Snoopers' Charter Could Mean Trouble For UK Users of Encryption-Capable Apps 174
An anonymous reader writes with a story at IB Times that speculates instant messaging apps which enable encrypted communications (including Snapchat, Facebook Messenger and iMessage) could be banned in the UK under the so-called Snooper's Charter now under consideration.
The extent of the powers that the government would claim under the legislation is not yet clear, but as the linked article says, it "would allow security services like the Government Communications Headquarters, or GCHQ, and MI5, or Military Intelligence Section 5, to access instant messages sent between people to and from the country," and evidently "would give the government right to ban instant messaging apps that use end-to-end encryption."
That might sound outlandish, but reflects a popular and politically safe sentiment: "'In our country, do we want to allow a means of communication between people which we cannot read? My answer to that question is: "No, we must not,"' [Prime Minister] Cameron said earlier this year following the Charlie Hebdo shooting in Paris."
The Charlie H killers were roommates (Score:5, Insightful)
They planned their horrific act over a kitchen table. They had no need for instant messengers, e-mails of Skype to talk from one end of the apartment to another.
Re:The Charlie H killers were roommates (Score:5, Funny)
Never underestimate the laziness of a person with a smartphone!
Re:The Charlie H killers were roommates (Score:4, Insightful)
They also have no way of distinguishing codes used in furthering their goesl. For instance we could nickname components of a bomb recipe the same as foods. "I'm having a party, what can you bring that we can put on the grill" could be a code for lets bomb something, got any explosives. And the response "nothing but i have plenty of eggs and bacon if I can stay over" could mean I'm in- no explosives but lors of ammo and guns. Someone else could chime in with "i need to stay over too and i have plenty of beer and some beef for the BBQ" could mean I'm in and have these components of explosives.
And all that can be determined over the kitchen table or in another country or whatever in advance. No amount of listening in will catch that before something happened and would be a shaky guess only pointing to a connection between people after the fact.
Re: (Score:3)
A long-established military practice. It's known as an 'idiot code,' and was vital for secure (or secure-enough) battlefield radio communications before encryption technology became practical for field use.
Re: (Score:2)
The chair is against the door.
Re: (Score:2)
It's an example of a code, pure and simple. (As opposed to a cipher.)
Re:The Charlie H killers were roommates (Score:4, Insightful)
See, we must have cameras and recorders in all homes to insure our safety. Freedom is just another word for less safe.
Re: (Score:2)
In addition to this - if you want to exchange sensitive information then do that in messages using steganography. Key messages on activities can be attached covertly to images or other bodies of text.
So the bad guys will still be able to get their messages through while good guys messages regarding commercial secrets may end up being leaked.
Re: (Score:2)
Re:The Charlie H killers were roommates (Score:5, Interesting)
"'In our country, do we want to allow a means of communication between people which we cannot read? My answer to that question is: "No, we must not,"' [Prime Minister] Cameron said earlier this year following the Charlie Hebdo shooting in Paris."
Cameron is asking the wrong (or a misleading) question.
The choices are communications you (GCHQ/MI5/etc) may not be able to decrypt, or communications that anyone may be able decrypt.
There is no 'secret sauce' method of making communications secure against common threats while simultaneously making them insecure to the government.
If the government can read the communications, so can any other interested party including, terrorists, foreign intelligence agencies, rival/foreign businesses, journalists, etc etc.
Including Cameron's own political enemies.
He may not like it if he gets what he's advocating for.
Strat
Re: (Score:2)
Do you really think there won't be an exception for the government to use secure communication? As the western world moves right on the political spectrum, we'll see more and more secretive governments who demand to know everything about their subjects. Been watching it here in Canada ever since the Conservatives got voted in (on an open government ticket). Expansion of police and spying agencies powers including blanket immunity from breaking the law. Increasing secrecy in the government, often using auste
Re: (Score:2)
Do you really think there won't be an exception for the government to use secure communication?
Not everyone for whom it is vital for politicians to communicate securely with are in government. Also, government does not operate in a vacuum. There are all manner and sorts of private contractors, suppliers, etc etc.
And this is without even discussing the effect on the security of online banking, e-commerce, and interactions between individuals and government.
It is impractical and self-defeating, as unless the exceptions are so broad they are meaningless, the whole thing is unworkable.
In other news, Came
Re: (Score:2)
Strategic partners of the government such as certain lobbyists will also be immune (or continue to interact in person as they do now to avoid any written records) and things like banking will be tapped at the server so communication over the internet will still be secure. Same with interactions with the government. What will be blocked is person to person encryption as well as communication with organizations who are not in the governments good side.
