Fundamentally, I think the issue is more about technical literacy amongst the political establishment who consistently rely on the fallacy that having nothing to hide means you have nothing to fear. Especially in the UK which operates as a paternalistic state and enjoys authoritarian support across all parties.
On the authoritarianism: these laws are always worded in such a way that they can be applied or targeted vaguely, basically to work around other legislation. They will stop thinking of the children as soon as the law is put into play, and it's hardly likely that pedo rings or rape gangs will be top of the list of priorities.
On the technical literacy: the government has the mistaken belief that their back door will know the difference between the good guys (presumably them) and the bad guys, and the bad guys will be locked out. However, the only real protection is security by obscurity: it's illegal to reveal that this backdoor exists or was even requested. Any bad guy can make a reasonable assumption that a multinational tech company offering cloud services has been compromised, so this just paints another target on their backs.
I've said it before, but I guarantee that the monkey's paw has been infinitely curling with this, and it's a dream come true for any black or grey hat hacker who wants to try and compromise the government through a backdoor like this.
It's not literacy. They don't care. They need control, and if establishing control means increased risks for you, it's not something they see as a negative factor. It's your problem, not theirs.
The government put in restrictions against using certain powers in the Investigatory Powers Act to spy on members of parliament (unless the Prime Minister says so, section 26), so I think they're just oblivious to the risk model of "when hackers are involved, the computer isn't capable of knowing the order wasn't legal".
No, it shows they're thinking of computers like they think of police officers.
Computer literacy 101: to err is human, to really foul up requires a computer.
They don't understand that by requiring the capability for going after domestic criminals, they've given a huge gift to their international adversaries' intelligence agencies. (And given this is about a computer vulnerability, "international adversaries" includes terrorists, and possibly disgruntled teenagers, not just governments).
They understand. Signal Foundation's president, Meredith Whittaker, among many other tech leaders, have made it abundantly clear to both the UK and the EU.
I personally campaigned at the time the law was being debated. Met my local MP, even.
If I'd known about the idea of "inferential gap" at the time, my own effort might not have been completely ignored… though probably still wouldn't have changed the end result as I still don't know how to show lawmakers that their model of how computers and software functions has led to a law that exposed them, personally, to hostile actors.
How even do you explain to people with zero computer lessons that adding a new access mechanism increases the attack surface and makes hacking easier?
The politicians seem to see computers as magic boxes, presumably in much the same way and for much the same reason that I see Westminster debates and PMQs as 650 people who never grew out of tipsy university debating society life.
(And regardless of if it is fair for me to see them that way, that makes it hard to find the right combination of words to change their minds).
> How even do you explain to people with zero computer lessons that adding a new access mechanism increases the attack surface and makes hacking easier?
You literally tell them that. That's it. As prominent tech leaders have been doing. They either choose to believe experts, or disbelieve them. Or they could get a CS major. They chose option #2. They ostensibly disbelieve experts because what they're hearing does not mesh with what they want.
But let's be honest with ourselves; it's not that they disbelieve them, or don't understand. It's that they don't care. You are giving these people way too much of a benefit of the doubt. They have the tools at their disposal to remove any ignorance.
> You literally tell them that. That's it. As prominent tech leaders have been doing.
As it's not working, QED not "that's it".
> You are giving these people way too much of a benefit of the doubt.
They're hurting their own interests in the process. If they were just hurting my interests, I'd agree with you. But this stuff increases the risk to themselves, directly. I may have even told them about https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204 given the timing.
> Neither is underestimating your enemy or making excuses for their behavior.
Indeed. I do neither, which is why I left the UK.
It would be underestimating them indeed to have remained there — I foresaw, even then, that a story equivalent to this very headline would eventually emerge.
And it would also be over-estimating myself to think that I could change them after the Act when I could not change them before the Bill.
Absolutely not, MPs are not too stupid to process the concept of “a back door is a back door” they simply want this power and do not care about security or privacy if non-MPs. Everyone who voted for this needs to be thrown out of politics, but that will obviously not happen.
They don't even need control. They want control. Why? Either they're idiots who think they need control or they are tyrants who know they'll need control later on when they start doing seriously tyrannical things.
