Euro ISP club: Sure, weaken encryption. It'll only undermine security for everyone, morons

The European Internet Service Providers Association (EuroISPA) has slammed calls for Facebook to drop its end-to-end encryption plans. UK, Australian and US officials have asked the antisocial network and other companies to delay plans to implement end-to-end encryption across their messaging services and provide law …

  1. Pascal Monett Silver badge

    Not a moment too soon

    It's about time somebody slammed the door on those stupid backdoor arguments once and for all.

    Law enforcement has everything it needs to obtain data on someone; it's called a subpoena and it just has to be signed by a judge who agrees with it.

    You have no right to transform every petty police officer into a member of the NSA, capable of delving into people's private lives on a whim.

    And, talking about the NSA, the violation of people's private lives simply because you can is disgusting.

    1. Peter2 Silver badge

      Re: Not a moment too soon

      Law enforcement has everything it needs to obtain data on someone; it's called a subpoena and it just has to be signed by a judge who agrees with it.

      Personally, I'm on board with the idea of not producing data without a subpoena/search warrant and I think that pretty much everybody who could understand would agree.

      Designing things so that they can't provide data even if a subpoena/search warrant is issued however is a bit more dubious.

      1. John Sager

        Re: Not a moment too soon

        Guess why they are now designed that way. A lot of government overreach has had consequences for them.

        1. Claptrap314 Silver badge

          Re: Not a moment too soon

          Revealed government overreach has a lot to do with the politics of the situation but 0 to the technology. Security tech is simply not fit for purpose with these back doors installed.

      2. Anonymous Coward

        Re: Not a moment too soon

        I don't see a problem forcing Facebook to build a backdoor that the authorities can use - nobody should be using any Facebook owned or run app for anything they want to keep confidential (same with Google). There will always be other apps and systems that can be used for greater assurance of confidentiality.

        The way Five Eyes are going, only those wanting to keep their communications confidential for nefarious (aka criminal or terrorist) reasons will be able to be free from prying as they'll use systems that aren't meeting the governments' rules...

        1. The Central Scrutinizer

          Re: Not a moment too soon

          Seriously? Oh you're an ac. Never mind....

        2. phuzz Silver badge
          Stop

          Re: Not a moment too soon

          "I don't see a problem forcing Facebook to build a backdoor that the authorities can use"

          The main problem is; how do you stop everyone else from using the same backdoor without getting a warrant?

          We know that whichever firm has access to your data will probably try and monetise it. We know that employees at tech companies will use their privileged access to spy on people they know. We know that police officers will also use their access to do the exact same thing. We know that police forces won't bother getting a warrant if they think they can get away with it. And of course we know that when a programmer says that a system is totally secure, they're probably wrong.

          So yes, the idea of a system which would only allow access to our messages by the 'right' people, only when a proper warrant has been issued, is a great idea. It's just there's so many potential problems, and ways for that system to go wrong, that most people think it's a dangerous pipe dream.

          1. Stork Silver badge

            Re: Not a moment too soon

            Also, which authorities? US, UK, Hungarian, Russian, Chinese? (In no particular order).

            And what if someone walks out with the key?

            I think the back door talk is overblown, most of the interesting info can be found via metadata already.

          2. tekHedd

            "Don't see a problem..."

            I'm afraid you've tried to reason with someone who said "I don't see a problem with" when what they really mean is "I WON'T see a problem with..." Regardless of how logical your response is, they stopped listening about halfway through hitting "Submit".

            1. Anonymous Coward

              Re: "Don't see a problem..."

              Actually, and it was my post, and I am quite aware that others will find ways to break into the backdoor. But, if people realised that anything posted there could be seen by others they might not be so keen to put private info there - and people need to realise that almost nothing is ever 100% secure.

              Putting backdoors into every system would be a problem but, it's just possible that the uproar caused when Facebook gets hacked people (not just those who actually understand the situation) might actually sit up and take notice - and politicians might realise insisting on backdoors everywhere won't get them re-elected.

