UK Government Apparently Hoping It Can Regulate End-To-End Encryption Out Of Existence
from the sure-hope-'the-children'-are-grateful-for-the-shitty-future-being-handed dept
Politicians -- those motivated by the notion of "doing something" -- want to end encryption. They don't want this to affect their communications and data security. But they don't see the harm in stripping these protections from the general public. Often, the argument is nothing better than "only criminals want end-to-end encryption," something they trot out as a truism despite plenty of evidence to the contrary.
But these politicians (and government officials) are cowards. They refuse to call a backdoor a backdoor. They come up with all sorts of euphemisms while pretending compliance with proposed laws won't result in the creation of backdoors that can be exploited by everyone, not just the "good guys." They also deploy other euphemisms to attack encryption that protects millions of members of the public, referring to good encryption as "warrant-proof" or "military-grade." Those terms never survive examination, but the narrative persists because most members of the public have no interest in closely examining falsehoods uttered by governments.
The UK government has expressed an unhealthy determination to undermine encryption for years now. It has the fanciest of plans to undo protections enjoyed by UK residents for reason ranging from "the children" to "the terrorists." The underlying intent never changes even if the name on the office doors do. Regulators come and go but the desire remains. Even the bills get renamed, as though a different shade of lipstick would make the UK's anti-encryption pig any more desirable.
Rebranding from "Online Harms" to "Online Safety" only changed the tablecloths in the Titanic's dining room. The UK government wants encryption dead. But presumably "safety" sounds better than "harms," especially when the government affirmatively wants to harm the safety of millions of UK residents.
The Internet Society has taken a look at the revamped and rebranded bill and has delivered a report [PDF] that explains exactly where on the Internet doll the UK government plans to engage in inappropriate touching. There's no mention of backdoors or broken encryption, but complying with the law means possibly doing both.
The draft Online Safety Bill places a duty of care on service providers within the scope of the draft bill to moderate illegal and harmful content on their platforms, with fines and penalties for those that fail to uphold this duty. The only way for service providers that offer end-to-end encryption to comply with this duty of care would be to remove or weaken the encryption that they offer.
That's the end result of these demands. But the politicians and regulators pushing this are unwilling to directly refer to the harms the bill will cause. There's no ban on end-to-end encryption. There's no mandate for backdoors. Instead, the bill hopes to achieve these ends by applying regulatory pressure that makes both of these outcomes unavoidable.
Service providers deploying end-to-end encryption obviously cannot see the content of communications between users. The UK government says that's no longer acceptable. Providers need to be proactive in preventing the spread of certain content. That leaves them with only one option.
Ofcom can require that service providers use “accredited technology” to identify harmful content and “swiftly take down that content”. To comply with this requirement and fulfil their “duty of care”, service providers will likely need to resort to upload filters and other mechanisms that may interfere with the use of end-to-end encryption.
Basically, the same thing that saw Apple catch a considerable amount of heat will be expected to be standard operating procedure for any tech company doing business in the UK. Client-side filtering is the most efficient way to prevent the uploading and sharing of "harmful content." Shutting it off at the source means either invading devices or removing at least one end of the end-to-end encryption. And once those options are available, it will only be a matter of time before the UK government starts demanding access to unencrypted devices and/or messages.
And the UK government has specifically cited Apple's now-defunct plans to strip protections it previously extended to users and device owners as evidence the proposed law is a net gain for society.
[I]n the Daily Telegraph article announcing the Safety Challenge Fund, Home Secretary Priti Patel points to Apple’s client-side scanning proposal as a positive example, raising concerns about the criteria for evaluating Challenge Fund proposals.
In its quest for easy wins, the UK government is ignoring the long-term fallout of these demands. While it may have no problem stripping UK residents of strong data and communication protections, it may find it more difficult to talk powerful businesses into accepting less-than-solid protections for their financial interactions and transmission of sensitive proprietary info. And government employees still rely heavily on third-party contractors for communication services and data transmission/storage. These same employees also rely on devices and cell phones manufactured by companies that will now be forced to make their products less secure for everyone who uses them.