Re: (Score:2)
Do you really think there won't be an exception for the government to use secure communication?
Sure, for official government business. But what about communications within the Conservative party? Do you think that everyone at every level is going to be allowed unbreakable encryption for party use? What about for communications between MPs and their mistresses/corporate overlords/racist backers? Scandals become a lot easier if you can decrypt everything that MPs send and receive, and even easier if official business is all done encrypted but unofficial things are insecure.
Re: (Score:2)
He might not be taking about weakening encryption. He might mean banning apps where the service provider isn't involved in the crypto and thus can't decrypt messages on demand. Like Skype for example - it's basically secure crypto-wise, but since everything goes through Microsoft servers they can (and do) eavesdrop on any conversation they like.
Of course it's vulnerable to the server being hacked as well, but the crypto itself can remain "secure", you just can't choose who you share the keys with.
Re: (Score:2)
He might mean banning apps where the service provider isn't involved in the crypto and thus can't decrypt messages on demand. Like Skype for example - it's basically secure crypto-wise, but since everything goes through Microsoft servers they can (and do) eavesdrop on any conversation they like.
A weak implementation of crypto is just as bad as week crypto, though. In the case of Skype, for instance, Microsoft can force clients to (silently) downgrade from p2p crypto to server-mediated crypto for eavesdropping. Even if you consider the Russian and Chinese governments (who have access to this capability [google.com]) to be good guys this MITM capability is always at risk of being used by others.
Also there's little they can do about plugins like OTR [cypherpunks.ca]: they don't need to access a server so they can't be blocked, it
Re: (Score:3)
"The choices are communications you (GCHQ/MI5/etc) may not be able to decrypt, or communications that anyone may be able decrypt."
Actually I think that's exactly what he was gunning for, having followed the original announcements and speech. This Australian IBTimes article seems to be putting a completely different interpretation on what was said at the time.
At the time, Cameron was talking about increasing funding and tools for the security services, as such, it seemed pretty clear he was talking about bol
Re: (Score:2)
Cameron is a prick, there's no doubt about that, but he isn't stupid. Even he knows a ban on certain applications would never work.
Are you sure about that? Plenty of very intelligent people have blind spots with respect to aspects of computer technology. I wouldn't be at all surprised if Cameron fundamentally doesn't understand the problem, or if he does, he doesn't understand the consequences for the UK IT industry and online economy.
Re: (Score:2)
If the question was being asked of Gordon Brown when he was pushing the same thing back in 2009, I'd agree, he had no clue. But the thing to bear in mind with Cameron is that he's surrounded himself with tech advisors - from Ian Livingstone, BT's old boss, to Martha Lane Fox, founder of lastminute.com. He's also quite close to Google, having been a key driver in involving them with his Silicon Roundabout initiative. He's also spent a lot of time with Berners Lee on the open data initiative, so whilst I real
Re: (Score:3)
Re: (Score:2)
They planned their horrific act over a kitchen table. They had no need for instant messengers, e-mails of Skype to talk from one end of the apartment to another.
In that case we must ban kitchen tables! Just think of the children!
Re: (Score:2)
It's all theater.
Or something more sinister.
Re: (Score:2)
Dear Britons (Score:1)
Get in touch with your representatives and whack them over the head until they see sense. TA.
Re: (Score:1)
No, the voters want this. They are the ones who need a *damn good whacking*. And we should never let the majority vote away our rights anyway.
Cameron is a moron. (Score:1)
Do you want zero expectation of privacy in every aspect of your life, Mr. Cameron? Well, do ya? PUNK?
The end of on-line banking and shopping (Score:5, Insightful)
I sure as hell won't be giving any sites my credit card details if I can't encrypt them. No crypto, or easily defeated crypto means that ANYONE, not just the "good guys" can read my traffic.
Re: (Score:3, Insightful)
Someone ought to let manufacturers and vendors know that people will refuse to buy products shipped with holes in them.
Considering the number of international partners that the U.K. has in ALEC, it's not the citizens communications that most need to be exposed.
Re: (Score:2)
Re: (Score:2)
Someone should step out of this strange fundamentalistic limited capitalistic thinking that only companies can provide encryption products. The best encryption software is open source: GnbuPG for email, TextSecure and Redphone / Signal for chats and calls on Android cq iOS, SMSSecure provides a secure SMS solution. Sourcecode is freely available, no government backdoors present.
Re: (Score:1)
And, who, exactly is going to pay me to install such back doors in my applications?
Re: (Score:2)
it's not a case of paying you, you'll do it or you won't be allowed to operate in the jurisdiction, simple as.
