63 comments

[ 3.3 ms ] story [ 132 ms ] thread
I am sure I have just read an article which basically says: bo ho we can't decrypt all the security used. Switch the target from paedophiles back to terrorists, so that we can remove the liberties of the nation.
I wonder if he's referring to the fact that they can't hack into tech companies as easily as they did pre-Snowden revelations.

> But Mr Parker, in the first live interview by a serving MI5 boss, said what should be included in new legislation was a matter "for parliament to decide".

Yes, I'm sure the MI5 or GCHQ will offer no input whatsoever to the Parliament and will just let them come up with the legislation on their own.

The fact that he refused to answer the question about whether he agreed with judicial oversight speaks volumes.
You'd wonder how we all survived in the days before the internet, when they had none of this data.
Easy - place bugs in 10 Downing Street:

http://www.theguardian.com/uk/2010/apr/18/mi5-bugged-10-down...

Poor Harold Wilson - 'Just because you're paranoid doesn't mean they aren't after you.' - he was paranoid about being bugged and it eventually turned out that they were.

Yes but Wilson was actually going mad, early onset Altzimers - its tragic and was hushed up for years out of respect for the Man.

Wilson also had his own in house dirty tricks dept who fed his apatite for conspiracy theory's which did not help.

Prior to the Internet where people and spies communicated using radio, telephones, Telex, telegrams, ... those technologies were intercepted by the security services.

For example, in 1967 it was revealed that in Britain all private cables into and out of the UK were being intercepted and given to the security services.

There is nothing new in GCHQ's desire to have access to signals intelligence and to sift through it looking for both metadata patterns (who is talking to who) and actual contents.

All internet communication in and out the transatlantic communication cable is stored and recorded, exactly like telephones were:) The amount of data is so huge that unencrypting it is quite boring. They are getting lazy dis days;P have it plain text would be nicer.. lol?
> He said internet companies had an "ethical responsibility" to alert agencies to potential threats.

As long as keeps it just ethical and not legal responsibility ... oh wait, we are pushing in that direction.

> "It's in nobody's interests that terrorists should be able to [...] communicate out of the reach of authorities."

Since you can't distinguish between 'terrorists', and anybody else, this effectively reduces to our old favourite:

> "It's in nobody's interests that people should be able to [...] communicate out of the reach of authorities."

Ultimately that's their biggest fear. That certain elements that are not friendly to their interests organize either themselves, or organize at the behest of a foreign government to undermine their control over the system. And it's a valid concern. Governments want to maintain their control. It doesn't take much to destabilize a State, they have done it many times they know this to be the case.
I think that largely depends on the State and Government.

Growing up in England, I'd largely say that people have a sense of freedom [how true that is vs. media tainted perspectives is anyone's guess], that despite (allegedly) one of the most extensive surveillance networks in the world, people there don't generally sense a fear of being watched or oppressed... and it's not that people don't know they're on camera somewhere, we're all well aware that someone could be [albeit after the fact] watching our every [public] move, it's just that they don't tend to give it a second thought or care.

I can't say this doesn't affect anyone's behaviour, but I don't feel that my feelings are atypical and it doesn't affect mine.

It's only once there's a tipping point in the volume of people feeling of oppressed that revolutions arise and States destabilized...

...or bad actors use dirty politics to throw countries into financial turmoil, inject a sense of panic into the population and overthrow regimes that are not friendly to their agenda... or back the wrong frenemies and leave a pile of rubble and a want for revenge where there was once [reasonable] stability; even if that stability didn't look like they thought it should or didn't align with their own economic/political agenda.

On another note, pencil & paper never got a virus that tunneled its way around the internet taking over thousands of computers to be used as a bot network for cyber attacks on industry... and when the power went out, I could still use my credit card to pay for things. Most stores appear to have forgotten that ability.

All you have to find is a disgruntled minority with ideological differences and get them to do your bidding. There does not have to be a majority discontent for anything to actually happen. And often it's not really about some sort of change, but rather tying up the government of such countries in local affairs so that they don't have time to contemplate other affairs.
It's worse than that. It's anything else

> "It's in nobody's interests that anything should be able to [...] communicate out of the reach of authorities."

Forcing encryption backdoors compromises systems that do nothing but talk to systems. How'd you feel about a smart grid now that has knowingly insecure crypto.

Further, how do you feel about that knowing that the government has been compromised more than once. It's like let us install backdoors, but how do you know the government is actually secure. In Canada for instance we have had CSIS (our MI5) agents leave important documents in laptops which were then stolen. If backdoors exist anyone can potentially get to them by stealing information from the government.
I saw a catchy sound-bite about this the other day, I think from a US politician:

If you can't protect it, don't collect it.

