/ Cory Doctorow / 12 am Tue, Jan 13 2015
  • Submit
  • About Us
  • Contact Us
  • Advertise here
  • Forums
  • What David Cameron just proposed would endanger every Briton and destroy the IT industry

    What David Cameron just proposed would endanger every Briton and destroy the IT industry

    David Cameron says there should be no "means of communication" which "we cannot read" -- and no doubt many in his party will agree with him, politically. But if they understood the technology, they would be shocked to their boots.

    What David Cameron thinks he's saying is, "We will command all the software creators we can reach to introduce back-doors into their tools for us." There are enormous problems with this: there's no back door that only lets good guys go through it. If your Whatsapp or Google Hangouts has a deliberately introduced flaw in it, then foreign spies, criminals, crooked police (like those who fed sensitive information to the tabloids who were implicated in the hacking scandal -- and like the high-level police who secretly worked for organised crime for years), and criminals will eventually discover this vulnerability. They -- and not just the security services -- will be able to use it to intercept all of our communications. That includes things like the pictures of your kids in your bath that you send to your parents to the trade secrets you send to your co-workers.

    But this is just for starters. David Cameron doesn't understand technology very well, so he doesn't actually know what he's asking for.

    For David Cameron's proposal to work, he will need to stop Britons from installing software that comes from software creators who are out of his jurisdiction. The very best in secure communications are already free/open source projects, maintained by thousands of independent programmers around the world. They are widely available, and thanks to things like cryptographic signing, it is possible to download these packages from any server in the world (not just big ones like Github) and verify, with a very high degree of confidence, that the software you've downloaded hasn't been tampered with.

    Cameron is not alone here. The regime he proposes is already in place in countries like Syria, Russia, and Iran (for the record, none of these countries have had much luck with it). There are two means by which authoritarian governments have attempted to restrict the use of secure technology: by network filtering and by technology mandates.

    David Cameron has already shown that he believes he can order the nation's ISPs to block access to certain websites (again, for the record, this hasn't worked very well). The next step is to order Chinese-style filtering using deep packet inspection, to try and distinguish traffic and block forbidden programs. This is a formidable technical challenge. Intrinsic to core Internet protocols like IPv4/6, TCP and UDP is the potential to "tunnel" one protocol inside another. This makes the project of figuring out whether a given packet is on the white-list or the black-list transcendentally hard, especially if you want to minimise the number of "good" sessions you accidentally blackhole.

    More ambitious is a mandate over which code operating systems in the UK are allowed to execute. This is very hard indeed. We do have, in Apple's Ios platform and various games consoles, a regime where a single company uses countermeasures to ensure that only software it has blessed can run on the devices it sells to us. These companies could, indeed, be compelled (by an act of Parliament) to block secure software. Even there, you'd have to contend with the fact that other EU states and countries like the USA are unlikely to follow suit, and that means that anyone who bought her Iphone in Paris or New York could come to the UK with all their secure software intact and send messages "we cannot read."

    But there is the problem of more open platforms, like GNU/Linux variants, BSD and other unixes, Mac OS X, and all the non-mobile versions of Windows. All of these operating systems are already designed to allow users to execute any code they want to run. The commercial operators -- Apple and Microsoft -- might conceivably be compelled by Parliament to change their operating systems to block secure software in the future, but that doesn't do anything to stop people from using all the PCs now in existence to run code that the PM wants to ban.

    More difficult is the world of free/open operating systems like GNU/Linux and BSD. These operating systems are the gold standard for servers, and widely used on desktop computers (especially by the engineers and administrators who run the nation's IT). There is no legal or technical mechanism by which code that is designed to be modified by its users can co-exist with a rule that says that code must treat its users as adversaries and seek to prevent them from running prohibited code.

    This, then, is what David Cameron is proposing:

    * All Britons' communications must be easy for criminals, voyeurs and foreign spies to intercept

    * Any firms within reach of the UK government must be banned from producing secure software

    * All major code repositories, such as Github and Sourceforge, must be blocked

    * Search engines must not answer queries about web-pages that carry secure software

    * Virtually all academic security work in the UK must cease -- security research must only take place in proprietary research environments where there is no onus to publish one's findings, such as industry R&D and the security services

    * All packets in and out of the country, and within the country, must be subject to Chinese-style deep-packet inspection and any packets that appear to originate from secure software must be dropped

    * Existing walled gardens (like Ios and games consoles) must be ordered to ban their users from installing secure software

    * Anyone visiting the country from abroad must have their smartphones held at the border until they leave

    * Proprietary operating system vendors (Microsoft and Apple) must be ordered to redesign their operating systems as walled gardens that only allow users to run software from an app store, which will not sell or give secure software to Britons

    * Free/open source operating systems -- that power the energy, banking, ecommerce, and infrastructure sectors -- must be banned outright

    David Cameron will say that he doesn't want to do any of this. He'll say that he can implement weaker versions of it -- say, only blocking some "notorious" sites that carry secure software. But anything less than the programme above will have no material effect on the ability of criminals to carry on perfectly secret conversations that "we cannot read". If any commodity PC or jailbroken phone can run any of the world's most popular communications applications, then "bad guys" will just use them. Jailbreaking an OS isn't hard. Downloading an app isn't hard. Stopping people from running code they want to run is -- and what's more, it puts the whole nation -- individuals and industry -- in terrible jeopardy.

    (Image: Facepalm, Brandon Grasley, CC-BY)


    / / / / / / / /

    Notable Replies

    1. (My emph). Do you include the 1%? I think they have minions to do their communications for them.

    2. Like most Conservative policy it is unworkable, ethically inexcusable, ideologically driven and palpably theoretically flawed to anyone with even a passing knowledge of the subject. But as with Conservative policy on immigration and austerity, it's not about trying to find knowledge-driven, practical solutions to perceived problems, it's about trying to generate enough easily-digested headlines to ensure that they and their cronies can continue to asset strip the country for another five years.

      It's a terrible piece of legislation but as a piece of Politics, it's outstanding, if so incredibly cynical it makes me embarrassed to have chosen this username.

    3. As a somewhat impertinent aside to Cory, could you submit this to the Guardian if you haven't already done so, please? You're preaching to the choir here but their current analysis is dominated by the sort of pro-privacy arguments that are easily dismissed by shouts of "but terrorists and paedophiles!" and very little analysis of why this is such a monumentally stupid idea from a technological standpoint...

    4. I can never quite decide if Cameron is dumb enough that he achieves a life outside of an assisted-living scenario purely through malice and low cunning; whether there is, in fact, a terrifyingly-state-power-backed childish wish fulfillment fantasy running 24/7 behind that gormless, squishy, face to the exclusion of all else; or whether he's sharp enough but has deliberately bound himself to a depraved mockery of epistemology where the only truths are poll projections and power.

      My money is on #3; but I can never quite shake the other two.

    5. I think you have it all wrong.
      What the esteemed David Cameron is proposing is that we implement the oft-neglected RFC3514

    Continue the discussion bbs.boingboing.net

    74 more replies