Re: (Score:2)
Sensible. I go by the airgap solution for large amounts of data, otherwise for short messages, there's always the London Radio pad.
It will be interesting to see how much financial data diverts away from the Wharf if/when this does pass into law. I'm guessing most of it.
Re: (Score:2)
Your customers of course. At least it'll be fair as your competition will also have raise their rates to pay for the back doors as well.
Re: (Score:1)
Weak encryption, be it by using weak algorithms or blatant backdoors, is about as effective as no encryption at all.
E.g. WEP as security for your wifi. It's about as secure as an open network.
Re: (Score:3)
The point is that it doesn't matter. Either communications are secure, or they are known to be vulnerable. If they are known to be vulnerable, every trader and financial service on-line is now vulnerable to the resulting lawsuits, every professional identity thief and fraudster is going to have a party with UK citizens' data, and the UK on-line economy will collapse as a result.
The one thing I find reassuring is that actually going ahead with plans as absurd as the way the Snoopers' Charter is being describ
Re: (Score:2)
(Sorry, I missed an editing screw-up in the above. It was meant to say that either communications are secure or they are vulnerable, but if they are known to be vulnerable then those consequences follow.)
Re: (Score:2)
even significant parts of Cameron's own party are likely to vote against it and block the legislation.
Never underestimate the stupidity of politicians. Especially if they're being bribed, coerced or threatened (I don't know how UK politics works but here in Canada, going against the party line is a good way to get yourself backbenched.)
Re: (Score:3)
I don't know how UK politics works but here in Canada, going against the party line is a good way to get yourself backbenched.
That depends a lot on the circumstances here.
The Conservatives have a handful of very high-profile MPs, including at least one former leadership contender, who have consistently stood by their principles on this sort of issue. All of them would almost certainly rebel again this time.
On top of that, the Conservative government has a wafer-thin majority, and there are plenty of back-benchers who would not be sorry to see the Cabinet members given a bit of a bloody nose at this early stage in the new administr
Re: (Score:2)
Re: (Score:2)
Except that we already have massive data breaches via security holes that weren't intentionally-created government backdoors. Why would anyone but an idiot believe that the same group of criminals won't also be able to discover and exploit the ones put in intentionally?
They have no intent to ban Whatsapp and others ... (Score:5, Interesting)
They know that a ban on Whatsapp would be immensely unpopular and would make millions of people realize how stupid their drive against encryption is.
Instead, their intent is to force Whatsapp and others to voluntarily hand over the communications of their users, much like Blackberry (reportedly) agreed to do for countries with regressive regimes.
Re: (Score:2)
People will just move to messaging systems where the vendor never has the key. There are plenty of choices already available.
We have seen this happen already with mass surveillance. The more they tighten their grip, the more people fall through their fingers.
Re: (Score:2)
No, that's the point. The reason why iMessage, Facebook Messenger and SnapChat would be banned is exactly because these are messaging platforms where the vendor does not have the key.
The government wants to ban such messaging platforms.
Re: (Score:2)
Re: (Score:2)
Blocking WhatsApp would be done by blocking their messaging servers. Preventing the software from entering the country is, of course, impossible. But if you can't send any messages with it it's useless.
Re: (Score:2)
Until WhatsApp counter with a decentralised network.
Re: (Score:2)
Which they won't do. They'll either comply (probably by just disabling the encryption layer,) or pull out completely.
Remember, WhatsApp (and other such companies) aren't in the business of social reform. They're in the business of making money. The only way they would go to the effort of decentralizing their software (or any significant change) is if they thought it would provide a reasonable ROI (which may be in the form of stifling losses as opposed to producing profits.)
I have significant doubts that
Re: (Score:2)
Some will comply. Some won't. It's not just the UK that poses such an issue for them - if the UK starts, every repressive country in the world will be hurrying to copy, starting with China and followed quickly by Russia. It's not practical to comply with many different laws in different countries, and the inability to promise confidentiality means a loss of business contracts - not a big deal for WhatsApp, but a big problem for Skype.
Re: (Score:2)
Absolutely, which is why "pull out" is another option if they feel they can't comply. My real point is that attempting to subvert the law is probably not going to be the choice they make. Taking that tack is a lot of risk for very little payoff, which may be worthwhile for political reformists but less so for businesses.
Though that brings up a more interesting issue -- what happens if they decide to comply in some way other than "no encryption?" Do they now have to figure out ways to generate separate ke
Re: (Score:2)
On this issue, I honestly wouldn't be surprised if the tech companies stood side by side and said "fine, the UK gets no chat apps if the UK won't allow end to end encryption".
