Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
United Kingdom Encryption Privacy Security

Internet Firms To Be Banned From Offering Unbreakable Encryption Under New UK Laws (telegraph.co.uk) 418

Retron writes: Despite statements from the minister for internet safety and security Baroness Shields last week that the UK government would not require software developers to build backdoors into their products, the Telegraph is reporting that the UK Government is going to ban companies from offering 'unbreakable' encryption, effectively requiring a backdoor in products from the likes of Google and Apple. The reasons given are that they don't want the likes of terrorists and paedophiles to communicate in places the Police can't reach. A Home Office spokesman said: “The Government is clear we need to find a way to work with industry as technology develops to ensure that, with clear oversight and a robust legal framework, the police and intelligence agencies can access the content of communications of terrorists and criminals in order to resolve police investigations and prevent criminal acts."
This discussion has been archived. No new comments can be posted.

Internet Firms To Be Banned From Offering Unbreakable Encryption Under New UK Laws

Comments Filter:
  • Sigh (Score:5, Interesting)

    by MPBoulton ( 3865641 ) on Tuesday November 03, 2015 @05:35AM (#50853885)

    Is this the sort of thing that the EU could override?

    • Re:Sigh (Score:5, Informative)

      by JaredOfEuropa ( 526365 ) on Tuesday November 03, 2015 @05:45AM (#50853927) Journal
      They could. It depends on who wins. The industry lobbyists (extremely influential in Brussels) who don't give a rodent's behind for your privacy but do not want the risk and hassle that comes with a ban on crypto. Or the hawkish commissioners and their backers in national governments, who do not give a rodent's behind for your privacy and who would absolutely abhor "clear oversight and a robust legal framework" around surveillance.

      And don't think for a second that this is about terrorists and paedophiles. There are enough crypto products for them to choose from already.
      • I smell a false flag (Score:2, Interesting)

        by Anonymous Coward

        Call me a paranoid if you want, but this 'new law banning unbreakable crypto thing smells rotten

        1. The very mention of unbreakable crypto might give people some false sense of security to think that they still have something that can stop NSA / GCHQ from prying into their files

        2. The very word 'unbreakable' is misleading - as nothing, absolutely nothing - is unbreakable, in the tech scene

        3. The entire thing could be an attempt by some one high up (even higher than the politicians) to instill the impressio

        • 2. The very word 'unbreakable' is misleading - as nothing, absolutely nothing - is unbreakable, in the tech scene

          Yes, but anything that you can refer to as "breakable" encryption is really no encryption at all.

          And even if you are paranoid, somebody might still be out to get you.

        • 2. The very word 'unbreakable' is misleading - as nothing, absolutely nothing - is unbreakable, in the tech scene

          Cryptographic algorithms can be unbreakable using known technology. Implementations of cryptographic algorithms often have flaws that can be exploited and hence are breakable. What they are trying to ban is the use of cryptographic algorithms that are "unbreakable" in that sense.

          3. The entire thing could be an attempt by some one high up (even higher than the politicians) to instill the impressio

        • To date AES-256 is still secure, at least the NSA doesn't confirm or deny they can break it, most researchers assume they haven't yet, although quantum decryption methods may change that, certainly. And of course one-time pads are by their nature unbreakable.
        • Apple and Google I think won't mind this too much. I suspect they wanted to force the issue that the government has to come out and say, we will search e-mails rather than putting the squeeze on apple privately to sell out their customers with secret deals. If they get caught like AT&T did, it makes them look like crap and it doesn't hurt their competitors equally. Now if apple turns over a message they can just say every does it because its the law, and that's a fact. The "unbreakable" encryption pa

        • by mark-t ( 151149 ) <markt.nerdflat@com> on Tuesday November 03, 2015 @03:42PM (#50858685) Journal
          An encryption is considered unbreakable if it requires a copy of the original key to decode into the original message, and there is absolutely no way to ever tell whether any key you might try to use to decrypt it actually gives you the original message unless you knew in advance what the original message was.
    • "Is this the sort of thing that the EU could override?"

      Yes, that's why the morons want out.

      Also, by definition, no encryption is unbreakable, you just need a few thousand years to crack it.

      • you just need a few thousand years to crack it.

        If I XOR some data with a key of unknown length, how are you going to verify that you've cracked it?