To me, that seems like a pretty good attitude to handling personal data responsibly.

The absolute most idiotic part is that any slightly intelligent person would use one of the multiple secure algorithms for encryption not controlled by authorities.

In other words, there is nothing they can do short of making encryption illegal; good luck with that.

Even that first premise is wrong in any state with the rule of law. Only crimes have to be prosecuted, not "people" or "communications" and prosecution is always something done "a posteriori."

The above must be understood correctly: I am not advocating that one should not investigate possible criminal plans: because planning some kind of crime (like killing someone) with intent is, ipso facto, a crime.

It is not PEOPLE that the law applies to. It is CRIMES.

We incarcerate people because we do not know a better way to punish them for their crimes, not because we do not want them to be human beings. CRIME-PUNISHMENT, not MAN-JAIL.

The trouble with this principle is that there is some damage you simply can't put right retrospectively, and in this case we really are talking about the government agencies whose remit is to try to prevent those things from happening in the first place. They do have a legitimate need to take preemptive actions in some cases, because otherwise people will quite literally die. The useful questions are about how we can help them to do their job and keep people safe from whatever real dangers are out there, but without doing more harm than good.

In the case of encrypted communications, I'm not sure that will ever be possible, because the dangers of preventing everyone from communicating privately may far outweigh the danger from otherwise unanticipated acts of terror. The politicians want a middle ground solution where only good people have access to the information, but the technologists understand that no such ideal solution can exist here.

You are right. But.

Suspicion about the existence of a crime (and plotting a crime with intent is by itself a crime) is (given enough evidence) reason enough to investigate. That is what you call "preemtive", I guess.

And yes, I am willing to run more risks for the benefit of freedom. Because there are things which are more important than life. And freedom is one of them.

By freedom I mean freedom of coertion, in this context.

It seems like we agree on the general principles here, but I think you have to be pragmatic about applying them.

We all live together in the same society, so we can never have complete freedom and universal rights. If nothing else, sometimes the rights and freedoms we value come into conflict.

A classic example is that in general we might want to protect freedom of expression and we might also respect a right to privacy. However, at some point those competing interests are incompatible, and so we have to try to balance them as fairly as we can.

Finding that balance is particularly difficult in cases where the damage caused from a violation may be very high but such violations are rare in practice. This is probably true, at least in countries like mine, both of fighting real violent terrorism and of real damage from blanket government surveillance. In both cases, we're also concerned about the potential future harm, not just the actual risk of harm today.

Unfortunately, hardly anyone is in a position to realistically assess the risk and make an informed personal judgement about what they think a good balance should be in an ideal world, even before we consider legitimate differences of opinion or the complications of not living in an ideal world.

How would they realistically prevent people from using encryption?
They could make it illegal and require a backdoor on all electronics?
good luck requiring a backdoor on chinese made chips, or trying to ban their import
Mandatory hardware based backdoors, unlimited funding for CPU power to accelerate decryption of intercepted data, etc.
Ban encryption without back doors. Some companies would withraw products, others would comply, maybe some others would protest for a while.

After a while the only option left would be steganography

https://en.wikipedia.org/wiki/Steganography

At which point it seems unlikely they'd be able to do anything other than work on techniques to detect steganography (which they no doubt already do)... which leaves us with a steganographic arms race (which has probably already been the case for some time behind the scenes).

What are some valid alternatives/compromises we could work towards in order to prevent such drastic ideas from being incorporated into law?
I love the idea of using Facebook, Email, Youtube, Instagram etc. to tunnel Tor.

Wonder how difficult it would be?

It's probably already happening just look for slightly different duplicates of the same videos.

The problem here is that tor is largely focused on realtime communications, and stuffing packets through e.g. facebook chat would probably be too slow. It would work great for another anonymity network that was more message-focused with no realtime needs.

That said, you might be interested in tor's meek pluggable transport: https://trac.torproject.org/projects/tor/wiki/doc/meek

Essentially, the idea is that someone buys a VPS hosted on a cloud service with common ingress IPs (such as Google App Engine, Microsoft Azure, etc). Tor clients then connect to it, sending an innocent-looking domain (gmail.com or something) in the TLS SNI header, and then only in the datastream protected by TLS do they expose the tor protocol.

This is of course useless against NSA and GCHQ, which have access to all these cloud providers, but it's very useful for example for people behind restrictive country-level firewalls as the authorities are reluctant to block such large services and it's hard for them to distinguish this from normal traffic.

They couldn't, as this video explains https://www.youtube.com/watch?v=3G8dPAdmyss

If two people really wanted to communicate, they could still do the encryption on paper, and transmit the garbled messages.