              1. Mike 16 Silver badge

                Getting re-elected

                Once the backdoors are in place (and Internet voting is mandatory) getting re-elected will be a doddle.

                People sitting up and taking notice will do nothing once the levers of power are in the "right" hands.

                Frog-boiling, anyone?

          3. Oengus Silver badge

            Re: Not a moment too soon

            when a programmer says that a system is totally secure, they're probably wrong.

            when a programmer says that a system is totally secure, they're probably wrong but when they say a system is probably insecure they are definitely correct.

            1. Michael Wojcik Silver badge

              Re: Not a moment too soon

              "totally secure" is a meaningless phrase, so anyone who claims a system has that property is automatically wrong.

              Security is not absolute. It's only meaningful under a threat model.

              Even under a threat model, to perfectly guarantee security under that model (aside from degenerate cases) a system would have to verify correct intent and correct information. Thus it would have to be omniscient, and omniscience is physically impossible.

            2. Anonymous Coward

              Re: Not a moment too soon

              A (good) programmer will never say that. Systems are simply too complex, and exploits can be found at any layer including bugs in libraries, OS or side channel attacks at the hardware layer.

              Sales and marketing on the other hand will have no problem saying it's totally secure.

          4. Kibble 2

            Re: Not a moment too soon

            I don't necessarily disagree with your general thought on this subject. The down vote is due to not enough people are aware of it being a dangerous pipe dream.

        3. walatam

          Re: Not a moment too soon

          forcing Facebook to build a backdoor that the authorities can use

          I'm not an expert but I guess if "the authorities" can use the backdoor, so can anyone else in time as a backdoor will become public at some stage - either maliciously leaked or because there are bugs in the backdoor.

          1. Loyal Commenter Silver badge

            Re: Not a moment too soon

            The problem of backdoors (or front-doors, or side-doors, or loft windows) is that they have to be at least as strong and well protected as the thing they are a back-door into, or they defeat it entirely.

            Imagine you have something worth protecting, and you build a bunker around it that can only be penetrated with great effort. You need to get in and out, so you install a steel door, and make sure that this is at least as hard to get through as the wall. The weakest point is the key, because someone could beat you up to get hold of it. This is all well and good, and somewhat analogous to the protection provided by, for instance, SSL.

            Now imagine that the government decides it wants the police to be able to access that bunker without getting a court order to get the key from you. Instead, they mandate that a second door is added to every bunker, and that this can be opened by a special police key. They also mandate how that door should be constructed, which turns out to have flaws (let's say they specify that it has to be provided by a specific door supplier, who is not an expert in security door construction, and makes them on the cheap out of plywood). This is analogous to how software back-doors would work. You would have no knowledge of how well constructed that backdoor is, or how secure it is.

            You now have two additional vulnerabilities to your security - the badly constructed back-door which may at any point be compromised more easily than your steel front-door by any random bad-guy with a sledge-hammer, and the standard police-key used to open it which may be compromised and copied by any random bad guy, without your knowledge.

            1. Loyal Commenter Silver badge

              Re: Not a moment too soon

              Add to that, the fact that if the bad guys manage to reverse-engineer the lock on just one back-door, they can get into every bunker. They can do this without the owners knowing (as can the police) and potentially remove items, plant evidence, destroy things, or just take a good look around.

            2. DuncanLarge Silver badge

              Re: Not a moment too soon

              > the standard police-key used to open it which may be compromised and copied by any random bad guy, without your knowledge.

              Don't forget, this includes a bad policeman!

            3. John Sager

              Re: Not a moment too soon

              Ha, Ha, You've now just invented TSA approved luggage locks!

              1. Loyal Commenter Silver badge

                Re: Not a moment too soon

                Luggage locks have one purpose, and one purpose only - to stop the zips on your suitcase accidentally getting caught on something and opened. If customs want to do a spot-check, they will use bolt-cutters. If someone wants to steal from your luggage, and it is bolted, they will probably just stick something in the zip and force it open. Or steal the luggage.

