In my latest Guardian column, I talk about the real danger from the UK Tories' plan to ban effective cryptography: not the initial mandate forcing companies to help spy on their users, but all the things we'll have to do when that doesn't work.
But that’s just for beginners, because, having swallowed a spider, the UK security establishment is going to have to swallow a bird to go in and get it. That’s because smart terrorists will seek out software that can be independently verified. Instead of using Facebook’s in-built crypto (or Android’s, or Apple’s, etc), they’ll run a free, open, best-of-breed program like the Gnu Privacy Guard (GPG) to scramble their messages. They don’t even have to give up Facebook! Just encrypt the messages before sending them – job done.
So the state has to control your use of software. They have to stop you from gaining access to working crypto, which is some of the most widespread, widely used software extant today. Every time you see a little padlock in your browser bar, you’re using crypto. There’s really only one kind of crypto that anyone uses: crypto with no known defects. There’s really no such thing as “strong” and “weak” crypto. In the very early days when computation was literally billions of times more expensive than it is today, programmers sometimes used shorter keys to accommodate underpowered computers – but today, the best technical practice is to use keys of sufficient length as to make it impractical for anyone to break them through brute force. “Weak crypto” is like “slightly fatal.”
It’s a safe assumption that any criminal who represents such an existential threat to the UK as to warrant these measures would be sufficiently motivated to seek out and install working software. Otherwise, the Snooper’s Charter is only proof against lazy and haphazard terrorists. Installing software isn’t rocket science.
There are millions of packages, sites, products and services that have good crypto. Blocking all these sinister dens of iniquity – like Github and Ubuntu and Openssl and Cyanogenmod – makes China’s Great Firewall look trivial by comparison. The Great British Firewall: the bird that catches the spider.
But that’s not enough, either. A thumbdrive, passed from hand to hand, could carry all the crypto that anyone would ever need to communicate in perfect security; a VPN would let Britons tunnel outside of the Great British Firewall to get at working code. To stop this, computers need to be redesigned to run like Iphones or PS4s, locked so that they’ll only run software that’s (cryptographically!) signed by the manufacturer, who, presumably, would get permission from Ofcomp for each package in their stores, ensuring that everything is designed to fulfill the mandate of allowing the state to listen in on anyone’s communication, at any time. Computers that only run state-approved software: the cat that catches the bird.
David Cameron, the 'snooper's charter' will not make us safer [Cory Doctorow/The Guardian]
Tobias von der Haar, CC-BY)