Did David Cameron Just Say He Wants To Undermine All Encryption In The UK?
from the not-thinking-it-through dept
Techdirt has recently reported on New York's top prosecutor calling for laws against strong encryption on smartphones. This is part of a larger move by the authorities on both sides of the Atlantic to demonize this technology, as we noted before. In the wake of the murders in Paris, many of the same politicians and officials have lost no time in calling for more surveillance, again in both the US and Europe. One of those doing so is David Cameron, who said that, if re-elected in the UK general election in May, he would bring in an even more intrusive version of the Snooper's Charter -- one that sought access not just to everyone's metadata, but to the content of their messages too. This is how he phrased it:The question is are we going to allow a means of communications which it simply isn’t possible to read. My answer to that question is: no, we must not.Leaving aside the fact that Cameron seems to be saying that he wishes to make privacy impossible and/or illegal in the UK, one key question here is: how does he intend to do this? Neither the UK government nor the Conservative party offered any clarification about this election "promise," which has inevitably led to speculation. For example, The Independent newspaper wrote as follows:
David Cameron could block WhatsApp and Snapchat if he wins the next election, as part of his plans for new surveillance powers announced in the wake of the shootings in Paris.None of those programs was mentioned by Cameron in his speech. But many other news outlets have taken that speculation and reported it as if it were certain; others have interpreted his comments to mean that Cameron aims to ban or perhaps backdoor all strong encryption. It's quite possible that Cameron and his advisers have not thought this through, and simply assume there must be some clever way to give access to the content of encrypted services without undermining them. But as Techdirt has emphasized before, there is no "golden key" that can be used by just the authorities and no one else.
The Prime Minister said today that he would stop the use of methods of communication that cannot be read by the security services even if they have a warrant. But that could include popular chat and social apps that encrypt their data, such as WhatsApp.
Apple's iMessage and FaceTime also encrypt their data, and could fall under the ban along with other encrypted chat apps like Telegram.
UK services and users can be forced by the Regulation of Investigatory Powers Act (RIPA) to hand over whatever encryption keys they have. Most of the main online services come from US-based companies; some may choose to comply with UK warrants, but others probably won't. And then there is the extremely important class of open source encryption programs -- things like GnuPGP, OpenVPN and Tor: these don't always have companies that can be threatened with legal consequences. So what would Cameron do about those? Make their use illegal for all UK citizens? Even the increasingly-common HTTPS for general web servers is problematic: if they are located outside the UK, there is no way to force them to hand over their keys. So will Cameron forbid people from visiting millions of websites, just in case they allow some form of communication that can't be monitored?
Clearly, trying to implement this scheme will cause huge damage to the British public and to UK businesses, who will be more vulnerable to online attacks. It will also harm the UK economy, since startups with digital products or services will find users in other countries unwilling to use products that have been forced to insert backdoors for the UK intelligence services. And it will further harm the UK's already battered reputation as a civilized country, since Cameron's call to abolish all online privacy goes beyond even the worst oppressive regime (China must be delighted by his speech.)
However, there is a small consolation to be drawn from this extraordinarily stupid and dangerous call by Cameron. The fact that something so controversial is being proposed at all confirms one of the most important points made by Snowden: encryption works.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: backdoors, communications, david cameron, encryption, end-to-end encryption, mobile encryption, privacy, surveillance, uk
Reader Comments
Subscribe: RSS
View by: Time | Thread
Assume the worst
As long as they don't go too overboard, I think they're actually on the right track here. A statement like his is incredibly worrisome, without some hard, verifiable statements to clarify just what he meant, I think they should assume the absolute worst case scenarios, and work from there.
This forces him to either stay silent, and confirm the speculations, or try and 'clarify' things, and make it clear just what exactly he did mean, which will, assuming the UK press has a bit more spine than the US press, allow them to dig in to just what exactly he plans on doing if re-elected regarding the issue.
[ link to this | view in chronology ]
Re: Assume the worst
Governments are nothing but huge voyeuristic organizations that sit around waiting for someone to crew up... and while this is exactly their job, they take it way to damn far and quickly to point of tyranny as fast as the citizenry allows them too.
