G20 calls for 'lawful and non-arbitrary access to available information' to fight terror

Anonymous Coward

Governments of the Industrial World, you weary giants of flesh and steel, I come from Cyberspace, the new home of Mind. On behalf of the future, I ask you of the past to leave us alone. You are not welcome among us. You have no sovereignty where we gather.

16
3

Equal rights for everyone

I'm all for this - as long as every citizen in the world gets the same right, including access to all G20 governments' communication.

25
0
Silver badge

The governments of the 'free' world want access to all communication occurring over the Internet

For this discussion, it really doesn't matter why they want this access or under what circumstances (e.g. whether directly or indirectly; whether with or without a warrant).

What matters is that they are asserting that such access can be achieved while maintaining the security of the communication being accessed and that is just not a truthful claim.

The tech industry has been pointing this out ad nauseam but our governments are, privately, undeterred. The reason they are undeterred is because they don't seem to care if they cripple encryption because they want access to this data more and view any detriment to public security and privacy as a lesser concern.

Our governments know (they must) that it isn't possible to provide this ad hoc, on demand 'illumination' without fundamentally weakening encryption as a whole so they are attempting to legislate their desired end-result, leaving the 'tech industry' to make it work.

The problem is that - as everyone should know - it can't work the way the governments are assuring us it will and the tech providers will have to cripple encryption to give the governments what they are demanding.

The tech industry will be forced to break encryption to fulfill the legal requirements the governments impose and the governments will then wash their hands of any responsibility - claiming that the decision to weaken encryption was all on the companies.

* - It really doesn't matter for this conversation.

14
0
Silver badge

Except they won't, because they can't

Encryption is maths.

If WhatsApp introduce backdoors, then people will simply move to Signal, or Bimble or Maytalk or F-U-G20 or or or or or....

The cat was out of the bag in the 1970s. It's had over forty years to deposit mouse heads behind the furniture, and it's not going back.

17
0

Re: Except they won't, because they can't

"If WhatsApp introduce backdoors, then people will simply move to..."

And how will people know that? From a press release?

1
5
Silver badge

"Our governments know (they must) that it isn't possible to provide this ad hoc, on demand 'illumination' without fundamentally weakening encryption as a whole"

I'm not sure that they do. As a group they include few with any technical nous and probably reckon that the experts are telling them it can't be done simply because it's a bit hard and they, the experts, just don't want to be bothered doing it. After all, they, the governments, are legislators and fully entitled to say what has to be done, the rest is just implementation for the ordinary people to get on with.

2
0
Silver badge

Re: Except they won't, because they can't

> And how will people know that?

Well if they switch from the signal protocol to something new without the public discussions about whatever weakness they see in what they currently use, it's time to be suspicious.

0
0
Silver badge

unless governments adopt The Middle Kingdom's authoritarian approach to enforcement.

Please don't give these fools ideas. They may think that it is a viable option. I am sure that they have people working in the background to make this appear palatable.

5
0
Silver badge

The problem is not even so simple. Yes they can block, for example, WhatsApp servers, but they would be stumped by any alternative app that simply used encryption over other channels such as SMS or email and banning those would be a step too far for even our muppets due to the impact on pretty much everything else.

It would also be pretty trivial to write a word-substitution app so the resulting cypher text had similar statistics to plain text and so would not be found by looking for high-entropy text.

4
0
Alert

The only way this is going to go away is if someone(s) in the tech industry authors a very public, and very descriptive impact statement of the implications behind what they're asking for.

Write it in terms that Joe Q. Public can understand. Highlight the risk to loss of personally identifiable and/or financial information. Highlight the risk to small and innovative businesses that only exist due to the safe, robust and easy way to currently trade online without the need for expensive brick-and-mortar shop frontage.

Most importantly, write it in a way that shows everyone that regardless of intentions, there is nothing to stop the (nominal) targets of this legislation from authoring and using their own encryption tools that don't suffer from the limitation of being breakable. Highlight the fact that they are essentially insisting on putting an axe through the fabric of the internet for precisely nothing.

10
0
Silver badge

No point, no-one in government could be arsed to listen to someone who knows what they're talking about. Why should they? - blind prejudice, gut-feeling and unfounded belief is so much more reliable when making policy.

Interesting that a former head of GCHQ has just said it though. Bet they ignore him too. La-la-la-la, I can't hear you!