        • Re: (Score:3, Informative)

          by Anonymous Coward

          The existing UK laws assume guilty if you do not hand over your key when law enforcement ask for it. It's been like this since the late 1980s.

          • The existing UK laws assume guilty if you do not hand over your key when law enforcement ask for it. It's been like this since the late 1980s.

            I was wondering about that... Doesn't this kind of prove that this latest offensive against privacy is not aimed at individual investigations, for which cases as you point out they have long had options? So this is about mass-surveillance.

            • Re:Sigh (Score:4, Informative)

              by Xest ( 935314 ) on Tuesday November 03, 2015 @08:54AM (#50854855)

              Of course it's about mass surveillance, if it was about individual surveillance then they'd just get a warrant to MITM or similar a particular suspects PC exactly like they always have with physical mail and phone calls. They already have the powers to do that type of attack to get a target of a warrant.

              They might argue that it's about retaining data so if they come back to someone they can investigate their communications retroactively, but that doesn't explain why they aren't getting all phone calls logged, and all physical mail photocopied and stored. They already can't get historical data of other communication mediums so there's no reason to think they suddenly need it for investigations using digital communications.

              So the only thing this possibly can be about is mass surveillance given that they have all the tools they need for individual surveillance already.

        • Re: Sigh (Score:5, Interesting)

          by John Allsup ( 987 ) <slashdot@nospam.chalisque.net> on Tuesday November 03, 2015 @06:36AM (#50854127) Homepage Journal

          People often overlook the issue of verification. If you take a small structured dictionary which takes in, say, 128 bits, and outputs a nonsense poem using the words of the dictionary and some simple rules, you have a reversible procedure for turning 128 bit hashes into literary nonsense. Reverse the procedure and apply a simple procedure to the original 128 bit hash to see if it contains a message. The simple procedure may include things about the sender. The trouble for crackers here, is that there are many such procedures. A simple software example is to append 'Borg' to a message, hash it with shasum, and see if the first two hex digits are f7, say, else discard. Then using evolutionary programs to find a short procedure which generates indices recursively for words in a video file [ with feedback, so the second index requires having the correct video file on hand ]. Guessing a random 128bit passkey is bad enough, but guessing a random procedure is far worse. Having everybody just [ just! ] using aes128 will seem like paradise compared to the output of the computational arms race the UK government is inadvertently about to kick off.

          I have fond memories of the old msdos program insults.exe. it has not escaped my attention that one can take a 128 bit number [ possibly the output of a sugared hash ] and use bits from it as indices into tables to generate phrases. There is much fun to be had, and so many variations. The paper from wayback about chaffing and winnowing will perhaps have more attention payed to it.

          • Re: (Score:3, Interesting)

            by Anonymous Coward

            I have thought about this many times over the years. Evolutionary strategies could lead to some really obscure and bizarre cryptography schemes. Especially if you use real cryptographic algorithms at each layer. Even if not, this is utterly ridiculous. Your example of a poem highlights the greatest injustice of banning encryption - poems can mask layers of meaning even from the author, sometimes for years. It's time to end this whole charade IMHO.

          • Two things: security through obscurity... and 2^128 words is about 10^30 English languages.

      • "Is this the sort of thing that the EU could override?"

        Yes, that's why the morons want out.

        Also, by definition, no encryption is unbreakable, you just need a few thousand years to crack it.

        Or the right algorithms, the right computing power and encryption that is regulated to be limited to a certain level? I am sure Interpol or various intelligence agencies could push to have the right tools?

        The problem with what the British government is asking is that it just takes one slip for the backdoor to be left wide open (see TSA security keys [extremetech.com]) and anyone who really cares about protecting their stuff and understands what they are doing probably will just encrypt their stuff with other encryption tools

      • Re:Sigh (Score:5, Informative)

        by gweihir ( 88907 ) on Tuesday November 03, 2015 @06:12AM (#50854035)

        Also, by definition, no encryption is unbreakable, you just need a few thousand years to crack it.

        Untrue. Encryption may be "Information-Theoretically secure". These cannot be broken with just enough computing power. For example, for ordinary text, this is even true for the venerable Enigma if less than 4000 Bits (if I remember things correctly) of ciphertext are available and the key was chosen at random. One-time pad based encryptions are never breakable, the only information you get is the maximum number of Entropy in the message, nothing else.

        You wrong statement is one of the often-repeated untruths about encryption.

