UK Politicians Getting Serious About Ending End-To-End Encryption

from the bad-news dept

Last week we noted that there was some fairly mixed up pressure mounting on UK politicians to block encryption from some confused charities which (falsely) thought that ending encryption would somehow protect children. We also noted that many of the politicians pushing to end encryption... were using encrypted messaging themselves in an effort to dodge public records requests.

And now more news is coming that the UK government is getting serious about ending encryption. UK Home Secretary Priti Patel -- who has been pushing to end encryption for a while now -- seems to be using the misguided statement from the charity mentioned above, the National Society for the Prevention of Cruelty to Children (NSPCC), as an excuse to bring about the end of true end-to-end encryption in the UK:

Patel will headline an April 19 roundtable organised by the National Society for the Prevention of Cruelty to Children (NSPCC), according to a draft invitation seen by WIRED. The event is set to be deeply critical of the encryption standard, which makes it harder for investigators and technology companies to monitor communications between people and detect child grooming or illicit content, including terror or child abuse imagery.

And then it will just be more nonsense:

During the event, the NSPCC will unveil a report on end-to-end encryption by PA Consulting, a UK firm that has advised the UK’s Department for Digital Culture Media and Sport (DCMS) on the forthcoming Online Safety regulation. An early draft of the report, seen by WIRED, says that increased usage of end-to-end encryption would protect adults’ privacy at the expense of children’s safety, and that any strategy adopted by technology companies to mitigate the effect of end-to-end encryption will “almost certainly be less effective than the current ability to scan for harmful content.”

The report also suggests that the government devise regulation “expressly targeting encryption”, in order to prevent technology companies from “engineer[ing] away” their ability to police illegal communications. It recommends that the upcoming Online Safety Bill – which will impose a duty of care on online platforms – make it compulsory for tech companies to share data about online child abuse, as opposed to voluntary.

As has become common with these things the language here is presented in a manner that pretends it's not the end of end-to-end encryption. They say things like "companies just need to provide law enforcement a way in" or that they will have a "duty of care to share data," ignoring that the only way to do this is not to use end-to-end encryption, but to completely break it in a way that makes everyone -- including children -- much more vulnerable.

Pushing back against this nonsense, the Open Rights Group (ORG) in the UK has called this out for what it obviously is: the UK's plan to kill end-to-end encryption.

If, as the Wired piece suggests, Government is inclined to compel Facebook to break encryption, then this will send a strong message to all of us – regardless of what messaging service we choose to use – about our rights to privacy and freedom from surveillance. It will send an equally strong message to companies providing communication platforms in the UK, whether large or small, about what they can expect from the UK government in the years to come.

The circulation of child abuse images, and the uses of tools by criminals, absolutely need to be addressed. However there are many options to deal with this effectively, ranging from targeted cracking of devices through to infiltration of groups, and at scale, the use of metadata analysis to find malicious actors; this latter technique is already employed by WhatsApp and many other companies relating to abusive material. While Government does need to ensure these methods work, it is far from obvious that equipment interference, and the acquisition of bulk communications data, are the only reasonable means to deliver its aims.

We have known for many years that it was not a matter of if, but when, the UK government and Home Office would seek to restrict the use of encryption. Their intentions have been publicly stated for quite some time, alongside similar gestures by other countries in the Five Eyes surveillance alliance.

The Wired piece also highlights a fear that the UK government might try to enforce all this in secret -- using a secret order (the equivalent of an NSL here in the states) to force the companies to break encryption while gagging them from talking about it. ORG is, quite reasonably, raising the alarm on that possibility too:

A company which is subject to a TCN is legally barred not only from discussing the specifics of the notice, but from disclosing whether the notice exists at all. Any employee of a company subject to a TCN who disclosed that one existed would be subjected to criminal penalties for breaking a gagging order. The powers also appear to apply to the use of “warrant canaries”.