As I have said in the past... there is currently NO NATION standing that is advancing the principals of "Liberty".
[ link to this | view in chronology ]
Well then, mr. Cameron, let us read your communications. Preferably starting with the secret international trade agreement negotiations, we are all very interested in that.
[ link to this | view in chronology ]
Cameron, thy name is 'Hypocrite'
[ link to this | view in chronology ]
Re: Cameron, thy name is 'Hypocrite'
[ link to this | view in chronology ]
Re: Re: Cameron, thy name is 'Hypocrite'
[ link to this | view in chronology ]
Re: Cameron, thy name is 'Hypocrite'
[ link to this | view in chronology ]
Re: Re: Cameron, thy name is 'Hypocrite'
We Americans are making it damn clear that Freedom of Press and Speech are antiquated values that need to go the way of the dodo.
The last 50 years of elections has been it clear...
Dear government, please remove our liberties... we don't even know what to do with them anymore!
Signed,
Americans
[ link to this | view in chronology ]
Re: Cameron, thy name is 'Hypocrite'
[ link to this | view in chronology ]
Re: Cameron, thy name is 'Hypocrite'
[ link to this | view in chronology ]
Sure China is bad, but can anyone honestly say that the UK is any better when it comes to censoring and pointless spying?
Most likely UKIP will get enough support and they will finally leave the EU. At least they would not force bullshit laws on the rest of Europe.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
Given that he's outright said that the UK is worse than the rest of the worlds, how will leaving the EU prevent them from making things even worse. Surely if they have to abide by EU standards, they're forced to pay heed to rules that uphold standards of the other countries he's just said are better at upholding privacy or preventing spying than the UK are?
But, no "EU bad!" is their answer to anything. But, then, they usually are the people who believe the outright lies spread by the right-wing press in our country, even when the confession that they're made up is easily visible in the article itself.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
Not that the problem is limited to him, Airstrip One as a whole simply is a lost cause for human rights.
[ link to this | view in chronology ]
Business as usual.
[ link to this | view in chronology ]
Onion encryption
Suppose I want to have a covert conversation with a friend, but all messenger services are either blocked or backdoored in the UK.
Now what we arrange a special protocol for exchanging keys and ciphertext, but instead of messenger providers we rather use filehosts/cloud/cyber lockers with no physical presence in the UK
When I want to say something important to my friend, I mail him the link to the cyberlocker, and he then downloads the file and decrypts it with his PGP key.
If both of us are careful and use eraser to wipe the ciphertext, it will be impossible to reconstruct what was said, and even a RIPA S.49 disclosure order will be toothless since there is no ciphertext or key to hand over.
The RIPA S.49 only applies to key disclosure where the government can prove existence of ciphertext, but if it can only prove that two parties once exchanged a link to a file on a cyberlocker which might already have been wiped, even proving that they had a covert conversation will be impossible.
One might also split ciphertext, keys and parts of the secret over multiple free online services and i.e (1) upload the ciphertext to a cyberlocker, use a service such a Onetimesecret to communicate the link and a third layer as higher obfuscation.
I already use a combination of Onetimesecret, Pastebins and cyberlockers to have deniable communicationm, not because I have something illegal to hide but only because it'is no government's business to know whom I talk to.
[ link to this | view in chronology ]
Re: Onion encryption
This is one of the enormous problems with ubiquitous surveillance: it makes it easier for intelligent bad guys to engage in secret communications without being detected, since most LEOs will be too busy looking through the easy data they have gathered to pay much attention to the cracks and corners where the serious criminality will take place.
[ link to this | view in chronology ]
Re: Re: Onion encryption
"Hi John, here to take my daughter out? Oh, I see you have an unapproved encryption app on your phone...."
[ link to this | view in chronology ]
Re: Re: Re: Onion encryption
However, if I were to try to take someone out who still lives with her parents and they screen her dates, I suspect that they would find it easier to just accuse me of pedophilia.
[ link to this | view in chronology ]
Re: Re: Re: Re: Onion encryption
Everyone knows file sharing sites create piracy, and encryption creates pedophiles.