16
0

...nothing to stop the (nominal) targets of this legislation from authoring and using their own encryption tools that don't suffer from the limitation of being breakable

And I am sure this is well underway. Pick your favourite "state sponsor of terrorism" (Russia, Saudi Arabia, China, The Great Satan, Iran, ...): they all have plenty of smart computer scientists who can create a secure encrypted messaging system, with secure distribution (and, probably, a reasonable cover story for using it - like building it into a "community values dating app" or something).

Those who are not terrorists, but who may fear interference from major vested interests (political monitoring, state industrial espionage, etc) need an equivalent.

It is time we, in the global open source community, really invested in creating an open equivalent, where you can be confident that (i) if the endpoints are secure messages cannot be decrypted, and (ii) if the servers are secure metadata is also secure. And make it federated (so you can communicate with people on other servers if you want to, at the cost of possibly exposing your metadata).

Bitmessage was a good attempt, but does not scale. It is time we created a project like the Tor project to do secure messaging properly.

4
0
Silver badge

"It is time we, in the global open source community, really invested in creating an open equivalent"

The guts of this, PGP, or GPG if you prefer, already exists. The trouble is that it isn't mandatory in any protocols.

2
0

Sure, PGP is great. But the remaining very hard part is the infrastructure that goes around it. Particularly ease of use, key management, and avoiding leaking metadata. PGP-encrypted email, for example, makes no attempt to hide the source and destination, the length of the email and most implementations don't even drop all the optional clear-text headers (such as Subject).

Also, messaging, as it has evolved from chat to today's messaging apps, has very different design priorities from email (such as little interest in store-and-forward or the large amount of metadata in email headers, and a tolerance of centralised or federated servers instead of complete decentralisation).

The lack of an open-source version of WhatsApp, Telegram, etc is proof that PGP is not enough and we have a lot of work still to do.

1
0
520

Uhhh

> The lack of an open-source version of WhatsApp, __Telegram__, etc is proof that PGP is not enough and we have a lot of work still to do.

Telegram IS open-source. You can find the code here: https://telegram.org/apps

2
0
Silver badge

@grahamcobb

Signal is open source too and guess who uses that.

1
0
Silver badge

"But the remaining very hard part is the infrastructure that goes around it. Particularly ease of use, key management, and avoiding leaking metadata. PGP-encrypted email, for example, makes no attempt to hide the source and destination, the length of the email and most implementations don't even drop all the optional clear-text headers (such as Subject)."

That was my point about it not being part of the protocols.

Take, for instance, key management and email. There's nothing in SMTP that provides for it. If a hypothetical ESMTP were to replace SMTP and specified a requirement for hosting the public key (e.g. on the server pointed to by the MX record) and the mechanisms for setting and retrieving it then existing email software would be extended to provide that ease of use.

In the absence of anything to mandate the infrastructure encryption will remain an awkward add-on at best to popular email clients and mostly unused because nobody knows anyone who uses it because nobody knows anybody who uses it.

0
0
Anonymous Coward

I just hope those pesky beardy terrorists don't learn how to write words, use envelopes and stamps along with basic math, who will save us then?

12
0
Silver badge

We will be calling on the biro and paper industries to work together with law enforcement agencies to provide access to such information in order to help keep our communities safe.

2
0
Anonymous Coward

Australia ...

Friends of Paedo Priests and Enemies of Liberty.

4
0
Bronze badge
Flame

Lawful my ass..

Lawful only correctly applies to Common Law, not imposter laws like legal statutes, despite state legal BS!

E2E encryption totally fracks up in-line interception because that is the dialectic for its existence and use, and statist technocrats exposed abuse caused its use to explode, but frustrated statists keep spouting useless, sophist, rhetoric! Tough, cryptography is deliberately built from solid mathematical rules to be secure, and no amount of illiterate wishful thinking, tantrums, BS, and authoritarian demands will change this!

As the ex-GCHQ boss said, they can now only seek to try to compromise the end point devices.

If they attempt to force an end point compromise by businesses offering E2E services, this will get leaked and those businesses will go out of business, and people will then only trust vetted OSS E2E!

6
0
Silver badge

One can only presume that if this were to pass, the bad guy/gals would be rolling their own encryption without a backdoor. So would that make any of us guilty of being a terrorist if we used encryption that was, say something older but un-backdoored? I'm also believing that the governments would really like to read our thoughts too.....

5
0
Silver badge

" I'm also believing that the governments would really like to read our thoughts too."

