[Closed] End to end encryption: OMG think of the children!

Posts: 23339
Free Member
 

And, in other news, attendees at the Winter Olympics (well, US attendees at least) are being recommended to use burner phones whilst in China. Presumably, this wouldn’t be needed if end-to-end encryption was more widely available…

Many UK companies have the same policies when travelling to the US…


 
Posted : 20/01/2022 10:53 pm
Posts: 7203
Full Member
 

Many UK companies have the same policies when travelling to the US…

Many US companies (mine at least) have similar.


 
Posted : 20/01/2022 10:55 pm
Posts: 13349
Free Member
 

@grum You might find the monthly Schneier newsletter enlightening. There's a whole lot of security theatre used by governments to suppress their populaces. It can be a depressing read when one realises what abuses are enacted by the nation's leaders.


 
Posted : 20/01/2022 11:06 pm
 grum
Posts: 4531
Free Member
 

I'm aware of the abuses Sandwich, I'm just saying privacy is a double-edged sword. I tend to lean towards favouring the privacy side but lots of you seem very blasé about the potential consequences.

As mentioned already it isn't just the NCA making warning noises about this.

https://tfn.scot/news/childrens-charity-calls-for-debate-on-how-private-messaging-is-encrypted

Maybe the NSPCC are in on the conspiracy.

So might toilet roll, shall we ban that too?

That's a really dumb flippant comparison about a pretty serious topic.


 
Posted : 21/01/2022 12:00 am
Posts: 78537
Full Member
 

Flippant, yes. Dumb, no. This is my day job.

Anyone can make "warning noises," what's that even supposed to mean? You saw the date on that article you linked to, right?


 
Posted : 21/01/2022 12:25 am
 grum
Posts: 4531
Free Member
 

Your day job is what? Being blasé about child trafficking and sexual exploitation?


 
Posted : 21/01/2022 12:28 am
Posts: 78537
Full Member
 

Yes, yes that's absolutely my day job. Totally what I meant.

I've known you a long time Grum, I never had you down as a berk. I might be winging it on politics and legal threads and I totally hold my hand up there, but I'd like to think I kinda know a bit about computers.


 
Posted : 21/01/2022 12:30 am
 grum
Posts: 4531
Free Member
 

I was doing flippant too, you started it.

I still don't get why none of you are even slightly concerned for the potential abuse of this.

Have you not seen what happens on Telegram already? It's full of Nazis and people selling quack supplements and all sorts of awful shite.

He, FB already has groups where people trade advice on how to give their autistic kids bleach enemas to try and 'fix' them. This will make it much easier for them.


 
Posted : 21/01/2022 12:32 am
Posts: 0
Free Member
 

I am not saying your opinion is wrong grum, just different to mine. But please believe me I am not blasé about the consequences, I have just come to a different conclusion to you.


 
Posted : 21/01/2022 12:33 am
Posts: 78537
Full Member
 

Heh. Point.


 
Posted : 21/01/2022 12:34 am
 grum
Posts: 4531
Free Member
 

I am not saying your opinion is wrong grum, just different to mine.

I don't really know what the answer is but I think some people are deluded thinking there are no downsides to privacy.


 
Posted : 21/01/2022 12:36 am
Posts: 78537
Full Member
 

Are you actually trolling? That's out of character if so.

If you're serious then I'll pick this up tomorrow, it's been a long day.


 
Posted : 21/01/2022 12:53 am
Posts: 31105
Full Member
 

We can do away with secure interactions in the name of making it harder for criminals, but all that will do is empower criminals by giving them access to our transactions. It’s like saying kids will be safer if we all leave our front doors open, as people will have less privacy in which to do harm to children. That’s fine ‘till you find people in your home, taking your passports, your payment cards, your daughter’s diary… and the criminal will just get a second hidden closed and locked door fitted in their house to hide behind anyway.


 
Posted : 21/01/2022 1:24 am
Posts: 0
Free Member
Topic starter
 

Have you not seen what happens on Telegram already? It’s full of Nazis and people selling quack supplements and all sorts of awful shite.

He, FB already has groups where people trade advice on how to give their autistic kids bleach enemas to try and ‘fix’ them. This will make it much easier for them.