[ link to this | view in chronology ]
Re: Onion encryption
There are a hundred thousand ways to get around this and unless the UK can shut down openssl and take back all of the distributed copies and shut down every single programming language capable of socket communication, it's not enforceable.
The problem isn't getting around this, that is trivial, the problem is that society as a whole my accept this. If it does, it doesn't matter that you can get around it... The internet as we know it dies.
[ link to this | view in chronology ]
Re: Re: Onion encryption
Anyone with enough knowledge regarding encryption knows that entire messages can be hidden within other pictures and messages and the only way to unlock them is to have a cypher.
The more stupid they make the laws, the more advanced and untraceable encryption will become.
[ link to this | view in chronology ]
Re: Re: Re: Onion encryption
There are effective methods of detecting such hidden messages, of course, and methods to evade such detection. The crypto cat-and-mouse game never ends.
[ link to this | view in chronology ]
Re: Re: Onion encryption
SSL/TLS relies on certificates, so if governments take over the certificate authorities they can run MITM attacks.
[ link to this | view in chronology ]
Re: Re: Re: Onion encryption
TLS uses certificates to establish identity and if a certificate authority is compromised (and they have been in the past by governments) it can case all kinds of havoc and allow an attacker to masquerade as the other party... BUT, and this is a big but, YOU get to choose who to trust and the certificate is only used to establish the person you are talking to is who they say they are. It isn't the key and doesn't allow for a decryption of your communications they were not a party to.
Basically a certificate is a statement saying "Trusted Company X certifies that Party Y is who they claim to be." It is ONLY for identification purposes. WHERE you connect to (the IP you are exchanging keys with) and the keys themselves have nothing to do with the certificate.
[ link to this | view in chronology ]
Re: Re: Re: Re: Onion encryption
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Onion encryption
"a certificate authority is compromised (and they have been in the past by governments) it can case all kinds of havoc and allow an attacker to masquerade as the other party" good thing you reminded me of what I wrote...
[ link to this | view in chronology ]
Re: Re: Re: Onion encryption
This is oversimplified, but not wrong. The easy way to avoid this is to not trust a cert just because a third-party CA says it is trustworthy.
On my own systems, I have my own private CA. No government can take it over without me knowing.
[ link to this | view in chronology ]
Re: Re: Onion encryption
Their counting on it
[ link to this | view in chronology ]
Re: Onion encryption
bing offers to go unencrypted...cameron tries to block google (which will soon remove all its unencrypted options), shit hits fan....government faces vote of no confidence, leaving 'dave' with the choice to either step down or bring in martial law (either because of 'terrorism' or 'for the children')...
[ link to this | view in chronology ]
Re: Onion encryption
[ link to this | view in chronology ]
not to be picky, but...
http://www.zazzle.com/those_who_would_sacrifice_freedom_t_shirts-235015783315023333
[ link to this | view in chronology ]
Today that "security expert" can correctly respond "Right back atcha!"
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Ban Prime Numbers!!!
[ link to this | view in chronology ]
Re: Ban Prime Numbers!!!
The **AA-holes want to ban certain very large numbers. (Like an mp3 file, or a video file.)
But there is an even better solution . . .
[ link to this | view in chronology ]
Re: Ban Prime Numbers!!!
[ link to this | view in chronology ]
Re: Ban Learning Math!!!
But disguise it. Let people learn math, but make sure that its presentation is dull, dry and boring enough that nobody wants to learn math. Next introduce a program that doesn't leave any poor performer behind by holding back the rest of the class to their level.
Naturally without math, interest in science will wane.
But not to worry. We will never need to worry about US students doing poorly in math and science.
Oh, wait.
[ link to this | view in chronology ]
Oh, it's such a fine idea
Interesting. So no HTTPS. No PGP/GPG. No OTR. No SSH. No SCP. No SFTP. No VPN. No IPSEC. No TLS. No SSL.
What could possibly go wrong?
[ link to this | view in chronology ]
Re: Oh, it's such a fine idea
[ link to this | view in chronology ]
Re: Oh, it's such a fine idea
Yeah. Smart move.