Funny that you should say that ... https://www.theregister.co.uk/2017/07/10/darpa_brain_interface/

0
0
Gold badge
Joke

A G20 spokesman explains the group's position.

We wants it.

We needs it.

The precious.

I will not be taking questions, thank you for your time.

16
0
Silver badge

Re: A G20 spokesman explains the group's position.

Wasn't it more like...

We don't want the precious. That would not be free and democratic.

Silicon Valley must collaborate with us and show us the precious or else.

But we don't want the precious. That would not be free and democratic.

... and similar cognitive dissidence?

4
0
Anonymous Coward

Re: A G20 spokesman explains the group's position.

One backdoor to rule them all....

1
0
Silver badge

Not so bad....

They want access to 'available' information. If it's encrypted, without a backdoor, it ain't available. Discussion over.

8
0
Anonymous Coward

"non-arbitrary access"

that's the May/Rudd/Blunkett/Smith approach off the table, then?

6
0

We know that GCHQ, NSA, etc have plenty of secret tricks for compromising the endpoints of anyone they are interested in. So in the same way that you could get a wiretap in the past to listen to someone's phone communications, you can now still spy on someone of interest. In fact, you can probably spy on them more comprehensively since a compromised phone can be recording and transmitting all your conversations.

Wanting to compromise encryption has got much more to do with mass surveillance than targeting individual suspects. And you have to ask yourself what use mass surveillance is, as it must throw up huge numbers of false positives, further overstretching your ability to concentrate on what's important.

4
0
Gold badge
Gimp

" you can now still spy on someone of interest."

And that's always been the case.

The honest truth is the G20 just want to be lazy about finding the evidence that would justify the resources to compromise a specific device.

Police work is only easy in a police state (according to a former police officer).

IRL there are very few people who can completely secure a device. Android is incontinent with data by design for example. Exploits exist for iOS and WinPhones. The Snowden files show such software phone taps already exist, even without the assistance of the service providers. I guess it would depend on the encryption architecture if recorded data could be stored and a previous session key recovered and used to play it in clear. Once law enforcement software is loaded on the device everything going forward is compromised by being logged, at a minimum by having who they are talking to being logged, up to full recording of all outgoing calls and data and active infection of who's being contacted.

The security services (of any of the G20) are in much better shape to handle these issues than they want to let on, provided there is actual evidence that it would be worth their while to compromise the device.

2
0

So treat online like offline then

We affirm that the rule of law applies online as well as it does offline.

Thank goodness for that. I thought for a moment that they were going to suggest intrusive and excessive monitoring of private conversations.

Enough of this "Going Dark" nonsense: this is a pure power grab to try to use the online world to get a much higher level of surveillance than was ever possible in the past and eliminate freedoms we have had for the last century or so.

In the "offline world", private, unmonitored conversations are not only possible, they are the norm. Mass surveillance of private conversations is literally impossible and even targeted surveillance is hard, dangerous and very expensive: it involves placing spies very close to the targets, often in their personal lives, combined with sophisticated, expensive and often ineffective bugs. That cost is exactly the reason that we (society) allow it at all: we know it can't be abused too much because we deliberately limit the resources available so the authorities prioritise its use.

What the spooks see now is an opportunity to use the online world to completely remove those costs and barriers. Clearly they could do their jobs much more effectively if they could, in practice, have a tail and a bug recording every conversation on every man, woman and child 24 hours a day!

5
0
Silver badge
Flame

Cognitive Dissonance in a pure form

"You must ensure that these dark places can be illuminated by the law so that the freedoms you hold dear will not be stripped away by criminals"

Instead *we* (the government) want to be the ones to do it. Ignorant bastards.

It won't be long before they bring back a Phorm of SSL interception and signature re-write so you can't see it happening.

7
0
Silver badge

"In line with the expectations of our peoples we also encourage collaboration with industry to provide lawful and non-arbitrary access to available information where access is necessary for the protection of national security against terrorist threats."

Translation: people expect us to be up to no good.

4
0
Anonymous Coward

The solution...

Seeing as the UK Conservative Party have a WhatsApp group for their MPs, then don't we just get a nice friendly hacker to record and dump enough of that to embarrass at least a few of their MPs. After all, they seem to be perfectly happy with the tech companies *and* the other G20 governments having access to their internal discussions...

5
0
WTF?

