Spies still super upset they can't get at your encrypted comms data

The Five Eyes nations have told the tech industry to help spy agencies by creating lawful access solutions to encrypted services – and warned that governments can always legislate if they don't. The UK, US, Canada, Australia and New Zealand - which have a long-standing intelligence agreement – met in Australia this week. In …

  1. Alister

    Tide, stop coming in!

    Tide, I said stop!

    Please stop the tide, my feet are wet.

    bubble-bu-blub-blub-blub.

    Yeah, go on, try legislating encryption out of existence, see how that goes for you!

    1. DuncanLarge Silver badge

      Re: Tide, stop coming in!

      I would think that the tide came in years ago, they didn't notice and just recently fell overboard wondering where the beach went.

      1. swschrad

        Re: Tide, stop coming in!

        too much snooping, too deep, and that's what happens, buttercup. you made the mess yourselves.

        1. bombastic bob Silver badge
          Big Brother

          Re: Tide, stop coming in!

          A mandatory back door to encryption just opens wide for fishing expeditions and criminals who somehow get the key.

          Yeah, THAT never happens [recent news stories regarding _serious_ FBI corruption at the highest levels and a 2-tier'd justice system notwithstanding, right?]

          If "they" want to "find something" on you, and have a crypto back door AND unlimited funds and resources, they WILL find something. It can be ANYTHING, including a "process crime" for you "lying" to them. "I wasn't doing a self-pleasuring sex act to online pr0n!" "we have your webcam photographing you doing this with a time stamp and XXX minutes of video, courtesy of your encrypted file system with a back door". And so on. You lie to them about it, it violates the law 'making a false statement to a federal officer', and they JAIL YOU for it, or force you to plead "guilty" to some B.S. made-up "crime" instead...

          because they CAN, and you happen to be on "their" radar. And they have the back door encryption keys, and they can fish for "illegal" activity whenever they please.

          Yes. Reasons _NOT_ to allow this crap. Clear substantiated proven and undeniable evidence for this kind of abuse from top members of the DOJ in the U.S., and the methods they use to HARASS people into a conviction, is on the news, every night. No, not THAT news, the OTHER news...

          1. StargateSg7

            Re: Tide, stop coming in!

            I don't have to worry about THAT ANYMORE! I've got friends in VERY HIGH PLACES NOW !!!!! And I can now say DO WANNA SEE WHAT TWENTY TRILLION TONNES LOOKS LIKE? Like ... AS IF you're gonna fight against THAT!

            I dare ya! NO! I double Dare Ya! Say What ONE MORE g'dam time!

            1. Anonymous Coward

              Re: Tide, stop coming in!

              Now, I really want to believe StargateSg7 and I'm always entertained by them but I find the timeline unrealistic for the emergence of a Canadian Musk with a genuine volcano.

    2. James 51
      FAIL

      Re: Tide, stop coming in!

      The point of going out to stop the tide was to show his court that while he was king, there were limits to Canute's powers. Lesson not learned.

    3. David Shaw

      Re: Tide, stop coming in!

      Does this means that all those nice spooks and spooky-assistants who are embedded(*) in the many & various tech/telecom international standards development groups are finally going home?

      (*)Many open source reports of this, as I couldn’t possibly comment!

      Sigh. So much more to say, but just no point when half of the conversation is with an antique rigidly militarized system that doesn't even accept the need for unlinkable pseudonymity, on occasion, for certain groups. I'm happy with you 'cracking crypto' for 'catching terrrrsts' but someone will always mention Gladio etc. You have lost rather a lot of trust recently. /rant

    4. R 11

      Re: Tide, stop coming in!

      If they legislate to mandate a back door, you think Apple, Google and Microsoft will choose not to comply and will stop selling in all those countries?

      Certainly they won't legislate backdoor-free strong encryption out of existence, but I dare say its use would return to the sort of level that PGP had in the mid-90s.

    5. John Smith 19 Gold badge
      FAIL

      Rule 1. Intelligence agencies don't give a s**t about laws. Why would they start now?

      You can legislate that pi = 3.

      Won't make it so.

    6. Someone Else Silver badge
      Pint

      @Alister -- Re: Tide, stop coming in!

      Your post couldn't help but remind me of the "Bear! Stop eating my kayak!" clip...which resulted in the same general result.

      1. BebopWeBop

        Baars

        For anyone wanting some amusement (at someone else's distress - but it is funny!) - try https://www.alaskapublic.org/2015/10/12/stop-eating-my-kayak-bear/

    7. StargateSg7

      Re: Tide, stop coming in!

      NOT A DARN THING they can do about it!

      I've got quantum resistant cryptography in my software-based toolkit which relies ON NOTHING but my own routines! I even write my own code for ALL edit-box, combo-boxes, drop-down menus, listboxes, keyboard/mouse entry, etc. I can PREVENT Keyboard, mouse-log, bios interceptions and whatever else they try -- I CAN DEFEAT IT!

      8192-bit 64x AES? I can do it!

      CAAST and Three-Fish at 8192 bits?

      I can do it on ANY text and video messaging system up to 60 fps 4K video on higher end systems!

      I can even do it on Facebook and ANY web-based email system! I will NOT give in to ANY authority! I will upload and distribute my source code with MY OWN platform-independent 32-/64/128-bit ARM/x86/ULTRASPARC/Arduino/POWER-series/etc. cross-compiler FOR ABSOLUTELY FREE IN EVERY LAND !!!!! I write my own cross compilers in high-speed assembler for MULTIPLE cpu/gpu chips!

      AND YOU CAN HAVE IT LATER THIS MONTH!

      1. Anonymous Coward

        Re: Tide, stop coming in!

        "I've got quantum resistant cryptography in my software-based toolkit which relies ON NOTHING but my own routines"

        Whoop de do..

        In this situation - you're the weakest link in this chain and probably breakable.

        Not sure why you need that level of encryption for day to day activities.

        1. Anonymous Coward

          Re: Tide, stop coming in!

          Erm, he/she/it is taking the piss actually, and very well done too.

    8. Prst. V.Jeltz Silver badge
      Headmaster

      butthurt

      What is this, a YouTube monster truck channel?

      Please don't regress to using that infantile phrase.

  2. J27

    Well, this is interesting, first we're going to see legislation, then business will comply, then everything will be hacked 2 weeks later. The lack of cryptographic understanding at a legislative level is very dangerous for businesses. They keep pressing for impossible goals, without any understanding of why those goals aren't possible with current technology.

    Government is supposed to consult experts in a subject before going off half-cocked, it seems like they're either not bothering or not paying attention because the lack of reality in these statements is rather worrying.

    1. caffeine addict

      They stopped listening to people who didn't say what they wanted before the whole David Nutt mess nearly a decade ago. They're not even pretending nowadays.

      1. vir

        I'll say it again: these guys have been watching too much Silicon Valley. They're convinced that eventually a group of nerds is going to be talking about who would win in a fight between Superman and a black hole and one of them is going to say "wait...but what if we just..." and create a NEW MATH that will allow only good people to decrypt message intercepts.

        1. Anonymous Coward

          "and create a NEW MATH that will allow only good people to decrypt message intercepts."

          And then what if the "New math" turns out to have an attack of the E M Forsters and decides that governments are not the good people?

          Turing thought that his government were on the right side till it turned on him. I think mathematicians - especially ones who didn't get indoctrinated at Sherborne - know better these days.

          1. bombastic bob Silver badge
            Black Helicopters

            What 'they' did to Turing

            Turing is a VERY interesting example of what gummints could (and maybe WILL) do once the "need" for an individual has passed. Turing was needed to win the war. Turing was also on someone's "undesirable" list. He wasn't hurting anyone, but for some reason he NOW 'lost favor' and was quite effectively mistreated.

            It is an example of "politics of the day" and those who do not conform to it, at the whim of those who wield power without accountability. Turing was a homosexual, and for some reason in the 1950's that suddenly became a problem (when it apparently wasn't in the 1940's because we needed him to decode Enigma and other coded messages). Turing should've gotten more respect. I have to wonder whose corn flakes he urinated in to suddenly cause "that" to happen...

            The entire concept of free speech is really about POLITICAL speech, particularly speech that 'those in power' don't want to hear. "Political Correctness" fascists seek to SILENCE those they don't agree with, including corporations like Google and Facebook, as evidenced by how 'Diamond and Silk' have been treated (among other things).

            And if you're law enforcement, and you look at someone's life for long enough, silently decrypting their files and data traffic and online history and so forth, until you find something 'questionable', you WILL find it eventually, ESPECIALLY when you have the unlimited resources of the U.S. Federal government and a _WILLING_ Department of "Justice" helping 'them' along and covering up the "2-tier'd justice system" abuses. You know, one justice for THEM, and another for YOU. That's a 2-tier'd justice system.

            We do NOT need back doors to our encrypted data, giving unscrupulous power abusing law enforcement and government spies the keys to our lives. It's too easy to abuse in a digital world, which is why people use the encryption in the FIRST place. It's not so much what they WILL do, more like what they COULD do, or THREATEN to do to you, leaving you always looking over your shoulder, justifiably paranoid, of being somehow caught in a 'Perjury Trap' by the F.B.I. when you thought you were telling the TRUTH...

            And WHO wants to live like _THAT_ ??? I'd rather be *FREE*.

          2. Adrian 4

            A 'new math' that makes current crypto irrelevant is quite likely to come along. But it won't solve anything, because it will also provide a new math for _doing_ crypto and the pattern will repeat.

            Governments have some great minds in their employment. If a solution that fits their needs can be created, they'd be among the people who would find it. So let them propose an actual solution with peer-reviewed mechanisms rather than pretending it's the industry's problem. Then they've got a realistic argument.

        2. Spanners Silver badge
          Black Helicopters

          @vir

          allow only good people to decrypt message intercepts.

          The trouble is that I do not always include the CIA, NSA etc in my list of good guys.

          Generally, I include them under "criminal organisations".

    2. vtcodger Silver badge

      70 or 80 years ago the Japanese and German Navies thought that their communications codes were unbreakable. Turns out they were both wrong. Granted, encryption technology today is vastly improved. But so, one suspects, is decryption technology. If you are going to send messages that might interest the CIA or its friends, I'd strongly recommend the use of one time pads.

      Otherwise, I'm far from convinced that encryption of non-financial material is worth the effort required to deal with the inevitable glitches. Personally, I still use paper, telephone, and face-to-face for most financial stuff -- not because of concerns about encryption, but because most of the software I'm expected to use online is really quite awful.

      1. JohnFen

        " If you are going to send messages that might interest the CIA or its friends, I'd strongly recommend the use of one time pads."

        I agree, but only with properly made and used one time pads. It's harder to properly generate those pads than it first appears!

        Outside of properly made and used one-time pads, there is no encryption which is actually impossible to break. That's why the point of encryption isn't to keep a secret forever, it's to keep a secret long enough that by the time it's revealed, it's worthless.

        That said, the greatest threat vector for the vast majority of the population who don't live in tyrannical states isn't from government at all, it's from corporations and criminal enterprises, and strong crypto is plenty effective against those. Taking protective measures is a great idea even if those measures aren't 100% effective.

        1. Anonymous Coward

          That said, the greatest threat vector for the vast majority of the population who don't live in tyrannical states isn't from government at all, it's from corporations and criminal enterprises,

          Maybe today, but consider the steady erosion of legitimacy of most "democratic" governments, and how the end of privacy will play out. In the UK context, what real legitimacy does Bagpuss May have, and had the last election had a similarly marginal but different outcome, what legitimacy would Comrade Corbyn have? The same questions could be posed in the US, Germany, France, Italy and a fair few other democracies. The populations are rightly pissed off, the PPE-equipped clowns of the political classes have no solutions, and regard the questioning of their competence and authority as outrageous, not to be tolerated.

          Given that erosion of legitimacy, what happens when governments get universal access to all of our communications, and when every email or social media message (like this) can be linked back to a "citizen identifier" by a dodgy algorithm? I believe that we'd see vocal critics of government hounded - just as China does today. So they'd find labels for us proles to justify their actions - fake news spreaders, climate change deniers, supporters of terrorism, troublemakers, insulters of government, fomenters of dissent, social irresponsibles.

          I wouldn't expect for one moment that we'd see 4am arrests and detention without trial - but I would expect deliberate attempts to mark people's cards, to harm advancement prospects, to besmirch their reputation. The battle for privacy isn't a battle of technology, maths, or rights, it is simply a manifestation of the exhaustion of legitimacy of the current party-based political systems, and an attempt by the political elite to exert control. On pure numbers, we're not threatened by terrorists - far more die every day from tobacco, drugs, alcohol, traffic accidents, suicide, etc. So any sane individual should be asking why the government are so keen on seeing an end to privacy, when the public benefits will be either scant or negligible.

          1. Anonymous Coward

            Can I book an early morning wakeup call ???

            Ledswinger,

            Trying so hard to be the 1st on the list of 'Subversives' to get a random early morning wakeup call from some nice men in black balaclavas !!! :) ;)

            P.S. Every word you wrote so so true !!!

          2. Anonymous Coward

            I fully expect to see arrests and detention without trials, or end, in my case. I won't give anyone my keys, ever.* I've also the background and experience in the field that I can make their work extremely difficult. After all, it was working on their systems that gave me both. I've only sharpened over the years; comes from the people that I associate with. The kind that live and breathe secure technologies and solutions, for whatever level of secure you want to designate. It's not really the tech, it's the process that's important, never, ever an exception nor taking the shorter, easier way.

            Be that as they may, they really should be happy at my recalcitrant attitude. There's a ton of extremely classified data, and events, in this head that they really shouldn't want made available soon, if ever.

            *- Yep, torture would be a pain, literally, but I go through that day by day, all day. Brutal Level 10.

          3. Long John Silver
            Linux

            A broader consideration too

            The PPE should be rated a general degree consisting of three topics each followed to the level attainable by a first year undergraduate.

            A couple of years ago I quizzed a recent Oxford PPE graduate. He was bright and not intent on a career in politics. I wanted to understand the 'added value' of pursuing three intellectual strands, two of which intertwine, the remaining one (philosophy) only indirectly connecting with the others. Surely, I thought, it must be fine training for the mind by integrating the components into a coherent whole, all this under direction from the best thinkers in their fields. Not so, there is little attempt by lecturers and tutors to cross-fertilise from their disciplines. That's an obvious reality now that the days of the polymath have gone.

            So, I conclude the PPE to give a broad smattering of knowledge at fairly superficial level and training in reasoning and critical appraisal at most only so far as a first year undergraduate in any rigorous discipline.

            Perhaps the PPE was introduced for a different purpose. A major role of the ancient universities is enabling undergraduates to make influential and lasting social contacts. In order to fulfil this function, at some time past, a decision was made to offer the PPE to the less bright, or not academically inclined, sons of nobility, gentlefolk, and vulgarian wealthy. Thereby, sources of endowments were not excluded.

            The young gentlemen could spend a happy three years socialising, engaging in sport, and honing political skills in mendacity and back-stabbing through seeking office in the debating 'Union'. Oxford has the additional attraction of offering thoroughly disreputable 'exclusive' clubs, not least of which is the Bullingdon Club which appears to have particular attraction to porcinophiliacs.

        2. Alan Brown Silver badge

          "It's harder to properly generate those pads than it first appears!"

          The UK did pretty well with bingo hall technology in WW2 (rotating ball/basket with lots of balls inside) with problems only arising when the people making the pads cooked results because they didn't think they were "random enough" due to sequences repeating (it happens).

          The harder part with OTPs is making sure the pads _are_ only used once (the Soviets failed miserably at this by giving identical sets of OTPs to different agencies), as reuse ends up compromising _all_ messages sent with that padsheet. (Similar failings were noted for the Enigma systems, where near-identical text/differing cyphers or cypher reuse made the job of the Allied codebreakers far easier than it should have been.)

          And of course there's the metadata aspect, where noting _who_ sends a message, where from and to whom is often as (or more) informative as the message itself, particularly when that metadata is compiled into a database of movements and interactions.
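          The one-time pad properties JohnFen and Alan Brown describe above (the pad must be generated properly, be at least as long as the message, and be used exactly once; a reused pad compromises every message sent with it), as an added Python example that is not part of this thread or of anything the commenters posted. The two messages and the "MEET ME" crib are constructed for the demo; `make_pad`, `otp`, `xor_of_plaintexts`, `recover_with_crib` and `recover_pad_with_crib` are names chosen here, not a library API.

```python
import os


def make_pad(length: int) -> bytes:
    """Generate a one-time pad from the OS CSPRNG.

    A pad must be (a) unpredictable, (b) at least as long as the message and
    (c) used once. os.urandom covers (a); otp() enforces (b); demo() shows
    what an eavesdropper gets when (c) is violated.
    """
    return os.urandom(length)


def otp(data: bytes, pad: bytes) -> bytes:
    """XOR data with pad. Encryption and decryption are the same operation."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than message; never stretch or recycle a pad")
    return bytes(a ^ b for a, b in zip(data, pad))


def xor_of_plaintexts(ct1: bytes, ct2: bytes) -> bytes:
    """What two ciphertexts under the same pad leak without the key.

    ct1 ^ ct2 == (m1 ^ pad) ^ (m2 ^ pad) == m1 ^ m2: the pad cancels out,
    so the attacker only needs the two ciphertexts.
    """
    n = min(len(ct1), len(ct2))
    return bytes(a ^ b for a, b in zip(ct1[:n], ct2[:n]))


def recover_with_crib(ct1: bytes, ct2: bytes, crib: bytes, offset: int) -> bytes:
    """Guess a fragment (crib) of m1 at a known offset; the same span of m2
    falls out as (m1 ^ m2)[i] ^ crib[i]. Wrong cribs produce garbage, so an
    attacker slides plausible words along the leak and keeps what reads."""
    leak = xor_of_plaintexts(ct1, ct2)
    window = leak[offset:offset + len(crib)]
    return bytes(a ^ b for a, b in zip(window, crib))


def recover_pad_with_crib(ct: bytes, crib: bytes, offset: int) -> bytes:
    """Known plaintext for one message reveals the pad bytes it consumed,
    which then decrypt the same positions of every other reuse of that pad."""
    return bytes(a ^ b for a, b in zip(ct[offset:offset + len(crib)], crib))


def demo() -> dict:
    # Constructed sample traffic (not from the page); both 31 bytes long.
    m1 = b"MEET ME AT THE OLD PIER AT NOON"
    m2 = b"SEND THE PARCEL TO ROOM 101 NOW"
    pad = make_pad(max(len(m1), len(m2)))

    ct1 = otp(m1, pad)
    ct2 = otp(m2, pad)  # the mistake: the same pad sheet used twice

    # Correct use still round-trips; an attacker with a single ciphertext
    # and no pad learns nothing beyond the length.
    assert otp(ct1, pad) == m1

    # Attacker assumes the first message starts with a stock phrase.
    crib = b"MEET ME"
    expected_leak = bytes(a ^ b for a, b in zip(m1, m2))
    return {
        "leak_is_m1_xor_m2": xor_of_plaintexts(ct1, ct2) == expected_leak,
        "recovered_m2_prefix": recover_with_crib(ct1, ct2, crib, 0),
        "pad_prefix_recovered": recover_pad_with_crib(ct1, crib, 0) == pad[:len(crib)],
    }


if __name__ == "__main__":
    print(demo())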

        3. James Wimberley

          Quantum cryptography works, you can use it to generate secure one-time pads over an open line, and IIRC you can readily buy the gear. The unbreakable part is guaranteed by physics not math. But it's pricey and too clunky for practical key distribution. Remember too the warning in the old PGP manual: there are other ways your enemies can get at your data, like burglary, kidnapping and torture. Security is always relative.

    3. fajensen

      Well, this is interesting, first we're going to see legislation,

      No. Eventually, after a long time and many tribulations, we are going to see legislation. Which is the proper way we do things around "here" - ass-about-tits.

      What the article actually says is that the TLA ghouls want the tech providers to give them access *without* legislation. Kinda as a favour, like. It's not like the same TLAs would turn right around and skewer their new tech friends once their classified personnel records are in China or something and Congress for once wants to see someone under the bus over it!

  3. JimmyPage Silver badge
    Mushroom

    governments can always legislate

    So ? (Although I'd leave the UK out of this sweeping statement ....)

    Or rather, "So what" ?

    No amount of legalese will ever change the laws of mathematics and the principles that underpin encryption. You may as well complain that its getting dark at night is hampering your crime solving ability, and await a law making it illegal for the sun to set.

    A much better idea might be to go back to your elected overlords and suggest they think more carefully about what should - and should not - be "illegal".

    1. Tigra 07
      Meh

      Re: governments can always legislate

      They'll be trying to legislate Pi next...Oh...They did? *facepalm*

    2. nematoad
      FAIL

      Re: governments can always legislate

      "No amount of legalese will ever change the laws of mathematics..."

      Yes, didn't some Australian politician say that the laws of physics had to bow to the laws of Australia? I thought that he was a bit deranged but it looks like the contagion is spreading.

      1. David Gillies

        Re: governments can always legislate

        Perhaps someone should have thrown him out of a window and told him to repeal the law of gravity on the way down.

      2. Mike Lewis

        Re: governments can always legislate

        It was Malcolm Turnbull, our former Prime Minister, who said "The laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia."

        1. ibmalone

          Re: governments can always legislate

          "The laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia."

          It's an interesting distinction between the laws of physics (as misremembered) and the laws of mathematics (what he actually said). If he'd said the laws of physics, people might have spotted the problem more easily (the gravity example for one), but the laws of mathematics... who cares about those? All that boring triangles and x+1=2 stuff nobody ever needs right?

          Except, the laws of physics are just models based on empirical evidence and those of mathematics are the hardest form of logic devised by man and are in a sense more fundamental.

    3. Geoffrey W

      Re: governments can always legislate

      RE: "getting dark at night is hampering your crime solving ability"

      There is a solution to that one. Everyone is required to live at the Pole, and every winter is required to move to the opposite pole so they live in constant daylight. Nothing is impossible. Perhaps the encryption problem could be solved by some Californian start up inventing a time machine, (black worm hole travel) then speccy five eyes can go back in time and sneak a peek at the key as it is encrypted, or take a screen shot of the message before its encrypted. Nothing is impossible. Perhaps they could form a new military force to go with Space Force - Ghost Force comprised of real ghosts - then they could spy on their desired target up close without being detected. They already have "Spooks" - just push those spooks one step further and kill them, trapping their ghosts before they head for the light. They're patriots; I'm sure they won't mind.

      Or, again using their time machine when they invent it, send a spook back in time and stop mathematicians inventing encryption, or stop the naughty miscreant's parents from procreating, preventing the use of encryption at source, or prevent Jobs inventing the iPhone, and Gates from creating DOS, or prevent GOD inventing life, or create a huge beautiful wall along all the shorelines of the world preventing life from leaving the oceans, letting the fishes have a go; they would only have Blowfish encryption, which I don't think is as good as what we now have. On the whole, I think time travel is our best option. The opportunities for a smart teenager are endless. Why all the cynicism?

    4. MachDiamond Silver badge

      Re: governments can always legislate

      "A much better idea might be to go back to your elected overlords and suggest they think more carefully about what should - and should not - be "illegal"."

      Not "should", but "can" be made illegal. Legislators (lawyers that couldn't make it in private practice) may never wake up to the fact that banning math or software won't do any good. A company in some country that isn't a signatory to the ban is going to sell encryption software online without caring in the least. A country like Russia could ban it in their own country yet make it available everywhere else just to piss other governments off when they feel like it.

    5. Jellied Eel Silver badge

      Re: governments can always legislate

      To an extent, governments have already legislated. So lawful intercept is a thing. Problem is the product may be encrypted and can't be analysed.

      Then in the UK, we have RIPA that permits TPTB to demand passwords and keys. A suspect in a murder case has just been jailed for failing to divulge his Facebook password under those powers.

      So powers exist to deal with say, Alice and Bob communicating via PKI. They can be compelled to give up their keys (assuming they're both in the UK), or jailed until they do. But that's not necessarily great for crime prevention. So in the Facebook example, police want to know if/how the suspect communicated with the victim.. But sadly, it's too late for that young girl. If the police had known in advance she was being groomed, access to Facebook messages might have prevented her murder. But that would require some way of compelling Facebook to give law enforcement access to those messages.

      Where CSPs control encryption of their users' communications, there should be a mechanism to allow lawful access to those. Challenge would be defining lawful access, eg in the UK, the security services can access 'bulk data', but not the police, although AFAIK they can request access to specific subject data if they can justify it.

      1. Alan Brown Silver badge

        Re: governments can always legislate

        "But that would require some way of compelling Facebook to give law enforcement access to those messages."

        They hand them over quite readily when presented with a properly executed court order/search warrant.

        It's not that difficult and the fact that the police force concerned is having difficulty with the concept says a lot more about their attitude to due process and following procedures than Facebook's reluctance to hand over anything without appropriate legal authority.

      2. Anonymous Blowhard

        Re: governments can always legislate

        "Then in the UK, we have RIPA that permits TPTB to demand passwords and keys. A suspect in a murder case has just been jailed for failing to divulge his Facebook password under those powers."

        And there you have the problem; what if you actually don't know the password and you don't have a way of getting it? An example could be if you create an encrypted file or directory and then don't use it, so you never learn the password and there's no mechanism to recover it; the police could insist you decrypt it (in case it contains something incriminating) but you actually can't remember. Should you go to jail for life?

        Could you also end up in jail if someone else places an encrypted file on one of your devices?

        1. Tigra 07

          Re: governments can always legislate

          "Could you also end up in jail if someone else places an encrypted file on one of your devices"

          I'd be amazed if the security services hadn't already attempted it.

        2. Flywheel

          Re: governments can always legislate

          If web sites can get your computer/device to mine cryptocurrency without your knowledge, I'm sure the spooks could easily dump a file on your device. The fact that you don't know what the file contains or where it came from would be of no consequence to the spooks. Frightening thought!

          1. Anonymous Noel Coward
            Black Helicopters

            Re: governments can always legislate

            I saw a quote a few weeks back which I thought summed up the British judicial system quite well.

            "Show me the man and I will find you the crime."

          2. MachDiamond Silver badge

            Re: governments can always legislate

            "I'm sure the spooks could easily dump a file on your device. The fact that you don't know what the file contains or where it came from would be of no consequence to the spooks.

            Given all the crap accumulated across 12TB of drives on my computer, I'd have a hard time detecting a medium size rogue file. Drives are so cheap that it's a waste to spend too much time deleting things to free up space. I just copy over current stuff to the new drive, catalog the old one and put it in the archives.

            1. Anonymous Coward

              Re: governments can always legislate

              In my case, I started taking screenshots of how much space is free/used on every USB device I own every time I move/delete things.

              It's tedious, but necessary.

        3. MachDiamond Silver badge

          Re: governments can always legislate

          "Could you also end up in jail if someone else places an encrypted file on one of your devices?"

          I can see that scenario as being very plausible. Somebody sends you an email with an encrypted attachment that you don't have keys for and you just leave it on your computer with all of your other email. Some investigation of that person shows they sent you that encrypted file and you are on the hook for it even though you have never had the key.

          Police investigators need to go back to school and learn proper investigation techniques again and not rely on just reading email and IMs to bag someone. For justice to be blind, there needs to be several pieces of evidence for a conviction. There are cases where it might come down to just one little scrap of paper (or digital equivalent), but that shouldn't be very often. From many reports, Hillary Clinton's email system was more porous than pumice and she's getting off scot free. How can the legal system imprison the little guy in the face of malfeasance like that for the sin of not having a password?

        4. Long John Silver

          Re: governments can always legislate

          That is a legal provision to be used only sparingly. If applied beyond the realm of universally acknowledged criminality there would be vocal challenge about what should be construed as an entitlement to total privacy of digital sequences parallel to that of thoughts in one's head. We know now that even the latter is not sacrosanct given introduction of 'enhanced interrogation' as a supposedly legal investigative tool.

          The best opportunity to smash this legislation would arise if a large number of a relatively harmless protest group (e.g. concerning environmental damage or animal welfare) members were rounded up and told to divulge passwords. If all refused, the prospect of jailing a large number of people would be politically sensitive.

          As matters stand, digital technologies, means of storing data, and the Internet, have changed considerably since the UK government introduced the measure. There's no need to be in physical possession of a device holding encrypted data. There are many hideaways accessible anonymously via the Internet. These are just as good for dodgy businessmen hiding their true financial accounts as for terrorists. Also, there may be increased awareness of deniable encryption methods.

      3. Anonymous Coward
        Anonymous Coward

        Re: governments can always legislate

        >Then in the UK, we have RIPA that permits TPTB to demand passwords and keys. A suspect in a murder case has just been jailed for failing to divulge his Facebook password under those powers.

        Reading about this on another site...

        "What you have done is obstructed the investigation, and a very serious investigation indeed. It has caused a very significant delay," Judge Parker said.

        "It means that the task of police investigating the murder of Lucy McHugh is that much more difficult."

        Tough? He has no obligation to do the job of the police for them.

        Not surprising that the morons on Twitter are suggesting to torture it out of him, though. (Conveniently forgetting he hasn't been charged with murder. He's a suspect.)

    6. Alan Brown Silver badge

      Re: governments can always legislate

      "No amount of legalese will ever change the laws of mathematics and the principles that underpin encryption."

      In law there's a concept known as a "stalking horse" and a "dark horse".

      Don't be at all surprised if the heat and light around these attempts to legislate the impossible are merely a way of distracting attention from what's very pointedly NOT being talked about - particularly subjects which may have had some discussion and then gone eerily silent.

      The security services smashing up of USB mice and keyboards belonging to the Guardian was commented on at the time as technological ignorance. On the other hand, given what we know now (malware hiding in plain sight on such devices) it could have been an attempt to give a heads-up about such things to anyone who might start wondering why those devices in particular were targeted.

  4. }{amis}{
    FAIL

    Wack a Mole

    Even if they do make good on the (probably empty) threats to force through crap legislation forcing companies to break security, how do they expect to keep up with people just moving to other platforms in countries that are sensible?

    I migrated over to Protonmail after the Yahoo debacle and I can't see the 5 eyes successfully forcing Switzerland to drop the privacy legislation that protects it.

    1. Lee D Silver badge

      Re: Wack a Mole

      Who cares?

      Say my messenger program is legally required to copy all messages. It's now an untrusted communications medium.

      What do we do with untrusted communications media? We run encryption over them to produce a tunnel for a trusted communications medium.

      In messaging it's called "OTR" (off the record) plugins. And just as we used to use OTR over MSN, Yahoo, AOL IM, etc., so we can use OTR over WhatsApp, Facebook, messages printed in The Sunday Times, etc. In most cases, it could be as simple as just running another app on your phone or a "special" keyboard program that "encrypts" your messages as they are typed.

      If your communication medium is untrusted because an unwanted third-party (legally or not) gets into it, you layer encryption over it to make a trusted tunnel. That's what you do. That can't be beat. That works over anything.

      I could literally encrypt my dastardly plans for world domination, print them out and publish them in a national newspaper. If the encryption is anywhere NEAR useful, it will make no difference whatsoever and nobody will be able to read it.

      Nobody's going to "trust" a foreign entity more just because it's foreign. What you do is not REQUIRE yourself to trust your ISP, government, messaging provider or anyone else, ever, except the intended recipient.

      We have spent decades making protocols to make this true. And even "initial key exchange" can be done in full public view with nobody any the wiser what keys we ended up with. That's the whole POINT of encryption.
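The layering Lee D describes, as an added example that is not code from the post or from any of the products named: two parties agree a key in full public view (Diffie-Hellman), then run authenticated encryption over a messaging provider that keeps a copy of everything. The parameters (the Mersenne prime 2**521 - 1 with generator 3) and the HMAC-based stream cipher are toy choices made for this example only; a real deployment uses a standardised group or curve and a vetted AEAD such as AES-GCM or ChaCha20-Poly1305.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters (ASSUMPTION for this example only): the
# Mersenne prime 2**521 - 1 and generator 3. Real deployments use the
# standardised groups of RFC 3526 / RFC 7919 or an elliptic-curve equivalent.
P = (1 << 521) - 1
G = 3


class UntrustedChannel:
    """A messaging provider legally required to keep a copy of everything it
    carries. The transcript is exactly what a third party would get to see."""

    def __init__(self):
        self.transcript = []

    def send(self, sender, payload):
        self.transcript.append((sender, payload))
        return payload


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1        # x in [1, P-2]
    return priv, pow(G, priv, P)               # (x, G**x mod P)


def dh_shared(priv, other_pub):
    return pow(other_pub, priv, P)


def derive_keys(shared):
    # Illustrative KDF: hash the shared secret into separate encryption and
    # MAC keys. Production code uses HKDF with explicit context labels.
    secret = shared.to_bytes((P.bit_length() + 7) // 8, "big")
    enc_key = hashlib.sha256(b"enc" + secret).digest()
    mac_key = hashlib.sha256(b"mac" + secret).digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode as a toy stream cipher (demo only).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(enc_key, mac_key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return nonce + ct + tag


def open_(enc_key, mac_key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None    # modified in transit: by the provider or anyone else on the path
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def run_session(message):
    """Alice and Bob agree a key over the open channel, then talk through it.
    Returns (what Bob decrypted, the provider's complete transcript)."""
    ch = UntrustedChannel()
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    ch.send("alice", a_pub)            # the key exchange itself is public
    ch.send("bob", b_pub)
    a_keys = derive_keys(dh_shared(a_priv, b_pub))
    b_keys = derive_keys(dh_shared(b_priv, a_pub))
    blob = ch.send("alice", seal(*a_keys, message))
    return open_(*b_keys, blob), ch.transcript


def provider_can_read(transcript, message):
    """True only if the plaintext turns up anywhere in what the provider kept."""
    return any(isinstance(p, bytes) and message in p for _, p in transcript)


if __name__ == "__main__":
    read, seen = run_session(b"meet at noon")
    print("bob read:", read)
    print("provider saw plaintext:", provider_can_read(seen, b"meet at noon"))
```

The transcript holds the public values A and B, a nonce, ciphertext and a tag; none of them yields the plaintext without one of the private exponents, and a provider that alters a message in transit only causes the MAC check to fail at the recipient.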

      1. illuminatus

        Re: Wack a Mole

        The problem with that line of thinking (though I agree with you) is that *we* may do that, but Joe Schmo in the street won't. And we are now not the only ones using communication technologies. The general public will accept what they get, as long as their service is maintained, or until such time as it is so compromised as to be fundamentally unsafe. For many people this would require serious intrusions or service loss.

        For *us*, who work in the industry and know the score, adding OTR is a no-brainer, like running your stuff through a VPN over public wifi.

        The legislative part may, for example, require you to comply with RIPA and surrender any encryption keys you would use over that OTR service, or prevent companies legally offering such services in the country without approval. A very Chinese solution.

        The fact that we might continue to use such solutions would then mark us out as being "of interest" to the security services, even though all we want to do is, not entirely unreasonably I'd say, stop any old Tom, Dick or Harry taking a long lingering look through our living room window as they walk by it.

      2. Anonymous Coward
        Anonymous Coward

        Re: Wack a Mole

        Adding another application to a device, say OTR, isn't the way to secure your communications. Properly, your security endpoints must extend beyond your communication endpoints. This is why OTPs and encryption on other, preferably deniable or easily inerted, devices is so important. I've software that does this handily across many devices/operating systems, all of which are specifically selected, and kept totally segregated, from my (Internet and local) communication devices. That it has the benefit of providing a "safer" environment to do my work is just icing on the cake.

    2. Anonymous Coward
      Anonymous Coward

      Re: Wack a Mole

      I think everyone misses the point with this. Sure, there are going to be people that use encryption they can't break but they aren't that bothered, they just want the juicy data on the masses for control. Your average person isn't going to home brew/download some encryption for their emails and data. What they do or a future government does once they have that data is where we end up in uncharted territory.

      1. JohnFen

        Re: Wack a Mole

        "Your average person isn't going to home brew"

        Which is a good thing. Nobody should "homebrew" crypto. What you'll get is almost certainly going to be something that is easily broken.

        1. Anonymous Coward
          Anonymous Coward

          Re: Wack a Mole

          Still better than nothing.

        2. herman

          Re: Wack a Mole

          "Nobody should "homebrew" crypto." That is a very tired and elitist attitude.

          You are basically saying that everybody is stupid, except you.

          1. JohnFen

            Re: Wack a Mole

            It's not elitist at all -- I, after all, am included in the group of "everybody".

            It's just a plain statement of the truth that good crypto is incredibly hard to do, and it's even harder to know if you've done it right. Even crypto math experts don't trust themselves to produce solid crypto. Anything the pros produce is vetted and tested by a lot of other experts before it is accepted as being worth anything.

            1. bombastic bob Silver badge
              Devil

              Re: Wack a Mole

              "good crypto is incredibly hard to do"

              I wouldn't say 'incredibly hard', but the diligence of testing the algorithm for actual cryptographic strength would be a part of that, yeah.

              I wrote an encryption algorithm a couple o' decades ago. It was in protest of the 128-bit vs 60-bit "exportable" encryption nonsense, which was finally overturned a year or so later.

              I described it in prose on a web site (kinda like PGP) just to make a point. It used a 256-bit key and a CRC algorithm at its core with a moving window that involved the encrypted data, not the 'dry' data, and was hyper-efficient on encrypting very large data files. Downside, required building a 128kbyte translation table which took a second or two on those old machines. I also encrypted the source file and published the binary, DARING anyone to de-crypt it. I used to get a lot of hits on that page, too (a hundred or so a month) and no takers on decrypting the source file. I forget what key I used to encrypt it. heh.

          2. Claptrap314 Silver badge

            "No homebrew" is NOT elitist

            I'm a mathematician. I spent a decade doing microprocessor validation, most of it in assembler. I have DREAMT integer register programming. If there is such a thing as an expert in integer programming, I qualify. And if I were to write code that needed bounds checking on external inputs in C, I would use a library. This is BECAUSE I am an expert. As an expert, I know just how hard it is to get this stuff right, and even though I have complete confidence in my own ability to get it right, I also know how much of my time it would take to be certain that I got it right. Just. Use. The. Damn. Library.

            Or, you know, you might get https://en.wikipedia.org/wiki/Stagefright_(bug). Twice.

            Crypto? You're trolling, right?

            1. bombastic bob Silver badge
              Facepalm

              Re: "No homebrew" is NOT elitist

              "and even though I have complete confidence in my own ability to get it right, I also know how much of my time it would take to be certain that I got it right"

              blah blah blah - sorry, I don't accept the *kinds* of statements that I would consider *toxic*. They are similar to:

              "other, smarter people" "it's too difficult" "other people have tried and failed" "it will never work" "you don't have the skill set" "re-inventing the wheel" "wasting your time" "use what already exists" "it's been done before" "it's never been done before" ... on, and on, and on, the negativity, so negative!

              How about something encouraging like: "Well, when it comes time to check your algorithm, make sure that [short description of mathematical algorithm or procedural test] does [whatever result you should get for good encryption]

              Otherwise, it sounds like the usual negativity ninnies. Just sayin.

              [and I'd be interested in what tests you WOULD recommend]

              icon, because, I hear from negativity ninnies all of the time. It's irritating at the least. Why discourage those with enthusiasm? Instead, point them in a direction that's actually HELPFUL.

              1. DavCrav

                Re: "No homebrew" is NOT elitist

                "How about something encouraging like: "Well, when it comes time to check your algorithm, make sure that [short description of mathematical algorithm or procedural test] does [whatever result you should get for good encryption]

                Otherwise, it sounds like the usual negativity ninnies. Just sayin.

                [and I'd be interested in what tests you WOULD recommend]

                icon, because, I hear from negativity ninnies all of the time. It's irritating at the least. Why discourage those with enthusiasm? Instead, point them in a direction that's actually HELPFUL."

                1) Start by reading Silverman 1 and 2. That will give you some idea of the Mordell--Weil group of an elliptic curve and what on earth is going on.

                2) Read Ireland and Rosen. It's a basic book on some modern number theory.

                3) Do a PhD in number theory. This will take a few years, but you'll get a good solid background in number theory, which you'll need for the next bit.

                4) Overturn a century of modern mathematics. Most of modern mathematics rests on the idea that there are no general purpose algorithms to attack problems of a standard kind. For example, there is no general procedure to solve Diophantine equations, or to solve the halting problem, or the decision problem. With these in mind, mathematics now becomes something that cannot be given as a list of instructions, but is much more intuitive, and then sometimes counter-intuitive. Solving problems requires ingenuity, not simply reading off a checklist.

                1. Anonymous Coward
                  Anonymous Coward

                  Re: "No homebrew" is NOT elitist

                  @DavCrav there is a LOT more to Cryptography than Number Theory - especially for symmetric ciphers. Yes, some of this is used for asymmetric ciphers, such as RSA and ECDH, but things such as AES don't rely so heavily on Number Theory.

              2. Claptrap314 Silver badge

                Re: "No homebrew" is NOT elitist

                Of all the commentards, I would have expected you to have caught the humor in my example. I specifically set up the challenge of bounds-checking external input combinations in C because it is so hard, while it is trivial (as in: check the results of the correct overflow bit) to do in assembly.

                As has been mentioned, the "useful" advice starts with: get at least a master's in mathematics from a class one or better institution. Because your options are either to exhaustively test input combinations, or to write a formally checked proof. That's it. As I pointed out, if you fail to do that, you might humiliate yourself the way that G did with Stagefright I & II.

                But this discussion is not about such a simple problem as sanitizing a pair of untrusted integer inputs. This discussion is about crypto. Another has summarized nicely what you need to do to enter (and I stress: enter) the field of professional crypto. He missed one point, though, and I see this point made everywhere I see professional crypto folks: never trust yourself. The pros of crypto don't roll their own. They work in teams. And when they think that they might have something, they get OTHER professionals to check their work.

            2. Adam 1

              Re: "No homebrew" is NOT elitist

              > I have DREAMT integer register programming.

              You're only human. Don't beat yourself up.

            3. StargateSg7

              Re: "No homebrew" is NOT elitist

              Nah! I've been doing this for probably a LOT longer than you have! Unless you've been programming computers since 1978 then you might have something on me. I grew up a digital native of PDP, VAX, PET, Sun/Apollo, IBM 360 and AS400, Apple II/Mac/PC/Windows/Linux and so much else that I've been able to do decent security in my sleep!

              I'm the type of guy who makes custom flat panels with custom controller/RGBA driver chips with custom motherboards. I do custom massively parallel systems using custom motherboards that use custom FPGA network, drive, display and bios logic. I've even been DABBLING in actual 64-bit/128-bit+ CPU/GPU design on GaAs/GaN and CMOS since we have a 7 nm electron beam etcher to send our tape-outs to! We use custom cross-compilers, custom assemblers, custom OS'es, custom BIOS'es, custom microcode and even an advanced custom-designed VHDL system for outputting CPU/GPU designs. There isn't ANYTHING we can't do that isn't fully custom down to the gate/diode level.

              So security-wise, good luck! We have been doing this for a LOOOOOOOONG TIME!!!!!!

              The gear and tech we have makes even LMCO, Raytheon, Boeing, Northrop, IBM, Google, Microsoft, Apple, Intel, TI, TSMC, Foxconn, Huawei, Ericsson, Nokia, Philips, Thales, Dassault, EADS, Bosch, NEC, Sony, Canon, Matsushita, JPL, NASA, LLNL, etc ultra-ultra-green with envy! We have tech expertise, software and hardware that literally IS SECOND TO NONE and in some cases IS ABSOLUTELY NUMBER ONE IN THE WORLD !!!!!!!!!!!!!!!!!!!!!!

              To put it mildly, if the powers-that-be want to make security insecure, we can EASILY put a stop to it and make our software and hardware results COMPLETELY OPEN SOURCE AND UTTERLY FREE FOR USE BY ANYONE !!!!

              AND WE ARE ABSOLUTELY WILLING TO DO IT WITH NO HESITATION WHATSOEVER since we are NOT affected by any external financial pressures! And upon any external political pressure? WE ARE ALL ABSOLUTELY THE TYPES TO JUST DO IT FOR THE HECK OF IT!!!! We will ABSOLUTELY IGNORE ANY AND ALL DIRECTIVES FROM EVERYONE AT EVERY LEVEL OF GOVERNMENT PERIOD !!!!!!!! We will SIMPLY IGNORE ANY AND ALL INJUNCTIONS !!!!!!!!!!!

          3. Anonymous Coward
            Anonymous Coward

            Re: Wack a Mole

            The people who are the literal giants in the field of cryptography say exactly the same thing. That completely ignores the issues that the doing of cryptographic engineering isn't something that pretty much the whole damned planet isn't able to pull off, and that's speaking as someone who works in that field. It was that work that has informed so much of my regular software and hardware engineering, let alone the other IT-related types. And there's always another technique you have to defeat down the road due to the laws of physics, by the way. Brutal. Fun, if you have my warped idea of what constitutes fun!

            1. mwnci

              Re: Wack a Mole

              You know you don't have to encrypt your posts mate. I had to re-read this about 4 times and I'm still not sure if you've made a Typo - or that's what you meant to say.

              "That completely ignores the issues that the doing of cryptographic engineering isn't something that pretty much the whole damned planet isn't able to pull off, and that's speaking as someone who works in that field."

              If you are trying to say "It's technically not feasible to do what the 5 eyes Governments want us to" - I agree 100%.

          4. DavCrav

            Re: Wack a Mole

            " "Nobody should "homebrew" crypto." That is a very tired and elitist attitude.

            You are basically saying that everybody is stupid, except you."

            Nobody should do their own cryptography because it's difficult. It's absolutely an elitist attitude, because difficult things need attention, experience, and talent. If you homebrew it, you are highly likely to have none of those qualities.

            I don't see why 'elitist' is a bad thing. People rarely go round saying tripe like 'Brain surgery isn't too hard. It's a very tired and elitist attitude to say that you shouldn't homebrew neurosurgery'.

            Just as an example: you should choose primes a and b for your public key. How do you protect against a Fermat attack? You want an elliptic curve for your shiny new cryptosystem. Do you want it to be supersingular, or not to be supersingular? Should you assume the existence of a discrete log oracle when doing complexity analysis for your new system?

            All of these questions are stupid, and the answers are incredibly obvious. Here's a less obvious one: you want some random noise somewhere. Will an LCG do, or a QCG, or does it have to be 'more random'? Rolling your own random number generator is incredibly difficult.
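DavCrav's first question (close primes and a Fermat attack) is one a key-generation routine can check for itself. The following is an added example written for this page, not DavCrav's code or any library's implementation: it runs Fermat's method for a bounded number of steps against a modulus, and applies the FIPS 186-4 B.3.1 rule that the two primes must differ by more than 2**(nlen/2 - 100). The small primes (999983, 1000003, 1299709, 15485863) are well-known primes chosen for a fast demo; the 1024-bit integers in the gap check are arbitrary stand-ins for primes of realistic size.

```python
import math


def fermat_factor(n, max_steps=100_000):
    """Fermat's method: look for n = a**2 - b**2 = (a - b)(a + b), starting at
    a = ceil(sqrt(n)). Each step tries the next a, so the search only gets
    anywhere when the two factors are close together. Returns (p, q) or None
    when max_steps is exhausted."""
    if n % 2 == 0:
        return 2, n // 2
    a = math.isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_steps):
        b2 = a * a - n
        b = math.isqrt(b2)
        if b * b == b2:
            return a - b, a + b
        a += 1
    return None


def min_prime_gap(nlen):
    """Minimum |p - q| for an nlen-bit modulus under the FIPS 186-4 B.3.1
    criterion |p - q| > 2**(nlen/2 - 100)."""
    return 1 << (nlen // 2 - 100)


def prime_gap_ok(p, q, nlen):
    """Generation-time check: reject a (p, q) pair whose gap is too small."""
    return abs(p - q) > min_prime_gap(nlen)


def audit_modulus(n, max_steps=100_000):
    """Audit-time check on a public modulus: 'WEAK' if Fermat's method
    recovers the factors within max_steps, 'OK' otherwise."""
    return "WEAK" if fermat_factor(n, max_steps) else "OK"


if __name__ == "__main__":
    # Constructed demo values: two primes 20 apart, and two far apart.
    close_n = 1000003 * 999983
    far_n = 15485863 * 1299709
    print("close primes:", audit_modulus(close_n), fermat_factor(close_n))
    print("distant primes:", audit_modulus(far_n))
    # Gap rule for a 2048-bit modulus: the threshold is 2**924.
    p = 1 << 1023
    print("gap of 2**924 acceptable:", prime_gap_ok(p, p + (1 << 924), 2048))
    print("gap of 2**925 acceptable:", prime_gap_ok(p, p + (1 << 925), 2048))
```

With two primes 20 apart the factorisation falls out on the first step, which is the whole reason the gap rule exists; for primes of realistic size that pass `prime_gap_ok`, the number of steps Fermat's method would need is astronomically beyond any `max_steps`.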

        3. Anonymous Coward
          Anonymous Coward

          Re: Wack a Mole

          Couple of things:

          1. The article says that governments "claim that their inability to lawfully access encrypted content risks undermining democratic justice systems". Well, well, well.....and I suppose these same governments are following EVERY PART of national and international law. If you believe this, perhaps you should study the Snowden papers....or maybe this one reference will do for now:

          - https://theintercept.com/2014/12/13/belgacom-hack-gchq-inside-story/

          *

          2. @JohnFen Home brewed crypto is "easily broken". Well that may be true, but there's an interesting asymmetry here - plod will take some time to break a "home brewed" crypto, while the users can use the communication immediately. Take a book cipher for instance. Here's a short message in a "home brewed" book cipher -- what does the plain text say?

          *

          2E1D55597C5F0481C74D01C6A154F52B8DB1C6F9

          618793A06A0DA1908AC4364A8282525778660394

          27A1C137E00A8FE1628C647D648F2065EB20F534

          18FD06F1DD302262309F401A00BDFA69A2140F10

          30AC84C979701C53F4F073AA522D285DA236A21C

          2BC56425136643B6B9506A88D1B5B567C96056EF

          3A9372601F586C72668934F842163B3DE2F4ECFF

          1. bombastic bob Silver badge
            Thumb Up

            Re: Wack a Mole

            thumbs up for the book cipher example. it just has to be a difficult lock to pick.

            1. Anonymous Coward
              Anonymous Coward

              Re: Wack a Mole

              @Bombastic Bob

              Thanks for the thumbs up about a book cipher.

              *

              What continues to surprise me in this thread is the almost complete absence of (what seems to me an important point), namely that EVEN IF GOVERNMENTS legislate for communications service providers, people like me can craft a book cipher which is then sent over service provider channels.

              *

              Meaning....even if there are back doors in communications services, plod STILL HAS ANOTHER LAYER of crypto to go before plod knows what is being said. OK...this only applies to text messages, but isn't that what plod wants to read?

              *

              Then there's the question of metadata. Plod can probably find out (eventually) who sent a message. But in the case of the public message I posted in this thread, how is plod going to find out who the recipient(s) of the message are? Beats me.

              *

              Am I mad?.....or is this focus on COMMUNICATIONS SERVICES completely off point?

              1. Claptrap314 Silver badge

                Re: Wack a Mole

                Believe it or not, there is a standard way to identify & attack book ciphers. And it's not that hard to roll through every book published in the last 70 years or so to identify the book.

                These guys are scary good.

                But really, the crypto experts don't work alone. You shouldn't either.

    3. Uffish

      Re: Secure communications

      You have nothing to fear if you have nothing to hide. Oh, you do have something to hide ...

      1. bombastic bob Silver badge
        Black Helicopters

        Re: Secure communications

        don't forget "process crimes" and perjury traps set by the F.B.I. ... if they wanna 'get you', they'll 'get you', or bankrupt you with legal defense costs until you plead guilty or get financially ruined.

      2. Brent Longborough

        Re: Secure communications

        Saying "If I have nothing to hide, I have nothing to fear" is on the same level of crass stupidity as "I don't need free speech as I have nothing to say"

        Oh, and guess who said it first? Doktor Goebbels.

    4. Missing Semicolon Silver badge
      Thumb Down

      Re: Wack a Mole

      @ }{amis}{

      Not only will providing an unsnoopable messaging platform be illegal, using it will be too.

      So best of luck with the court case when you get caught!

      1. Alan Brown Silver badge

        Re: Wack a Mole

        "Not only will providing an unsnoopable messaging platform be illegal, using it will be too."

        What about a snoopable one overlaid with another layer of crypto?

        As I mentioned earlier, the metadata of who talked to whom from where and when is often far more valuable than the content of the messages, particularly if the "who" isn't the person of interest but known to be associated or travelling with them.

    5. Anonymous Coward
      Anonymous Coward

      Re: Wack a Mole

      I can't see the 5 eyes successfully forcing Switzerland to drop the privacy legislation that protects it.

      Why do you think that? The "international community" have already pressured Switzerland to roll back hundreds of years of tradition of banking privacy for foreigners. I can't see why the Swiss would worry about data privacy for foreigners when that's something that doesn't make anything like the money their private banking industry does.

      I am of course assuming you're not a Swiss citizen.

  5. Anonymous Coward
    Anonymous Coward

    business won't comply

    but not get prosecuted. Remember this is all to crack down on the little man.

    1. Yet Another Anonymous coward Silver badge

      Re: business won't comply

      That doesn't matter - so long as the enemy complies

      I'm sure Russia, China, N Korea and Iran are rushing to put in back doors so that Nato can access their communications

      1. MRS1

        Re: business won't comply

        > That doesn't matter - so long as the enemy complies
        >
        > I'm sure Russia, China, N Korea and Iran are rushing to put in back doors so that Nato can access their communications

        Remember that Russia, China, etc. are not the enemy here. The enemy in this context is actually the citizenry, the largely law abiding citizenry that is, of the Five Eyes countries.

    2. jmch Silver badge

      Re: business won't comply

      In fact, while terrorism and paedophilia are offered up as the big straw men to justify invading everyone's privacy, the entities to have most benefit from strong encryption are organised crime, corrupt governments and money-launderers who can transfer assets untraceably.

      No easy answer to that one, although public registration of ultimate beneficial ownership is a good idea that needs to be implemented. Hope the EU gets a move on with that one.

      1. Woodnag

        Re: business won't comply

        5-eyes' problem isn't tracking terrorists, molesters, mafia etc.

        These countries want the ability to see what normal citizens are doing.

        Terrorists, molesters, mafia etc can/will use encryption REGARDLESS of the law.

      2. Mark 85

        Re: business won't comply

        the entities to have most benefit from strong encryption are organised crime, corrupt governments and money-launderers who can transfer assets untraceably.

        Therein is the problem. Those groups want the control and access to yours and everyone else's data. So do we protect the general population, or expose them to the groups you mentioned? This sword they want will cut both ways.

      3. Someone Else Silver badge

        Re: business won't comply

        [...] the entities to have most benefit from strong encryption are organised crime, corrupt governments and money-launderers who can transfer assets untraceably.

        So that's why the Drumpf "government" is so keen on this!

  6. Lt.Kije

    Never never never...

    ...give these agencies legislated access

    They have a solid track record of misusing every dodgy right ever given to them. And of course it is never ever reciprocal, they always stonewall any attempt to look at their secrets.

  7. GnuTzu
    Megaphone

    Don't Forget...

    Yes we've been saying all along; might as well make an effort to add it to every one of these damn articles.

    Then, only the crims will have...

  8. jmch Silver badge

    Not complex at all

    "requires urgent, sustained attention and informed discussion on the complexity of the issues "

    The issue is not a complex one at all to understand -

    (a) it is not possible to create a backdoored encryption system where only the 'good guys' have backdoor access. An encryption system is either totally secure or it isn't.

    (b) democratic norms across the civilised world provide for privacy of its citizens. They also provide that law enforcement can infringe on that privacy in certain specific cases (e.g. a warrant based on probable cause)

    (a) and (b) are diametrically opposed to each other and cannot both co-exist. It is absolutely simple. HOWEVER... simple does not mean easy. Because the combination of those 2 facts will lead to one of these scenarios:

    1) 'public' encryption systems are backdoored. Law enforcement has access to everyone's data. Criminals also eventually gain access to everyone's data. Criminals run their own perfect encryption systems.

    2) Strong and unbreakable encryption becomes the norm. People have complete digital privacy. Law enforcement has no access to anyone's digital files / comms, even if there is a signed warrant based on probable cause.

    It's understandable why law enforcement don't want (2). It's just that they cannot see far enough to know that their insistence on backdoors is going to lead to (1) which is a worse scenario all around.

  9. TiddlyPom

    Too stupid and too late

    Do these people have more than the brains of a garden snail? If you try and put back doors in encryption then there are plenty of open source encryption systems to use instead. You cannot put the genie back in the bottle. You can always use an extra layer of encryption over a potentially hackable transmission channel. So criminals use TOR (or even Freenet) and swap information in a Veracrypt container file. What then? Are you going to try and ban all open source development on encryption? Good luck with that. What about code or software outside the 5-eyes countries? Will potential terrorists or other people obey that ban?

    What about Torchat or a myriad of other new encrypted IM chat clones? Even if you ban existing encrypted channels then others will spring up. What if you tunnel your encryption over HTTPS (443)? Are you going to ban encrypted web links? What about bank/financial transactions?

    Too stupid and too late. The 5-eyes Panopticon is dead.

    1. Ben Tasker

      Re: Too stupid and too late

      > What about code or software outside the 5-eyes countries?

      What about those within the 5-eyes countries? How many people here would stop working on encrypted stuff? I certainly wouldn't.

      > What if you tunnel your encryption over HTTPS (443)?

      To be fair, there are DPI solutions which can run pattern analysis on connections and predict whether it's likely to be web browsing, video streaming, IM style traffic etc inside. They also look at the handshake and fingerprint it to help identify Tor (for example). Not bulletproof, by any means, but simply sticking something on 443 isn't enough.

      > Too stupid and too late. The 5-eyes Panopticon is dead.

      The problem they have is they've taken a position that they cannot easily now back away from. They seem to have assumed that they'd be able to force their way of doing things, and completely underestimated the industry's view of them once the Snowden leaks made it clear that you cannot trust these people with anything.

      Want to collect intel on terrorists? Then maybe don't record and store anything and everything you can find. Don't push for (and get) Bulk Interference powers so that you can legally pop my router on the basis that a terrorist might be using that model somewhere. Don't push for (and get) powers requiring ISPs to record my internet browsing behaviour, and *definitely* don't try and shrug it off with "it's just metadata, harmless, honest guv".

      They had a chance and they pissed it up the wall. Encryption is on the uptake, even in areas where it wasn't traditionally present, and long may it last.
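      A worked illustration of the handshake fingerprinting mentioned above, added here as an example and not taken from the comment or from any DPI product: a DPI box sitting in front of port 443 does not need to decrypt anything to classify a connection, because the ClientHello is sent in the clear. The block builds a constructed TLS ClientHello record, parses it, and derives a JA3-style fingerprint (version, cipher suites, extension types, supported groups, point formats, with GREASE filler values dropped). The record contents, the server name and the numeric identifiers are constructed sample data.

```python
"""Fingerprint a TLS ClientHello the way DPI boxes do (JA3-style field layout).

Added example, not code from the comment thread or any product.  The record
built by sample_record() is constructed input; on a real sensor the bytes
would be read off the wire.
"""
import hashlib
import struct

# GREASE values (RFC 8701) are random filler; fingerprints drop them so that
# the same client does not produce a different hash on every connection.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def build_client_hello(version, ciphers, extensions):
    """Assemble a TLS record carrying a ClientHello (used only to construct test input)."""
    body = struct.pack(">H", version)            # client_version
    body += b"\x11" * 32                         # client random (fixed filler, constructed)
    body += b"\x00"                              # empty session id
    body += struct.pack(">H", 2 * len(ciphers))
    body += b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                          # one compression method: null
    ext_blob = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(ext_blob)) + ext_blob
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(record):
    """Walk a ClientHello record; return (version, ciphers, extension types, groups, point formats)."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 9                                        # past record header (5) and handshake header (4)
    version = struct.unpack(">H", record[p:p + 2])[0]
    p += 2 + 32                                  # version, then the 32-byte random
    p += 1 + record[p]                           # session id (length byte + bytes)
    cs_len = struct.unpack(">H", record[p:p + 2])[0]
    p += 2
    ciphers = [struct.unpack(">H", record[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + record[p]                           # compression methods
    ext_types, groups, formats = [], [], []
    if p + 2 <= len(record):                     # extensions block is optional
        end = p + 2 + struct.unpack(">H", record[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack(">HH", record[p:p + 4])
            data = record[p + 4:p + 4 + elen]
            p += 4 + elen
            ext_types.append(etype)
            if etype == 10:                      # supported_groups: u16 length + u16 ids
                n = struct.unpack(">H", data[:2])[0]
                groups = [struct.unpack(">H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
            elif etype == 11:                    # ec_point_formats: u8 length + u8 ids
                formats = list(data[1:1 + data[0]])
    return version, ciphers, ext_types, groups, formats


def ja3_string(record):
    """JA3 layout: version,ciphers,extensions,groups,formats with '-' inside each list."""
    version, ciphers, exts, groups, formats = parse_client_hello(record)
    keep = lambda xs: [x for x in xs if x not in GREASE]
    fields = [keep(ciphers), keep(exts), keep(groups), formats]
    return ",".join([str(version)] + ["-".join(str(v) for v in f) for f in fields])


def ja3_hash(record):
    """JA3 publishes the MD5 of the string; it is a lookup key, not a security hash."""
    return hashlib.md5(ja3_string(record).encode()).hexdigest()


def sample_record():
    """Constructed ClientHello: TLS 1.2 version field, one GREASE cipher and extension, SNI example.com."""
    name = b"example.com"
    sni = struct.pack(">HBH", len(name) + 3, 0, len(name)) + name
    exts = [
        (0, sni),                                        # server_name
        (10, struct.pack(">HHH", 4, 0x001d, 0x0017)),    # supported_groups: x25519, secp256r1
        (11, b"\x01\x00"),                               # ec_point_formats: uncompressed
        (0x1a1a, b""),                                   # GREASE extension
    ]
    return build_client_hello(0x0303, [0x0a0a, 0x1301, 0x1302, 0xc02b], exts)


if __name__ == "__main__":
    rec = sample_record()
    print(ja3_string(rec))   # 771,4865-4866-49195,0-10-11,29-23,0
    print(ja3_hash(rec))
```

      The point for the thread is the one the comment makes: the fingerprint depends on the client library's cipher and extension ordering, so a Tor client, an OpenVPN client and a browser produce different strings on the same port 443, and a sensor can match them against a list without touching the encrypted payload. Putting something on 443 hides the port, not the client.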

      1. Mark 85

        Re: Too stupid and too late

        > Don't push for (and get) powers requiring ISPs to record my internet browsing behaviour, and *definitely* don't try and shrug it off with "it's just metadata, harmless, honest guv".

        This point is moot as Google, FB, etc. do this already. Even the ISPs have logs on you.

  10. Anonymous Coward

    Transparency first..

    .. and then we will START talking.

    Until such time, there is no flaming way any legislative measures should be imposed on tech that effectively give the CRIMINALS access to our resources - at present there is already so much avoiding of laws designed to protect our rights that you can safely rank a lot of agencies in that category too.

    Oh, and we all know just how careful agencies are with master keys, no?

    1. Lexeus

      Re: Transparency first..

      Master keys are just a ticking timebomb in any context, like designing a nuclear bomb that has a 0.1% chance of blowing on any given day.

      Just look at Sony and their PS3 screwup with master keys; if a highly motivated tech company cannot keep a lid on such a system, what chance do civil servants stand?

  11. 8Ace

    They will change the target in legislation

    End-to-end encryption is the issue here. I think they now know that there isn't an answer to this that will allow any access that they need. So I fully expect that in some way or other the end-to-end element will be targeted in legislation, so that traffic will have to go via an intermediary step, or even that a licence will be required to provide encrypted services, conditional on the licensee having the ability to decrypt any content.

    1. TiddlyPom

      Re: They will change the target in legislation

      How are you going to force people not to be able to connect between two arbitrary computers? Anybody can set up a server in the cloud. Nobody will know. You LUKS encrypt the server. You give the address to known people. You restrict the addresses to particular people and harden the firewall. You set up (say) OpenVPN on there. You run an encrypted IM server but over VPN links (with VPN running over port 443 - HTTPS). How do you legislate against that or even detect it easily? It is TRIVIAL to set up encrypted end-to-end chat. What about using it as the first step and then peer-to-peer encrypted chat?

      It is too late. Even suggesting that it is possible to do this (practically) is nonsense - especially if you use TOR and hop IP addresses all the time. You can try and legislate all you like. Look at China as an example. They still haven't managed to stop all encrypted end-to-end links.

      We cannot trust spooks. It is VERY important that we have end-to-end encryption. It is our one weapon against tyranny. Laws against encryption will not help the man in the street against criminality. It will just hurt you and me. Criminals who use encryption do not care. Many of these are state sponsored by foreign countries in any case.

      1. StargateSg7

        Re: They will change the target in legislation

        I will make the statement that you will ALWAYS be able to have end-to-end encryption because people like me and my colleagues will make it available OPEN SOURCE and UTTERLY FREE for use by anyone! We can ALSO GIVE YOU GUI-based desktop and server operating systems and CPU/GPU chip designs that are completely free and open source!

    2. ibmalone

      Re: They will change the target in legislation

      > So I fully expect that in some way or other the end-to-end element will be targeted in legislation so that traffic will have to go via an intermediary step or even that a licence will be required to provide encrypted services conditional on the licensee having the ability to decrypt any content.

      This is just a back door by another name. That intermediary step has to be trusted and secure. Normal citizens may trust it (and maybe you trust the current government, but good luck with the government you get next year or in the next twenty years, all the way from the top to your local town councillor, because eventually they'll all want access); criminals won't, and will find alternatives. And it's only going to be as secure as the lowest bidder to be the intermediary. How about TalkTalk storing all your banking details unencrypted? On a system they bought from Huawei? Or would it be held by 'the authorities', who can be relied on to contract it out?

      1. 8Ace

        Re: They will change the target in legislation

        Exactly, I agree completely, but this is a dog that just won't leave a bone alone. Whatever they come up with, and they will come up with something, will be a mess. For example they will be able to say to users, you still have AES 256 or whatever on your device, you can trust us, no back doors - honest. Except there will be a huge weakness in some other part of the chain.

        As for "rolling your own", yeah sure that will always be possible, it's the major players and providers they will target first. Any home brew setup will then probably stand out in their traffic analysis anyway and will attract appropriate attention.

        1. ibmalone

          Re: They will change the target in legislation

          > Exactly, I agree completely, but this is a dog that just won't leave a bone alone.

          Sorry, I should have known better than to think anyone here was advocating that state of affairs. Yes, looks like we are all deeply screwed. The irony is, in the long term, I don't think it's really in the interests of the people who do want it anyway.

        2. Anonymous Coward

          Re: They will change the target in legislation

          > Any home brew setup will then probably stand out in their traffic analysis anyway and will attract appropriate attention.

          That's something that is getting a whole Hell of a lot of attention now.

  12. Anonymous Coward

    Typical really.

    They can't get what they want because maths, so now it's time to resort to threats.

    It's the realisation that their eavesdropping utopia isn't quite as simple as they hoped, and that the people wouldn't comply, that now brings the threats out.

    Still, seemingly, totally unaware that the mechanisms for secure communications are everywhere already, public and private.

  13. DuncanLarge Silver badge

    Scrapheap Challenge

    Perhaps we can teach them how impossible it is to create selective end to end encryption that decrypts itself for the police on command by giving them this task:

    Put them on scrapheap challenge!

    Give them the challenge of creating a lawnmower that must cut grass like a normal mower but on command, when detecting it is being used by a specific person, not cut blades of grass that are of a specified grass species. So the mower must cut all blades of species A normally while not cutting any blades of species B. The lawn has species A and B mixed throughout.

    When they say it can't be done, tell them that it will be done because you will legislate that in order to leave the set it must be done.

    When they finally convince you it can't be done, legislate that they can no longer use a lawnmower to speed up the process and must instead inspect and cut each blade of species A by hand.

    Then maybe they will get that with end-to-end encryption it's all or nothing.

    1. MachDiamond Silver badge

      Re: Scrapheap Challenge

      The original series with Robert Llewelyn, not any of the later ones with the other presenters.

  14. ratfox
    Stop

    "privacy is not absolute"

    Thoughts are free, who can guess them,

    they fly past like shadows of the night.

    No man can know them, no hunter can shoot them

    with powder and lead: thoughts are free!

    1. Flip

      Re: "privacy is not absolute"

      Agree. Sharing your private thoughts is where it gets tricky.

    2. Anonymous Coward

      Re: "privacy is not absolute"

      The way things are going I begin to fear that "Neun und neunzig Luftballons" may be the epitaph of the Trump era.

  15. Aodhhan

    No way.

    Look... we voted out the Obama--Clinton power house Dems which abused their powers and continue to slow down progress by throwing false and malicious accusations against innocent people.

    We learned from the Obama era, even the FBI, MI6 and CIA can't be trusted... even within these organizations it's possible for people in the highest levels to become corrupt and unfair.

    As someone who does pen testing and red teaming for a living... those who concentrate too much on encryption, often leave other weaknesses wide open; because people are, for the most part... lazy and forgetful.

    1. Adrian 4

      Re: No way.

      And if the good guys turned out to be corrupt, what chance the current ones ? We knew they were corrupt when they went in.

      1. Spanners Silver badge
        Black Helicopters

        Re: No way.

        > And if the good guys turned out to be corrupt, what chance the current ones ?

        Who are the good guys? I do not trust our, the US's, or anyone else's spooks' definitions of the good guys.

  16. JohnFen

    Self-contradiction

    Are they lying or deluding themselves?

    "saying that they have 'no interest or intention to weaken encryption mechanisms' – and emphasise the importance of privacy laws."

    But they're saying this while pushing for something which is overtly and intentionally intended to weaken encryption mechanisms. Spy agencies should know full well that "encryption mechanisms" encompass far more than the crypto math itself. They also include how the crypto is used. If I have 100% unbreakable crypto, but an attacker is listening in on an end point where they can see the clear data before or after crypto, then the crypto mechanism (but not the algorithm or its implementation) has been weakened.

    1. Mark 85

      Re: Self-contradiction

      The reality is, they've gone too far down the rabbit hole to back out. Backing off now means they've lost. These agencies live and die by the "budget" and if they're collecting our data, you can be damn sure they're collecting all the data they can on those in power and using it to keep their budgets and powers.

      Politics is a very dirty business and one should always wash one's hands afterwards.

  17. Anonymous Coward
    Thumb Down

    In today's news: 5 Eyes agencies ask tech companies to cut their own throats

    "encourage information and communications technology service providers to voluntarily establish lawful access solutions to their products and services"

    And then those same information and communications technology service providers can watch their customer bases shrink, as first the generally more sophisticated business customers and then the increasingly large numbers of retail customers who value privacy and the security of their data from hackers and identity thieves start to move to competing, secure products.

    This war on encryption has been going on for more than 40 years. It was crap back when law enforcement and sigint agencies thought that an export ban of encryption technologies from the U.S. would solve the problem. Then it was bullshit when the NSA thought that they could get industry and consumers to be happy that they had bought computer and comms gear with the NSA's Clipper chip included, so that the NSA could backdoor them at will. Now it is bullshit because sigint and law enforcement agencies have NO ANSWER for what happens to the average citizen when encryption is weakened, and that citizen's financial and personal information is thrown to the ID theft wolves. Nor do they have an answer to what happens when every hacker, crime syndicate and hostile foreign government starts looking for technological flaws in the backdoor and corrupt individuals who have access to the backdoor.

    And if they carry out their threat to pass legislation (And the financial industry, healthcare industry and many average citizens will push back strongly during the legislation debate.), then you will see a repeat of what happened during the U.S. encryption export controls era. Encryption professionals and companies will move their work and headquarters to nations that don't insist on backdoors, and those nations will be delighted to receive the tech industry investment, tax revenues and exports.

    Come up with a SERIOUS proposal, 5 Eyes!! Stop insisting on "It's our way, or the highway". Start with the complete acceptance that there are REAL, completely lawful reasons that business, government and individuals want strong, non-compromised encryption platforms, and that the vast majority of encrypted communications and storage is completely lawful and indeed helpful to society. Move from there to the realization that having strong encryption technology and technology sectors in general in your own nations greatly benefits your agencies, because you have access to better technology, more qualified personnel and assistance, and the higher tax base helps pay for your own agencies' budgets. Don't insist on policies that expose your own citizens to ID theft and extortion based on data leakage. Don't insist on policies that will kneecap your local encryption and tech industries and see increasing amounts of their revenues and business activity moved to overseas jurisdictions, especially when those jurisdictions may even be hostile towards 5 Eyes nations.

  18. Anonymous Coward

    Have a quick look on YouTube for a clip called "Early Data Encryption Software". It's a clip from the BBC's Tomorrow's World that explains the problem of encryption and was made in 1982....

    Governments had the option to govern this before we grabbed it and ran with it. They didn't see it; now the genie is out of the bottle and it's so big a part of our lives that any attempt to control it now will massively damage the global economy.

    1. JohnFen

      "They didn't see it, now the genie is out of the bottle"

      Oh, they saw it, and they (at least, the US government) tried really hard to keep the genie in the bottle. Look at the various times they've surreptitiously included weaknesses in standardized crypto, efforts like the Clipper chip, and so forth. All those efforts failed.

      The bottom line is that people want to be able to speak privately to one another, will fight to keep that ability, and it's really hard to make the case that they shouldn't have that right.

  19. Snowy Silver badge
    Unhappy

    Just do a google/facebook tie in.

    Whatsapp encrypts messages end to end but the "new will not take up any space on your Google account" backup is not.

    There does not appear to be an option to still encrypt the backup and have it take up space on your account :/

  20. Mark Wallace

    They must be extraordinarily incompetent!

    I mean, I've watched oodles of US TV shows where the heroes hack into secure systems and break encryption with no more trouble than unlocking a door that isn't fitted with a lock!

    Maybe the Five Eyes need better spyglasses.

  21. StuntMisanthrope

    It’s not me, it’s you.

    trust (n.)

    c. 1200, "reliance on the veracity, integrity, or other virtues of someone or something; religious faith," from Old Norse traust "help, confidence, protection, support," from Proto-Germanic abstract noun *traustam (source also of Old Frisian trast, Dutch troost "comfort, consolation," Old High German trost "trust, fidelity," German Trost "comfort, consolation," Gothic trausti "agreement, alliance"), from Proto-Germanic *treuwaz, source of Old English treowian "to believe, trust," and treowe "faithful, trusty," from PIE root *deru- "be firm, solid, steadfast."

    from c. 1300 as "reliability, trustworthiness; trustiness, fidelity, faithfulness;" from late 14c. as "confident expectation" and "that on which one relies." From early 15c. in legal sense of "confidence placed in one who holds or enjoys the use of property entrusted to him by its legal owner;" mid-15c. as "condition of being legally entrusted." Meaning "businesses organized to reduce competition" is recorded from 1877. Trust-buster is recorded from 1903. #thehistoryofetymology

    1. Anonymous Coward

      Re: It’s not me, it’s you.

      I've always preferred: Trust, that condition necessary for betrayal. We "trusted" our governments. Seriously bad mistake as any of the people behind the US Constitution could have, actually had really, predicted.

  22. DCFusor
    Mushroom

    Why is no one reacting to the obvious?

    Unelected "officials" threatening legislation that can only be done by elected ones?

    So, how? Blackmail of those in office? Yet another abuse of the spook's powers?

    Tyranny is already here, they're just disguising it in the hopes we'll knuckle under more easily.

    All they want is more...

    Two:

    Metadata is all they need anyway. If they can demand clear text from anyone producing interesting metadata, you're done. Don't tell me the known-compromised Tor is going to save you, that's nuts - and ask anyone they wanted badly if it worked for them - hint, it didn't.

    Don't tell me the Swiss or others can't be turned - the IRS has already. These guys have more, not less, influence. People sure have selective memory when it's so nasty they'd rather pretend it doesn't exist.

    If they see something they are interested in and can't read, they have other ways and use them. They just don't want to have to do it "in bulk" as the very thing they're trying to avoid by this push is the revolution it would spark when people notice a thinning out of their friends and neighbors by force - the pitchfork and guillotine kind of revolution, not some fake tech "disruption" that only changes who gets how much of the skim - a little.

    It's clear they are not worried about *our* security, but their own - the obvious targets are people trying to organize around the truth. Governments are supposed to be afraid of their people, but not act this way in response - they're supposed to be our servants. This is a very thinly disguised attempt to make tyranny permanent - nip any resistance in the bud (other than state created fake resistance to some puppet to make it look like there's hope from escape from the true powers that be).

    It's going to be so much fun when you can be jailed - or worse - for refusing to "decrypt" stuff from /dev/random - they can then claim it was anything they want, eh?

  23. Schultz

    pursue... legislative... measures to achieve lawful access

    Bravo, pursuing legislative measures is exactly what the security services should do to uphold the spirit and letter of a democratic state of law. By all means, have an open discussion in the legislative body about the correct balance between police powers and citizens' rights. Feel free to pursue the full extent of the law to go after criminals. Just, please, don't try to cheat your way around the laws because you think you know better than the democratically elected representatives of your government.

  24. a_yank_lurker

    Traitors

    The excuse that encryption hampers criminal investigations is a straw man. If the communications were done face-to-face or by other non-electronic means (with burning of documents) it would be hard to reconstruct the conversations unless someone sings. Also, what is often more important is the location and metadata, as well as the contact history and device location. Make a couple of reasonable assumptions about the location and you can confirm or crack an alibi. The contact history shows who has been in contact and when; again, often it confirms or cracks an alibi. In both cases the content is not always important. And since there is a conversation, you only need one party to sing for you.

    1. DCFusor

      Re: Traitors

      Yes, people who think things like Tor protect them are delusional. Someone has a record of this MAC being online at this instant talking to that IP address (which might be a Tor node) and someone else talking - connect the dots, that's what Utah is for, right? My golly, they think ISPs don't have logs?

      That aren't routinely passed over under gag orders? We forget what we want to forget.

      You could avoid having a tracking device (known as a phone), which I do, just because I'm cheap and happen to think my time is my own - anyone who knows my number is not entitled to free entertainment by me at their pleasure. If I'm out and about, that's my business.

      But even that - or lack of social media accounts, now brands one as suspicious - "what are you trying to hide?". It's now hard to get a job without a reference to such (glad I'm self employed), hard to get credit without a long record (glad I don't need it - and they know more than the spooks do about you, oh wait, the spooks buy that info - the stuff they aren't legally allowed to just collect themselves).

      It goes on and on. As I said, tyranny is already here. The frog is boiled, so to speak. It's all done by controlling the narrative and making people believe this is the best way - at least most of us.

      They're just trying to nab the few with critical thinking who saw through it all and fell through the cracks.

      Propaganda is now legal, passed by the political party most crying about the current situation, which is ironic, but also just plain sad. I keep leaving this link here - you can work it out.

      https://phys.org/news/2011-10-darpa-master-propaganda-narrative-networks.html

      Remember, anyone who resists tyranny can be (and is) just defined as a terrorist, and we're done.

  25. tfewster

    Oi, 5-eyes

    Start obeying the law yourselves, then we can start a dialogue:

    - Warrants for snooping, like you have to for physical access.

    - No more getting an untouchable "partner" in another 5-Eyes country to snoop for you and using the results.

    Quite apart from the fact that atrocities are almost always committed by someone "known to the authorities", so you don't need the mass-surveillance anyway.

  26. tip pc Silver badge

    Authorities first

    Before I divulge all my encrypted comms and data to the spies, I’d like the authorities (yes all of them) to give me real time access to ALL data they hold on me with details of job titles that have accessed that data, dates when accessed, reasons for access and decisions made as a result.

    Once I get that then five eyes can have whatever they want from me.

  27. Old Used Programmer

    Sauce for the gander

    Once again...the first legislation that is needed is a law (with big sharp teeth) that mandates that the intelligence community is required to use the same encryption systems that they want everyone else to use.

  28. steelpillow Silver badge
    FAIL

    98 percent

    What they are doing is trying to create a narrow slot in the graph of security strength and force everybody in there. 97% illegally fails to protect privacy, 99% illegally fails to allow easy snooping, every supplier has to hit 98% secure.

    Who will be first in the dock in one country for illegally loose code, while simultaneously in the dock in another country because that same code is illegally tight?

    The only conceivable way ahead would be an international standard and certification body for 98% code, with supplier indemnity from prosecution under international law, once their code is approved.

    OMG look, Hell is freezing over...

  29. Jamie Jones Silver badge

    Meetings on a desolate beach

    You know, if I decide to go to some random beach with mini-me, to discuss taking over the world, should the governments ban beach going?

    Technology has made it far easier for them to track people in general - they want to still have that cake after eating it

    1. JohnFen

      Re: Meetings on a desolate beach

      "if I decide to go to some random beach with mini-me, to discuss taking over the world, should the governments ban beach going?"

      Of course not, don't be silly. They'll just demand that all beach-goers have to wear a wire.

      1. Jamie Jones Silver badge
        Happy

        Re: Meetings on a desolate beach

        Doh! Of course!

        Hark at me - always being negative! :-)

  30. Max Watson

    How about just get better at police work

  31. Milton

    Can they actually BE that stupid?

    How many times does it have to be repeated: algos for excellent encryption already exist, as do others for impossibly obscure low-bit-rate steganography, and others still for completely convincing data randomisation, all of which represent genies long since out of the lamp, and all of which can be implemented by any one of a few tens of millions of competent coders across the globe.

    Anyone with non-trivial security needs, most especially Black Hats, will be able to encrypt and hide messages and even quite large data among the few billion bytes created and uploaded every single day. Even plausible deniability isn't remotely difficult now.

    The only people who will be "detected" or "caught" by any kind of backdoor system (which is what we're talking about, even when other terms are bandied about) will be (A) lazy, thick, low-level crooks of no great importance, and (B) absolutely everybody else who uses encryption at any point on the Net, for banking, retail, site authentication, insurance, taxation, accounting, research, medical records, government, law enforcement, military, &c &c—because it is an iron-clad and historically proven certainty that any scheme accessible to government quickly becomes abused, misused, corrupted and ultimately leaked. If NSA can't keep their secrets, why would you be stupid enough to imagine that anyone can?

    It always boils down to this, oft-stated yet worth repeating yet again:

    Anything which weakens crypto for one person weakens it for everyone.

  32. Alex 72
    Coat

    Why break encryption

    Given that the main issue the 5 Eyes seem to have is with default-on encryption for things like iMessage and Android Messages, as well as WhatsApp and Facebook: if there were a system like the one described below, built into client device (laptop, desktop and mobile) OSes and made available to developers, maybe mainstream comms and software providers could still have some security and allow "lawful" access. But mainstream software isn't the problem for the real threats like terrorists; they use Telegram and Ricochet and custom onion router code to communicate, and even if they could find a way to incorporate this into those technologies without making them completely useless, no one would use them after that, as another open source app without this would appear in a day: a fork of the predecessor from the last commit before it was added, most likely with a shiny new name and no oversight. It's not the people who generate keys and share messages in the light you need to worry about.

    With Shamir's Secret Sharing, surely a key could be assigned with 4- or 5-factor authentication to allow authorised organisations with a warrant (i.e. anyone who can get a software or hardware token activated, a valid smart card for an approved organisation, and a password for an LDAP account on a trusted directory (with audited access so that anyone doing it without a warrant gets caught), plus a 2FA-secured passphrase based on the device info from an approved manufacturer employee, or something similar) to decrypt a built-in key which is random and unique, generated at manufacture. This key would never be stored on the device or anywhere else unencrypted (other than volatile memory on the device creating it) but in encrypted form on a WORM chip plus a manufacturer. Whilst this back door is still a potential attack vector, it is cumbersome enough to achieve that traditional blackhat hacking would be easier. The only problem with something like this is that 5 Eyes may not like it, as the manufacturer 2FA would mean that in circumstances where they would rather no one knew how many communications were being encrypted by agencies who have blanket warrants or who "don't need them", the manufacturer would know and could insist that agencies provide authorisation or a warrant every time, and would report it to other agencies and the media if anyone ever fraudulently claimed to have a warrant but didn't...
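    The threshold primitive behind the proposal above, as an added example that is not the commenter's design nor any vendor's code: Shamir secret sharing splits a key into n shares so that any k of them reconstruct it, while k-1 shares are consistent with every possible key and so reveal nothing. Arithmetic is done in the prime field of 2^521 - 1 (a Mersenne prime, wide enough to hold a 256-bit key as one element); the share counts, the constant-coefficient test generator and the sample key are constructed values.

```python
"""Threshold key escrow with Shamir secret sharing over GF(p).

Added example (not the commenter's design or any product's code): a key is
split into n shares, any k of which recover it, while fewer than k reveal
nothing.  P = 2^521 - 1 is prime and holds a 256-bit key as one field element.
"""
import secrets
from itertools import combinations

P = 2 ** 521 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of a0 + a1*x + ... + a(k-1)*x^(k-1) modulo P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, k, n, rng=secrets.randbelow):
    """Return n points (x, f(x)) on a random degree k-1 polynomial with f(0) = secret."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= secret < P:
        raise ValueError("secret must be a field element")
    coeffs = [secret] + [rng(P) for _ in range(k - 1)]   # a0 is the secret, the rest random
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the supplied (x, y) shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P            # product of (0 - xj)
                den = den * (xi - xj) % P        # product of (xi - xj)
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def split_key(key, k, n, rng=secrets.randbelow):
    """Split a raw key (bytes) into n shares; any k recover it."""
    return split_secret(int.from_bytes(key, "big"), k, n, rng)


def recover_key(shares, nbytes):
    """Rebuild the raw key from at least k shares."""
    return recover_secret(shares).to_bytes(nbytes, "big")


def quorum_check(key, k, n, rng=secrets.randbelow):
    """Return (every k-subset recovers the key, the first k-1 shares recover the key)."""
    shares = split_key(key, k, n, rng)
    all_k = all(recover_key(list(c), len(key)) == key for c in combinations(shares, k))
    under = k > 1 and recover_key(shares[:k - 1], len(key)) == key
    return all_k, under


# Constructed sample key; a real deployment would use the device's random key.
SAMPLE_KEY = bytes(range(32))

if __name__ == "__main__":
    shares = split_key(SAMPLE_KEY, 3, 5)
    print("3-of-5 shares issued:", len(shares))
    print("recovered from shares 1,3,5:", recover_key([shares[0], shares[2], shares[4]], 32) == SAMPLE_KEY)
    print("k-subsets all recover, k-1 recovers:", quorum_check(SAMPLE_KEY, 3, 5))
```

    What the primitive settles is only the k-versus-k-1 boundary that quorum_check exercises. Everything else the thread raises stays open: who holds the shares, how the holders are audited, and the fact that a key reachable by any k cooperating parties is equally reachable by k compromised ones, which is why the shares themselves become the asset to protect.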

  33. Anonymous Coward

    These fucking fuckers can fucking fuck the fuck off.

    1. Adam Foxton

      Fuck yeah!

  34. whitepines
    Flame

    I've said it before, I'll say it again to this particular type of idiocy:

    The right to absolute privacy of a written (or otherwise "fixed") idea has always been guaranteed. For as long as there has been paper and writing means, there has been fire. Maybe they should also ban fireplaces and flammable writing media while they're at it.

    Good police work involves establishing guilt without having a diary to present to court (since oftentimes such books go up in flames before being retrieved for evidence). There is no reason the same good police work can't apply to cases where the criminal has encrypted the diary on a computer (hint: hard drives are vulnerable to drills, hammers, and bricks, too. Want to ban those as well?).

    This is all about dragnet surveillance, nothing more. Real criminals leave physical evidence that is far from encrypted (DNA, bomb making materials, metadata from meetings with other criminals in the public sphere, etc. etc.). Use that, throw the real criminals in jail with real, irrefutable evidence, and maybe, just maybe, the agencies involved will be respected instead of scorned.

  35. RegGuy1 Silver badge
    Facepalm

    Brexit, anyone?

    This includes development of capabilities to prevent uploading of illicit content, to carry out "urgent and immediate" takedowns, and more investment in human and automated detection capabilities.

    Major firms should also set industry statements and help smaller firms deploy these capabilities on their own platforms.

    These are not the same bozos who think Brexit will be wonderful, are they? They are using the same delusional language.

    1. WatAWorld

      Re: Brexit, anyone?

      From my understanding they're dead against Brexit. It will cost them their connection to EU police and intelligence databases.

  36. Paul Hovnanian Silver badge
    Pirate

    Actual motive

    "prevent uploading of illicit content"

    Our intelligence services acting as rent-a-cops for Disney and the MPAA. Society will not suffer greatly if someone makes illegal copies of Mickey Mouse.

  37. Suburban Inmate

    Banning proper crypto isn't the point

    The point of this legislation isn't to wipe out strong crypto to thwart all those naughty 'terrorists'. The point is to make fishing expeditions routine and automated ("How did you know I'd be at this protest?"), and to make those using proper encryption stand out more.

    After all, if you're making an effort about privacy, you must have something to hide from the regime our kind and beneficent government, right?

  38. JustSomeBloke

    Many countries who fail to respect the rights of their citizens force companies to add an encryption hop (so it is in the clear for them) or block the app. They hunt for VPNs and close them down. For the savvy individual there are ways around this but for a lot of people, they live in a monitored society.

    It must frustrate the North American and European governments that their voting public won’t also allow them to do this.

    Personally, I think that we have to come up with some sort of solution. As much as we ridicule these agencies, it is a concern that the observable shift to more right wing politics (particularly in Europe), means that we could face a backlash sponsored by our own electoral systems.

    1. Paul Hovnanian Silver badge

      "It must frustrate the North American and European governments that their voting public won’t also allow them to do this."

      As if the three-letter agencies give a hoot about the law or voting public. The only time this becomes an issue is if they need to build a court case based on the collected evidence. At this point, a court-issued search warrant and possible serial 14 month jail terms for non-compliance should be enough.

  39. TheOldFellow

    Invest in Quantum Computing Now (IQCN)

    The only way out is to be able to crack encryption. Any legislation will fail because the laws of math are higher than the laws of misgovernments. Only Quantum Computing will work. At least at first Quantum Computers for encryption cracking will be too expensive for crooks, only taxpayer-raping misgovernments can afford them.

  40. Anonymous Coward
    Anonymous Coward

    And then there's steganography ...

    Just try finding a 1K plaintext message in a 10Gb video file.

    1. defiler

      Re: And then there's steganography ...

      Until you realise that the video is actually a 4k clip of the message on a whiteboard.

  41. TiddlyPom

    The biggest threat to law and democracy is the erosion of the right of silence

    There have been a number of cases in the UK using the (illegal) RIPA legislation (and subsequent replacements) to force individuals to give up passwords with the threat of years in prison hanging over them if they do not reply. I automatically generate long hex passwords for encryption containers so (deliberately) I would be unable to remember the passwords. Customer data needs to be protected especially in the cloud. What then? You threaten to jail somebody who cannot comply with something that they are physically unable to comply with in any case. What about the right of silence?

    This is psychological torture and as such is illegal under human rights legislation (and international commitments against torture). This legislation has been used to threaten (and imprison) people who do not comply. This is the start of tyranny and state sponsored torture. If you happen to agree with torture and waterboarding then fine but I don't. This is no better. It doesn't matter if the person is a criminal or even a potential terrorist. You cannot torture them. That is against international law. Psychological torture is still torture.

    1. Anonymous Coward
      Anonymous Coward

      Re: The biggest threat to law and democracy is the erosion of the right of silence

      Whilst you are right, there are some considerations.

      Ultimately, it's the prosecution's job to provide evidence to a court of your wrongdoing, and to convince them "beyond reasonable doubt" that you are guilty *in law* of the offence laid before the court.

      There is no requirement upon a defendant to "prove" anything. Whilst the cerebrally challenged have always struggled with this outside court, it's the way things go *inside* the court.

      So not saying or doing anything from the get-go (i.e. from arrest) cannot be held against you. You have always had that "right of silence".

      Where people fall down is to start talking when arrested. At which point - game over. You can then be challenged over what you said, and if you choose not to take the stand in court, the judge can point it out to the jury. By the same token, if you say nothing when arrested, but have War and Peace ready for your trial - the judge can mention it.

      It's incredibly rare for a defendant not to take the stand. But when it happens, it can kill a prosecution dead, as it leaves the prosecutors having to suggest what you may (or may not) have thought, but your barrister will just sum up by saying they are nice fairy stories, but nowhere near the truth. And the judge will have to sum up reinforcing the "beyond reasonable doubt".

      Totally agree about RIPA though. Hence what a PP noted about steganography.

      1. TiddlyPom

        Re: The biggest threat to law and democracy is the erosion of the right of silence

        That's not how it works at all. The Police bully you to try and get you to admit to a crime that you have not admitted. RIPA is used as a threat to force you (under duress) to divulge passwords (even assuming that this is possible - not in the case of long computer generated passwords!) or even to admit to a crime that you did not commit in order to avoid a longer sentence. No proof required. After all, you *might* know the password and the file *might* contain terrorist information or *might* contain illegal pr0n. This is not about a conventional "find the evidence then convict somebody" case. It is about bullying somebody until they give in. As an example, if you are *accused* of child related crimes then of course you *must* be guilty or *must* be a danger to the public even if there is no evidence. Same with terrorism. After all, public safety is everything isn't it. Human rights should only apply to non-criminals, right?

        No WRONG.

        Human rights are universal. Beyond reasonable doubt cannot apply if there is no evidence or this is just somebody's opinion/story. Look at the false accusations of child abuse where this has been the case - especially the high profile cases. Beyond reasonable doubt does not apply if there is no evidence and yet plenty of people have been convicted in the absence of such. Much easier for the Police if they don't have to PROVE you're guilty isn't it...

  42. onemark03

    Spies still butthurt they can't get at encrypted comms data

    The benefits - real or imagined - are to the state, not the public.

  43. CAPS LOCK

    Hahahahaha, speaking as a pedrofile and terrist, I politely decline GCHQ approved software...

    ... Wait a minute, what is that you say, 'They'll make a law compelling me to use it'. Curses, foiled....

  44. Anonymous Coward
    Anonymous Coward

    I have a solution

    5 eyes should combine resources- and get more resources from their governments (they like plans that give them more money, don't they?)- to work together on a very, very big computer to crack encryption.

    Starting from the lower end old flawed encryption schemes, working through known implementation errors, and following this process. Keep a list of known 'weak spots' where things are decrypted or where useful metadata can be harvested.

    Keep doing that until they're left with no choice other than to break out the Big Gun and brute force it.

    So we chuck money at them to chuck at crypto research, quantum computers, massive supercomputing and GPU based parallel processing with the aim of becoming able to crack pretty much any encryption they come across.

    The result? They're happy as they've got stacks more funding and legal permission to break any encryption by a weakness in it- whether that's a small key, an implementation flaw, or suchlike.

    And everyone else wins as they pour money into research helping quantum computing, graphics processing and other fields which benefit the rest of us. Plus, if they never succeed the rest of us remain secure.

  45. TimMaher Silver badge

    Stephen Nicholson

    They gave him 14 months for refusing to reveal his FB password.

    Nothing else to say really

    1. GrumpyKiwi

      Re: Stephen Nicholson

      Yes but... they had to work for that conviction. Not just sit around on their lazy asses slurping up all the information and fishing for something to justify their existence. Much easier not to have to do all that nasty work that takes time away from drinking tea and watching porn.

      Remember there are three kinds of bureaucrats: Lazy, stupid, lazy & stupid

    2. Anonymous Coward
      Anonymous Coward

      Re: Stephen Nicholson

      True, but he opened his mouth first ...

  46. Anonymous Coward
    Anonymous Coward

    People laugh but

    I rely on physical security rather than encryption. Barring some method of hacking pen and paper (good luck with that) authorities will only ever be able to get a vague idea what I am working on. My current physics paper would permit time travel so not sure what level of classification this would be.

    It has every chance of working and from discussions elsewhere publishing it would probably not get me on the wrong side of the law as I understand it, at least not until it has been experimentally verified.

    Just as a taster, it uses some intriguing modifications of the Einstein-Rosen bridge that permit through-Earth communication beyond light speed and one day may lead to practical interstellar and possibly intergalactic travel. I am not sure how the world will react.

    1. Woodnag

      "I am not sure how the world will react"

      Disbelief and sarcasm, for starters.

      1. Anonymous Coward
        Anonymous Coward

        Re: "I am not sure how the world will react"

        Sure, it's based on some off-the-wall ideas but as it stands I am getting a 50% or better success ratio on complex events. Unfortunately it does not appear to be able to do more than that, yet.

        Maybe with more funding?

        I seem to have reached an impasse, as it turns out the ERB on which it depends is transient and only ever appears for about 3-18 seconds at a time every few days to weeks. It does seem linked to solar activity and other factors including lunar cycle wrt Sun position and possibly can be predicted but still need to run some more tests including trying to get a screenshot of the mysterious signal complete with bargraph translation and exact centre frequency.

        Perhaps if I can get an exact triangulation using previous events the next event will be visible on a Pi 0W NoIR TEC stack cooled camera? Some folks suggest that ball lightning might be something similar.

  47. WatAWorld

    Paraphrasing

    In an official communiqué on the confab, they claim that Russian, Chinese and North Korean inability to access encrypted content risks undermining democratic justice systems, because the guys working for the Five Eyes can't access it either – and issue a veiled warning to industry.

    Yeah, "we" need to be easily spied upon so that we can be safe.

    "We" need to be easily hackable so that we can be safe.

    "We" being everyone who does not work for a national security agency, and includes our enterprises, our entrepreneurs, our inventors, our lawyers, our politicians, our academics, our physicians, our artists, and our teenage daughters.

    The guys at that confab, they're a bunch of chekists.

    https://en.wikipedia.org/wiki/Chekism

    Look at the management of US-based hedge funds. They all seem to have ex CIA and ex MI5 on them.

    And of course it goes without saying that major businesses in Russia are mostly run by ex KGB, FSB officers (KGB and FSB being the successors to the Cheka). Same in China with their ex MSS officers.

    To put it bluntly: How can one be loyal to their country without being loyal to their country's peaceful citizens? Are they not instead being loyal to their agencies and each other?

  48. Anonymous Coward
    Anonymous Coward

    Well...

    I have read all this, and I have this to say:

    I rolled my own crypto that is so advanced, not even quantum can crack it. Quantum excels in math. My crypto, although it uses math, it also uses boolean and logic as well. With the diffusion method that I am using, variable S-boxes, random order of math/logic operations, they would be better off attempting to brute force the key, and even that will take longer than the age of the universe.

    How do I know this?

    I was paid a visit by the G-men. You know the type. They wear sunglasses, black suits, and have no necks. They asked me a question. That question was "Why would you create such an evil encryption algorithm? What are you trying to protect? And from whom?"

    My answer consisted of three words: You, Me, You.

    Nothing more needed to be said.

    1. nice spam database '); drop table users; --

      Re: Well...

      github please :D

      if enough of us create algorithms for encryption, it would be great.

  49. David Roberts
    Big Brother

    Crypto schmypto

    So much commentary on encryption when everyone knows that you can't effectively backdoor encryption.

    The narrative has moved on.

    At some point, to be intelligible, the information has to be in clear. Pre/post encryption. 5 Eyes are mandating that the data has to be accessible in clear to themselves.

    There are already major concerns that router encryption chips can be told to divulge clear text. China won't use US routers and vice versa. This just extends reach so that all commercial hardware platforms have to have embedded capability to reveal clear text pre/post encryption.

    There is a lot of suspicious stuff embedded deep below the OS on computer motherboards. Mobile SOCs get more complex every iteration so almost anything could be buried in there.

    Going on about encryption is just the magician waving one hand in the air to distract whilst the other hand does the real work.

    Regardless, someone has to design and manufacture any intrusion system and then employees have to use it. There may be a brief gain early on, but information invariably leaks over time. Down the line we will find out what they really did.

    Think about how you can securely encrypt off platform. Not using computing hardware made by someone else. This includes USB devices because they have a SOC in them.

    Recommendation; learn to hand encode important messages using One Time Pads, obscure book references, code words, other traditional methods. Give up all naive hope that your everyday online brain farts and cat pictures will ever be secure from official and officious snoopers. Oh, and make sure you include a lot of garbage text in your daily communications to mask the important stuff.

    1. Anonymous Coward
      Anonymous Coward

      Re: Crypto schmypto

      @David Roberts

      Alice and Bob don't need "obscure book references". How would you start to even guess which book is used for a book cipher -- like this example?

      *

      Then there's the problem of metadata -- who is THIS anonymous coward?...and who are the intended recipients of this public message? The curious among us would like to know!


    2. MachDiamond Silver badge

      Re: Crypto schmypto

      Another technique is to do the encryption on one device and send it on another. Don't communicate anything on a mobile device that is sensitive. Mobile devices are big phat easy targets as so many people lay them out on the table in front of them and it's so easy to distract the target while another person grabs the phone. All they have to do is keep the phone busy so it doesn't go to sleep and relock. That's a really simple device to build to do it automatically along with providing power so the phone battery doesn't go flat. If you know the make and model of the phone, putting together something that will copy all of the files isn't too hard either. If you want to be really tricky, you hand the phone over to the bar or cafe where you lifted the phone telling them you found it on the floor. The owner thinks they dropped it and may not do any damage control like changing banking codes etc.

  50. NonSSL-Login

    They got used to having access to more of our communications than what they were entitled to and now want to push so that it continues. They should just be glad they had it while they did.

  51. Tom Paine
    Megaphone

    SUBS!

    Major firms should also set industry statements and help smaller firms deploy these capabilities on their own platforms.

    Should presumably be 'standards'

  52. Anonymous Coward
    Anonymous Coward

    Spooks caught with hand in cookie jar. Cookie jars are now locked by owners. Spooks upset they can no longer steal cookies.

    Oh boohoo, they have proven time and time again that they are unreliable little data-junkies with little to no regard for the privacy of ordinary citizens. Why don't they start by showing us that they know how to behave before continuing their demand for access to anything, anywhere.

  53. chuckrman
    Big Brother

    Different view/tinfoil hat warning

    What if the whole point of the backdoor is to mask decryption capabilities. In my viewpoint (you may decide otherwise) encryption is *always* a temporary measure. The value of encryption is to conceal information until it is no longer useful. It does not prevent something from being unknown forever. The race between encryption and decryption pretty much guarantees that at some point an encrypted bit of information will be deciphered. However, if you start putting mandatory backdoors the question of how you got through the encryption becomes more murky. Was the encryption broken or was there a backdoor? This makes it a little more difficult for the intelligence community (of any given entity) to determine risk. Was it a product issue? Was it an algorithm issue? Was it a leak? Think of it on a lower level such as a divorce proceeding where one spouse is hiding information from the other. Does not have to be at the nation state level. This I think opens up doors on a lot of levels.

  54. nice spam database '); drop table users; --

    It's just a formality

    Talk about freedom and democracy and whatnot, but we have detention centres like Guantanamo, we have the Patriot Act, FISA, etc, extended for as long as they want. All this in the face of the whole world, "what is known to the public" which is obviously the tip of the iceberg.

    No wonder NK and China have their own internet isolated from all this madness. For any real country (as opposed to vassal/puppet states) handing their data to google/fb and company is cyber-suicide.

  55. Anonymous Coward
    Anonymous Coward

    They just want permission

    Not sure what all this is about. They have the capability to do most of this already. To me they just want official permission....

    1. streaky

      Re: They just want permission

      There's capability to do it, but that doesn't mean it isn't computationally expensive. Even if they have "broken" crypto they have to find keys per user, and even if we assume things like TLS are deeply flawed (with little to no evidence this is the case) it's very unlikely this is trivial. Personally speaking, I like it that way - sure they can read my stuff if they really feel they have to but it shouldn't be so easy they can go on massive trawling expeditions which of course is *precisely* what they want to do. Basically it should be easy enough they can read a few thousand people's emails a year, but it shouldn't be so easy they can read a few million or billion, and I suspect that's probably roughly where we are.

  56. heyrick Silver badge

    and warned that governments can always legislate if they don't

    Good luck legislating mathematics...

  57. streaky

    Privacy.

    Privacy laws must prevent arbitrary or unlawful interference, but privacy is not absolute

    I don't believe many people are saying it is.

    There are reasons in a perfect world where privacy isn't the be all and end all of the conversation. The problem is there are technical and security barriers layered on top of the privacy issues. Five Eyes and also other foreign powers screwed the pooch - there used to be an element of trust and a large amount of secrecy - then Snowden told us what they were up to. One can only assume what China, Russia, Germany and others are doing is as bad or, potentially given their laws, worse.

    Unfortunately cryptographic services and ciphers are going to get stronger and stronger until they shut the hell up for 5 minutes. Every time they talk about this 10 new services pop up to keep them out. They can force all the companies they like, all they'll do is make people assume that they have the likes of Facebook, Microsoft, Apple, Google et al backdoored and use other services outside their reach. We use services like Signal internally because of the risk of warrantless (both meanings) state access to internal communications provided by such companies. We're just going to end up with more of that more of the time and using stronger security.

    This is all to say they're actively doing economic harm to their own states which in the case of GCHQ and assumedly many other such alphabet agencies is the exact opposite of their reason for existing, they're supposed to protect the economic well-being of their respective countries, not actively harm it. "in the interests of the economic wellbeing of the United Kingdom" - says so right there in the Intelligence Services Act 1994.

    1. Chronicle18

      Re: Privacy.

      Yes, it also legislated under the internal realm security act of 1950 that no law enforcement may detain, obstruct or impea regardsd the agent of a foreign principal. Kind of telling when Cambridge University is the central recruitment arm for the federal securities services in central Russia don't you think, then there's the current president elect facing indictment on several charges for tax evasion and money laundering with his son in law running Citibank with its history of tax evasion. Break the cryptography, put backdoors everywhere and hand it all to trump, after all what's the worst that could happen?

      No collusion, just a witch hunt!

      Pfft, yeah ok we the proletariat don't believe every lie!

  58. TimB

    They know exactly what they're doing

    If they really believed it was as simple as "Look guys, just give us access so we can stop the terrorists", they wouldn't go to the trouble of issuing communiqués with veiled threats of legislation for non-compliance - they'd just jump directly to legislation. They know exactly what they're doing and they don't want a backdoor. They want a culture shift so that encrypted messaging goes away completely, so that the very presence of encryption is a cause for interest.

    All these stories about tech companies refusing to help aren't aimed at you - they're aimed at the man on the Clapham omnibus. They want him to ask why Whatsapp messages use end-to-end encryption in the first place - why this is a concern now when a couple of years ago he could just send an SMS and it worked exactly the same but didn't help the terrorists and pedophiles. They want broad consumer support in place before they legislate against the use of end-to-end encryption in consumer messaging products.

    They know they'll never stop encryption - that's not the goal. They just want it so that nothing on the app stores uses end to end encryption, so anybody left who does still use it becomes interesting again.

    1. streaky

      Re: They know exactly what they're doing

      they wouldn't go to the trouble of issuing communiqués with veiled threats of legislation for non-compliance

      I've pointed this out a few times before. If it was such an urgent problem and above all other concerns they'd just do it and try to wait out the consequences. Obviously not going well is it.

  59. rnturn

    Are they really this stupid?

    > saying that they have "no interest or intention to weaken encryption mechanisms"

    Having special access to encrypted data == backdoor == weakens encryption mechanism

    Again, are these agencies so stupid that they believe that the means that they would have to access someone's encrypted phone/data would never--ever--make it into the wild? And that the public won't see through this lame assertion? [smh]

  60. GiveMeSteam

    I support spies

    I support Five Eyes cooperation.

    I think the NSA is well regulated and disciplined and they only spy on foreigners, for the purpose of national security, which I don't have a problem with. I know a lot of people have a low opinion of government, and don't believe that, but I think in general it is true, and you have to ask what happens if we really need to be defended, and we've so weakened our spies that they cannot defend us?

    I encourage people to put back doors in their stuff. It's people's idea that they can have private communications, using technology, that's ridiculous. People should expect to be spied on, and simply not commit crimes. It's pretty straightforward.

    1. whitepines

      Re: I support spies

      Care to post your religion, gender, browsing history, social graph, the last 2000 books you have picked up and/or read, all games you have played, all movies you have seen (and where, and on what media), and the entire text of everything you have written everywhere (public and private, including physical diary?)

      I'm sure I can find a crime or two you've committed in there. Probably a few felonies too. Hope you enjoy your stay in prison!

    2. Claptrap314 Silver badge
      FAIL

      Re: I support spies

      Nice bit of trolling, but this is the internet. Sarcasm tags required. As demonstrated by the above. :(

    3. Claptrap314 Silver badge
      Pint

      Re: I support spies

      I swear--this gets funnier every time I read it. You already have my upboat. Have this -->

  61. Anonymous Coward
    Anonymous Coward

    Re. Internet history

    I thought about this a while back.

    Even tried to go through mine to see if there was anything interesting I'd forgotten about such as old downloaded PDFs that have now been deleted but alas nothing.

    Shame, because that's a lot of work to get back now without a working drive.

    Incidentally still trying to locate a replacement BIOS chip, if anyone has a source for these (it's for an Acer tablet PC) needs to also have some free space available for the DSL boot image.

    Ideally a 25128 would be fine if I also rewrote the checksum etc and it can sideload the rest of boot image from SD card so it should be moderately secure.

    Thought the HDMI was busted but checked and it's not the problem. Maybe eMMC failure?
