UK Government Says App Developers Won't Be Forced To Implement Backdoors

Mark Wilson writes: The UK government is sending mixed messages about how it views privacy and security. Fears have been mounting since Prime Minister David Cameron wondered aloud 'in our country, do we want to allow a means of communication between people which we cannot read?' — his view obviously being that, no, we don't want to allow such a thing. Following the revelations about the spying activities of the NSA and GCHQ, public attention has been focused more than ever on privacy and encryption, Cameron having also suggested a desire to ban encryption. Today, some fears were allayed when it was announced that the government was not seeking to require software developers to build backdoors into their products. That said, the government said that companies should be able to decrypt 'targeted' data when required, and provide access to it.

Re:This haiku's about another kind of backdoor

[Dr_Barnowl]

Clearly you don't follow the news about our PM.

A better haiku would be

The Turgid Member,
Slipped into a dead pig's mouth,
Like he fucks the poor

Re:

[gweihir]

I don't think he ever had it in the first place...

David Cameron is not very intelligent

[Anonymous Coward]

Unfortunately, Mr Cameron lacks even basic knowledge of technology, so is unable to appreciate that his expectations of making encrypted data readable by the NSA/GCHQ/Stasi, are completely unrealistic. Cameron should keep his slimy far right persona out of areas that he can't understand - since that appears to include most areas of government, maybe he'd be better seeing employment that is more fitting for his level of ability - perhaps as a clown or jester.
And, to answer Mr Cameron's question as to whether we want to allow means of communication between people which can't be read by the secret police - I think anyone supporting of democracy will be screaming 'yes - of course we do'. This is fundamental to any democratic society. Cameron might want some kind of despotic right wing regime, but most people here don't. Remember - Cameron was elected by a very small minority of the British people (~20%), because of the way the antiquated electoral system has failed. He most certainly has no democratic mandate to rule.

Re:

[BranMan]

No state servant HAS subjects! W. T. F.

Re:

[Kkloe]

I think they are talking about getting data that passes the server of said company that would have master keys to unlock it

Re:

[91degrees]

Remember - Cameron was elected by a very small minority of the British people (~20%), because of the way the antiquated electoral system has failed. He most certainly has no democratic mandate to rule.

What would you consider a mandate, and what British PM has ever achieved that sort of level of support?

Re:

[91degrees]

He got less than 50% of the popular vote and only about 37% of the voting population picked him. And he's the most successful PM since the war.

Re:

[Hognoxious]

Your figures are off.

http://www.bbc.com/news/electi... [bbc.com]

Re:

[Jamu]

24% of the electorate voted for a Conservative candidate. 0.08% voted for David Cameron.

Re:

[AmiMoJo]

Don't underestimate Cameron. The upper class twat persona is just a mask. He is extremely careful to be bland an inoffensive at all times, speaking only in generalities and vague benign sounding ideals.

For example, on this issue he always talks about safety. No-one opposes safety, right? Safety is good. He avoids being too specific or saying anything too ideological.

He is a dangerous opponent, because he turns people to apathy. They vote for him because he stands for nothing specific, so they fill in the bl

Re:

[0123456]

Ha-ha. You think Cameron is 'far right'.

He's at best a cuckservative, and even that is debatable.

Re:

[Shortguy881]

Clown or Jester is the perfect job description for the modern politician. Look at the U.S. They are about to elect Trump.

I thought NSA and GHQ had backdoors

[invictusvoyd]

in every major encryption algo. So why do they worry?

Re:

[AHuxley]

AC by shortening of the keysize. What one section of a gov gives away in public, another ensures will revert to plain text :)

Re:

[AHuxley]

The US and UK have 3 areas to worry about.
Open source efforts produce a good new method thats free, accepted and upgraded.
Some neutral nation outside the US and UK direct academic influence sells, creates or offers good working encryption at a low price.
A brand installs harder than average encryption responding to market forces that does not decode easily in realtime in consumer hardware or software.
Most of the above are fixed with big cash offers, international treaties or a nice chat.

Re:

[gweihir]

They do not. Really not. That would be a catastrophe waiting to happen. (Then, we still have enough nukes at the ready to destroy the planet several times over, so that may not be much of a deterrent.) But it seems highly unlikely that they can break modern crypto like AES or indeed any of the other finalists for a number of reasons. In addition, the continued failure to force companies to make their software more secure does deliver a host of vulnerabilities all the time. I am not sure this is an accident.

Reveal a plot so fiendish

[AHuxley]

Any data flow could be of interest to the UK gov at some time for some reason and UK staff will have to provide gov/mil access when demanded.
A brand thinking their data sets will not be of interest and not build in UK ready traps doors or back doors would be offering a "means of communication between people which we cannot read".
By default UK based brands will have to build in trapdoors, backdoors just to cover that UK gov request eventuality ie "companies must be able to provide targeted access"".

Nobo

Bottom line

[93 Escort Wagon]

The politicians deciding these rules have no idea how this stuff works. "We're not asking for back doors. Back doors are bad. We just want a way to access the contents of encrypted messages when we deem it necessary."

