Goodbye, security
Posts: 46114
Full Member
 

Wonder if they could apply it to a minister's device then get someone to hack it.

Indeed. Let's pilot it on high value data and devices, just to prove we have nothing to fear and it's all perfectly safe and normal....


 
Posted : 21/09/2023 3:42 pm
Posts: 8022
Full Member
 

TBH though if the secret services aren’t asking for this sort of access, then they’re not doing their jobs properly.

Which doesn't mean they should be listened to. Vaguely remember reading about some former Tory minister saying they used to come and ask for x and then get politely ignored.
Plus for somewhere like GCHQ, whilst some of their people would like it, those who work on the defensive side would be sobbing quietly in the corner.

Somewhere in the middle is sensible legislation that keeps “most” people safe and their information private. I’m entirely un-surprised that we didn’t manage it.

I am not sure there is a sensible solution to it. Even if in theory it's only the provider who has the master key to unlock, then you need to hope they remain secure.
Plenty of examples of that failing eg recently the Azure account key loss.


 
Posted : 21/09/2023 5:25 pm
Posts: 78536
Full Member
Topic starter
 

Quite.

EternalBlue, anyone?


 
Posted : 21/09/2023 6:27 pm
Posts: 7513
Free Member
 

I'd be surprised if Apple (and similar) were prepared to make deliberately insecure versions of their software specifically for the UK market. I think the global harm would outweigh the local sales.


 
Posted : 21/09/2023 6:30 pm
Cougar reacted
Posts: 4209
Free Member
 

There's a lot more than security at risk from this Act. As I read it, any online web forum (such as STW and thousands of others) will be a "regulated user-to-user service" and the provider of that service will incur a huge raft of duties and legal responsibilities, to the point where I doubt anyone who isn't making a lot of money out of it will be prepared to take it on.

It doesn't all come into effect immediately, and the Regulations and OFCOM Codes of Practice don't exist yet, so it's hard to say exactly what effect it will have, but I can't see any way in which small volunteer-run forums can continue. They will just have to use a big platform like Facebook that has the resources to do it.

Anyone who wants to try reading the words for themselves, I think this is the most recent version (possibly without the final amendments):

https://bills.parliament.uk/publications/52368/documents/3841

Since it's waiting for but doesn't yet have Royal Assent it's still technically a Bill and isn't on legislation.uk so parliament.uk is the only place.

Our best hope is that we get a change of Government before the damage is done, but I can see the tabloid media ("Starmer wants to scrap online protection for kids!") making it an unlikely manifesto commitment.


 
Posted : 21/09/2023 7:19 pm
 pk13
Posts: 2734
Full Member
 

It's a woolly hat law full of holes tbh. I generally thought this had been kicked into the long grass. As international law is so difficult to police, never mind domestic law: bring your phone to the UK and let the government have a little snoop? I can see this getting enshrined then no one having a clue how far it affects people/business.

Admittedly it's more about data than phones but tbh most of the data we consume is over a phone


 
Posted : 21/09/2023 7:26 pm
Posts: 41874
Free Member
 

I have always thought it is amazing that you can be the minister in charge of the health service, but never worked in the NHS, or be Defence secretary and having never served in the military, instead you get “yes” people giving you the overview you want to hear, and have no practical experience yourself.

Who though?

Most people would agree that the Peter Principle holds true. You can't just promote people and expect them to be competent just because they're now managing people doing something they were good at. You wouldn't recruit doctors from the hospital gift shop, so why would you recruit a health secretary from the NHS IT department (or a nurse, cleaner, porter, receptionist)? The job requirements are politics and corporate management, not orthopaedic surgery and oncology.

The irony explosion when the right gives the left the very thing they’ve been asking for. 🙄

Who the F on the left asked for this?

Closest is the generally universal demand that could Boris please try a bit harder to remember his WhatsApp password.


 
Posted : 21/09/2023 8:26 pm
Posts: 3615
Full Member
 

Who the F on the left asked for this?

Loads of drips have been screaming about controls on the web. This place was up in arms when Flack died by suicide as a result of 'trolls'.

I can't be arsed to do the usual STW form of posting a bunch of links, but you could use this link.

The govt did what I'd expect any govt to do and overreach and **** it right up.

Some people so desperately want saving from themselves they forget who is in charge. A bunch of clueless midwits who'd **** up toast.


 
Posted : 21/09/2023 8:29 pm
Posts: 8948
Free Member
 

Errr, yeahhhh but why do GCHQ need access to everyone’s everything in order to make Facebook moderate bullying/hate speech?


 
Posted : 21/09/2023 8:41 pm
dissonance reacted
Posts: 3615
Full Member
 

Well obviously they don't but Govts do like overreach, I'm really surprised that you're all surprised. Has nobody been following this?

Big Brother Watch admit they have not achieved as much as they'd like in having the bill amended, Labour have promised to strengthen it. No mention of opposing this shite though.

Even Tory backbenchers think it's a crock of shite.


 
Posted : 21/09/2023 8:45 pm
Posts: 11605
Free Member
 

@relapsed_mandalorian usually I'm pretty much in agreement with stuff you say but you're off the mark here. Those people have nothing to do with left/right and are just the usual folk that have no idea how technology works, no inclination to learn and then get all upset when it blows up in their face because they're too lazy to do the basics (extending to actual parenting).

Basically like handing a pack of chimps a loaded SA80 each and being surprised when they don't master arms drill after the first one blows its face off. Those people are the chimps but without the excuse that they're chimps.


 
Posted : 21/09/2023 9:54 pm
FuzzyWuzzy reacted
Posts: 91169
Free Member
 

How does WhatsApp encryption actually work? Is it going to be possible to have three-way encryption?


 
Posted : 21/09/2023 10:59 pm
Posts: 8022
Full Member
 

It's end-to-end encrypted. The keys to encrypt/decrypt are generated and held on the device and so, in theory, WhatsApp etc. has no ability to read them (since it's their code, in practice they would be able to get hold of the keys, at least for future interaction).

The main alternative would be to generate them centrally and send them out to the individual devices as well as saving them in the background.


 
Posted : 21/09/2023 11:34 pm
Posts: 33983
Full Member
 

I wonder about signal et al? Would their server be blocked at IP level if they refused to comply?

Signal have already said they’ll leave the U.K. if they’re required to install back door access.

How does WhatsApp encryption actually work? Is it going to be possible to have three-way encryption?

As dissonance says; same with Apple’s Messages app, end-to-end encryption, and Apple have no access to anything contained in messages sent or received. If enforcement entities can get access to a device, then there’s Israeli software that can break a locked iPhone; the FBI/NSA have it, after threatening Apple with all sorts of repercussions if they didn’t help.
Apple, quite rightly, refused, because of what would happen if they didn’t, and the phones were accessed anyway by the software the NSA/FBI had paid for.

The Israeli security company responsible have also built Pegasus, (I think that’s its name) which is being used to hack phones belonging to people at risk from unfriendly countries, like Russia, Hungary, and lots of others who don’t like journalists digging into their nefarious practices.

Apple have already sent out a security update for iOS 17 to patch three zero-day exploits that have already been hacked - China might be behind those, they’re already banning government employees from owning iPhones. More as a reprisal against the American government banning Huawei from any infrastructure installations, but anything they can get hold of could be useful.


 
Posted : 22/09/2023 2:07 am
Posts: 91169
Free Member
 

The keys to encrypt/decrypt are generated and held on the device and so, in theory, whatsapp etc has no ability to read them

So it's private key encryption? The key is already on your phone or is it installed when you install WhatsApp?


 
Posted : 22/09/2023 9:06 am
Posts: 8762
Full Member
 

I gather that in the U.S. the authorities can ask for a confidential court order to access suspicious accounts and that Google, Apple, Microsoft, etc. are actually very cooperative as long as a court order is issued

This exists in the UK, social media/email service providers etc. have portals for authorised government agencies whereby they can get access to what's stored on the provider's systems (e.g. Bob's gmail mailbox). This is strictly controlled though and requires a warrant or court order etc.

What's being proposed in this Bill though is allowing authorised agencies to not only intercept communications data (as they can and do already) but to decrypt it as well. The problem is most encryption systems in use by social media companies etc. don't have back-doors and would become inherently much weaker if that sort of functionality were built in (an analogy would be encryption as it stands is an impenetrable wall without a door but they're now adding a high security door to it, still secure on the face of it but now has vulnerabilities such as unauthorised people getting hold of the door key or tailgating someone who is authorised who's used a key).

I just can't see either device manufacturers or app creators creating a backdoor into their encryption systems themselves, as I said I see it more likely it will be done within the app so that the data is extracted before it's encrypted (e.g. as you're typing in a message within the app) but it's then not clear where that information would be sent or stored. Presumably it would have to be back to the service/app provider, likely sent to them encrypted but stored in their systems in a way where it can be extracted and unencrypted on request (from a government agency). As long as time stamps are recorded it should be possible to link an intercepted (but encrypted) communication the agency has with the decrypted version of that message held by the service provider. This is all wild speculation though and may well not be technically possible...


 
Posted : 22/09/2023 9:23 am
Posts: 28593
Free Member
 

TBH Facebook, Apple, Whatsapp, Snapchat etc threatening to leave the UK market over this would be a wake up call to the increasingly small number of people who still think we have a vaguely competent government.

Persuading every app manufacturer capable of E2E encrypted communications to install a backdoor has to be impossible. Wouldn't they have to resort to a keylogger type thing at device level? And of course, those who really don't want their messages being read (ie the people you're trying to catch) will always look for a way to stay ahead, such as Sky ECC.


 
Posted : 22/09/2023 9:33 am
Posts: 35100
Full Member
 

How does WhatsApp encryption actually work

It doesn't matter, when quantum computing gets into its stride, they'll all be decrypted overnight anyway.


 
Posted : 22/09/2023 9:41 am
Posts: 2885
Full Member
 

What irks me most about this bill is the Big Brother Surveillance State nature of it.

This is coming from a party who love to bang on about free speech, saying what you want and if you take offence that's your problem.

They want to control and monitor everything we do and say and think and talk about.


 
Posted : 22/09/2023 9:47 am
Posts: 9149
Full Member
 

It doesn’t matter, when quantum computing gets into its stride, they’ll all be decrypted overnight anyway.

Well, apart from Signal at least. They have just updated their crypto to something that current (and future) quantum computers will have a hard time with.

This could go the way of the old "Export Cryptography" rules that the US put in place for ITAR/weapons exports, but given that normal, strong PKI is pretty much everywhere, that just meant you took off your default, weak crypto and installed a strong cert in its place. You'd have to make every manufacturer either use some sort of escrow system for keys so that they could three-way it, or force them to install a backdoored algorithm (like the Russian ciphers?) that _had_ to be used in the UK and could not be configured away.

This bullshit just highlights _AGAIN_ that politicians haven't got a clue. How in the hell you would go about forcing this on global companies and every device in the UK is beyond me. Operator settings may be able to set some configurations, but this may not impact the apps installed on a device. Even if they did, would their devices be exempt? Who else would be able to claim an exemption, footballers?

Just as a thing, this would weaken security for everyone in the UK. Backdoored crypto is a terrible idea (ask RSA) as the backdoor _will_ be exploited by foreign actors and then you have truly lost the keys to the kingdom.


 
Posted : 22/09/2023 9:55 am
Posts: 8022
Full Member
 

The key is already on your phone or is it installed when you install WhatsApp?

It's a version of the Signal protocol.
When you install WhatsApp it generates a public/private key pair.
Then every time you start a chat it uses that to securely create a symmetric key per chat (since using PKI all the time is expensive) which is also stored on the phone.
I think they use the full implementation so it actually generates a new key per message.
Not quite sure how the group chats work.

WhatsApp can certainly compromise it. They could also have it send the keys each time back to a central server for people of interest or simply bcc the messages to a central server using a separate key.
There is no way to defend once the phone itself has been compromised. Examples being Pegasus or law enforcement's compromise of the "ultra secure" Encrochat phones.


 
Posted : 22/09/2023 9:56 am
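As an added example (this is not code from any of the posts above, and not WhatsApp's or Signal's own code), here is a toy version of the per-chat chain ratchet that dissonance describes: a public/private key pair on each device is used once to agree a shared secret, and from then on a one-way chain derives a fresh symmetric key for every message. The example assumes that handshake has already happened and stands a constructed constant in for its output (a real client derives it from its own private key and the peer's public key, never from a string); HMAC-SHA256 in counter mode with an HMAC tag stands in for the AES-based message cipher so it runs on the Python standard library alone. It demonstrates the two properties the thread argues over: every message gets a distinct key, and an attacker who copies the current chain key off a compromised phone can read everything sent afterwards but cannot recover the keys for earlier messages.

```python
"""Toy per-message key ratchet (added example, not WhatsApp's or Signal's code)."""
import hashlib
import hmac

# Constructed stand-in for the X3DH/Diffie-Hellman output; an assumption for
# the demo, not how a real client obtains its shared secret.
SHARED_SECRET = hashlib.sha256(b"demo shared secret (assumed handshake output)").digest()
TAG_LEN = 32


def kdf(key, label):
    """One-way derivation step: HMAC-SHA256(key, label)."""
    return hmac.new(key, label, hashlib.sha256).digest()


class ChainRatchet:
    """Holds only the current chain key; message keys are derived, used, dropped."""

    def __init__(self, chain_key):
        self.chain_key = chain_key
        self.index = 0

    @classmethod
    def from_shared_secret(cls, secret):
        return cls(kdf(secret, b"chain-init"))

    def next_message_key(self):
        """Return (index, message_key) and advance the chain one step."""
        message_key = kdf(self.chain_key, b"message-key")
        self.chain_key = kdf(self.chain_key, b"advance-chain")  # cannot be reversed
        index, self.index = self.index, self.index + 1
        return index, message_key


def _keystream(enc_key, length):
    """PRF in counter mode; stands in for AES-CTR."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(kdf(enc_key, b"ctr" + counter.to_bytes(4, "big")))
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(message_key, plaintext):
    """Encrypt-then-MAC with separate keys split off the per-message key."""
    enc_key, mac_key = kdf(message_key, b"enc"), kdf(message_key, b"mac")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, len(plaintext))))
    return ciphertext + hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def decrypt(message_key, blob):
    ciphertext, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = kdf(message_key, b"enc"), kdf(message_key, b"mac")
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: ciphertext altered or wrong key")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, len(ciphertext))))


def is_authentic(message_key, blob):
    """True if the tag verifies under message_key, False otherwise."""
    try:
        decrypt(message_key, blob)
        return True
    except ValueError:
        return False


def run_demo(messages):
    """Send `messages` between two lockstep ratchets, then model an attacker who
    copies the sender's chain key after the last one (a compromised device)."""
    sender = ChainRatchet.from_shared_secret(SHARED_SECRET)
    receiver = ChainRatchet.from_shared_secret(SHARED_SECRET)
    past_keys, received = [], []
    for plaintext in messages:
        i, mk = sender.next_message_key()
        blob = encrypt(mk, plaintext)
        j, rk = receiver.next_message_key()  # receiver derives the same key
        assert i == j
        received.append(decrypt(rk, blob))
        past_keys.append(mk)

    stolen = ChainRatchet(sender.chain_key)  # attacker's copy of current state

    # The next message after the theft: attacker derives exactly the sender's key.
    _, mk_future = sender.next_message_key()
    future_blob = encrypt(mk_future, b"sent after the compromise")
    _, mk_attacker = stolen.next_message_key()
    attacker_reads = decrypt(mk_attacker, future_blob)

    # Earlier messages: nothing derivable from the stolen state is an old key.
    attacker_keys = [mk_attacker] + [stolen.next_message_key()[1] for _ in range(8)]
    can_read_past = any(k in past_keys for k in attacker_keys)

    return {
        "received": received,
        "distinct_keys": len(set(past_keys)),
        "attacker_reads_future": attacker_reads,
        "attacker_can_read_past": can_read_past,
    }
```

The point of deriving the message key and the next chain key from the same input with different labels is that neither can be turned back into the previous chain key, which is what gives the scheme its forward secrecy; it is also why "we'll just have the provider keep a copy of the key" means keeping a copy of every message key, or bcc'ing the plaintext, exactly as the post says.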
Posts: 35100
Full Member
 

Well, apart from Signal at least.

They hope...


 
Posted : 22/09/2023 9:59 am
Posts: 343
Full Member
 

Isn’t this whole thing pointless?  If I was a ‘bad person’ that wanted to communicate without the government reading my messages what’s to stop me doing this outside of communication apps?

I’m no expert but surely all I’d need is a stand-alone encryption tool at each end (Signal’s open source, isn’t it? so getting at suitable code should be possible), then I can create public and private keys, share the public key, encrypt a message with my friend’s public key and attach it to an email. There’s probably better ways to do this but my point is that anyone that really wants secure comms will be able to work around this law.

Encryption is ‘just’ maths, the government may as well try and ban calculus, or French.


 
Posted : 22/09/2023 10:21 am
Posts: 8022
Full Member
 

There’s probably better ways to do this but my point is that anyone that really wants secure comms will be able to work around this law.

Yes however the counter argument (in my opinion rather weak) is it makes it harder if you force people into meeting up for key parties etc and so makes it harder to scale.
The alternative is the criminals go for "secure" networks but they have the disadvantage of now concentrating criminals in one place. Aside from Encrochat there are several other cases where these have been compromised by one or other countries security agencies who then invited other countries cops to the party. In one case the FBI/Australian cops cut out the hassle of compromising the system and just created their own company Anom.


 
Posted : 22/09/2023 10:35 am
Posts: 4067
Full Member
 

I tend to agree with whoever said this won't stand up to the harsh glare of reality.

Based on my reading, VPN solves this.

So, the VPN service providers will have a good christmas party...

Unless the Gov decides to restrict VPNs...

When you consider what uses E2EE/VPNs, mobile banking, internet shopping, business/remote working VPNs...ugghhhh.

All from a Gov that stated it wanted the UK to be a high tech hub of industry.


 
Posted : 22/09/2023 10:42 am
Posts: 8762
Full Member
 

It doesn’t matter, when quantum computing gets into it’s stride, they’ll all be decrypted overnight any way.

This isn't really correct, at least for government secure stuff, 'quantum-safe' cryptographic algorithms have been mandated for a while now. I would assume encrypted app providers would either already be using them or would switch to them at a time quantum computing became a real threat.

Based on my reading, VPN solves this.

It really doesn't if the messages are intercepted before encryption and transmission, which is what the 'magical technology' being suggested by the government is alluding to.


 
Posted : 22/09/2023 10:59 am
Posts: 4067
Full Member
 

It really doesn’t if the messages are intercepted before encryption and transmission, which is what the ‘magical technology’ being suggested by the government is alluding to.

If this Magical tech is being provided by the same company that provides the magical tech that would solve the Brexit/Northern Ireland issue, we are probably safe for a quite a while...


 
Posted : 22/09/2023 11:41 am
 Kuco
Posts: 7217
Full Member
 

As zilog6128 has posted, my understanding with Apple is it only affects iMessage. And Apple has threatened to withdraw that service. There is also a message service the UK security services use, including the MOD, which will be affected, whose name I can’t remember, that has also threatened to withdraw from the UK if it passed.


 
Posted : 22/09/2023 12:00 pm
Posts: 484
Full Member
 

I am not IT literate at all.

I've read most replies on this thread, and almost all doesn't make sense. I can just about use Word and Excel and IT never interested me.

I also have some young kids growing up and about to join a world of horrible social media, pron, abuse etc.

What is this legislation aimed at? Was it originally to prevent kids seeing/accessing stuff they shouldn't? Wasn't it our credit card details in to get onto a pron site? Has it crept in scope to a much larger, more wide-ranging issue?

Sorry i am a luddite! But interested 😉


 
Posted : 22/09/2023 12:03 pm
Posts: 28593
Free Member
 

What is this legislation aimed at? Was it originally to prevent kids seeing/accessing stuff they shouldnt? Wasnt it out credit card details in to get onto a pron site? Has it creeped in scope to a much larger more wide ranging issue?

Pretty much. So either the security services saw the opportunity to sidle up for a landgrab as the legislation was under development, or some tech bod said 'we can't achieve your aims unless we do this much wider thing', and Suella said, fine, I can't be seen to drop my proposed legislation, so we'll just do it that way.


 
Posted : 22/09/2023 12:13 pm
Posts: 1240
Full Member
 

There's a few things going on in the bill.  @ravingdave from your perspective there will hopefully be some welcome changes. At least that is my view.

Most people have agreed for some time now that young kids should not be able to stumble across porn and other inappropriate content online. Yet despite this being VERY easy to solve nothing has been legislated for so only a few companies (OnlyFans is actually one of the responsible ones) have actually done anything.

Will it stop 15/16/17 year olds getting access to porn. No. They will find ways round it. Just like those of us in our 40s did when we wanted a porn mag.

Will it stop primary school aged kids seeing porn. It will make it a lot harder. That's got to be worth it. Speaking as a parent of a 7 and 4 year old.

Will someone be able to read my whatsapp messages? Maybe?  And then try and sell me a new shed. Perhaps.  It won't be legal but might happen.

Will we be able to reduce amount of abhorrent content shared online (even by a tiny fraction)? Yes.  Again, if the risks are someone knows a bit more about my mundane life and it reduces this shit then I'm game.

Sorry if I'm bucking the trend here and coming off all Tory.  I'm not, I'm a raging lefty. But I'm also a parent. And that's my priority right now.


 
Posted : 22/09/2023 12:49 pm
Posts: 91169
Free Member
 

Isn’t this whole thing pointless?

I'm reasonably confident I could write an app now that used private key encryption and install it on my Android phone. Then I could send you the app and the private key and you could do the same. No one would ever know.

I'm also reasonably confident I could do the same thing with PKI and create a criminal network based on my own shady certificate authority and anyone could use it.


 
Posted : 22/09/2023 1:01 pm
Posts: 7513
Free Member
 

if you’re not bothered by it why don’t you post your gmail username and password so we can have a poke around in all the emails you’ve sent over the past decade.


 
Posted : 22/09/2023 1:02 pm
Posts: 8022
Full Member
 

I’m also reasonably confident I could do the same thing with PKI and create a criminal network based on my own shady certificate authority and anyone could use it.

Which then makes you very interesting to governmental organisations across the world.
So unless you are really, really good and really, really lucky then chances are one country's law enforcement agency would find their way in and then invite everyone else to the party.


 
Posted : 22/09/2023 1:24 pm
Posts: 8022
Full Member
 

Will it stop primary school aged kids seeing porn. It will make it a lot harder.

How? VPN, job done. Unless you are wanting to block VPNs, in which case that's work from home amongst other things knackered.
The only way to prevent those kids seeing stuff is for their parents to properly supervise them.

Will someone be able to read my whatsapp messages? Maybe? And then try and sell me a new shed.

Or pretend to be your kid to extort some money etc etc.

Will we be able to reduce amount of abhorrent content shared online (even by a tiny fraction)? Yes.

Evidence required.


 
Posted : 22/09/2023 1:27 pm
Cougar reacted
Posts: 848
Free Member
 

The Israeli security company responsible have also built Pegasus, (I think that’s its name) which is being used to hack phones belonging to people at risk from unfriendly countries, like Russia, Hungary, and lots of others who don’t like journalists digging into their nefarious practices.

Sounds like someone else has listened to the most recent Darknet Diaries podcast 🙂


 
Posted : 22/09/2023 1:32 pm
Posts: 1240
Full Member
 

not sure I know many primary school kids using VPNs...

people can already use deepfakes to extort money off me by pretending to be my kid. This bill won't impact that.

Doing something will of course reduce content. It won't stop it, anyone who thinks anything can entirely stop it is an idiot.  but doing nothing is not an option.

Whenever people slag off these kind of bills they rarely come up with an alternative. So I can only assume that means we all think nothing needs to be done. Maybe, but personally I'd rather do something. Bit like putting the recycling out and cutting down on meat...


 
Posted : 22/09/2023 2:13 pm
Posts: 3422
Free Member
 

The issue is that the "something" they've done does nothing to prevent nefarious users doing nefarious things, but if it is enforced it will make it easier/more likely for those things to happen to you or me. So sort of the exact opposite of your post.


 
Posted : 22/09/2023 2:21 pm
dissonance reacted
Posts: 91169
Free Member
 

So unless you are really, really good and really, really lucky then chances are one country's law enforcement agency would find their way in and then invite everyone else to the party.

How would they know?

If I give the app to people directly, and don't put it on Google Play, how would anyone know?


 
Posted : 22/09/2023 2:52 pm
Posts: 11605
Free Member
 

Yet despite this being VERY easy to solve

Could you please put your SA80 down and step away whilst someone makes the area safe?


 
Posted : 22/09/2023 3:53 pm
Posts: 1997
Full Member
 

Sorry if I’m bucking the trend here and coming off all Tory. I’m not, I’m a raging lefty. But I’m also a parent. And that’s my priority right now.

Do you understand the unintended consequences of this stupid bill? If not, I suggest you do some learning now. The potential negative impacts are many orders of magnitude more serious than your kids getting exposed to pornography a couple of years earlier than they should!

This is populist posturing and an attempt at over-reach by a lame government but has potential serious impacts on many other aspects of life such as security of your bank accounts and identity, plus how UK businesses can (or cannot) do business outside the UK or how foreign businesses may choose not to do business in the UK...

(BTW: I was "exposed to pornography" when I was 12 or 13 when I found a stash of porn mags. It didn't turn me into a rapist you'll be pleased to know so, you personally may have your reasons for wanting the government to "to something" but in the grand scheme of things, that's a trivial use case. Sorry for the reality check 😉)


 
Posted : 22/09/2023 5:57 pm
silvine and Cougar reacted
Posts: 91169
Free Member
 

I was “exposed to pornography” when I was 12 or 13 when I found a stash of porn mags.

Firstly, that's not how it works; secondly there's porn and there's porn...


 
Posted : 22/09/2023 6:13 pm
silvine and Cougar reacted
Posts: 484
Full Member
 

Agreed, trivialising the issues young girls and boys are getting from seeing some of the sick porn that is available, the disturbing content from some 'contributors' and the horrendous mental health impact that has, to finding a mag in a hedge in the 80s is rather distasteful.

The potential issues you highlight are a potential major issue for the UK, but so is the 1st issue i raised above


 
Posted : 22/09/2023 8:09 pm
Posts: 1997
Full Member
 

"Parenting is easy..." said no one ever, but it's the parents' responsibility to either (a) prevent their kids being exposed to pornography/evil/whatever (using whatever means available) or (b) deal with the consequences.

It's a core part of parenting and it might make you the unpopular parent with your kid or their friends if/when you put limits on what they can do.

But this bill is throwing the "baby out with the bath water" level of over-reaction and I personally have a problem with parents who expect the state to step in and fix the problem because they abdicate their responsibility for their own kids or complain because it's "too hard", whilst deliberately compromising MY security and/or potentially putting my livelihood at risk.


 
Posted : 22/09/2023 8:28 pm
Posts: 11605
Free Member
 

Firstly, that’s not how it works; secondly there’s porn and there’s porn…

Fullheartedly agree with your second point, not so sure about your first unless you're talking about the rabbit hole in the hedge?

Anyway I agree with his general point which is that this legislation is utterly brain dead and will wreak havoc when someone breaks open the back door.

And they will.


 
Posted : 22/09/2023 8:41 pm
Page 2 / 3