        • Re: Sigh (Score:4, Interesting)

          by John Allsup ( 987 ) <slashdot@nospam.chalisque.net> on Tuesday November 03, 2015 @07:00AM (#50854227) Homepage Journal

          Put another way, one limiting factor is the availability of a computational means to verify a correct guess. If the false positive rate is too high, as happens with a OTP, you have problems. Then using encoding schemes rather than just encoding textual data is not hard. If, for example, you only need 2000 different words for your messages, you could start with a basic forth and work thus:

          ( assume 'append' appends to a word list, and 'say' outputs and clears the word list )
          : wHelp S" help" ;
          : wThe S" the" ;
          : wHomeless S" homeless" ;
          : mHelpThe wHelp wThe ;
          : mA mHelpThe wHomeless ;
          : s1 mA say ;

          Now we can map these definitions to 16 bit tokens, padding with random definitions, and store random definitions where the words go to get a non funtioning decode vector. Then to decode, we need a list of words and locations to insert them. One vector of 64k forth words could be used in many ways depending on which words are overwritten and what is put there. The 64k vector need not even contain the api, since we need only overwrite say v[435] with 'say', v[2789] with 'append', put 'S" help"' etc. in the right place and know that v[6789] is a correct code for mA. The secret code is in the modifications necessary, and without both pieces you have nothing. Just the vector and you have a random assortment of words defined in terms of other words.

          The issue for GCHQ is not unbreakability, but that the above could be implemented in a few lines of Perl or PHP, and if it becomes widespread by some social media like a computational Twitter on acid, the effort required to search would be prohibitive given the potential for false positives and that most messages are for fun.

          The Indiana Pi Law did not get passed, but many equivalently stupid laws have, and this will be yet another. You cannot pass a law requiring that maths magically become easy. Trying to causes collateral damage for no gain. But I guess politicians live in a different universe.

        • by mysidia ( 191772 )

          Untrue. Encryption may be "Information-Theoretically secure".

          No real-world encryption usage is information-theoretically secure.

          You mention one time pads, but these are typically not used, And they're not really encryption, as in traditional ciphers.... A one time pad is more of a way of dividing information into two equally-sized halves.

          For the most part, the Info-Theoretically secure crypto you see would be Quantum cryptography used for low-volume key exchange

          Even this cannot be declared unbrea

        • You wrong statement is one of the often-repeated untruths about encryption.

          Which is true.

          But as all these proven unbreakable algorithms require a secure channel to transmit the encryption key. But if you had a reliable secure channel, you wouldn't need any encryption to begin with. You could send the actual data over that secure channel instead.

          There is limited use for these when a secure channel is available ahead of time, but even then the storage of the key is vulnerable to attacks. (photographs of the codebook, "rubber hose cryptanalysis", etc)

          Not to start with the fact that a

      • by Viol8 ( 599362 )

        "Yes, that's why the morons want out."

        Yes, imagine that - a nation wanting self determination of its own laws! Radical huh?

      • Also, by definition, no encryption is unbreakable, you just need a few thousand years to crack it.

        Not thousands of years! As we've seen from all the encryption technologies that have been invented to date it generally just takes a couple of decades for the tech to upgrade to a point where it's relatively easy to crack. The question is will this all change when Quantum Computers are on every desktop?

        • If you're talking about brute force, no, that's not going to happen. It's not possible to test 2^128 possible keys using only the resources of the Solar System, and I consider that impractical. Assuming we develop quantum computers of the appropriate power (and I'm not convinced we can), they effectively cut the key size in half, so AES-256 could not be brute-forced without becoming something more than a Type II civilization.

          The alternatives are breaking the cipher, which is not considered likely for

      • Re:Sigh (Score:4, Insightful)

        by Jason Levine ( 196982 ) on Tuesday November 03, 2015 @08:42AM (#50854775) Homepage

        I actually like this argument. Sort of turns the "copyright is still a limited time even if it's 120 years long" argument on its head. If waiting 20 years to crack a phone's encryption makes the encryption "unbreakable" then why is a 120 year long copyright "limited"?

    • by Noryungi ( 70322 )

      Is this the sort of thing that the EU could override?

      Of course not. The European Union wants the exact same thing. They just take a more circuitous route to reach the same conclusion.