In fact, the terrorists will probably no longer be interested in the UK at that point because of the invisibility of their actions: even if they were to blow up the Houses of Parliament, nobody outside of London would ever know...
[ link to this | view in chronology ]
Re: Oh, it's such a fine idea
[ link to this | view in chronology ]
Re: Onion encryption
Most of the c commentariate on Techdirt can probably do it, and it would not be difficult to write a click and run solution for novice users.
I think the government by focusing so much on the communications data -- who is talking to whom -- is unintentionally accelerating a criminal evolution thereby making it difficult to track even the most stupid criminals.
Remember how Tor and encryption were preceived ten years ago, then only the geeks were using it, but now everybody can download the Tor Browser bundle.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re: Onion encryption
They don't have the will or infrastructure to keep deleted stuff but they are ideal as short term datadumps.
(1) Encrypt your 'business plan' with the recipient's PGP key and upload it to a cyberlocker.
Most such services are fremium and allow anonymous users to upload and download.
(2) Generate a onetimesecret url to the cyberlocker file.
(3) Communicate the onetimesecret url rather than the cyberlocker link to the recipient.
(4) Instruct the recipient to wipe the information -- the ciphertext, link and decryption key.æ
(5) Even if one of the links in the chain become compromised, you can rest assured that the government can only establish a chain of custody if it's very very lucky.
It isn't rocket science but something most can learn to do.
[ link to this | view in chronology ]
Re: Re: Onion encryption
While it is great that people who know nothing about the topic are throwing out there a bunch of harebrained schemes for getting around this law - you are missing the bigger picture here. Yes, anonymous, fully encrypted, deniable communication is very trivial as long as you practice good opsec - but why does that matter if society accepts that encryption is inherently nefarious?
[ link to this | view in chronology ]
I think that ship's already sailed...
[ link to this | view in chronology ]
Re: Onion encryption
There are no political solutions to government overreach, only technical ones.
However, the government would not dare to talk about greater powers if the tools were already widely used.
If Tor/I2P and FreeNet were built into all home routers along with onion encryption, even bureaucrats would back down -- not because they care about civil liberties -- but because the idea would already be uneconomical.
[ link to this | view in chronology ]
Re: Re: Onion encryption
There are literally thousands of solutions that already exist for plausibly deniable, fully encrypted (hell, even deniably encrypted) end to end communication out there.
There already exist technical solutions by the truckload - but that isn't what we need. We need political and social solutions so that society as a whole accepts privacy and personal secrecy [read: encryption] and so that laws banning these two key tenets of free society are shot down.
[ link to this | view in chronology ]
Where does it end?
What about window blinds? What self respecting terrorist wouldn't keep their doors closed and blinds pulled?
If groups of people larger than 1 wish to assemble together, shouldn't they be required to register so that the government has an opportunity to show up at the arranged time to ensure that bad thoughts are not being spoken?
At least with modern technology you no longer can hear the NSA breathing, listening in on the phone. So we should be thankful for that.
Where does it end?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re: Re: Onion encryption
The plan obviously fails if you don't do the wiping properly or if the endpoints are compromised.
But the government will have to work much harder, which is the crucial point.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
It would undoubtedly blow up in his face in spectacular fashion, and be a lot of free advertising for whatever business he goes after. After all, who better to trust with your personal information and privacy then a company that's got encryption so good it's illegal?
If a third world dictatorship did what Cameron proposes they might be able to get away with it, but not the UK.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
of dissonance and surveillance
I found this on p.379 &ff of Gab. Coleman's new book THE MANY FACES OF ANONYMOUNS
"What surveillance really is, at its root, is a highly effective form of social control," reads an August Riseup newsletter. "The knowledge of always being watched changes our behavior and stifles dissent. The inability to associate secretly means there is no longer any possibility for free association. The inability to whisper means there is no longer any speech that is truly free of coercion, real or implied. Most profoundly, pervasive surveillance threatens to eliminate the most vital element of both democracy and social movements: the mental space for people to form dissenting and unpopular views."
