59 comments

[ 3.6 ms ] story [ 118 ms ] thread
>“end-to-end encryption poses an unacceptable risk to user safety and society. It would prevent any access to messaging content and severely erode tech companies’ ability to tackle the most serious illegal content on their own platforms, including child abuse and terrorism.”

Implying that any system which looks to casual users e2e encrypted now isn't, like the web. Are they ready to open that can of worms?

"... and asking for stricter regulation of the technology"

Like, stricter regulation of mathematics?

Right now, mass consumer use of technology for communication is predicated by:

1. There being a service provider that is a legal entity. 2. The service provider providing the client software. 3. The service provider gatekeeping to the social network that makes the system useful. 4. Consumers not generally being able or willing to interfere with their client end software to add E2E on top of what the service provider does, even if that is technically feasible.

Under these conditions, mandating backdoors through regulation is perfectly feasible, regardless of mathematics.

Maybe one day we'll see true P2P software that users actually control, with no central entity that the government can coerce, actually being used by the mass market. Until then, it's not defying mathematics at all to mandate backdoors.

I would argue connecting child abusers is a pretty niche market.
And enabling child abusers is even more niche, yet houses are still sold without built-in surveillance cameras, that would let law enforcement look at the recording of what you were doing (with a warrant, of course!)

But as it stands, private houses are warrant-proof places where anything can happen.

https://www.wired.com/2011/05/warrantless-house-search/

> yet houses are still sold without built-in surveillance cameras, that would let law enforcement look at the recording of what you were doing (with a warrant, of course!)

yet, but it could come. I can imagine offline AI detector that spies on you 24/7 in your house and only sends footage when it detects something illegal so the police wouldn't do the monitoring. I could see plenty of people being ok with that specially if it's advertised as a good way to proof your innocence.

I mean... people are already dumb and security-blind enough to willingly implant surveillance bugs into their homes (Alexa, Google Home, un-neutered smart TVs etc.). Just because these are manufactured and controlled by the private sector doesn't mean it's not just a stepping stone for some kind of mandated surveillance equipment installed into homes in future.

No. Thanks.

Imagine people could see on their telly what they said during the day and number of likes from the officers who watch them. The more correctly you behave, more likes you get and maybe a tax rebate. This is going to be the future. Modern politics in the UK is heavy influenced by R Thaler. People are being slowly nudged towards such concepts.
You can still communicate with end to end encryption even if they setup mitm. You just need to exchange keys and then encrypt/decrypt yourself. If this becomes a law someone will quickly come up with such an extra layer. It is going to be a cat and mouse game, people will have no privacy and criminals will always find a way, as you cannot regulate maths.
> You can still communicate with end to end encryption even if they setup mitm.

I already considered this in my predicate: 4. Consumers not generally being able or willing to interfere with their client end software to add E2E on top of what the service provider does, even if that is technically feasible.

I am sorry, you're right. I wonder what would happen to someone and something that would make it easy for your own encryption on top.
France actually banned non approved use of encryption algorithms/math in the 90s so there's some precedence.

https://www.theregister.com/1999/01/15/france_to_end_severe_...

Governments that issue patents on math/algorithms/software already claim the power to forbid you to use them. They just need to patent all public encryption algorithms, in perpetuity.

(Sarcastic? Who knows?)

>> One industry source who has spoken with government figures is skeptical that such a radical scenario will come to pass

And yet the Investigatory Powers Act[1] passed into law in the UK and has never been repealed.

We haven't seen a headline like "local ambulance chief spied on my wife's porn browsing habits" so far but I do wonder if there have been any abuses by now?

[1] That's the law which allows people like your local fire chief or food standards agency to download a copy of your browsing history without a warrant. From the legislation itself, here are the surprisingly large list of people:

https://www.legislation.gov.uk/ukpga/2016/25/schedule/4/enac...

Getting a warrant in the UK is not some huge effort, in the worst cases it can take just under 1 month but regularly can be under 35 minutes.

i assume in days of https, most of the history they would be able to obtain are only domain names, not specific URLs, right?
Hence the desire to backdoor all encryption to see the full juicy details. Also the reason DNS over HTTPS exists and is spreading.
Does DNS over HTTPS allow the dns provider to see beyond the domain name?
Since DNS (Domain Name System) only deals with the domain names themselves, any DNS resolver (communicated to via HTTP, TCP, UDP, QUIC or what have you) will only resolve a domain name => IP address. Adding a path in there makes no sense.
They can see the IP address of the machine making the request, if that's what you mean.
I am guessing the parent commenter is wondering if the full URL can be deciphered from DoH.

