UK Government Apparently Hoping It Can Regulate End-To-End Encryption Out Of Existence

from the sure-hope-'the-children'-are-grateful-for-the-shitty-future-being-handed dept

Politicians — those motivated by the notion of “doing something” — want to end encryption. They don’t want this to affect their communications and data security. But they don’t see the harm in stripping these protections from the general public. Often, the argument is nothing better than “only criminals want end-to-end encryption,” something they trot out as a truism despite plenty of evidence to the contrary.

But these politicians (and government officials) are cowards. They refuse to call a backdoor a backdoor. They come up with all sorts of euphemisms while pretending compliance with proposed laws won’t result in the creation of backdoors that can be exploited by everyone, not just the “good guys.” They also deploy other euphemisms to attack encryption that protects millions of members of the public, referring to good encryption as “warrant-proof” or “military-grade.” Those terms never survive examination, but the narrative persists because most members of the public have no interest in closely examining falsehoods uttered by governments.

The UK government has expressed an unhealthy determination to undermine encryption for years now. It has the fanciest of plans to undo protections enjoyed by UK residents for reasons ranging from “the children” to “the terrorists.” The underlying intent never changes even if the names on the office doors do. Regulators come and go but the desire remains. Even the bills get renamed, as though a different shade of lipstick would make the UK’s anti-encryption pig any more desirable.

Rebranding from “Online Harms” to “Online Safety” only changed the tablecloths in the Titanic’s dining room. The UK government wants encryption dead. But presumably “safety” sounds better than “harms,” especially when the government affirmatively wants to harm the safety of millions of UK residents.

The Internet Society has taken a look at the revamped and rebranded bill and has delivered a report [PDF] that explains exactly where on the Internet doll the UK government plans to engage in inappropriate touching. There’s no mention of backdoors or broken encryption, but complying with the law means possibly doing both.

The draft Online Safety Bill places a duty of care on service providers within the scope of the draft bill to moderate illegal and harmful content on their platforms, with fines and penalties for those that fail to uphold this duty. The only way for service providers that offer end-to-end encryption to comply with this duty of care would be to remove or weaken the encryption that they offer.

That’s the end result of these demands. But the politicians and regulators pushing this are unwilling to directly refer to the harms the bill will cause. There’s no ban on end-to-end encryption. There’s no mandate for backdoors. Instead, the bill hopes to achieve these ends by applying regulatory pressure that makes both of these outcomes unavoidable.

Service providers deploying end-to-end encryption obviously cannot see the content of communications between users. The UK government says that’s no longer acceptable. Providers need to be proactive in preventing the spread of certain content. That leaves them with only one option.

Ofcom can require that service providers use “accredited technology” to identify harmful content and “swiftly take down that content”. To comply with this requirement and fulfil their “duty of care”, service providers will likely need to resort to upload filters and other mechanisms that may interfere with the use of end-to-end encryption.

Basically, the same thing that saw Apple catch a considerable amount of heat will be expected to be standard operating procedure for any tech company doing business in the UK. Client-side filtering is the most efficient way to prevent the uploading and sharing of “harmful content.” Shutting it off at the source means either invading devices or removing at least one end of the end-to-end encryption. And once those options are available, it will only be a matter of time before the UK government starts demanding access to unencrypted devices and/or messages.

And the UK government has specifically cited Apple’s now-defunct plans to strip protections it previously extended to users and device owners as evidence the proposed law is a net gain for society.

[I]n the Daily Telegraph article announcing the Safety Challenge Fund, Home Secretary Priti Patel points to Apple’s client-side scanning proposal as a positive example, raising concerns about the criteria for evaluating Challenge Fund proposals.

In its quest for easy wins, the UK government is ignoring the long-term fallout of these demands. While it may have no problem stripping UK residents of strong data and communication protections, it may find it more difficult to talk powerful businesses into accepting less-than-solid protections for their financial interactions and transmission of sensitive proprietary info. And government employees still rely heavily on third-party contractors for communication services and data transmission/storage. These same employees also rely on devices and cell phones manufactured by companies that will now be forced to make their products less secure for everyone who uses them.

Everyone loses. But the people who will lose more and lose it faster simply don’t matter. Before the cold reality of broken encryption hits home for politicians, they’ll have already collected the PR wins needed to secure more terms in office. And with more time comes more power. Eventually, the UK government may find a way to exempt itself from the impositions placed on the private sector, elevating them above the people they serve. In the end, very little will have actually been done to address the problems (child exploitation, terrorism) cited to justify these impositions. The only guarantee is that devices, communication services, and the internet at large will be expected to make huge sacrifices in service to the UK government’s talking points.


