Help me on this…

BBC News – Facebook Messenger: The battle over end-to-end encryption

Why has the battle over end-to-end encryption been reduced to a battle against paedophiles?

Surely the simple answer to the “child safety” concerns is don’t give your kids un-restricted access to social media? Do parents not spot check what their kids are up to on social media?

(I don’t have kids. Only a dog. And he needs me to unlock his phone 😂)

(For the record, before the arrival of the “why do you need end to end encryption if you’ve got nothing to hide” brigade, I personally have nothing to hide but my employer and my employers clients take data security VERY seriously. I hope your employer is also serious about my data security if you happen to handle it!)

Surely the simple answer to the “child safety” concerns is don’t give your kids un-restricted access to social media?

That’s that one solved then. The police will be relieved.

Why has the battle over end-to-end encryption been reduced to a battle against paedophiles?

Because the battle over end-to-end encryption being reduced to a battle against terrorists didn’t work so they needed a new excuse.

The long-form answer to this question is not something I’m going embark on at half past midnight. I’ll pick it up tomorrow. Don’t believe the lies, encryption isn’t bad, it is critical to the operation of the modern world.

TL;DR – it’s a PR stunt being run at the taxpayer’s expense. Can’t imagine why they might need a diversion right now.

And, in other news, attendees at the Winter Olympics (well, US attendees at least) are being recommended to use burner phones whilst in China. Presumably, this wouldn’t be needed if end-to-end encryption was more widely available…

Because the battle over end-to-end encryption being reduced to a battle against terrorists didn’t work so they needed a new excuse.

Certainly feels that way.

I dont want to sound like the conspiracy theorist, but many of these new laws seem to promote that ideal.

Throwing a “dead cat on the table” – surprisingly hurling out something controversial and attention grabbing – has long been a government tactic when they want to divert public attention away from something embarrassing or corrupt. Not that anything like that has happened lately of course.

That’s not conspiracy theories, that’s just 21st Century politics.

Surely the simple answer to the “child safety” concerns is don’t give your kids un-restricted access to social media? Do parents not spot check what their kids are up to on social media?

You obviously don’t have kids. They are born with The Devil in them. It’s a never ending battle to lead them on the path towards The Light. They learn shit from their friends really fast too.

I just enjoy watching the government squirm when in one instance they throw the terrorist/paedophile excuses around and then say “but China/Iran/Russia/North Korea….” and no one has a solution to hacking.

Is it any wonder that individual citizens want to prevent bad actors accessing their data and that tech companies are interested in supplying a solution to their users.

I’m not an Apple fan boi but I do admire their stance on privacy.

Whilst I’m in favour of citizens having access to end-to-end encrypted communication there’s definitely some downsides (mostly criminality related) but yeah trying to justify having backdoors or banning it by putting out stories about it enabling paedophilia etc. isn’t a good approach

Link seems to be broken, but I can guess the content.

Another classic example of policy makers not understanding what they are talking about.

Linky: https://www.bbc.co.uk/news/technology-60055270

I’m not an Apple fan boi but I do admire their stance on privacy.

Well….. mostly!
https://www.bbc.co.uk/news/technology-60004257

Encryption like espionage is only unfair when the other guy is using it.

sharkbait
Free Member

I’m not an Apple fan boi but I do admire their stance on privacy.
Well….. mostly!
https://www.bbc.co.uk/news/technology-60004257

“Other trackers are available” (and they don’t tell you when someone has left one about your person.

Another classic example of policy makers not understanding what they are talking about.

… is about the size of it.

I said I’d come back to this but really it’s hard to know where to start. So in no particular order:

1) Make no mistake, this is a PR exercise. I mean, there is a literal advertising campaign behind it. Who doesn’t want to make children safer, right? What are you, some sort of prince?

2) Related to 1) there is an element of deadcatism as I said last night. Cos there’s nothing else of interest going on right now that we should be paying attention to, is there.

3) Our government has previous form with Big Data mining. The Investigatory Powers Act, Cambridge Analytica, now they want to be able to read your messages? this alone should give you the fear.