It's natural for the government to want control. It's literally what it is optimized for - control. More control is always better than less control. More data about subjects always better than less data. What if they do something that we don't want them doing and we don't know? It's scary. We need more control.
> they'll need control later on when they start doing seriously tyrannical things.
You mean like when they start jailing people for social media posts? Or when they are going to ban kitchen knives? Or when they're going to hide a massive gang rape scandal because it makes them look bad? Or when they would convict 900+ people on false charges of fraud because they couldn't admit their computer system was broken? Come on, we all know this is not possible.
I used to think it was illiteracy, but when you hear politicians talk about this you realise more often than not they're not completely naive and can speak to the concerns people have, but fundamentally their calculation here is that privacy doesn't really matter that much and when your argument for not breaking encryption based around the right to privacy you're not going to convince them to care.
You see a similar thing in the UK (and Europe generally) with freedom of speech. Politicians here understand why freedom of speech is important and why people some oppose blasphemy laws, but that doesn't mean you can just burn a bible in the UK without being arrested for a hate crime because fundamentally our politicians (and most people in the UK) believe freedom from offence is more important than freedom of speech.
When values are misaligned (safety > privacy) you can't win arguments by simply appealing to the importance of privacy or freedom of speech. UK values are very authoritarian these days.
Well it’s important that the argument is correct. They view ending end-to-end encryption as a way to restore the effectiveness of traditional warrants. It isn’t necessarily about mass surveillance and the implementation could prevent mass surveillance but allow warrants.
I oppose that because end to end encryption is still possible by anyone with something to hide, it is trivial to implement. I think governments should just take the L in the interest of freedom.
> They view ending end-to-end encryption as a way to restore the effectiveness of traditional warrants.
Traditional warrants couldn't retroactively capture historical realtime communications because that stuff wasn't traditionally recorded to begin with.
> It isn’t necessarily about mass surveillance and the implementation could prevent mass surveillance but allow warrants.
The implementation that allows this is the one where executing a warrant has a high inherent cost, e.g. because they have to physically plant a bug on the device. If you can tap any device from the server then you can tap every device from the server (and so can anyone who can compromise the server).
They shouldn’t be able to tap any device from a server. I’m guessing they would have to apply for a warrant and serve the warrant to Apple who review the warrant and provide the data.
Putting the panopticon server in a building that says Apple or Microsoft at the entrance hasn't solved anything. Corporations are hardly more trustworthy than the government, can be coerced into doing the mass surveillance under gag orders, could be doing it for themselves without telling anyone, and would still be maintaining servers with access to everything that could be compromised by organized crime or foreign governments.
Which is why the clients have to be doing the encryption themselves in a documented way that establishes the server can't be doing that.
"Especially in the UK which operates as a paternalistic state and enjoys authoritarian support across all parties."
What is a "paternalistic state". I studied Latin so obviously I understand pater == father but what is a father-like state?
What on earth is: "authoritarian support across all parties".
The UK has one Parliament, four Executives (England, Northern Ireland, Scotland, Wales) and a Monarch (he's actually quite a few Monarchs).
Anyway, I do agree with you that destroying routine encryption is a bloody daft idea. It's a bit sad that Apple sold it as an extra add on. It does not cost much to run openssl - its proper open source.
In medicine, a paternalistic attitude towards the patient from a point of authority (like a father)
The doctor acts as if he knows more and knows what is better. The patient has his own preferences and priorities, but they don't necessarily match with what the doctor does.
I suppose a paternalistic state functions to satisfy the needs of the people, and to define those needs. The people get what the state says is best for them.
Paternalism, unless I'm mistaken, is a belief among those in power that they what's best for you, better than you do, and will exercise power on your behalf in that manner. Just like your parents do when you're a child.
Government knows what’s best for the people (colloquially we call it the nanny state).
All our main political parties have an authoritarian slant so these policies have rarely received long-lasting opposition. Literally every government in office for the past 30-odd years has presented legislation like this.
Are you trying to disagree with them by pretending that they're speaking rubbish? As a Brit, their comment made complete sense to me.
By the way, there is no 'England' executive; it's the government of the United Kingdom, which handles all matters not devolved, in England and the rest of the UK.
