UK Politicians Getting Serious About Ending End-To-End Encryption
from the bad-news dept
Last week we noted that there was some fairly mixed up pressure mounting on UK politicians to block encryption from some confused charities which (falsely) thought that ending encryption would somehow protect children. We also noted that many of the politicians pushing to end encryption… were using encrypted messaging themselves in an effort to dodge public records requests.
And now more news is coming that the UK government is getting serious about ending encryption. UK Home Secretary Priti Patel — who has been pushing to end encryption for a while now — seems to be using the misguided statement from the charity mentioned above, the National Society for the Prevention of Cruelty to Children (NSPCC), as an excuse to bring about the end of true end-to-end encryption in the UK:
Patel will headline an April 19 roundtable organised by the National Society for the Prevention of Cruelty to Children (NSPCC), according to a draft invitation seen by WIRED. The event is set to be deeply critical of the encryption standard, which makes it harder for investigators and technology companies to monitor communications between people and detect child grooming or illicit content, including terror or child abuse imagery.
And then it will just be more nonsense:
During the event, the NSPCC will unveil a report on end-to-end encryption by PA Consulting, a UK firm that has advised the UK?s Department for Digital Culture Media and Sport (DCMS) on the forthcoming Online Safety regulation. An early draft of the report, seen by WIRED, says that increased usage of end-to-end encryption would protect adults? privacy at the expense of children?s safety, and that any strategy adopted by technology companies to mitigate the effect of end-to-end encryption will ?almost certainly be less effective than the current ability to scan for harmful content.?
The report also suggests that the government devise regulation ?expressly targeting encryption?, in order to prevent technology companies from ?engineer[ing] away? their ability to police illegal communications. It recommends that the upcoming Online Safety Bill ? which will impose a duty of care on online platforms ? make it compulsory for tech companies to share data about online child abuse, as opposed to voluntary.
As has become common with these things the language here is presented in a manner that pretends it’s not the end of end-to-end encryption. They say things like “companies just need to provide law enforcement a way in” or that they will have a “duty of care to share data,” ignoring that the only way to do this is not to use end-to-end encryption, but to completely break it in a way that makes everyone — including children — much more vulnerable.
Pushing back against this nonsense, the Open Rights Group (ORG) in the UK has called this out for what it obviously is: the UK’s plan to kill end-to-end encryption.
If, as the Wired piece suggests, Government is inclined to compel Facebook to break encryption, then this will send a strong message to all of us ? regardless of what messaging service we choose to use ? about our rights to privacy and freedom from surveillance. It will send an equally strong message to companies providing communication platforms in the UK, whether large or small, about what they can expect from the UK government in the years to come.
The circulation of child abuse images, and the uses of tools by criminals, absolutely need to be addressed. However there are many options to deal with this effectively, ranging from targeted cracking of devices through to infiltration of groups, and at scale, the use of metadata analysis to find malicious actors; this latter technique is already employed by WhatsApp and many other companies relating to abusive material. While Government does need to ensure these methods work, it is far from obvious that equipment interference, and the acquisition of bulk communications data, are the only reasonable means to deliver its aims.
We have known for many years that it was not a matter of if, but when, the UK government and Home Office would seek to restrict the use of encryption. Their intentions have been publicly stated for quite some time, alongside similar gestures by other countries in the Five Eyes surveillance alliance.
The Wired piece also highlights a fear that the UK government might try to enforce all this in secret — using a secret order (the equivalent of an NSL here in the states) to force the companies to break encryption while gagging them from talking about it. ORG is, quite reasonably, raising the alarm on that possibility too:
A company which is subject to a TCN is legally barred not only from discussing the specifics of the notice, but from disclosing whether the notice exists at all. Any employee of a company subject to a TCN who disclosed that one existed would be subjected to criminal penalties for breaking a gagging order. The powers also appear to apply to the use of ?warrant canaries?.
