The UK government continues to exhibit its historic, dangerous cluelessness about crypto. After promising to ban working crypto in the previous election campaign, the Tory government has advanced a nonsensical compromise: apps can use working crypto, but also have to be able to break that crypto on demand, without using backdoors.
Working crypto works. Once data is encrypted with a well-implemented algorithm, it can't be decrypted without the key. Ever*.
In order for app vendors to decrypt on demand, they would have to use broken crypto. There's no way to make all the crypto you use impregnable, but make some of it weak when you need it to be.
One possible "workaround" would be for app vendors to build their products so that they automatically accept software updates, even when the user tries to block them. The app vendor could push out an update that used broken crypto, and the next time the user entered their passphrase, the data would be re-encrypted in this broken fashion.
This is a form of back-door, something the Tories have explicitly said they're not seeking. But if they were to mandate (or accept) this solution, it would be a very dangerous outcome: software that forces updates over the network against user-wishes is extremely vulnerable. Any attacker who gained control over the app-vendor's update channel could, in one step, infect every single device that runs the vendor's software, all over the world.
Fitness to govern in the Information Age requires the ability to make good information policy; to not demand solutions where none exist, to not be indifferent to the consequences of accepting the "something must be done; there, I've done something" tautology. In every way, the UK's political classes have demonstrated their unfitness to govern in the 21st century.
Apple is just one of the companies to have said recently that it was technically incapable of decrypting encrypted messages sent between individuals. The minister for internet safety and security, Baroness Shields, expressed concern about the "alarming movement towards end-to-end encrypted applications". Addressing the House of Lords, she said:
The Government recognize the essential role that strong encryption plays in enabling the protection of sensitive personal data and securing online communications and transactions. The Government do not advocate or require the provision of a back-door key or support arbitrarily weakening the security of internet applications and services in such a way. Such tools threaten the integrity of the internet itself. Current law requires that companies must be able to provide targeted access, subject to warrant, to the communications of those who seek to commit crimes or do serious harm in the UK or to its citizens.
Making reference to ISIS, politicians pointed out that WhatsApp had been used to coordinate terrorist attacks, citing this as an example of why access to encrypted data was required. Seemingly oblivious to the weakening of security that would follow, Baroness Shields said: "It is absolutely essential that these companies which understand and build those stacks of technology are able to decrypt that information and provide it to law enforcement in extremis".
Almost immediately contradicting herself, when asked to confirm that the government has "no intention in forthcoming legislation either to weaken encryption or provide back doors to it", she said: "I can confirm that there is no intention to do that; that is correct."
UK government says app developers won't be forced to implement backdoors
[Mark Wilson/Betanews]
(via /.)
* Barring major advances in quantum computing; or very poor passphrase choices