It'd be funny if the stakes weren't so high.

Re:

[Kkloe]

?, as a developer I cant see how you cant build so the cant be unencrypted if it passes the servers we have control over, like apple, they have encryption on the phone that apple cant crack but when that message\data is passed\synced through apples servers they can allow other access to it.
this is what they probably are talking abou

Re:

[drinkypoo]

as a developer I cant see how you cant build so the cant be unencrypted if it passes the servers we have control over, like apple, they have encryption on the phone that apple cant crack but when that message\data is passed\synced through apples servers they can allow other access to it.
this is what they probably are talking abou

Please explain your rationale for believing that.

Re:

[Kkloe]

http://mashable.com/2014/09/18... [mashable.com]

There's a catch, though: even if Apple is unable to hand over the data from your phone, it can (and will, if asked via a court order) hand over the data from your iTunes or iCloud account

maybe

Re:

[drinkypoo]

as a developer I cant see how you cant build so the cant be unencrypted if it passes the servers we have control over, like apple, they have encryption on the phone that apple cant crack but when that message\data is passed\synced through apples servers they can allow other access to it.
this is what they probably are talking abou

Please explain your rationale for believing that.

"There's a catch, though: even if Apple is unable to hand over the data from your phone, it can (and will, if asked via a court order) hand over the data from your iTunes or iCloud account"

The government can already get your unencrypted transmissions, because they have tapped all backbone links in the USA, and probably everywhere. But the only way that Apple can provide the data from your iTunes or iCloud account is if there's a back door in the encryption system.

Re:

[Kkloe]

back door?, no they use their own keys to encrypt the stuff on *their* servers, thats not a back door, that is how it is

Re:

[dkasak]

Your data passing through someone else's servers doesn't automatically imply they have means of decrypting that data. Clients can generate keys themselves (or negotiate them securely with each other, in the case of asymmetric encryption) and keep them secret. Data encrypted in such a way can be stored wherever you want without the party owning the infrastructure being able to read it.

Re:

[mangobrain]

That may be how it is, but it is not necessarily how it has to be. It is possible to build a system where the data is encrypted with per-user private keys, which never leave the user's device(s) - at least, not in the clear, and ideally only when being migrated/copied to other devices. Do all the crypto on the device, transmit & store it with private keys unknown to the owners of the infrastructure.

For all I know, this might in fact already be how iTunes & iCloud work already; that certainly seems t

Re:

[echnaton192]

Not true. This Data is not encrypted by the users password or a separate encryption key. iMessage is encrypted end-to-end.

Emails, calendar, notes, address book, photos, unencrypted backup are not encrypted with a key apple has no access to on the icloud. You could encrypt the backup with a special password, the other stuff is NSL-able.

You could use posteo.de or similar services for emails, calendar and address book and encrypt the stored data with the password for login. That is easy because apple uses stan

Re:

[Kkloe]

so does it affect anyone in the end?, because beside some people that really wants to really avoid getting their info handed to the gov the general populace, businesses\organisations and governments will know about this and still use that software because there is no other option or is the best economic option vs security

Re:

[Dog-Cow]

I don't think you really understand this Internet thingy and how it works.

Re:

[mangobrain]

Could you clarify? References to Skype may or may not be relevant, but direct end-to-end communications is most certainly not impossible. It may be difficult in practice with contemporary IPv4 deployments (most devices are not directly addressable from the public Internet due to NAT), but of course it can be done: as long as it is possible for two devices to connect (which evidently it is, or we couldn't have an Internet at all), there is no "magic" which mandates that one or other of those devices be a cor

Re:

[Lakitu]

like apple, they have encryption on the phone that apple cant crack

If Apple can't unencrypt it on the phones, then they can't unencrypt it ever.

but when that message\data is passed\synced through apples servers they can allow other access to it

When the phone owner unencrypts his unencryptable data and sends that in an unencrypted message through Apple's servers, then Apple has the unencrypted data.

Re:

[gweihir]

Probably the only real problem with democracy is that most voters are morons, but more so, most politicians are morons and with all shreds of personal honor, integrity or morality removed.

Analog storage crime nest

[Anonymous Coward]

It's high time the governments of the world started cracking down on the terrorist nests that are analog books. It's impossible to know if thought crimes are committed with ink and paper. Perhaps a mandatory legal waiver of ones human rights with each purchase of writing materials?

It might be best to just proceed to the inevitable conclusion and burn every literate human being at the stake unless they agree to live with a government approved guardian overseeing their every action and thought.

Re:

[gweihir]

+1000000, insightful. Sorry, no mod points. (Time to start reading those classics again. They become more and more relevant, unfortunately.)

This has always been a big pile of hysteria.

[91degrees]

David Cameron made a speech. He said the government wants it to be impossible for terrorists to hide from the security services.

