Whilst the country is being distracted by the foppish sex pest turned bastard lovechild of Neil Oliver and Wim Hof, the "Online Safety Bill" has quietly been passed in Parliament.
Further reading:
The whole world is basically now governed/run by people who have literally no idea how anything to do with computers/IT/Internet etc actually works. And it's these idiots who are making decisions about everything to do with computers/IT/Internet etc
Is it even enforceable/enactable?
Where does that leave things like Telegram and Mastodon?
Ffs.
Honest to ****, what the hell has this country become?
I thought tinfoil hats were one size fits all? What's the problem? 😉
Gonna be interesting to see how this plays out. Whilst I can't see someone like Apple giving up on the UK market and they'll probably cave in and provide a back-door entry to their encryption, I can't see all VPN providers doing the same.
So, what's to stop anyone in the UK just installing a VPN from a company which doesn't have a legal, physical or business presence in the UK?
Because the traffic still goes via your ISP and if they are allowed to decrypt and inspect it the VPN won’t make any difference.
I would be astonished if Apple of all companies would capitulate.
"You can't sell phones here unless you give us a bypass to your security."
"OK. Bye!"
Give it two years, the dominant player will be the iPhony. Bonus, backdoors both for the UK government and the Chinese one. What could possibly go wrong.
what’s to stop anyone in the UK just installing a VPN
Nothing at all as far as I can fathom.
Whilst I can’t see someone like Apple giving up on the UK market and they’ll probably cave in and provide a back-door entry to their encryption, I can’t see all VPN providers doing the same.
They refused to do it for the US security services. It needs enough of our security IT professionals to keep telling the ****wits who came up with this harebrained scheme that it will be barely hours before government ministers have all their financial details splattered all over the dark web, along with all the juicy salacious little secrets they’d rather the grubby end of the media didn’t have.
And it will happen, the law of unintended consequences dictates it.
Wonder if they could apply it to a minister's device then get someone to hack it.
Because the traffic still goes via your ISP and if they are allowed to decrypt and inspect it the VPN won’t make any difference.
Surely that would be the whole point in using a VPN. They wouldn't be able to decrypt it as traffic is obscured within the tunnel that they won't have the key for.
Surely that would be the whole point in using a VPN. They wouldn’t be able to decrypt it as traffic is obscured within the tunnel that they won’t have the key for.
As long as they don’t have the key…..
You would have to configure a VPN proxy or something on your router at home so all your devices used it and then something else on your phone for when you’re out and about I guess…
I would be astonished if Apple of all companies would capitulate.
What, famously principled Apple?
If there's money to be made they'll cave...
A VPN wouldn't help with what's being proposed for phone surveillance, it's not about an encryption backdoor either - it's software on the phone that scans/intercepts data before it's encrypted and can extract that data and send on (presumably initially to the app provider, it's not clear if then a warrant is required by the police etc. to obtain that data (I would have thought so, that's a requirement now in order to access someone's gmail etc. stored in the cloud))
So I wouldn't have thought it needs the phone maker to enable this as the functionality could be embedded within the app (if it's being done by a separate app the phone OS would need to allow it (at least on iOS), or that security control to be circumvented which I guess is how Pegasus works). Within the app is one thing, at least then you know Meta is only scanning/extracting stuff you create within the Facebook app, I'd be concerned if it was outside the app as who's then policing social media companies aren't gathering data from other apps (call me naive but I actually marginally trust UK government agencies more than I trust social media companies...).
The main problem I see with the Bill is how (deliberately) vaguely written it is, it should never have been passed in its current state and it's no surprise people aren't taking the government at its word about how the powers it grants will be used.
it’s software on the phone that scans/intercepts data before it’s encrypted and can extract that data and send on (presumably initially to the app provider
Eh? So what happens if this mysterious software isn't installed on the phone. Like if someone bought the phone abroad? Or is it somehow going to magically install itself when connecting to any "UK network"?
Is there an idiot's guide about how this is gonna be implemented?
Right so - not commenting on the morality of this, but just from the philosophical aspect: What's the difference between the police being able to read your messages and being able to break into your house and confiscate your computer or anything else to go through it? Which they can already do.
I would be astonished if Apple of all companies would capitulate.
“You can’t sell phones here unless you give us a bypass to your security.”
