Real people don't need end-to-end encryption says UK Home Secretary
uk.businessinsider.comBasically she's saying chat apps in the UK shouldn't be allowed end-to-end encryption.
So the terrorists will setup a chat system that look like payments.
In the mean-time, the UK government will use our chat to identify harmless political dissidents, groom them online and then fail to incite them to violence. Given previous performance, they will meet some of their targets, get a few pregnant and then get sued 20 years later when someone reports on how idiotic the police and spies really can be while everyone sane scratches their heads about the targeted pro-solar-power "terrorists", who happened to piss off Lord McOil who had a quiet chat with his Eton buddy in GCHQ which got them classified as dangerous.
After 5 years, Boris, our new PM, will decide to give government departments access to find benefit cheats and illegal immigrants. The system they'll build will cost more than they recoup and will be a drop in the bucket compared to what they could have recovered if they had spent 1/10th of that money chasing rich tax dodgers.
A couple of years later, they will give councils access to the whole country's chat to try and catch some fly-tippers.
In this time, the civil servants will actually use the system to stalk ex-girlfriends, random crushes and celebrities or spy on wives and husbands.
Eventually, some civil servant will accidentally leave a hyper-storage-cube on the bus containing the last 5 years of everyone's chat and it'll turn up on 4chan.
The resulting misery and damage will be justified by the government because they once caught a "terrorist" who was standing in the street screaming "Allah is great" and stabbed a policeman. In reality he was a normal guy who had suffered from Bipolar Disorder but the NHS couldn't afford to treat him and classified him low risk, so ended up having a breakdown.
Say a smartphone app ran both an https client and server. For users to send each other messages, they connect to each others servers. That's end to end encryption, right? And looks identical to the type of encryption they'd still allow right? What have I missed?
I guess once it gets popular, they just force Apple and Google to remove it from the apps store. So it has to be a web site with all the http server running in javascript/web assembly. I guess you still need a central server to let clients find each other in the first place. They could block that at the DNS level.
I'd use bank accounts, PayPal or money transfer with small transactions and a one time pad to signal. They'll never ban bank accounts and it'd be hard to find signals amongst the noise. Or you could just use pgp and paste it into whatever app you want. Pandora's box has been opened, its remarkably naive to try to ban secrets at the same time as hoarding an unprecedented number of signals.
Obviously you can't intercept signals from someone using outlawed encryption, a one time pad or no direct messages. I'm not sure the stated goal (stop evil terrorists) is the real goal though - reading almost all communications and selective leaks is just such a useful tool for things like subverting democracy, throwing elections and controlling politicians.
> reading almost all communications and selective leaks is just such a useful tool for things like subverting democracy, throwing elections and controlling politicians.
Maybe someone out there needs to air her dirty laundry secrets that she's projecting on the rest of the population?
> I guess you still need a central server to let clients find each other in the first place.
Would you? Couldn't you have a list of servers stored in localstorage, and bake the initial list in a bunch of seed copies?
Alternatively, use pastebin or imgur or something like that for your "central store" to pull from initially, then store everything in localstorage after.
The follow up bill which makes it mandatory to have government spyware on all https servers?
They can't do that because it would require major open source web servers to be forked. There's no way they're going to persuade operators in other countries to run UK government spyware.
> They can't do that
Well, it works for China, so I don't see why it wouldn't elsewhere.
As a techie, I'd like to believe that there are limits to what can be passed as law, but the history shows that it is not so. Just because something is technically impossible doesn't mean it can't be required by law, with all the consequences for not complying. It's uterly futile to go against the people in power with technology or even science alone. The best you can hope for is for you and me, personally, avoiding problems. For a time.
Kazakhstan already did it. All they have to do is force browsers to accept a CA that then MITMs everything.
Yes, UK can just enforce that all SSL certs come from their CA. If they find an invalid SSL cert, they come arrest you, shut you down, or confiscate your equipment (or all 3!)
:) The Black Mirror of HN comments
Black mirror is fiction.
https://www.theguardian.com/uk/2012/jan/20/undercover-police...