Because of that, we do not know how many TCNs have been applied to date under the Investigatory Powers Act, we do not know whether they have proven effective, and we do not know when they were suspended. TCNs are applied under a level of secrecy which, legally, cannot even be reported. The only thing you will ever learn about the insinuation that a TCN exists is in the annual reports of the Investigatory Powers Commissioner’s Office, who can only discuss the fact that they exercised oversight over one. No further details can be disclosed.

Quite simply, this means that if a TCN were to be applied, any private message exchanged on Facebook/WhatsApp could be subject to monitoring and surveillance, with no notice, recourse, or transparency, and the company would be legally barred from disclosing the fact that the surveillance exists.

As ORG requests, Parliament needs to demand transparency and accountability regarding what the Home Office is doing with regard to encryption, as it impacts the privacy and safety of everyone -- including those anti-encryption politicians who are still using encryption.

Filed Under: encryption, end-to-end encryption, priti patel, security, uk
Companies: nspcc

DOJ Boss Joins UK, Australian Gov't In Asking Facebook To Ditch Its End-To-End Encryption Plan

from the [stacks-exploited-bodies-higher]-MR-FACEBOOK-PLEASE dept

The DOJ seems to be handling its anti-encryption (a.k.a. "going dark") grief badly. I doubt it will ever reach "acceptance," but it is accelerating through the rest of the stages with alarming speed.

It went through shock first, personified by former FBI director Jim Comey, who insisted tech companies were offering encryption to:

A. Give the feds the middle finger
B. Enable all sorts of dangerous criminals
C. To act like children in a roomful of adults

"Denial" seems to have been bypassed completely. Instead, Comey (and others) repeated the "shock" stage, banging the table louder and louder in hopes of convincing everyone they were right.

They weren't right and encryption deployments continued.

The FBI and DOJ shifted quickly to anger. This was first displayed during the legal fight over the San Bernardino shooter's iPhone. The DOJ insisted a law nearly 230 years old gave it permission to force Apple to break encryption. Apple disagreed. The court disagreed. The FBI insisted this would be the death of us all and ignored outside offers to crack the phone while pursuing precedent it would never obtain.

The phone was eventually cracked by a third party and the FBI moved on, still clinging to its "going dark" narrative, even as vendor after vendor stepped up to provide phone-cracking tools. It also overstated the number of "uncrackable" devices in its possession by at least 6,000 devices. It has been nearly 17 months since the FBI promised to correct this count. It still has yet to provide an updated number.

The DOJ's new boss is carrying the (apparently unlit) torch for the FBI. He has demonized both end-to-end encryption and citizens who don't believe cops are blameless white knights standing between us and the collapse of civilization.

Now, he's moving the feds on to the next stage of grief: bargaining. A letter sent to Facebook -- sporting Barr's signature, along with other stalwart encryption foes like UK Home Dept. head Priti Patel and Australian MP Peter Dutton -- begs Facebook to please please please stop adding encryption to its services.

BuzzFeed obtained a draft report of the letter, which appears to be the charm offensive preceding the new US-UK data sharing agreement that targets encrypted communications. The letter contains some loaded language about child porn and its victims, suggesting Barr isn't done leaning on victimized children to advance his anti-encryption efforts. Hey, it didn't work for Comey, but maybe Bill Barr will get the horrific crime he needs to turn the public against their own best interests.

Here are some excerpts from the letter, as first published by BuzzFeed.

Dear Mr. Zuckerberg,

OPEN LETTER: FACEBOOK’S “PRIVACY FIRST” PROPOSALS

We are writing to request that Facebook does not proceed with its plan to implement end-to-end encryption across its messaging services without ensuring that there is no reduction to user safety and without including a means for lawful access to the content of communications to protect our citizens.

So, this is a request for a backdoor. (But one no government agency will refer to as a "backdoor.") "Lawful access" is law enforcement slang for "backdoor," kind of like "officer-involved shooting" is slang for "homicide" and "detected the odor of marijuana" is slang for "Fourth Amendment violation."