      Don't believe me? Read it and weep. [v3.co.uk]

      Money quote from the above link:

      As part of the focus on cybercrime the EC [European Commission] said it is important that, while the privacy of citizens should be respected, the right data for law enforcement agencies is also vital to protect Europe’s security.

      “Clear rules are needed to ensure that data protection principles are respected in full, while law enforcement gains access to the data it needs to protect the privacy of citizens against cybercrime and identity theft,” the report said.

      The strategy also calls for greater cooperation between all elements of society when tackling cybercrime, so that key information is shared with all relevant parties.

      Crypto War II. It's what's for breakfast. Download your copy of GPG while it's hot.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      It's the sort of thing that both the commons and the lords could override because contrary to the sensationalist Slashdot headline it's not actually a law, it's a proposed law, and that means it has to both be debated and pass in both houses. That wont happen because the Lords are out for blood right now and the Conservatives don't have a majority there.

      I'm actually willing to bet money that this clause will never make it into the final bill that is signed into law and as much as Slashdot babies will piss,

    • Coming soon, the campaign for Brexit which is the word already being used for the campaign for the UK to exit the EU. Obviously the Daily Mail and the Daily Express will be full champions of it and have been seeding discontent with the EU among their readership for years. I'm not sure how the rest of the media are going to line up but the unfortunately the result will be decided by the high population concentration of the south-east of the UK who outnumber the rest of us and seem particularly susceptible to

      • Re:Sigh (Score:4, Interesting)

        by Zocalo ( 252965 ) on Tuesday November 03, 2015 @06:31AM (#50854103) Homepage
        While you are right on the voting demographic and media bias/propaganda, I think there's possibly a major wrinkle in the debate coming that's going to seriously upset the applecart for the exit campaign. The Scottish are collectively much more pro-EU than the south of England, and the Scottish National Party are in the process of putting together a set of criteria that will trigger another referendum on their own independence from England. I'm fully expecting to see "UK voting to leave the EU" being right at the top of that list of criteria when it's announced, and if there's one thing that is likely to upset the anti-EU crowd more than remaining in the EU it's the very likely prospect of Scotland leaving the UK shortly afterward if they win.

        What, you thought the US had the monopoly on turning politics into a car crash TV event?
        • by Biolo ( 25082 )

          Exactly right. I'm a Scot who voted no at the last referendum, my decision was never in doubt, and I'm fed up with all the calls to repeat the referendum again. This said the UK exiting the EU would make me strongly reconsider my No vote, and I'd probably support having a new referendum whatever my eventual decision on my vote.

          • Maybe London could leave the EU and the UK, and then everyone would be happy.
            • by Biolo ( 25082 )

              Might be the only way to stop the Met Police thinking they have jurisdiction over the entire country. Then again, they seem to think national borders don't apply to them either for "intellectual property" enforcement, so maybe not.

    • Re:Sigh (Score:4, Interesting)

      by AmiMoJo ( 196126 ) on Tuesday November 03, 2015 @06:50AM (#50854179) Homepage Journal

      It might contravene EU rules on free trade. For example, I use a Swedish VPN service to prevent my internet browsing history and other activity records (metadata) being recorded by my ISP. If this law is to be effective, it would have to make using such services illegal. Otherwise there is little that they can do to force a foreign company to company with UK law.

      Maybe there is an issue with trying to ban foreign services for not complying with UK law. For example, they can't ban foreign services because they don't comply with the UK Data Protection Act, as EU free trade is based on the idea that all member states have broadly equivalent protections for such things. As long as the VPN service provider complies with local data retention laws (of which there are none, they only apply to ISPs) I don't think they can legally ban them.

  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Tuesday November 03, 2015 @05:36AM (#50853887)
    Comment removed based on user account deletion
  • by ThatsMyNick ( 2004126 ) on Tuesday November 03, 2015 @05:38AM (#50853903)

    Everything else goes, right?