I get tons of junk emails every day but none of what you're telling us is relevant to the availability of E2E encryption....and who are you to be the arbitrator of what "content" is "acceptable"...


 
Posted : 21/01/2022 2:18 am
Posts: 44822
Full Member
 

https://www.theguardian.com/technology/2022/jan/21/end-to-end-encryption-protects-children-says-uk-information-watchdog

The ICO, which oversees the protection of people’s data in the UK, believes that end-to-end encryption is one of the most reliable ways of protecting the data of people who use large messaging platforms. Bonner said encryption protects children by preventing criminals and abusers from accessing their pictures – which could expose them to the risk of blackmail – and their location.


 
Posted : 21/01/2022 3:08 am
Posts: 13349
Free Member
 

This morning The Register has an opinion piece about encryption. This acknowledges that there is potential harm to children but also points out you wouldn't chat to HMRC on unsecured links and the money being spaffed on Saatchi and the campaign would be better spent on direct assistance to children at risk of harm.

EDIT The comments on the linked article gave a link to Schneier that lays it all out quite nicely though it's a bit of a long read. This is one of those times we need to listen to the experts as our political class don't know about this stuff.


 
Posted : 21/01/2022 8:50 am
 grum
Posts: 4531
Free Member
 

Also from your article TJ

Responding to the ICO, the NSPCC said end-to-end encryption offered privacy benefits but put children at risk if it was poorly implemented. “That’s why the NSPCC wants companies to risk assess end-to-end encryption and balance the privacy and safety requirements of all users, including young people, to ensure it is rolled out in the best interests of the child,” said Andy Burrows, head of child safety online policy at the charity.

Just doesn't seem very dastardly or unreasonable to me. 🤷‍♂️

Will check out your links Sandwich.


 
Posted : 21/01/2022 10:03 am
Posts: 78537
Full Member
 

Do we recognise the NSPCC as world-leading authorities in cryptography and encryption?

What does "poorly implemented" mean here I wonder? "If you do something poorly then it won't be very good" is something of a tautology.


 
Posted : 21/01/2022 10:42 am
 grum
Posts: 4531
Free Member
 

Do we recognise the NSPCC as world-leading authorities in cryptography and encryption?

Do we recognise FB and other tech nerds as experts in child protection?

You seem to think that techies are the only people who should be allowed an opinion on this. You really do work in IT don't you.

I'd also be very surprised if the NSPCC don't have tech experts on staff or at the very least as consultants.

What does “poorly implemented” mean here I wonder? “If you do something poorly then it won’t be very good” is something of a tautology.

Why not engage with what they are actually saying rather than trying to nitpick over phrasing?


 
Posted : 21/01/2022 10:43 am
Posts: 78537
Full Member
 

Ah, you added this after I replied.

I still don’t get why none of you are even slightly concerned for the potential abuse of this.

Because, fundamentally, the pros massively outweigh the cons. There is no scenario where weaker security is a good idea because, why then have security at all? Would you have a plastic link in the middle of a bike lock in case the lock jammed? The notion that a backdoor would only be used by the good guys is fallacious as I explained on the previous page, one of the primary cybersecurity threats today is a bunch of exploits that the NSA accidentally lost control of. And you want to hand this sort of weapon - because make no mistake, that's what we're describing here - over to Boris? I wouldn't trust him with the keys to a Nissan Micra.

"Yes but terrorists and paedophiles" is a compelling appeal-to-the-heart but if we're not just a little bit careful it quickly goes all Brasseye. Terrorists use a specific model of Casio digital watch (the F-91W, aka "the sign of Al Qaeda") to synchronise their attacks and control time bombs, is anyone suggesting that Casio should make them less accurate? No? Why do we think that might be?

It would surely be ludicrous to even consider that the solution to preventing time bombs might be to make everyone with a Casio watch not know what time it is properly. I feel like I've just dropped a couple of IQ points just typing that! Even if we were to implement it, it likely wouldn't affect the thousands(?) of watches already out there and in any case the net result wouldn't be that the bombers would go "oh well, guess we can't do that any more" and take up macramé, but rather that the terrorists would just use a different watch and a lot of regular people wouldn't be able to trust that their watch was telling the right time.