> that having nothing to hide means you have nothing to fear
hopefully the US turning from leader of the free world to Russia's tool will give them the kick they need to realise that just because you trust the government now doesn't mean you trust the next government or the one after it.
You probably don't want to look up which US President tried to force Apple to insert an encryption back door into iPhones back in 2015.
However, Google did only start moving to protect location data from subpoenas after people started to worry that location data could be used as a legal weapon against women who went to an abortion clinic, so your larger point stands.
That would be none, as it was the FBI, operating independently (as it's supposed to), which tried to force the issue. They even tried to go to Congress but found little support for their stunt. I'm not even sure Obama ever spoke in support of the backdoor, much less used any political power to make it a reality.
Haven't we already learned that gaslighting the public is counterproductive?
President Obama sold himself as a Constitutional scholar who would set right the civil liberties overreach of his predecessor.
You aren't going to convince sane people that his executive branch agencies sought to gut the fourth amendment without his being aware of it, despite months of extensive press coverage.
"the other side is just as bad" isn't the justification that a lot of people seem to think it is. if you don't like what the other side has done, don't just copy them. do better.
It's simpler. If you claim that a particular action would be bad if the other political team were to perform it, don't suddenly make excuses for that very same action if it turns out that your favored political team has previously performed it.
Points about Russia or partisan politics aside, there are now at least 10M people living in the US who have a very strong incentive to hide all their data from the executive branch. That's to say nothing of the countless millions who might want to help them.
The demand for encryption just exploded, in a legal gray area (city, state, and federal laws seem to be in conflict here) it's just a question of whether governments allows the supply to follow.
He demands $500bn of rare earth minerals, insists that Ukraine started the war by getting invaded and wants Zelensky to be replaced by a Russian puppet. It's amazing how the US went from the defender of the free world to just another thug.
what do you call US nukes in Europe? that's exactly what it was - Pax Americana, 70 years of peace and prosperity has come to an end for most countries. Now Russia has an ally in their old enemy.
Dude. Learn some history if you think Europe had peace for 70 years. I'll help, Google Yugoslavia. Also, Google all the wars or "interventions" that NATO/US did all around the world.
It's truly repulsive how imperialistic warmongerers like you pretend you're "the good guys".
What the politicians want is partial security: something they can crack but criminals can't. That is achievable in physical security, but not in cybersecurity.
I have a feeling the politicians already know partial cybersecurity isn't an option, and don't care. Certainly, the intelligence community advising them absolutely does know. We don't even have to be conspiratorial about it: their jobs are easier in the world where secrets are illegal than in the world where hackers actually get stopped.
Any physical lock can be manipulated, even the particularly high-security ones. But in practice, most locks are not even challenged because doing so requires actually walking up to the lock and trying. You can't try every physical lock in existence; but you can try every digital lock. So the effects of, say, an encryption backdoor key compromise would be far greater and far more immediate than, say, the compromise of the Travel Sentry master keys.
With physical security the state apparatus can provide physical security in the form of police and what not, as well as deterrence and punishment.
In the world of cryptography it's... a bit harder to do something similar. In the best case they can come up with a key escrow system that doesn't suck too much, force you to use it, and hopefully they don't ever get the master keys hacked and stolen or leaked. But they're not asking for key escrow. They're asking for providers to be the escrow agents or whatever worse thing they come up with.
> That is achievable in physical security, but not in cybersecurity
This isn't accurate though, and leads us down the path of trying to prevent these bad laws from a technical perspective when we should be fighting the principle of the bad law not just decrying it for being "unworkable".
It is possible to construct encryption schemes with a "backdoor key" while still being provably secure against anyone else.
This creates precisely the "partial security" you describe: Criminals can't crack the encryption, but the government can use their backdoor-key.
But like those who argue online age-consent schemes can't work, it doesn't help to argue against the technical aspects of such bad laws. The law, particularly UK law, doesn't care for what's technically possible. The bad laws can sit on the books regardless of the technical feasibility of enforcement. Eventually technology can catch up, or the law can simply be applied on a best endeavours / selective enforcement approach.