            4. Aussie Doc
              Joke

              Re: Not a moment too soon

              "...or front-doors, or side-doors, or loft windows..."

              Pretty sure we know that darn Windows is always a problem.

        4. Doctor Syntax Silver badge

          Re: Not a moment too soon

          People also do legitimate business over the internet. That requires that it should be possible to exchange information confidentially if that's required and essential to confirm a transaction reliably. By "reliably" I mean that it shouldn't be possible for some third person to intercept and amend the transaction, impersonate one of the parties, forge a transaction nor for one of the parties to repudiate their part in it. That requires an end-to-end secure system. Whilst that may upset some branches of government others, those concerned with trade and the economy, should be pressing for it.

          While personally I'd not want to use anything provided by Facebook for such a purpose the need for a secure, end-to-end secure messaging system needs to be met somehow and the best way to achieve it would be through an open standard defined, in the internet way, by an RFC with multiple, including FOSS, implementations available. Email ought to provide that but doesn't, not without add-ons. Either a replacement standard is required for that or a new standard is needed to sit beside it to provide for such messaging.

        5. This post has been deleted by its author

        6. Aussie Doc
          Holmes

          Re: Not a moment too soon

          You're Peter Dutton and I claim my $5.

      3. NoneSuch Silver badge
        FAIL

        Re: Not a moment too soon

        The legislation is to stop whistleblowers, the press and free speech. Nothing more.

        1. Michael Wojcik Silver badge

          Re: Not a moment too soon

          Oh, I'm sure the people pushing for it also have harassing their personal enemies in mind.

      4. Michael Wojcik Silver badge

        Re: Not a moment too soon

        not producing data without a subpoena/search warrant

        And what magical process would guarantee this requirement was observed? Or that if observed it was anything more than a rubber stamp? Here in the US, FISA seem happy to grant secret search warrants for nearly any request.

    2. John Sturdy
      Black Helicopters

      Re: Not a moment too soon

      I don't think that's what they're trying to get. This is more consistent with wanting to watch all data from all people, to find people who can be accused of something but who are not yet known to the authorities.

    3. DCFusor Silver badge

      Re: Not a moment too soon

      One door that needs slammed is this political "make it sound reasonable" BS. All we're seeing here is an extreme and obvious case of something that's been around for awhile - constantly getting worse.

      Let's try that balance argument in a sentence or two, shall we?

      How about:

      "We need to balance your right to life with my need for cannon fodder."

      "We need to balance your love of your children with my desire to have sex with them."

      "We need to balance your freedom with my requirement that you be easy to manage."

      Just for a couple of nasty ones. You could do this endlessly. In truth the correct "balance" for quite a number of these things is 0 or infinity - all one way or the other.

      We've gone far too far with the marketing of everything, spinning every desire in such a way as to sell it as reasonable. People need to learn to read backwards through that transformation without even thinking about it. It stinks as it's forced cynicism on anyone who wants the minimal accurate picture of events.

      1. sbt Silver badge
        Megaphone

        The private sphere needs to be defended, even though sometimes bad things happen in secret.

        I've said before that TPTB want you to forget that the time period in which it's been possible for them to monitor your private communications is incredibly short in historic terms; an aberration due in large part to the primitive nature and "wild west" development of telecommunications from the telegraph down (a century or so). Mass surveillance even shorter (a decade or two). It's not and should not be the norm.

      2. Anonymous Coward

        Re: Not a moment too soon

        "We've gone far too far with the marketing of everything, spinning every desire in such a way as to sell it as reasonable"

        That rhetoric is nothing new though, people have been spinning things in that way for as long as there have been politicians. Just look at ancient Greece and Rome.

    4. Tom 35 Silver badge

      Re: Not a moment too soon

      I think the line...

      "prevent future criminal activity,"

      tells you what they want to do. What could go wrong?