Because of that, we do not know how many TCNs have been applied to date under the Investigatory Powers Act, we do not know whether they have proven effective, and we do not know when they were suspended. TCNs are applied under a level of secrecy which, legally, cannot even be reported. The only thing you will ever learn about the insinuation that a TCN exists is in the annual reports of the Investigatory Powers Commissioner?s Office, who can only discuss the fact that they exercised oversight over one. No further details can be disclosed.
Quite simply, this means that if a TCN were to be applied, any private message exchanged on Facebook/WhatsApp could be subject to monitoring and surveillance, with no notice, recourse, or transparency, and the company would be legally barred from disclosing the fact that the surveillance exists.
As ORG requests, Parliament needs to demand transparency and accountability regarding what the Home Office is doing with regard to encryption, as it impacts the privacy and safety of everyone — including those anti-encryption politicians who are still using encryption.
Filed Under: encryption, end-to-end encryption, priti patel, security, uk
Companies: nspcc
Comments on “UK Politicians Getting Serious About Ending End-To-End Encryption”
The UK really is running towards fascist police state with arms wide open ready to hug it.
Look at the "seriously annoying protest bill" they’re trying to pass.
and you can bet your ass that everyone, except those who wanna bring and end to encryption, will have to comply! government members, politicians, company bosses and all the associated friends and colleagues, the rich, the famous and everyone who can help the above will be exempt! no one will be able to know or find out what the fuckers are up to until it’s too late and whatever it is, it will be so that the ordinary person, the worker, the housewife etc can be kicked in the privates and be prosecuted if going after those on the ‘Elite List’! and notice how that 2 faced bitch Patel is loading the gun using the same old bullet, ‘look after the children’ as ammo! and those who use it, fall for it are fine until they cant get in touch with who they want, when they want etc, etc!
when are people going to actually wake up and smell the coffee, realise what it is that’s happening and that everything that’s occurring is to the detriment of us ordinary people? everything that is happening on the Internet, thanks to the thick, bribed, bought and paid for USA court judges is fast heading so it wont be accessible to anyone except those who pay members of the entertainment industries. the main reasons being, in my opinion, so that those who have been milking the public for decades can continue to do so without doing a single, deserving thing, not just until they pass away but until their children’s, children’s, children’s, children pass away in 200 years time! not only are vpns now under threat but the likes of youtube and twitter are as well. soon there’ll be no social platforms, no meeting programs, nowhere to exchange family snaps, nothing! and, as with most restrictive practices worldwide, it’s USA that’s responsible but condemn first and most when elsewhere does the same!
It’s not surprising that government people think end to end encryption and transient messaging services are only useful for crime since all that they use those services for is to talk about their crimes that they’d rather the public not know.
The problem with this approach is that it will only affect people who obey the law. Criminals will still have strong encryption available to them, and could hide their messages using Steganography.
Travel?
How do these politicians think that they will be able to travel abroad without their communications being monitored?
Actually, forget abroad. GCHQ won’t have any qualms reading Priti Patel’s communications. Or perhaps that has already happened and GCHQ is behind this push all along ("wouldn’t it be unfortunate if <unpleasant details> were to leak? Perhaps you need to give us more power").
Hey England, you okay? You’re having a bad case of hypocrisy.
UK: Let’s not implement the EU copyright regime because we respect our citizens’ user rights.
Also UK: Let’s hang end-to-end encryption so we can keep our citizens safe and ensure that they uphold the law.
Also also UK: Let’s use the end-to-end encryption system to discuss how to gut it. Debating the opaque ethics of the largest government-endorsed invasion of privacy in recent history out in the open is haaaaarrrrd.
Re: Hey England, you okay? You’re having a bad case of hypocri
Also also also UK: Surely you tech geniuses can come up with a way to break encryption without breaking it, just nerd harder.
Also also also also UK: We couldn’t possibly figure out any way to combat child abuse without breaking encryption.