You are correct that we can engineer a cryptosystem with two sets of keys.
However, nothing prevents keys from being stolen by someone else. In a normal cryptosystem the security of the key is entirely up to you; but in a "law enforcement accessible" system now you have to worry about the feds getting hacked, too. And since the feds will have backdoor keys for many, many users; there is much more interest in stealing those keys.
Physical security has a different set of tradeoffs. Notably, you have to actually be physically present to manipulate and defeat a physical lock, which is what I was alluding to. Even then, it provides an example of how easily a backdoor can be compromised. The Travel Sentry system exists to allow TSA employees to unlock and inspect luggage. There are seven master keys in total; copies of which are spread around thousands of airports with tens to hundreds of TSA employees each. Suffice it to say, the master keys leaked decades ago and you can buy them off Amazon for a few bucks. Any such backdoor key will need similar levels of access to government employees and will likely leak for the same reasons as the TSA keys. Except that the consequence of an encryption backdoor key leaking will be much higher than someone being able to open luggage locks.
Politically, there is also an argument that we should be able to keep secrets from the state. Certainly, there is a reason why we have a 4th Amendment, and it is not because searches and seizures just so happen to be inconvenient.
As for age-of-consent checking, the problem is that existing age verification services would be able to track everyone who accesses an age-verified site. Which, given today's legal climate basically demanding age verification for everything[0], would give the verifier access to your whole browsing history.
Physical age verification is relatively privacy-preserving: I present my ID and that's that. The government that issued that ID does not learn where I presented it, because it's an offline credential. The people I'm doing business with do learn my identity, and they could sell that information, but that's something they didn't need an ID to do (so we should pass a law to prohibit that).
[0] There is also a political argument that the 1st Amendment precludes age verification on social media - aka "don't censor kids"
> This creates precisely the "partial security" you describe: Criminals can't crack the encryption, but the government can use their backdoor-key.
No, it doesn't. Now criminals just have to get the key. These schemes have been tried many times. They've been discovered by actors that shouldn't have access to them.
Please don't go around advising government leaders and organizations. This is exactly the problem solving capabilities of governmental leaders that security experts are decrying here in this thread.
I honestly though get you're comment was going to go along the lines of perfect physical security can only be perfectly secure from everyone, including the people it shouldn't be. We constantly see the hacking oh physical locations. The big things keeping some orgs from being attacked: redundancy, observability, and ENCRYPTION WITHOUT BACKDOORS!
> the government has the mistaken belief that their back door will know the difference between the good guys (presumably them) and the bad guys
This is a very good point, and in the recent months we have been witnessing that people in government, or aiming to become the government, are definitely not the good guys. So, even if what they are asking would be limited to just governments (which it wouldn't), they can't claim they are the good guys anymore.
Just to be clear: Wallace is not a head of state, or even an MP any more. At one point, he was Secretary of State for Defence, a Cabinet position, however he resigned this in 2023.
This doesn’t justify his position (it’s stupid) but he doesn’t speak for the current government.
Technically we did abolish the monarchy back in the 17th century, but the replacement was so bad we brought them back about 10 years later, which I think makes us a minority of one and even more weird.
Anyway, back on topic: this is a ridiculous law that is forcing services to erode their security while smart criminals can just use some nice free open-source software somewhere else for E2E communication. And a lot of this is definitely down to lawmakers not understanding technology.
You’re correct, however I gave GP the benefit of the doubt and assumed they meant Secretary of State ;-)
And, to be fair, while I’m generally a small r republican, I’m seeing benefits of having a non politically aligned head of state after J6. While the monarch has limited power, booting out a PM that can’t command the confidence of Parliament is one of them. The question of whether Johnson would accept being dethroned a la Trump was always silly given his consent was never needed.
I’ve become a bit of fan of it over the last few years. That said, I don’t think the UK can be replicated.
It wraps ultimate power up in a contradiction, you have it but you can’t use it. Sure, technically you could but it would be your last act.
Another important aspect, the for and against is currently split between parties, so there’s somewhat of unification factor between parties on that divide as well.
It gets a lot of hate, because it is imperfect, but I don’t think it gets its fair shake. My views more of, if it ain’t broke is it really worth the risk changing it.