  2. big_D Silver badge

    Simpler

    This situation is simpler. The user has the keys, the user is being investigated, so the judge only has to sign off that the user has to hand over their keys...

    1. imanidiot Silver badge

      Re: Simpler

      But in the US the user CAN'T be forced to hand over their keys. Something stupid in their constitution gives them a right against self incrimination or something. That's why they want the option of forcing the carriers/services to hand over your data.

      1. big_D Silver badge

        Re: Simpler

        I don't live in America, so it isn't my problem. My data being p4wn3d by hackers because of backdoors and poor encryption is.

      2. big_D Silver badge

        Re: Simpler

        Also, AFAIK, that only goes for things in their head. If it is stored on a device, then they can get access - assuming it is fingerprint or face recog. locked. If they have to enter a password, they are safe.

        1. Mike 16 Silver badge

          Re: Safe?

          Would that be a definition of "safe" that includes "Just a bit of grievous bodily harm resulting from 'enhanced interrogation'"?

        2. Anonymous Coward

          Re: Simpler

          They can still hold you in contempt in the US for not entering your password when ordered to.

      3. Robert Helpmann?? Silver badge
        Childcatcher

        Re: Simpler

        The understanding of how this tech and our laws interact is still evolving. Here's a write-up of a fairly recent case:

        https://nakedsecurity.sophos.com/2018/11/01/passcodes-are-protected-by-fifth-amendment-says-court/

      4. Crazy Operations Guy Silver badge

        Re: Simpler

        " Something stupid in their constitution gives them a right against self incrimination or something."

        Given how recent administrations have been treating the Constitution, I wouldn't bet my life on the 4th through 8th amendments being followed... The Guantanamo Bay facility is the perfect demonstration that the US doesn't give a shit about their own laws.

        1. Tom 35 Silver badge

          Re: Simpler

          Well it's just that inalienable god given rights only apply to Americans, when they are in the US and not within 100 miles of a border and white enough.

      5. Ken Hagan Gold badge

        Re: Simpler

        That "something stupid" is based on two historical observations. Firstly, that vulnerable people can be bullied into remembering things that aren't true. Secondly, that the level of bullying can be raised as high as is necessary to make a person vulnerable.

        Nobody expects the Spanish Inquisition, but everyone remembers them.

    2. Natasha Live
      Alert

      Re: Simpler

      That is already the case in the UK. It is an offence under RIP Act 2000 not to produce any passwords that the police/courts ask for. It carries a built in NDA (you can't tell your boss if the police now have your passwords, etc) and jail term if you don't comply.

      1. Anonymous Coward

        Re: Simpler

        Which is way overreach. Especially given the "accountability" of anyone in any position of power on this island.

        1. Doctor Syntax Silver badge

          Re: Simpler

          on thisese islands.

          FTFY

          1. Dinanziame

            Re: Simpler

            For how long still?

      2. Anonymous Coward

        Re: produce any passwords

        My passwords are all brute-force password cracking algorithms. It's much easier than remembering weird strings of characters, but can be a little slow sometimes. :-)

        1. Anonymous Coward

          Re: produce any passwords

          My passwords are all mind worms. Are you sure it's safe for me to pronounce them?

          1. 's water music Silver badge
            Boffin

            Re: produce any passwords

            My passwords are all mind worms. Are you sure it's safe for me to pronounce them?

            I use the snowcrash data file for mine. Of course you can see it.

            PPE advised -------->

    3. John Sturdy
      Big Brother

      Re: Simpler

      Yes, but that's not the point. The point of warrantless tapping is to find something on people who aren't yet under specific suspicion.

      1. big_D Silver badge

        Re: Simpler

        And the reason why warrantless tapping in any civilized country is illegal.

        1. Fruit and Nutcase Silver badge
  3. The Central Scrutinizer

    Straya

    "Australian and US officials have asked the antisocial network and other companies to delay plans to implement end-to-end encryption across their messaging services and provide law enforcement with access to users' encrypted content."