Everyone loses. But the people who will lose more and lose it faster simply don't matter. Before the cold reality of broken encryption hits home for politicians, they'll have already collected the PR wins needed to secure more terms in office. And with more time comes more power. Eventually, the UK government may find a way to exempt it from the impositions placed on the private sector, elevating them above the people they serve. In the end, very little will have actually been done to address the problems (child exploitation, terrorism) cited to justify these impositions. The only guarantee is that devices, communication services, and the internet at large will be expected to make huge sacrifices in service to the UK government's talking points.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: backdoors, encryption, end-to-end encryption, going dark, online harms, online safety, online safety bill, uk
Reader Comments
Subscribe: RSS
View by: Time | Thread
"only criminals want end-to-end encryption,"
This says a lot about a government's own activities.
[ link to this | view in chronology ]
Re:
I had the same thought. So they're admitting that government is a criminal enterprise. How refreshing
[ link to this | view in chronology ]
Re: Re:
Bankers, apparently, are some of the worst offenders. Off with their heads!
[ link to this | view in chronology ]
The government folks
And the UK government has specifically cited Apple's now-defunct plans to strip protections it previously extended to users and device owners as evidence the proposed law is a net gain for society.
Big Tech
It's the cause of all of society's ills.
Except for this time, which is totally different.
[ link to this | view in chronology ]
"But presumably "safety" sounds better than "harms," especially when the government affirmatively wants to harm the safety of millions of UK residents."
Basically, they realised that "for the children" isn't working, so they decided to pretend that making people scared of their bank accounts is a better angle.
"Priti Patel points to Apple’s client-side scanning proposal as a positive example"
But, of course she did, the poor deluded fascist.
Let's translate that - the best "positive" example that can be given as an alternative to users proactively protecting themselves is for a foreign corporation to spy on everything they do. Which is, of course, perfectly fine so long as they're on the side of the people currently in charge. They'll change their tune the moment that someone does the exact same thing but is not aligned with their politcal or financial goals.
"In its quest for easy wins, the UK government is ignoring the long-term fallout of these demands"
It's my experience that it's a mistake to assume that any idiotic move on the part of the Tories is related to short-term planning, ignorance or otherwise that they don't know what they're doing. More often than not, they know exactly what the consequences are, they just choose to ignore it so long as they or their friends can profit and reasonably expect to escape the long term consequences on a personal level.
[ link to this | view in chronology ]
really wonder
Who is pushing this?
90% of the phones really dont use Much encryption in the first place, and If there is some, Most has been cracked already.
This is more to the Idea of intercepting calls, in the middle. It has little to do with the phones, unless there is real encryption NOT designed in the phone in the first place.
Logic
If every phone had different encryption, they couldnt talk to each other. So even the Apple phones Must have a standard for encoding(NOT encryption).
But Where in the system is anything Encrypted, beyond encoding? Or is this a boondoggle to grab attention and do nothing.
[ link to this | view in chronology ]
Re: really wonder
Encryption protects the message, which is carried between devices by a separate communication protocol. So long as both ends agree on an encryption protocols, and can securely exchange keys, the fact that other devices on the network don't know where to start to read the messages being exchanged is an advantage in protecting privacy.
[ link to this | view in chronology ]
Re: Re: really wonder
AC.
Its called protocols. and every phone can have keys, but the Book was written publicly. Its the same code and key system in every phone. Then you get info from the Corps about how they Init the code, generally is specific, they use ???? for the code of their phone, then a ???? that is this or that, and then MAYBE ???? which is the MAC address of the phone. Go look in your ABOUT FILE.
You cant make it Hyper complicated.
Do you understand WHY?
IT SLOWS EVERYTHING DOWN.
Ever listened to a person talking to fast and NOT in a monotone? THE PHONE GOES NUTS, trying to encode it and send it. And when it gets to the other side, it sounds like Garbage.
Iv had to STOP people from talking and explain this.
Hate hearing the phone cut out and Cut off the top and bottom of the voice. Worse then noise cancellation.
AND corps are not installing Anything More then they NEED, BASICALLY.
[ link to this | view in chronology ]
Re: really wonder
If you don't understand public/private key encryption, you are in good company with the UK government.