Barr (and his anti-encryption warriors) then attempt to call Zuck's bluff... um... I guess??

In your post of 6 March 2019, “A Privacy-Focused Vision for Social Networking,” you acknowledged that “there are real safety concerns to address before we can implement end-to-end encryption across all our messaging services.” You stated that “we have a responsibility to work with law enforcement and to help prevent” the use of Facebook for things like child sexual exploitation, terrorism, and extortion. We welcome this commitment to consultation. As you know, our governments have engaged with Facebook on this issue, and some of us have written to you to express our views. Unfortunately, Facebook has not committed to address our serious concerns about the impact its proposals could have on protecting our most vulnerable citizens.

And there it is. "Our most vulnerable citizens." Apparently that demographic group doesn't contain Facebook users. Facebook users will be fine, I guess, even if any number of malicious hackers/governments want access to communications no one on Facebook actually wants to share with them. "For the children" is the game here, and Barr forges forward with contradictory statements and terrible logic.

We support strong encryption, which is used by billions of people every day for services such as banking, commerce, and communications.

(But, pointedly, not Facebook communications.)

We also respect promises made by technology companies to protect users’ data. Law abiding citizens have a legitimate expectation that their privacy will be protected.

(Except from us.)

However, as your March blog post recognized, we must ensure that technology companies protect their users and others affected by their users’ online activities. Security enhancements to the virtual world should not make us more vulnerable in the physical world. We must find a way to balance the need to secure data with public safety and the need for law enforcement to access the information they need to safeguard the public, investigate crimes, and prevent future criminal activity. Not doing so hinders our law enforcement agencies’ ability to stop criminals and abusers in their tracks.

Ah, the famous tradeoff government officials always pitch, but one that isn't actually the tradeoff being made. It's not privacy vs. the security of the nation as a whole. It's personal security vs. government access that also grants access to criminals and state-sponsored hackers.

What people want is security. They're aren't really interested in trading security for government access. That does nothing for them. The government may solve a few more crimes, but the government was solving crimes long before cellphones, social media platforms, and end-to-end encryption.

Now, multiple governments feel they can't solve crimes without on-demand access to people's communications -- something they have never had in the history of crime-solving and communications. But here we are, listening to Barr and his buddies make a pitch for encryption backdoors while standing on the backs of child porn victims.

Barr makes this pitch while acknowledging that Facebook probably does far more than all US and UK law enforcement agencies combined to combat child porn.

Facebook currently undertakes significant work to identify and tackle the most serious illegal content and activity by enforcing your community standards. In 2018, Facebook made 16.8 million reports to the US National Center for Missing & Exploited Children (NCMEC) – more than 90% of the 18.4 million total reports that year. As well as child abuse imagery, these referrals include more than 8,000 reports related to attempts by offenders to meet children online and groom or entice them into sharing indecent imagery or meeting in real life. The UK National Crime Agency (NCA) estimates that, last year, NCMEC reporting from Facebook will have resulted in more than 2,500 arrests by UK law enforcement and almost 3,000 children safeguarded in the UK.

And yet, Barr wants to complain. Barr and his UK/Aussie counterparts want to claim this isn't enough. What's really needed is insecure communications on a platform used by billions. And to make this claim, Barr again points to something Facebook does as evidence that Facebook isn't doing enough.

While these statistics are remarkable, mere numbers cannot capture the significance of the harm to children. To take one example, Facebook sent a priority report to NCMEC, having identified a child who had sent self-produced child sexual abuse material to an adult male. Facebook located multiple chats between the two that indicated historical and ongoing sexual abuse. When investigators were able to locate and interview the child, she reported that the adult had sexually abused her hundreds of times over the course of four years, starting when she was 11. He also regularly demanded that she send him sexually explicit imagery of herself. The offender, who had held a position of trust with the child, was sentenced to 18 years in prison. Without the information from Facebook, abuse of this girl might be continuing to this day.