Re: (Score:2)
Right, but what will actually happen (hopefully) is that the law will come into force, and WhatsApp, SnapChat, Apple, Google and Facebook will all say "okay, well, all your chat apps are now unavailable, sorry".
As you rightly point out, that'll make the law immensely unpopular, and hopefully it'll get repealed.
Re: (Score:2)
Correct - the way the UK repeals a law is to make a new law saying "sections x to y of the blah blah act of 2015 shall be held delete".
Re: (Score:2)
British people who want to continue to use WhatsApp can continue to use WhatsApp by moving to China. British people will still have a choice.
Re: (Score:2)
What about medical records? (Score:5, Insightful)
Re: (Score:2)
Fax?
Other than that.. hand-waving and magic. Government officials (in every country) that come up with these plans seem to be under the impression that its possible to have a government back door while still being generally secure against everybody else.
Its dreadfully obvious that these people don't know the first thing about computer security, but unfortunately only to people who DO know the first thing about computer security. The Dunning-Kruger effect [wikipedia.org] is in full force when it comes to politicians creat
Access (Score:3, Insightful)
Get an interception warrant. The government has access to enough legal vehicles for dealing with people obstructing justice and it's not as if there isn't a case for encryption already. It is illegal to open mail that is not addressed to you. The difference is that where an envelope reminds the holder to respect another persons privacy, encryption enforces a persons right to privacy.
Governments are not too happy with things that put peoples rights firmly with the people who own the government in the first place.
Re: (Score:1)
The people don't own the government. They sell it off to the higher bidder in the biennial auction... errr. I mean election...
Not a Call for Insurrection at all! (Score:5, Insightful)
Just ten or twenty years ago a sitting politician saying this in a "democracy" and expecting to keep his job would be unthinkable.
Re: (Score:3)
Just ten or twenty years ago a sitting politician saying this in a "democracy" and expecting to keep his job would be unthinkable.
Oh really? CALEA is 21 years old in the US and yet neither Bill Clinton nor anyone in Congress lost their jobs over it.
Re: (Score:2)
Thanks for the info; I knew there was only one place to get training to become a police chief, but I didn't know why -- I assumed it was simply survival of the fittest (school.) A duckduckgo search on "calea" filled me in.
Re: (Score:2)
But yet it will not hurt his chances of keeping his job any. People care little for their rights, they take them for granted. The electorate has changed greatly in the last 4 decades. Scandals that once destroyed political careers are now shrugged off.
Re: (Score:2)
I put "None of the above, they're all criminals" in the margin. So don't blame me.
If you're not doing anything wrong... (Score:2)
Don't worry. If you're not doing anything wrong you have nothing to worry about, until the government decides to ban whatever it is you're doing.
Re: (Score:2)
There are legitimate reasons to have secrets. If i came into a bunch of money, I wouldn't want every crack addict knowing it. If my wife cheated and we worked it out, I wouldn't want everyone knowing about it. If i was looking for aother job, i wouldn't want my employer to know about it until I gave them notice. If the government has a back door, it is only a matter of time before others have access to it too.
Re: (Score:2)
What kind of phone does Cameron use? (Score:5, Insightful)
In our country, do we want to allow a means of communication between politicians which we the citizens cannot read? My answer to that question is: No, we must not.
Re:What kind of phone does Cameron use? (Score:4, Insightful)
The government is damage (Score:1)
We must work around it, circumvent it any way we can. When our rights can be voted away, majority rule has hit a brick wall
Call it what it is (Score:4, Insightful)
Re: (Score:2)
Maybe Pooper Snooper. Has a good ring to it.
Re: (Score:2)
Snooper's Charter sounds even more ominous to be honest. At least a "firewall" has some implication of protection even if everyone knows its true purpose.
"Snooping" on the other hand has pretty much purely negative connotations since early grade school for most people.
Then again, its kind of refreshing that the government is at least being honest about the purpose of the program. If it was in the US it would be called PINKUNICORN or some other absurd backcronym created purely to sound "nice" in print with
Re: (Score:2)
Then again, its kind of refreshing that the government is at least being honest about the purpose of the program. If it was in the US it would be called PINKUNICORN or some other absurd backcronym created purely to sound "nice" in print without giving away its sinister underpinnings
The government calls it the Communications Data Bill, Snoopers' Charter is the name given to it by the press.
It can never happen (Score:2)
For all the good reasons already posted here. Which just goes to show how out of touch most politicians are.
What's really funny is that "Joe Poster" imagines that it will happen and thinks up endless ridiculous scenarios.
Encryption is a human right. (Score:2)
Re: (Score:2)
Protection from self-incrimination is an individual right.
Your turn, Internets.