Spoiler: The video shows two people using a one time pad to communicate. It doesn't show any reason the government can't ban people from doing that, or stop WhatsApp using good encryption in the UK, or throw people in prison for using PGP. Admittedly that's not going to happen in the UK in the near future, but contrary to popular belief there's no reason you can't make maths illegal.
But it's really quite hard to make using a one-time pad illegal, and even harder to make maths illegal, so practically, while they could install all the backdoors in the world, they would struggle, practically, to prevent people ever encrypting anything.
I doubt they're that bothered about people using one-time pads on paper. I think they're bothered about encryption becoming sufficiently normal that the stuff they want to see is indistinguishable from cat photos. There are measures they can take (legislative and otherwise) to prevent that scenario happening.
Paper aside, I don't see how it would be viable for UK to try to enforce back doors all electronics, ban the import of non-back doored electronics, or enforce a ban on encryption software.

You can make it illegal but it won't stop people from using it

There's also no way they can stop all drug deals, bank robberies and murders, but they still legislate against those things, and I believe that legislation affects people's behaviour.

People will probably always be able to get together in secret underground clubs where they play with one time pads for kicks. This is not what the government / MI5 are seeking to prevent.

If they are trying to prevent major crime or acts of terror with this, it seems like it's doomed to fail - those people will not care whether encryption is legal or not
It's worth pointing out that the government is about to try and push through new surveillance powers.

Despite his protestations to the contrary, he very much is trying to shape UK policy and opinion.

He has the backing of a good part of the UK medias and the establishment: just look at the news surrounding the internal Labour election.
How much more secure would be using codes rather than encryption for "terrorists"? If I were a terrorist, I don't think I'd use encryption as it pretty much guarantees scrutiny.

But, how secure is coming up with some sort of code? Like say, "Honey, can you pick up some milk on the way home." Means the truckload of fertilizer is ready to be delivered or something.

Using a code words etc still leaves you vulnerable to analysis. MI5 here are asking for the ability to request records of individuals or individuals that match certain narrowly defined criteria. So at this point they would have a low level suspicion of you, something they can use to drive analysis. The only reasonable protection at the point of already being in the cross hairs is to use mathematically secure communications.
I'm sure it would (leave someone vulnerable), but I think it would be interesting to see some analysis of how it stacks up to encryption.

Governments have been breaking codes since forever, so I know they're good at it. And with computers, I'm sure it's gotten so much easier.

I'll only believe these "we stopped x number of attacks" quips when that number is given to us by an independent authority who doesn't have a vested interest in making numbers up.

Call me cynical - but I think recent history backs up that position.

I don't think asking for validation of what we're being told is cynical at all. I think that problem is that people think its a problem to ask for proof.
Especially innovations in shower rooms where criminals can communicate without authorities interference. I think every shower room should have a backdoor in form of a chair for an agent to sit and listen.
He should stop spread fear, uncertainty, doubt and terror.
Would it harm national security if they published a list of former security agency employees who are now employed by the security industry? It think it's safe to assume that a very high percentage of former security agency employees end up working in this industry as it is in their area of expertise and the industry could use their connections to the agencies. With all of this in mind, would it not make sense to assume that the terrorism threat could be highly exaggerated or even fabricated?
I heard Admiral Lord West[0] today giving an interview on the BBC radio station '5 live'. In it he sated words to the effect:

"Nobody cares about your emails or if your having 30 affairs".

This is just a variation on the 'if you have nothing to hide' argument which as ever forgets that bothersome dimension - time. Perhaps I have nothing to hide 'now', but who's to say I won't later? Even in very recent history I'm pretty certain that if I was gay I'd be very much regretting making any previous public declaration of my sexuality in Russia say 5 years ago, much less the age numerous examples over the last century where people have been persecuted as government positions changed.

This is a very difficult subject. I value privacy but I suppose I also value honesty. Knowing that what I put online (like this statement) is being surveilled en mass somehow feels better than finding out after the fact.

The flip side to that is then, what's the point of more security powers? Surely if everyone knows they're listening no one will say much of that particular interest? It's common knowledge that the security services have broken 'everything' save for cleanly and properly implemented encryption on a clean system (even then the hardware is breached so air gap it). The 'Bad Guys' know this so the likelihood of obtaining quality intelligence from such mass surveillance seems counter-intuitive to put it kindly.

Those who do use common online services will be the 'low-hanging fruit' and likely so stupid the'd have been caught anyway (maybe we should still pick that fruit, I guess).