Here's what Barr thinks will happen if Facebook deploys end-to-end encryption. Facebook will no longer be able to "read" messages sent between users, which will result in an increase in abused children that authorities will be powerless to help.

Our understanding is that much of this activity, which is critical to protecting children and fighting terrorism, will no longer be possible if Facebook implements its proposals as planned. NCMEC estimates that 70% of Facebook’s reporting – 12 million reports globally – would be lost. This would significantly increase the risk of child sexual exploitation or other serious harms. You have said yourself that “we face an inherent tradeoff because we will never find all of the potential harm we do today when our security systems can see the messages themselves”. While this tradeoff has not been quantified, we are very concerned that the right balance is not being struck, which would make your platform an unsafe space, including for children.

"For children." That's the leverage. Barr wants Facebook to abandon its encryption plans to save children. Sure, that's admirable, if you're willing to overlook the considerable downside of creating a backdoor for governments or simply removing the encryption offer altogether. Facebook's encryption plans offer a whole new layer of security for lawful users -- some of which are targeted by authoritarian/corrupt governments. Many governments around the world pose as much of a threat to their citizens as criminals do. And a great many people believe their communications should be private, which means not being read/scanned by Facebook, much less any government that happens to stroll by waving some paperwork.

All Barr wants is for Facebook to abandon its encryption plans. He wants Facebook to be able to access the content of its users' messages. He wants every government in the world to be able to access the content of users' messages. He may only be aligned with three-fifths of the Five Eyes in this letter, but ensuring US/UK/Australian "lawful access" means giving every other two-bit dictatorship the same level of access to users' communications.

This isn't standard government bullshit. This is heinous, dangerous bullshit. This is a conglomerate of Western governments, on the eve of the deployment of a mysterious "data-sharing" agreement, portraying the implementation of encryption for communications as aiding and abetting the sexual abuse of children. This is a not-very-subtle smearing of every tech company that deploys encryption to protect its users from criminals and governments that behave like criminals. This is the abuse of the phrase "lawful access" to portray the possession of a warrant as a golden ticket to everything law enforcement wishes to obtain.

To be historically clear, a warrant has NEVER guaranteed access to communications. It has only allowed law enforcement to search for them. The implementation of encryption doesn't change this equation. But Barr and others keep pushing this in hopes of persuading the public -- and the tech companies they patronize -- that secret communications are something new and far more dangerous than anything law enforcement has ever encountered prior to the rise of social media and smartphones.

Filed Under: doj, encryption, mark zuckerberg, messenger, peter dutton, priti patel, privacy, security, snooping, william barr
Companies: facebook, instagram, whatsapp

DOJ Using The FOSTA Playbook To Attack Encryption

from the watch-out dept

For years now, the various DOJ folks pushing to break encryption have whined and complained that the tech industry won't even consider having an adult conversation about encryption. This, of course, has never been true. Indeed, in just the past few weeks we've highlighted two separate examples of attempts to bring together law enforcement folks and technology/cryptography experts to see if there are legitimate ways to move the conversation forward. That first one came up with an interesting and useful framework for judging any conversation about "lawful access" to encrypted communications, while the second demonstrated just how much various tech companies have been doing over the years -- in particular in helping law enforcement deal with the issue of child abuse.

And what do they get for all that? First, a horrific article in the NY Times that accurately highlights the awfulness of child sexual abuse online... but oddly frames the efforts that various tech companies have put into helping law enforcement as... evidence of not caring about the problem. And, of course, suggests that encryption is part of the problem:

After years of uneven monitoring of the material, several major tech companies, including Facebook and Google, stepped up surveillance of their platforms. In interviews, executives with some companies pointed to the voluntary monitoring and the spike in reports as indications of their commitment to addressing the problem.