In the way DoH is being used in practice, it alllows third parties to collect histories of DNS lookups for myriad users, separated by individual program. In other words, the third party can tell which program was used by a given user to initiate any given DNS lookup. The program often reveals identifying information about the device on which it is installed. Other parties collect user data pertaining to IP address and device.

Device fingerprinting, i.e., associating a given user with a given device, is in widespread use purportedly "as a security measure" by "tech" companies like Facebook. Can we be sure the data collected is also not being used for other purposes.1

Combine the DNS program+IP fingerprint with, e.g., a web browser+IP fingerprint and now we can potentially identify a user from DNS lookups.

Now consider that Facebook prefixes all external URLs posted to Facebook pages (including external URLs posted in messages) so that any clicks on these URLs are captured, and the HTTP requests to non-Facebook sites are redirected via Facebook servers, again as a purported "security measure". Can we be sure the data collected is not also being used for other purposes.1 Thus Facebook has a history for each user of the URLs in Facebook pages/messages that the user clicks/follows.

The problem with DoH in practice is that it is being used almost exclusivelt to provide third party DNS. When we use third party DNS we give anyone (e.g., a "tech" company, a government, etc.) the potential opportunity to obtain from the third party (e.g., through subpoena, acquiring assets through merger, undisclosed data breach, etc.) complete DNS lookup histories for users' individual programs. There is no need to do this because there is no technical need to use third party DNS. And, of course, DoH does not have to be used only by third party DNS providers, so DoH itself is not the problem.

1. If I recall correctly, Facebook in the past has been caught lying about collecting telephone numbers "only" as a security measure.

Makes sense, thanks for explaining the bigger picture.
Except if you have a root certificate, then you can MITM you heart away. Which govs probably have.
yes, but it'd be the ISPs storing the internet history
Backbones have the reputation of being filled with intercepting devices from various entities, including gov's own.
wouldn't certificate pinning partially prevent this though? i'm not saying this is impossible, but for regular ISP-logged data that some schmuck wants access to, rather than a 3 letter agency or whatever, i doubt this is much of a concern
Intercepting at line rate isn't a thing. Recording absolutely happens, but that's why we're talking about End to End Encryption. It would suit snoops very much if what they recorded wasn't 90% unintelligible noise.

Right now they get a good idea which sites are visited (because of Server Name Indication) by web browsers, and they get some portion of email (sent in the clear) plus a small fraction of web traffic (HTTP-only) and numerous older unencrypted protocols.

In particular they also get most of DNS. DPRIVE work (DNS over TLS, DNS over HTTPS, and eventually DNS over QUIC) reduces that considerably. Future DPRIVE work also includes oblivious transfer (you ask say Google to do a DNS lookup on your behalf, they learn who you are and which DNS server was asked but not what you asked it, the DNS server learns what was asked but not who you are, you get your answer).

Or of course, if you're particularly worried, you use Tor and everything on the snoops' screens dissolves into noise.

A root CA certificate doesn't allow you to "MITM you heart away". Its purpose, as would be clear if you think about what the CA does with it, is to sign other certificates for keys which in turn are used to sign certificates that identify machines.

So first of all this hypothetical government would have to issue itself certificates for any sites it was interested in intercepting, and intercept the traffic to impose a MITM. It has to do this live or it won't work. Every time it does this, it provides the other participant a smoking gun, which is to say evidence - in the form of these bogus certificates.

But wait, if you run Chrome, Safari or similar browsers, these certificates just won't work. To be functional the government has to obtain proof they were logged for everybody to see - in the Certificate Transparency system. Without that the user just gets an error telling them the certificate isn't logged and can't be trusted.

If they were logged, we all get to see them. Do you see them? No, because this isn't actually a thing. It's a paranoid fantasy.