“OK. Bye!”
bUt THeY neeD US mOrE tHAN We nEEd THeM...
Right so – not commenting on the morality of this, but just from the philosophical aspect:
The primary problem is from a security aspect.
Once it's been backdoored you have to hope no one else gets their hands on it and runs it willy nilly.
Although for your comparison another problem is this sort of surveillance can be done at scale and without being obvious. So again more liable to misuse than having to send a team of cops to kick down the door.
What, famously principled Apple?
If there’s money to be made they’ll cave…
I don't think they'd have to cave. Want to get more younger people engaged in politics? Apple saying you can't get a new iPhone because of your government should do it.
What’s the difference between the police being able to read your messages
It's not the police (or any other "lawful authority") I'm concerned about. It's the unintended consequence of deliberately introducing a potential vulnerability I'm bothered about. I prefer the peace of mind that my banking app is secure and isn't about to be emptied by some criminal gang (or criminal state). And I'm sure my boss is equally concerned that any apps I use for work aren't similarly compromised...
(The company I work for WAS hacked about 18 months ago. Boy, that was not fun times I can tell you)
Glad to see there hasn't been any of the "Well if you've got nothing to hide you've got nothing to worry about" insufferable imbeciles popping up in this thread yet.
Worrying times indeed. Particularly worrying for sensitive information used in government agencies or security sectors, most will have to develop fully airgapped networks to ensure they adhere to compliance standards, same with SaaS companies that have high stakes competition. I mean really it's entirely unmanageable, certain VPN encryption methods if it's all monitored by ISP would be safe to use but not older IPSEC types, if it's software based then I'm sure in Linux/Android devices you'd be able to disable it with some tinkering. If it's hardware based it means all new devices will pass the cost onto the consumer and will be a nightmare to deal with.
What’s the difference between the police being able to read your messages and being able to break into your house and confiscate your computer or anything else to go through it?
Because the conclusion is that we now should just leave our front door unlocked rather than them having to break in.
It’s the unintended consequence of deliberately introducing a potential vulnerability I’m bothered about.
Any install on a handset that sits there ahead of encryption is a massive potential problem, the government's track record on competently delivering IT projects is not reassuring. The backdoors will have backdoors aplenty.
As you say, no sane banking group will allow its app security to be universally defeated this way.
You wonder what the response will be from foreign governments or corporations brimming with sensitive information, who will be confronted by every single one of our citizens carrying these devices into their countries and headquarters.
Honestly; if the 'tech-bros' had paid a "bit" of attention to even trying to pretend to pay lip service to people saying that the on-line environment is particularly hazardous to children and vulnerable adults in their mad dash for everyone's money; we wouldn't be facing this sort of legislation now.
Their choices were "do something" or "have something done to you by ****ing idiots who don't know shit"
I guess counting their money was more fun/distracting
A more cynical soul might think that 'online safety' is simply the fig-leaf which the government has hung over measures which can potentially deliver carte blanche access to our devices, after an opportunistic request from the security services to a weak government, and an even weaker Home Secretary.
TBH though if the secret services aren't asking for this sort of access, then they're not doing their jobs properly. Somewhere in the middle is sensible legislation that keeps "most" people safe and their information private. I'm entirely un-surprised that we didn't manage it.
The whole world is basically now governed/run by people who have literally no idea how anything to do with computers/IT/Internet etc actually works. And it’s these idiots who are making decisions about everything to do with computers/IT/Internet etc
I have always thought it is amazing that you can be the minister in charge of the health service, but never worked in the NHS, or be Defence secretary and having never served in the military, instead you get "yes" people giving you the overview you want to hear, and have no practical experience yourself.
I suspect that this is a policy that will not survive meeting reality. I hope so. Implementing and enforcing it is going to be impossible
TBH though if the secret services aren’t asking for this sort of access, then they’re not doing their jobs properly.
Oh, I'm sure they ask for this kind of thing frequently, but it's the job of competent government to strike a balance between their needs and wants, our freedoms, and the economic reality of the market with which they're seeking to interfere.
Because the conclusion is that we now should just ~~leave our front door unlocked~~ give them a skeleton key rather than them having to break in
A skeleton key whose existence shows an exploitable flaw in the locking mechanism that any motivated person can then aim to emulate.