One of the things that sounds tinfoil-hat conspiracy-theory levels of crazy but came out in the Snowdon / Wikileaks is that neither the UK nor the US is allowed to perform mass surveillance on its populations. Solution, we tapped each other’s backbones and then exchanged the data. Today, secure encryption has mostly kyboshed that.

4) Weakening encryption is a really really retarded idea. “Let’s make everyone safer by reducing security!” said no-one with even the most basic grasp of security concepts, ever. I spend half my life telling people that they need to disable known-compromised protocols.

FW argued “there are some downsides” – there aren’t. There simply aren’t. You’re putting regular users at greater risk but the criminals will simply circumvent it. Reckon terrorists and nonces are going to use communications media that they know their governments are listening to?

5) Who do you trust to keep the keys to a known vulnerable system safe? The NSA tried this, the result was devastation on a large scale. Remember when like a third of the NHS went dark? Are we learning yet?

6) How can you possibly implement it? Encryption is known technology, the genie is long out of the bottle. Our junior analysts know how public key infrastructure works. I’m neither a crypto specialist nor a programmer but I could likely spin up a rudimentary encrypt/decrypt system in an afternoon. You cannot uninvent technology which is already in the public domain, it’d be like trying to ban French.

7) As I touched on above, this is all likely to be trivially circumvented. Three clicks of a mouse button and as far as anyone watching me can tell, I’m in Tel Aviv. Now what, we ban VPNs? That’s everyone working from home scuppered. Ban TLS? Sure, online shopping and banking is totally going to be safe over regular http.

8) Probably less of a direct issue for end users but there is a MASSIVE issue around compliance as soon as we start dicking about with encryption protocols. One example, there’s a thing called PCI-DSS, it’s a security standard you have to adhere to if you’re handling credit / debit cards. A PCI failure means you cannot take card payments. We run scans for our PCI customers on a regular basis and vulnerable security protocols would fail PCI. Our customers could no longer then legally accept card payments. Result: we lose customers. Result if this is country-wide: businesses move their operations out of the UK. Well at least that’s not happened before in recent history, hey?

9) For context, as a friend of mine posited: “We’re not the first country to [propose / do] this, but we’re not in great company. North Korea; Russia; China; Khazakstan; Iran; Columbia; etc etc etc”

I could go on but you get the idea I hope. It’s a publicity stunt, it’ll almost certainly never happen and it would be an act of gross self-harm if it did. Eh, good job we don’t have any previous form there, either…

FW argued “there are some downsides” – there aren’t. There simply aren’t. You’re putting regular users at greater risk but the criminals will simply circumvent it. Reckon terrorists and nonces are going to use communications media that they know their governments are listening to?

It’s not that simple though. Yes the bigger OCGs and some terrorists with a lot of money behind them will be using networks like EncroChat but the vast majority of comms related to criminality will be on stuff like Whatsapp

Everything Cougar said, and would add:

“I have nothing to hide, but have nothing I wish to show you”.

You obviously don’t have kids. They are born with The Devil in them

One of my neighbours refers to his youngest son quite openly as ‘The Devil’s child’ normally after apologising for whatever unaceptable behaviour has just occured.

You cannot uninvent technology which is already in the public domain, it’d be like trying to ban French.

This is such a big one it can’t be understated, you can’t undiscover the maths, that is decades old, can been implemented thousands of times. The bad guys will not be “disarmed”.

Everything Cougar said, and would add:

“I have nothing to hide, but have nothing I wish to show you”.

Adds name to the list.., checks telescreen.

It’s not that simple though. Yes the bigger OCGs and some terrorists with a lot of money behind them will be using networks like EncroChat but the vast majority of comms related to criminality will be on stuff like Whatsapp

Will it? “Yo bro, jump to Telegram”

Broadly I can see two scenarios here.

First, it’s used to target people ‘known’ to the powers that be. These are likely the big players who as you say are going to use something other than whatever we’re watching.

Second, mass spying on a grand scale. You’ll probably catch some low-hanging fruit. Whoopee.