So, why are we having the same argument about secure messaging?


 
Posted : 21/01/2022 11:08 am
 grum
Posts: 4531
Free Member
 

I do get your points Cougar but I don't think it's as simple as you're making out. We aren't talking about hamstringing a Casio watch. We're talking about introducing new features to a Casio watch to make it easier to trigger bombs and telling everyone who worries about this a dumby/fascist.

“Yes but terrorists and paedophiles” is a compelling appeal-to-the-heart but if we’re not just a little bit careful it quickly goes all Brasseye.

Yes this threat is obviously overused and in a manipulative and disingenuous manner but does that mean it's always completely untrue? The Register article admits there's the potential for increased risk to children but then just kind of glosses over it.

Surely there's always going to be a sliding scale or balancing act between freedom/privacy on one hand and state control/intervention/security on the other. I don't have much time for absolutism in either direction.


 
Posted : 21/01/2022 11:15 am
Posts: 78537
Full Member
 

Do we recognise FB and other tech nerds as experts in child protection?

But that's not the same thing.

Say Finance need a new accounts package. I would expect them to evaluate what's on offer and decide what is suitable for their needs. I would not expect them to start dictating to IT the CPU cores, RAM and disk space requirements.

Turning that around, equally I wouldn't expect IT to go to Finance saying "we've chosen you a new Accounts package." They've no idea what Finance actually require for their job any more than Finance knows what IOPS and gigaflops are. And neither of them really needs to if they trust the other to know what they're talking about.

IT don't need to be experts in child protection. They need to provide responses and solutions to concerns.

You seem to think that techies are the only people who should be allowed an opinion on this.

No. What I think is that we should recognise fields of expertise. "We need to make messaging safer" is an opinion you take to people who know how to make it safer. "We need to start installing backdoors in software" isn't an opinion, it's putting a random solution ahead of a hypothetical problem. Compare:

We think end-to-end encryption is a problem, so we need to break it.
We think end-to-end encryption is a problem, how do we improve it?

You really do work in IT don’t you.

No, I don't.

I’d also be very surprised if the NSPCC don’t have tech experts on staff or at the very least as consultants.

Neither you nor I have any idea whether they do or not. As above, if they trust the experts then I'm not entirely sure why they'd need to.

Why not engage with what they are actually saying rather than trying to nitpick over phrasing?

I'm not nitpicking. Rather that entire quote says nothing. It says they're concerned - and rightly so - and then pushes responsibility straight back on to companies to "assess risk." We already do that, we do it daily.


 
Posted : 21/01/2022 11:21 am
 grum
Posts: 4531
Free Member
 

We think end-to-end encryption is a problem, how do we improve it?

I think there's a danger that tech people are so focussed on making the tech work brilliantly that all other considerations fall by the wayside. The way you and others talk about encryption almost make it sound like a cult that cannot be questioned.

And neither of them really needs to if they trust the other to know what they’re talking about

What's your level of trust when it comes to FB as a company? I put them in a similar category to Pol Pot or Hermes.


 
Posted : 21/01/2022 11:26 am
Posts: 78537
Full Member
 

We’re talking about introducing new features to a Casio watch to make it easier to trigger bombs

But it's easy for them already so what does that gain?

does that mean it’s always completely untrue?

Of course not. Just because the vast majority of conspiracy theories are of the flat earth variety doesn't mean that MKUltra is impossible. JHJ will be the first to tell you when one of his fire-hose theories actually gets a hit.

The Register article admits there’s the potential for increased risk to children but then just kind of glosses over it.

Because El Reg is many things but it's not silly. Let me give you another example. Actually, I'm going to post this and then type that up because I have actual work to do. I'll be back shortly.


 
Posted : 21/01/2022 11:34 am
Posts: 78537
Full Member
 

The way you and others talk about encryption almost make it sound like a cult that cannot be questioned.

It's not that it cannot be questioned. It can and absolutely should be questioned. It's critical that these things are questioned, even.

You're just not listening to the answer.