Hmmm

Turnbull's speech singled out Whatsapp, Telegram and Signal, asking why they should “be able to establish end-to-end encryption in such a way that nobody, not the owners and not the courts, has the ability to find out what is being communicated”?

Well, maybe because that's the f'ing point of it. If I want you to know what's in my communications, I will copy you in, mate. Until that time, it's not yours or anyone else's business.

9
0
Silver badge

Re: Hmmm

Ironically, it's the same Turnbull* that was explaining on breakfast TV the merits of Wickr a few years back.

*allegedly, it isn't entirely clear given his position on so many issues has changed in exchange for the top gig.

2
0

I did my best to explain that the laws of mathematics apply to all:

https://pursuit.unimelb.edu.au/articles/what-kind-of-rear-window-into-encryption-do-the-five-eyes-want

2
0
Silver badge

Nice write-up Vanessa. Salient points.

0
0

"You have created messaging applications which are encrypted end to end, they are being used by terrorists and criminals to hide their murderous plans. You must ensure that these dark places can be illuminated by the law..."

Forgive me for being blonde but ... surely if my sister Alice writes and encrypts a letter using a <insert funky cipher here>, and sends it via snail mail to her brother Bob who then decodes said letter using a previously agreed phrase/key the powers that be are quite simply royally shafted?

As far as I can see that is end-to-end (albeit slow, esp. given the UK's stunning postal service) encryption that simply cannot be broken assuming <funky cipher> is indeed decent.

Now, I cannot see that the authorities will a) know about said missive being sent, or indeed b) be in a position to intercept and read all communication (and in fact to determine my sister's ramblings are that of a mad-woman or a sophisticated "attack" on society).

Or have I just given clue #1 to all the would be "terrorists" out there?

5
0
Silver badge

...surely if my sister Alice writes and encrypts a letter

That is precisely how clandestine communications were conducted before the internet. Various embellishments were also widely known and used, like photographically shrinking the message onto a tiny piece of film, and putting it under the stamp. Of course, counter-intelligence agents learned to look for these tricks.

2
0
Happy

Yes

..and if you were going to use this mechanism, you would be best served using a one time pad cipher (AKA the perfect cipher) to make sure you can never be decrypted by anyone except your intended recipient.

0
1
Bronze badge

Re: Yes

the old chestnut. first distribute your (perfectly random) key material.

0
0

Why stop there?

By the same token sales of kitchen knives should be banned because terrorists use them to kill people.

3
0

I'm going to keep doing this...

...because it cannot be repeated enough. This remains possible. The content of the message isn't even important. Unless they're going to ban maths, this shit ain't going anywhere.

2
0
Silver badge

Re: I'm going to keep doing this...

I especially liked this bit:

7ttqmBCzMoNKFcSliD7f6cLUNw6/nqeWqkGJ6HxJbd

1
0
Silver badge

Taking them literally

"provide lawful and non-arbitrary access to available information"

The "available information" is the encrypted data, the decrypted plain-text is unavailable (due to the laws of mathematics); so just send them the encrypted data?

0
1

“You must ensure that these dark places can be illuminated by the law so that the freedoms you hold dear will not be stripped away by criminals your technologies have made undetectable.”

I don't understand the lack of embarrassment that allows the expression of this inherent contradiction.

****

Turnbull's speech singled out Whatsapp, Telegram and Signal, asking why they should “be able to establish end-to-end encryption in such a way that nobody, not the owners and not the courts, has the ability to find out what is being communicated”?

This seems the argument of a police state, where the question in a free country is rather, "Why should the government be able to eavesdrop on private communications?" Scary.

2
0
Silver badge

"expectations of our peoples"

I am one of the "peoples" and, knowing a very little bit of maths, do not have such an expectation.

0
0
Anonymous Coward

Turnbull then went on to say...

The Stasi weren't bad, they were just misunderstood.

1
0
Big Brother

Re: Top Failure is MS Windows 10.

“You must ensure that these dark places can be illuminated by the law so that the freedoms you hold dear will not be stripped away by criminals your technologies have made undetectable.”

When I fear governments stripping away my freedoms far more than any potential criminals and they don't realise this / don't care about this (delete as applicable) it's time to seriously look into as much encryption as possible without adding too much burden to myself. Nothing to fear, nothing to hide bullshit in the extreme.

"Trust us, we have your best interests in mind." If that were true the world would be a far better place. Greed rules, greed and power.

0
0