I'd have to disagree. Black mirror is gradually being shown to be fact.
How could they prevent terrorists to develop their own end-2-end encrypted chat app?
... or connecting with SSL to an overseas server under their control ?
Jailed for use of an illegal encryption scheme. Welcome to the future.
Not just the future: https://en.wikipedia.org/wiki/Illegal_number
They can't but if they catch you they can throw you in jail regardless of whether they can decrypt what you've transmitted or not.
So you have the choice of either getting thrown in jail or to give up the keys.
that was beautiful.
I wonder how many whatscrap groups are there for fly-tippers.
The problem is largely the UK's lack of a constitution. There are no checks or balances in the UK. Parliament can literally do anything they want. The courts can't block Parliament. Parliament can just abolish the courts. The house of lords can't stop the house of commons, the commons can just override the lords. The queen won't veto the commons because she fears parliament will just abolish the monarchy.
I'm really not trying to be pedantic, but that's not true. The UK has no written constitution but it does have a constitution. It's important to make the distinction because it is entirely possible that this proposal is unconstitutional (and I wonder if that's why the Home Secretary is asking for companies to voluntarily adopt it rather than passing legislation).
It smells unconstitutional to me because it is an attack on individual sovereignty and the right to privacy. I would love to hear an expert or two give their opinion on the matter.
There's no entrenched right to privacy in the domestic constitution. The Human Rights Act has, though, brought Article 8 of the European Convention on Human Rights into UK law:
> 1. Everyone has the right to respect for his private and family life, his home and his correspondence.
> 2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
[Note the exceptions, which are (by design) wide enough to drive a bus through]
An Act of Parliament restricting end-to-end encryption for the expressed purposes of preventing crime and preventing terrorist atrocities would fairly clearly be constitutional, I think. Even if it was ruled incompatible with the ECHR, the courts have no power to overturn primary legislation - just to punt it back to Parliament with a declaration of incompatibility.
If a minister tried to do it without Parliament under the royal prerogative or secondary legislation, I think the chance of it being overturned as unlawful are somewhat higher.
I'm a political scientist, not a lawyer, mind.
I broadly agree with what you're saying. I think both cases could be argued as constitutional because they both protect sovereignty in different ways: the right to privacy protects you in your own home, the right to gather intelligence protects you in public (or so the argument goes).
I think the larger problem is that the British people either don't care about - or don't understand the implications of - losing encryption. Either they don't believe their privacy will be affected or they don't imagine that they have anything to hide from the 3rd parties, be it the authorities, corporations, or criminals.
I suppose one could argue that the British constitution is working correctly as it is malleable enough to flex with attitudes, but we also know that the attitudes of politicians are diverging quite substantially from the people they claim to represent.
I also wonder if the constitution itself has become increasingly weak and irrelevant, and if it has, is that because the Monarchy, whose sole purpose is to live and breath the constitution, have become increasingly weak and irrelevant.
The commons can withdraw from the ECHR. I am not saying that Parliament is not a check on ministers. I am saying that there is no check on Parliament. A simple majority of parliament can pass anything and there is no entity that can stop it from becoming law.
The Queen.
A withholding of assent could bring a constitutional crisis, but it's possible [1].
"on the advice of her ministers"
Sure, but couldn't a single cabinet member advise the Queen to withhold assent? As long as they made a compelling argument, the Queen could do so. I'm not claiming this is likely or desirable, only possible in the most extreme situation.
It's generally thought she can exercise her reserve powers precisely once, before they (or the monarchy) are removed for good. Personally ordering the armed forces not to take some antidemocratic action demanded by her ministers in a time of crisis is the most likely scenario, I think.
As with much else in the constitution, the 'on the advice of her ministers' is normally (binding) convention rather than statute.
