a thoughtful web.
Good ideas and conversation. No ads, no tracking.   Login or Take a Tour!
comment by user-inactivated
user-inactivated  ·  3323 days ago  ·  link  ·    ·  parent  ·  post: Internet firms to be banned from offering unbreakable encryption under new laws

I find it very strange to see laws like this proposed. Intelligence agencies benefit the most from having end-to-end encryption mechanisms that are open source. In fact, many spies would start to die if we went back to enigma style encryption. Why? Because an NSA/GCHQ proprietary algorithm isn't safe without public scrutiny and they know it.

So when you see the alphabet agencies push against encryption, know that they don't even really want it. It's a psychological tactic to trigger you to not want to use encryption. If a law were about to pass that would have this, they would be the first lobbying against it. They just like supporting these ideas because they know it will never get there, and that many businesses such as banks will tell the government, "Okay, then you're telling us to shut our doors and end your entire economy".

BEST CASE SCENARIO is that if a country passes a law like this, all foreign countries that give internet services to that country will just stop serving that country because implementing such a system would provide criminals and hackers an easier way of breaking into their communications, and also take a large quantity of time and manpower to implement and change their current ways of working with your data. It's not even worth the effort to invest in a system that can do this sort of thing just for Google or whomever to do business with the UK.

First country to pass this law becomes the next North Korea guaranteed. Everyone pushing it knows that, too, they just want to play political mind games on the public.





mk  ·  3323 days ago  ·  link  ·  

Perhaps, or do you think it is possible that these agencies want encryption for government use only? That is, they get to use it, and we don't?

Of course, even that doesn't make very good sense, but that hasn't retricted government policy before.

user-inactivated  ·  3323 days ago  ·  link  ·    ·  

Well if they get to use it and we don't then the public scrutiny part of the encryption becomes nullified, meaning that just another Chinese/Russian team to analyze their ciphertext would have a higher probability of breaking it.

Nobody would willingly do public analysis on the cryptography if it served no benefit to them and likely made them a candidate for getting arrested ("YOU BROKE OUR STATE SECRETS!!!!", it would probably be advertised by the media as "Professor hacks into the NSA" or something equally stupid, which wouldn't be accurate at all).

I reread the article and "making encryption illegal" is actually not what is being proposed here. It's so hard to keep track of all of these anti-encryption laws being proposed now since so many people are jumping in on the game and generally have no idea what they are talking about.

This particular law is about ending "end-to-end" encryption as mentioned Apple's iMessage and FaceTime information. Well, this has less ramifications on economics and wouldn't affect banking institutions (though companies would still be ticked off and move away from the UK just to restructure their entire network infrastructure and code), but it still has far more overreaching problems.

For instance, many companies use S/MIME for email communication for both signatures (to make sure the message came from where it says they came from) and encryption of the data itself for preventing corporate spies from stealing data or criminals stealing sensitive data being passed around. This is built into Microsoft Exchange, for instance, though only a small portion of Exchange services use this feature. Usually it's a large corporation that uses it for everyone or just for executives whose communication can affect the companies outcome. This is, however, end-to-end encryption that would be impossible for a government agency to come into and read the email if they had access to the servers (without scripting some weird "send me your key" feature which I guess is possible as well).

So this isn't making "link encryption" illegal such as TLS or VPN tunneling (which is what the FBI director wanted, he wanted a backdoor into TLS), which basically just encrypts the traffic from your computer to Google's servers and then on Google's servers it is unencrypted at some point and intercept-able. Skype, for instance, uses link-encryption and they can intercept your call information (and NSA's PRISM taps into this). If FaceTime is end-to-end encrypted, then PRISM-like spying cannot actually intercept your FaceTime calls. There are still ways to do it, it's just much harder (you have to break into the iPad/iPhone of one of the ends, which is potentially illegal for them to do under most circumstances (not all), and much harder to pull off since they have to bypass firewalls or inject code via some other means (browser exploits, app exploits, etc).

So what does this really accomplish? Not a whole lot, actually. It's bad for the consumer since their communication can be easier to intercept by criminals. Take for instance the Sony hack. Those criminals or nation-states or whomever it really was were so deep into Sony's network that they could have easily spied on people's communications on the PSN network since it was link-encryption based. Sony's email servers weren't using S/MIME or anything like it clearly, since their executive's emails got leaked.

Imagine the government saying "Sorry Sony, but your new method of protecting against hacks like the one you just experienced is now illegal, sorry." I mean that's basically something that would get Sony to lobby against the government to prevent a bill like this from happening, and also likely to have Sony say "screw you" to the US/UK and just leave (they are a Japanese based company, after all). They'd still sell PS4s and such, just not have any corporate offices in those countries.

So, even pushing back against end-to-end encryption would have major repercussions against your economy and legal system, and there are plenty of corporations that would prevent that from happening (never thought I would be happy that corporations were lobbying the government... but when the government is making this little sense then corporations are the only people who can do anything about it).

The other thing to note about this is that if you make link-encryption legal while making end-to-end encryption illegal, you haven't actually accomplished much in regards to technology. Both systems use the same encryption algorithms and methods, they just configure that encryption differently. So OpenSSL or Crypto++ or whatever will still be libraries that would be legal to use since they are required for usage in TLS, but you could easily use those libraries to do full end-to-end encryption, and terrorists and pedophiles will be able to use those algorithms just fine. It might be black-market software at that point but who cares to them, they are already committing heinous crimes, whats to stop them from breaking an encryption law that even university professors would be willing to break?

Anyway back to your question (and off the topic of link-encryption and this article since I derailed the conversation accidentally), encryption for government use only is not practical since basically you'd be handing criminals and non-criminals alike a big pile of your credit card information and passwords without them needing to try. Right now they have to bypass or break encryption (likely bypass) to get at that kind of information and if the company does the encryption correctly it would be near impossible to get at.

Also think about DRM mechanisms. The only way that these systems work is through encrypting their media content on the disk and having a system of decrypting it on individual players. This is the only actual way to perform this kind of protection. So, do you think media companies would be very happy to hear, "DRM is now illegal to produce"? Actually it conflicts with existing laws, so it's not even possible to pass a blanket no-encryption law. They could add a list of exceptions, though, which would just end up being completely silly and restrict the development of new technology.