I think they meant unrestricted signing certificate. A few CA's have been caught providing this to external entities and have been pulled from trust stores. The cynical side of me assumes the behavior just moves to another shell company. For those curious how to mitigate or at least identify when this is occurring, you could trust transparency reports, or if you don't trust those, then log certificate fingerprints of the sites you visit.

  for domain in $(cat ./mydomains.txt); do echo -en "${domain} "; openssl s_client -servername "${domain}" -connect "${domain}":443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin; done|sort -k2 -t"=" | awk {'print $NF "\t" $1'} | column -t

  Fingerprint=4C:B1:F9:42:9A:58:CB:E2:7F:92:27:A9:41:5B:15:8B:01:3B:D1:64  ycombinator.com
  Fingerprint=98:70:50:FF:B9:05:CA:D3:A7:9A:85:96:C2:12:0D:B9:7C:03:A1:65  news.ycombinator.com

It's probably also worth logging the creation/expiration dates too, given that certs expire so much quicker these days. If you wanted to make this information even more useful, have people all around the world run this and feed it into a distributed database and log the ISP the test was run from so that you can see if a particular ISP has been compromised. That is how some folks I know in Africa found out their ISP was using BlueCoat proxies and that the certs were being installed as part of their ISP's required package downloads.
This seems like an over-complicated non-solution. If your browser is trusting some other root, you can see that information in the browser. For example if I click the padlock for this site, and pick More Information / View Certificate, sure enough this is a certificate issued from DigiCert.

But also, it's basically game over if you agree to run arbitrary software other people pick, so that's where the real problem is for the African case you describe.

(comment deleted)
(comment deleted)
What about specific lengths of the documents, linked from pages which may be known or be easy to guess (earlier visited, front page or known size)?
Getting a warrant to spy on your neighbours wife would be like robbing a bank and leaving a note for the cops.

It's literally a crime done right in front of the police, with official records and signatures for you to be prosecuted.

The Justice system has all sorts of power. A cop can arrest you, right now, for no reason at all - which is totally against the law, but he could do it, you'd have to file a redress and hopefully they'd be charged.

So the issue isn't really about encryption, it's about the integrity of our systems.

We'll get 10x further by improving processes than otherwise.

Technology can help, but it's secondary.

This all only works in theory. In reality police in the UK is mostly useless if you tried to report a crime. They won't touch anything unless it gets them PR points or you present all evidence, track the perpetrators and so on and still they may drop it because the judge wouldn't give them time so why bother. It's a problem that media don't talk about.
This is true with with minor crime. It's not true at all of violent crime, or serious cases; if you're knocked down by a drunk driver, the police absolutely are very good to you and do -- eventually -- get there. Minor theft? Expect less. Copyright infringement? Hope you are a big player, otherwise piss off...
From my experience I disagree, even violent crime not always gets followed up. It's usually down to who committed it, who reports it, what is the chance of public outrage if ignored etc. It is maybe different in other parts of the country, sure.
Mike Birbiglia has a whole one man show centered around being ordered to pay damages on the drunk driver who hit him - due to a sloppily written police report.
> It's literally a crime done right in front of the police, with official records and signatures for you to be prosecuted.

How does the party know they have been wronged? Are they notified that someone has been given access to their browsing history?

It's always either "Think of the children!" or "X will only be used to investigate the most serious of crimes like terrorism, rape and murder" which shortly afterwards is then (quietly) forgotten about when something like browsing history etc. can be downloaded by basically anyone in government(s).

Maybe there is a restriction snort where such an action requires a warrant but considering that "judges" and "courts" for that (like that infamous US secret court, seriously WTAF) are basically rubber-stamping enthusiasts, it's not actually a restriction and just compromises end user privacy and (online) information security.

"Backdooring E2E encryption"/"Private key escrow" are some other examples of unrealistic and ultimately harmful things called for by technologically inept, old people who inexplicably have been granted the power to devise laws that will most likely only show their full effects years or decades down the line when most of those legislators are either already dead or don't have to worry about the consequences of such legislation anyway ("I don't even use a computer, what do I care? The internet is just full of criminals anyway." quote from my 80-something grandmother). In German there is a nice idiom for that kind of thought pattern: "Nach mir die Sintflut" (something like "After me, the flood/deluge" from what I could find). At the same time these old people and their accomplices - indoctrinated middle-aged people - try to stem the flow of young people into politics if their ideologies do not align with the elderly agenda by e.g. accusing them of trying to oppose the protection of children or something equally effective in the mass media (via the excuses mentioned above).

It's all just so fucked up...

> In German there is a nice idiom for that kind of thought pattern: "Nach mir die Sintflut"

Interestingly this is originally a French saying by Louis XV, Après moi, le déluge [0]. From wiki:

> It is generally regarded as a nihilistic expression of indifference to whatever happens after one is gone, though it may also express a more literal forecasting of ruination. Its meaning is translated by Brewer in the forms "When I am dead the deluge may come for aught I care", and "Ruin, if you like, when we are dead and gone."

It looks like the German translation of the same idiom was popularised by Marx [1].