As an anecdote related to this, there is a law that came into force in the UK in 2009 which made illegal drawings showing fictional characters who appear to be under 18 engaging in sex, or in the presence of sex. A similar law came into force in the United States (the PROTECT act), and it was stricken down by SCOTUS because a clause making illegal drawn pornography turns out (unsurprisingly) to violate the constitutional to free speech. Currently there are about 20 prosecutions per annum (and it is rising) under this law in the UK. I don't think this truly hideous law will be stricken down by a court (even the ECHR, which is May's sworn enemy) nor will it be repealed by parliament, because nobody cares about disgusting speech.
> As an anecdote related to this, there is a law that came into force in the UK in 2009 which made illegal drawings showing fictional characters who appear to be under 18 engaging in sex
So you're saying that watching most hentai is borderline illegal in the UK? That's crazy.
I wouldn't say most, but a good proportion is, even possession of it. The catch is that the character has to give the "predominant impression" of being a child, so they can have non-child like features (such as slightly larger breasts, antennae (as was mentioned during the debate) etc.) and still be counted under the law. And you think you can encrypt to get away from it? No chance! If you refuse to hand over your keys to an encrypted volume you can face a maximum of 4 years in prison.
> If you refuse to hand over your keys to an encrypted volume you can face a maximum of 4 years in prison.
The requirements for getting you to hand over your keys are a bit stricter than "they ask for them". The long and complex law is here: http://www.legislation.gov.uk/ukpga/2000/23/contents
The RIPA sentences for failure to handover passwords is either 2 years or 5 years. It's 5 years for child indecency cases, but the relevant laws are listed in subsection 7, and it doesn't include The Coroners and Justice Act of April 2009. (And that only applied to England, Wales, and NI. It doesn't apply to Scotland.)
It's not clear that most hentai is made illegal by the C&JA2009. See below.
http://www.legislation.gov.uk/ukpga/2000/23/part/III
I don't think RIPA mentions the Coroners and Justice Act, so I don't think they can force you to reveal passwords for those images. But maybe I'm missing some changes?(7)Those provisions are— (a)section 1 of the Protection of Children Act 1978 (showing or taking etc an indecent photograph of a child: England and Wales); (b)Article 3 of the Protection of Children (Northern Ireland) Order 1978 (S.I. 1978/1047 (N.I. 17)) (corresponding offence for Northern Ireland); (c)section 52 or 52A of the Civic Government (Scotland) Act 1982 (showing or taking etc or possessing an indecent photograph of a child: Scotland); (d)section 160 of the Criminal Justice Act 1988 (possessing an indecent photograph of a child: England and Wales); (e)Article 15 of the Criminal Justice (Evidence, Etc.) (Northern Ireland) Order 1988 (S.I. 1988/1847 (N.I. 17)) (corresponding offence for Northern Ireland).]http://www.legislation.gov.uk/ukpga/2009/25/part/2/chapter/2
I'd suggest it could be argued lots of hentai fails (c).(2)A prohibited image is an image which— (a)is pornographic, (b)falls within subsection (6), and (c)is grossly offensive, disgusting or otherwise of an obscene character.(5)“Child”, subject to subsection (6), means a person under the age of 18. (6)Where an image shows a person the image is to be treated as an image of a child if— (a)the impression conveyed by the image is that the person shown is a child, or (b)the predominant impression conveyed is that the person shown is a child despite the fact that some of the physical characteristics shown are not those of a child.Thank you for your clarification as to the law on key disclosure. I was sloppy when I said "UK" and I did not exclude Scotland. NI also has a separate law of their own for this, too.
> I'd suggest it could be argued lots of hentai fails (c).
I'm not so sure. Perhaps images that don't display any act of sex taking place, and just nudity or even swimsuit (e.g ecchi) would qualify, but most hentai does display acts of sex taking place. Either way, might the subject, being a "child" hold sway on whether it is considered "disgusting" or not? I'd think it would.
>the predominant impression conveyed is that the person shown is a child despite the fact that some of the physical characteristics shown are not those of a child.
Yes, this is the part that I was talking about when I talked about breast size and antennae.
Either way I am wholly opposed to such a law, and I think the arguments used to support it are weak.
