UK gov says new Home Sec will have powers to ban end-to-end encryption

During a committee stage debate in the UK's House of Lords yesterday, the government revealed that the Investigatory Powers Bill will provide any Secretary of State with the ability to force communication service providers (CSPs) to remove or disable end-to-end encryption. Earl Howe, a minister of state for defence and deputy …

  1. Version 1.0

    A legal work around?

    OK - so they want to ban encryption via communication service providers, aka phones I guess. But they can't stop the apps or be too zealous, otherwise on-line banking and a lot of other services are dead in the water.

    If it's breakable encryption then it will be broken quickly, if it's unbreakable encryption it will take a little longer.

    1. Anonymous Coward

      Re: A legal work around?

      > If it's breakable encryption then it will be broken quickly, if it's unbreakable encryption it will take a little longer.

      The only thing that will brute-force AES256 that most "strong" encryption uses, if it has a good passphrase, is a working quantum computer with more than a handful of qubits (256 qubits, perhaps? I'm not sure how they work) as well as a very high speed, which as I understand it is unlikely. However, all of this ridiculousness about banning encryption, to me means one or more of:

      1. They DON'T have a quantum computer powerful enough to break even the most basic encryption, and they won't for some time. They are worried that the terrists will get the upper hand, and they think they can legislate it away. See #4.

      2. They DO or very soon WILL have one, and the plan is to gently break the internet and force businesses to find some alternative before quantum computers become commonplace and completely bugger up everything. I personally believe this is NOT the case.

      3. Whether or not they can break it, They just want to fuck with you. Whoever complains the loudest must be a terrorist/paedophile/dissident. Welcome to Theresa May's Police State.

      4. They simply haven't a clue. This may be true of Amber Rudd, but I think May is much more canny. Rudd on the other hand famously didn't know the difference between a (generating) power station and a transformer substation, despite being secretary of state for energy. As Home Sec she'll just do exactly what she's told by May.

      In summary: Welcome to New Britain. As I said before the brexit: The one politician who benefits the most from voting leave was Theresa May - even ignoring the fact that it made her into PM with a sock-puppet Home Sec - the main thing holding her back was that the EU had a nice moderating effect on would-be totalitarian states. Now that we've "Taken back control", she can do whatever she likes. No more Human Rights Act, and no more pesky appeals to the ECHR. Soon we'll have indefinite detention without trial, like they have in the States, a ban on anonymity online (swipe your government ID card to access the internet, all posts with your real name please) and obviously a ban on hiding anything from government scrutiny, i.e. encryption. And anyone who objects too loudly will get a knock on the door from Theresa May's National Crime Agency.

      Anon, while it's still legal.

      Actually I just looked up what it would take for a Quantum Computer to break AES256 and apparently it is quite hard. Basically it would take a quantum computer just as long to crack AES256 as a normal computer takes to crack AES128, which is a very long time.

      1. m0rt

        Re: A legal work around?

        Thing is, it is like saying "You may not blaspheme!"

        It will be ignored. You can't ban something that is made to make communications basics work. Either you will be ignored by those out of your jurisdiction, which results in you being left behind in the tech stakes. Or you will be ignored by those who commit crimes. Which means you will be laughed at. A lot.

        So...

        As you were. Say what you like, governmental eejits. You are about as effective as the policies you deem to be worthy.

      2. Anonymous Coward

        Re: A legal work around?

        > They DON'T have a quantum computer powerful enough to break even the most basic encryption, and they won't for some time.

        That's speculation - and to continue in that vein, they probably can't crack AES256 today but I would not put money on that being the case and they may not need to crack it if they have a backdoor. Backdoors can take many forms...

      3. P. Lee

        Re: A legal work around?

        I know this thread is going to go in the wrong direction, if it hasn't already.

        The target is comms providers - those providing the e2e capabilities. There is no ban being proposed, "only" the ability to decrypt sessions. That means what they want is the ability to tell comms providers to subvert their client functions on demand.

        My guess this would be something like: on a given signal, the client should turn into a comms tap or (if both ends are under the comms provider's control) (also?) use a "trusted provider's" key which can be intercepted and decrypted.

        The targets are Apple, Facebook and the like, not Joe Bloggs with his FLOSS. This really isn't any different from the existing PSTN arrangement where telcos can tap on demand.

        Moral: Do your own encryption.

        1. Mark 65

          Re: A legal work around?

          Moral: Do your own encryption.

          Not in the literal sense hopefully. Use something like gpg but certainly never "your own encryption".

          The whole thing is just mouth flapping nonsense from people who have zero understanding of IT.

          1. Michael H.F. Wilkinson

            Re: A legal work around?

            I have said it before, and will say it again, but politicians never listen: One-time pads are fundamentally unbreakable, and really not hard to make. The argument that CSPs are making a "safe haven for terrorists" is flawed, because it is rather easy to roll your own.

            1. Anonymous Coward

              Re: A legal work around?

              "One-time pads are fundamentally unbreakable, and really not hard to make."

              BUT hard to SECURE. All the plods need to do is demand the pads, failure of which means two years in gaol, repeat ad nauseum.

              1. Chicago

                Re: A legal work around?

                Once you've used the pad to decrypt the cyphertext, roll it up and smoke it.

                If it's digital, just make sure it has been scrubbed. You can't turn over something you do not possess.
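Michael H.F. Wilkinson's point that a one-time pad is easy to make, and the replies that the hard part is keeping and then destroying the pad, as a worked example. This is added here and is not code from anyone in the thread. The two messages and the guessed word are constructed. It also shows the classic failure mode: use the same pad for two messages and the two ciphertexts XOR to the two plaintexts, so a guessed word in one message reads the other at that offset.

```python
import secrets


def make_pad(length):
    """Fresh pad from the OS CSPRNG. A pad must be truly random, at least as
    long as the message, and used exactly once. Returned as a bytearray so it
    can be zeroed in place afterwards."""
    return bytearray(secrets.token_bytes(length))


def otp_xor(data, pad):
    """XOR data with the pad; encryption and decryption are the same operation.
    Refuses a pad shorter than the data: cycling or stretching a pad turns a
    one-time pad into a weak repeating-key cipher."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than data: never stretch or reuse a pad")
    return bytes(d ^ p for d, p in zip(data, pad))


def wipe(pad):
    """Best-effort in-place zeroing of a bytearray pad after use (Chicago's
    'roll it up and smoke it'). It does not reach copies the interpreter may
    hold, swap, or copies on disk; treat it as hygiene, not a guarantee."""
    for i in range(len(pad)):
        pad[i] = 0


def crib_drag(c1, c2, crib):
    """The two-time-pad failure. If one pad encrypted both messages then
    c1 XOR c2 == m1 XOR m2 (the pad cancels). XORing a guessed word ('crib')
    from one message at each offset yields the other message's bytes there;
    offsets where the result is printable are returned as candidates."""
    n = min(len(c1), len(c2))
    x = bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))
    hits = []
    for i in range(len(x) - len(crib) + 1):
        candidate = bytes(a ^ b for a, b in zip(x[i:i + len(crib)], crib))
        if all(32 <= ch < 127 for ch in candidate):
            hits.append((i, candidate))
    return hits


def demo():
    """Constructed sample: one correct round trip, then the reuse mistake."""
    m1 = b"meet at noon."   # constructed message 1
    m2 = b"send the pads"   # constructed message 2, same length
    pad = make_pad(len(m1))
    c1 = otp_xor(m1, pad)
    assert otp_xor(c1, pad) == m1        # correct use: decrypts cleanly
    c2 = otp_xor(m2, pad)                # the mistake: same pad a second time
    leaks = crib_drag(c1, c2, b"noon")   # attacker guesses a word in m1
    wipe(pad)                            # destroy the pad once finished
    return leaks                         # contains (8, b" pad'): m2's text at offset 8


if __name__ == "__main__":
    for offset, text in demo():
        print(offset, text)
```

The interesting line is the return value of `demo()`: with no key material at all, the guessed word "noon" at offset 8 of the first message hands back " pad" from the second. That is why the pad, not the cipher, is the thing that has to be protected and then destroyed.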

        2. Peter Fairbrother 1

          Re: A legal work around?

          The ostensible target may be comms providers - but the actual target is "relevant operators". It includes a whole lot of other things apart from internet and phone providers (and Apple and Facebook).

          "Relevant operators" are persons who provide "any service that consists in the provision of access to, and of facilities for making use of, any telecommunication system (whether or not one provided by the person providing the service) [... including] any case where a service consists in or includes facilitating the creation, management or storage of communications transmitted, or that may be transmitted, by means of such a system."

          That would include many commercial sites who use SSL/TLS. If you put a "contact me" link on your web pages, you are a "relevant operator". Gimme your SSL keys!

          That's what the Bill actually says, if you read it carefully. Like RIPA, it is opaque beyond the point of obscurity, and it takes a lot of reading.

          Good points? Only encryption which has been applied by a "relevant operator" is affected - at least until the Home Secretary makes regulations otherwise (which she can do).

          Bad points? It doesn't do anything at all against the clued-up terrorist or criminal. It decreases security for legitimate actors and businesses.

          BTW, things said in the Lords (or Commons), even by Government spokesmen, have approximately zero legal significance. What the Courts look at is the wording of the Act.

    2. Xamol

      Re: A legal work around?

      It wouldn't break online banking because it's not a 'zero knowledge' system. i.e. the banks already hold the encryption keys so can already provide access to the unencrypted messages.

    3. Chicago

      Re: A legal work around?

      You are absolutely correct. If you outlaw end-to-end encryption, then you put amazon.com out of business. If you legislate a nanny system (backdoor) for end-to-end encryption, you've put every newsroom out of the Investigative Journalism business. If you destroy end-to-end encryption, you've just put barbarism back on the table for the so suddenly elegant criminal underbelly of society.

  2. alun phillips

    A suggestion

    Ministers should be forced to show a basic understanding of a subject before commenting, then we would be spared the time and energy of being incensed by these BS suggestions.

    1. Graham Cobb

      Re: A suggestion

      The "safe spaces" aren't going away, whatever the government might do. That cat is well out of the bag. And it is a good thing too: it is a small step towards restoring law enforcement's powers back to historical norms. The last decade has been a complete aberration in police/spook intrusion.

      But, even if they don't agree, there is nothing they can do except make life hard for ordinary people. All this will do is massively reduce the UK's international competitiveness -- great idea at the time of Brexit!

    2. Steve Evans

      Re: A suggestion

      They should show a more than basic understanding of a subject before being paid to be the minister of it, not just commenting on it!

      The amazing thing is that all these speeches and sound bites are written by a team of civil servants in the particular parliamentary offices... None of whom seem to have the slightest clue!

      Let me summarise it for them...

      Dear idiots,

      Banning end to end encryption would disable ecommerce. Yes, that little padlock on your browser, that's encryption... It means your credit card information to amazon/ebay etc is safe from prying eyes.

      End to end encryption is how VPNs work... So no working from home any more... You'll all have to come into the office... Or take the information home on a USB stick, which can be left in a taxi.

      The bad guys will still use it. There are a million ways to transmit hidden information, some of it obvious, some of it less so like image steganography. Ebay could be (and might be) full of listings with secret messages in the item pictures, and you'd never know.

      But I'm sure you'll still waste a huge amount of our tax money employing "experts" to research this, and maybe even try to implement it, before it all collapses like almost any government IT related project.... Just make sure you give the contract to one of your "mates" ok...

    3. Anonymous Coward

      @Alun

      Unfortunately I think some understand perfectly well, the real problem is often that we're not being told what their true goal or purpose is. Simply put: would they apply this to themselves? I think not :/

    4. kdd

      Re: A suggestion

      Well, it's good to know what they'd *like* to do, keeps the issue on everyone's mind that you can't trust them with your communications. Otherwise, people will get lazy and not bother to protect their data, forgetting that it's all being archived somewhere for the convenience of such despots.

    5. lorisarvendu

      Re: A suggestion

      "Ministers should be forced to show a basic understanding of a subject before commenting, then we would be spared the time and energy of being incensed by these BS suggestions."

      I've been in IT since the 1990s and it has taken me some time to get my head round the mechanics of encryption, so the chances of any Govt Minister (who is after all only an MP elected through a 5-yearly opinion poll, not an expert in any particular field) being successfully brought up to speed within a week of gaining a Cabinet post are laughably small.

      But anyway, no matter how ill-informed their comments seem to be, I refuse to believe that the Civil Service department they are in charge of doesn't include people who do understand the subject. The Home Office may be headed by a person whose tenure is likely to be no more than 5 years, but the "cockroaches of government" (to quote Torchwood's Mr. Dekker) have years worth of experience in Finance, Foreign Affairs, Economics and IT.

      Which is why statements like this never get past the sound-bite stage before the people who actually do the work say "sorry, what you ask is impossible, no can do."

      Note that these yearly pronouncements (on both sides of the Atlantic I might add) always focus on the Criminal aspects, claiming that encryption is the tool of the terrorist, and never ever mention how it underpins almost all secure financial communication on the interwebz. All the electorate seems to be told is that SCIS (aka "So-called Islamic State" - I hereby trademark this acronym!) use encryption to communicate their nefarious plans, therefore encryption is bad. However in the next breath they tell us that Crims and Fraudsters are trying to steal our credit cards and bank details, and thank God we have encryption.

      It's non-joined up Govt spin, vote-grabbing and stroking the electorate, (90% of whom know as little about the technicalities of encryption as most MPs).

  3. caffeine addict

    Once again, UK.gov thinks that the impossible is possible, and that the internet is something that has to comply with random UK laws.

    I'm so glad that we've now got a PM who knows better than... oh. Oh bugger.

    1. TheOtherHobbes

      I think we need a purge of clueless fuckwits from high office.

      Some kind of basic test would do - something equivalent to the 11-plus, but for STEM.

      Can't pass? Don't get the job. Do not pass go. Do not get a pension. Do not collect a knighthood and a stupid hat from the Queen.

      1. Ken Hagan

        "Can't pass? Don't get the job."

        I think the problem is defining the job.

        For civil servants, requiring some sort of qualifications in whatever it is they are administering sounds like an excellent idea, perfectly consistent with normal employment practices, the only barrier is that all those PPE and Classics graduates would have to retire because there are no jobs for those, ahem, skillsets.

        For politicians, getting elected pretty much *is* the job. Sadly, with party structures being what they are, that's a terrifyingly low bar. Perhaps we need to re-think what their role is once they get into office. I like the principle that we can put *whoever we choose* into a position where they have oversight over everything the experts do. I don't like the fact they tend to grab hold of the reins of power and start telling the experts what is and isn't possible.

  4. Aaiieeee

    "if then followed by other nations with perhaps less security than ours"

    Surely then *we* become said nation with less security.

    Also it seems that "encryption" is perceived to be something that can be "solved" by implementing a "system". There will be nothing the CSPs can do with properly encrypted data other than block it - they can't magically decrypt it "because the gov rules so".

    1. Anonymous Coward

      Re: "if then followed by other nations with perhaps less security than ours"

      But they can't block it and they know it.

      1. Charles 9

        Re: "if then followed by other nations with perhaps less security than ours"

        Not even with a whitelist and whitewashing of unencrypted data?

  5. Vinyl-Junkie

    I wait with interest...

    ...to see how they are going to impose this on my Czech-based VPN provider!

    1. Tom Chiverton 1

      Re: I wait with interest...

      Block SSL HELLO messages that use unknown keys.

      Just one way.

      1. Paul

        Re: I wait with interest...

        then all we do is use a different encryption wrapper so that the plain text part of the handshake looks different.

        if the government think and try to block unauthorised types of encryption, then the only people who will be affected will be the dumb and lazy and technically ignorant people, who are likely to be the least interesting.

        1. Anonymous Coward

          Re: I wait with interest...

          "if the government think and try to block unauthorised types of encryption, then the only people who will be affected will be the dumb and lazy and technically ignorant people, who are likely to be the least interesting."

          You forget that RIPA was the obvious and necessary response to 9/11 and all the other subsequent terrorist incidents it prevented, such as 7/7. Just like Snoopers' Charter #1 (struck down in Court by David Davis, you couldn't make it up), and now this, will be motivated after the fact by other perfect government prescience. But clearly you're one of those nay-sayers who think none of this was ever about terrorism.

          (/irony)

          Anyway, CSPs aren't close to the most dangerous parts of the IPB as drafted, because arguably its effects might include *promoting* terrorism. I hope I'm wrong on that, but that's the occupational hazard for hackers and governments alike when they develop rootkits, even "legislative" ones - anyone can exploit them. Including other governments and other players with access to our communications infrastructure.

          [oh, and read the brilliantly innocuous Civil Contingencies Act 2004. It's quite short. A little bit like an old-fashioned symmetric key to decipher not only all other Home Office legislation, but also the occasional unnerving event such as one of the government's responses to the GFC]

        2. Charles 9

          Re: I wait with interest...

          "then all we do is use a different encryption wrapper so that the plain text part of the handshake looks different."

          They then use DPI to detect if it's genuine or not and whitewash anything that can potentially not be kosher such as text, images, sound, and videos.

      2. Charlie Clark

        Re: I wait with interest...

        Block SSL HELLO messages that use unknown keys.

        Well done, as if there is no way around that: Skype worked out how to do it over a decade ago. Switch ports, switch protocols, change the message from HELLO to EHLLO.

        If governments carry on with this nonsense all they'll be doing is effectively sponsoring invisible encryption with everything wrapped in dummy packets to look innocuous.

    2. Mutton Jeff

      Re: I wait with interest...

      They won't, they'll just cuff you for using it.

    3. fruitoftheloon

      @Vinyl Junkie: Re: I wait with interest...

      VJ,

      It looks like one needs to start figuring out how this VPN thingy works, could you recommend preferred VPN providers?

      Have a bevy on me, it's Friday!!!

      Cheers,

      Jay

      1. Vinyl-Junkie

        Re: @Vinyl Junkie: I wait with interest...

        As I use Avast! Internet Premium I simply added their VPN package - seems to work okay.

      2. John Adam

        Re: @Vinyl Junkie: I wait with interest...

        Hey Jay,

        I am a small business owner using the business VPN from PureVPN. The three main benefits of a VPN are security, anonymity and protection of online data.

        Have fun ;)

        John

  6. Alister

    Maybe they should also include in the Bill, that the Secretary of State be granted the power to sit on a beach and tell the tide to stop coming in?

    It would be consistent, and equally as effective.

    1. Anonymous Coward

      Yep, the idea could only come from a bunch of Cnuts

    2. PNGuinn

      @Alister

      Only if the bill also contains the following clause:

      "Secretary of State to be securely fixed to the beach for the full duration of the tide. See Annex A"

      "Annex A: No breathing apparatus to be provided or allowed"

      1. Anonymous Coward

        Re: @Alister

        Must also specify the Severn Estuary. Otherwise, they'll just pick a spot with weaker tides and be able to ride it out.

        PS. There's also the possibility the person in question is undead and therefore doesn't HAVE to breathe.

  7. MatsSvensson

    Well good for you UK.

    I guess now there is nothing left

    but to enjoy your well earned comforts of everyday routine,

    the security of the familiar, the tranquility of repetition.

    Go tuck yourself in.

  8. Aaiieeee

    Additional thought:

    What do these people think encryption is for if they presume it can be broken and the contents read when required?

    Like.. it doesn't make any sense!

  9. Danny 5

    Wow

    They truly have no idea what this law would imply, do they?

    To think that ISPs can somehow control encryption is ridiculous and the idea of trying to enforce breakable encryption is one of the dumbest things I've ever heard. Why do governments have so little knowledge of how technology works? It's time these people get educated on the subject, because now they're just wasting time.

    1. Velv

      Re: Wow

      They watch TV and movies.

      Let's face it there wouldn't be a good story if the hero couldn't break the unbreakable code.

      10 minutes into a real world movie...

      Hero: "might as well just go home now, it's end to end encrypted with a secure cypher. Yes, I can break it, but you'll need to give me a few hundred years and access to a supercomputer"

      Fin

      <role credits>

      1. Haku

        Re: Wow

        Reminds me of some tv programme about James Bond where someone in the props department got a call from the 'lets kill the bad guys' department of the government, very interested in the underwater breathing apparatus shown in Thunderball, wanting to know how long it would enable someone to breathe underwater for - the answer they received was 'for as long as the person can hold their breath...'

        Half makes you wonder if someone in the government thinks that a flesh covered metal man could come back in time to prevent a future global war from being stopped.

        Well I suppose it is possible, I mean there are already reports of security robots attacking people.

        1. Anonymous Coward

          Re: Wow

          'Half makes you wonder if someone in the government thinks that a flesh covered metal man could come back in time to prevent a future global war from being stopped.'

          Such a hypothesis would go a long way towards explaining our new Prime Minister.

        2. Roj Blake

          Re: Wow

          See also the Chilcot Report, where it's revealed that the dodgy dossier's description of Saddam's bioweapons was lifted from "The Rock"

      2. Havin_it

        Re: Wow

        ><role credits>

        Why just the role credits? Don't the crew and the catering truck deserve a mention too?

        Or did you mean "Roll credits"?

        (Agree with your thesis though.)

    2. Dan 55

      Re: Wow

      I went and Googled Earl Howe's education. Guess what, it's not STEM. It's "Mods and Greats" and Latin verse at Oxford.

      He has no more idea about what e2e encryption and backdoors are than Larry the cat does.

      1. Anonymous Coward

        Re: Wow

        I blame The Avengers myself. That bit in -I think it's- Age of Ultron where Tony Stark goes into that room "the whole internet goes through" and finds who's trying to break nuclear codes or whatever.

        Some twat saw that and believed that it was real, I'm sure.

        1. Adrian 4

          Re: Wow

          Of course it does.

          https://xkcd.com/908/

      2. Anonymous Coward

        Re: Wow

        > He has no more idea about what e2e encryption and backdoors are than Larry the cat does.

        Methinks you're being unfair to Larry...

      3. TheProfessorY

        Re: Wow

        I think Larry would know quite a lot. Does No. 10 have a cat flap in the back door?

    3. Peter Gathercole

      Re: Wow @Danny 5

      They don't have to control encryption as such.

      Before I go on, this is just a thought experiment, OK. I'm not actually suggesting the following.

      It would be perfectly possible for ISPs to block everything by default and whitelist allowed services, and then use DPI to see whether the allowed services were being subverted to tunnel encrypted traffic. That would mean as soon as you put traffic that was not allowed down your link, it would be quenched.

      They would also have to make sure that non-IP data circuits (dark fibre etc.) services out of the country were also banned. That would just leave bi-directional satellite services and point-to-point microwave/wireless across national boundaries (like the Northern Ireland border with Eire) to worry about.

      Mind you, the Internet in the UK would then bear no resemblance to what it looks like at the moment, and it would look more restrictive than China.

      Unfortunately, there is something in the Home Office that seems to make seemingly ordinary cabinet ministers and MPs adopt completely stupid ideas once they become Home Secretary. And we now have an ex-Home Secretary as PM, and a new one with the same ideas.

      We're doomed, I say!
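Tom Chiverton's "block SSL HELLO messages" idea earlier in the thread and Peter Gathercole's whitelist-plus-DPI thought experiment, in working form. This is an added example, not code from anyone in the thread. It builds a minimal TLS 1.2 ClientHello carrying a server_name (SNI) extension (constructed, with the 32-byte random zeroed for reproducibility; the hostnames are placeholders), parses it the way a DPI box has to before it can decide anything, and applies the two policies people argued about: drop recognised TLS to unapproved names and pass everything else, or allow only recognised TLS to approved names and drop everything else. The XOR-obfuscated copy stands in for the "different wrapper" Paul and Charlie Clark describe: the first policy lets it through, the second blocks it along with every other protocol the box does not understand.

```python
import struct


def build_client_hello(sni, cipher_suites=(0xC02F, 0xC030)):
    """Minimal TLS 1.2 ClientHello record with one server_name extension.
    Constructed sample only: the client random is all zeros."""
    name = sni.encode("ascii")
    server_name = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name
    sni_body = struct.pack("!H", len(server_name)) + server_name       # ServerNameList
    extensions = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body  # ext type 0 = server_name
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (b"\x03\x03" + bytes(32) + b"\x00"                         # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                              # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def parse_client_hello(record):
    """Parse the first TLS record of a TCP payload. Returns a dict with
    version, cipher_suites and sni, or None if the bytes are not a
    well-formed ClientHello (truncated, wrong content type, not TLS at all)."""
    try:
        if record[0] != 0x16 or record[1] != 0x03:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            return None
        pos = 0
        version = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        pos += 32                      # client random
        pos += 1 + body[pos]           # session id (length-prefixed)
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + body[pos]           # compression methods (length-prefixed)
        sni = None
        if pos + 2 <= len(body):
            ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
            pos += 2
            end = pos + ext_len
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                edata = body[pos:pos + elen]
                pos += elen
                if etype == 0x0000 and len(edata) >= 5:
                    # ServerNameList: list length(2) | name_type(1) | name length(2) | name
                    name_len = struct.unpack("!H", edata[3:5])[0]
                    sni = edata[5:5 + name_len].decode("ascii", "replace")
        return {"version": version, "cipher_suites": suites, "sni": sni}
    except (IndexError, struct.error):
        return None


def filter_decision(payload, allowed_sni, mode):
    """mode 'blocklist': drop recognised TLS to unapproved names, pass the rest.
    mode 'whitelist': allow only recognised TLS to approved names, drop the rest."""
    hello = parse_client_hello(payload)
    if hello is None:
        return "pass" if mode == "blocklist" else "block"
    return "allow" if hello["sni"] in allowed_sni else "block"


if __name__ == "__main__":
    allowed = {"example.com"}                          # placeholder approved name
    plain = build_client_hello("vpn.example.cz")        # placeholder unapproved name
    wrapped = bytes(b ^ 0x5A for b in plain)            # crude 'different wrapper'
    for label, pkt in (("plain", plain), ("wrapped", wrapped), ("http", b"GET / HTTP/1.1\r\n")):
        print(label, filter_decision(pkt, allowed, "blocklist"), filter_decision(pkt, allowed, "whitelist"))
```

The parser is the honest part of a DPI box: it only works because the ClientHello is plaintext by design. The moment the wrapper changes (here a one-byte XOR, in practice a custom framing or a tunnel inside something permitted), the blocklist policy has nothing to match on, and the only remaining option is the whitelist, which is Peter Gathercole's "block everything by default" and breaks every protocol not on the approved list.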

      1. John Smith 19

        "there is something in the Home Office "

        There is.

        It's a cabal of senior civil servants who believe access to more data is always better data and access to all data (forever) is best of all. It has nothing to do with "security" "money laundering" or paedophiles.

        It has everything to do with power: the ability to find out at will what anyone, anytime has done online throughout their life.

        It is Cardinal Richelieu's line about "Give me 6 lines from an honest man and I'll find something with which to hang him."

        1. Anonymous Coward

          Re: "there is something in the Home Office "

          Pedant's Corner @John Smith 19:

          Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre.

          If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him.

          Attributed to Richelieu; possibly derived from Quintilian.

          (Exploited by modern policing methods. That's why in the UK silence technically remains a legal option but leads to adverse inferences. Some terribly cynical defendants still think it's better to take the hit)

      2. Chicago

        Re: Wow @Danny 5

        Build your own damn mesh networks if this happens and forget public IP transit. No sense dealing with their policed packets.

  10. Haku

    One word: RIPA

    Because we all know if authorities had the power to decrypt any 'private' communications they wouldn't abuse it. They'd be totally above board and responsible with such powers...

  11. Chris King

    Law of Unintended Consequences

    And when the rest of the planet stops trading with us because encryption is b0rked in the UK, will we be reduced to paying for everything with Postal Orders ? It's not like we can even guarantee personal cheques any more.

    1. Gerard Krupa

      Re: Law of Unintended Consequences

      Not once they classify envelopes as a form of end-to-end encryption

      1. Wensleydale Cheese

        Re: Law of Unintended Consequences

        "Not once they classify envelopes as a form of end-to-end encryption"

        Postcards only.

        After all, you've nothing to hide.

        Have you?

  12. Pen-y-gors

    Idiots!

    Breaking encryption - I don't think so.

    Blocking encrypted connections - that would be possible (but bloody stupid!)

    1. oldcoder

      Re: Idiots!

      Only if they can recognize it.

      Encrypted data can be embedded in any kind of traffic - and it will not be analyzed.

      1. Sir Runcible Spoon

        Re: Idiots!

        It *is* possible to 'break' SSL encryption by using something like a Bluecoat SSL Visibility Appliance that performs digital re-signing on the fly whilst passing on the actual data for malware analysis.

        Of course, the amount of equipment and bandwidth required to do that en-masse would bankrupt the country, let alone a comms provider.

        1. Anonymous Coward

          Re: Idiots!

          Only if you can install an SSL certificate on the client, or have a root SSL signing authority's keys.

          While Gov access to a friendly root CA's signing key (or mandating of installation of a 'Gov approved' root certificate) might be possible, mechanisms like SSL certificate pinning (HPKP) and NameCoin (http://www.namecoin.info/) would still leave websites broken where deployed.

          1. Tomato42

            Re: Idiots!

            not to mention that a CA which would sign certificate for the Blue Coat system would very quickly be removed from Mozilla's and Microsoft's trust stores
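The pinning point made above (an interception box re-signing certificates is only invisible if nothing checks the server key) as a worked example. This is added here and is not code from anyone in the thread. It implements the HPKP (RFC 7469) pin calculation, base64 of the SHA-256 of the certificate's SubjectPublicKeyInfo DER, parses a Public-Key-Pins header, applies the rule that a header is only noted if it carries at least two pins of which one matches the served chain and one is a backup that does not, and then checks a later connection's chain against the stored pins. The "SPKI" byte strings are constructed placeholders standing in for real DER, and the hostnames and header are made up; the hashing and matching logic is what a client does.

```python
import base64
import hashlib
import re


def spki_pin(spki_der):
    """pin-sha256 value: base64(SHA-256(SubjectPublicKeyInfo DER)), RFC 7469 s2.4."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_hpkp_header(value):
    """Parse a Public-Key-Pins header into (pins, max_age, include_subdomains)."""
    pins = re.findall(r'pin-sha256="([^"]+)"', value)
    m = re.search(r"max-age=(\d+)", value)
    max_age = int(m.group(1)) if m else None
    return pins, max_age, "includesubdomains" in value.lower()


def header_is_valid(pins, chain_spkis):
    """Noting rule: at least two pins; at least one must match a key in the
    validated chain, and at least one (the backup) must match none of them."""
    chain_pins = {spki_pin(s) for s in chain_spkis}
    matched = [p for p in pins if p in chain_pins]
    backup = [p for p in pins if p not in chain_pins]
    return len(pins) >= 2 and bool(matched) and bool(backup)


def chain_passes_pins(pinned, chain_spkis):
    """A later connection passes if any pinned key appears anywhere in its chain.
    Trust-store validity of the chain is assumed to have been checked already;
    pinning is the extra test that a merely trusted CA cannot satisfy."""
    chain_pins = {spki_pin(s) for s in chain_spkis}
    return any(p in chain_pins for p in pinned)


# Constructed placeholders for SPKI DER blobs (not real keys).
SITE_LEAF = b"constructed:leaf-key-of-shop.example"
SITE_CA = b"constructed:intermediate-ca-that-issued-the-leaf"
BACKUP_KEY = b"constructed:offline-backup-key-held-by-the-site"
GOV_CA = b"constructed:interception-ca-trusted-by-the-os-store"
PROXY_LEAF = b"constructed:leaf-minted-on-the-fly-by-the-proxy"

# Constructed header as the genuine site would send it on an untampered connection.
HEADER = 'pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; includeSubDomains' % (
    spki_pin(SITE_CA), spki_pin(BACKUP_KEY))


def demo():
    """First visit notes the pins; a later visit through a re-signing proxy fails them."""
    pins, max_age, inc = parse_hpkp_header(HEADER)
    noted = header_is_valid(pins, [SITE_LEAF, SITE_CA])
    genuine = chain_passes_pins(pins, [SITE_LEAF, SITE_CA])
    intercepted = chain_passes_pins(pins, [PROXY_LEAF, GOV_CA])  # chain validates, pins do not
    return {"noted": noted, "max_age": max_age, "include_subdomains": inc,
            "genuine_ok": genuine, "intercepted_ok": intercepted}


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add. Pinning is trust-on-first-use: the pins are only learned on a connection that was not already intercepted, so a client first brought online behind the proxy never sees the genuine header. And browsers have since removed HPKP support, so today the equivalent protection comes from Certificate Transparency and from pinning built into individual apps rather than from this header.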

      2. Anonymous Coward

        Re: Idiots!

        "Encrypted data can be embedded in any kind of traffic - and it will not be analyzed."

        Not without tells, usually. Plus text can be whitewashed and graphics and videos mangled.

  13. Roger Varley

    A Proposal

    You aren't going to defeat this by arguing technical impossibility. If the last month has taught us anything then it's that politicians and facts are mutually incompatible, and that the British Public has "had enough of experts".

    We need a Daily Wail style campaign based on nothing more than vague hints and hand waving to suggest that not having encryption will cause really, really bad things to happen. The more outrageous the claim, the better. And then, we all need to spread the message amongst the witless and gullible as often and as loudly as we can.

    What could possibly go wrong?

    1. noboard

      Re: A Proposal

      "and that the British Public has "had enough of experts".

      Err if the last few months have shown anything, it's that the so called experts aren't experts at all. Everyone was just spouting crap to further their own agenda and I'm all for being through with that.

      1. Paul Woodhouse

        Re: A Proposal

        ex - as in past it...

        spurt - as in drip under pressure....

        there you go... experts...

        1. Sir Runcible Spoon

          Re: A Proposal

          Your egg did what? Yukk!

      2. PNGuinn

        Re:Expert

        I was given to understand by a cunning linguist that the word expert derives from the Latin preposition Ex, meaning from or out of, and the Latin (or was it Greek) word Spurtis, meaning a drip under pressure ...

    2. jonathan1

      Re: A Proposal

      How about...

      "Government bill exposes your children to paedophiles and ISIS/Daesh will steal your bank details"

      That ticks all the fear boxes, right?

      Jonny

      1. Chris King

        Re: A Proposal

        If that's meant to be a Daily Heil front page article, you need to add something about it causing cancer, and possibly bonus points for weaving in something about evil false widow spiders because they really hate unpatriotic foreign insects.

      2. Anonymous Coward
        Anonymous Coward

        Re: A Proposal

        @jonathan1:

        "Government bill exposes your children to paedophiles and ISIS/Daesh will steal your bank details"

        That's not funny. Unfortunately only one of those propositions is false.

      3. Nick Ryan Silver badge

        Re: A Proposal

        "Government bill exposes your children to paedophiles and ISIS/Daesh will steal your bank details"

        That ticks all the fear boxes right?

        Close. Although you missed out immigrants. And gays.

        "Government bill exposes your children to gay immigrant paedophiles and ISIS/Daesh will steal your bank details"

    3. Anonymous Coward
      Anonymous Coward

      Re: A Proposal

      "We need a Daily Wail style campaign based on nothing more than vague hints and hand waving to suggest that not having encryption will cause really, really bad things to happen."

      HEADLINE: "Not using encryption causes cancer!"

      STORY:

      Scientist, Dr. Makey McMakestuffup said that not seeing the little padlock picture on the big letter E ("web browser") causes cancer of the brain, so everyone using the intertubes needs to use the secret unlock code of 'https' to make sure they don't get cancer.

  14. Luke Worm

    Domestic?

    "This power, if applied, would be imposed upon domestic CSPs by the new Home Secretary"

    _domestic_ :-)

    It just applies to the UK part of the internet. How intelligent!

    1. Pen-y-gors

      Re: Domestic?

      Yes, but how easy is it to get an Icelandic ISP to provide a service to a dwelling in rural Cumbria?

      1. Soruk
        Go

        Re: Domestic?

        Easy. Dial-up.

        Note: This suggestion makes no attempt to determine whether the above solution is economically viable.

        1. Peter Gathercole Silver badge

          Re: Domestic? @Soruk

          Ummm. Who provides the telephone line for the dial-up service?

          One of the CSPs mentioned in the article. All the CSP needs to do is to put some traffic analysis on the line. If it looks encrypted, or even just unintelligible (like if you've created a new modulation technique), it drops the call, or just puts some phase modifying filters to corrupt the modulation.

          The result is that there is no data flow. With no data flow, there is no encryption.

          1. PNGuinn
            FAIL

            Re: Domestic? @Soruk

            "Ummm. Who provides the telephone line for the dial-up service? ..."

            Oh c'mon, everyone has decent broadband in the UK now, don'tcha know?

            After all those nice people at BT will have ensured that all the Members have such nice fast lines ...

            In reality, the *&^^@@~#s will probably have totally forgotten about dial-up. And YOU had to remind them.

            Oh well, back to the fax machine ... or TCPIPPCP.

            Although I seem to remember something about leaving audit trails in the RFC ...

          2. cbars Bronze badge

            Re: Domestic? @Soruk

            I see suggestions that only whitelisted traffic could be allowed, subverting attempts for encryption.

            The suggestions for OTPs are valid, steganography is possible. But I'd like to take this back to basics, in the event that only http was allowed, and traffic analysis etc was put in place with DPI, if you're allowed to say 2 things, you can say anything you like:

            HTTP Hello = 0

            HTTP GET = 1

            That there is all the ingredients you need for any protocol. Go nuts and implement SSL encoded on top of that and just send lots and lots of requests, you can even 'GET' different URLs to mix it up, sure it's slow, but it's possible.

            (Yes, an extreme and silly example, but the point is - idiots don't understand what communication means, it's all about interpretation.)

            1. Anonymous Coward
              Anonymous Coward

              Re: Domestic? @Soruk

              But one bit per message? And then traffic flow is limited. Plus unless you use flags that are actually part of the HTTP spec, extraneous data can be whitewashed, removing that possible communication channel.

              1. cbars Bronze badge

                Re: Domestic? @Soruk

                Yes, one bit per message - I said it was slow.

                It was not a practical implementation specification - it was to illustrate that you only need to be able to distinguish 2 'things' to build a protocol on top of anything else.

                @ Peter Gathercole

                You clearly didn't understand either. I was not saying fetch data over HTTP GET, I was saying interpret the messages that ARE allowed - as something else.

                e.g.

                If I post a stream of posts on facebook, and my friend likes some of them - I can interpret the 'like' as a 1, and nothing as a 0, then read that in chronological order and interpret that as a bit stream.

                If my friend and I know this, we can send encrypted messages using ANY medium that lets us distinguish between 2 different states.

                (That would be completely impractical - but I'm trying to illustrate a basic point, not propose a technical solution)
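A worked version of the two-state channel cbars sketches above (the HTTP Hello/GET reading in the earlier post and the 'like'/'no like' reading in this one), added here as an illustration and not code from any poster: it maps bytes onto two assumed event names and back, and puts a number on the cost the Anonymous Coward raises, one bit per observable event. The event names and the events-per-day rate are assumptions.

```python
from typing import Iterable, List

# Assumed event names for illustration; any two distinguishable states would do.
ONE = "like"      # a 'like' on a post is read as 1
ZERO = "no-like"  # a post that received no like is read as 0


def to_events(payload: bytes) -> List[str]:
    """Emit one event per bit of the payload, most significant bit first."""
    events: List[str] = []
    for byte in payload:
        for shift in range(7, -1, -1):
            events.append(ONE if (byte >> shift) & 1 else ZERO)
    return events


def from_events(events: Iterable[str]) -> bytes:
    """Read events back in chronological order into bytes.

    Unknown events are rejected; a trailing group of fewer than eight events
    (an incomplete byte) is discarded rather than guessed.
    """
    bits: List[int] = []
    for event in events:
        if event == ONE:
            bits.append(1)
        elif event == ZERO:
            bits.append(0)
        else:
            raise ValueError(f"unrecognised event: {event!r}")
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def channel_cost(payload_len: int, events_per_day: float) -> dict:
    """Defender's view of the channel: at one bit per event a payload of
    payload_len bytes needs 8 * payload_len observable events, i.e. a long
    and regular stream of interactions for anything beyond a few words."""
    events_needed = 8 * payload_len
    return {"events": events_needed, "days": events_needed / events_per_day}


if __name__ == "__main__":
    message = b"hello"                      # constructed sample
    stream = to_events(message)
    print(len(stream), "events, decoded back to", from_events(stream))
    print(channel_cost(1024, 100))          # a 1 KiB note at 100 events/day
```

The defender's takeaway is the last function: no single event is anomalous, but the volume and regularity are, which is why channels like this tend to be found by rate and timing analysis rather than by inspecting the content of any one message.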

                1. Peter Gathercole Silver badge

                  Re: Domestic? @Soruk

                  OK, point taken. But I was assuming that you were looking for workable solutions.

            2. Peter Gathercole Silver badge

              Re: Domestic? @cbars

              "idiots don't understand..."

              But if they are in a position of power (as the CSPs are w.r.t data over their own infrastructure), what they don't understand, they can block, using the precautionary principle.

              And even if the data is fetched via a GET, it can still be DPI'd, and again, the precautionary principle applies if they don't understand it.

              The only thing you can do is have some infrastructure that is not run by a CSP (I've never heard Communication Service Provider used as a term before, but whatever...) that runs over a UK border to a friendly neighbor, like a satellite link, direct wire, microwave link, or even a focused WiFi antenna.

              But that could be made illegal as well.

      2. PNGuinn
        Flame

        Re: Domestic?

        "Yes, but how easy is it to get an Icelandic ISP to provide a service to a dwelling in rural Cumbria?"

        Probably easier than getting a decent bandwidth out of BT.

  15. Anonymous Coward
    Anonymous Coward

    The algorithms are public domain so even if they manage to root out every copy of PGP from every computer in the UK they'll never get rid of it.

    I've never needed to use it yet, but I think I may start

    1. Teiwaz

      "The algorithms are public domain so even if they manage to root out every copy of PGP from every computer in the UK they'll never get rid of it.

      I've never needed to use it yet, but I think I may start"

      - Just hope it hits mass use, like torrents did in their day, otherwise they will just visit you early in the morning and with a little spin, public opinion will hardly turn from celebs, royal babies or brexit concerns to notice.

    2. Charles 9

      But then all they'll have to do is detect its probable use and demand whitewashing of plaintext and mangling of images, video, and sound to stunt stego.

  16. Anonymous Coward
    Anonymous Coward

    If they ban end to end encryption (or enforce backdooring which is the same thing as it isn't end to end encryption if it doesn't work) then they are banning the commercial use of the internet.

    Companies would no longer be able to communicate with branches over VPNs, voip could not be sent to call centres to discuss banking details, online payment would no longer be able to function.

    It would quite literally result in the end of the digital era. As we all know and most of the regulatory bodies in charge of corporate level security know, once you introduce a vulnerability into a system it's only a matter of time before someone breaks into it. The only thing worse than accidental bugs is intentional ones because everyone in the world will know that there is one, they just need to find it.

    And the password is probably 12345.

    1. Anonymous Coward
      Anonymous Coward

      And here's the thing: if you suspect someone is a terrorist then hack their PC, put loggers on it, physical key loggers, bug their phone, put them under surveillance, all that jazz. What they want is to be able to fish through everything,

    2. Flocke Kroes Silver badge

      password 12345 can be secure

      gpg encrypts mail with the recipient's public key. It can only be decrypted with the recipient's secret key, which is supposed to be a secret. The difficult bit comes from where the recipient keeps her secret key. If it is only on a device she controls and on a backup floppy disk in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying "Beware of the Leopard", then it is reasonably secure.

      Secret keys are often encrypted with a password that the owner has to remember. If the password is 12345 and copies of the secret key are all over the internet then there is no security. If the password is something like "$>QeP{r:{s=6|b}VNJFt" and the owner types it into a device with a key logger or trojaned version of gpg then there is no security.

      Password protection on secret keys dates back to an age when computers were so expensive that they had to be shared, the system administrator could be trusted not to replace gpg with a trojan, and you could not be locked up for five years for not telling the police the password for your secret key. A more modern use of that password is to protect against accidents like a leopard enthusiast with a crow bar desperate for a pee.
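To make the "password 12345 can be secure" argument concrete, an added example (not gpg's code and not from the poster): a secret key is wrapped under a key derived from the passphrase with salted PBKDF2, and an audit function checks whether a key file that may have leaked falls to a short list of common passphrases. The stream cipher is a toy HMAC counter-mode construction standing in for the AES gpg actually uses; the secret bytes, iteration count and word list are constructed.

```python
import hashlib
import hmac
import os
from typing import Any, Dict, Iterable, Optional


def _keystream(kek: bytes, length: int) -> bytes:
    """Toy keystream (HMAC-SHA256 in counter mode). Assumption for illustration;
    the real thing is AES. Only the key-derivation and audit logic matter here."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(kek, b"stream" + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _derive_kek(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """Slow, salted derivation: every guess costs the guesser `iterations` HMACs,
    and the salt stops one table of guesses serving every key file."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32)


def protect_secret_key(secret_key: bytes, passphrase: str,
                       iterations: int = 100_000) -> Dict[str, Any]:
    """Wrap the secret key under the passphrase and authenticate the result."""
    salt = os.urandom(16)
    kek = _derive_kek(passphrase, salt, iterations)
    wrapped = bytes(a ^ b for a, b in zip(secret_key, _keystream(kek, len(secret_key))))
    tag = hmac.new(kek, b"mac" + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "wrapped": wrapped, "tag": tag}


def unlock_secret_key(blob: Dict[str, Any], passphrase: str) -> Optional[bytes]:
    """Return the secret key, or None when the passphrase is wrong (tag mismatch)."""
    kek = _derive_kek(passphrase, blob["salt"], blob["iterations"])
    expected = hmac.new(kek, b"mac" + blob["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    wrapped = blob["wrapped"]
    return bytes(a ^ b for a, b in zip(wrapped, _keystream(kek, len(wrapped))))


def audit_against_wordlist(blob: Dict[str, Any], wordlist: Iterable[str]) -> Optional[str]:
    """Defender's check on a key file that may have leaked: if any common
    passphrase unlocks it, the passphrase adds nothing and the key is burnt."""
    for candidate in wordlist:
        if unlock_secret_key(blob, candidate) is not None:
            return candidate
    return None


COMMON_PASSPHRASES = ["password", "123456", "12345", "qwerty", "letmein"]  # constructed

if __name__ == "__main__":
    secret = b"constructed private key material"
    weak = protect_secret_key(secret, "12345")
    print("weak key falls to:", audit_against_wordlist(weak, COMMON_PASSPHRASES))
    strong = protect_secret_key(secret, "$>QeP{r:{s=6|b}VNJFt")
    print("strong key falls to:", audit_against_wordlist(strong, COMMON_PASSPHRASES))
```

The iteration count is what turns the passphrase into the "accident" protection the poster describes: against a leopard enthusiast with a crowbar it buys time, against a key logger on the device the passphrase is typed into it buys nothing, because the derivation happens after the passphrase has already been captured.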

    3. Charles 9

      "If they ban end to end encryption (or enforce backdooring which is the same thing as it isn't end to end encryption if it doesn't work) then they are banning the commercial use of the internet."

      And you think the people in charge consider this a BAD thing? The less power the plods possess, the easier it is to control them.

    4. Ken Hagan Gold badge

      "banning the commercial use of the internet"

      If you say that, they'll think online shopping. Instead, say "shutting down the City of London as a financial centre". Post-Brexit, they might pay attention to that.

  17. Anonymous Coward
    Anonymous Coward

    "UK gov says new Home Sec will have powers to ban end-to-end encryption"

    No they won't. At best they give themselves the power to TRY to ban end-to-end encryption. They can try that, they can also try to repeal gravity or hold back the tides.

    Even if they could, what possible advantage would being the country with the crappest online security confer?

    Yet another attempted law that would greatly damage the many; and in this case it wouldn't even really benefit the few. Legislate what you want; but in practice, you can't fucking well have it.

    1. Anonymous Coward
      Anonymous Coward

      "They can try that, they can also try to repeal gravity or hold back the tides."

      Picture of Bojo dangling from a wire.

    2. Adrian 4

      Don't worry - it won't apply to people with money. Like banks, politicians and terrorists.

  18. Chris King

    Knitting your own crypto...

    We've seen plenty of stories where criminals and terrorists have tried (and failed) to use cryptography properly, but you can bet that HMG breaking "normal" protocols will result in someone developing viable alternatives.

    All it will take is a few evil (or disgruntled) crypto experts, and the spooks are back to square one.

    1. Charles 9

      Re: Knitting your own crypto...

      Unless they just ban encryption altogether. It's actually pretty difficult to make encryption non-obvious, especially if you monitor potential side channels and whitewash them.

  19. AdamG57

    Powers <> Ability

    No need to cry May Day! Although of course I have nothing to hide from the authorities, cyber criminals, my family and my friends, or indeed anyone curious, and have entirely forgotten the notion of privacy, I do confess an academic interest in cyphers and codes. I believe that inherently all cyphers are in principle breakable given sufficient traffic to analyse and time enough to do so. Codes and other methods of disguising messages are perhaps unbreakable through intercept techniques alone.

    For those people who are paranoid enough to value any form of secrecy, I would suggest getting some tin cans and string...

    ...otherwise, I do wonder how - in practical terms - CSPs can be forced to break encryption systems which are built in to third party apps, especially if keys are exchanged other than by the same CSP, say perhaps through a USB stick passed by hand to your cell members containing some extremely long random digital key.

    Surely someone at GCHQ must have the nous to tell the New Boss that the more one drives intelligent bad people to understand they cannot communicate safely with any government approved tools the more likely they are to adopt well disguised unapproved tools?

    For those who feel they must stick with approved communication methods, sending a steady stream of gibberish which looks meaningful will at least distract those of Orwellian intent - even presenting a digest of the messages from AMANFROMMARS on EL Reg fora as an example of seemingly mystical nonsense which nonetheless may well contain nefarious instructions to the illuminati? After all, we all know folk who are convinced there are hidden messages in the Bible or Kabbalah or Tarot cards or political manifestos...

    I u cn d coed mah dit-dit-dit-dah, dit-dit-dit-dah, you will know how I felt about the Clash...

    1. Anonymous Coward
      Anonymous Coward

      Re: Powers <> Ability

      What if they just start blocking random-looking gibberish altogether?
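What "blocking random-looking gibberish" would actually require, as an added example (not from the thread): a byte-entropy classifier run over constructed samples of English text, ciphertext-like bytes, and the base64 armour a PGP message travels in. The threshold and the samples are assumptions.

```python
import base64
import binascii
import hashlib
import math
import string
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of information per byte: roughly 4 to 4.5 for English text, at most
    6 for base64 (a 64-symbol alphabet), close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


_PRINTABLE = set(string.printable.encode("ascii"))


def classify(data: bytes, threshold: float = 7.5) -> str:
    """Crude payload classifier of the kind a 'block gibberish' filter needs.
    Returns 'text', 'armored-high-entropy', 'high-entropy' or 'binary'."""
    if all(b in _PRINTABLE for b in data):
        # Printable data may still carry ciphertext in base64 armour, whose raw
        # entropy tops out near 6 bits/byte; decode before judging it.
        stripped = b"".join(data.split())
        try:
            decoded = base64.b64decode(stripped, validate=True)
        except (binascii.Error, ValueError):
            return "text"
        if len(decoded) >= 64 and shannon_entropy(decoded) >= threshold:
            return "armored-high-entropy"
        return "text"
    if shannon_entropy(data) >= threshold:
        return "high-entropy"
    return "binary"


# Constructed samples, not taken from the page.
ENGLISH = (b"The only thing worse than accidental bugs is intentional ones, "
           b"because everyone in the world will know there is one. ") * 4
RANDOM_LIKE = hashlib.shake_256(b"constructed seed").digest(4096)  # stands in for ciphertext
ARMORED = base64.encodebytes(RANDOM_LIKE)                           # what an armour body looks like


def demo() -> dict:
    """Entropy and verdict for each sample."""
    return {name: (round(shannon_entropy(blob), 2), classify(blob))
            for name, blob in [("english", ENGLISH),
                               ("random", RANDOM_LIKE),
                               ("armored", ARMORED)]}


if __name__ == "__main__":
    for name, (bits, verdict) in demo().items():
        print(f"{name:8s} {bits:5.2f} bits/byte -> {verdict}")
```

The armour case shows the first problem such a filter has: base64 caps raw entropy near 6 bits per byte, so the filter must decode before judging, and any other transport encoding needs its own decoder. The second problem is not shown because it needs real files: compressed archives, JPEGs and video score as high as ciphertext, so an entropy filter that blocks "gibberish" blocks most of the modern web along with it.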

    2. CustardGannet

      "sending a steady stream of gibberish which looks meaningful"

      ...I believe the Gubmint already do that for us. See quotes in article.

  20. Velv
    Pirate

    They can write anything they like into the law, at a practical level they haven't got a whelk's chance in a supernova of enforcing it.

  21. Anonymous Coward
    Anonymous Coward

    remove or disable end-to-end encryption

    nevermind, we're INDEEPENDID AND STUFF!

    1. Peter Gathercole Silver badge

      Re: remove or disable end-to-end encryption

      I seriously suspect that being in or out of the EU makes not a jot of difference to these pie-in-the sky policies.

  22. Anonymous Coward
    Anonymous Coward

    politicians and the public are totally distracted by Brexit

    aka great times to bury bad news.

  23. seanj

    "We're not saying we want to ban end-to-end encryption...

    ... We're just saying we want to redefine what end-to-end encryption means..."

    Like Bill Clinton and 'sexual relations'.

    "What? My dick in her *is* sexual relations? Well I'll be darned!"

  24. Stevie

    Bah!

    Once Brexit has had its way with the economy, this law will complete the transformation of the UK into a third world police state.

    I wonder how long it will be before we see the Great Atlantic Firewall come into being?

    Azathoth on a bike.

    1. Anonymous Coward
      Anonymous Coward

      Re: Bah!

      thing is we will never be leaving the EU so we will never be a third world police state, there will never be a Great Atlantic Firewall

    2. Chris King

      "...this law will complete the transformation of the UK into a third world police state"

      To quote Douglas Adams "There is another theory which states that this has already happened".

  25. Velv
    Big Brother

    Dear People who think we should get rid of the House of Lords

    If we didn't have a bicameral system with two houses then this would already have been law in its unmoderated form over a year ago.

    Now I'm no particular defender of the way the upper house isn't elected, but the fact we have the upper house puts a measure of control on the shite that is passed into law.

    Be very wary of any proposal to remove the Upper House. Reform it, yes. But watch for attempts to remove it.

    1. Anonymous Coward
      Anonymous Coward

      We should remove it and replace it with a second elected house. The elections for this upper house should be held mid-way through the electoral term of the lower house.

      After all, what could possibly go wrong with that system?

      1. Doctor Syntax Silver badge

        "We should remove it and replace it with a second elected house."

        The Commons will never approve of that. As things stand they can claim a legitimacy over the Lords that being elected brings. They're not going to give that up.

        For the rest of us the advantage of the HoL is that because its members don't have to depend on the party machines to keep their membership they can ignore party lines if they think those are wrong.

        I think the HoL needs some ex officio members other than the bishops. Say the presidents or equivalent of the Royal Society and the chartered institutes, maybe a few University VCs etc. If they have several acknowledged experts in a field explain why a proposal is bollocks they'd have to listen (assuming Gove doesn't get booted upstairs, of course).

        1. tiggity Silver badge

          Not Uni VCs

          Years ago it would have been sensible, when VC usually meant a top academic too. These days many of the people getting VC posts tend to be those who left academia ASAP for lucrative commercial posts, so they are likely to have top skills in greasy-pole climbing and back-stabbing, ideal for politics, but it will have been a long time since they did independent, objective, analytical, non-agenda-driven academic research.

    2. Lyndon Hills 1

      That was also one of the good things about being in the EU.

    3. PNGuinn
      Big Brother

      Reform of the Upper House

      How about this:

      1. No member of the Other Place (AKA House of Commons) shall be allowed to sit in the Lords until a period of AT LEAST 30 years has elapsed since they last sat in the Lower House.

      2. NO elected members to the Upper House - You'll still get a similar gene pool, only worse, those who either failed to get elected to the other place or the "mates" of those who did.

      3. No life peers. See 2. above

      4. Hereditary peers only, with the minor restriction that actually sitting in the Upper House be restricted to the next but one generation onward.

      That, in practice, might actually be MORE democratic

      1. Charles 9

        Re: Reform of the Upper House

        No, as long as they're in power, they can be influenced, usually under the table. It's simply part of the human condition. No matter what kind of power structure you put up, SOMEONE's going to find a way to corrupt it. Removing people from the direct influence of the people means it's easier to influence them on the sly, but making them MORE direct means the charismatic can dictate policy by appealing to the stupid.

  26. Anonymous Coward
    Anonymous Coward

    I think my neighbour uses encryption

    It's OK, I've reported him.....

  27. Haku

    ROT13 - the future of encryption in the UK?

    V shpxvat ubcr abg.

    1. Doctor Syntax Silver badge

      Re: ROT13 - the future of encryption in the UK?

      No, double ROT13, just to make sure.

  28. Anonymous Coward
    Anonymous Coward

    We might be BREXITing but

    AFAIK, we are not going to exit the European human rights laws (as overseen by the ECHR).

    I see that any laws in this space will be challenged in the ECHR and my guess (IANAL) is that HMG will lose.

    Interesting times. At some point those who voted leave might come to regret it.

    Laws of unintended whatsits and all that.

    1. Anonymous Coward
      Anonymous Coward

      Re: We might be BREXITing but

      I have a feeling we won't be leaving the EU but it will only look like we are

    2. Teiwaz

      Re: We might be BREXITing but

      Our new PM stated at one point during the Brexit campaign that she wanted to stay in the EU but leave the ECHR....

      Just think, that is the brain currently heading the country now.

      1. chris121254
        Meh

        Re: We might be BREXITing but

        funny thing is now she's saying she does not want us to leave the ECHR...

  29. Teiwaz
    Mushroom

    Digital Britain...

    Coming soon: 'Hadrian's Firewall of Britain'. Encryption banned, pron surfing curtailed. So it's back to the BBC and its endless drivel of 'come prancing' and the coterie of overpaid mindless 'celebs'.

    Escape to Europe? Get in fast, we're quickly becoming as welcome as 'that' guy who always manages to avoid buying a round.

    1. Anonymous Coward
      Anonymous Coward

      Re: Digital Britain...

      there will never be a 'Hadrian's Firewall of Britain', they can't ban Encryption and stop people looking for porn on the internet, and no we are not going back to the BBC,

      the internet always finds a way to get round all this

      1. Teiwaz

        Re: Digital Britain...

        "they cant ban Encryption and stop people looking for porn on the internet"

        - They've been giving both a damn good try to get through to law. Also I said 'curtailed' not banned on the latter, it used to be much harder to access without getting your credit card out.

        "the internet always finds a way to get round all this"

        - You make the internet sound self aware (scary). But you are right, there will always be ways to get 'round any imposed limitations, however, like unlocking your phone, only a few will use this option.

        If only a few, you are vulnerable to state censure on the matter if they can get hold of you, I wouldn't expect a mass rise up behind you unless a lot of others can be bothered to be incensed.

        All this, like my previous post, was an exaggerated worst case scenario. I guess the internet always finds a way to get 'round that too.

      2. Anonymous Coward
        Anonymous Coward

        Re: Digital Britain...

        "there will never be a 'Hadrians' Firewall of Britai"

        fyi the firewall team at BT (based in Scotland) is called Hadrian.

  30. Anonymous Coward
    Anonymous Coward

    Welcome to Britain's Open Prison.

    I suppose it saves building any more Prisons in the UK, because the UK just becomes one big Prison.

    Except those who can afford to keep their data outside of it. Pretty hard though, with the use of shadow Databases / Credit reference files that use your UK based Family and Friends, Businesses, Banks to fill the gaps/spaces, that you fail to.

    1. Anonymous Coward
      Anonymous Coward

      Re: Welcome to Britain's Open Prison.

      the UK has not become one big Prison but the US has

      1. Teiwaz

        Re: Welcome to Britain's Open Prison.

        "the UK has not become one big Prison but the US has"

        Usually with prisons, it's harder to leave than to get in to visit.

    2. Anonymous Noel Coward
      Boffin

      Re: Welcome to Britain's Open Prison.

      Oh cool; can I be Snake Plissken?

  31. Milton

    The ignorance of politicians

    As the ongoing UK Cabinet reshuffle demonstrates yet again, complex and important departments in the running of a nation-state will be managed by people with no relevant experience, knowledge, expertise or qualifications. Any company that tried to operate this way would be bankrupt even before its shareholders could fire the entire board. If you wonder why policy and strategy are always such a mess, just look at the insane way Britain appoints ministers. Bad enough that they are mostly second-rate intellects, but they rarely have any worthwhile expertise for the job in hand.

    May showed no comprehension of the profound reasons why the 'government back-door' approach simply cannot work, and politicians generally seem simply incapable of understanding that the way encryption works makes their statements and policies look plain stupid. I'd like to think someone would spend a couple of days going through the math and logic with these idiots, but they often seem to relish their cluelessness. Like the US Congress, they actually prefer to look and sound stupid.

    As presumably everyone here knows, banning e2e encryption—even if workable, which I seriously doubt—simply guarantees a mushrooming of software comms tools with good crypto. And my guess is there will be a renewed interest in steganography, too.

    Let us be clear: the only people this hurts are the ordinary users. The bad guys have a zillion alternatives, which they will use.

    1. Sir Runcible Spoon

      Re: The ignorance of politicians

      "Any company that tried to operate this way would be bankrupt even before its shareholders could fire the entire board"

      I think you may need to remove that line for the sake of accuracy, because *most* large corporations are run in *exactly* this way.

      1. Milton

        Re: The ignorance of politicians

        Amusing, but respectfully, not quite true.

        If you're suggesting that most corporations are woefully badly run, I'd have to agree, and if you're pointing out that British management is the worst in Europe barring Italy, again I must agree.

        But in point of fact, most companies will expect board members to know something of their departments. The legal director will have law qualifications. The finance director will likely have an accountancy background. HR director will have a PhD in pretentious, meaningless management jargon. The IT director should have a good knowledge of IT (though at one major British airline I am sorry to report that the hapless incumbent has a marketing background—and everyone wonders why IT performs so abysmally).

        Yes, in the UK board members are mostly incompetent, short-sighted bonus-grubbers, but the general principle applies that the department is headed by someone who *ought* to know what they're doing.

        So I stick with what I said: the British method of ensuring cabinet incompetence is spectacularly stupid.

        1. Anonymous Coward
          Anonymous Coward

          Re: The ignorance of politicians

          "But in point of fact, most companies will expect board members to know something of their departments."

          No, what they know is how to FAKE it, as REAL experts in their field will likely find more lucrative and/or less stressful positions elsewhere.

  32. Milton

    The business opportunity

    Sorry, don't mean to be a verbose poster, but I want to throw this in the ring too. It's not original, but perhaps Theresa "Dolores Umbridge" May will read it ...

    The day after e2e encryption is forced off Apple phones (sold in the UK), and out of Facebook (UK) and WhatsApp (UK), how many new apps will spring up which allow you to—

    ⦁ Create a nice strong encryption key

    ⦁ Encrypt any data file, email, image, message etc that you wish

    ⦁ Allow you, if you wish, to steganographically embed the cryptotext in a picture or a song

    Or to put it another way, who is installing and testing such apps today, since there are loads of them already? Do any of the twits in government not understand that the serious bad guys have already got everything they need to render the whole 'ban e2e' and 'backdoors' proposals completely, perhaps even embarrassingly pointless?

    1. Anonymous Coward
      Anonymous Coward

      Re: The business opportunity

      Credits to milos they will be banned for download in the UK, as both the Apple Store and Google Play have region locks. And if you try to sideload, the encrypted traffic it generates will likely get detected, and any stego you attempt will get whitewashed by and/or in the cloud.

  33. Teiwaz

    Everyone here knows...

    "As presumably everyone here knows, banning e2e encryption"

    The General Public (and probably most Ministers) however are a different story. The recent Brexit campaign is a clear indicator that the General Public listen to fairy tales or fear stories rather than to anyone they might perceive as an 'expert'. The Brexit camp eschewed experts for fairy stories and the remain camp so twisted the information from the experts they were calling on that it was clear they were trying to manipulate.

    With the brainless declarations of our MPs masquerading as sage authority the last few decades, maybe they are unable to tell the difference between genius and madness.

  34. Anonymous Coward
    Anonymous Coward

    Wait till blockchains become commonplace ...

    end to end encryption by default - and in several jurisdictions ....

    1. Anonymous Coward
      Anonymous Coward

      Wait until encryption itself is banned.

      And then they start mangling Internet traffic to squelch stego.

      And the plods probably wouldn't care if we went back to horse and cart--easier to enforce.

  35. Wolfclaw

    Putin must be peeing himself, laughing at the prats in UK Gov, who have no idea of technology and flap their lips, making PR sound bites, using the same old reason for reducing personal liberty. We escape the Fourth Reich aka EU, and now our PM is determined to create the Fifth Reich in Blighty. HEIL MAY!

  36. Anonymous Coward
    Anonymous Coward

    VPNs

    Encrypted VPNs that don't log access get around most of this provider interception bs and cost next to nothing to use...

    1. JimmyPage Silver badge
      Big Brother

      Re: VPNs

      and are trivial to create a criminal offence for using an "unregistered" one.

      1. Anonymous Coward
        Anonymous Coward

        Re: VPNs

        But they can still be DETECTED. And high-volume encryption is tough to hide in stego without tells.

  37. &rew

    All wonderful observations

    I am pleasantly surprised at the lack of downvotes in this set of comments so far - and I agree. All excellent points. Not many commentards today!

    1. Glen 1

      Point of order

      I thought we were *all* fellow commentards?

      Like Boffins, tis a badge of honour.

  38. Anonymous Coward
    Anonymous Coward

    Encryption is dead, long live encryption!

    Encryption traditionally involves a lot of math, a burst of data followed by more math and decryption at the other end. However we came up with that method in the days when transmission speeds were quite slow - these days it would be quite easy to build an end to end encryption system that operated in ASCII text by posting a large amount of data online.

    Just post something the size of War and Peace on a couple of thousand websites and all you have to do is send pointers - easily disguised as page sizes, word counts etc etc - you get the general idea. Under the proposed legislation this appears to be completely legal - no encryption at all.

    1. Anonymous Coward
      Anonymous Coward

      Re: Encryption is dead, long live encryption!

      Except they'll probably detect the gibberish as encryption and work from there. Try to use existing materials and the pointers you use will start to look like gibberish--bagged for using encryption. Try to hide things they'll probably start whitewashing and mangling.

  39. kryptonaut
    Stop

    Who pays for this nonsense?

    Quite apart from the frustrating and seemingly willful ignorance on the part of the politicians who want to implement this garbage, I am concerned about the cost of it all.

    Rather than splurge money - our taxes - on a pointless and futile exercise like this, wouldn't society benefit much more if the cash was given to some more deserving body? The NHS perhaps?

  40. Boris the Cockroach Silver badge
    Facepalm

Won't be long

    before they ban the use of the Xor instruction in all computer programs

    After all "secret message" Xor "The key" can be seen as encryption, especially since the bad guy at the other end can just go "encrypted text" Xor "The key" to get the secret message back

  41. theOtherJT Silver badge

    SnoopersCharter

    -----BEGIN PGP MESSAGE-----

    Version: GnuPG v1


    -----END PGP MESSAGE-----

    Key => title.

    1. AndyTempo

      Good Idea

-----BEGIN PGP MESSAGE-----

      Comment: GPGTools - http://gpgtools.org


      -----END PGP MESSAGE-----

      see title

  42. sawatts
    Facepalm

    imbeciles.

    imbeciles.

    and cretins.

  43. Zakhar
    Trollface

    A new referendum?

    Why don't you do another referendum to leave or remain with encryption?

    I'm sure "Leave" will win!

  44. Cynic_999

    It's good legislation

    We need more legislation like this. I've often wondered why the government has not made a law to prevent car manufacturers from selling vehicles that are capable of transporting drugs and other illegal substances. As it is, we have a situation where serious criminals and terrorists are able to use cars with impunity in order to evade justice, which is even worse than the situation where nefarious characters can use the communications networks and intertubes to facilitate their unlawful activities.

    Something must be done!

    For those who complain that it is impossible to achieve, I say you are woefully ignorant of the existing standards. All that is required is for the government to make it a legal requirement for all ISPs to adhere to RFC 3514. It is, after all, the very purpose of that standard, and has been available for many years.

It would be a good idea if the Home Secretary were to be informed of this simple solution so that the appropriate legislation can be enacted forthwith.

    1. Infernoz Bronze badge
      WTF?

      Re: It's good legislation

      I assume you forgot to add a sarc. indicator, like the get my coat icon, because I can't take any of this nonsense seriously.

RFC 3514 looks like it only makes dubious sense for internal networks which are completely secure. I very much doubt that a MAN or WAN can be completely secure *, so that 'legal' argument will be incinerated! A network hub/bridge/router/firewall/gateway etc. compromise could easily clear the "Evil" bit! I suspect that this is a deliberate joke RFC.

      This nonsense contradicts the whole point of cryptography, which is security, a process which has to be made progressively harder to break because all attackers get progressively better at breaking it.

  45. DerekCurrie
    FAIL

    Citizens Rule The Government, Never The Opposite!

    There is and forever will be unbreakable end to end encryption. Anyone can do it at any time with free tools available worldwide. It's too late to pretend otherwise.

    Efforts at totalitarianism on the Internet are indications of governmental FAILure. Killing encryption is literally killing the safety and privacy of citizens, governments and businesses. Find other means of legally approved surveillance of crooks. There are plenty of choices. Understand the technology and stop being lazy!

  46. Thatguyfromthatforum

    An apt comparison

In mainland China they banned direct access to the tor network. So the fine folks at tor developed and deployed bridges, then the Chinese gov got all the publicly accessed addresses of the bridges and blocked them. Tor now allows private bridges. The government blocked traffic that looked like tor traffic, so the tor project brought out "pluggable transports" to make the traffic look like Skype data or whatever you wanted and developed obfsproxy to disguise the fact you were connecting to a bridge.

    What can we learn from this? Necessity is the mother of invention, and while there are technically skilled people, there will be people who work for freedom. You can take option a, but great minds will have options bcdef in the bag already.

    Glad I left the UK, looks like it's turning into a gulag.

    1. Charles 9

      Re: An apt comparison

      I doubt these pluggable transports can make tor information look perfectly like other packets. Next step is that the Chinese perform DPI of all random-looking traffic to see if they're real packets or covers. If they learn how to transcode transport packets, they can then mangle the streams to block inline stego, and so on.

      Whoever controls the networks carries the advantage of the Big Brother perspective. They can whitelist and restrict the whitelist even more as they learn more.

      1. Thatguyfromthatforum

        Re: An apt comparison

"I doubt these pluggable transports can make tor information look perfectly like other packets." Have you read the technical specifications? You're correct of course that whoever owns the physical network owns the data, but short of cutting off the internet there's little they can do against enthusiasts who fight for freedom.

        1. Charles 9

          Re: An apt comparison

          And they can do that. That's what the whitelist does: block off the Internet except for the stuff THEY deem worthy. If they try to create extranets, there will likely be tells.

      2. Anonymous Coward
        Anonymous Coward

        Re: An apt comparison

Late post: the problem with DPI is the sheer volume of traffic, so it sets an upper bound on what you may elect to examine. DPI is not costless, which is part of the reason for the Great Firewall of China. To operate internationally requires available bandwidth. Guess Auntie May is making goo-goo eyes for a directorship at Cisco post-PM.

        1. Charles 9

          Re: An apt comparison

          But if you "Deny by default" then YOU dictate the pace of the Internet in your area, meaning it can never be faster than the pace YOU can inspect it.

  47. StevieD

    Gahh

    Utter cretins the lot of them.

  48. Emperor Zarg

    The good old days

    I can't help thinking that the Internet was a much nicer place before Governments stuck their big noses in it.

  49. albaleo

    reasonably practicable

    "there will be circumstances where it is reasonably practicable for a company to build in a facility to de-encrypt the contents of communication"

    It's a long time since I've seen the word "practicable" used. I learned it as meaning capable of being put into practice. In this context, it doesn't seem to make any sense. What circumstances?

    1. Adrian Tawse

      Re: reasonably practicable

      Will there? In exactly what circumstances will it be reasonably practicable? Desirable from the Government's point of view no doubt, but Practicable?

  50. HarryBl

    "Earl Howe stated that the government’s central point was that it did “not think that companies should provide safe spaces to terrorists and other criminals in which to communicate. "

    How about my bank providing a safe space for me to do business in? Can someone explain to these chimps how encryption works?

  51. Spaceman Spiff

I'd call these govt. functionaries idiots, but that would be an insult to idiots. Ban end-to-end encryption? You have to be kidding me! ISPs cannot enforce this! No one can! I send an encrypted message to a colleague that only they have the key to decrypt? How much computer time do you have? A couple of millions of years if we use a secure algorithm and key? Really useful then, won't it be? Historically, perhaps. Message: what do you want for dinner? Answer: what about lasagna?

  52. Anonymous Coward
    Anonymous Coward

    I still can't work out

    If Home Office ministers are pathologically stupid when it comes to technology, or;

    If Home Office ministers are pathologically deaf when it comes to technology.

  53. TG2.2

    ...you keep using that word

    Too bad we can't post meme pics.

    Find the one that suits .. "you keep using that word .. I do not think it means what you think it means"

    Ban end to end encryption .. and how would you know which is *that* encrypted stream? I mean surely you don't mean to block HTTPS and make people insecure with their banking details and in public wifi areas, and what about client VPN connections?

    Tech, it don't work that way.

    1. Crisp

      Re: ...you keep using that word

      El reg would benefit greatly with reaction gifs

    2. Anonymous Coward
      Anonymous Coward

      Re: ...you keep using that word

      I keep that meme on all my devices even if rarely required.

  54. Peter Sommer
    FAIL

    Earl Howe doesn't understand his brief

    It is worth reading the Hansard transcript:

    https://hansard.parliament.uk/lords/2016-07-13/debates/16071337000437/InvestigatoryPowersBill

It is particularly difficult to pass legislation when the government spokesman manifestly doesn't understand encryption or the clauses in the Bill he is supposed to promote.

  55. theloon

    fucking hilarious !

    omg this is so totally clueless .... good to see we have the brightest and best in the new cabinet and civil service.

    ffs

  56. Oor Nonny-Muss
    Boffin

    So...

    .... we're all busy compiling our 16384-bit encryption clients?

  57. Disgruntled of TW
    Facepalm

    May and Rudd ... not a cryptologist between them

    I used to despair at these regular announcements from May when she was Secretary of State, punting the Snoopers Charter/RIPA legislation. I am no longer incensed, nor surprised, at the dismal lack of understanding of the subject matter. I console myself with the knowledge that we may indeed introduce such legislation, note that it is unenforceable, then either ignore it or repeal it.

The decimation of our financial economy is the primary reason that this nonsense will not prevail. The security consultants and knowledgeable crypto-folk, some of whom comment here, are too few in number to make any measurable difference. The politicians play to the masses, who do not understand cryptology, or the risk this legislation presents to their freedom.

    That is why I no longer expect any response from my MP Greg Clark, who returns mere "thank you for your letter" diatribes, with no indication of understanding of the fundamental freedom his party is attempting to destroy. Perhaps in his new role as Secretary of State for Business he may give more of a pooh. You know who I am Greg.

    As I say to anyone who asks (I no longer offer this opinion without provocation on the RIPA subject), I would rather be poor and free, than rich and enslaved.

    Go May ... go Rudd ... you are a comical farce in my eyes while you ignore advice from true experts in the pursuit of this nonsense.

    1. Anonymous Coward
      Anonymous Coward

      Re: May and Rudd ... not a cryptologist between them

      "As I say to anyone who asks (I no longer offer this opinion without provocation on the RIPA subject), I would rather be poor and free, than rich and enslaved."

Except in a cutthroat world, being poor usually means (a) you turn to crime and end up in gaol, or (b) you starve, and before you say you'd rather starve, what about all those under your wing as well? Would you condemn them to a slow, agonizing death as well?

  58. Anonymous Coward
    Anonymous Coward

    Banning encryption

I hope common sense prevails, as sloppy legislation in this area could lead to the exit of a lot of business from the UK or pointless, easily side-stepped regulation. It strikes me that if they try to insist on encryption that is weak enough to be easily decrypted then criminals will benefit more than government. Alternately the cost of communications goes through the roof to pay for research and massive compute power for decryption. Either way not good nor the intended outcome.

  59. Adrian Tawse

    End to end, is end to end

    End to end is just that. It is a transaction between a sender and a receiver, no other agency involved. If I and Mr Nasty decide to use unbreakable encryption what the f*** is the Home Secretary going to do about it.

    1. Anonymous Coward
      Anonymous Coward

      Re: End to end, is end to end

      Perhaps throw you in gaol for five years for using untappable communications...

  60. Adrian Tawse

    Traffic Analysis

    Much has been made about decryption but in WWII more information was gleaned from Traffic Analysis than decryption.

  61. Brent Beach

    After passing this impossible law, the next law they want to consider is a gun law.

    Manufacturers must include a back door in all guns such that at a signal from the Home Office the gun will stop working. Then explosives - same idea. Then trucks - Nice setting the horrible example.

    If one back door works, why not insist on them everywhere?

  62. Milton

    Blocking all encrypted traffic? Nope.

    I popped back to this discussion to see what's new and note that a few people have suggested that the govt might try to block *anything* that appears to be encrypted traffic since that is, in fact, the only way they could possibly stop folks exchanging encrypted comms.

    I guess we all know that the govt doesn't realise that it cannot do this, because its ministers are poorly informed and, let's be honest, not all that bright. Some would say, thick as porkypoo.

    If you're a lawyer's office, or a university, or a school, or a contractor up to his eyes in NDAs or—well, you get the picture, if you are *anyone at all* who needs to demonstrate due diligence—you almost certainly already encrypt files you save to any cloud service. Let's face it, if you didn't, you're an idiot.

    If you use online shopping, banking, medical records, your company's VPN etc etc, or any website with SSL, you already use encryption. In due course there'll be more sites using SSL than do not.

    No government can tell these services to use plaintext. It would be insanity.

    You cannot tell good crypto from random bytes (it's the nature of good crypto) and you simply can't tell ISPs to drop every packet that seems random.

    Even if you take Terry Terrorist's iPhone away, he can setup a website—disguised as online shopping, or GoatWorld.xxx, if he likes—using SSL, and with quite simple code you have a dropbox for encrypted messages, indistinguishable from any other commercial traffic. (Once something has been encrypted, you cannot tell if it was already encrypted before, perhaps using some other, stronger algo.)

    I could go on, but readers here know this already. If the likes of Theresa 'Dolores Umbridge' May don't know this yet, it's because the spooks whispering in her ear don't want her to know. Why would they fib to her? Answers on a postage stamp, please.
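Milton's claim that good ciphertext cannot be told from random bytes, as an added example that is not part of the thread: it measures byte entropy over constructed samples (plaintext, ciphertext from a SHA-256 counter keystream standing in for a real cipher, seeded random bytes, and the same ciphertext base64-armoured like the PGP posts above) and runs the naive "flag anything random-looking" rule over them, showing that the rule cannot separate ciphertext from noise and misses the armoured copy entirely. All names, the key and the sample text are constructed for the demo.

```python
import base64
import hashlib
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Estimate bits of entropy per byte from the byte histogram (max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def toy_keystream_xor(key: bytes, data: bytes) -> bytes:
    """Constructed stand-in for a stream cipher: SHA-256(key || counter) blocks
    XORed over the data. Illustrative only; a real system would use AES-GCM or
    ChaCha20-Poly1305, but any sound cipher yields equally uniform output."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def looks_random(data: bytes, threshold: float = 7.5) -> bool:
    """The naive filter the thread discusses: flag any stream whose byte
    entropy is close to the 8.0 bits/byte of uniformly random data."""
    return shannon_entropy(data) >= threshold


# Constructed sample traffic: one plaintext, four on-the-wire forms.
PLAINTEXT = b"What do you want for dinner? What about lasagna? " * 1500
KEY = b"constructed-demo-key"
CIPHERTEXT = toy_keystream_xor(KEY, PLAINTEXT)
RANDOM_BYTES = random.Random(7).randbytes(len(PLAINTEXT))  # seeded, not secret
ARMORED = base64.b64encode(CIPHERTEXT)  # PGP-style ASCII armour of the same bytes


def classify_samples() -> dict[str, tuple[float, bool]]:
    """Return {name: (entropy in bits/byte, flagged by the naive filter)}."""
    samples = {
        "plaintext": PLAINTEXT,
        "ciphertext": CIPHERTEXT,
        "random": RANDOM_BYTES,
        "armored": ARMORED,
    }
    return {name: (round(shannon_entropy(d), 3), looks_random(d))
            for name, d in samples.items()}


if __name__ == "__main__":
    for name, (bits, flagged) in classify_samples().items():
        print(f"{name:>10}: {bits:.3f} bits/byte  flagged={flagged}")
    # Ciphertext and random bytes both land near 7.99 and are flagged alike;
    # the armoured copy of the same ciphertext sits near 6.0 and is not.
```

The armoured row is the defender's lesson: an entropy threshold is a weak detector, since a trivial re-encoding of unchanged ciphertext moves it out of the flagged range while the random-bytes row shows the filter would still drop legitimate noise-like traffic.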

    1. Anonymous Coward
      Anonymous Coward

      Re: Blocking all encrypted traffic? Nope.

      WHY wouldn't the government like to take the plebs back to the horse and cart and the days of face to face presence? Figure it would be easier to control us that way.

  63. Adrian Tawse

    These Idiots

Do these idiots have the faintest glimmering of an idea what they are talking about? End to end is just that, end to end. If I choose to start an encrypted conversation with another party, that is entirely between one end, my end, and his end, and there is not a damn thing the Home Sec can do about it. This assumes I have the skills, but these are hardly hard to come by. The Home Sec could ban this from being offered as a service, but then if I want to keep my comms secret I am hardly likely to advertise the fact by using this service. The Home Sec would then have to start a system of licensing, or the banking system, for one, would fall apart.

  64. Infernoz Bronze badge
    FAIL

    Utter anti-security nonsense

    Any end-to-end encryption service which has a decryption spy facility would be much harder to verify secure against unintended attack surfaces including multiple exploits of the clients for the decryption spy channels too; any sensible e2e business would tell these state idiot spies to get lost.

Any security aware person would use a direct, point-to-point, verified & signed OSS chat client which doesn't use a 'cloud' server for any cryptography and instead uses secure session public key exchange directly with the other client, with security verification at both ends to detect a Man-in-the-Middle 'client' or modified client software. It should also be possible to have a user-side monitoring tool to detect less secure data transfer or decryption spy channels and instantly kill the connection.

    1. Charles 9

      Re: Utter anti-security nonsense

      You better also use home-built hardware as well that has guaranteed verifiable traces and so on, lest we forget the State is interested in subverting communications at the hardware level, beyond any userland level of detection, prevention, or intervention.

  65. RevK
    FAIL

    It is not about catching criminals - it is about ruining business!

To be clear here - this only impacts legitimate UK based companies offering their users end to end encryption solutions. They may be (and can be assumed to be) subject to secret orders to maintain a capability to decrypt the communication and hence not be properly end to end. There is no way the bill bans open source, home made, non UK supplied (though the bill tries, but has no jurisdiction), or even pen/paper/dice based solutions. Criminals and terrorists and anyone concerned over privacy can still communicate securely, but UK businesses cannot sensibly make any crypto solution as all will assume they are subject to secret orders. This has impact on business, UK crypto business, and not on anyone else. It has no impact on criminals or terrorists, and does not look like it was ever intended to. It is purely to hamper the UK industry and nothing more.