    • by AHuxley ( 892839 ) on Tuesday November 03, 2015 @06:06AM (#50854019) Journal
      Ban entering or exiting the UK with paper, pens, maths books with crypto chapters on one time pads and big books.
      Any holiday or sabbaticals could be cover for a face to face meeting to set up a one time pad system with near unlimited key material.
      Years of messages could get total privacy after just one rendezvous.
  • by Anonymous Coward on Tuesday November 03, 2015 @05:41AM (#50853909)
    Replace "terrorists, paedophiles and criminals" with "people" and you get what this is really about: People must not be allowed a “safe space” online. Nobody wants that, except the rich elite in their mad power grab towards global tyranny.
  • Bullshit (Score:5, Insightful)

    by Anonymous Coward on Tuesday November 03, 2015 @05:42AM (#50853913)

    Everyone should be aware that the majority of paedophile rings that have been busted were found to be passing material amongst themselves by sending encrypted DVDs (and originally VHS tapes and photographs etc.) using services such as USPS/Royal Mail signed for etc. Physical mail can't be interfered with without a court order, is secure, cheap and reliable. I would imagine terrorists do much the same.

    This is plain and simply the gubberment desperately trying to keep all windows of the Panopticon open. Clueless old 19th century minds trying to legislate against the future and maintain their failed baboon style pyramid hierarchy.

    It will be a total failure.

    • This is plain and simply the gubberment desperately trying to keep all windows of the Panopticon open. Clueless old 19th century minds trying to legislate against the future and maintain their failed baboon style pyramid hierarchy.

      Indeed, this smells like government either not understanding technology and where it's moving, and/or conspiring with spy agencies to get (keep?) their fingers in everything - including where they shouldn't be.

      Unfortunately for them, there is no middle ground here. If the plebs can use general-purpose computers, there will be ways to get strong encryption software on it. If it's agreed you should be able to have a strongly secured connection between you and your bank (or your webmail, or your doctor, or

    • by AmiMoJo ( 196126 )

      Most of that stuff seems to happen on Tor anyway, which being an open source US based project won't be affected by these rules anyway.

    • by DrXym ( 126579 )
      More to the point, most terrorists, paedophiles and assorted other lawbreakers aren't computer geniuses. Even if they think they're practicing good security, chances are they're still making mistakes - their pattern of activity, the sites they frequent, the software they use, the people they converse with, their nuances of grammar and spelling. All things that can be exploited to find out who they are. Even computer hacking groups get busted from being careless - it only takes one slip-up and game over.

      An

  • by bill_mcgonigle ( 4333 ) * on Tuesday November 03, 2015 @05:44AM (#50853921) Homepage Journal

    This gives Apple and Google the power to decide whether or not there will be a revolt in the UK.

    I'm not sure the politicians have thought this one through all the way. But, good, from a meritocracy perspective.

    • by delt0r ( 999393 )
      The politicians are clearly totally clueless on the topic. However a few hacked email accounts or wifi routers and some juicy scandals centered around them, and they may just start figuring it out.
    • Comment removed based on user account deletion
  • by UberVegeta ( 3450067 ) on Tuesday November 03, 2015 @05:48AM (#50853939)

    There was a Slashdot poll a few years ago, asking the question "What percentage of your traffic is encrypted?"

    The answer that stuck in my mind was from a guy who said, "all of it. My WiFi has WPA2."

  • by Anonymous Coward on Tuesday November 03, 2015 @05:48AM (#50853941)

    So basically, no encryption at all, since if it's breakable by one person it's breakable by anyone.

  • by Anonymous Coward on Tuesday November 03, 2015 @05:54AM (#50853967)

    Encryption is only one way mathematical difficulty can be harnessed. There are others. Encryption is great for making large amounts of data unreadable in a way which is independent of the data. But procedures can be learned by rote, and executed in a human brain before deciding whether and how to interact with a machine. By compromising encryption, the government will stimulate criminals to both probe the detection network with false information, and to develop methods of using whatever legal encrypted communication exists so that messages go unnoticed. If two people agree a convention, such as using two spaces rather than one in a tweet, padding a 130 char tweet to 140, and have a mentally computable way of indicating whether the content has special meaning, and a dictionary of codewords, we are back where we were before the second world war, with cryptic crossword techniques being used. One shot conventions [ consider if I say that when I send messages on Twitter if you append 'FluffyBunny', md5sum the result, and then treat specially if the first three hex digits are 3f4, whilst trivially breakable if you know the scheme, and who will transmit with it, if you don't, brute force will swamp you with false positives, and what if this convention is only used once between people ]. Just as antibiotic use has bred superbugs, this action by the UK government has the potential to set off an evolutionary arms race, where many terrorists will be caught, but those who are not will have by chance have developed means of secrecy beyond the security services. Passing laws declaring the existence of unicorns, or banning gravity from acting, are foolish. We have, in digital technology, an enviroment which we as humans must adapt to, not try to adapt it to us. Laws like this do the latter, but such attempts will eventually succumb to the problems of computational inefficiency.