The UK monarch's power is largely based on convention more than active decision making. For example, a government is formed at the invitation of the monarch, but that's long reflected the results of an election. Getting rid of a PM generally happens when they run out of luck. That sometimes coincides with the ruling party/coalition imploding. The next PM is then shortlisted by MPs and selected by a minority of the electorate.
I guess the US equivalent is the leader of the house being unable to hold their majority together. In some ways the presidential election feels more democratic if a relative outsider (like Trump was) can win. But a 2 year lead up is crazy.
And that's why it is so important to nip this "pedo" / "think of the children" crap right in the bud.
Obviously pedos on the interwebs are bad, but hey as long as it's just anime they're whacking off to I don't care too much. But the real abuse, that's done by - especially in the UK - rich and famous people like Jimmy Savile. And you're not gonna catch these pedos with banning encryption, that's a fucking smokescreen if I ever saw one, you're gonna catch them with police legwork and by actually teaching young children about their bodies!
> But the real abuse, that's done by - especially in the UK - rich and famous people like Jimmy Savile
Jimmy Savile was a vile predator. He was protected by the inane customs of the British ruling class.
He was not alone among the toffs of England.
But do not be mistaken. It is not just the rich and powerful where you find sexual predators. They exist at all levels of society, all genders, most ages (I will except infants and the aged infirm....)
Jimmy Savile was a symptom of something much darker, much worse and widespread.
Honestly if the UK wants to reduce sexual crimes against children and adults one of the easiest ways to achieve that would be to reform UK liable law.
In the UK if you're raped by someone famous you'd be an utter idiot to say anything unless you're loaded or have a massive amount of hard evidence. You couldn't have a me to movement in the UK because everyone who came forward would be sued into bankruptcy. This is why so many people knew about Savile but no one said anything.
Yeah but if you sell the populace on the idea that pedos are only something that's a threat on the interwebs the populace won't care about all the other pedos, and if there is a pedo scandal like the next Savile the government can just go and shrug and say "we did all we could". And that is the point behind all that pedo scare.
No, the monarch does not pick the Prime Minister. At all.
They have a ceremonial role in confirming them. Like they do with every law that Parliament creates. If they ever actually practically exercised this theoretical power it would be the end of the monarchy.
"it's hardly likely that pedo rings or rape gangs will be top of the list of priorities".... is this not one of the most disturbing, disgusting, psychologically troubling and damning ideas ever to be put to words/brought to awareness? . Right up there "let's meticulously plan out this horrific, atrocious, dehumanizing act and meditate upon the consequences, and then choose the most brutal and villainous option". Dear Lord....
People are extremely opposed to pedos, so they're a primary rationalization for oppressive technology. But then you have two problems.
First, pedos know everybody hates them, so they take measures normal people wouldn't in order to avoid detection, and then backdooring the tech used by everybody else doesn't work against them because they'll use something else. But it does impair the security of normal people.
Second, there aren't actually that many pedos and the easy to catch ones get caught regardless and the hard to catch ones get away with it regardless, which leaves the intersection of "easy enough to catch but wouldn't have been caught without this" as a set plausibly containing zero suspects. Not that they won't use it against the ones who would have been caught anyway and then declare victory, but it's the sort of thing that's pretty useless against the ones it's claimed to exist in order to catch, and therefore not something it can be used effectively in order to do.
Whereas industrial espionage or LOVEINT or draining grandma's retirement account or manipulating ordinary people who don't realize they should be taking countermeasures -- the abuses of the system -- those are the things it's effective at bringing about, because ordinary people don't expect themselves to be targets.
> is this not one of the most disturbing, disgusting, psychologically troubling and damning ideas ever to be put to words/brought to awareness? .
Hmm? Hell has depths. Your yard might be a little too short to measure them? In that case, just think about this: rape is probably most common in prisons, where you will send innocents the moment this dragnet thing glitches.
> technical literacy amongst the political establishment who consistently rely on the fallacy that having nothing to hide means you have nothing to fear.
That's an awfully generous assessment on your part. Kindly explain just what "technical literacy" has to do with the formulation you note. From here it reads like you are misdirecting and clouding the -intent- by the powerful here.