Comments on “UK Government Apparently Hoping It Can Regulate End-To-End Encryption Out Of Existence”

33 Comments
This comment has been deemed insightful by the community.
PaulT (profile) says:

"But presumably "safety" sounds better than "harms," especially when the government affirmatively wants to harm the safety of millions of UK residents."

Basically, they realised that "for the children" isn’t working, so they decided to pretend that making people scared of their bank accounts is a better angle.

"Priti Patel points to Apple’s client-side scanning proposal as a positive example"

But, of course she did, the poor deluded fascist.

Let’s translate that – the best "positive" example that can be given as an alternative to users proactively protecting themselves is for a foreign corporation to spy on everything they do. Which is, of course, perfectly fine so long as they’re on the side of the people currently in charge. They’ll change their tune the moment that someone does the exact same thing but is not aligned with their political or financial goals.

"In its quest for easy wins, the UK government is ignoring the long-term fallout of these demands"

It’s my experience that it’s a mistake to assume that any idiotic move on the part of the Tories is related to short-term planning, ignorance or otherwise that they don’t know what they’re doing. More often than not, they know exactly what the consequences are, they just choose to ignore it so long as they or their friends can profit and reasonably expect to escape the long term consequences on a personal level.

ECA (profile) says:

really wonder

Who is pushing this?
90% of the phones really don’t use Much encryption in the first place, and If there is some, Most has been cracked already.
This is more to the Idea of intercepting calls, in the middle. It has little to do with the phones, unless there is real encryption NOT designed in the phone in the first place.

Logic
If every phone had different encryption, they couldn’t talk to each other. So even the Apple phones Must have a standard for encoding (NOT encryption).

But Where in the system is anything Encrypted, beyond encoding? Or is this a boondoggle to grab attention and do nothing.

Anonymous Coward says:

Re: really wonder

Encryption protects the message, which is carried between devices by a separate communication protocol. So long as both ends agree on an encryption protocol, and can securely exchange keys, the fact that other devices on the network don’t know where to start to read the messages being exchanged is an advantage in protecting privacy.

ECA (profile) says:

Re: Re: really wonder

AC.
It’s called protocols. And every phone can have keys, but the Book was written publicly. It’s the same code and key system in every phone. Then you get info from the Corps about how they Init the code, generally is specific, they use ???? for the code of their phone, then a ???? that is this or that, and then MAYBE ???? which is the MAC address of the phone. Go look in your ABOUT FILE.

You can’t make it Hyper complicated.
Do you understand WHY?
IT SLOWS EVERYTHING DOWN.
Ever listened to a person talking too fast and NOT in a monotone? THE PHONE GOES NUTS, trying to encode it and send it. And when it gets to the other side, it sounds like Garbage.
I’ve had to STOP people from talking and explain this.
Hate hearing the phone cut out and Cut off the top and bottom of the voice. Worse than noise cancellation.
AND corps are not installing Anything More than they NEED, BASICALLY.

This comment has been deemed insightful by the community.
James Burkhardt (profile) says:

Re: really wonder

If you don’t understand public/private key encryption, you are in good company with the UK government.

Your point is one Techdirt repeatedly makes. Encryption is math. There is no such thing as encryption that can only be decoded by the recipient. As has been true throughout history, encryption (or the codes/cyphers that preceded it) is only as valuable as the encryption key. Modern Public/Private Key encryption is almost universally based on Diffie–Hellman key exchange, a method for exchanging "public" encryption keys whose encryption is then decoded by a "private" key held by the recipient.

Security comes because these keys should be very large (>= 1024 bits, about 300 decimal digits), each one should be unique, and there is no practical means of factoring very large numbers quickly, a key step in breaking the encryption. Even if the encryption is broken, it only breaks the encryption between those 2 specific people.

The Proposals at question insert a 3rd encryption key into the mix. That 3rd key will be universal by design – a skeleton key for governments and law enforcement. This presents the very problem you are concerned about – once you can break encryption with that key once, you can break any encryption that accepts the law enforcement key. And once you have the single point of failure, even an impractical brute force approach becomes valuable.

Encryption only ‘encodes’ data. Ever. That is all encryption ever does. It’s just a much more complex math behind the code. In the end Encryption’s results are just a more complex form of Enigma. I don’t know how to say any different. While your phone is locked, the contents are encrypted. This prevents low effort data dumps and obscures the contents of the phone if a dump is achieved. This encryption would be strong but various exploits are known that allow phone cracking tech to work, not to mention cloud backups storing encryption keys. End-to-end encryption deals with data in transit. Absent exploits, Diffie-Hellman Key exchange with a unique RSA-1024 or better key is currently near impossible to crack. An RSA-1024 key has not yet been publicly factored and is not expected to break for at least a few years, barring some major breakthrough.