In any case, that’s not what this is about. We had the ‘terrorism’ discussion the last time this came around. From the BBC link:

According to the US National Center for Missing and Exploited Children (NCMEC), 21.7 million reports were made in the US in 2020 about child sexual-abuse material being exchanged on social media.

The campaigners say 14 million of these reports could be lost every year if end-to-end encryption is rolled out more widely.

So they claim 65% of all reported cases were as a result of intercepting unencrypted messages from nonces?

Bull.

Shit.

“I have nothing to hide, but have nothing I wish to show you”.

That’s a nice way of putting it.

This argument crops up regularly in these sort of discussions, and it falls down at the slightest whiff of scrutiny. If anyone believes they have nothing to hide, let me know and I’ll pop round and install a publicly-streaming webcam in your shower room.

One of my neighbours refers to his youngest son quite openly as ‘The Devil’s child’

So is it him or his wife who is the Devil?

you can’t undiscover the maths, that is decades old, can been implemented thousands of times.

As an aside, if anyone is even remotely interested in this stuff, I can thoroughly recommend Cory Doctorow’s “Little Brother” book. It’s “young adult” level of writing and as well as being a great, thought-provoking story it goes into a lot of privacy concerns and cryptology tech in a really, really easy to digest way. IMHO it should be essential reading for everyone before they’re let loose on the Internet.

It’s available in the usual dead tree variants or can be downloaded for free in a hundred different formats from his website.

Saw a tiktok on this (I know) on this the other day. Guy was making an argument that not enforcing e2e on messenger was actual more likely to promote harm to children. I forget his reasoning now…

It’s basically BS anyway – all of the governments recent indiscretions were flagged via e2e comms anyway, they just don’t want us to use what they use…

Why has the battle over end-to-end encryption been reduced to a battle against paedophiles?

Because by calling on the four horsemen of the infopocalypse, no one can possibly disagree with your argument (/sarcasm). Everyone hates pedos, terrorists, organised criminals and drug dealers, so saying that your new approach will prevent these bad people from doing bad (possibly true, but probably not) is a good way to hide the fact that it will also affect everyone else negatively (almost certainly true).

Recent news of a pakistani sentenced to death for sharing an image over WhatsApp provide a grim but revealing indication of how this ban on encryption will be used by some. (for those who can’t be bothered to click – the woman shared an image of the prophet).

9) For context, as a friend of mine posited: “We’re not the first country to [propose / do] this, but we’re not in great company. North Korea; Russia; China; Khazakstan; Iran; Columbia; etc etc etc”

Plus, for context, the US, Canada, Australia, New Zealand and the EU, so the debate is not going to go away, particularly now that the primary justification has moved on from terrorism to assuming everyone’s a paedophile (“won’t somebody think of the children”). I suspect the encryption backdoor approach will die as most people now realise how important encryption is, but in its place end-device scanning seems to be gaining traction, such as Apple’s now delayed CSAM scanning implementation that seemingly came out of nowhere.

You obviously don’t have kids. They are born with The Devil in them

I don’t think anyone’s doubting that kids are awful, but I don’t think it’s end to end encryption that makes them like that!

Plus, for context, the US, Canada, Australia, New Zealand and the EU,

In honesty, I probably broke that statement. I added “propose” because we haven’t done it yet and that was a mistake. What I meant was: “We wouldn’t be the first country to do this”.

First, it’s used to target people ‘known’ to the powers that be. These are likely the big players who as you say are going to use something other than whatever we’re watching.

Second, mass spying on a grand scale. You’ll probably catch some low-hanging fruit. Whoopee

Again – that’s over-simplifying things. There is a HUGE part in the middle where investigations are mapping out everyone in OCGs or trying to identify victims etc. Communications that assist with this are more frequently being done these days over end-to-end encryption using widely available apps and it makes this vital part of an investigation much more challenging. Whilst you can still make connections between devices/people it’s much harder to add context or determine it’s relevance if you can’t see what was actually communicated. There are a lot of very nasty people in jail (or attacks prevented) as a direct result of this sort of intelligence work.