People may care about (what others may consider) disgusting speech, or they may find it disgusting themselves but they care because of the principle of free speech, but the problem lies in coming out and saying so. Defending drawn porn of minors is harmful to your career at best — for some it can mean the end of relationships, getting ostracised by friends and family, and being persecuted, slandered, and stalked online by people who feel very strongly about such topics.
Even for the most battle-hardened politician near the end of their career, this issue is a minefield.
I was about to mention this, but I thought it seemed too obvious. Nobody wants to come out and say that they are in favour of such material, especially to decriminalise it, except maybe a fringe party such as the Pirate Party. I have heard it may be similar to the law in Japan mandating that genitals be censored - no politician, Japanese or otherwise, wants to be "the one" to stand up and argue against it, I think anyway.
So perhaps "people don't care" isn't sufficient and a mistake on my part, though I have spoken to people who say that they are "not concerned" about the topic, despite being rather liberal in terms of freedom of expression otherwise.
The US has shown with the NSA and FISA courts that a constitution will not prevent practices like this.
It's a necessary but not a sufficient condition. That doesn't make it useless.
I think the US proves that the "constitution" as any mechanism for safety is absurd. It's ignored or abused when it's convenient.
The problem is that the protections of civil liberties work for for the times and contexts under which they were formulated, but they are not adapted to evolving technology and culture as frequently as efforts to circumvent them.
It's reverse hill climbing via million slippery slopes.
> The problem is that the protections of civil liberties work for for the times and contexts under which they were formulated...
The people who wrote the US Constitution and its Bill of Rights survived a time when the most powerful army in the world was marching through their backyards. I have no doubt they had that in mind when they were writing freedoms into law.
How is that relevant? The salient point in the comment you quote is "they are not adapted to evolving technology and culture." It doesn't matter how clever the founding fathers were, or how much foresight they had. They could not have anticipated the realities of today.
I wish I could give you more upvotes.
Right, because constitutions don't generally have a mechanism to be amended? And the judiciary in countries with constitutions don't tend to apply constitution to areas that they were clearly never intended e.g. encryption.
The idea that the UK parliament would abolish courts doesn't really need addressing, it's so absurd. I take it you're also aware that we regularly (some would say too regularly) democratically elect parliament? That's usually consider a check if not a balance.
The problem isn't the lack of a UK constitution or any of the other specious arguments. The problem is that a large number of people, very probably the majority, either agree with this idea or simply don't care. At the very least they don't care enough to make it an important issue in a general election and we've just had a couple.
Even if a large number of people want a particular restriction in the US it does not always become law even if passed by congress. This is never the case in the UK. If the commons passes something it is law. Amending a constitution is generally extremely difficult and requires a very high bar, and has to be approved by the court. It is not just the lack of a constitution that is dangerous in the UK it is the total lack of separation of powers. The courts are not really independent. Parliament passes laws that change how the courts work all the time. The constitutional reform act that created the supreme court of the UK was passed with a simple majority of Parliament, and it can be repealed with a simple majority of Parliament.
You should check out Venezuela's constitution
You should check out Israel's.
> Companies are constantly making trade-offs between security and 'usability', and it is here where our experts believe opportunities may lie.
Amber Rudd's "experts" couldn't prevent a simple brute force attack on her own parliament that would have easily been mitigated with 2FA (https://www.theregister.co.uk/2017/06/26/parliament_email_ha...)
> Real people often prefer ease of use and a multitude of features to perfect, unbreakable security. So this is not about asking the companies to break encryption or create so called "back doors". Who uses WhatsApp because it is end-to-end encrypted, rather than because it is an incredibly user-friendly and cheap way of staying in touch with friends and family? Companies are constantly making trade-offs between security and "usability", and it is here where our experts believe opportunities may lie.
lol what a terrible argument.
> suggesting that E2E encryption hinders usability
> points to the massive number of WhatsApp as proof
Actually I think it's a pretty devious argument. This is effectively saying that most people value convenience over security & privacy. Given the track record of corporate surveillance and ad supported content this is absolutely correct. After all WhatsApp users are already OK with Facebook collecting their metadata for advertising purposes.