 
Posted : 21/01/2022 11:35 am
Posts: 31105
Full Member
 

The way you and others talk about encryption almost make it sound like a cult that cannot be questioned.

Or that it is an essential core part of the way we all communicate and do business in 2022.


 
Posted : 21/01/2022 11:38 am
 grum
Posts: 4531
Free Member
 

Or that it is an essential core part of the way we all communicate and do business in 2022.

Including paedophiles, terrorists and drug traffickers.

https://www.vice.com/en/article/3aza95/how-police-took-over-encrochat-hacked

How will making encryption better/more prevalent not make operations like this impossible?

If we use the example of roads: yes criminals use roads too and no-one suggests banning roads. But we do put restrictions on their use like you have to be licensed, there are speed limits, cameras, MOTs etc. Explain to me how this is different.

You’re just not listening to the answer.

Your answer isn't necessarily the answer.


 
Posted : 21/01/2022 11:48 am
Posts: 31105
Full Member
 

I like your road example. Now what do you propose for end to end encryption... we're all ears...


 
Posted : 21/01/2022 11:56 am
Posts: 7203
Full Member
 

How will making encryption better/more prevalent not make operations like this impossible?

From a cursory read of the article, it seems the exploit used to gain access to the message network required initial physical access to a phone.


 
Posted : 21/01/2022 12:00 pm
 grum
Posts: 4531
Free Member
 

I like your road example. Now what do you propose for end to end encryption… we’re all ears…

I dunno I'm not a techy 😛

But are we really saying there's literally nothing that can be done to mitigate the extraordinary opportunity this represents for criminals - we just shrug our shoulders and say 'oh well'?

Can I also just ask why people think FB (sorry, Meta) are doing this? Is it a commitment to privacy for users? 🤣


 
Posted : 21/01/2022 12:02 pm
Posts: 8762
Full Member
 

I'm not really sure what's being debated anymore but as I see it:

End-to-end encryption has upsides and downsides

It's a personal opinion if you think the upsides outweigh the downsides (I do)

Anyone saying there are no downsides to end-to-end encryption is wrong (this is the point I've been trying to make, and I work in a team providing IT services to a government agency I can't name :p )


 
Posted : 21/01/2022 12:04 pm
Posts: 78537
Full Member
 

Earlier I said: "Let me give you another example."

Let's change out a couple of your questions and look at vaccines:

The way you and others talk about encryption vaccination almost make it sound like a cult that cannot be questioned.

I'm sure most of us will agree that vaccination is a benefit to society, it's a mature science and proven to be highly effective. Yet some people are still sceptical and worried about potential harm. Which, y'know, is good, as above people should be asking questions.

but does that mean it’s always completely untrue?

Here's the rub. No-one is saying that it is completely untrue. Of course sometimes things go wrong, you're absolutely correct. People can have allergic reactions, sometimes severe ones.

What do we do about that? Do we undertake a risk analysis (which, let us not forget, is exactly what the NSPCC spokesman was asking for above), or do we slam the brakes onto the vaccination programme?

Spoiler: that vaccination risk analysis? It's already been done, many times over, decades ago. We know what we're doing these days, the only people arguing against vaccination today are people who either don't understand it or don't want to understand it.

Spoiler #2: The same is true of encryption. Folk may be screaming "why won't you think of the children?" but the answer is, we already have. See Kelvin's excellent post near the top of this page - putting an intentional vulnerability in encryption will not make them safer, it will do the opposite. This is not my "opinion," this is fact and one which has been proven many times over.

If you take nothing else away from this, please believe me on one point: if we compromise security, the bad guys will exploit it. It really is that simple. It's low-hanging fruit, it would just be a matter of when. Pinky promise.

Your answer isn’t necessarily the answer.

I'm rather afraid that it is.


 
Posted : 21/01/2022 12:10 pm
Posts: 7203
Full Member
 

Can I ask why people think FB (sorry, Meta) are doing this? Is it a commitment to privacy for users?

Messenger will lose market share to one of the other platforms that they own (WhatsApp).
Messenger requires a Facebook account, and they don't want to lose Facebook accounts.

Anyone saying there are no downsides to end-to-end encryption is wrong

Don't think anybody is saying that.