Just to re-iterate, I don’t think (even if it were possible) that the above is a good enough reason to ban end-to-end encryption for citizens – but there is very much a downside from a law enforcement and anti-terrorism perspective. If you think government agencies are only intercepting communications for shady reasons like population control or to compile information to sell on to companies/other governments you’re mistaken.

Surely the simple answer to the “child safety” concerns is don’t give your kids un-restricted access to social media? Do parents not spot check what their kids are up to on social media?

(I don’t have kids. Only a dog. And he needs me to unlock his phone 😂)

Do you have any idea how much shite the average teenager sends? Do you have any idea how crafty kids are if they think there’s a channel their parents are watching they will use a different app, device etc.

The answer is totally not banning end to end encryption. But thinking that any parent could really police their child on-line activities in 2022 without interfering with their ability to thrive in a digitally dependant world is naive. More importantly even if that is what “responsible” parents do – then not all parents are responsible so who protects those children (who might well be the most vulnerable).

It’s not that simple though. Yes the bigger OCGs and some terrorists with a lot of money behind them will be using networks like EncroChat but the vast majority of comms related to criminality will be on stuff like Whatsapp

Its really not difficult. I’m not a professional software developer and could make you an end to end encrypted chat service in a week if I had nothing better to do. There’s probably multiple open source projects you could use off the shelf in less than that. Building it with the infrastructure to handle millions of chats per minute – would require expertise I don’t have but producing something which was privately circulated amongst only my dodgy circle of users would be simple. The reason that’s not common is WhatsApp etc provide a very robust, no hassle platform FOC – but have no doubts if you ban WhatsApp – its like alcohol prohibition, people will find a way. You can maybe make it an offence to be in possession of software that is capable of this – but it wouldn’t be difficult to hide this within some legitimate looking system.

Christ that Open Rights Group video is laughable.

Interesting there is a lot of scorn thrown at the government when it seems at face that a lot of child protection charities are pushing for it not to be implemented.

Again – that’s over-simplifying things.

Oh sure. My target audience here is a cycling forum not a Blue Team, and it was mostly a stream-of-consciousness grumble.

You’re correct of course, maybe I could’ve worded that better; targeted vs non-targeted perhaps.

If you think government agencies are only intercepting communications for shady reasons like population control or to compile information to sell on to companies/other governments you’re mistaken.

“Only”? No, I don’t think that’s the only reason. I rather feel that it might be naive to think it not to be a contributing factor.

You can maybe make it an offence to be in possession of software that is capable of this – but it wouldn’t be difficult to hide this within some legitimate looking system.

They tried with assymetric encryption, but PGP (Pretty Good Privacy) was released open source and after that it was impossible to but the genie back in the bottle.

Remember when 128-bit encryption in IE was classed as a weapon and required an export licence? Halcyon days.

Its really not difficult. I’m not a professional software developer and could make you an end to end encrypted chat service in a week if I had nothing better to do. There’s probably multiple open source projects you could use off the shelf in less than that. Building it with the infrastructure to handle millions of chats per minute – would require expertise I don’t have but producing something which was privately circulated amongst only my dodgy circle of users would be simple.

Building it in a secure way not just having the ability to scale is difficult, very difficult. So it depends who your client is – there’s a reason well-funded OCGs aren’t using Whatsapp (mostly due to the device security it’s running on and the human element in the equation). But it’s secure enough that it takes a massive amount of additional effort during intelligence gathering, likely to a degree it means that intelligence gathering can only focus on a handful of individuals rather than everyone that’s relevant to it so a lot of stuff will slip through the net.

Meanwhile, elsewhere on the government’s website:

https://www.ncsc.gov.uk/information/secure-default

Square those circles, square them!!

Data or actually access to data creates power (politicians like power)

This data will be abused, sold and form the launch pad for more invasion monitoring.

History tells us this.

Remember when 128-bit encryption in IE was classed as a weapon and required an export licence? Halcyon days.

Would that be PGP? The manual was a good read!

As for the rest of it, computer scanning is cheap but proper surveillance and investigations need boots on the ground and that’s expensive and may catch the ‘wrong sort of people’ (Tory Donors and the like).