Tech media sites assumed that Cameron knew exactly what he was talking about while at the same time having no idea what he was talking about. They concluded that the only way this would be achievable would be to ban encryption. In fact, given that pretty much everyone who talked about it mentioned WhatsApp and Snapchat, and no other services, it makes it pretty obvious they were

Re:

[echnaton192]

How could this possibly be? How could we assume that he is an orwellian Big Brother, conpiring with the USA to build an orwellian, fascist surveillance scheme?

Because of reports like this? https://theintercept.com/2015/... [theintercept.com]

Because there is nothing holding back the GCHQ from intersepting everything including porn use to denounce any resistance? Because the GCHQ has already infiltrated legal NGOs to undermine and control those "terrorist" NGOs like Amnesty International?

http://www.theguardian.com/uk-... [theguardian.com]

Because

Re:

[91degrees]

Well, yes... Most governments want to spy on their citizens. I am not defending this.

I'm just pointing out the idiocy of people who infer specifics based on a wild interpretation of a speech.

Re:

[gweihir]

David Cameron made a speech. He said the government wants it to be impossible for terrorists to hide from the security services.

And that is the problem right there: The only environment where that even gets close to the truth is extreme Fascism. If there is even a bit of personal freedom left, terrorists can hide. Hence even extreme Fascism offers some possibilities for terrorists to hide, so you have to have things like concentration camps, wars and famines to keep them otherwise occupied. But remember all those people that hid Jews in the 3rd Reich? All these qualify as "terrorists" in the convoluted mind-set of Cameron and he wan

Re:

[AHuxley]

A company is compelled to do the decryption on their own product at their own site :)
No outside legal advice over the warrant, staff are then doing the conversion back to plain text on their own private sector server.
All the cooling, cpu time, staff hours, costs, network changes can be pushed back into the private sector as they have to be fully compliant.
No more tricky private sector encoding ever again.
The cleared defence team is told in closed court the presented evidence is pure and direct from the

How can you tell when a politician is lying?

[Epeeist]

Answer: "When you can see their lips moving".

Cameron is an ex-PR flack who never lets truth get in the way of the message.

Not forced

[Anonymous Coward]

NO developers were forced to add back doors to these apps, but most of them voluntarily chose to live peacefully with their families.

contradictory statements

[v1]

Today, some fears were allayed when it was announced that the government was not seeking to require software developers to build backdoors into their products. That said, the government said that companies should be able to decrypt 'targeted' data when required, and provide access to it.

What's the difference here? Companies like Apple are designing their systems such that they never have the key to the data. They hold the data, but have no way to access it, by design. The UK is saying they're not going t

Not stupid

[FrozenGeek]

The majority of the public won't understand that "should be able to decrypt on demand" is the same thing as a back door. To them, what he said was good and fair. This is just another case of a politician playing with words in order to manipulate the electorate.

psht

[sociocapitalist]

Developers "Won't be forced" because they will otherwise be motivated (i.e. what just happened in the US where telcos get immunized against lawsuits in exchange for providing customers' private data to the Feds).

Re:

[gweihir]

While I agree on the sentiment, such a cancer can spread. Remember that Hitler was voted into office. (With a minority of votes, but still the largest share.)

The government wants systems to be secure

[DickBreath]

As long as they are insecurely secure.

In classic government oxymoronic style. Governments are full of oxymorons.

Some government "adult male" in their "arrogant humility" engaged in "a just war" wants us to "agree to disagree" to introduce "astronomically small" insecurities into our "insecurely secure" systems so that "military intelligence" can "read unreadable" messages.

It all makes sense.

smell the glvoe

[PopeRatzo]

UK Government Says App Developers Won't Be Forced To Implement Backdoors

But if they know what's good for them...

umm what?

[Rob MacDonald]

So I'm confused. They won't make app developers put in a back door (to allow them to intercept communication) but will require them to have a method to intercept communication on demand. How exactly is that not a backdoor?

Re:

[gweihir]

Something needs to be intentionally broken if they can intercept and decrypt communications. That is a "compromise" of the security of the app, but it is not a backdoor, which is a command and control interface into the app. Intercepting and decrypting communication can be done by weaknesses in the Architecture, design and implementation, but may not require contacting the app at all.

The distinction is purely technical though, the result is the same: A broken product that endangers its users.

Re:

[gweihir]

Well, not really, although it has the same effect. Weak keys, weak crypto, etc. all serve that purpose. I also have a nagging suspicion that legal approaches to make companies write more secure code are delayed or squashed in order to allow the GCHQ (and others of the same fundamental evil disposition) to continue to indulge their peeping habits.

But they will be forced to lie about it...

[gweihir]

This is really the best of both worlds: Force backdoors (which are insecure, of course) in there, but make it right again forcing the people involved to lie about it. Everybody that does not comply is obviously a terrorist and will go into an isolation cell in prison for his remaining lifetime.

In particular the British administration is lying habitually and pathologically and nothing they say can be trusted.

How can you run a country.

[Ralph Ostrander]

And not understand this cat is out of the bag and you will never be able to put it back in.