But police records and emails, as well as interviews with nearly three dozen local, state and federal law enforcement officials, show that some tech companies still fall short. It can take weeks or months for them to respond to questions from the authorities, if they respond at all. Sometimes they respond only to say they have no records, even for reports they initiated.

And when tech companies cooperate fully, encryption and anonymization can create digital hiding places for perpetrators. Facebook announced in March plans to encrypt Messenger, which last year was responsible for nearly 12 million of the 18.4 million worldwide reports of child sexual abuse material, according to people familiar with the reports. Reports to the authorities typically contain more than one image, and last year encompassed the record 45 million photos and videos, according to the National Center for Missing and Exploited Children.

This is following the FOSTA/SESTA game plan. Highlight legitimately horrific examples of horrible things that people have done (in FOSTA's case, sex trafficking; here child porn). Then, follow it up by blaming the internet platforms and technology even if those platforms have actively helped law enforcement over and over again. Encryption is repeatedly suggested as truly evil.

Increasingly, criminals are using advanced technologies like encryption to stay ahead of the police.

"Advanced technologies"? And then:

Offenders can cover their tracks by connecting to virtual private networks, which mask their locations; deploying encryption techniques, which can hide their messages and make their hard drives impenetrable; and posting on the dark web, which is inaccessible to conventional browsers.

And again:

Tips included tutorials on how to encrypt and share material without being detected by the authorities.

Yes, encryption can be used to hide bad stuff. No doubt about it. However, it also protects the privacy and security of everyone else as well. There are real tradeoffs here to be discussed -- and we shouldn't forget that one element in that discussion is that law enforcement does have other tools to track down and find those involved in child porn. That encryption blocks some evidence does not mean there are not other ways for them to collect evidence -- as we've seen in many other cases.

But, given that Attorney General William Barr has been on an anti-encryption kick lately, as has FBI Director Chris Wray, it shouldn't be a huge surprise that they've teamed up for a DOJ "symposium" more or less building on the NY Times article (for which the DOJ appears to have been a major source), in which there appears to be an an entirely one-sided lineup of speakers to discuss the scary sounding:

Lawless Spaces: Warrant-Proof Encryption and Its Impact On Child Exploitation Cases

Barr is speaking, as is Wray. So is Deputy Attorney General Jeffrey Rosen, who also spent the summer trashing encryption. There are also two foreign speakers. There's Peter Dutton, the Home Affairs Minister from Australia, who lead that country's efforts to backdoor encryption with a bunch of ridiculously misleading claims about how companies that offer encryption should be blamed for anyone using it for illegal activity. Then there's the UK's Home Secretary, Priti Patel, who we had just mentioned earlier this week for her statements that encryption "empowers criminals."

There does not appear to be a single cryptographer on the program. There does not appear to be a single technologist on the program. There does not appear to be anyone who can provide even the slightest counterweight to the idea that encryption is just a tool for criminals. Contrast this to the sessions we talked about at the opening of this piece. The Carnegie Endowment and Stanford each actually invited people from a variety of different viewpoints and made sure to have actual experts involved. The DOJ is not doing that. This is pure theater as part of a public relations campaign to undermine the encryption that keeps us all safe.

Yes, you can point out very real and horrifying examples of people abusing just about any technology. But in a sane world, you then start looking at the actual size of the problem, the actual risks, the alternative approaches, and the costs and benefits associated with all of them. Not a single person on the DOJ's list of speakers seems equipped to do that. Given that we've quoted each and every one of them right here on Techdirt staking out an extreme anti-encryption standpoint over and over again, suggests that, unlike the tech industry, which has held and participated in various discussions, the DOJ just wants to set up scare mongering stories in the press before pushing for legislation that will destroy encryption and put us all at risk. For our safety.