SEE ALSO:
http://motherboard.vice.com/blog/inside-the-effort-to-crowdfund-nsa-proof-email-and-chat-servic es
the same sentiment is also stated in Glen Greenwald's recent NO PLACE TO HIDE ( Snowden story ). On page 3:
"and history show the mere exstance of a mass surveillance aparatus, regardless of how it is used, is in itself sufficient to stifle dissent"
"It is error alone which requires the support of government.
The truth, can stand on its own."
- Thomas Jefferson.
the first step in cleaning up corruption is in exposing the truth. but government will see this as dissonance. this will be equated to "lies" or dis-information -- and suppressed,-- in order to preserve the"ordre public"
[ link to this | view in chronology ]
Re: of dissonance and surveillance
The results can be worse than that, it eliminates the moderating voices, and results in more extreme social movements, which is a problem in the middle east, and is affecting the whole world through extremist terrorism.
[ link to this | view in chronology ]
OK I'll bit
No problem as long as the Prime Minister is also willing to pay me for any money lost when my insecure communications fall into the wrong hands.
What sort of non-terrorist related communications could result in me loosing real money?
Financial info I share with my accountant
My next big idea stolen by a competitor
My bank logon credentials
My spouse finding out I'm having an affair with a man/woman/dog
My political donors finding out I like some fetish that most people find appalling
My homophobic boss finding out I am gay
I could continue but I have real work to get done.
So when he agrees to reimburse my financial losses caused by forced insecure communications then I will consider giving up my encryption.
[ link to this | view in chronology ]
No encryption? Great!
[ link to this | view in chronology ]
Obvious
Law will be drafted, passed, the fact it is unenforcable will be partly the point, a law you cannot help but break and probably can easily be shown to have been broken is mana from heaven for these morons.
This sort of rubbish comes up every few years.
Won't be illegal to use encyption, will be illegal to use _unlicensed_ encryption - businesses get a pass as the CPS will simply ignore them, won't be 'in the public interest', unless and until it is for a specific company of course.
And like copyright, laws banning ripping CDs etc, just about everyone will ignore it.
UK, crap at finding needles but by gods we have some haystacks.
Sorry for taking the piss out of America for all these years..
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
I'll do it!
Sure, I am happy to stop using that pesky encryption thingy and let you read all of my communcations. I think it just slows stuff down anyway, amiright?
Oh while we're at it, will you personally (or at least your government) indemnify me for ALL LOSSES TO MYSELF that come about as a result of your great new law? Just the little things like my bank account being cleared out because my PIN number, account codes, passwords, etc will all be sent around the world in full view for anyone and everyone who cares to peek.
What's that you say, this doesn't affect financial transactions. But Mr Cameron, do you not understand that pesky encryption thingy is used in virtually all financial transactions carried out around the world as a security mechanism. But wait, you just asked "are we going to allow a means of communications which it simply isn’t possible to read". It's not that my financial transactions are impossible to read, it's just that silly ol' me doesn't want everyone in the world to read them.
I guess it's only fair that if you indemnify me that you'll need to do it for every other UK citizen also. I think Bob buys a lot of stuff online. He'll probably need extra indemnity because I know he buys a lot of fancy stuff when he shops. Oh and I guess Jerry my bank manager will probably want to talk to you about how much money there is in the bank he manages before and after the law comes into effect.
Ok Mr Cameron, I'll leave it with you. I look forward to receiving confirmation of my indemnity soon!
Cheerio!!
[ link to this | view in chronology ]
backfire?
Would he think this is so great then?
Hillary didn't like her emails splashed all over.
[ link to this | view in chronology ]
I'm sorry Dave, I can't do that.
[ link to this | view in chronology ]
David Cameron
NO!
So, he's not serious. Otherwise there would be kiddie porn.
[ link to this | view in chronology ]
Oh wonderful
[ link to this | view in chronology ]
Dagnabbit Cameron, the terrorists are winning now!
And then the terrorists laugh their asses off because this is exactly the sort of thing they want, to bring you down. It seems like the government is far more effective than a guy with a bomb any day. Perhaps the UK government should be labeled as a terrorist organization (or at least an organization supplying material support to terrorists) and be spied on by its citizens.
[ link to this | view in chronology ]
[ link to this | view in chronology ]