[0] https://en.wikipedia.org/wiki/Apr%C3%A8s_moi,_le_d%C3%A9luge

[1] https://de.wikipedia.org/wiki/Nach_uns_die_Sintflut

Huh, that's interesting, I'd only ever heard of it in German from my family members.

TIL.

We have the same idiom in Lithuanian, literal translation from the French: "Po mūsų nors ir tvanas".
Do UK and the four other Eyes play musical chairs or something to decide which of them takes a turn attacking privacy and confidentiality online? Sneaky headline wants me to think of them in a vacuum.
They want to compromise entire country security, just to make it easy for LE. Problem is that I doubt it will help in any way because criminals will still be able to communicate with e2e if they will be encrypting traffic themselves and then disguise it as normal text etc. It will be a cat and mouse game. Not sure why they don't sack people coming with such stupid, totalitarian and abusive ideas.
Yeah, how long before it's illegal to send storage devices through the mail? Packages scanned, no storage device shipping permit, package captured and opened, sender/reciever prosecuted for trafficking encryption keys.
Then stop and search and looking through phone for encryption software and so on... It's looking bleak ...
Is there any co-ordinated political response to this in the UK? Where do I sign up?
Vote libertarian. Governments will do what they can to make their jobs easier, to show off success. I know left leaning people are going to dislike that, but it's a double edged sword - if you want eg a national health system, you're going to end up with the government telling you to eat your five vegetables each day.
With private healthcare system, the difference will be that private company will be telling you to eat 5 vegs a day, then they will require that you take a photo each time you eat a veg and so on and if you don't you'll be left with nowhere to go for help. No thank you. I get that national health service is mostly rubbish, but it's better than nothing and if you are poor, it's your only chance and you can always have an option to go private.
If health care was properly private (not pseudo private) it would be really cheap. I had private health care in Spain / Gibraltar and it was relatively quite cheap.

The NHS is a massive money sink that always requires more money to keep on operating. I've heard the chant of "Save the NHS" since I was a child. As someone who parents are Labour voters (my ancestors used to work in the mines) even they are starting to think it might not be worth it.

I don't want to be "blackpilled" about it. But there is literally nothing that can be done about it. None of the politicians in the UK seem to care about freedom of speech, right to privacy or anything else that is classically liberal. Everyone in the UK either supports it or is resigned to it. Also almost nobody in the IT industry seems to care about it either (I've worked at quite a few places as a consultant).
There is nothing that you can do about it, so people are just apathetic. Only way to change something is by voting, but there is no party that would have a chance of winning that would support freedom of speech. People literally think that if you have nothing to hide, then you have nothing to worry about. When I tried to move some of my friends to Signal and told them that someone can read our messages, they just said so what. You also have this propaganda about being open, transparent with everything that you do and people share things themselves and they find it enjoyable.
Getting people to move from something like Whatsapp to Signal is almost impossible. I have no intention of even living in the UK in the next few years to probably one of the overseas territories again (they are starting to tax the hell out of the things I make a living on).
>Only way to change something is by voting

Any party with a chance of winning gets coopted.

The only real way to change is to participate in internal party politics machinery, and be prepared to play dirty, because they certainly will.

> There is nothing that you can do about it, so people are just apathetic.

Just to expand on this. It is just recognising the state of current situation. A lot of people in the UK support the state in some form or another and if the state tells you encryption is for terrorists or criminals then as far as they are concerned it it is for terrorists and criminals. Almost everyone in IT *might* grumble about it but that is as far as it goes.

People outside of that view point are seen as eccentric, crazy or "conspiracy theorists" even after you point to real abuses of the current snooping from GCGQ (e.g. people spying on their former spouses) that has rock solid evidence.

There is no political will in any mainstream party, even the non-mainstream ones don't care. The citizenry is apathetic, the professionals in the industry that work here are apathetic. In fact the very opposite exists, people seem to love it when the politicians do tyrannical things. There is also no real difference in the mainstream parties. I haven't voted in years because there is nobody to vote for who is worth a damn.

I am so fed up of fellow citizens. I am moving once the COVID situation is resolved as mentioned in another comment.

So if I use HTTPS and encrypted DNS what's my risk here? What are they able to record?
I am not a lawyer so sorry if this is obvious, buy how can a country been the use of software that is made in another one?

I read country X is trying to ban Y, and every time I just wonder: how?

I can download something off GitHub (except if the ban is in the US), or a copy somewhere else.

Ideally, developers wild set a multi country repository with a canary and be done.