As you'll recall, AG Barr himself had ominously warned that if the tech industry didn't "engage" then eventually there would be some sort of "incident" to "galvanize public opinion" against encryption:

Obviously, the Department would like to engage with the private sector in exploring solutions that will provide lawful access. While we remain open to a cooperative approach, the time to achieve that may be limited. Key countries, including important allies, have been moving toward legislative and regulatory solutions. I think it is prudent to anticipate that a major incident may well occur at any time that will galvanize public opinion on these issues.

Well, the industry was willing to engage and explain the costs of undermining encryption. But rather than understand that, it now looks like Barr is working overtime to manufacture that "major incident" to galvanize public opinion against their own security. It's a shame the NY Times decided to help.

Filed Under: child porn, chris wray, doj, encryption, fosta, going dark, moral panic, peter dutton, priti patel, william barr
Companies: facebook, google, ny times

No, The New Agreement To Share Data Between US And UK Law Enforcement Does Not Require Encryption Backdoors

from the sounds-messed-up-but-hardly-changes-anything dept

It's no secret many in the UK government want backdoored encryption. The UK wing of the Five Eyes surveillance conglomerate says the only thing that should be "absolute" is the government's access to communications. The long-gestating "Snooper's Charter" frequently contained language mandating "lawful access," the government's preferred nomenclature for encryption backdoors. And officials have, at various times, made unsupported statements about how no one really needs encryption, so maybe companies should just stop offering it.

What the UK government has in the works now won't mandate backdoors, but it appears to be a way to get its foot in the (back)door with the assistance of the US government. An agreement between the UK and the US -- possibly an offshoot of the Cloud Act -- would mandate the sharing of encrypted communications with UK law enforcement, as Bloomberg reports.

Social media platforms based in the U.S. including Facebook and WhatsApp will be forced to share users’ encrypted messages with British police under a new treaty between the two countries, according to a person familiar with the matter.

The accord, which is set to be signed by next month, will compel social media firms to share information to support investigations into individuals suspected of serious criminal offenses including terrorism and pedophilia, the person said.

The reporting here is borderline atrocious. The article insinuates that this agreement will force Facebook and WhatsApp to turn over decrypted communications or install a backdoor. It won't. The platforms may be compelled to turn over encrypted messages but all UK law enforcement will get is encrypted messages. The reporting here makes it appear as though social media platforms are being compelled to provide plaintext. They aren't.

Sharing information is fine. Social media companies have plenty of information. What they don't have is access to users' encrypted communications, at least in most cases. Signing an accord won't change that. There might be increased sharing of encrypted communications but it doesn't appear this agreement actually requires companies to decrypt communications or create backdoors.

Facebook has already issued a statement saying it opposes any plan that would require the creation of backdoors. It points out the Cloud Act does not mandate backdoors. While it does give the US government permission to engage in extraterritorial searches of US companies' data stores located overseas, it does not demand companies decrypt data or communications for it.

The other factor pointing in the direction of the UK law enforcement beneficiaries ending up with useless garbage is the Cloud Act itself. UK tech lawyer Graham Smith points out the Cloud Act requires agreements like these to be "encryption neutral," meaning neither side can mandate backdoors. Consequently, UK and US government agencies will get what they get when utilizing this new agreement. This means in some cases demands for data and communications will produce incomprehensible text, rather than anything useful.

That said, the UK government dream of encryption backdoors hasn't died. The Bloomberg article quotes UK Home Secretary Priti Patel, who has previously claimed encryption "empowers criminals." This is pretty much the same thing her predecessor, Amber Rudd, said. The less-than-implicit suggestion is that companies providing encrypted communications to users are siding with criminals, rather than the forces of law and order. Any perceived benefits of secure communications apparently pale in comparison to the government's "right" to access the content of communications.

This new accord likely won't (and probably can't) mandate backdoors -- no matter how the Bloomberg article skews it. But an international partnership created solely for the purpose of accessing communications and data applies a lot more pressure than parallel efforts from both sides of the pond.

Filed Under: cloud act, data sharing, encryption, law enforcement, priti patel, uk, us
Companies: bloomberg, whatsapp