    Well, Australia currently has a government full of right wing, technologically clueless fuckwits. Our esteemed Minister for home affairs, Peter Dutton, once demanded that an unflattering picture of him posted on the Internet, be "returned".

    That's the level of technical knowledge we're dealing with.

    1. unimaginative

      Re: Straya

      And in Australia the PM said the law of Australia can change the laws of maths with regard to encryption.

      1. The Central Scrutinizer

        Re: Straya

        The direct quote was along the lines of "the only laws that matter are the laws of Australia", but just as stupid.

  4. dave 81

    The European ISPA is better than ISPA UK?

    Given that ISPA UK was instrumental in establishing EuroISPA, why does ISPA UK say Mozilla is a VILLAIN for using encrypted DNS (DoH) and yet, EuroISPA comes out with this?

    1. Ordinary Donkey

      Re: The European ISPA is better than ISPA UK?

      I guess that EuroISPA was founded before ISPA UK was bought.

    2. Jimmy2Cows Silver badge

      Re: The European ISPA is better than ISPA UK?

      Ummm... ISPA UK have sold-out to a bunch of rabid data fetishists screaming "Won't somebody please think of the children?" whereas EuroISPA haven't...?

  5. Alistair Silver badge
    Windows

    Look at the thousands of arrests of pedo's and terrorists

    We've been making while all these things are unencrypted. Don't want to lose that ability....

    Oh. Right.

    1. TrumpSlurp the Troll Silver badge

      Re: Look at the thousands of arrests of pedo's and terrorists

      Spot on.

      There aren't enough resources to track terrorist suspects who have been reported by their own families.

      There aren't enough working courts to try people who have been arrested.

      Minor crimes are no longer investigated; crime number and claim on your insurance.

      This isn't about crime prevention.

      I wonder why they want it, then?

  6. alain williams Silver badge

    The public needs protecting ...

    from paedos, crims, etc.

    What about protecting from policemen, politicians, ... ? There are many examples around the world where the population are being obviously abused, start with: China, Turkey, ...

  7. John Sturdy
    Big Brother

    Learning about surveillance societies

    For those who are looking for somewhere currently off the beaten track for a holiday, I recommend going to Albania and visiting their Museum of Secret Surveillance (http://muzeugjethi.gov.al/?lang=en); or at least explore the online tour on their site.

    Then think how much more surveillance we are now under, and how much specialized spy technology has been rendered obsolete by the devices we now voluntarily (even eagerly) buy.

  8. Barrie Shepherd

    All this talk from governments of secure back-doors "that only they can access - not the naughty people" reminds me of the various, very secret, Seats of Regional Government from the cold war era. These were in secret locations, highly secure and apparently protected against atomic bomb attack. That did not stop a number of their locations being discovered and the installations being vandalised by "naughty people".

    Eventually all back-doors would be discovered, somehow, and everyone's security would then be compromised instead of just targeted individuals as now.

    Governments seem to have forgotten to include the concept of unintended consequences considerations in their knee jerk responses and law making.

  9. Anonymous Coward

    Backdoors are only temporary

    Why can't gubbermints understand that.

    Any backdoors put in to appease a gubbermint will be the target of every hacker in Russia, China, Iran and a few dozen other countries.

    1. Jimmy2Cows Silver badge
      Devil

      Re: Backdoors are only temporary

      Let me FTFY...

      Any backdoors put in to appease a gubbermint will be the target of every hacker in Russia, China, Iran and a few dozen all other countries.

      It's not just the current "bad guys" (TM) who'll be interested. Every government and nosey agency/council/NGO will go after them too.

  10. mark l 2 Silver badge

    I am struggling to see why Facebook - a company that makes all its money from mining users' personal data to sell it to advertisers - actually wants to implement end to end encryption and not leave it as it is now, other than to try and make gullible people believe they care about your privacy?