Your point is one Techdirt repeatedly makes. Encryption is math. There is no such thing as encryption that can only be decoded by the recipient. As has been true throughout history, encryption (or the codes/cyphers that proceeded it) is only as valuable as the encryption key. Modern Public/Private Key encryption is almost universally based on Diffie–Hellman key exchange, a method for exchanging "public" encryption keys whose encryption is than decoded by a "private" key held by the recipient.
Security comes because these keys should be very large (>= 1024 bits, about 300 decimal digits), each one should be unique, and there is no practical means of factoring very large numbers quickly, a key step in breaking the encryption. Even if the encryption is broken, it only breaks the encryption between those 2 specific people.
The Proposals at question insert a 3rd encryption key into the mix. That 3rd key will be universal by design - a skeleton key for governments and law enforcement. This presents the very problem you are concerned about - once you can break encryption with that key once, you can break any encryption that accepts the law enforcement key. And once you have the single point of failure, even an impractical brute force approach becomes valuable.
Encryption only 'encodes' data. Ever. That is all encryption ever does. its just a much more complex math behind the code. In the end Encryption's results are just a more complex form of Enigma. I don't know how to say any different. While your phone is locked, the contents are encrypted. This prevents low effort data dumps and obscures the contents of the phone if a dump is achieved. This encryption would be strong but various exploits are known that allow phone cracking tech to work, not to mention cloud backups storing encryption keys. End-to-end encryption deals with data in transit. Absent exploits, Duffie-Hellman Key exchange with a unique RSA-1024 or better key is currently near impossible to crack. ARSA-1024 key has not yet been publicly factored and is not expected to break for at least a few years, barring some major breakthrough.
[ link to this | view in chronology ]
Re: Re: really wonder
Absent exploits, - i feel this is a very good point worth highlighting. Much of the way that "encryption gets broken" is not by breaking the encryption itself, but by exploiting a flaw in implementation, or flaws in an operating system that allows reading of the key when it is used normally.
As phone-cracking and malware-spying companies have shown, what we absolutely don't need are flaws built into the encryption itself.
[ link to this | view in chronology ]
Re: Re: really wonder
There's one exception, and that is one-time pad encryption. However, that is cumbersome and very difficult to do correctly.
No, encoding and encryption are fundamentally different processes, because encoding and decoding requires no key. It serves a completely different purpose than encryption.
If your phone has that feature, and you have it enabled.
[ link to this | view in chronology ]
Re: really wonder
The Criminals in law enforcement and politics that don't want to do their jobs and still retain them.
Law enforcement criminals that simply want to sit on their ass all day instead of doing real detective work, and push a button to "solve" the crime. ("Enhance that image!", "ZoOm In MoRe!", etc.)
Political criminals that simply want up to the minute reports on everything their opposition has done that day. So they can undermine them at every turn. (Yes, Telescreens, and no you will never be a member of the Inner Party.)
Banning of encryption is mandatory surveillance. They consider everyone a threat, and they want to make sure that threat is neutralized. Plain and simple. Reject it at every turn. Don't fall for their nonsense. (Hint: If it sounds like bullshit after decades of debate it probably is.)
[ link to this | view in chronology ]
They are setting up the situation where the opposition cannot discuss politics without those in power monitoring everything they say. That is ground work that makes establishing a one party state easy..
[ link to this | view in chronology ]
Re:
On the one hand that seems like something so insane and outlandish that it couldn't possibly be the case. On the other hand they're trying to make everyone in the country less safe and their communications and data less secure, so it's not like political espionage would be crazier than what they demonstrably are doing.
[ link to this | view in chronology ]
Re: Re:
Have you not noticed that whenever they think they can get away with it, governments want any and all political opposition spied on, especially any political movement outside of the established parties politics.
[ link to this | view in chronology ]
Re: Re: Re:
It's not the political espionage that's the extreme part, it's that usually they try to be a little more subtle about it.
[ link to this | view in chronology ]
Re:
Thing is the opposition back this bill and are saying it does not go far enough.
[ link to this | view in chronology ]
Re: Re:
Back in December, Labour said they would support it with no reservations so long as managerial liability was brought up as a core feature instead of a reserve power.
