/ Cory Doctorow / 4 am Thu, Nov 5 2015
  • Submit
  • About Us
  • Contact Us
  • Advertise here
  • Forums
  • British government will (unsuccessfully) ban end-to-end encryption

    British government will (unsuccessfully) ban end-to-end encryption

    Home Secretary Theresa May has introduced the long-awaited, frequently assayed Snoopers' Charter, and it is a complete disaster.

    In the new bill, May says that she will ban products that use end-to-end encryption, whereby the company that made the product can't tell how it's being used. She seems to think that all this will require is orders to Facebook, Apple, Google and perhaps a couple of smaller players to get them to re-engineer their products so that all messages get decrypted at their data-centres, re-encrypted and passed on to their recipients.

    She is wrong.

    End-to-end encryption can be accomplished with literally thousands of products, many of them free/open source software that can be downloaded from tens of thousands of websites, including websites like Github that are indispensable to UK industry and cannot be blocked without crippling the economy. Even the Chinese government was unable to block Github.

    This means that anyone who wants to communicate in a way that cannot be intercepted needs only to go on using the tools that they use presently. It means that anyone who wants to communicate in a way that the government can't intercept can download software from any of many, many, many sites and they're home free.

    It also means that law-abiding people who lack technical sophistication will have infinitely large troves of sensitive communications captured and retained by Internet companies. When those companies have a security breach (this is a when, not an if), those innocent and technologically naive Britons will have all of their sensitive, personal information ashley-madisoned all over the Internet.

    It gets worse. The Snoopers' Charter also legalises the security services' practice of creating and deploying cyberweapons, which means that they will be accelerating their practice of both introducing and hoarding security flaws in the technology that Britons use. Because these flaws are and will continue to be independently discovered and weaponised by foreign spies, criminals, voyeurs, etc, all of the services that comply with UK law by banning end-to-end encryption and by retaining sensitive personal information will be even more vulnerable.

    The government is insisting that every service provider stockpile massive quantities of unstable toxic personal information, and simultaneously taking measures to make those stockpiles much, much less secure.

    The government also admitted that MI5 had been spying on Britons for more than a decade without proper legal authorisation, and then used this as a pretense for the Snoopers' Charter, arguing that what was needed here was an expansion of spying power to legalise the practice, rather than an inquiry into why they were doing it in the first place.

    Cynically, the government has brought in measures intended to buy off Parliament. They will enshrine the Wilson Doctrine into law, banning the security services from spying on Members of Parliament. They will allow some judges to overrule spying orders by the Home Secretary, but remember that in the US FISA system, the judges with this power have virtually never exercised it, over decades and decades.

    This is the exact opposite of cybersecurity legislation. It's rules that will make things less secure for Britons, expand the potential for abuse of powers, and give security forces an incentive to go on weakening actual technical security.

    May wrong to say surveillance bill creates judicial authorisation for interception, says Liberty – live [Andrew Sparrow/The Guardian]

    (Image: Rt Hon Theresa May MP, Home Secretary, at 'The Pioneers: Police and Crime Commissioners, one year on' [Policy Exchange/CC-BY)


    / / / / / /

    Notable Replies

    1. So, they can't spy on members of parliament, but will have complete and fine-grained data on everything they did before they were elected.

      I also wonder how they plan to deal with the consequences of not using strong encryption for financial transactions. Or for corporate VPNs that transmit confidential information. (rhetorical questions. This woman and her cronies are about as technologically literate as baboons, and I'm guessing they just haven't thought that far ahead.

      Reading about this has inspired a great idea for a free phone app, that I might try to put together next time I take a vacation. It would take advantage of the fact that, under proper operating conditions, the least significant bit of each color from each pixel of a phone's camera (or any other digital camera) is genuinely random quantum noise. (This is pretty cool, since making random numbers computationally is actually really hard, if not impossible)
      The app would take advantage of that to make a few strings of random hex digits, of random length (within user-set limits), and send them to your, or other people's, email, whenever you activated it.

      It could, optionally, choose a suspicious subject line from a pre-generated list, like:

      Re: Those Pakistani nukes you ordered.


      d00d! I've got enough special K to kill an elephant.


      ISIS recruit party: 9:00 at Buffalo Wild Wings. Open Bar!

      It would take moderately widespread usage to have much effect, but if it did catch on, it would be totally awesome.

    2. SemTeK says:

      It's almost like they looked at 1984 and thought "Challenge accepted". End-to-end encryption is needed to make doing anything online safe, from making purchases to online banking. If you compromize that in any way you open the door for hackers.

      So to capture one or two terrorists and "make the world safe" they will take away all of your online safety and actually make your life much less safe.

      Also, technically this will just not work. Even if they manage to ban all the available software from not using end-to-end encryption, there is no reason why anyone with minimal coding skills would not still build software with encryption.

    3. renke says:

      One bag of popcorn? Implementing this law will be a reason to open the strategic popcorn reserves.

    4. To the best of my knowledge there is only one Conservative MP with a degree in comp sci (David Davis). Oddly (?) he is also a civil libertarian. And the Government won't let him near IT stuff, perhaps because he actually might understand it. (He also opposed the latest benefit cuts).

      Conservatism in both the US and the UK: the more you know about a subject the further they keep you from actually making government policy on it. Climate change, science education, security, IT all ruled by the most ignorant.

    5. This government are making the UK a laughing stock. They may as well try to ban cheese.

      I'll sit back and watch as they get defeated on tax credits (Tories in hit the poor shocker), Junior doctors working hours (who only work an average of 90 hrs a week the lazy bastards), the deficit (which is increasing), immigration (which is increasing) and now encryption which will only affect UK citizens????

      The only thing they have done is increase the number of jobs. Shame that these are all low paid and part-time.

      Total bunch of fucktards.

    Continue the discussion bbs.boingboing.net

    29 more replies