    Surely from Facebook's perspective it's better to offer server side encryption using TLS or similar so they can decrypt the data and still trawl through it to sling ads at their users, and then if plod comes knocking with a warrant they are also able to provide plain text copies of the messages since they know the encryption keys as it's all done on their servers.

    1. John Sturdy
      Boffin

      That needn't affect them

      I don't know whether this is what they do (or plan to do) but they could do a (more limited) form of that analysis at the client end (browser scripts / mobile app) before the data is encrypted.

    2. Paul Crawford Silver badge

      "to try and make gullible people believe they care about your privacy?"

      You already answered your own question, methinks.

    3. tekHedd

      Why would Facebook, you ask?

      It's a legitimate question. Because nobody in their right mind trusts FB with their private communication now, do they? But if FB stands their ground, afterwards everyone *will* trust them. Then, later when the governments mandate backdoors, and they redesign their architecture to be client-server so that the NSA et al can put in hooks to grab that data (see also Skype), nobody will complain and they'll still treat it as secure and private. Everybody wins, except for of course nobody wins.

    4. Long John Brass Silver badge
      Big Brother

      I am a struggling to see why...

      Because it won't stop FaceBook from showing you the advertising that they make Beeeelions from?

    5. Crazy Operations Guy Silver badge

      That way they can lock ISPs / TelCos from also spying on people. The advertising industry is saturated, the only way to increase ad revenue is to muscle out everyone else wanting a piece of the pie.

      1. Long John Brass Silver badge

        Hadn't thought of that; In retrospect you are I think; Dead on :/

  11. FrogsAndChips Silver badge

    Because they know their users will quickly turn to other services if they don't. It's better for them to lose the contents of the conversations than to lose the conversations themselves. By Zuckerberg's own admission, they are much more interested in the metadata (and a f*ckload of that is still available even with end-to-end encryption) than in the silly messages "Hey, check this cool cat video, lol!".

    1. FrogsAndChips Silver badge

      This was supposed to be a reply to "mark l 2" 's question above, not a new comment.

  12. Anonymous Coward

    I believe this should be the key for the back door:

    Wenn ist das Nunstück git und Slotermeyer? Ja! Beiherhund das Oder die Flipperwaldt gersput!

  13. LeahroyNake Silver badge

    It could work

    If they want a backdoor or more recently requested front door (I actually did laugh out loud).

    They could ask the users for their private key or get a court order to make the user unlock the phone or device. They already have this in the UK and you can be locked up indefinitely if you refuse.

    Naaa we just want to look at everything just in case, if you have nothing to hide what is the problem etc.

    Example, my fingers got chopped off and I can't access my phone. Next 50 years in prison if you have even one encrypted file on your device. Guess I should ask nicely if they can dust my house for fingerprints and stick a good one on the sensor.

  14. FuzzyWuzzys
    Facepalm

    Wake up and smell what FB is shovelling!

    Ultimately FB wants to make you think they give a rat's arse about your privacy, but only 'cos big paying advertising accounts have threatened to pull out due to privacy concerns from their customers not 'cos FB actually give a monkey's toss about you or your privacy!

  15. williamsth

    I've said this before - you can't uninvent/undiscover maths.

    If you put a back door in, the terrorists move to another (or their own) platform using the same technology, leaving everyone else who's innocent open to prying eyes.

    Just because you make end to end encryption unlawful doesn't stop criminals from being criminals. Are these people thick?

  16. sportrunner

    "We must find a way to balance the need to secure data with public safety and the need for law enforcement to access the information they need to safeguard the public, investigate crimes, and prevent future criminal activity,"

    When have they ever been concerned with securing data? There is no way to secure a backdoor, it just proves that they don't even understand what they are asking for. The translation for this is simple: do as I say, not as I do.

  17. Roj Blake Silver badge

    I'm fine with backdoors...

    ... just as long as I also get back-door access to Boris Johnson's and Priti Patel's private messages.


Biting the hand that feeds IT © 1998–2019