UK introduces law to ban civilian encryption, but government policies recommend its use
By Joel Hruska
Last January, in the wake of the terrorist attacks in Paris, UK Prime Minister David Cameron began advocating
for limiting or preventing ordinary citizens from using end-to-end
encryption that the government could not break. Now, the government has
introduced legislation that would ban companies like Apple from offering
end-to-end encryption. What makes this particularly ironic is the
discovery of other documents from earlier this year that show the UK encouraging enterprise and governments to adopt encryption.
Both the BBC and the Telegraph have sounded off about the new powers the government is seeking. According to the BBC,
the new law (the Investigatory Powers Bill) would give government
investigators the ability “to see if someone used Snapchat at 07:30 GMT on their
smartphone at home and then two hours later looked at Twitter’s website
via their laptop at work, but neither the text typed into the app, nor
the specific pages looked at on the social network would be accessible.”
That kind of power isn’t what has privacy advocates and
security researchers worried, however. The IPB also requires that
companies take “reasonable” steps to provide data when a warrant is
issued, even if that warrant applies to encrypted communication.
Companies like Apple literally can’t take “reasonable” steps to provide
law enforcement with information because they no longer have the ability
to peer into their own encrypted devices without user-provided
information.
UK Prime Minister David Cameron has made killing encryption a major initiative
While the bill doesn’t explicitly ban encryption, there’s
been enormous concern about how things will play out if the government
demands access to material that Apple, Google, or another manufacturer
literally can’t provide. A Home Office spokesperson speaking to the
Telegraph said this:
“The Government is clear we need to find a way to work
with industry as technology develops to ensure that, with clear
oversight and a robust legal framework, the police and intelligence
agencies can access the content of communications of terrorists and
criminals in order to resolve police investigations and prevent criminal
acts.
“That means ensuring that companies themselves can access the content of
communications on their networks when presented with a warrant,
as many of them already do for their own business purposes, for example
to target advertising. These companies’ reputations rest on their
ability to protect their users’ data.” (Emphasis added).
Apple’s own encryption system can’t be made compliant with
the new law without changes, which is why so many companies have been
against these types of laws in the first place. Implementing encryption
methods with backdoor decryption only weakens the entire stack. There’s
no way to create vulnerabilities that are guaranteed to remain in the
hands of the white hats, no matter who those white hats happen to be.
ISPs will be forced to retain this data for one year, including the aforementioned data on browsing activities.
Do as we say, not as we do
Meanwhile, in an amusing twist,
a recent report on secure voice communications prepared by the UK
government notes that the public telephone network (PSTN) hasn’t been
considered secure for over a decade. The report contains an entire
section devoted to the security challenges of creating a secure voice
communication system — and it sheds light on the kind of hoops Apple
might be expected to jump through.
From the report:
The ability to support lawful interception and business
practice monitoring is a key requirement of secure voice technology and
it is often overlooked. Solutions which perform end-to-end encryption
generally need to rely on key escrow to support lawful interception.
It goes on to note that the IETF (Internet Engineering Task
Force) has developed a new protocol, MIKEY-SAKKE (Multimedia Internet
KEYing – Sakai Kasahara Key Exchange). MIKEY-SAKKE is designed using
elliptic-curve mathematics. That’s fascinating, considering the NSA
recently issued directives warning companies not to rely overmuch on
elliptic-curve cryptography. That’s not to say that the GCHQ-recommended
standards are already broken, but GCHQ may be contemplating shifting
to encryption methods that the NSA has already compromised.
Alternatively, it could be advocating for the adoption of such standards
precisely because it wants the ability to crack its own code.
Proper encryption implementation is incredibly difficult — the last thing we need is government-mandated backdoors making an already tough situation worse.