David Cameron's Plan to Ban Encryption in the UK

In the wake of the Paris terrorist shootings, David Cameron has said that he wants to ban encryption in the UK. Here's the quote: "If I am prime minister I will make sure that it is a comprehensive piece of legislation that does not allow terrorists safe space to communicate with each other."

This is similar to FBI director James Comey's remarks from last year. And it's equally stupid.

Cory Doctorow has a good essay on Cameron's proposal:

For David Cameron's proposal to work, he will need to stop Britons from installing software that comes from software creators who are out of his jurisdiction. The very best in secure communications are already free/open source projects, maintained by thousands of independent programmers around the world. They are widely available, and thanks to things like cryptographic signing, it is possible to download these packages from any server in the world (not just big ones like Github) and verify, with a very high degree of confidence, that the software you've downloaded hasn't been tampered with.

Cameron is not alone here. The regime he proposes is already in place in countries like Syria, Russia, and Iran (for the record, none of these countries have had much luck with it). There are two means by which authoritarian governments have attempted to restrict the use of secure technology: by network filtering and by technology mandates.

Posted on January 13, 2015 at 2:07 PM • 129 Comments

Comments

lazlo • January 13, 2015 2:25 PM

I'm really curious if he's honestly proposing that they go to amazon.co.uk and tell them to turn off SSL or get out.

A Nonny Bunny • January 13, 2015 2:34 PM

You'd think Cameron could think of an easier way to kill the British banking industry, and other financial institutions.
Criminals will have a field day when electronic banking has to do without proper encryption.

rich • January 13, 2015 2:38 PM

The thing you have to remember is that this guy is a product of the UK elite. He's been raised with what they call in the UK "a silver spoon in his mouth". The UK is not a meritocracy in any sense of the word. Instead guys like Cameron are just handed well paid jobs and immunity from consequences solely because they are in this tiny elite.

It doesn't matter if he's smart or dumb - in the UK, you'll notice that the higher up any organization you go, the dumber the people become!

In the UK, the most important thing for anybody in any position of power either in government or private industry is not to rock the boat and keep the cash flowing to all the connected insiders.

In all likelihood Cameron does not even know what encryption is and has never even used a computer let alone installed an app.

He has his job because he went to the right school and because of family connections. It doesn't matter anyway because his post is largely ceremonial - as virtually all UK law is made in Brussels and imposed from there.

So probably best not to waste too much time parsing the inane statements of this utter nonentity.

. • January 13, 2015 2:50 PM

Yes and if we follow that logic all the way through, then GCHQ should not be allowed to use encryption, nor the military, nor the government. If it truly is something ONLY used by terrorists then it should be universally banned. So "And it's equally stupid" pretty much sums it up :)

Alex • January 13, 2015 2:52 PM

Cryptographic encryption in Russia is not banned yet.
Moreover it is legally required in some areas (for personal data storage and processing, for example).

John Henry • January 13, 2015 3:05 PM

I seem to recall that they tried to do something like this to PGP back in the 90s and one of the arguments against was the first amendment. That is, we have pretty absolute freedom of speech. Much more than the British.

One of the things the first amendment gives us is a right to communicate in obscure languages. If Bruce and I wanted to communicate in some backwoods version of Tibetan that only we could understand, that is protected speech.

It is only a short jump to say that encrypted speech, that only Bruce and I understand, is also protected.

As I say, I remember hearing this in the PGP debate but since that was resolved on other grounds, I don't think the argument ever went very far.

It should be interesting to see if encrypted speech is First Amendment protected speech. It is speech that 1A protects, not the right to understand it.

And good luck to Cameron with this. Cliches may be cliches but they are often true. If encryption is outlawed, only outlaws will have encryption.

John Henry

A Nonny Bunny • January 13, 2015 3:06 PM

To be fair, Cameron doesn't want to ban encryption, but "just" cripple it so the government can read everyone's communication like they're the Stasi.

Of course, any dedicated "criminal" with a browser can just run an encryption algorithm in javascript. And for good measure hide those encrypted messages steganographically in the noise of an image.
So, as we've come to expect, it will only really have an effect on the safe communication of everyone that isn't a "criminal".

And the funny thing is, this all started over the right of freedom of expression!

Sancho_P • January 13, 2015 3:49 PM


I’m a bit concerned about the basic idea behind “banning encryption”.

Encryption is kinda language.

To ban my language because it isn’t understandable comes close to banning my thoughts.

Bob S. • January 13, 2015 4:05 PM

Cameron's bras attack on electronic privacy and security likely has wide support of the British people, else he would have not made the proposal. Note the opportunistic timing...days after the French event. (ANYTHING for SAFETY)

Likely Obama through Comey will launch a similar attack soon. My sense of it is, many Americans support more mass surveillance (1/3?), even more don't know about it or care and a small minority are strongly opposed (

Many other countries are likely to follow suit.

Governments do not want the people to have secrets from them, of any kind. It's for your own good, so they say.

Sparky • January 13, 2015 4:09 PM

So let's assume any crypto that the "security services" can't read (requiring a warrant) becomes illegal. Now what if the "terrorists" use it anyway? Then the government will only find out they can't read it after getting the warrant, right? I know I'm not fooling anyone, but let's just assume they will actually get a warrant before trying to read it; only then will they find out they can't. The only way to "solve" this, and thus to enforce the new law, would be to try to read all encrypted communications long before there is sufficient other evidence to get a warrant, and go after anyone whose data they can't decipher.

This means people would be prosecuted for things the government agencies can't read because of their incompetence, and also for anything that isn't actually encrypted but they can't understand anyway, so sending a file in an obscure binary format would pretty much be An Act Of Terrorism (tm). At the same time, everyone's data would be read without a warrant just to check if they can (and of course they would use the data anyway), and using strong crypto will not be a sign you're a terrorist, it will probably be re-defined as An Act Of Terrorism (tm) in itself!

Shadow Firebird • January 13, 2015 4:23 PM

@Bob S:
"Cameron's bras attack on electronic privacy and security likely has wide support of the British people, else he would have not made the proposal."

Err… no. You are attributing him a level of competence and statesmanship that… just, no.

Also: no bras were involved, I hope…

Clive Robinson • January 13, 2015 4:29 PM

@ Rich,

"The UK is not a meritocracy in any sense of the word. Instead guys like Cameron are just handed well paid jobs and immunity from consequences solely because they are in this tiny elite."

As far as I remember the only real job Cameron had was as a "PR Wonk" because his only real abilities are to schmooze and brown nose. Thus like many sociopaths he "networked" his way up the greasy pole and then slimed into politics. He has the Eton hide which makes that of a rhino look as thin as tissue paper, and the articulative wit of a spiv. What hurts him however is that he has a desperate need to be seen, denying him that is like getting a tight grip on his windpipe. He "talks at people" but "he does not listen to people" thus his conversational ability is quite limited and he can rarely answer an unexpected question.

I don't know if he is stupid, ill informed, or being played like a cuckold by others on the make in the IC, but it might just be a "oh I've got to say something that sounds profound" moment in front of a "nodding dog" audience.

He has however presided over the "White, male and stale" must go reorganisation of the Conservative party. Thus the real political heavy weights and intellectuals in the party who rejected the ideas of ID cards etc are no longer there to put him back on the right track.

Thus I suspect he is going to get calls from the likes of his Google and Apple advisors pointing out that it's a really bad idea not just for them, but other businesses and thus the Conservative party coffers.

It will be interesting to see if the press will just let it go or back him into a corner and thus force him to come out fighting or backpedal with some "techno babble" about "coming through the front door" or "golden keys" or other such nonsense.

We have a general election in the UK in just a few months and sadly the opposition have proved themselves completely inept when it comes to privacy and had started the ID Card system the old Conservative heavyweights killed off.

The problem is that too many UK MPs that get ministerial positions have a "make it so" ineffectual management style which puts way way too much power into unelected civil servant hands, which the "revolving door policy" tends to suggest means they are not acting with impartiality but out of self interest, at best "feathering their nests" at worst "filling their boots" with brown envelopes and the like.

For instance the previous head of GCHQ was whittering on about the lack of security in some bio-metrics on mobile phones the other day. He was interviewed by various supposedly impartial news organisations who lapped it up as though the corner of the secrecy veil has momentarily twitched. What the old goat did not tell them is it's a problem that's been known in the public security field for some time but he now has a company pushing some other bio-metric solution (that is just as lame but different).

Moike • January 13, 2015 4:38 PM

Bruce: you know yourself as a former big wheel at BT about the effects of RIPA. "Give us your secret key" "No" "Go to jail for two years. Do not pass 'Go'".

From the country with the most CCTV cameras per head in the world.. from a government that dislikes its citizens.. I expect nothing less. We will continue to encrypt everything possible. I am glad that this government will likely be gone in 3 months.

Clive Robinson • January 13, 2015 4:48 PM

@ Flotsam,

"He's Prime Minister because he got the most votes in the last election."

Err no his personal share of the vote was quite small even for a safe seat, likewise the Conservative party had less elected MPs than the Labour Party. It was only by forming a coalition with the LibDems that the combined number of MPs outnumbered that of the Labour Party. And finally he is PM not for any of those reasons, but because he was the leader of the Conservative party which has the most number of MPs in the coalition. As the advert says "Simples".

And the reason I know this was I made the mistake of forgetting it and somebody reminded me so I went and checked.

steven • January 13, 2015 4:55 PM

These measures would hamper serious crime or terrorism the least; more likely aid and encourage it. I don't assume him to be this stupid, only that he's lying about his real motives to try to justify something nefarious. It sounds like tightening restraints on freedom of speech, expression and association of the general populace, using modern technology as the tool, as we see happening in every corner of the world.

The US co-opted its most successful IT corporations in this pursuit, so the UK government may try to extort them for that same level of access, to social networks and personal data in the cloud; as well as forcing indigenous ISPs and mobile networks to share the private communications they carry.

And still, bad people will anonymously communicate with stolen phones, travel freely with fake identities, and meet up in private to prepare attacks or harm others.

CallMeLateForSupper • January 13, 2015 5:07 PM

“The question remains: are we going to allow a means of communications where it simply is not possible to [intercept it]? My answer to that question is: no, we must not.” - David Cameron

It should prove amusing, watching Cameron try to distance himself from himself.

"Independent computer security expert Graham Cluley said: 'It’s crazy. Cameron is living in cloud cuckoo land if he thinks that this is a sensible idea, and no it wouldn’t be possible to implement properly.'"

"The UK’s data watchdog has also spoken out against 'knee-jerk reactions', saying moves could undermine consumer security."

"Eris Industries, which uses open-source cryptography, has said it is already making plans to leave the UK if the Conservative party is re-elected with this policy in its programme."

http://www.theguardian.com/technology/2015/jan/13/david-cameron-encrypted-messaging-apps-ban

Flotsam • January 13, 2015 5:13 PM

Clive Robinson

Cameron won his seat comfortably with 58.8% of the votes and positive swing of 9.4.

UK General Election 2010 by seats

Tories: 298
Labour: 191
LibDems: 43

Popular vote

Tories: 9,931,029
Labour: 7,042,398
LibDems: 6,076,189

Percentage

Tories: 39.6%
Labour: 28.1%
LibDems: 24.2%

Clive Robinson • January 13, 2015 5:43 PM

@ Flotsam,

Hmm I've had a scan around and the figures differ depending on where you look. For instance Wikipedia has it as 304 MPs, which is more than you give.

Further other sites give his personal votes not as a percentage of votes counted but of those registered to vote.

Hmm revisionist history in action on the Internet...

What I personally remember from the time was the impression Cameron had won but the press saying that Cameron did not have sufficient MPs to form a Government, Gordon Brown not leaving No10 and a week of behind the scenes negotiations mainly by civil servants ending with the coalition and Cameron going to see the Queen to form a Government.

I actually said as much on this blog some time ago but was told I was incorrect, hence as I said going and checking in a couple of places at the time.

Hmm time to dig a little.

albert • January 13, 2015 6:05 PM

I don't know about the UK (and frankly, don't care) but here in the US, we always have 2 choices: Tweededumb and Tweededumber.
.
According to Max Keiser, the UK is doing a fine job destroying their financial system with or without Cameron's help.
.
It sounds like a knee-jerk reaction to seed the public with the idea that 'we need more security' by having less security. Does that make sense?
.
When you think about it, look at the last several 'terrorist' attacks. How many of them can be said to be total surprises? Where there was absolutely no prior intelligence on the perps? No inkling of potential trouble? Terrorists use encryption, so let's eliminate it, thereby eliminating terrorism? Why not eliminate guns and bombs instead?
.
It's laughable to think that terrorists wouldn't stop using email, etc. if encryption was known to be breakable. Sure, it's harder to organize and plan, but if you really believe in what you're doing....
.
BTW, There were about 1000 killings by police in the US last year. Wouldn't ya know, the FBI doesn't _require_ police participation in compiling those statistics. I'd hazard a guess that more than 17 of those killings were unnecessary, and totally preventable.
.
Gimme a break...

Skeptical • January 13, 2015 6:14 PM

The Director of GCHQ from last November:

To those of us who have to tackle the depressing end of human behaviour on the internet, it can seem that some technology companies are in denial about its misuse. I suspect most ordinary users of the internet are ahead of them: they have strong views on the ethics of companies, whether on taxation, child protection or privacy; they do not want the media platforms they use with their friends and families to facilitate murder or child abuse. They know the internet grew out of the values of western democracy, not vice versa. I think those customers would be comfortable with a better, more sustainable relationship between the agencies and the technology companies. As we celebrate the 25th anniversary of the spectacular creation that is the world wide web, we need a new deal between democratic governments and the technology companies in the area of protecting our citizens. It should be a deal rooted in the democratic values we share. That means addressing some uncomfortable truths. Better to do it now than in the aftermath of greater violence.

The devil is in the details, but as I said then: to ignore the legitimate concerns of law enforcement and intelligence agencies of free nations is ultimately not in the interests of anyone's security. The perfectly secure system - secure against everyone - will be swept away the moment it is used to perpetrate an act sufficiently outrageous to the public. Snowden's dreams of binding down humanity in encryption to prevent abuse of power are politically naive and unhinged from history.

Keep in mind that Cameron's words are the reaction to recent attacks in Paris which, while horrific, did not approach the scale of 9/11, and which, so far as I have seen reported, were not failed to be prevented by an inability of a government to decipher the terrorists' encrypted communications or stored information.

Should that day ever come, when we witness a terrorist attack of large magnitude which evaded preventive measures because the terrorists involved used a readily available and perfectly secure (or within the relevant neighborhood of perfection anyway) information or communications system, the countermeasures put in place will likely go further than needed.

Far better to address these concerns now, when things are relatively calm, than later.

I don't think simply "banning encryption" is likely to be practical, or wise, but I have little doubt that better proposals can be shaped that can give weight to the concern that the police, with a lawful warrant, be able to search effectively to safeguard the public, while at the same time providing adequate protection for the privacy rights of everyone.

The solution can be a fully open one, designed in part (or in full) by security researchers and engineers of many different perspectives - or it can be a mostly closed one, depending on who takes initiative.

It's not an easy problem. It's a wickedly complex problem, and no single answer is likely to find the full endorsement of any audience, which means those who approach it will need, in addition to technical brilliance, undaunted moral courage and sufficient standing to withstand the criticisms that will come from all quarters and from under every shade of hat. Even should you succeed in designing the best solution, many will fail to see it and many will harshly criticize you even in success.

Perhaps we simply don't make the kind of person willing to take on that kind of challenge, as we once did. Or perhaps I simply have it all wrong and there's an easy way out.

Rick • January 13, 2015 6:21 PM

@ Sancho_P:

"To ban my language because it isn’t understandable comes close to banning my thoughts."

I submit that the worldwide array of TLAs salivate at the prospect of monitoring thoughts, and, indeed, will ban them (by force, even) if the technology exists to make it affordable to do so. Convincing the masses to accept such a practice is the easy part, as infuriating as that is for me to now accept.

The following individual was director of a small CIA-funded lab to research the concept. Funds were cut in 1995. Despite small successes (the discovery of sidereal time as a statistically significant independent variable in anomalous cognition experiments) yet overall mission failure, it is interesting to note that the US Government was willing to legitimately fund this research 20 years ago. James Spottiswoode: http://jsasoc.com/library.htm

I don't argue the aforementioned research so much as I wish to point out that the TLAs around the world are definitely serious about monitoring/controlling thoughts.

My two cents: technology distills power, power corrupts absolutely; therefore the reins of technology must reside within the domain of the people, and never with government. Long live digital encryption methods!

AlanS • January 13, 2015 7:13 PM

A quote from Boris Johnson, Mayor of London, and Cameron's old Bullingdon Club drinking buddy, speaking at a demonstration in support of Paris at Trafalgar Square: "I’m not interested in this civil liberties stuff. If they’re a threat, I want their emails and calls listened to."

"Mr Johnson called the displays of support in London, Paris and around the world “stunning”. He spoke as the Tricolore was flown from the National Gallery, and its red, white and blue coloured the fountains of Trafalgar Square."

Very pretty, but did it ever cross his small brain, one wonders, to consider that the cartoonists at Charlie Hebdo died exercising their civil liberties satirizing those who oppose such liberties and that the majority of the people demonstrating were deeply concerned about the "civil liberties stuff"?

Clive Robinson • January 13, 2015 7:19 PM

@ Skeptical,

"Or perhaps I simply have it all wrong and there's an easy way out."

You forgot the "no way out" option, which is actually the answer.

From a technical point of view there are two major hurdles that need to be resolved otherwise any frontdoor / golden key / backdoor is pointless for the claimed problem.

The first is the "Russian Doll" problem of codes within codes within....

The second is insufficient context to derive a meaning from the message contents.

Both of these can be shown to be impossible to solve if the message participants want them to be. And the second issue is a plaintext issue not a ciphertext issue, so importantly would continue to work even if encryption was not used in the communications.

There is a bunch of papers about subliminal communications in plain text with the model being two prisoners communicating privately through the warden who carries the messages from cell to cell and thus can see all the communications and ensure they are neither encrypted nor in a recognizable code.

Any terrorist who can read and think, and can be bothered to look can work this out from public domain information going back to WWII if not earlier.

After all various criminal organisations have worked out ways to do this years ago even when being under properly warranted observation / wire taps etc. And provably some of them did not read any academic papers on it because they were doing it long before the papers were written...

It's also the reason why traffic analysis or monitoring communications meta data provides more reliable intel than the actual message contents, especially when using automated systems, (because there is insufficient human resources etc).

Importantly even with encrypted message contents the point to point nature and handshakes of TCP generally leave the metadata in plain sight.

It's only when you start using effective anonymisation techniques that you can hide the metadata, and currently the likes of The Onion Router are not sufficiently effective.

JonKnowsNothing • January 13, 2015 7:53 PM

I proudly wear my "conspiracy hat" because, after you live long enough, you find that all those conspiracy "theories" aren't "theories" after all.

The blood wasn't even dry on the pavement when the first salvos from the 3Letter Crowd started circulating, testing the waters. "Were the killings enough? Do we need another?"

They even floated horrendous stories about children having bombs strapped to their bodies and being herded into crowded places and blown up, describing them as: "Suicide Bombers". The bombings are real, that a 8-9-10 year old girl willingly becomes a "Suicide Bomber", especially coming from countries where females (of any age) are "not valued".

It just boggles.

Things I noticed during those horrendous day's activities and have not seen any information on is: exactly how did these guys get the weapons? You don't waltz around France with an AK47 or grenade launcher. The only people in France with such weapons are the Government or the Military. The French Secret Services have a VERY good handle on everyone in France. EVERYONE. Nothing goes down anywhere that they don't know about it, long before the participants do.

Additionally, they had the entire life story of each of the 3 men and the woman ready to go with extraordinary detail. At least the FBI claims they need days for such revelations but they don't wait too long to reveal them. The details were just "amazing" and one can hardly imagine that with such details, they didn't happen to notice the guys buying AK47s and loads of ammo and flak jackets at the local super? DOH

In other historical circumstances, conspiracies seemed to be WAY OUT THERE... but 20-30-40 years later and 50,000 dead US Soldiers, we found out: It was all a lie. The incidents were worse than faked, they just made them up because it suited "their purposes".

It won't surprise me if the NSA/GCHQ with some Weapons Dealer Friends orchestrated the entire thing, just like they did with "baby incubators on the floor of the hospital in Kuwait".

You can be 100% sure the DiFi will simply claim "They LIED to me!" If we all live long enough.

Will • January 13, 2015 7:56 PM

As some have said, how does he propose to get me to remove my remailer that runs on a server in The Netherlands? Fools in government.

JonKnowsNothing • January 13, 2015 8:17 PM

There are technical details beyond the average person's ability to implement to maintain anonymous communications but one area the US Agencies are desperate to access are the ginormous corporate tracking databases. While they need "some kind of warrant" (and it's not much of a warrant really as we now know), to "force" the information from a corporation, they can simply "buy it" like any other corporate exchange.

Those corporate databases collectively hold far more information about each of us than probably the NSA data center does, even the one in Bluffdale.

Your communications may be encrypted (or not) but your life is an open-book from the corporate data-harvester side.

Both sorts of "snooping" need to be addressed because they do exactly the same thing. Removing encryption may be the method for the 3Letter Crowd to "not pay for the privilege".

I would guess, that even General Hayden's personal details have been harvested. He certainly carries an encrypted cell phone and has loads of "back up" but he's still vulnerable to the every day corporate spying that goes on, CCTV capture and monitoring; the works.

iirc the Pleb-Gate mess in the UK had CCTV coverage of the incident at Downing Street. So, Cameron gets harvested along with the rest of the "plebs".

Without encryption their details are open to anyone too.

Maybe it will be: Encryption for Me but not for Thee.

Selbstdolchstoss • January 13, 2015 8:20 PM

Tonight we have Skeptical straining at stool to imagine an attack that is much, much worse than shooting an obnoxious guy like cops do ten times a day. It is as bad as 9/11! Just think of it!

What's more, this imaginary conceivable (and who knows, perhaps even possible!) hypothetical counterfactual 9/11 happens not because criminal government scumbags called off the FBI, but because the terrorists used - Gasp! - encryption. What this proves - or would have proved, if it could happen, or ever did happen, or maybe even might happen - is that you have to let government read anything you ever thought or said whenever they want NOW NOW NOW before it's TOO LATE.

This is how stupid these beltway tax parasites are. They think and think and this is the best they can do. Can't wait till they finally get that war they want with Putin and Xi and the سپاه قدس guys that took Iraq from them like taking candy from a baby. It is going to be the most hilarious, slapstick rout in history.

AlanS • January 13, 2015 8:26 PM

@Clive and others on representative government in the UK

Maybe the most interesting aspect of UK politics is the Scottish issue. It didn't go away with the independence vote in September, in fact it hasn't come to a head yet.

Cameron's party has held no more than 1 seat out of 59 in Scotland for the last 18 years. For a while after 1997 they held no parliamentary seats in Scotland. During the Thatcher years they started with around 20 and that shrunk to 10. It's hard to overstate how much Thatcher was detested by the Scots but she unintentionally made the process of increasing Scottish devolution possible.

The Scots aren't too happy with Labour either after last year. If Labour starts losing seats to the SNP in Scotland it's hard to see how they will win a UK election (See Labour set for a bloodbath in Scotland). And Cameron is using the Scottish issue as a wedge with English voters. If you are English, especially English in the so called "North", or Welsh or Northern Irish, and want something other than Cameron's party, you may be dreaming. The UK is coming apart at the seams.

Chris Abbott • January 13, 2015 8:36 PM

@Skeptical

Clive is right about the no way out thing. The source code for all of this stuff is already out there all over the world. You could never get rid of it all. Even if for some magical reason you could, you could always write your own 'burner crypto' (i.e. amateur crypto that's just complex enough to use once and then destroy the source code, insert laughter here).

If you make back doors compulsory, then you end up in a situation where legitimate people fall victim to eventual attack, while the criminals still use good encryption. Like they say about guns in the US "When guns are outlawed, only outlaws will have guns" (not trying to say anything either way on the whole gun debate, just an analogy).

@Clive

You're right about the metadata. It can be more revealing than the data itself. It reveals the difference between calling your mom or calling Planned Parenthood or a suicide hotline. That's why proper targeting is important.

@Skeptical, @Clive

When it comes to terrorists, if you have the metadata, you don't necessarily need to grab the contents because you can get a pretty good idea about what they're saying anyway. You could grab the plaintext with malware if you wanted, and we know that isn't necessarily hard to do, at all.

packagedblue • January 13, 2015 8:59 PM

XXXX Blair showed understanding problems about the Y2K problems in his good book, A Journey.

Thoth • January 13, 2015 9:45 PM

@all
Correct me if I am wrong that David Cameron from UK was the first to announce anti-crypto/anti-sec measures after the Paris terror attacks instead of France (the victim country) should have been the one to throw out a knee-jerk reaction and to my knowledge France have not shown signs of knee-jerk reaction (via anti-crypto/anti-sec measures) yet ?

We have not had any details on the Paris terror attacks yet on how the terrorist conduct his plans and if any encryption was used at all (very doubtful if there is any proper OPSEC).

I think we can put it this way that many politicos up there have already long lost sight of their goals and tries hard to push for nonsense into a legal system and hopefully get through.

We just need the public to kick in and enter into self-heal mode on the system and wash out the nasties via proper knowledge, power and resource.

aJanuary 13, 2015 10:58 PM

This discussion clearly shows the different views between the technical and the political community.

Technical community: (see all the arguments in this thread why it can never work)
=> encryption cannot be banned for logical reasons, enforcing such a law would cripple the internet and terrorists could still communicate.

Politician/Security Services: Good law. We can sentence anyone we like to sentence, and of course will use the law responsibly and never abuse our power.

This kind of stupidity cannot be fought with technical arguments. All of us here are wasting our time to discuss the technical issues, which don't matter for the public discussion.


Political problems need political answers.

-If the police can read it, Russia can spy on us, too.
-This is exactly what the Nazis would have done.
-Cameron is computer illiterate, any child knows that ...

We can leave the technical problems to our students as a homework exercise.

Let's come up with some political statements why this is stupid.

House CatJanuary 13, 2015 11:27 PM

@Sancho_P


I’m a bit concerned about the basic idea behind “banning encryption”.

Encryption is kinda language.

To ban my language because it isn’t understandable comes close to banning my thoughts.

Some parts of this are true, but this defines encryption too narrowly.

Imagine sending a photo of your house key to someone. All the recipients then have the means to enter your house, and thus have control over your property. If it's encrypted, then only the ones with the encryption key have that power.

Encryption then is a means to secure property, both of the intellectual and also of the physical kind.

A law that limits or negates a person's power to exercise control over their property has the consequence of reducing the market value of that property. Like zoning laws, a law against encryption is a taking of property through regulation.

DanielJanuary 13, 2015 11:32 PM

Skeptical writes, The perfectly secure system - secure against everyone - will be swept away the moment it is used to perpetrate an act sufficiently outrageous to the public. Snowden's dreams of binding down humanity in encryption to prevent abuse of power are politically naive and unhinged from history.

You are wrong. You are wrong for the reasons that Clive and Chris point out--the world has changed, there is nowhere left to run except to the stars and that is not feasible yet. We are caught up in the birth of a new era of history.

I don't doubt for a moment that when another 9/11 or worse happens the public will once again be outraged. Yet their outrage will become increasingly irrelevant. The underlying truth is that we have reached a point in our cultural development where the pace of technological change is outstripping the ability of deliberative democracy to deal with it. It used to be that society had centuries to adapt to inventions like the bronze spear, the wheel, or the arch. Today we have decades, at best.

It is not Snowden who has become unhinged, it is history itself. The losers will be those who tie themselves to history rather than technological progress.

SkepticalJanuary 13, 2015 11:38 PM


@Clive: From a technical point of view there are two major hurdles that need to be resolved otherwise any frontdoor / golden key / backdoor is pointless for the claimed problem.

The first is the "Russian Doll" problem of codes within codes within....

The second is insufficient context to derive a meaning from the message contents.

Yes, which would put the police in the same place as if they had been able to overhear the would-be terrorists discussing plans. That's considerably better than not being able to overhear them at all. I say this because things like "idiot codes" won't suffice over the phases that accompany an attack on a scale of 9/11. They might have worked for the Paris attacks though.

@Chris: If you make back doors compulsory, then you end up in a situation where legitimate people fall victim to eventual attack, while the criminals still use good encryption. Like they say about guns in the US "When guns are outlawed, only outlaws will have guns" (not trying to say anything either way on the whole gun debate, just an analogy).

That depends on the nature of the back door, doesn't it?

Ideally we'd want lawful access to have these features along these lines (just off top of my head):

1 - enabling features not easily, or perhaps not possibly, reproducible, e.g. reliant on particular location in network infrastructure in conjunction with device to work;

2 - failures - breaches - detectable immediately -> multiple factors and channels, along with heuristic monitoring to determine breach or compromise;

3 - robust system -> the failure or compromise of one back door will not lead to compromise of all

4 -> System is easy to change, modify, or shut down, provided sufficient independent authorities certify at controlled terminals

5 -> System resistant to abuse (warrant certification, extensive auditing, logging, perhaps film of users at controlled terminals, perhaps sufficient data saved so that, should we desire, we could re-create what any actor did on a VM using that data).

6 -> Regular pen tests by government; and encouraged, controlled, virtual venues are also provided in which private researchers may probe for vulnerabilities given certain forms of access (all within a VM), and evaluate vulnerabilities they've found and the extent to which they can be leveraged - all for a handsome bounty. Disinformation and counterintel possibilities here too.

7 -> system would provide access fast upon verification of true warrant, but with full auditing and logging, along with the policies and laws that would need to be added, to enable abuse to be detected and proven after the fact.

8 -> while I disagree with Sancho's idea to reward all hackers for attacks on actual targets, I do like the creativity of the idea, and it can be modified. Imagine this:

Someone - DHS, NSA, etc. - sets up a virtual "shooting gallery" of systems likely to be probed anyway by APTs. Should someone successfully hack one of these systems, in the virtual environment, then DHS, NSA, etc., will immediately have a record of the hack and can contact the company to patch or, in extremis, shut down operations - depending on the system hacked, a reward ranging from modest to large will be given. If the hacker is able to suggest a successful fix, the reward doubles, depending on level of detail re fix provided.

etc. etc. etc.

Some of these ideas pull at opposite directions, which will make it all the more challenging.

But you package it together with a set of specifications that, for the first time really, offers average users control over their information (full transparency as to what data is leaving the phone - real time tracking by the OS of access to designated sensitive data and attempts to copy, move, encrypt, hash, and otherwise exfiltrate such information from device without user's explicit consent - highly minimal and extremely specific app permissions - institution of a spectrum of security standards that can be made meaningful to consumers, allowing markets to segment themselves naturally and giving those who wish to sell higher security products a better chance of doing so.

There can be, surprisingly, a net gain for both security and privacy if these two things are rolled together. Consumers achieve better overall privacy, and government retains, under tight controls, access to communications that it might have lost otherwise.

There are all the bad ideas born in the rich hours before dawn to a person who thinks a shell is something one finds on a beach.

But... it's enough to convey what I have in mind, I think.

JonKnowsNothingJanuary 14, 2015 12:22 AM

@Skeptical


Point 1
Ideally we'd want lawful access

Point 2
... you package it together with a set of specifications that, for the first time really, offers average users control over their information (full transparency as to what data is leaving the phone - real time tracking by the OS of access to designated sensitive data and attempts to copy, move, encrypt, hash, and otherwise exfiltrate such information from device without user's explicit consent

This is an oxymoron suggestion:

If I don't give you "explicit consent" you will take the data anyway without my consent using "lawful access".

There's no benefit here.

@Skeptical, as it seems you are most likely an NSA shill, why don't you use some of your little grey cells to figure out why General Hayden's "question" isn't a question at all?

You might want to change jobs if you figure that out. You would much better serve humanity if you spent your time outside of the government. Governments come and go; Humanity lasts a bit longer.

I'll give you a hint on the solution: There is No Such Thing as Security.

It takes a bit of logic to unpeel the onion about why not as the "question" is cleverly disguised but the upshot is: You Will Never Have Security. Never.

All you will ever get is "control" and that is subject to a lot of variables. For starters: people don't like it.

keinerJanuary 14, 2015 2:00 AM

How would Mr. Cameron stop something like this:

http://www.theguardian.com/uk-news/2014/sep/04/woman-found-beheaded-edmonton-north-london-garden

...or this Paris shooting (if it wasn't a CIA job. Why did Mr. Obama stay away from Paris? Didn't want to meet Netanyahu? Is he aware of the fake and doesn't want the CIA to blow up a nuclear device down town a US city and blame it on insufficient surveillance? Just asking...)

Why do NSA/CIA spy on companies each and everywhere in the world? Terrorism? And on each and every user of the internet?

After all, the USA (and its poodle UK) is worse than USSR under Stalin, its dark leaders such as Dick Cheney are untouchables on a mission to maximise wealth of a corrupt elite. How do we get rid of these guys?

Clive RobinsonJanuary 14, 2015 2:02 AM

@ Thoth,

... and to my knowledge France have not shown signs of knee-jerk reaction(via anti-crypto/anti-sec measures) yet ?

You may not know that for most of the last century using crypto in France was a crime, with an unlimited punishment. Thus it is still in quite a few of the older and perhaps wiser political heads, why they changed the law, and might not want to go back to the "old ways".

WinterJanuary 14, 2015 2:45 AM

The attackers had already been under surveillance for a long time. They were known risks. The French already eavesdrop on all communications.

I think what these attacks show is that the eavesdropping and surveillance approach simply does not work.

Let that sink in:
The attackers were known risks, had been under surveillance as terrorist suspects, in a country with a well developed surveillance technology infrastructure and a lot of police. And the attacks were not prevented.

Is there any other conclusion possible than that the surveillance approach to terrorist threats is an utter failure?

So, another way to see Cameron's proclamations are a flight to the front. To save whatever can be saved of the surveillance state. Because the surveillance is not targeting terrorists, but their own population.

As I have understood, the people have always been the real enemies of Whitehall (UK citizens can correct me if I am wrong).

RonKJanuary 14, 2015 3:08 AM

@ JonKnowsNothing

> There is No Such Thing as Security

Er, no. The logical fallacy you've fallen into is the ever ubiquitous "false dichotomy". Your utterance would undoubtedly be correct (but vacuous) if you had said "Absolute Security". Unfortunately, real-life security doesn't have a capital "S", so it is not binary (nor is it even well-defined in most discussions, leading to misunderstanding).

Note that this doesn't make Skeptical's utterances any less wrong, given the existence of steganography (and yes, steganography can be undetectable in practice --- you just have to not be greedy about your data rate).

Brian RJanuary 14, 2015 3:25 AM

I actually wonder if the push behind this is less to do with terrorism but more to do with civil unrest in the UK itself. I'm fairly sure that the UK security forces already have the means (via a warrant and enough suspicion) to force a citizen to relinquish encryption keys.

I'm fairly sure that one report (can't find it now amongst the sea of reports deriding Cameron for being a technologically incompetent fool) suggested that he was after the means to shut down encrypted communications, presumably in response to some civic emergency. The ability to shut down communication via WhatsApp etc. may be as much to do with curtailing the ability of protestors to react quickly to government agents.

In any event, any hint of a ban on encryption would simply force all communications onto different channels, making it ever more tricky to monitor. The banks and technological companies will presumably make their distaste well known.

DennisMJanuary 14, 2015 3:51 AM

He sounds too far fetched to be serious, but he's got those Chinese porn filters to work so maybe he can step it up.

65535January 14, 2015 4:39 AM

“The attackers had already been under surveillance for a long time. They were known risks. The French already eavesdrop on all communications. I think what these attacks show is that the eavesdropping and surveillance approach simply does not work.” – Winter

I agree.

“Chérif was convicted of terrorism and sentenced to three years in prison, with 18 months suspended, for having assisted in sending fighters to militant Islamist Abu Musab al-Zarqawi's group in Iraq, and for being part of a group that solicited young French Muslims to fight with Zarqawi, the leader of Al Qaeda in Iraq...” – Wikipedia

https://en.wikipedia.org/wiki/Charlie_Hebdo_shooting#Suspects

Clearly the attackers were known risks and the various “agencies” probably had them on a “list” but that did not prevent the multiple murders.

We are back to “Security Theater” funded by a section of society that was killed. This Security Theater seems to do little to no good.

“Encryption for Me but not for Thee.” – JonKnowsNothing

That is a good point. If I am reading Cameron's statement correctly he is espousing keeping encryption for himself and other members of the upper-class and outlawing encryption for the average Joe.

That is the “one-way mirror” effect where the government can see everything that you are doing but you cannot see what the government is doing. It is a power grab – at a time when fear is running high. Don’t let it happen.

“We have not had any details on the Paris terror attacks yet on how the terrorist conduct his plans and if any encryption was used at all.” –Thoth

That is another good point. There is no evidence that encryption was used by the terrorist at any time – yet Cameron is already indicating encryption was a factor in this attack and must be outlawed. To repeat, where is the evidence that encryption was the cause of these murders?

I don't want to hear the worn statement that it cannot be revealed due to "National Security."

To specific items:

“…exactly how did these guys get the weapons? You don't waltz around France with an AK47 or grenade launcher.” - JonKnowsNothing

That is a good question. Where did they get the auto rifles, ammunition, and grenade launchers? I doubt if they manufactured them in their kitchen sink.

I would guess that gross mistakes in plain law enforcement occurred somewhere in the chain – to put it kindly. And, not to mention an 18 month suspended sentence – with poor parole procedures.

And, what about the “wife” of the attacker that seems to have gotten away? I would guess that she had some helpful information regarding the attack.

Tangentially, it seems a French police commissioner killed himself during the attack – oddly.

“On the night of 8 January, police commissioner Helric Fredo, who had been investigating the attack, committed suicide in his office in Limoges shortly after meeting with the family of one of the victims, while he was preparing his report.” – Wikipedia

Was this police death caused by remorse or something more damaging?

https://en.wikipedia.org/wiki/Charlie_Hebdo_shooting#Aftermath

It seems clear that both Cameron and the public don’t have all of the facts. It would be wise for high profile politicians like Cameron to restrain their remarks until all of the facts are known.

David CameronJanuary 14, 2015 5:14 AM

Dear Google,

You know that SSL encryption you add to YouTube and your search engine queries? Well, we were wondering whether you could break it and make it defective for all six billion world users, cause it would work out really nice for my political party here in England. If for some unfathomable reason you feel that this is not a reasonable request I'll have no choice but to ban all UK citizens from using YouTube and pass a law against googling things up. So, yeah. Well. Cheers.

Yours sincerely,

David Cameron

Cc Apple, Microsoft, Linux foundation, BSD, Cisco, Github, Intel, Wikimedia foundation

Stephen BrinichJanuary 14, 2015 5:55 AM

@Skeptical:

which evaded preventive measures because the terrorists involved used a readily available and perfectly secure (or within the relevant neighborhood of perfection anyway) information or communications system

Before worrying about the hypothetical scenario presented, I propose to deal with the very real scenario:

which evaded preventive measures because the police and security agencies were so inundated with noise as a result of their collect-it-all obsession that they could no longer hear signals (e.g. "Those Tsarnaev guys who traveled from your country to ours? They're trouble; if I were you I'd keep an eye on them.")

Clive RobinsonJanuary 14, 2015 5:58 AM

@ JohnKnowsNothing, 65536,

…exactly how did these guys get the weapons? You don't waltz around France with an AK47 or grenade launcher

You are probably not going to believe this or have your jaw dropping open for some time.

A short while ago the BBC interviewed live in Paris a French expert on terrorism. The expert was asked the same question to which he replied they were purchased in France probably from the drugs black market for ten or twenty thousand euros (approx. the same as USD). He further went on to say that one of the terrorists had taken out a six thousand euro loan --from the French equivalent of a credit shop/union-- to buy the weapons.

Now please apply your hand under your chin and taking care not to trap your tongue push gently upwards until your mouth is closed...

TomJanuary 14, 2015 6:46 AM

Has Camoron never heard of the Streisand effect?

Try to ban something and you make it more popular.

The terrorists who attacked Charlie Hebdo succeeded in increasing its circulation from 60,000 copies a week to 5 million this week at least.

If Camoron goes ahead with plans to ban encryption I'm sure the source code for GnuPG, OpenSSL etc will become much more widely distributed. I would even be tempted to start a campaign to put up billboards containing the entire source code of GPG for instance.

AndrewJanuary 14, 2015 7:02 AM

For anyone who is interested in the actual comments made by Big Dave, they were reported on the BBC website. http://www.bbc.co.uk/news/uk-politics-30778424

Big Dave did not mention banning encryption. What he did say is that in extreme situations and with a signed warrant, security services and the police should be able to obtain more detailed electronic information on suspected terrorists.

Please stick to the facts.

ThothJanuary 14, 2015 7:15 AM

@65535
Regarding the suicide of the Police Commissioner, I feel it's foul play. He must have found something very important and assassinated in cold blood by a State Actor. Either it is the French or British behind it (my personal guess). Lots of nations with cold blooded assassinations would attribute "suicides" to depression and stress ... the easiest excuses to make.

1.) France is also one of the big powers and have always been known to have very powerful spy agencies which they keep in the dark unlike BND/NSA/GCHQ which are well known.

2.) Sneaking weapons and a good ton of ammo into the country would be very obvious. The use of AK-47 might be a ruse to indicate it's Al-Qaeda since AKs are associated with enemies of Western power. Even so, if you want to sneak weapons in and carry it onto a transport and then reach your destination to start a massacre, you have to ensure that you don't reveal your weapon first in the public prematurely.

We need to know what variant of AK-47 they are carrying and how much ammo they bring. For those of us who have served in our country's military service before, carrying an assault rifle is pretty bulky and on top of that carrying actual ammo in significant quantities on your body would slow you down. A good way to carry rifles compact would be to strip them into parts and move them but once you reassemble the rifles and load the weapon, it would become pretty obvious and charging the old AK-47s is a pretty loud one.

Grenade launchers, shotguns were also involved. That is a whole plethora of weapon systems and they are serious.

These stuff aren't so easy to lay your hands on like in the movies where you could air drop them off. We have no idea how the weapons got into their hands anyway.

If you are talking about smuggling a pistol or an AK-47 ... it is possible but smuggling a grenade launcher and also a shotgun through the customs would have been bells and alarms. These are serious stuff.

It is curious how people would move to their scene of crime to commit their acts without being noticed (the bulkiness of weapons and ammo).

CCTV footage would answer those questions. No significant footages could be found on how it began.

On a hindsight, could certain State Actors supply them simply a few weapon system (since the total cost of weapons wouldn't be that huge) and ammo and sent them on their way ?

3.) Killing 20 people with an assault rifle (there are 2 of them) is a pretty low amount. If they have a magazine of full 30 rounds and walk into a crowded area and open fire, the death rate would have been much higher due to compactness of the crowd and bullets don't simply get lodged into the body of 1 person ... bullets do penetrate a person and strike someone behind. There were no mentions if they did use the grenade launchers and shotguns but these stuff are nasty. The death count would have easily spiked close to a hundred lives taken. If they were doing a more serious "jihad", they might have stopped yelling their slogans and simply got busy killing more and not indulge in their "execution style" of killing and simply do more serious damages by being more precise in their shots to do maximum damage since they should have figured that time is against them as the national troops and police would be moving in on them.

4.) Someone mentioned that the French could quickly bring up data regarding the attackers and people close to the attackers. How would they be able to know so much over just a few days ? Were they anticipating something and the attack was just a scheme ?

5.) The British were very quick to make their claims on crypto as though they were predicting something as well. Coincidence ?

I wonder if Al-Qaeda is now in the controls of (or has always been) certain State Entities and act as their scapegoat when needed.

These are just my few cents of wildly guessing around.

ThothJanuary 14, 2015 7:22 AM

I forgot to mention about the death of the Police Commissioner ... who would have access to a secured Govt facility like a police office ? Probably an inside or really a suicide ... either way it's very suspicious ...

Clive RobinsonJanuary 14, 2015 8:00 AM

@ Andrew,

According to the link you post to David Cameron made the following promises,

"That is the key principle. Do we allow terrorists the safe spaces to talk to each other? I say 'no we don't"
"I am confident the powers we need, whether it is on communications data or the content of communications, I am very comfortable they are absolutely right for a modern liberal democracy."

If Mr Cameron is not to "allow terrorists the safe spaces to talk to each other" whilst also gaining "the content of communications" how do you propose he go about it without restricting the use of encryption to terrorists, and by implication the rest of us in the UK?

Please note that under the current UK RIPA legislation you can be jailed for not revealing an encryption key you have access to for two years. And as quite a few trials have shown some people will not reveal the key or cannot reveal the key, with people actually doing jail time.

One defence against RIPA is to use a system whereby the keys are not made available to either the users or the designers of the encryption products. Such systems are relatively easy to design and build --and have been discussed here before-- and thus available to anyone who has the required coding abilities.

When such a "privately coded" application is designed a "lawful access" solution is not going to be included, and when used with the likes of anonymizing networks they will provide "the safe spaces" for terrorists and criminals and all sorts of other illegals "to talk to each other".

Without making the coding of such applications illegal and thus banning the use of that crypto technology, how else is Mr Cameron going to keep that no safe spaces promise?

Please don't re-rake the 1980's mandatory hardware crypto and key escrow ideas, they have been thoroughly debunked and fail to the "Russian Doll" crypto within crypto within... ad infinitum problem.

ThothJanuary 14, 2015 8:30 AM

One of the models of encryption without user knowledge would be something along the lines of JackPair and probably in some sense modern asymmetric (wrapping key) + symmetric (content key) / PGP style. Generate your key exchange, negotiate the shared secret key and then forget them all once the session is over. Probably the use of long term signature keys would be undesirable since it would give a definite trace of identities somewhere if somehow any of the sessions got leaked.

I would say the "CALEA" stuff are just for show and are pretty useless honestly. No one likes these whatever doors they are called be it frontdoor or backdoor and the one hard counter to any "CALEA" system is the "Russian Doll".
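The scheme described in the comment above (an asymmetric exchange negotiates a symmetric content key, and both are forgotten when the session ends) is the forward-secrecy pattern. The following is an added example, not part of the comment and not JackPair's code; it uses Node.js's built-in `crypto` module, and the class and function names are hypothetical.

```javascript
const nodeCrypto = require('crypto');

// One endpoint of a single session (hypothetical class, added for illustration).
// Caveat: the exchange below is unauthenticated, so it does not stop an active
// man-in-the-middle; deployed protocols authenticate it (certificates in TLS,
// identity keys in Signal).
class EphemeralSession {
  constructor() {
    // Fresh X25519 key pair per session; nothing is persisted.
    const pair = nodeCrypto.generateKeyPairSync('x25519');
    this.privateKey = pair.privateKey;
    this.publicDer = pair.publicKey.export({ type: 'spki', format: 'der' });
    this.contentKey = null;
  }

  // Derive the symmetric content key from our private key and the peer's public key.
  // `transcript` (both public keys, initiator first) binds the key to this exchange.
  negotiate(peerPublicDer, transcript) {
    const peerKey = nodeCrypto.createPublicKey({ key: peerPublicDer, type: 'spki', format: 'der' });
    const shared = nodeCrypto.diffieHellman({ privateKey: this.privateKey, publicKey: peerKey });
    this.contentKey = Buffer.from(
      nodeCrypto.hkdfSync('sha256', shared, transcript, 'session content key', 32));
    shared.fill(0);
    this.privateKey = null; // exchange key is not needed once the content key exists
  }

  // Output layout: 12-byte nonce | 16-byte GCM tag | ciphertext.
  seal(plaintext) {
    this.requireOpen();
    const nonce = nodeCrypto.randomBytes(12);
    const cipher = nodeCrypto.createCipheriv('aes-256-gcm', this.contentKey, nonce);
    const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
    return Buffer.concat([nonce, cipher.getAuthTag(), body]);
  }

  open(message) {
    this.requireOpen();
    const decipher = nodeCrypto.createDecipheriv(
      'aes-256-gcm', this.contentKey, message.subarray(0, 12));
    decipher.setAuthTag(message.subarray(12, 28));
    return Buffer.concat([decipher.update(message.subarray(28)), decipher.final()])
      .toString('utf8');
  }

  // Best-effort erase: JavaScript cannot guarantee no copies remain in memory.
  close() {
    if (this.contentKey) this.contentKey.fill(0);
    this.contentKey = null;
    this.privateKey = null;
  }

  requireOpen() {
    if (!this.contentKey) throw new Error('session closed: key discarded');
  }
}

// Run the exchange between two endpoints and return both, ready to use.
function establishPair() {
  const a = new EphemeralSession();
  const b = new EphemeralSession();
  const transcript = Buffer.concat([a.publicDer, b.publicDer]);
  a.negotiate(b.publicDer, transcript);
  b.negotiate(a.publicDer, transcript);
  return [a, b];
}

function demo() {
  const [alice, bob] = establishPair();
  const wire = alice.seal('constructed sample message'); // constructed input
  const received = bob.open(wire);
  alice.close();
  bob.close();

  // After close, neither endpoint holds anything that decrypts the recording.
  let afterClose;
  try { bob.open(wire); afterClose = 'decrypted'; } catch (e) { afterClose = e.message; }

  // A later session between the same parties derives an unrelated key,
  // so the recorded ciphertext fails GCM authentication there as well.
  const [, bobLater] = establishPair();
  let laterSessionOpens = true;
  try { bobLater.open(wire); } catch (e) { laterSessionOpens = false; }

  return { received, afterClose, laterSessionOpens };
}
```
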

Brian RJanuary 14, 2015 8:34 AM

Cameron's words were:

There should be no "means of communication" which "we cannot read", he said.

Make of that what you will,

WaelJanuary 14, 2015 8:36 AM

@Winter,

Is there any other conclusion possible than that the surveillance approach to terrorist threats is an utter failure?
Of course there is! It was allowed to happen ;)

WinterJanuary 14, 2015 8:42 AM

@Wael
"Of course there is! It was allowed to happen ;)"

'Never ascribe to malice that which can adequately be explained by incompetence.'
Napoleon Bonaparte —

WaelJanuary 14, 2015 8:46 AM

@Clive Robinson, @Andrew,

Please note that under the current UK RIPA legislation you can be jailed for not revealing an encryption key you have access to for two years...
Another defense is to rotate the key before the two year time span elapses. You'd never be in possession of the key for two years or more. Gives you an idea how stupid that requirement[1] is... I won't suggest a "better" requirement either!

[1] I based this assessment solely on your post. I haven't read the full "UK RIPA legislation", so it may be inaccurate.

Alo presidenteJanuary 14, 2015 8:48 AM

If they hadn't told me that the statement came from Cameron, I would have sworn these were the ignorant, drunken ramblings of some totalitarian nutter like Hugo Chavez. It's funny what power does to people.

WaelJanuary 14, 2015 9:00 AM

@Winter,

At the time of Napoleon, "malice" and "incompetence" were mutually exclusive. These days, they are a pair like peas and carrots (as Forrest Gump would say.) I say that tongue-in-cheek, so don't take it seriously. By the way, are you talking about this Napoleon Bonaparte? I bet that's something you didn't know about him! I wonder how Ali Bonaparte would have behaved today if he were alive!

Clive RobinsonJanuary 14, 2015 9:58 AM

@ Wael,

My bad, I could have worded it a lot better...

The jail sentence is up to two years (so far) the access to the key could have been "seen for a millisec or two in any form at any time in the past".

The problem for the prosecution is in the UK sentencing is usually concurrent, and thus the suspect has a quite simple choice, if what they are hiding behind crypto will potentially get them a longer sentence then there is absolutely no point in handing over the key. Further judges don't hand out maximum terms from what I've read some RIPA terms handed down have been for 13 weeks or less, which the suspect may already have served on remand etc.

A Telco Security DweebJanuary 14, 2015 10:45 AM

(1.) An Upper-Class Twit named "David Cameron" -- a man wholly ignorant of how computer encryption technologies actually work -- is now demanding the implementation of a stupid plan to cripple encryption.

(2.) Said Upper-Class Twit is doing this purely and simply to score some cheap political points ("only those who are in favour of terrorism, will oppose my government's reasonable proposals") among the U.K.'s legions of technologically-ignorant voters, given that his Conservative Party is feeling the heat from an even more extreme right-wing party, namely the UKIP.

(3.) The proposal being advanced by said Upper-Class Twit is completely unworkable, and -- even if passed into law by a craven and cowed Parliament -- will have no effect whatsoever on "terrorism" (note that there is no evidence at all, that the Paris attackers used any of the technologies in question, here), but very well may cripple the competitiveness of the U.K.'s technology industry and might also leave its domestic IT infrastructure wide open to attacks by cyber-criminals and foreign intelligence agencies.

(4.) And we are surprised by the above... why?

As long as voters continue to vote for Upper-Class Twits like Mr. Cameron, we will be seeing the above in re-runs, forever and ever, until we will turn to watching the commercials, out of pure desperation.

WaelJanuary 14, 2015 10:51 AM

@Clive Robinson,

My bad, I could have worded it a lot better...
Hardly your bad!
You can blame the English language for that, as you did before!

malvcrJanuary 14, 2015 11:01 AM

Encryption is about the message's "textuality". So, to eliminate encryption has nothing to see with the inner message protection and it is, of course, a useless measure when trying to find really well stored secrets.

Because there are infinite quantities of approaches to hide messages within messages without using encryption. The meaning of phrases in a poem, the way we move our eyes, and one having thousands of years of usage, communication through our hands below a table as Chinese people use for some type of business decisions.

And this is not my interpretation. It is clear for any person with a minimum knowledge on the field that this is not behind the criminal message interchange but behind everybody else communication, because "regular" people has no reasons to hide messages within messages and they would use cryptography with the only sake of privacy.

The main problem is that everything happens in the world carry us to the justification to execute police state measures and this is a really big problem. Instead of these "public" assertions, would be better for them to try to find correlations and to understand the context about what is happening there, to have really effective measures to prevent and to control this security problem.

BoppingAroundJanuary 14, 2015 11:10 AM

Thoth,

> and to my knowledge France have not shown signs of knee-jerk reaction (via anti-crypto/anti-sec measures) yet ?

Somebody posted a link on the comments regarding alleged French analogue of PATRIOT Act the other day. I think that was even before the attacks.

jdmurrayJanuary 14, 2015 11:33 AM

Cameron's statement is a distraction. No one in government wants to get rid of all encryption. Instead, they want to make all encryption transparent. However, to do this, significant changes must be made that are acceptable to the public.

Scenario: In an effort to get public backing for transparent encryption, an edict is issued that will result in severely detrimental consequences (i.e., banning all encryption, thus destroying all eCommerce). The public outcry against this edict will be countered with a second-best solution--the making of all encryption transparent to only a few "trusted" ministries (agencies). The hope is that the public will be relieved at the alternative solution, accept it willingly, and go back to their normal, distracted lives.

Cameron himself may be an upper-class twit, but the people telling him what to say to the public aren't.

GonzoJanuary 14, 2015 11:42 AM

I suspect this sort of over the top statement is the low hanging fruit to let everyone freak out about, and that the "compromise" position will be forcing ADKs into every architecture. (Which is just as bad).

Interesting times, folks.

JonKnowsNothingJanuary 14, 2015 11:47 AM

@RonK

> @ JonKnowsNothing
>
> > There is No Such Thing as Security
>
> Er, no. The logical fallacy you've fallen into is the ever ubiquitous "false dichotomy". Your utterance would undoubtedly be correct (but vacuous) if you had said "Absolute Security". Unfortunately, real-life security doesn't have a capital "S", so it is not binary (nor is it even well-defined in most discussions, leading to misunderstanding).
>
> Note that this doesn't make Skeptical's utterances any less wrong, given the existence of steganography (and yes, steganography can be undetectable in practice --- you just have to not be greedy about your data rate).

I concur that the proper phrase could be "Absolute Security" but that's not how General Hayden poses his question or expects the pre-determined framed answer. I doubt that Skeptical has figured out what it is that makes General Hayden's Question a false question, so I was trying to frame the hint in a way that would "sink in".

For those not familiar with General Hayden's Question or haven't heard it repeated by many many knowledgeable people in the media and in public office or seen it used as "justification" for "everything", here is a paraphrase:

> If we halt what we are doing and there is another disaster like 9/11 (or even bigger than 9/11) and that disaster could have been stopped had we kept those programs, are you willing to take responsibility for all the deaths and all the destruction? Are you willing to put your name on the order that said “stop”?

fwiw: The Question is cleverly framed and it takes a good bit of analysis to recognize that everything stated in it is designed to elicit only one answer. It's clever, it works and we are where we are because too many believe it's a question. It's not a question at all.

re: UK powers.

I believe the UK, Aussie and New Zealand police have the ability to detain/hinder anyone for unlimited lengths of time without trial, warrant or charge. They can hold you or put limitations on your activities and you are not allowed a lawyer or have a judge review your case.

One version in the UK is called "Pre-Charge Bail". There are others that are "darker": go direct to an undocumented cell in an undocumented prison for an undocumented length of time. In the USA we call these Black Sites or Gitmo (and no,... Gitmo is not closing). The US is also increasing the number of Black Sites - Poland is very happy about that.

ht tp://www.theguardian.com/uk-news/2014/dec/25/revlealed-police-using-pre-charge-bail-muzzle-protesters

(url fractured to prevent autorun. remove the space from the header)


re: Encryption and the Public

If encryption becomes "illegal" will they be incarcerating every member of the public that "accidentally" connects to a service that encrypts stuff?

Will people go to jail because they logged in to their SWTOR accounts? EA encrypts passwords and recommends their security "authenticator" which could put players in a bad PVP Huttball match against the UK Security Services.

UK Law == No Lightsabers for You.

paulJanuary 14, 2015 11:54 AM

Back in the telegraph days, when every message was transmitted in the clear and read by many eyes, people were still able to communicate securely. Some spy rings even relied on messages published in newspapers. Being able to read the text is clearly not enough. So what we need is a process by which anyone who comes under suspicion will be required to explain to investigative authorities what each of their messages *really* means. And not released until the authorities are satisfied.

flip_flopJanuary 14, 2015 11:56 AM

@Rich
> is not a meritocracy

Did you get the news about Santa yet? How about justice and equality?

@JonKnowsNothing
Very good deconstruction on "the question."

Rear D Form 4856 (Article 92)January 14, 2015 12:03 PM

Skeptical affects endearing modesty regarding his technical ignorance but he has not yet come to terms with the West-Point-athlete C- stupidity of his "lawful access" fixation. Skeptical thinks he can rely on lawful access by a state that committed millions of felonies with impunity, a state that managed to outrage even the servile asskissers on its contemptible FISC rubber stamp.

Skeptical will go far. When you're Marc Grossman or Doug Feith and you're looking for someone to audit the nuclear warhead inventory, you need somebody really really stupid, so stupid they won't notice that 30% of the pits fell off the truck. Then Skeptical's your man.

Dirk PraetJanuary 14, 2015 12:20 PM

@Wael, @Winter,

> At the time of Napoleon, "malice" and "incompetence" were mutually exclusive.

So it was Napoleon who invented Hanlon's razor ?

> Q: Is there any other conclusion possible than that the surveillance approach to terrorist threats is an utter failure?
> A: Of course there is! It was allowed to happen ;)

Not necessarily. Even with surveillance done right, democratic countries may have insufficient legal means at their disposition to preventively arrest and detain high risk profiles. I tried to point that out in last Friday's Squid thread.

@ Thoth

> These stuff aren't so easy to lay your hands on like in the movies where you could air drop them off. We have no idea how the weapons got into their hands anyway.

Yes, we do. An arms dealer from Charleroi, Belgium, yesterday tipped off the police that he had been contacted by Ahmedi Koulibaly, the supermarket terrorist. Although we have really strict gun control in this country, it's not that hard to lay hands on weapons if you know where to shop. In cities like Brussels, semi-automatic and even automatic guns go for about 1,000-1,5000 euro a piece, and an RPG you can get for about 2,000. It's the same in every city where there is organised crime. Shortly after the fall of the Soviet Union, a standard AK-47 in the Russian quarter over here was sold under the counter for the equivalent of about 250 euro, and for that price you could even get two on board of Russian ships docked in the port of Antwerp.

ON TOPIC:

I think pretty much everything has already been said. Cameron's plans are nothing but populist drivel from someone who has no clue whatsoever what he's talking about. One of the many prerogatives of our political class. More surveillance and crippling/banning crypto is not the answer. Taking folks like UK hate preacher Anjem Choudary off the street would make much more sense.

DaveJanuary 14, 2015 12:22 PM

Again no proof there was any encryption used in Paris. As I understood it (Heard on news radio the other day) they assumed they were being eavesdropped on and borrowed their wives/girlfriends phones. The French were monitoring them and not their girlfriends who apparently chatted a lot on the phone.

vas pupJanuary 14, 2015 12:48 PM

@rich: "It doesn't matter if he's smart or dumb - in the UK, you'll notice that the higher up any organization you go, the dumber the people become!" When management and ownership are in different 'hands', your observation could be valid not only in the UK. But, e.g. in Google/Facebook/other technology based businesses or organizations (e.g. DARPA, IARPA in US), it is quite the opposite.

@all. There was some comparison with guns related to the subject matter. As you may know, DARPA & DOJ have a joint program on development of weapons which could be adjusted to particular purposes as lethal or less than lethal.
There are handguns available to the general public and assault weapons which are banned for the general public.
As an option, there should be a spectrum approach to encryption tools as well, meaning the level depends on tasks and functions. Gov institutions should have resources (human, technology, etc.) for decryption based on their assigned level related to security tasks with strong oversight procedures to eliminate as much abuse of power as possible (yeah, I know in my dreams). My point is that the digital approach, all or nothing, is counterproductive in practice (even if it looks good in theory).

albertJanuary 14, 2015 2:03 PM

@Dirk Praet

"...Even with surveillance done right, democratic countries may have insufficient legal means at their disposition to preventively arrest and detain high risk profiles....".

There are very good reasons why 'democratic' countries have laws against preventive arrest and detention. I would say that, in spite of those laws, said countries still do it. It's a non-issue. There is no 'legal' and 'non-legal' in the 'security'/'intelligence/law enforcement' machine.

@Everyone

These are political issues, regardless of whether or not the technical issues are understood. I think most of us agree that:

1. Giving governments access to our private communications is a bad idea.
2. Such access will have no effect in curbing 'terrorism'.
3. All-encompassing population control is the real goal, but it's not the answer, it's the endgame. (OK, some won't agree with this one :)

When it comes to terrorism, I think we all need to step back and look at the underlying causes, and the logical possibilities of mitigation. Clearly, 'we' (our governments) have an extremely poor track record at this sort of thing. For proof, I give you 'The War On Drugs'. 90 years on, we're still losing, and no end in sight.

It's time to end the Wars. The real question is this: "Is it possible to bring some common sense to bear on these things?"

I gotta go...

Clive RobinsonJanuary 14, 2015 4:00 PM

@ Paul,

> So what we need is a process by which anyone who comes under suspicion will be required to explain to investigative authorities what each of their messages *really* means

That does not work very well with the "burden of proof", or even simple reasoning.

To see why, look at it this way, this is a snippet from a phone call,

1P : We should meet up this week.
2P : How about for a coffee?
1P : Yup, what day were you thinking of?
2P : How about Tuesday?
1P : Yes, what time?
2P : How about 11, that good for you?
1P : Yes, where were you thinking of?
2P : How about Aldo's in Greek Street?
1P : OK, see you there.

The two parties are observed by the surveillance team to keep the agreed appointment and drink coffee.

Is it what it seems or a code to agree to a drugs deal?

Even if it's the latter how are you going to prove it to a jury with the burden of proof being the weak "balance of probability" or the required stronger "beyond reasonable doubt"?

After a little thought you will realise the only way is via a very iffy plea bargain deal... And even then the jury is going to be a very tough audience to convince.

The problem with not being able to differentiate between innocent plaintext and apparent plaintext that is actually codetext is not one that can be resolved in any way unless those using the code make it overly obvious as such.

NobodySpecialJanuary 14, 2015 4:39 PM

“The question remains: are we going to allow private conversations where it simply is not possible to [intercept it]? My answer to that question is: no, we must not.” - David Cameron

Wasn't there a British book about being monitored in your home by your viewscreen ?


Chunt HetleyJanuary 14, 2015 5:04 PM

"Politician says something incredibly stupid. Morons who voted for him nod their microcephalic heads. Film at elev.." *click* zzzzzzzzzz

SkepticalJanuary 14, 2015 6:01 PM


@Stephen:

> Before worrying about the hypothetical scenario presented, I propose to deal with the very real scenario: ... the police and security agencies were so inundated with noise as a result of their collect-it-all obsession that they could no longer hear signals

I agree that more to process can mean fewer detected, given certain assumptions.

The problem in your scenario is efficient identification of candidates to maximize the use of available surveillance resources.

And, for all we know, the French had actually deployed them highly efficiently. The counterfactual - the French maintain tight net on this group, and therefore choose to loosen surveillance on another group - may be that the Paris attacks last week were prevented, but something much worse happens instead. Who knows.

But to the extent there were inefficiencies, hopefully there are lessons everyone can learn.

However, the hypothetical scenario I posit deserves attention too. Suppose that the information available to intelligence and police agencies began to drop as a result of more secure systems. Perhaps it reaches some ideal point of "volume" to analytical power, and then continues to drop. Police and intelligence services go from overwhelmed to perfectly busy to being much more in the dark than they once were.

Now of course there will be human sources who will provide some good intelligence, and there will be other means of detecting more probable terrorist operatives or plots in motion - but a large and significant amount would go dark if we reached the point where we could all rely upon perfectly secure (again, to within the relevant neighborhood) systems. And secure information and communication systems enable more sophisticated and coordinated attacks with less probability of detection.

In any case, I think conversations such as these are good to have. Even when they result in no agreement, they may help to clarify our own thoughts and feelings about the subject, leading us in time to greater insight.

Sancho_PJanuary 14, 2015 6:17 PM

@ Skeptical (13, 6:14 PM), a (13, 10:58 PM)

“Keep in mind that Cameron's words are the reaction to recent attacks in Paris …”

Yes, I do, and as you’ve noted correctly Paris had nothing to do with secure / encrypted / hidden communication.
Would you please admit that everybody connecting Paris and encryption is either ignorant or trying to make his dirty point in the shade of the massacre? (I’m asking in advance because others will follow)

Now regarding the ban of encryption (in communication) or “escrow”:
- No, it is not possible.
- It’s not a wickedly complex problem.

Not possible:
The reason isn’t technical, it is simply because “encryption” is not clearly defined / definable.

The core of the problem is: We do not know whether encryption is involved or not.

We do not know if a “communication” or a “signal”, let’s call it a message, is encrypted or not so we can’t ban encryption without banning communication / signal / message [1].

No “escrow”:
The “escrow” would be possible for a particular type of encryption only, but any deviation from that “standard encryption”, let it be by error or by intention, would render the “escrow” useless.

- But the LE wouldn’t know until it gets the lawful warrant.

- And before they couldn’t check if the signal correctly makes use of “standard encryption” - or even is a form of @Clive’s “Russian doll”.

So the “escrow” would only make (little) sense for surveillance without warrant / reason.


The lawful warrant + escrow might be useful to get a handle in case a (more than) suspect (because of getting the warrant) does not use “standard encryption” in the first place / layer.
But would that be a reason to arrest or bringing them to court?

What to do when there is a second layer of encryption, say, LE doesn’t understand the “content” when decrypted by the “escrow”???

Could a “suspect” be convicted because the message doesn’t make sense to the LE?


[1]
As an example let me point at the Bible or the Koran.
There are more books to interpret / explain what would be the message there than the message itself, and still it seems we don’t know the content exactly.
Would we call it encrypted?

Sancho_PJanuary 14, 2015 6:21 PM

@ Clive, Chris Abbott

Right, metadata is the better data.

However, could you ever convict someone on metadata (of communication) only?
Yes, the US can (NK) but that doesn’t hold water in court.

Sancho_PJanuary 14, 2015 6:24 PM


@ Skeptical (13, 11:38 PM)

Your point 8.
What you propose is the very first obligation for the NSA and such.
Chew on the words of “NSA” and you know what they should do.
Do not open another taxpayer’s sinkhole where those who already get paid watch others doing the job.

Sancho_PJanuary 14, 2015 6:42 PM

LE doesn’t need more signal intelligence (input), actually the system can not react (output).

We do not have to fight encryption / communication but the cause of terror.

It seems everyone has a feeling about but both points are not on the real agenda.

SkepticalJanuary 14, 2015 6:54 PM

@Sancho: As I said, I don't think banning encryption as such is practical, but I also don't think your argument (or anyone else's here) engages with the actual problem. The problem is not: how can we, with mathematical certainty, understand any communications that we want to understand and that we are legally allowed to intercept. Obviously we can identify numerous cases where merely being able to access the actual symbols that form the message does not gain us that understanding.

Rather the problem is: perfectly secure (to within a relevant neighborhood) systems render it harder to obtain intelligence even from proper targets, which significantly reduces intelligence on those targets and on any operations in any stage. Such systems would also enable better planning and coordination by any terrorists. At its worst, this would mean that intelligence services might miss plots of grave consequence before they're executed, and that those services would also have greater difficulty identifying and dismantling the network and group involved in the plot, which will likely heighten the negative psychological effects from a terrorist attack that causes a high magnitude of damage.

@Winter:

> The attackers were known risks, had been under surveillance as terrorist suspects, in a country with a well developed surveillance technology infrastructure and a lot of police. And the attacks were not prevented.
>
> Is there any other conclusion possible than that the surveillance approach to terrorist threats is an utter failure?

No, it doesn't show surveillance is a useless tool any more than a successful burglar shows that perimeter defenses are pointless or that an escaped prisoner shows that locks and fences are useless.

Let's also remember that not all terrorist threats are the same.

Tentatively, I'd say that this attack had been carried out with minimal preparation by the terrorists. I base that guess on the inferences that they conducted little visual recon of the target area (they entered the wrong building initially), and that they had no contingency plan for a possible branch of events where the authorities identify them quickly.

This will be of a type more difficult to prevent than others, because it involves, by definition, little preparation and planning. This means among other things fewer opportunities for plotters to show something to any surveillance that would raise suspicion that an active plot was in motion. And, obviously if they were able to procure weapons without being noticed they were not under very tight surveillance.

Other types of terrorist plots, which do require lots of preparation and planning, are by nature more susceptible to being detected by surveillance. These types (such as that which 9/11 would fall into) are also far more dangerous than the recent attacks in Paris.

Clarify your thoughts and feelings about my two-handed redeyeJanuary 14, 2015 7:52 PM

Remember when Big Tobacco manifestly didn't have a leg to stand on, everyone knew they were killing hundreds of thousands of Americans every year and they were ruined, notorious worldwide as lying scum? Remember what they did?

They did exactly what skeptical is doing now. "It's very good to talk about it, it's good that we're having this talk, let's talk about it let's talk about it, talk and talk and talk and talk." Now, on behalf of despicable lying weasels who make Big Tobacco look honest, skeptical has obediently latched onto Big Tobacco's last-ditch sleazy trick in the faint hope of staving off the inevitable.

You can't talk your way out of this. We're going to blind you parasites. Then we're going to RIF your creepy doughy asses and make you beg the honest people you spy on for real jobs.

DennisJanuary 14, 2015 8:01 PM

@ Gonzo

> I suspect this sort of over the top statement is the low hanging fruit to let everyone freak out about, and that the "compromise" position will be...

Not surprised to read this opening sentence in Bruce's linked piece:

What David Cameron thinks he's saying is, "We will command all the software creators we can reach to introduce back-doors into their tools for us."
But this is just for starters.

AlanSJanuary 14, 2015 8:05 PM

Theresa May's January 14th statement to the Commons on the Data Communications Bill (PDF): We must deny terrorists safe spaces to communicate. It's not in the video but the Guardian states that "she indicated that the Conservative manifesto will contain proposals to prevent encryption of internet communications".

She starts talking about communications around the 1:50 minute mark. The Conservative Party's coalition partners are blocking the legislation at the moment but if the Conservatives gain a majority in the May election that brake on the legislation may go away (see earlier post about the Scottish Issue above).

WaelJanuary 14, 2015 10:03 PM

@Frank Wilhoit,

> There is no such thing as a political answer, therefore we cannot afford to have political problems.

Neither the premise nor the conclusion of this argument is true, therefore your argument is deductively invalid ;)

WaelJanuary 14, 2015 10:22 PM

@Dirk Praet, @Winter,

> So it was Napoleon who invented Hanlon's razor...

I don't know, never heard of it. I looked it up after you mentioned it.

> Not necessarily. Even with surveillance done right, democratic countries may have insufficient legal means at their disposition to preventively arrest and detain high risk profiles

I am listing it as a possibility without quantifying it's probability as a direct answer to the question posed.

WaelJanuary 14, 2015 10:38 PM

"its" -- not "it's"... Strange spell checker! Doesn't correct misspellings and screws up apostrophes. Sometimes I wonder if that's a side effect of a key logger...

Nick PJanuary 14, 2015 11:03 PM

Here's a radical idea: encourage criminals to use codebooks and physical meetings for most of their communications while sending indecipherable references to it over escrowed lines government controls. After enough shit happens, then we'll have a compelling argument that there's no benefit what-so-ever to government mandated backdoors for our protection.

"Leaks by whistleblower Emmanuel Goldstein show that drug dealers, kidnappers, pedophiles, and terrorists exclusively communicate via networks government has backdoored. Yet, we haven't seen anything change this whole time. Yet, 4chan has revenge porn coming from nsa.gov IP's all the time. They need to just cancel all this voyeuristic nonsense and put money into something that actually works." (Future Voter in Alternative Timeline)

DanielJanuary 14, 2015 11:45 PM

@Nick P

You don't mean your proposal seriously but I think they do. Why not? Rather than hacking Tor, just ban it; it's easy enough. Sure criminals will find workarounds but isn't that the point? The point is (1) remove the temptation from the ordinary user and (2) increase the transaction and opportunity costs of the criminals by several orders of magnitude.

It's not an issue of security. It's not even an issue of control, as such. It's about being able to manage social risk. The goal isn't to stop everyone but to stop enough that the spooks can look like they are doing their jobs.

Here's the way I see it. So long as there are no backdoors or golden keys on encryption the spooks are going to claim after every cyber-attack that it could have been prevented by having a backdoor or a golden key. And they are not going to stop harping on this issue until they win. They view it as a war of attrition. So let them have their precious backdoors, if nothing else to shut them up.

(note: I don't actually believe this but I think they do).

Clive RobinsonJanuary 15, 2015 1:13 AM

@ DennisZ,

> I think you confused by "encryption" and "obscurity".

It is not immediately obvious what you are referring to as you have not been specific.

Encryption covers both codes and ciphers, codes come in many forms and for many reasons.

The generally held view of the purpose of encryption is to provide confidentiality of messages between two parties, in practice it's used more for authentication and integrity.

Obscurity has many meanings to many people, and generally boils down to "not well known", thus it also covers codes and ciphers.

From the general perspective the main difference between a code and a cipher is that a code book is in effect an obscure dictionary, whereas a cipher uses a well known deterministic process that uses a key to make the process sufficiently unique to each user.

Importantly codes can additionally be used to remove language redundancy and thus unlike ciphers additionally serve as domain specific compression functions.

Can you thus be a little more specific in what you see as the problem?

Andrew_KJanuary 15, 2015 4:48 AM

I learned Bruce's solitaire algorithm and I used it to silence nagging 6th grade children when I was kind of forced to babysit them. Childrens' thirst for knowledge can be impressive, especially when it comes to writing notes that teachers won't be able to read :)

Would that have been considered supporting crime? Or would that only have been supporting crime if one of them grows up to use this encryption to plan a terrorist attack?

In accordance with jdmurray:
Cameron's statement is probably false flag: Make a bold statement, let the mob (that's us) get angry. Then make a second, "well thought" approach -- say raising GCHQ/MI* funding or expanding their privileges -- and no one will care.

Regarding how they could get AK, ammo, and the grenade launcher -- don't forget how free one can travel through Europe these days. You probably want to use an unobtrusive car and some Caucasian drivers and ... well, some social engineering skills will do the rest.

Going to the conspiracy place: The jihadists may have been real, but their preachers probably not. There are no better assassins than suiciders with a real backstory.

JarthJanuary 15, 2015 8:37 AM

I've missed quite a bit on the statement which triggered this blog post and am no fan or adversary to D.C. in particular. Though I need to state I'm a firm believer in non-lethal resolution of issues at hand.

However, my understanding of "If I am prime minister I will make sure that it is a comprehensive piece of legislation that does not allow terrorists safe space to communicate with each other."

This statement could simply mean he thinks laws should be put in place prohibiting convicted terrorists or terrorism suspects from calling on any law to protect them from sharing encryption keys or other required information for decryption.

I've not read any or all comments so forgive me should I duplicate any priors.

JarthJanuary 15, 2015 8:42 AM

Besides given the statement this is part of a regime already in place in Syria, Russia and other countries I've definitely lost confidence there is no global conspiracy. Though a nameless and faceless one. Like most other times these people are most likely confident they're doing the right thing to the right people. A bit like a computer being programmed to believe it is an Artificial Intelligence, but this time the end-product is a humane being.

DennisZJanuary 15, 2015 11:01 AM

@ Clive Robinson

I was referring to his comment about Bible and encryption. I think "encryption" is more computational (by human or machine) where the process of decode/decipher/decrypt returns the original pre-encrypted input. I think "obscurity" is something less straight forward, that which require human analysis (e.g. contextual interpretation of lies, figurative speech, poor grammar, religious metaphors, the Bible, Shakespeare, et. al.).

d33tJanuary 15, 2015 1:22 PM

Me thinks that high technology has evolved far beyond the capacity of most leaders' minds in terms of reasonable law and governance. Why would we keep people in office who so obviously have no idea what they are doing and saying daily? Dangerously ignorant.

Sancho_PJanuary 15, 2015 6:17 PM


@ Skeptical

Sorry, I did not understand what you want to say, probably there are too many words used for my simple mind.

What is the problem except the obvious?

Are you trying to say:
“They don’t want to understand the content, they only want it is not encrypted” ?


@ Nick P

You made a valuable point. It seems to turn into a pure political fight.
Therefore it doesn’t matter whether the escrow works or not.
This is somehow both in contrast and in line with @Skeptical’s proposal that just to promise “it’s not encrypted” would suffice.

I wouldn’t see any reason why the experts, who know better, wouldn’t stop Cameron from talking nonsense in public (however I’d see a reason with black Obama …).
Their experts know it won’t help but that’s not the point anymore, it is solely a matter of public submission to their authority.


@ DennisZ

OK, I think now I understood.
Two comments:

- I think initially the Bible wasn’t meant to “obscure” the meaning, let alone encrypt it. However we seem to have problems in its (detailed) understanding. The same could happen with my plaintext message and they will beat me to death because they don’t understand it and think it’s perfectly code-booked but it isn’t.

- You need at least an elephant when you try to derail @Skeptical from his track ;-)

DennisKJanuary 15, 2015 7:11 PM

d33t,

> Why would we keep people in office who so obviously have no idea what they are doing and saying daily?

The scary part is they know what they are doing and are very efficient at it. ;-)

My name is not importantJanuary 16, 2015 5:11 AM

What if Cameron does not want to "ban encryption" but only ban it to non-authorized entities?

The British government, of course, will continue using encryption. Will they ban themselves?

Corporations like Google, Amazon, and so on will continue using encryption (who cares? they are glad to be members of surveillance programs and will get an authorization).

Same about banks. British and Irish banks are, in a joint effort with the German government, the main actors in the economic war between United States and Europe (and they do not play on the side of Europe). How can the British government damage the main business in the city? They are glad to be members of surveillance programs too.

Possibly end users and small business are the only ones who will not be able to use encryption legally. And large service providers (Vodafone) will help banning any encrypted traffic.

Sad, but it is the way I see it.

Clive Robinson • January 16, 2015 6:19 AM

@ My Name...,

What if Cameron does not want to "ban encryption" but only ban it to non-authorized entities?

As I've noted on last Friday's squid page David Cameron "has changed his tune".

Further it appears other Government types have jumped in and whilst early this morning he said "in extremis we want to block their communications" the unnamed others are briefing it as only getting rapid access to services like Facebook etc. The slowness of the current process of accessing Facebook by the way has been used before to cover up the Security Service failings that the current UK Home Office Minister is tasked with overseeing. And the reason it's slow is the civil servants take their own sweet time over sorting out the legal paperwork in the UK, have got it wrong and not liaised well with either the US DoJ or Facebook or Google...

Further the words David Cameron parroted came originally from the demands of the Home Secretary in her "snoopers charter" proposed legislation that has been blocked by amongst others the Lib Dems.

It makes me think that wiser heads have taken DC aside and "briefed against" the "mad old bat" and her anti-social, malign and disreputable behaviours. One can only hope she is heading for some politically ignoble end as rapidly as possible.

DennisZ • January 16, 2015 6:56 AM

@ Sancho_P "The same could happen with my plaintext message and they will beat me to death because they don’t understand it and think it’s perfectly code-booked but it isn’t."

Is that a clever parallel construction or are you just glad to have used a better online translator?

Michael • January 16, 2015 12:29 PM

David Cameron is a Luddite and will read whatever his advisor writes for him. IT companies in the UK have already laughed this off; one declaring that Cameron was in "Cloud cuckoo land".

He is doing it for his own party support in an election year; showing that he has some different policies from the other parties; that is all.

This will never happen.

d33t • January 16, 2015 1:13 PM

@DennisK

I hear ya ... Although after all that has been said, done and exposed, for me the evidence points to gross ignorance across most government guided by a heavy invisible hand that belongs to someone who is not living in the dark. That someone seems to be really worried about losing the power they have given themselves at great cost to regular people across the globe.

ljones • January 16, 2015 5:30 PM

I must confess I am wondering how long it would be before this sort of thing would happen. Next up if Cameron becomes PM in the next parliament I wonder if he'll decide to ban Tor; I also note that he wants large companies such as Google now to drop encryption (!).

I want to leave this thought here as well btw. If the quantum computer is ever invented, what is the betting that government will simply claim it for itself and ban everyone else from having or using one and then use it to spy on everyone?

The UK has long since been sliding towards totalitarian state in my opinion.

ljones

Nick P • January 16, 2015 5:49 PM

@ ljones

That's a distinct possibility. They actually do restrict availability of TEMPEST and Type 1 certified equipment. Further, highly secure (EAL6/7) systems are still under export control where they can arbitrarily kill the company's bottom line. Quantum key distribution seems to be allowed, likely because it's internationally available.

So, they're already doing it with many secure products. Quantum computers would just be another casualty of it.

Thoth • January 17, 2015 6:29 AM

@Nick P
Any encryption or security products at a high assurance level (includes Secure Execution Environments) are restricted for export from the UK.

One good example is Thales and in particular the nCipher HSM line which is my daily tea (although I claim no expert at this HSM). One interesting part of the nCipher HSM is the SEE environment or Secure Execution Environment which allows you to load business critical codes into the SEE part of the HSM so that the codes are protected in the HSM. There is the "Restricted" license (for Universal usage) that prevents certain functions from being turned on (so they can more easily hack into the HSM) and there is an EU+10 version which is "Unrestricted" version for EU and 10 other countries including Japan and the rest I forgot. The SEE license restricts the application in a Govt context of any form (especially military) of foreign nations.

Let's put it this way, SEE or High Assurance Environment (HAE) sells very well with the exceptional clause that the restriction between countries are lifted.

Planning for sales of your HAE/SEE hardware/software probably requires you to setup distribution points in less tyrannical Govt countries or under auspices of certain powerful ones.

@ljones
UK has already slipped into a totalitarian state very long time ago and has had huge success at exporting and selling its Law Models and Business Models of totalitarian regime to many of her current and former colonies / Commonwealth countries. Take a peek at the laws and business models of most current and former colonies of UK and you would be surprised the laws are very similar for the most part with exceptions.

Thoth • January 17, 2015 6:32 AM

@Nick P
Forgot to mention that the best way of doing EALs with High Assurances would be to lay out a concise and open design from bottoms up like what most projects are doing that way it belongs to no particular people but a community so trying to kill a community would be much harder than killing an individual or a company.

Nick P • January 17, 2015 12:20 PM

@ Thoth

That weakening of security adds evidence to the risk I was concerned with. I didn't see nCipher on their web site: just nShield, Datacryptor, etc. Might be because they bought it and have rebranded products. Found this datasheet. Where's the list of the permitted countries and restrictions?

On a related note: excellent breakdown of what to consider when choosing an HSM in Michael's answer.

James • January 20, 2015 1:15 AM

Sounds like PR trick. I personally can not see how Whatsapp or other end-to-end encryption applications will be banned. To ban something will require some kind of penalty, right?

Michael • January 21, 2015 5:51 AM

German interior minister de Maizière also speaks out against strong cryptography during the opening of International Cyber Security Forum in Lille (France) on Jan 2015.

Randomized-passerby • January 24, 2015 12:53 AM

@DenisM

Quote:
====
He sounds too far fetched to be serious, but he's got those chinese porn filters to work
====

No, he did not get them to work. (And they're not very chinese to begin with)

In fact, he failed miserably, like every single miserable fiend trying to implement porn filters.

And IMHO, failure of him and his is a good thing.

Tommy Pedersen • August 24, 2015 2:00 AM

With a universal ban on encryption we would faster come to terms with much corruption, as many corruption plans today go over the internet or private connections and encrypted!
The empires have never had so much power and control as they have today with the help of encryption of electronic communication. With the help of encryption they control your computer while you are not watching CPU uses and disk activity and netstat and connection lamp, etc.
With no encryption allowed anywhere official institutions would experience less infiltration, tax officials could better contribute to balance global economy, officials could better track illegal transports.
All users of internet using https and encrypted media streaming and other encrypted traffic all mixed over backbones helping to hide secret encrypted information is just senseless. We make it very hard for ourselves coming to terms with some of the worst and major crimes in human history, helping to hide it by using encryption over public channels like the internet.
If nobody used encryption we would better recognize if somebody tries to hide something. Honestly, what do common people have to hide? What personal messages or pictures or information is so confidential that it could not be revealed to the public (if done in its full and natural context). "We would usually have rational and social acceptance to help people with individual problems. And criminalizing common citizens is not really helpful to the stability of a society."
And coming to agency and police organisation, encryption is not really that effective in itself. Criminals can still track signals of encrypted communication... "and worse, they sometimes have the same technology and a copy of your encryption key!"... combating crime is a serious intelligence game, you sometimes have to be both really creative and patient. "If any investigatives claim encryption to be effective in combating crime they are usually after the wrong people."

Dirk Praet • August 24, 2015 5:23 AM

@ Tommy Pedersen

Unless this was an exercise in sarcasm, I have to congratulate you on what is probably the dumbest post I have ever read on this forum.

Clive Robinson • August 24, 2015 5:51 AM

@ Dirk Praet,

Unless this was an exercise in sarcasm...

You are one step up on me there ;-) I can not even make any sense of the post...

To me it looks like it's the result of hand retyping of the output of a bad language translation program... So much so I was fully expecting some spam link in the name field, and @Moderator removing it as such.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.