Re: (Score:2)
in the United States, the individual right is protected by the Fifth Amendment. In England it is a protection guaranteed by Clause 29 Magna Carta 1297.
Your turn, Internets.
A question I've not yet seen answered (Score:1)
How does the government intend to prevent illegal encryption being hidden inside legal, weak-sauce encryption, without systematically cracking all of the latter? Note that such actions entirely pre-empt the promise to only handle private data with per-case permission from a court.
Re: (Score:2)
Back to telnet then.. (Score:1)
Bye SSH.
Re: (Score:2)
Who's going to be the one breaking it to the banks that they have to employ tellers again 'cause people can't use online banking anymore?
And, more important, may I be there to enjoy the reaction?
Re: (Score:2)
People could still use online banking under their scheme. It's just that all the certificates for bank servers would have to also be provided to the govt so that it can spoof the connection and execute a MITM if they want to intercept.
Re: (Score:2)
Just wait 'til word gets out that government can spy on all your online banking. I have a feeling a LOT of people will return to doing offline banking.
And trust me if I tell you that, banks do NOT want that!
Not only is this stupid... (Score:1)
if England wants to get off the net, just say so (Score:2)
because their no-encryption stance will force it.
oh, and internal communications in their corporations with encryption in the data centers... shut those boys down, they're criminals! GHCQ said so.
Shades of a color - er, colour. (Score:2)
Cameron sounds like the Donald Trump of the UK, except scarier - he's already been elected.
Camoron strikes again (Score:2)
I can't encrypt my data in the UK? Then I guess I have to take my business elsewhere.
Seriously, how long will you allow this idiot to cripple your economy along your privacy?
If encryption is illegal ... (Score:1)
Never (Score:2)
...underestimate the power of a one time pad and Radio Londres.
(not necessarily a radio, there's also the option of snail mail or just sending what appears to be nonsense strings via email or IM and using an OTP to decode...)
The point is you can encrypt using a non-repeating cipher AKA one time pad and in about oh, three seconds destroy that pad if need be.
"The pigeon has flown. Jack Bauer has bitten the ear off the dog. Leaky faucets trip horses."
^Decrypt that, motherfuckers.
Re: (Score:2)
The issue isn't that they will ban encryption- they can't for physical / mathematical reasons. But they CAN fuck with anyone trying to both sell a product, and add freely available encryption to that product. That's their attack point. It could be trivial to turn on a well documented open source algorithm, but the government leans on them until they turn it off and remove all user hooks. Once only techies can encrypt, it becomes much easier to strong arm them based on their encrypted traffic sticking ou
It is not about petty criminals (Score:2)
Such events bring countless tragedies to millions or even billions. And it is all about trying to und
Let's wait for some actual details (Score:2)
1) The recent government sponsored report into this matter [independent.gov.uk] came out very clearly against suggestions that encryption should be controlled. But, governments are good at ignoring reports which don't say what they wa
Re: (Score:2)
I wonder why successive governments seem to want to put themselves into this particular firing line. It's as if Obama periodically gets a call from the NSA saying "Hey, go call the limeys and make sure they're doing as we asked". Us Brits then have to "look busy" but then get these things defeated by a small margin so that we can say "we tried really, really hard".
Lets turn this around... (Score:4, Interesting)
Since governments have historically killed more people than any group (terrorist or not), shouldn't the law be that governments shouldn't be allowed to hide any communications from the people?
Exposing all the cases where government employees are "feathering their own nests" would be a nice side benefit.
Re: (Score:2)
If they have nothing to hide it shouldn't be a problem.....should it?
Re: (Score:2)
Or maybe a lot of government officials will go to jail.
Re: (Score:2)
It should be pretty easy to design meta-apps that encrypt the traffic of the mainstream apps, if those app makers cave to dumbass laws like proposed.
I imagine script kiddies will be able to assemble and distribute new variants of encryption meta-apps on about a 10 per day new ones basis, using proven open-source code libraries as the core encryption tech.
Re: (Score:3)
The reason people with a clue don't use this kind of method is that it's inefficient. Instead of collecting everything and sifting through it they concentrate on potential problems. That way they can intercept threats before they cause damage. With mass collection of everything they can't possibly know what they're looking for until after an event. Once damage has been done they go to their database and find what happened. Great for forensics but shitty for protection.
Re: (Score:2)
Mass collection. Think "landfill". You've lost something, and you think it MIGHT HAVE ended up in the trash can. Problem is, the garbage truck picked up the trash yesterday. You can go to the landfill, and search for it. In fact, you might even get the garbage truck driver to show you where he dumped the truck, narrowing your search considerably. Even then, good luck with that. So much for "mass collection".