Also does ERIC SCHMIDT an accomplished geek (who is an official member of MIC since (during?) his departure from Sun Microsystems) suffers from "technical literacy" issues:
I feel like the comment was clear, technical illiteracy leads politicians to believe that they'll be the only ones with access to this backdoor, which isn't true.
The comment's clarity was not questioned. You are passing around the same tired line that because politicians do not understand technology and how it can be used against anyone. Sure computers are new but communication technology is not. All a politician needs to understand is "capability". That is it. "We can read their communications", no degree in CS required. Also, they have power geeks advising them left and right. They know "capabilities" can be misused. They know this.
Yeah. Not buying it. They know, or someone smart enough told them that backdoors can be accessed by anyone with enough skill. They just don't care because the people that are asking for this are criminals already and wanting profit off of other people's data.
Let me offer a possible example that might be more in line with the HN commenting guideline about interpreting people's comments as charitably as reasonably possible:
My password manager vault isn't exactly something to hide in the political sense, but it's definitely something I would fear is exposed to heightened risk of compromise if there were a backdoor, even one for government surveillance purposes. And it's a reasonable concern that I think a lot of people aren't taking seriously enough due, in part, to a lack of technical literacy. Both in terms of not realizing how it materially impacts everyday people regardless of whether they're up to no good, and in terms of not realizing just how juicy a target this would be for agents up to and including state-level adversaries.
As for Eric Schmidt, he's something of a peculiar case. I don't doubt his technical literacy, but the dude is still the head of one of the world's largest surveillance capitalist enterprises, and, as the saying goes, "It is difficult to get a man to understand something when his salary depends on his not understanding it."
The AP News was just kicked out of press conferences for not using the government-preferred term for the Gulf of Mexico. The new director of the FBI is pledging to go after members of the press that he doesn't like. The US is jumping headfirst in the "bad speech isn't free" direction in the past month.
Of course they are. Violent threats and admitting illegal activity on social media can lead to arrests in the US. By being so unspecific your comment does not really foster good discussion on the topic. You should describe what kind of posts they are being arrested for and which laws/protections in the UK you are specifically criticizing.
Hardly. There are limits to speech in most jurisdictions. That hardly crosses the threshold for "authoritarian". The high profile cases in the UK have been around incitement to violence and contempt of court.
No, they get arrested for conduct that would be criminal no matter where they did it. Facebook (2x) and Twitter (2x) were the (virtual) venues where the crimes were committed, but the crimes were attempting to organize a mob to burn down a courthouse, inciting and threatening to murder police, conspiracy to suppress votes and threatening to kill the President. The crimes would be just as criminal had they been done in person at a local bar (or any other physical location).
There are limits to speech in every country, including the US. What I always find baffling is the sheer arrogance of Americans, that the only way to be a free and democratic country is their way, to the extent that they send their elected representatives to Germany of all places to implicitly argue for the legalisation of the Hitler salute.
Meanwhile their country has slid into fascism. Sad and tragic.
If you see a red car driving down the street do you not call it red because there are many other red cars? They're adding color (pun intended) to their description of the general bias of the UK government. What you're doing is called Whataboutism - the argument that others are doing something similar or as bad in different contexts. It doesn't make what the UK is doing any less bad for citizens (and non-citizens) privacy or data sovereignty.
On the authoritarianism: these laws are always worded in such a way that they can be applied or targeted vaguely, basically to work around other legislation. They will stop thinking of the children as soon as the law is put into play, and it's hardly likely that pedo rings or rape gangs will be top of the list of priorities.
On the technical literacy: the government has the mistaken belief that their back door will know the difference between the good guys (presumably them) and the bad guys, and the bad guys will be locked out. However, the only real protection is security by obscurity: it's illegal to reveal that this backdoor exists or was even requested. Any bad guy can make a reasonable assumption that a multinational tech company offering cloud services has been compromised, so this just paints another target on their backs.
I've said it before, but I guarantee that the monkey's paw has been infinitely curling with this, and it's a dream come true for any black or grey hat hacker who wants to try and compromise the government through a backdoor like this.