The truth is, attacking a soft target like a western country is easy and requires no use of encryption. Just go and get a couple containers of fuel, go on a tube at rush hour with them in a backpack, pull the emergency stop, dump the fuel and light a match. You could probably rig up something custom made to get the job done simply and effectively (with no end of variation to counter your initial 'that wouldn't work'). That sort of thing would probably rival the 7/7 London bombings with just a one man attack (and talking about it will no doubt get me on a list now - wow look at me worrying about self-censoring).

In fact, I'd put £1000 on fire being the next weapon of choice because done properly it's incredibly effective. Could we defend against that sort of attack? No. We can't. That's the truth. We can't really stop anything (or most things) done quickly and where the attackers are themselves prepared to die.

So do we pull down all the (illusions of) freedom we have built up for ourselves in the hope of catching some low hanging fruit? I don't think that's a good idea. After all, the security services must remember that their job is in fact _supposed_ to be difficult (impossible even) and they must struggle to do it whilst maintaining those pesky freedoms the populace deserve that keep getting in the way all the time.

[0] https://en.wikipedia.org/wiki/Alan_West,_Baron_West_of_Spith...

At some point isn't there an argument to be made that they're being lazy? For example, say they gained the ability to inspect every single digital communication and read every message sent, as if that were actually feasible. So people stop sending the messages via the internet.

What's the next thing they're going to do? Install listening devices around the country to listen into private conversations in private homes all around major cities (assuming they already don't do that with mobile phone microphones on standby) ? Once they have that, will they begin exploring how to effectively 'read minds', or do pattern analysis on behaviors of different people as they walk around or sit in cafes or something to look for 'malicious intent behavior' ?

Terrorists will always continue to look for new ways to avoid detection, and these agencies are always going to push for more invasive means of circumventing them. It will always get worse, until we start saying, no thanks, i'd rather risk it. And, hey call me crazy, but maybe even working to stop the root causes of extremism rather than simply waiting for them to boil over could be a good idea.

If you live in the UK and care get ready to start writing to your MP.
You are 8 times more likely to be killed by a police officer than by a terrorist.

Is anyone talking about that?

I agree, more people should be talking about that, but... (a) MI5's budget isn't based on how well it supervises the police, because it doesn't, and (b) MI5 is based in a country where that "8 times more likely" statistic is completely reversed.

"According to data collected by the UK advocacy group Inquest, there have been 55 fatal police shootings – total – in England and Wales from 1990 to 2014." http://www.theguardian.com/us-news/2015/jun/09/the-counted-p...

And this list broadly supports that figure (adding deaths from Scotland and Northern Ireland):

https://en.wikipedia.org/wiki/List_of_killings_by_law_enforc...

Multiple problems with that statistic. (1) you quote England and Wales, what about Scotland and Northern Ireland? (2) The police in the UK do not generally carry firearms and most people that die in/at the hands of the police do not get shot in the UK.
Uh huh.

(1) I already made that point, and linked to data on the UK including Scotland and Northern Ireland. But, it broadly matches up. If you have better data please share it.

(2) The full-UK list I linked to is "people who died directly or indirectly because of the actions of law enforcement officers, regardless of the manner of death". Again, if you have better data feel free to share it.

I have to wonder what point you're trying to make.

The relevant point I made to the parent comment was that the "police kill 8 times more than terrorists" statistic quoted doesn't apply in the context of the UK. Even if manage to quibble the "55 people" stat up to 100 it's still an order of magnitude short of "8x".

Are you saying that UK police do kill 8x more than terrorists?

No I'm saying that your statistics are flawed/selective. The OPs clearly don't apply to the UK at all.
> The OPs clearly don't apply to the UK at all.

Bingo.

The actual article is about a UK agency making a statement about terrorism, and the parent commenter, danlindley, quoted a statistic implying police killings are what MI5 should be talking about instead of cyberterrorism.

You could argue that he wasn't implying MI5 should talk about police killings... but that would remove the last fragile connection between his comment and the actual topic: MI5 & terrorism.

I replied to him to point out why a UK intelligence agency would not be interested in making a statement about the topic he implied they should... that the UK has negligible incidence of police killing civilians and that even if we did MI5 would have no incentive to discuss it.

You can argue my statistics aren't perfect if you like, but to do that would be missing the point.

I was 'surprised' how weak the bbc interview was he lied several times during this interview and they did not pick him up on these lies once.
I stop listening to what the BBC had to say the day they were just "reporting" the project fear during the Scottish Independence referendum. The most notable fact was the report of new oil field discovered in North Sea early 2014, that suddenly couldn't outlive the current decade during the referendum period. Only to be completely resurrected the day after the referendum and the No victory. All reported by the same BBC.
This is familiar it happens to most people eventually when the BBC discusses an issue that one actually knows something about. Their independence since the Iraq war fallout has been seriously weakened.