  • A brand outside the UK and 5 eye nations offers an openvpn https://en.wikipedia.org/wiki/... [wikipedia.org] file to user in the UK ensuring a less easy to log internet connection.
    That hop is from within a domestic like network after the providers "modem" like product.
    Will the UK ban, track, investigate and demand credit card payments to VPN providers be blocked in the UK?
    With "no plans to ban encryption services" that will be very cheap and simple way around the most simple provider level logging.
    Why is the UK not int
  • Comment removed based on user account deletion
    • by AHuxley ( 892839 )
      The US almost faced that tricky export market when pushing for early CALEA like access https://en.wikipedia.org/wiki/... [wikipedia.org].
      Did the world need to create systems just for the US at an extra cost? Did US brands have to make expensive products for the US and retool for export markets without trap doors, back doors?
      Every system got the back doors and trap doors as not to pass on costs or lock out law enforcement. No retooling, no dual designs needed.
      This more a legal change. Every UK ready product will hav
  • Internet Firms To Be Banned From Offering Unbreakable Encryption Under New UK Laws

    The reasons given are that they don't want the likes of terrorists and paedophiles to communicate in places the Police can't reach.

    Then in the great British tradition, they'll just Do It (Y)Themselves. It's not like "internet firms" - whatever that means - have a monopoly on mathematics.

  • Free WiFi for everybody [[[who knows how to get it]]] in the UK!
  • by l0n3s0m3phr34k ( 2613107 ) on Tuesday November 03, 2015 @06:03AM (#50854011)
    Both companies should just cease all official product sales and support in the UK. Neither company should be forced to make multiple products just because the UK demands this, but to be compliant that's exactly what they will have to do. There will be a "UK Model" IPhone, with pre broken encryption all ready to go. Of course this will horribly backfire once criminal ID theft people start exploiting this purposely weakened software. And no real criminals or terrorists will use any of these pre-cracked systems anyway, so the UK's main thrust here will do nothing but enable more ID theft. Good job, UK!
    • Comment removed based on user account deletion
  • If unbreakable encryption is outlawed, only outlaws will use unbreakable encryption.

    Strong (not to say "unbreakable") encryption is out there. It will be used. The question is whether you want it to be a weapon used by all or only against you.

  • So, if you are a terrorist or a paedophile, join the police. That is the only safe place for you. As a plus, you get enterprise grade access to other terrorists and paedophiles.
  • The draft bill is expected to be published tomorrow.
    If you are in the UK please write to your local MP. Even a one sentence letter.

    It will be too sad if this happens and we did not even try.

  • by Going_Digital ( 1485615 ) on Tuesday November 03, 2015 @07:05AM (#50854255)
    The British government is filled with luddites. So those of us who have legitimate use for encryption have to put up with insecure tools while terrorists just use some software they get from their terrorist friends. Clueless government.
  • by MagickalMyst ( 1003128 ) on Tuesday November 03, 2015 @07:05AM (#50854257)
    Doesn't that defeat the purpose of using encryption in the first place?

    "they don't want the likes of terrorists and paedophiles to communicate in places the Police can't reach."

    Considering that the majority of terrorist organizations and pedophile rings are linked directly to the ruling elite, this isn't really surprising.
  • by Flavianoep ( 1404029 ) on Tuesday November 03, 2015 @07:07AM (#50854263)
    Why do no politician even think that a backdoor may be used by a terrorist or a paedophile? A paedophile may take advantage of any vulnerability on an underage person's connected device, and those politicians want to ensure there be at least one? The same can be said about a terrorist getting info about British nationals which may pose threats their security and to the country's as well. Criminals use backdoors too.
  • by asylumx ( 881307 ) on Tuesday November 03, 2015 @07:16AM (#50854293)
    It seems to me that by doing this, the people of the UK are literally trading security for security. Or perhaps trading BOTH freedom and security for security. Not a good deal.
  • Did they specify a timeframe how long it has to take to break the crypto?
    If not, well, any crypto is breakable given infinite amount of time.

    Which makes the law effectively useless as nothing changes.

