillance system, is if they're hunting different people than who they say they're hunting. If you don't want to be watched (i.e. you're a criminal, or a nerd) you'll opt out. If you don't care, you might opt in by default (e.g. use Apple's or Google's software instead of something intended to serve the user). And so that's who they're obviously targeting: people who don't care, i.e. regular noncriminal citizens.
The government also says (on page 39) that the new law provides nothing more than what is already present in the Regulation of Investigatory Powers Act (2000). It specifically refers to "the ability to remove any encryption applied by the CSP to whom the notice relates" (my emphasis), and not to end-to-end encryption.
That's not a "simple solution". That's something that a group of geeks know how to do, not generic, every person who has a phone gets private communication. Further to that, the fact that you're using ssh and talking over it makes it end-to-end encryption that's banned by this law.
Browser makers should just allow encryption plug-ins/extensions (just like they allow other extensions).
That way the browser maker is not responsible for the encryption and has no backdoor to it.
Where are we going and why are we in a handbasket?
4) Your customers all switch to a solution hosted in Costa Rica and ostentatiously protest that those bastards won't turn over the keys to the UK government.
The pope has also the power to 'ban' stuff, but there too nobody gives a shit.
The real "Libtards" are the Libertarians!
"new legislation would provide the government with the ability to force CSPs to "develop and maintain a technical capability to remove encryption that has been applied to communications or data"."
Next, lawmakers will demand that companies develop telepathy and magic.
(Assuming, of course, they completely banned encryption, which is about the only way they could have delivered to them what they're demanding)
This will last precisely as long as it takes for the first time the UK Home Secretary gets their bank account drained, or identity stolen, because there was no effective encryption on the very much public Internet to protect their very much private and personal data from criminals. Furthermore, I can see how legislation like this would actually increase the likelihood of terrorism; terrorists often use profits from criminal activities as operating funds; removing (or crippling) encryption on the Internet will allow them to commit cybercrimes with relative ease, thus increasing their operating funds that much more.
Of course, politicians being the duplicitous creatures they are, they -- and the rich, no doubt -- will create loopholes allowing them to possess and use full, non-crippled encryption -- for 'security purposes', of course -- and the common citizens can go fuck themselves, so far as they're concerned.
Nice job, UK. Don't you dare mock and make jokes about American politics, not when your own political system and government are at least as much of a bloody bollixed-up mess as ours, if not more so.
MEMO TO UK POLITICIANS: Go take some gods-be-damned basic computer science courses, will you? Because you have NO IDEA what the hell you're doing!
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
I thought the whole premise of Brexit is that it would allow the UK to become more attractive to business.
The Government are going about this in a curious way.
"For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled"
Which leads to:
4. All businesses which require encryption moving out of the UK.
5. Hackers take advantage of the lack of strong encryption to decrypt data that needed to remain secure. (e.g. credit card information)
6. Criminals and terrorists use freely available strong encryption from non-UK sources.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
So, he's going to order ssh banned from the UK? Really?
Wonder how their MoD will respond to that. Or *any* large company.....
mark
Turkey, Iran, and Pakistan say welcome. now beat up your people and jail them in black holes for life.
if this is supposed to be a new economy, how come they still want my old fashioned money?
When has it ever bothered a politician that a law is unenforceable. He's hard on terror! And we need something to distract from the horribly botched brexit vote. Stupid gits, who would've thought they'd actually vote for leaving...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
As if creating absolute uncertainty for businesses with the Brexit, now this. What the hell is going on, is the leaving government trying to maximize damage, aka "if I can't play with it, nobody else should"?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
So long as a first grader can be taught to encode and decode messages no intelligence agency can intercept armed with only a pen and pencil.
So long as people are able to meet and develop signals, code words and languages.
There will be end to end private communication. E2E has been with us since the very beginning of civilization . Not just the last few decades or the last few centuries but the last several thousand years.
These laws are designed for one thing and one thing only. To deny the masses secure communications regardless of the fact anyone with a specific need or desire for E2E will have it easily no matter what. The result is everyone continues to suffer from insecure systems because crappy governments have fear/power/legitimacy issues while only the most lazy and disorganized of bad actors are affected.
Wait... What...? Your credit card information is secure?
Two of my imaginary friends reproduced once
This would include speaking in a language that doesn't happen to be known to anyone in the government, which if the language is obscure enough is entirely possible.
Oh, and they would also need to outlaw the creation of fictional languages that are not released to public domain, since such languages could be used by criminals to covertly communicate and evade law enforcement where they could otherwise be detected.
File under 'M' for 'Manic ranting'
If I sent you my RSA public.key file several months ago, then you could use it to do this:
#!/bin/sh
# build a session key: 48 random bytes, base64-encoded, held only in /tmp/skey
openssl rand -base64 48 -out /tmp/skey
# encrypt the session key with the recipient's RSA public key and print it as base64
openssl rsautl -encrypt -pubin -inkey public.key -in /tmp/skey | openssl base64
echo +++
# encrypt each file named on the command line with AES, using the session key as the passphrase
for f
do openssl enc -aes-128-cbc -salt -a -e -pass "file:/tmp/skey" -in "${f}"; echo +++:
done
# the session key is only needed while encrypting; don't leave it on disk
rm -f /tmp/skey
Mail me the output, and I'll get the original cleartext back. No key exchange.
Then this could happen
Similar to the cry of 2nd amendment people in the US.
The "Civilized World" jumped the shark ca. 1973.
Because the British public does not understand what it is, duh.
Change is certain; progress is not obligatory.
At least in America. The UK might be different. Here in the States racism isolates the working class into easily manageable groups that can be picked off one at a time. It also creates voting blocks that the ruling class can use to push through legislation and single issue voters. It warps our entire political system.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
What else would you expect? They just took back control of their country.
You don't know, what they have hidden in Bletchley Park.
then only outlaws will have encryption.