Re: Re: Hey England, you okay? You’re having a bad case of hyp
Also the UK: "We can’t possibly prevent child abuse without commiting child abuse."
Just try demanding the police just "police harder", and watch the belly aching and excuses start.
*Word of caution: DON’T DO THAT IN THE US. Chances are they’ll start beating your ass (or outright shoot you dead) in addition to bitching about their plight.
Sounds to me like England is getting ready for it’s Second Great Wave of Emigration. You know, where the first one was to escape sovereign corruption, back in the 1600 and 1700s? Well, this time it’ll be to escape Home Office corruption, and like the last time, it won’t be pretty.
And why is it that all this talk about government secrecy keeps hitting my BS detector, sounding more than a little bit like our government’s Stingray fuckfest.
I guess 'no privacy at all' doesn't count as 'cruelty'
Well that’s telling. If the NSPCC is still pushing their anti-encryption position then I’d say they’ve made clear that at best they are so woefully ignorant of modern reality that they shouldn’t be trusted to advise anyone, with a less generous reading being that they’re just using the ‘exploited children’ for their own goals, in this case crippling encryption.
Yeah, like similar efforts elsewhere this has nothing to do with ‘protecting the children'(and won’t someone think of them?) and everything to do with ensuring that law-abiding citizens have no privacy available, no way to speak or gather that the government cannot listen in on, because as noted by an AC above it’s not like criminals are going to follow a law that makes their actions clear, they’ll still be using working encryption.
Those trying to cripple encryption are a greater threat to the public(which includes children) than any criminals might be, because why encryption might protect a comparative handful of criminals from easy notice it also protects a vastly larger number of innocent people.
Logic of the situation?
Umm, ya.
Why is there an agency that Thinks(or doesnt) that Monitoring EVERYTHING on the net is an ability?
Someone get me a 10yo, to explain how many ways he can talk to friends and everyone else, on the net.
Ask your kid if he knows All the people he talks to and where they live.
then lets ask What did we do before the internet, if we wanted to have a secret.
You would Probably need 1/2 the world to monitor the other 1/2 of the world.
Read every email, find every chat and forum, search every game chat and Steam, Epic, and everything else you can find.
Then consider that This can only be done on a server controled idea. UNLESS you have a way to track Client to client software, running threw a server but not using much of any of it to work.
you would need Data searches running over every data trace going threw every server, to see what it is. ANd SLOW every internet connection in the USA to 56k.
Re: Logic of the situation?
The problem with enabling government access to all information on you is that it is available should you come to their attention, by for example trying to organize an opposition political party. They will then trawl your history for anything embarrassing they can use to discredit you.
Re: Re: Logic of the situation?
Discredit?
Big word with a big meaning.
Discredit only means you Have done something you are embarrassed about.
Re: Re: Re: Logic of the situation?
"If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged."
–Cardinal Richelieu
But I have nothing to hide!
Whenever someone claims that they have nothing to hide, I ask them for their credit card numbers, social security number and mother’s maiden name.
Everyone has something to hide otherwise they would be dealing with identity theft every single day. The reason that on-line commerce is such a big thing is because of encryption. Take away that and large parts of the economy falls to fraud.
Governments want to ban encryption because they are afraid that someone is plotting behind they backs. They would be better off dealing with that insecurity than imposing insecurity on the rest of us.
Re: But I have nothing to hide!
Agreed completly. I think they are afraid that some other bigshots will realise they are completly incompetent as politicians. Take away the politics away from the politician and what do you get. Good for nothing low life that can’t provide for himself or his family and will probably sell you out for a slice of pizza.
Re:
State: Whats wrong with mass surveillance – nothing to hide, nothing to fear
Some dude: Agreed, which is why I’m leaking these top secret Government files online
Funny thing is, the UK prime minister very obviously has something to hide, and was not able to hide it. If you can’t hide stuff even with encryption available, then why bother outlawing it?
There seems to be a trend of people trying to prevent end-to-end encryption from being gutted… by suggesting alternatives that are just as bad or worse.