>After all WhatsApp users are already OK with Facebook collecting their metadata for advertising purposes
They aren't either OK or not OK. The overwhelming majority of WhatsApp users simply don't know. They don't even think about it. In fact, the average user doesn't even know that WhatsApp is owned by Facebook, or even that it used to be a paid subscription
She's basically saying you could remove E2E encryption from WhatsApp and a significant number of people would still use it willingly. Most wouldn't even notice the difference.
And she's alarmingly right in that regard.
"So, there are options. But they rely on mature conversations between the tech companies and the Government - and they must be confidential"
i.e. backdoors. Trust us, we are the government!
That's such bullshit. If anything only government conversations conducted by public servants should be made public and private conversations should be, well, private.
Dear UK secretary: your department lost credibility to talk about "real people" needs when the UK police helped Murdoch's "News of the World" to hack into "real people" phones.
But I don't expect you to understand your own responsibilities so let's just wait until Vladimir Putin hacks into any server containing your private information. Then UK politicians will understand.
Nah, she's an "important" politician, so she's not "real people", she's allowed to use encryption. Phone hacking? Well celebs are not real people either, they should be able to apply to use encryption, in her mind.
Not just celebs:
https://en.wikipedia.org/wiki/Murder_of_Milly_Dowler#Voicema...
real people don't need UK Home Secretary.
Banning encryption won't hurt the bad guys since they can always use codes. I believe the Sept 2001 terrorists used terms like "birthday. Are", "candles" (for the WTC) etc.
It will simply destroy the privacy of ordinary people who set up a dinner or buy a birthday present for their kids
"Having two identities for yourself is an example of a lack of integrity" - Zuckerberg
Zuckerberg lecturing anybody on integrity is really weird.
I don't think her statement actually says "real people don't need end-to-end encryption". I'm not sure what she is saying though. Not banning end-to-end encryption, not asking for back doors, but having "mature conversations" that have something to do with trade-offs between usability and security. What?
These conversations are about being able to decrypt the conversations without using the term backdoor. The government will see them as mature if it is given access.
And I thought the BBC article was bad enough. This is just appalling.
"Real people" just use ROT13...
Real people keep their heads down, don't question authority, and don't cause trouble.
As demonstrated in this camera footage, terrorists do not use WhatsApp to plan attacks. They meet in person - without their phones:
http://www.independent.co.uk/News/uk/home-news/london-attack...
What politicians do not understand: - if we are forced to chat unencrypted, terrorists will communicate in "code": "the eagle will fly today" means "attack now!" - terrorists did successful attacks before the internet and before smartphones and do not need encryption - terrorists do harm because they are harmed. Stop harming them and they will leave you alone.
> terrorists do harm because they are harmed. Stop harming them and they will leave you alone.
That is a huge oversimplification.
Terrorists do harm because they see a political value in harming others. For proof, look no further than the domestic terrorists who have bombed abortion clinics and shot doctors who worked there, or who have threatened to do same. All while being backed by religious organizations, who are just as culpable for the results.
Sure, these people might not be called terrorists, because the FBI has to abide by laws of free speech, etc., but they are just as much a terrorist as any person looking to wage jihad.
----
See this article for the FBI's explanation of not calling a terrorist a terrorist: http://www.huffingtonpost.com/entry/fbi-terrorism-label_us_5...
It'll be interesting in 10-15 years when the US is one of the few countries left that allow unfettered access to encryption, VPNs, secure messaging, etc.
How does the saying go? "The dark night of fascism is always descending in the United States and yet lands only in Europe"
its only a matter of time before the USA outlaws these also. I know the agencies are itching for it. Even though it would be unworkable.
Doubtful. Much of this is protected by the 1st amendment, since code was recognized as speech.
https://www.eff.org/deeplinks/2015/04/remembering-case-estab...
Keep dreaming.
Forced to choose between the agencies and big business who do you think the legislators will choose? Sure they can side with the agencies but if business isn't on-board with that checks will get written and there will be new legislators.