  • by Jim Sadler ( 3430529 ) on Tuesday November 03, 2015 @07:41AM (#50854427)
    First unbreakable is a vague term. Just how could the English government know that other spy agencies have not broken a code? So they must mean a code that they can not break that others may have broken. Then there is the issue of not being able to govern other nations. So what their government must really mean or want to do is punish any of their subjects for using an unbreakable code. Really what we are seeing is that no government wants to allow people to freely communicate. The US has gone so far as to declare that very strong codes are munitions and that if such a code gets into public hands it is a serious crime. What people need to know is that many encryption programs are probably put into public hands by our spy agencies. We can not trust encryption to convey messages at all. Codes that were secure five years ago are probably not secure at all with more modern computers and software testing them. One wonders just how many months or years a spy agency would run a super computer trying to crack one message. Such an effort might generate millions of dollars in expenses and in this twisted world dredge up nothing more than grandma's cookie recipe.
    • by AHuxley ( 892839 )
      A one time pad works. The privacy of the message is fine. The anonymity of the message is swapping details or meeting to set up the encryption is more work.
      Re "One wonders just how many months or years a spy agency would run a super computer trying to crack one message.". most of the effort is in finding code use online in the wild and a location, details.
      A keylogger ie "equipment interference" gets the plain text as its entered over a software, operating system or hardware layer thats always been wi
  • by fgouget ( 925644 ) on Tuesday November 03, 2015 @07:42AM (#50854429)
    V for Vendetta, great comic [wikipedia.org], great movie [imdb.com] and so very relevant to today's society.
  • by Attila Dimedici ( 1036002 ) on Tuesday November 03, 2015 @08:35AM (#50854749)
    SO, what they are saying is that they do not want you to be able to protect your information from criminals, because if the Police have a way to break your encryption, than so do the criminals (including terrorists). And, what they are overlooking is that either no one has "unbreakable" encryption (for whatever value of unbreakable they are using), including the government, or the criminals will have access to "unbreakable" encryption, but not law abiding subjects. The end result is that criminals will have greater power.
  • by swillden ( 191260 ) <shawn-ds@willden.org> on Tuesday November 03, 2015 @10:19AM (#50855543) Journal

    I work for Google. I build strong encryption in Android. The possibility of laws mandating back doors creates an interesting dilemma for me. Supposing such a law were to exist, and were effectively enforced so there's no possibility of sneaking in a non-backdoored system, what would I do?

    I see three options.

    1. I could run away from the problem, changing jobs to let someone else deal with it.
    2. I could accede, trying to build the tightest, narrowest, best-controlled backdoor possible, doing my best to ensure that only authorized government agencies could use it.
    3. I could refuse to build strong security systems at all, making it clear to everyone that their data is unprotected.

    What's the right thing to do? #1 is out, unless I have some reason to believe that someone else could make better decisions. #3 has some nose-thumbing appeal, but it means that everyone's data is accessible not only to government agencies, but to thieves, family members, spouses, etc. Also, this may be equivalent to #1, in that I'll be shuffled to another job and replaced by someone willing to build back doors.

    So, frankly, it's actually not much of a dilemma at all. I would do #2 (choice of number was not accidental). Well, and I'd probably also contribute to open source, possibly underground strong crypto implementations in my free time, because I strongly believe that the ability of people to keep secrets is critical to individual freedom and to societal progress. But such systems would only be used by a handful, seriously reducing their value.

    It's really, really important that we fight this sort of thing in the public, though. I've never been asked to build in back doors, and I never want to be.

    Oh, and by the way: Those of you out there who complain that you don't want full device encryption because it's slow? The slowness may be annoying, but it's well worth it. Not so much to you, now, but to everyone, in the future. Have a little patience with it. It will get faster over time as hardware gets faster and perhaps dedicated encryption hardware is added, but if we don't get it in now, setting the precedent that it's normal to encrypt everything, all the time, with the strongest crypto we can find and no back doors, there's a much greater risk that we may not be allowed to do it later.

  • by johanw ( 1001493 ) on Tuesday November 03, 2015 @11:02AM (#50855969)

    They mention only companies, assuming power over them if they sell products in the UK. The capitalist status quo. So open source software or free software developed outside the UK can just ignore that law. Blocking services might be an option (Signal / TextSecure) or not (SMSSecure, pgp/GnuPG).

Promising costs nothing, it's the delivering that kills you.

Working...