The U.K. Government Is Very Close To Eroding Encryption Worldwide
Until the US also mandates backdoors, the UK will back down. It may even attempt to pass this bill for the courts to fail to enforce it, as non-compliance will be off the scale. Open source projects in particular will not accept back doors. And have you ever seen anyone sued successfully over publicly released code?
The Open Rights Group need our cash though, they are likely to attempt to defeat this in court. As you can’t ban mathematics, it will be fairly trivial to show technically this is nonsense. But the government won’t argue for that; they’ll argue that companies in control will have to comply with inserting backdoors. This is harder to fight, but it is essentially disproportionate and indiscriminate, with high likelihood of weakening all communication for specialist use cases.
The trouble is of course that prior to E2EE the government tapped things willy-nilly. And that tool is no longer available to them. I surmise we will see instead of minor players forced to surrender, Apple and Android having to insert backdoors. And this is why this bill will never pass: neither will do so unless the US forces them to.
I really like your comment and agree with your position. Thanks for taking the time to write it out like that.
I do have two questions.
The Open Rights Group need our cash though, they are likely to attempt to defeat this in court.
Do you happen to have a link or where does one go to support this specifically?
The trouble is of course that prior to E2EE the government tapped things willy-nilly. And that tool is no longer available to them.
In almost all IT positions, both public and industry, we rely heavily on E2EE for everyday operations. Data privacy compliance alone is only made possible by it (see GDPR). Does this mean governments will have to provide the extensive resources to be the “data controller for all”, with all obligations to be compliant with the rule of law? Considering the vast majority of affected users’ data is not going to be criminal activity.
And of course the security implications of punching holes in a security barrier: what are your thoughts on potential misuse of these backdoors by bad actors?
Ooh, a government-mandated encryption MITM is a route I hadn’t considered. You could transparently proxy all comms at ISP level and force OSes to recognise your government ticket. Well, that’s one route. But still doomed to failure: Apple and Android won’t accept these certs. And ISPs may do this, but have you ever run even a corporate proxy? Beefy boys. With loads of stuff out there not having the certs too. And they’ll be cracked sooner than the government cares for too. A mad approach.
And of course with the ORG: www.openrightsgroup.org
Open source projects in particular will not accept back doors.
No, but you gotta remember that a lot of people are just going to use a commercial service.
I remember when the US government made a colossal amount of noise over PGP. While PGP is available, few people actually use it, because it's a pain to use.
https://en.wikipedia.org/wiki/Phil_Zimmermann
After a report from RSA Security, who were in a licensing dispute with regard to the use of the RSA algorithm in PGP, the United States Customs Service started a criminal investigation of Zimmermann, for allegedly violating the Arms Export Control Act.[5] The United States Government had long regarded cryptographic software as a munition, and thus subject to arms trafficking export controls. At that time, PGP was considered to be impermissible ("high-strength") for export from the United States. The maximum strength allowed for legal export has since been raised and now allows PGP to be exported. The investigation lasted three years, but was finally dropped without filing charges after MIT Press published the source code of PGP.[6]
In 1995, Zimmermann published the book PGP Source Code and Internals as a way to bypass limitations on exporting digital code. Zimmermann's introduction says the book contains "all of the C source code to a software package called PGP" and that the unusual publication in book form of the complete source code for a computer program was a direct response to the U.S. government's criminal investigation of Zimmermann for violations of U.S. export restrictions as a result of the international spread of PGP's use.[7]
Essentially the US government lost that argument. Strong encryption is available worldwide, you can’t weaponise maths, and the internet exports all. I’d argue we don’t use PGP because easier solutions currently exist, nothing about legislation. If private companies have to weaken products, people will switch to open source. PGP can be made easier.
I haven’t explored Matrix too readily yet, is it a legislation-resistant platform? Something is already waiting.
This will only erode worldwide encryption if the app-makers do actually include a back-door, right? (E.g. scanning client side.) I expect at least some to refuse (Apple comes to mind with their refusal to unlock iPhones in that one terrorist case*), so that would mean that worldwide privacy is still intact?
It may be made impossible (illegal) for the app makers to operate in the UK (how this stops Signal for tech-literate users I am unsure, they can sideload and potentially donate to Signal just fine I presume? So, Signal at least loses little from refusing). At worst, this would just further alienate the UK from the rest of the world, which is not a good thing, but not necessarily a direct issue for app users outside the UK (caveat: less trustworthy apps will totally comply without outright stating this, so it may be possible that some apps are compromised, but that option exists even without a law requiring backdoors).
*I seem to remember that Apple refused/could not unlock an iPhone in US court which belonged to a (supposed) terrorist, but the details escape me. I may be completely wrong here, but I am fairly sure that Apple generally refuses to break encryption/safety on their products.
Yes, Apple and Google would need to implement the backdoor. You would still be able to sideload apps and cryptography libraries, but that would make it significantly more difficult to use E2EE encryption, even more so because it requires both parties to do it.
I think the real threat is that it’s not only the UK who wants this, any backsliding democracy would want access to this. Apple and Google are probably not going to give in to demands from just the UK government, but what if it’s the Middle East, most of Asia, and parts of Europe as well?
when they finally put you in the ground
I’ll stand on your grave and tramp the dirt down
When was the last time governments did anything for the people? Lately all I see are things that are bad for people.
They want 100% control and they won’t stop until we’re all in shackles living the slave life.
Fuck these clowns.
Basic summary because it’s a long-ish read:
_The U.K. Parliament is advancing the Online Safety Bill, which could potentially compromise the privacy of individuals worldwide by forcing messaging services to integrate backdoors, thereby undermining end-to-end encryption._
Wouldn’t this only apply to messaging apps that do the encryption for you? I’m curious how this could be applied to something like PGP/GPG or SHA256.