I hope the agencies force the choice. It gives the legislators a chance to do all the things they should have done after Hoover left.
I really do hope you are right.
I do remember Big Business complained about HTTPS use, coz it blocked them "hoovering"/vacuuming up customer info. (excuse the pun)
Also, the Govt has liaison people with some of the Big Corps. Not to mention big corps give big checks to both sides, as routine, there is no financial hurt on the Pol Parties ever sadly. ATT for instance gets paid millions to give up the data.
Update: I just read Amber Rudd (UK Pol goon) created the "Global Internet Forum to Counter Terrorism with Facebook, Microsoft, Twitter and YouTube (Google/Alphabet, Inc.) and asked them to remove end-to-end encryption from their products "
Hilarious! Let's criminalize privacy and ask pointed questions to those who seek it.
Staggering double speak from Orwell's own land. Who would have thought.
Question: Is a terrorist more a threat to civilization or these closet totalitarians crawling out of the woodwork?
Orwell wrote 1984 as a warning. Not an instruction manual.
History shows real people don't think they need things like end-to-end encryption until after their government starts taking it from them.
I realize the article was about the UK, but this entire encryption/spying issue certainly applies to the US as well. My comments are regarding the US because I don't know enough about the UK's laws and general situation to speak on it.
The cat is out of the bag. End to end encryption that is very easy for the average user to use exists. There's no going back. These terrorists that they are so worried about are going to use it (if they have any common sense), even if it is outlawed somehow. Making it illegal or extremely difficult to use is the same as gun control - the criminals are still going to break the law because their end goal is a crime far worse and if they are willing to commit that crime then they are surely willing to commit the lesser crime of not getting a license for a weapon or possibly using end-to-end encryption.
In the US we supposedly have the 4th amendment to protect against this NSA spying criminality. The 4th amendment protects against both search and seizure. The giant dragnet they use to sweep up all communications over private channels is supposed to be a crime without a warrant. And when done in bulk it should be easily considered a mass, rank violation of the 4th amendment. For example, in the case of your cell phone, you agree to allow a private business to forward your data and communications. They theoretically can access it all, including your GPS because of the cell tower triangulation. That should be understood as necessary to providing the base service. But your agreement is only with the telecom provider, not the government. The government just decided to stick it's head in and declare itself to have a national security interest in the data of not just you, but everyone in the entire nation, and demanded access to it all.
What's worse is that these programs have not been proven to actually stop terrorists: https://theintercept.com/2015/11/17/u-s-mass-surveillance-ha... http://www.nbcnews.com/news/other/nsa-program-stopped-no-ter...
In fact, based on my memory, every instance of a thwarted attack has been the FBI actually communicating directly with alleged terrorists using undercover agents. This is how actual investigative work has historically been done. They followed up on tips, evidence, etc. and followed the leads and performed a real investigation and followed the proper warrant protocols. And doing it "the hard way" has yielded them more terrorists in handcuffs than the NSA.
The results are so abysmal for the PRISM program and it's siblings, that it begs the question whether or not stopping terrorists is even the real purpose. Personally, I have never thought it was the main goal. Sure, they might catch some, but I think the real purpose is to make sure no one poses a political threat. If anyone starts to get out of line or cause too many problems, they can just rifle through all their data they have on you and find something to use against you. How many people are clean enough to escape that? Ever, even once, downloaded an illegal mp3? Ever watch a movie on an illegal, streaming tube site or use torrents? Ever cheated, even a little on your taxes? Ever cheated on your spouse? Have a porn fetish that others may find unsavory? In the closet? Are you fully in compliance with every housing regulation? Have permits for every little thing that legally requires a permit? Have any secrets that aren't illegal but may be embarrassing? Done anything that isn't illegal but people would look upon with disdain? It might just be used against you.
E2E is only easily accessible to regular users because because you can install Signal straight from the appstore. It can be made much less easy by a sufficiently determined government.
Did she really use a "No True Scotsman" argument to say the Scots don't need privacy and security?
We the people will let you know what we need, servant.