Anonymous Coward says:

Re: Re: really wonder

Absent exploits, – I feel this is a very good point worth highlighting. Much of the way that "encryption gets broken" is not by breaking the encryption itself, but by exploiting a flaw in implementation, or flaws in an operating system that allows reading of the key when it is used normally.

As phone-cracking and malware-spying companies have shown, what we absolutely don’t need are flaws built into the encryption itself.

nasch (profile) says:

Re: Re: really wonder

There is no such thing as encryption that can only be decoded by the recipient.

There’s one exception, and that is one-time pad encryption. However, that is cumbersome and very difficult to do correctly.

Encryption only ‘encodes’ data.

No, encoding and encryption are fundamentally different processes, because encoding and decoding requires no key. It serves a completely different purpose than encryption.

While your phone is locked, the contents are encrypted.

If your phone has that feature, and you have it enabled.

This comment has been deemed insightful by the community.
Anonymous Coward says:

Re: really wonder

Who is pushing this?

The Criminals in law enforcement and politics that don’t want to do their jobs and still retain them.

Law enforcement criminals that simply want to sit on their ass all day instead of doing real detective work, and push a button to "solve" the crime. ("Enhance that image!", "ZoOm In MoRe!", etc.)

Political criminals that simply want up to the minute reports on everything their opposition has done that day. So they can undermine them at every turn. (Yes, Telescreens, and no you will never be a member of the Inner Party.)

Banning of encryption is mandatory surveillance. They consider everyone a threat, and they want to make sure that threat is neutralized. Plain and simple. Reject it at every turn. Don’t fall for their nonsense. (Hint: If it sounds like bullshit after decades of debate it probably is.)

That One Guy (profile) says:

Re: Re:

On the one hand that seems like something so insane and outlandish that it couldn’t possibly be the case. On the other hand they’re trying to make everyone in the country less safe and their communications and data less secure, so it’s not like political espionage would be crazier than what they demonstrably are doing.

Anonymous Coward says:

Re: Re: Re:

Back in December, Labour said they would support it with no reservations so long as managerial liability was brought up as a core feature instead of a reserve power.

Heather Burns wrote about how it’s not the answer in this article: https://www.openrightsgroup.org/blog/online-abuse-why-management-liability-isnt-the-answer/

It’s effectively a hostage-taking law and the reason Labour wants it so badly? Because Nigel Farage left them to join Facebook and they view it as a betrayal.

That One Guy (profile) says:

Re: Re: Re: 'The briar patch again? You shouldn't have.'

It’s effectively a hostage-taking law and the reason Labour wants it so badly? Because Nigel Farage left them to join Facebook and they view it as a betrayal.

If one of if not the goal of this is to stick it to Facebook then this would be yet another case of shooting Facebook’s competitors while aiming at Facebook, because while large companies like them are going to suffer from liability like this smaller ones that might have competed with them will be destroyed due to not having the resources required.

PaulT (profile) says:

Re: Re: Re:3 Re:

Ah, apology accepted, although Clegg was the former leader of the Liberal Democrats who formed the doomed coalition with the Conservative party that led us into a lot of the current mess the country’s in. Labour was the party formerly in power that the coalition government ousted. Although by American standards they all count as "liberal", there’s many important differences.

I understand that this might all be confusing for people looking in from the outside, but there’s a huge difference in many ways and Farage is a unique enough cancer without confusing things further 😉

Blake C. Stacey (profile) says:

While it may have no problem stripping UK residents of strong data and communication protections, it may find it more difficult to talk powerful businesses into accepting less-than-solid protections for their financial interactions and transmission of sensitive proprietary info.

It’s gonna be interesting to see how the City responds to this….

Anonymous Coward says:

Stockbrokers and bankers rely on private communication data encryption apps and Web services to keep their customers’ data secure and private. Google and Facebook have EU offices in Ireland; the Irish government has never even proposed to ask messaging or finance apps to reduce encryption or make customer data less private. The UK had a bill to make all users register to have access to xx rated adult websites; it collapsed because there was no practical way to make it work with all Internet users. The UK intelligence services probably have access to browsing data and txt messages and location data of UK Internet users. It’s like the old legacy media companies: they are constantly asking for new laws or access to user data even if it breaks the Web or reduces user security and privacy.

Anonymous Coward says:

Client-side filtering

The UK government are deluded if they think that client-side filtering is going to fix anything. Software can be modified. If filters are introduced, someone will make a hacked version of the client that either skips or fakes the filter check. Anyone who wants to avoid prying eyes will use that hacked client.

Of course, talk of client-side filtering could just be a ruse. "The boffins told us that the filtering won’t work, so the only option is to snoop on everything you say. Sorry!"