That kind of thing is very hard to target reliably, often requires reducing overall Internet security by accumulating libraries of zero-day vulnerabilities instead of getting them fixed, and is just generally a very dangerous tactic to be encouraging law enforcement to use.
Even ignoring the damage to infrastructure security, who’s going to authorize this "targeted cracking"? How are they going to know whom to crack before they’ve already done it? What does a "cracking warrant" look like?
OK… but this isn’t so easy, and it has been a huge source of abuse in the past.
"The use of metadata analysis to find malicious actors" is exactly the same thing as "guilt by association, targeted by applying statistical methods to the results of extremely intrusive mass communication surveillance".
This is not something you want to encourage.
Well, isn’t that comforting, now. Better hope you haven’t been sending WhatsApp messages to the wrong people, however innocent those messages may have been…
The real answer to this is just to accept that a certain amount of child porn (and copyright violation, which is what I suspect actually funds the anti-crypto propaganda) is unavoidably going to get passed around. Reducing the amount below a certain point is going to get unacceptably expensive in terms of civil liberties and controls on government abuse, as well as in terms of money.
You’re just not ever going to completely wipe out something like that, and the world you’ll create if you try is not a world you want to be creating. Nothing can be so important that it completely overrides all other concerns.
Re: Re:
Not acceptable to a politician, because next election cycle the opposition runs ads saying "Joe Smith voted in favor of child pornography and think it’s fine to let internet criminals abuse YOUR children! Vote for Cindy Jones, because she will fight for the safety of our kids!" Or substitute political parties for candidate names if that is how it works in your country.
How?
How exactly would an order apply to a warrant canary? The ones that I’ve seen say something along the lines of, "Through March 31st, 2021 I haven’t received any warrants." Then, if you do get a warrant you just stop updating the canary (or pull a TrueCrypt and kill the project altogether). Does the UK not have laws against compelled speech (which is why canaries work in the US)?
Re: How?
It would seem that it does, which makes the statement about warrant canaries rather confusing. Perhaps there is an exception for these secret orders.
https://ukconstitutionallaw.org/2018/10/16/jacob-rowbottom-cakes-gay-marriage-and-the-right-against-compelled-speech/
Re: Re: How?
Given the ability to notify people that you’ve received a warrant would defeat the point of the gag clause I would be very surprised if there wasn’t some sort of language included to the tune of ‘you must take reasonable steps(as defined by the government of course) to maintain the secrecy of the order you have received’ such that an act, or refusal to continue an act as it were would be treated as making the warrant known and therefore violate the gag clause.
It would be a garbage argument and a violation of any laws against forced speech but uttering the magic words ‘national security’ has allowed all sorts of terrible things to fester in the law.
Abdication of responsibilities
It is the responsibility of government (via judicial and law enforcement means) to enforce laws and prosecute people for breaking said laws. Whenever I see the "think of the children" argument from a government official it reads to me as nothing short of an admission that a government has failed in it’s duty and needs some new shiny toy that will totally let them solve a social/human problem that they have unsuccessfully "cured" for centuries, (via various means of punishment).
Their latest shiny toy is to stop trying to solve an unsolvable social/human problem and instead demand private institutions, not state institutions, successfully solve an unsolvable technological problem (and social/human problem) instead, or be held accountable for all wrongs committed by others.
The icing on the cake is that the private institutions will also be punished (directly and indirectly) if they fail to implement said technological solution perfectly (no data breaches, no unintentional access, no successful hacking of the system, no bribed employee giving access on the side, etc., etc., etc.).
It’s nothing less than "It’s too hard to do this right so it’s now your problem. No, we won’t pay you for it and if you fuck it up your 100% liable for all damages and costs. Heads I win, tails you loose. Nerd harder bitches!".
I know the quote is "any sufficiently advanced technology is indistinguishable from magic" but since fucking when was it apparently government policy to believe in magic?