UK introduces law to ban civilian encryption, but government policies recommend its use

By Joel Hruska 
Last January, in the wake of the terrorist attacks in Paris, UK Prime Minister David Cameron began advocating for limiting or preventing ordinary citizens from using end-to-end encryption that the government could not break. Now, the government has introduced legislation that would ban companies like Apple from offering end-to-end encryption. What makes this particularly ironic is the discovery of other documents from earlier this year that show the UK encouraging enterprise and governments to adopt encryption.
Both the BBC and the Telegraph have sounded off about the new powers the government is seeking. According to the BBC, the new law (the Investigatory Powers Bill) would give government investigators “to see if someone used Snapchat at 07:30 GMT on their smartphone at home and then two hours later looked at Twitter’s website via their laptop at work, but neither the text typed into the app, nor the specific pages looked at on the social network would be accessible.”
That kind of power isn’t what has privacy advocates and security researchers worried, however. the IPB also requires that companies must take “reasonable” steps to provide data when a warrant is issued, even if that warrant applies to encrypted communication. Companies like Apple literally can’t take “reasonable” steps to provide law enforcement with information because they no longer have the ability to peer into their own encrypted devices without user-provided information.
UK Prime Minister David Cameron has made killing encryption a major initiative
While the bill doesn’t explicitly ban encryption, there’s been enormous concern about how things will play out if the government demands access to material that Apple, Google, or another manufacturer literally can’t provide. A Home Office spokesperson speaking to the Telegraph said this:
The Government is clear we need to find a way to work with industry as technology develops to ensure that, with clear oversight and a robust legal framework, the police and intelligence agencies can access the content of communications of terrorists and criminals in order to resolve police investigations and prevent criminal acts.
That means ensuring that companies themselves can access the content of communications on their networks when presented with a warrant,
as many of them already do for their own business purposes, for example to target advertising. These companies’ reputations rest on their ability to protect their users’ data.” (Emphasis added).
Apple’s own encryption system can’t be made compliant with the new law without changes, which is why so many companies have been against these types of laws in the first place. Implementing encryption methods with backdoor decryption only weakens the entire stack. There’s no way to create vulnerabilities that are guaranteed to remain in the hands of the white hats, no matter who those whitehats happen to be.
ISPs will be forced to retain this data for one year, including the aforementioned data on browsing activities.

Do as we say, not as we do

Meanwhile, in an amusing twist, a recent report on secure voice communications prepared by the UK government notes that the public telephone network (PSTN) hasn’t been considered secure for over a decade. The report contains an entire section devoted to the security challenges of creating a secure voice communication system — and it sheds light on the kind of hoops Apple might be expected to jump through.
From the report:
The ability to support lawful interception and business practice monitoring is a key requirement of secure voice technology and it is often overlooked. Solutions which perform end-to-end encryption generally need to rely on key escrow to support lawful interception.
It goes on to note that the IETF (Internet Engineering Task Force) has developed a new protocol, MIKEY SAKKE (Multimedia Internet KEYing – Sakai Kasahara Key Exchange). Mikey Sakke is designed using elliptic-curve mathematics. That’s fascinating, considering the NSA recently issued directives warning companies not to rely overmuch on elliptic key cryptography. That’s not to say that the GCHQ recommended standards are already broken, but the GCHQ may be contemplating shifting to encryption methods that the NSA has already compromised. Alternately, it could be advocating for the adoption of such standards precisely because it wants the ability to crack its own code.
Proper encryption implementation is incredibly difficult — the last thing we need is government-mandated backdoors making an already tough situation worse.

Comments