Heather Burns wrote about how it's not the answer in this article: https://www.openrightsgroup.org/blog/online-abuse-why-management-liability-isnt-the-answer/
It's effectively a hostage-taking law and the reason Labour wants it so badly? Because Nigel Farage left them to join Facebook and they view it as a betrayal.
[ link to this | view in chronology ]
'The briar patch again? You shouldn't have.'
It's effectively a hostage-taking law and the reason Labour wants it so badly? Because Nigel Farage left them to join Facebook and they view it as a betrayal.
If one of if not the goal of this is to stick it to Facebook then this would be yet another case of shooting Facebook's competitors while aiming at Facebook, because while large companies like them are going to suffer from liability like this smaller ones that might have competed with them will be destroyed due to not having the resources required.
[ link to this | view in chronology ]
Re: 'The briar patch again? You shouldn't have.'
I feel this bill will go the way of the age verification law, get ready for a delay.
[ link to this | view in chronology ]
Re: Re: Re:
"It's effectively a hostage-taking law and the reason Labour wants it so badly? Because Nigel Farage left them to join Facebook and they view it as a betrayal"
Erm, what?
[ link to this | view in chronology ]
Re: Re: Re: Re:
My apologies, I got the name wrong. It's Nick Clegg.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
Ah, apology accepted, although Clegg was the former leader of the Liberal Democrats who formed the doomed coalition with the Conservative party that led us into a lot of the current mess the country's in. Labour was the party formerly in power that the coalition government ousted. Although by American standards they all count as "liberal", there's many important differences.
I understand that this might all be confusing for people looking in from the outside, but there's a huge difference in many ways and Farage is a unique enough cancer without confusing things further ;)
[ link to this | view in chronology ]
It's gonna be interesting to see how the City responds to this....
[ link to this | view in chronology ]
Re:
The "residents" are likely shitting bricks, or demanding exceptions. The "local cops" probably don't think it goes far enough.
[ link to this | view in chronology ]
Government: Only criminals use encryption!
Public: Don't you and basically every large corporation use encryption?
Government: Like we said!
[ link to this | view in chronology ]
What are they thinking? I need a network to transmit my message, but I don't need to trust the network, and I don't need Apple or Facebook to perform encryption tasks.
SGVsbG8gd29ybGQ=
Anyone can read that (it's base-64) but nothing's stopping me from using AES.
[ link to this | view in chronology ]
Most Humorous!
@Tim Cushing: "as though a different shade of lipstick would make the UK's anti-encryption pig any more desirable."
very funny, and absolutely true!
Exactly similar to MicroFlaccid putting different color glitter on their steaming,... cow manure.
[ link to this | view in chronology ]
Thing is look at the last age verification law that was delayed over and over again until it was scraped because they just could not find a way to get it up and running, its also easy to see that this bill could also collapse and not work at all.
[ link to this | view in chronology ]
Stockbrokers bankers, rely on private communication data encryption apps and Web services to keep their customers data secure and private google and facebook have EU offices in Ireland the Irish government has never even proposed to ask messaging or finance apps to reduce encryption or make customer data less private. The UK had a bill to make all users register to to have acess to xx rated adult websites it collapsed because there was no practical way to make it work with all Internet users. The UK
intelligence services probably have acess to browsing data and txt messages and location data of UK Internet users,
It's like the old legacy media company's there are constantly
asking for new laws or acess to user data even if it brwls the Web or reduces user security and privacy
[ link to this | view in chronology ]
Client-side filtering
The UK government are deluded of they think that client-side filtering is going to fix anything. Software can be modified. If filters are introduced, someone will make a hacked version of the client that either skips or fakes the filter check. Anyone who wants to avoid prying eyes will use that hacked client.
Of course, talk of client-side filtering could just be a ruse. "The boffins told us that the filtering won't work, so the only option is to snoop on everything you say. Sorry!"
[ link to this | view in chronology ]
The demand for service providers to spy on and censor allegedly "harmful" communications is in and of itself a fascist move, even before considering that they would need to break security on everything to do it.
[ link to this | view in chronology ]