As I've understood it, they are saying that systems exist in the wild already, and bad guys are already using them.
Not implementing it for widely used platforms just means ordinary people are less protected than criminals from other criminals...


 
Posted : 21/01/2022 12:10 pm
Posts: 78537
Full Member
 

What’s your level of trust when it comes to FB as a company?

You know what, this is a great question. Let's say "somewhere between slim and none."

Would you rather have a scenario where Facebook could potentially read all your messages, silently use them for targeted advertising, maybe sell them to the highest bidder? I wonder what, say, Emerdata would give for that? And what they'd do with it?

Or, would you rather have a scenario where Facebook absolutely could not access your messaging, even if they -really- wanted to? That's what E2EE brings to the table.


 
Posted : 21/01/2022 12:18 pm
Posts: 78537
Full Member
 

If we use the example of roads: yes criminals use roads too and no-one suggests banning roads. But we do put restrictions on their use like you have to be licensed, there are speed limits, cameras, MOTs etc. Explain to me how this is different.

Do speed limits prevent terrorism? Does licensing stop criminals without licenses from driving? Remember that time we busted a paedophile ring at the local MOT centre?

I hear that criminals use the third lane of the motorway to try to outrun the police so

But are we really saying there’s literally nothing that can be done to mitigate the extraordinary opportunity this represents for criminals – we just shrug our shoulders and say ‘oh well’?

we should, what, close the third lane? Shrug our shoulders and say ‘oh well’? Something else?

You don't know, you're not a traffic officer (and aren't prepared to listen to one)?


 
Posted : 21/01/2022 12:26 pm
 grum
Posts: 4531
Free Member
 

You don’t know, you’re not a traffic officer (and aren’t prepared to listen to one)?

I'd listen to an expert in road safety at a strategic level. A traffic officer, not so much.


 
Posted : 21/01/2022 12:30 pm
Posts: 78537
Full Member
 

Is that the problem, you think every so-called "tech nerd" replying to you here sticks hard disks in PCs for a living?


 
Posted : 21/01/2022 12:38 pm
Posts: 4675
Full Member
 

This does go to show just how good "fear the paedos" is for tugging at the heartstrings.

Perhaps we could expand this, "by offshoring your profits in the Cayman Islands you're taking valuable resources away from the anti-paedo police".

I'm currently doing a CISSP course so I'm firmly on the E2EE "is a good thing" bench. 🤣


 
Posted : 21/01/2022 1:00 pm
Posts: 78537
Full Member
 

Yeah, that's on my to-do list. Where / how are you studying?


 
Posted : 21/01/2022 1:07 pm
Posts: 4675
Full Member
 

Doing all the training in a working week over teams, my head will soon explode!


 
Posted : 21/01/2022 1:31 pm
Posts: 18035
Full Member
 

Back in the old days when we would send letters to each other I wouldn't be keen on "the authorities" opening them.


 
Posted : 21/01/2022 1:44 pm
Posts: 78537
Full Member
 

Doing all the training in a working week over teams, my head will soon explode!

In a week? 😯 Messiah on a pogo stick.


 
Posted : 21/01/2022 2:03 pm
Posts: 78537
Full Member
 

Back in the old days when we would send letters to each other I wouldn’t be keen on “the authorities” opening them.

Yeah, I thought this also. The counter-argument is that they still physically could.


 
Posted : 21/01/2022 2:04 pm
Posts: 13349
Free Member
 

Do speed limits prevent terrorism?

Many a traffic stop has had an unintended big collar for the officer carrying it out.

EDIT

Yeah, I thought this also. The counter-argument is that they still physically could.

This would normally be under the supervision of Royal Mail and with a warrant/authorisation from a body outside the intercept. With computers and broken encryption there would be no oversight.


 
Posted : 21/01/2022 4:57 pm
 kilo
Posts: 6934
Free Member
 

This would normally be under the supervision of Royal Mail and with a warrant/authorisation from a body outside the intercept. With computers and broken encryption there would be no oversight.

If you’re intercepting communications, i.e. want the key to unscramble messages as they fly from sender to recipient, a warrant signed by SSHO would still be required.


 
Posted : 21/01/2022 6:23 pm