@martinhutch completely agree, which makes this whole mess even more dead on arrival. It's clearly un-workable, and as @tjagain suggests won't survive contact with reality.
Also; coming down the line for the same people who brought you this hot-mess is devising legislation about GAI, LLM, and artificial biology
I'm going to predict it won't be a success.
Yeah, I'm not sure how you would even start enforcing this with multiple handset manufacturers serving the UK market. I imagine they'd subcontract out the software itself to the Israelis, they have a knack for this kind of thing, and they'd probably leave themselves some additional backdoors as well so they could provide access to other clients. It will make us a global pariah in terms of information technology, and anyone carrying a UK handset across a border would be viewed with suspicion.
TBH though if the secret services aren’t asking for this sort of access, then they’re not doing their jobs properly.
I gather that in the U.S. the authorities can ask for a confidential court order to access suspicious accounts and that Google, Apple, Microsoft, etc. are actually very cooperative as long as a court order is issued.
On top of that, non-U.S. citizens don't have the constitutional protections that U.S. citizens have. Despite all the boasts to the contrary, iPhones aren't perfectly secure, neither are Android phones, MacBooks, Windows PCs, etc. For high-value targets, the U.S. authorities will use zero-day exploits to hack devices. If they can get their hands on the device for a few minutes, it's compromised and the owner won't suspect a thing. Even brand new devices still in their box may have been intercepted mid-delivery and hacked, then replaced in new packaging.
It's the difference between going the extra mile to target a specific individual, and obtaining the authority of the court to do so, or employing specific espionage methods, again against individuals or groups.
This potentially casts a net over the online input/output of pretty much every citizen on demand. The temptation to employ behavioural and keyword algorithms widely would be irresistible.
but it’s the job of competent government
They haven't demonstrated any kind of competency (other than money laundering) for a few years
Even brand new devices still in their box may have been intercepted mid-delivery and hacked, then replaced in new packaging.
I seem to remember this happening with chip and pin machines when they were a new thing.
I gather that in the U.S. the authorities can ask for a confidential court order to access suspicious accounts and that Google, Apple, Microsoft, etc. are actually very cooperative as long as a court order is issued.
No. This is actually the entire point of the debate...
As it currently stands, even Apple cannot get access to your iPhone/iMessages on behalf of law enforcement/governments even if they wanted to (which they don't) because it is encrypted and there is no backdoor (and they are refusing to implement one).
https://en.wikipedia.org/wiki/Apple%E2%80%93FBI_encryption_dispute
Actually there's quite a lot of misunderstanding on this thread - no-one is talking about device-level backdoors so there's no danger of the security of an entire phone being compromised. The bill would put the onus on the messaging providers (WhatsApp, Apple iMessage, etc) so if they didn't want to comply they would simply withdraw their service in the UK.
But the clause is extremely vague at the moment, and could amount to nothing - but this is actually a huge problem in itself for us in the UK in that a law seems to have been passed but it has not yet been decided what it actually is!!
The government has 'experts*' who say this is feasible. Show your working then and name them. After all if they have nothing to hide, they have nothing to fear.
(*I suspect that these are all drips under pressure and nothing more)
The irony explosion when the right gives the left the very thing they've been asking for. 🙄
Couple of good podcasts with a knowledgeable lass from Big Brother Watch knocking about in this bill.
"Get back in there and do stuff to do with computers!"
I wonder about Signal et al? Would their server be blocked at IP level if they refused to comply?
I suspect that this is a policy that will not survive meeting reality.
The basic MO of our government has been to say they'll do something and expect that enough people will take that to mean that it happened
The government has ‘experts*’ who say this is feasible. Show your working then and name them. After all if they have nothing to hide, they have nothing to fear.
Our government leaks like a sieve - there's no need to publish anything anymore. Just leave it to whoever has got eyes on your job to reveal any meaningful information in an attempt to rubbish you 🙂 That's how we find out what's in all the briefings our ministers receive and ignore.
The basic MO of our government has been to say they’ll do something

A more cynical soul might think that ‘online safety’ is simply the fig-leaf which the government has hung over measures which can potentially deliver carte blanche access to our devices
I really don't think you need to be cynical about the current govt to think this. Cynical might be wondering how much of Brexit was about the ability to do things like this. Actually, no, that's not cynical either.