UK gov says new Home Sec will have powers to ban end-to-end encryption

During a committee stage debate in the UK's House of Lords yesterday, the government revealed that the Investigatory Powers Bill will provide any Secretary of State with the ability to force communication service providers (CSPs) to remove or disable end-to-end encryption. Earl Howe, a minister of state for defence and deputy …


  1. Version 1.0 Silver badge

    A legal work around?

    OK - so they want to ban encryption via communication service providers, aka phones I guess. But they can't stop the apps or be too zealous, otherwise on-line banking and a lot of other services are dead in the water.

    If it's breakable encryption then it will be broken quickly, if it's unbreakable encryption it will take a little longer.

    1. Anonymous Coward

      Re: A legal work around?

      > If it's breakable encryption then it will be broken quickly, if it's unbreakable encryption it will take a little longer.

      The only thing that will brute-force the AES-256 that most "strong" encryption uses, if it has a good passphrase, is a working quantum computer with more than a handful of qubits (256 qubits, perhaps? I'm not sure how they work) as well as a very high speed, which as I understand it is unlikely. However, all of this ridiculousness about banning encryption, to me means one or more of:

      1. They DON'T have a quantum computer powerful enough to break even the most basic encryption, and they won't for some time. They are worried that the terrists will get the upper hand, and they think they can legislate it away. See #4.

      2. They DO or very soon WILL have one, and the plan is to gently break the internet and force businesses to find some alternative before quantum computers become commonplace and completely bugger up everything. I personally believe this is NOT the case.

      3. Whether or not they can break it, They just want to fuck with you. Whoever complains the loudest must be a terrorist/paedophile/dissident. Welcome to Theresa May's Police State.

      4. They simply haven't a clue. This may be true of Amber Rudd, but I think May is much more canny. Rudd on the other hand famously didn't know the difference between a (generating) power station and a transformer substation, despite being secretary of state for energy. As Home Sec she'll just do exactly what she's told by May.

      In summary: Welcome to New Britain. As I said before Brexit: the one politician who benefits the most from voting leave was Theresa May - even ignoring the fact that it made her into PM with a sock-puppet Home Sec - the main thing holding her back was that the EU had a nice moderating effect on would-be totalitarian states. Now that we've "Taken back control", she can do whatever she likes. No more Human Rights Act, and no more pesky appeals to the ECHR. Soon we'll have indefinite detention without trial, like they have in the States, a ban on anonymity online (swipe your government ID card to access the internet, all posts with your real name please) and obviously a ban on hiding anything from government scrutiny, i.e. encryption. And anyone who objects too loudly will get a knock on the door from Theresa May's National Crime Agency.

      Anon, while it's still legal.

      Actually I just looked up what it would take for a quantum computer to break AES-256 and apparently it is quite hard. Basically it would take a quantum computer just as long to crack AES-256 as a normal computer takes to crack AES-128, which is a very long time.

      1. m0rt

        Re: A legal work around?

        Thing is, it is like saying "You may not blaspheme!"

        It will be ignored. You can't ban something that is made to make communications basics work. Either you will be ignored by those out of your jurisdiction, which results in you being left behind in the tech stakes. Or you will be ignored by those who commit crimes. Which means you will be laughed at. A lot.

        So...

        As you were. Say what you like, governmental eejits. You are about as effective as the policies you deem to be worthy.

      2. Anonymous Coward

        Re: A legal work around?

        > They DON'T have a quantum computer powerful enough to break even the most basic encryption, and they won't for some time.

        That's speculation - and to continue in that vein, they probably can't crack AES256 today but I would not put money on that being the case and they may not need to crack it if they have a backdoor. Backdoors can take many forms...

      3. P. Lee

        Re: A legal work around?

        I know this thread is going to go in the wrong direction, if it hasn't already.

        The target is comms providers - those providing the e2e capabilities. There is no ban being proposed, "only" the ability to decrypt sessions. That means what they want is the ability to tell comms providers to subvert their client functions on demand.

        My guess is this would be something like: on a given signal, the client should turn into a comms tap or (if both ends are under the comms provider's control) (also?) use a "trusted provider's" key which can be intercepted and decrypted.

        The targets are Apple, Facebook and the like, not Joe Bloggs with his FLOSS. This really isn't any different from the existing PSTN arrangement where telcos can tap on demand.

        Moral: Do your own encryption.

        1. Mark 65

          Re: A legal work around?

          Moral: Do your own encryption.

          Not in the literal sense hopefully. Use something like gpg but certainly never "your own encryption".

          The whole thing is just mouth flapping nonsense from people who have zero understanding of IT.

          1. Michael H.F. Wilkinson Silver badge

            Re: A legal work around?

            I have said it before, and will say it again, but politicians never listen: One-time pads are fundamentally unbreakable, and really not hard to make. The argument that CSPs are making a "safe haven for terrorists" is flawed, because it is rather easy to roll your own

            1. Anonymous Coward

              Re: A legal work around?

              "One-time pads are fundamentally unbreakable, and really not hard to make."

              BUT hard to SECURE. All the plods need to do is demand the pads, failure of which means two years in gaol, repeat ad nauseam.

              1. Chicago

                Re: A legal work around?

                Once you've used the pad to decrypt the ciphertext, roll it up and smoke it.

                If it's digital, just make sure it has been scrubbed. You can't turn over something you do not possess.
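The one-time pad points made in this sub-thread (unbreakable when used correctly, only as secure as the pad itself) can be shown in a few lines. The following is an added example, not code posted by any commenter: it implements the XOR one-time pad, shows why a ciphertext on its own carries no information (a pad exists that decrypts it to any plaintext of the same length), shows the classic failure when a pad is reused for two messages, and includes a best-effort scrub that illustrates the caveat in the comment above. The messages and the `wipe` helper are constructed for the example.

```python
"""One-time pad: unbreakable if the pad is random, secret and used once; broken on reuse.

Added example for the discussion above; messages below are constructed, not real traffic.
"""
import os


def generate_pad(length):
    """Pad bytes must come from a CSPRNG and be at least as long as the message."""
    return os.urandom(length)


def xor_bytes(a, b):
    """XOR two equal-length byte strings. A short or recycled pad is the classic mistake."""
    if len(a) != len(b):
        raise ValueError("pad length must equal message length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext, pad):
    return xor_bytes(plaintext, pad)


def otp_decrypt(ciphertext, pad):
    return xor_bytes(ciphertext, pad)


def pad_for(ciphertext, plaintext):
    """Perfect secrecy in one line: for any candidate plaintext of the right length there is a
    pad that yields this ciphertext, so the ciphertext alone proves nothing about the message."""
    return xor_bytes(ciphertext, plaintext)


def two_time_pad_leak(c1, c2):
    """If one pad encrypts two messages, XORing the ciphertexts cancels the pad: p1 XOR p2."""
    return xor_bytes(c1, c2)


def recover_other_plaintext(c1, c2, known_p1):
    """With the pad reused and one plaintext known (a fixed header, say), the other falls out."""
    return xor_bytes(two_time_pad_leak(c1, c2), known_p1)


def wipe(buf):
    """Best-effort scrub of a mutable buffer (bytearray).

    Caveat: Python cannot guarantee that no other copy of the pad exists (immutable bytes
    objects, interpreter internals, swap). Treat this as hygiene, not as proof of destruction.
    """
    for i in range(len(buf)):
        buf[i] = 0


if __name__ == "__main__":
    p1 = b"MEET AT 0900 HRS"          # constructed sample message
    p2 = b"MEET AT 2100 HRS"          # second message, same length
    pad = generate_pad(len(p1))
    c1 = otp_encrypt(p1, pad)
    assert otp_decrypt(c1, pad) == p1
    # Reusing the pad: the attacker never sees the pad, yet recovers p2 from c1, c2 and p1.
    c2 = otp_encrypt(p2, pad)
    print(recover_other_plaintext(c1, c2, p1))
    scratch = bytearray(pad)
    wipe(scratch)
```

The `pad_for` function is the reason "demand the pads" is the only attack that works against a correctly used one-time pad: without the genuine pad, every same-length plaintext is equally consistent with the ciphertext. The reuse functions are the reason "one-time" is not optional.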

        2. Peter Fairbrother 1

          Re: A legal work around?

          The ostensible target may be comms providers - but the actual target is "relevant operators". It includes a whole lot of other things apart from internet and phone providers (and Apple and Facebook).

          "Relevant operators" are persons who provide "any service that consists in the provision of access to, and of facilities for making use of, any telecommunication system (whether or not one provided by the person providing the service) [... including] any case where a service consists in or includes facilitating the creation, management or storage of communications transmitted, or that may be transmitted, by means of such a system."

          That would include many commercial sites who use SSL/TLS. If you put a "contact me" link on your web pages, you are a "relevant operator". Gimme your SSL keys!

          That's what the Bill actually says, if you read it carefully. Like RIPA, it is opaque beyond the point of obscurity, and it takes a lot of reading.

          Good points? Only encryption which has been applied by a "relevant operator" is affected - at least until the Home Secretary makes regulations otherwise (which she can do).

          Bad points? It doesn't do anything at all against the clued-up terrorist or criminal. It decreases security for legitimate actors and businesses.

          BTW, things said in the Lords (or Commons), even by Government spokesmen, have approximately zero legal significance. What the Courts look at is the wording of the Act.

    2. Xamol

      Re: A legal work around?

      It wouldn't break online banking because it's not a 'zero knowledge' system. i.e. the banks already hold the encryption keys so can already provide access to the unencrypted messages.

    3. Chicago

      Re: A legal work around?

      You are absolutely correct. If you outlaw end-to-end encryption, then you put amazon.com out of business. If you legislate a nanny system (backdoor) for end-to-end encryption, you've put every newsroom out of the Investigative Journalism business. If you destroy end-to-end encryption, you've just put barbarism back on the table for the so suddenly elegant criminal underbelly of society.

  2. alun phillips

    A suggestion

    Ministers should be forced to show a basic understanding of a subject before commenting, then we would be spared the time and energy of being incensed by these BS suggestions.

    1. Graham Cobb Silver badge

      Re: A suggestion

      The "safe spaces" aren't going away, whatever the government might do. That cat is well out of the bag. And it is a good thing too: it is a small step towards restoring law enforcement's powers back to historical norms. The last decade has been a complete aberration in police/spook intrusion.

      But, even if they don't agree, there is nothing they can do except make life hard for ordinary people. All this will do is massively reduce the UK's international competitiveness -- great idea at the time of Brexit!

    2. Steve Evans

      Re: A suggestion

      They should show a more than basic understanding of a subject before being paid to be the minister of it, not just commenting on it!

      The amazing thing is that all these speeches and sound bites are written by a team of civil servants in the particular parliamentary offices... None of whom seem to have the slightest clue!

      Let me summarise it for them...

      Dear idiots,

      Banning end-to-end encryption would disable ecommerce. Yes, that little padlock on your browser, that's encryption... It means your credit card information to amazon/ebay etc is safe from prying eyes.

      End-to-end encryption is how VPNs work... So no working from home any more... You'll all have to come into the office... Or take the information home on a USB stick, which can be left in a taxi.

      The bad guys will still use it. There are a million ways to transmit hidden information, some of it obvious, some of it less so like image steganography. Ebay could be (and might be) full of listings with secret messages in the item pictures, and you'd never know.

      But I'm sure you'll still waste a huge amount of our tax money employing "experts" to research this, and maybe even try to implement it, before it all collapses like almost any government IT related project.... Just make sure you give the contract to one of your "mates" ok...

    3. Anonymous Coward

      @Alun

      Unfortunately I think some understand perfectly well, the real problem is often that we're not being told what their true goal or purpose is. Simply put: would they apply this to themselves? I think not :/

    4. kdd

      Re: A suggestion

      Well, it's good to know what they'd *like* to do, keeps the issue on everyone's mind that you can't trust them with your communications. Otherwise, people will get lazy and not bother to protect their data, forgetting that it's all being archived somewhere for the convenience of such despots.

    5. lorisarvendu

      Re: A suggestion

      "Ministers should be forced to show a basic understanding of a subject before commenting, then we would be spared the time and energy of being incensed by these BS suggestions."

      I've been in IT since the 1990s and it has taken me some time to get my head round the mechanics of encryption, so the chances of any Govt Minister (who is after all only an MP elected through a 5-yearly opinion poll, not an expert in any particular field) being successfully brought up to speed within a week of gaining a Cabinet post are laughably small.

      But anyway, no matter how ill-informed their comments seem to be, I refuse to believe that the Civil Service department they are in charge of doesn't include people who do understand the subject. The Home Office may be headed by a person whose tenure is likely to be no more than 5 years, but the "cockroaches of government" (to quote Torchwood's Mr. Dekker) have years worth of experience in Finance, Foreign Affairs, Economics and IT.

      Which is why statements like this never get past the sound-bite stage before the people who actually do the work say "sorry, what you ask is impossible, no can do."

      Note that these yearly pronouncements (on both sides of the Atlantic I might add) always focus on the Criminal aspects, claiming that encryption is the tool of the terrorist, and never ever mention how it underpins almost all secure financial communication on the interwebz. All the electorate seems to be told is that SCIS (aka "So-called Islamic State" - I hereby trademark this acronym!) use encryption to communicate their nefarious plans, therefore encryption is bad. However in the next breath they tell us that Crims and Fraudsters are trying to steal our credit cards and bank details, and thank God we have encryption.

      It's non-joined up Govt spin, vote-grabbing and stroking the electorate, (90% of whom know as little about the technicalities of encryption as most MPs).

  3. caffeine addict

    Once again, UK.gov thinks that the impossible is possible, and that the internet is something that has to comply with random UK laws.

    I'm so glad that we've now got a PM who knows better than... oh. Oh bugger.

    1. TheOtherHobbes

      I think we need a purge of clueless fuckwits from high office.

      Some kind of basic test would do - something equivalent to the 11-plus, but for STEM.

      Can't pass? Don't get the job. Do not pass go. Do not get a pension. Do not collect a knighthood and a stupid hat from the Queen.

      1. Ken Hagan Gold badge

        "Can't pass? Don't get the job."

        I think the problem is defining the job.

        For civil servants, requiring some sort of qualifications in whatever it is they are administering sounds like an excellent idea, perfectly consistent with normal employment practices, the only barrier is that all those PPE and Classics graduates would have to retire because there are no jobs for those, ahem, skillsets.

        For politicians, getting elected pretty much *is* the job. Sadly, with party structures being what they are, that's a terrifyingly low bar. Perhaps we need to re-think what their role is once they get into office. I like the principle that we can put *whoever we choose* into a position where they have oversight over everything the experts do. I don't like the fact they tend to grab hold of the reins of power and start telling the experts what is and isn't possible.

  4. Aaiieeee

    "if then followed by other nations with perhaps less security than ours"

    Surely then *we* become said nation with less security.

    Also it seems that "encryption" is perceived to be something that can be "solved" by implementing a "system". There will be nothing the CSPs can do with properly encrypted data other than block it - they can't magically decrypt it "because the gov rules so"

    1. Anonymous Coward

      Re: "if then followed by other nations with perhaps less security than ours"

      But they can't block it and they know it.

      1. Charles 9

        Re: "if then followed by other nations with perhaps less security than ours"

        Not even with a whitelist and whitewashing of unencrypted data?

  5. Vinyl-Junkie

    I wait with interest...

    ...to see how they are going to impose this on my Czech-based VPN provider!

    1. Tom Chiverton 1

      Re: I wait with interest...

      Block SSL HELLO messages that use unknown keys.

      Just one way.

      1. Paul

        Re: I wait with interest...

        Then all we do is use a different encryption wrapper so that the plain text part of the handshake looks different.

        If the government think and try to block unauthorised types of encryption, then the only people who will be affected will be the dumb and lazy and technically ignorant people, who are likely to be the least interesting.

        1. Anonymous Coward

          Re: I wait with interest...

          "If the government think and try to block unauthorised types of encryption, then the only people who will be affected will be the dumb and lazy and technically ignorant people, who are likely to be the least interesting."

          You forget that RIPA was the obvious and necessary response to 9/11 and all the other subsequent terrorist incidents it prevented, such as 7/7. Just like Snoopers' Charter #1 (struck down in Court by David Davis, you couldn't make it up), and now this, will be motivated after the fact by other perfect government prescience. But clearly you're one of those nay-sayers who think none of this was ever about terrorism.

          (/irony)

          Anyway, CSPs aren't close to the most dangerous parts of the IPB as drafted, because arguably its effects might include *promoting* terrorism. I hope I'm wrong on that, but that's the occupational hazard for hackers and governments alike when they develop rootkits, even "legislative" ones - anyone can exploit them. Including other governments and other players with access to our communications infrastructure.

          [oh, and read the brilliantly innocuous Civil Contingencies Act 2004. It's quite short. A little bit like an old-fashioned symmetric key to decipher not only all other Home Office legislation, but also the occasional unnerving event such as one of the government's responses to the GFC]

        2. Charles 9

          Re: I wait with interest...

          "then all we do is use a different encryption wrapper so that the plain text part of the handshake looks different."

          They then use DPI to detect if it's genuine or not and whitewash anything that can potentially not be kosher such as text, images, sound, and videos.

      2. Charlie Clark Silver badge

        Re: I wait with interest...

        Block SSL HELLO messages that use unknown keys.

        Well done, as if there is no way around that: Skype worked out how to do it over a decade ago. Switch ports, switch protocols, change the message from HELLO to EHLLO.

        If governments carry on with this nonsense all they'll be doing is effectively sponsoring invisible encryption with everything wrapped in dummy packets to look innocuous.
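The exchange above turns on what a filter at the ISP can actually see in a TLS handshake. As an added example (not code from any commenter), the block below builds a constructed TLS ClientHello, parses the plaintext fields a middlebox can read (version, cipher suites, the SNI host name and, for TLS 1.3 style hellos, the ephemeral `key_share`), and runs a hypothetical whitelist policy over it. The ClientHello never carries a secret key: TLS 1.2 has no key in it at all, and the TLS 1.3 `key_share` is a fresh public value per connection, so "unknown keys" is not something a filter can key on; in practice such filters key on the SNI, which is exactly the field a different wrapper can omit or fake. The `middlebox_verdict` policy and all packets are assumptions constructed for this example.

```python
"""Parse the plaintext part of a TLS ClientHello, as a DPI box on the wire would see it.

Added example for the discussion above. The sample hellos are constructed, not captured.
"""
import struct

TLS_HANDSHAKE = 0x16
HELLO_CLIENT = 0x01
EXT_SNI = 0x0000
EXT_KEY_SHARE = 0x0033


def build_client_hello(sni, cipher_suites, key_share=None):
    """Assemble a minimal ClientHello record (constructed test input, TLS 1.2 framing)."""
    exts = b""
    if sni is not None:
        host = sni.encode()
        name = struct.pack("!BH", 0, len(host)) + host           # name_type host_name(0)
        body = struct.pack("!H", len(name)) + name
        exts += struct.pack("!HH", EXT_SNI, len(body)) + body
    if key_share is not None:
        # TLS 1.3 key_share: one entry, group x25519 (0x001d), client's ephemeral public key
        entry = struct.pack("!HH", 0x001D, len(key_share)) + key_share
        body = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_KEY_SHARE, len(body)) + body
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    hello = (
        b"\x03\x03"                                      # client_version TLS 1.2
        + bytes(32)                                      # random (zeros: constructed sample)
        + b"\x00"                                        # empty session_id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                    # one compression method: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = struct.pack("!B", HELLO_CLIENT) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


def parse_client_hello(raw):
    """Return the plaintext fields a middlebox can read, or None if this is not a ClientHello."""
    if len(raw) < 9 or raw[0] != TLS_HANDSHAKE or raw[5] != HELLO_CLIENT:
        return None
    rec_len = struct.unpack("!H", raw[3:5])[0]
    hs_len = int.from_bytes(raw[6:9], "big")
    if rec_len != hs_len + 4 or len(raw) != 5 + rec_len:    # lengths must agree
        return None
    p = 9
    version = raw[p:p + 2]; p += 2
    p += 32                                                 # client random
    sid_len = raw[p]; p += 1 + sid_len
    cs_len = struct.unpack("!H", raw[p:p + 2])[0]; p += 2
    suites = [struct.unpack("!H", raw[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    comp_len = raw[p]; p += 1 + comp_len
    info = {"version": version.hex(), "cipher_suites": suites, "sni": None, "key_share": None}
    if p + 2 > len(raw):
        return info                                         # no extensions block
    ext_len = struct.unpack("!H", raw[p:p + 2])[0]; p += 2
    end = p + ext_len
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", raw[p:p + 4]); p += 4
        data = raw[p:p + elen]; p += elen
        if etype == EXT_SNI and len(data) >= 5:
            name_len = struct.unpack("!H", data[3:5])[0]
            info["sni"] = data[5:5 + name_len].decode("ascii", "replace")
        elif etype == EXT_KEY_SHARE:
            info["key_share"] = data.hex()                  # public, ephemeral; useless for decryption
    return info


def middlebox_verdict(raw, allowed_hosts):
    """Hypothetical whitelist filter: pass only ClientHellos naming an approved host.

    Anything that is not a recognisable TLS ClientHello is reported separately, because a
    blanket block on it also kills every non-TLS protocol on the wire.
    """
    info = parse_client_hello(raw)
    if info is None:
        return "not-tls"
    return "allow" if info["sni"] in allowed_hosts else "block"


if __name__ == "__main__":
    hello = build_client_hello("www.example.com", [0x1301, 0xC02F], key_share=bytes(range(32)))
    print(parse_client_hello(hello))
    print(middlebox_verdict(hello, {"www.example.com"}))
```

Run against the constructed hellos, the filter allows the whitelisted name, blocks an unlisted one, blocks a hello with no SNI at all, and has nothing to say about a payload that does not look like TLS; that last case is the wrapper the replies above describe.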

    2. Mutton Jeff

      Re: I wait with interest...

      They won't, they'll just cuff you for using it.

    3. fruitoftheloon

      @Vinyl Junkie: Re: I wait with interest...

      VJ,

      It looks like one needs to start figuring out how this VPN thingy works, could you recommend preferred VPN providers?

      Have a bevy on me, it's Friday!!!

      Cheers,

      Jay

      1. Vinyl-Junkie

        Re: @Vinyl Junkie: I wait with interest...

        As I use Avast! Internet Premium I simply added their VPN package - seems to work okay.

      2. John Adam

        Re: @Vinyl Junkie: I wait with interest...

        Hey Jay,

        I am a small business owner and use the business VPN from PureVPN. The three main benefits of a VPN are security, anonymity and protection of online data.

        Have fun ;)

        John

  6. Alister

    Maybe they should also include in the Bill, that the Secretary of State be granted the power to sit on a beach and tell the tide to stop coming in?

    It would be consistent, and equally effective.

    1. Anonymous Coward

      Yep, the idea could only come from a bunch of Cnuts

    2. PNGuinn

      @Alister

      Only if the bill also contains the following clause:

      "Secretary of State to be securely fixed to the beach for the full duration of the tide. See Annex A"

      "Annex A: No breathing apparatus to be provided or allowed"

      1. Anonymous Coward

        Re: @Alister

        Must also specify the Severn Estuary. Otherwise, they'll just pick a spot with weaker tides and be able to ride it out.

        PS. There's also the possibility the person in question is undead and therefore doesn't HAVE to breathe.

  7. MatsSvensson

    Well good for you UK.

    I guess now there is nothing left

    but to enjoy your well earned comforts of everyday routine,

    the security of the familiar, the tranquility of repetition.

    Go tuck yourself in.

  8. Aaiieeee

    Additional thought:

    What do these people think encryption is for if they presume it can be broken and the contents read when required?

    Like.. it doesn't make any sense!

  9. Danny 5

    Wow

    They truly have no idea what this law would imply, do they?

    To think that ISPs can somehow control encryption is ridiculous and the idea of trying to enforce breakable encryption is one of the dumbest things I've ever heard. Why do governments have so little knowledge of how technology works? It's time these people get educated on the subject, because now they're just wasting time.

    1. Velv

      Re: Wow

      They watch TV and movies.

      Let's face it there wouldn't be a good story if the hero couldn't break the unbreakable code.

      10 minutes into a real world movie...

      Hero: "might as well just go home now, it's end-to-end encrypted with a secure cypher. Yes, I can break it, but you'll need to give me a few hundred years and access to a supercomputer"

      Fin

      <role credits>

      1. Haku

        Re: Wow

        Reminds me of some TV programme about James Bond where someone in the props department got a call from the 'let's kill the bad guys' department of the government, very interested in the underwater breathing apparatus shown in Thunderball, wanting to know how long it would enable someone to breathe underwater for - the answer they received was 'for as long as the person can hold their breath...'

        Half makes you wonder if someone in the government thinks that a flesh covered metal man could come back in time to prevent a future global war from being stopped.

        Well I suppose it is possible, I mean there are already reports of security robots attacking people.

        1. Anonymous Coward

          Re: Wow

          'Half makes you wonder if someone in the government thinks that a flesh covered metal man could come back in time to prevent a future global war from being stopped.'

          Such a hypothesis would go a long way towards explaining our new Prime Minister.

        2. Roj Blake Silver badge

          Re: Wow

          See also the Chilcot Report, where it's revealed that the dodgy dossier's description of Saddam's bioweapons was lifted from "The Rock"

      2. Havin_it

        Re: Wow

        ><role credits>

        Why just the role credits? Don't the crew and the catering truck deserve a mention too?

        Or did you mean "Roll credits"?

        (Agree with your thesis though.)

    2. Dan 55 Silver badge

      Re: Wow

      I went and Googled Earl Howe's education. Guess what, it's not STEM. It's "Mods and Greats" and Latin verse at Oxford.

      He has no more idea about what e2e encryption and backdoors are than Larry the cat does.

      1. Anonymous Coward

        Re: Wow

        I blame The Avengers myself. That bit in -I think it's- Age of Ultron where Tony Stark goes into that room "the whole internet goes through" and finds who's trying to break nuclear codes or whatever.

        Some twat saw that and believed that it was real, I'm sure.

        1. Adrian 4

          Re: Wow

          Of course it does.

          https://xkcd.com/908/

      2. Anonymous Coward

        Re: Wow

        > He has no more idea about what e2e encryption and backdoors are than Larry the cat does.

        Methinks you're being unfair to Larry...
