David Cameron could block WhatsApp and Snapchat if he wins the next election, as part of his plans for new surveillance powers announced in the wake of the shootings in Paris.
The Prime Minister said today that he would stop the use of methods of communication that cannot be read by the security services even if they have a warrant. But that could include popular chat and social apps that encrypt their data, such as WhatsApp.
Apple’s iMessage and FaceTime also encrypt their data, and could fall under the ban along with other encrypted chat apps like Telegram.
Part of Cameron’s speech has been posted on YouTube.
I am so enraged by our government I may even have to campaign against it this election. Shameful. But damn, doorstepping sounds tedious.
Ban encrypted communications and you’ll make the country a veritable gold mine for criminals; it might stop law-abiding citizens, but criminals don’t care about laws and they’ll be absolutely delighted at the opportunity to watch everyone’s communications freely. I certainly am glad I do not live there.
Especially since last time I checked, https was also encrypted. It will be so nice to send my credit card data and passwords as raw text.
Not in the way you imply, though. In the scenario proposed, traditional crime is squashed and government becomes the criminals. See North Korea. One thing they DON’T have there is civil disobedience, because criminals run the country.
This is worse than banning encryption, because what they want is encryption that doesn’t work, meaning they’ll tell you you’ll still have encryption, but it would be a useless one (one they could crack in seconds).
VPN
That uses encryption does it not? Encrypted = Yes so ban it.
The Great Firewall of UK will block your connection if it’s encrypted.
What an idiot, disgraceful behaviour to ride on the back of a tragedy to further the idiocy of the surveillance state.
Yeah. Too bad it’s also effective and the sheeple will go for it. I’m coming to wonder if the average human even deserves to be free. They sure seem to want security at the expense of their own liberty.
The sheeple will just use what the Internet community gives them to use. This sounds like crypto wars 2.0 ( http://en.wikipedia.org/wiki/Crypto_wars 2.0 )
The UK has been at war with encryption for years now.
Remember the encryption password law ?:
http://www.pcpro.co.uk/news/361693/teenager-jailed-for-refusing-to-…
Or the UK ‘porn filter’:
http://www.forbes.com/sites/emmawoollacott/2014/07/02/uk-porn-filte…
I wonder how they are going to do that, because:
The Internet standards making body the IETF said after the Snowden leaks and after it became known what the US (NSA) and UK (GCHQ) were doing:
“to make encryption the norm for Internet traffic”
https://www.iab.org/2014/11/14/iab-statement-on-internet-confidentia…
The W3C is working on a draft for transitioning the web to HTTPS-only:
https://w3ctag.github.io/web-https/
For example HTTP/2.0, the next version of HTTP, will only be available in encrypted form on the public Internet. There are technical reasons for doing this, but also because of spying and privacy.
So they are trying to ban ‘real-time communications’, right ?
Are they going to ban web browsers next ?:
Those include support for encrypted communication protocols too: HTTPS and WebRTC:
– HTTPS encrypts communication between the browser and websites.
– WebRTC is a form of encrypted peer-to-peer communication between web browsers. You can use it to send text, data, audio and video. So any website can now include something which facilitates encrypted communication between people without any intermediary.
Are they going to block VoIP and XMPP Instant messaging ? XMPP has been in fully-encrypted-communication-only-mode since May 19, 2014:
http://blog.prosody.im/mandatory-encryption-on-xmpp-starts-today/
All the server software is already free:
http://www.rtcquickstart.org/
https://rtc.debian.org/
Also this year: HTTPS-encryption for websites will become free and stupid simple to deploy:
https://letsencrypt.org/
I think the cat is already out of the bag, I really don’t think you can put it back with legislation.
PS TIP: Don’t put ANY data in a cloud related to a US-company, you are going to be sorry, guaranteed. The laws to get to your data are all in place. Maybe they are using it already:
http://media.ccc.de/browse/congress/2014/31c3_-_6195_-_en_-_saal_g_…
Edited 2015-01-13 10:52 UTC
While I agree, I’d be curious to know which cloud companies don’t have servers in the US given what a large market it is. All the ones I know are either based in the US or have sizeable server farms there.
Well,
If you are looking for storage, look at something like OwnCloud. Lots of hosting providers for that. Because it’s just a PHP-site. Don’t forget to get SSL for the site. Just look for them in your own country, so they are in the same jurisdiction. Or a jurisdiction with even better privacy policy like Germany or Brazil.
If you are looking for ‘compute’, so virtual- or real machines, just search for VPS or VPS comparison sites. It’s pretty rare for large VPS-providers to not have an API these days. Or look at the OpenStack site; they have a marketplace:
http://www.openstack.org/marketplace/
That would be my suggestion.
That’s great, but I already know about Owncloud. From a non-tech user’s perspective, however, which cloud company would allow me to avoid the US? Quite frankly, I don’t see any which is the point I was trying to make. Those of us who understand tech can always find other solutions, but those who do not are screwed it would seem.
Maybe we should ask something else first:
what is your definition of cloud ?
Because there are so many, you can’t believe.
I think this is a great idea.
Now all I need to know is which bank he uses as I am sure he will not mind me looking at his banking transactions or moving some of his money around.
Papa wants a new computer!
Edited 2015-01-12 21:21 UTC
Ban all encrypted communication will he? Is this sorry excuse of a human being aware that e-commerce exists today because of encrypted, impenetrable, end-to-end encryption?
Are you folks going to give your credit card info over the wire, un-encrypted? Hahaha, oh man, I want to see the show with UK credit card numbers flooding the internet. Will the Brits lynch ol’ Davey then or will they let it slide because, otherwise, “terrorists win”.
Monkeys with power are far more dangerous and the stupid decisions they make are far more devastating than any group of terrorists can accomplish.
Go Davey ol’ chap, make the UK imagined in 2005 in “V for Vendetta” a reality. You’re almost there.
And lo, the founding fathers of the American Revolution did rise from their graves to say “We told you so.”
Only to wonder out loud, right after, how is it that the slaves are roaming the streets free and why women are allowed to vote…
This makes him look stupid and ill informed.
Ban encryption and you go against all sensible thinking for decades, centuries. Plus it gets super easy for anyone to pick off any credentials off the wire. Everything from your bank login to any establishment’s admin accesses.
Not only that – you can’t ban encryption. I could talk to you using my mouth and have special words. Motions like scratching my ear. That’s code. That is banned?
Fools. Absolute idiots.
I normally stay out of these kinds of discussions but I am gobsmacked at the level of ignorance shown.
Why are his advisers so stupid? Not only that, he should be computer literate enough to spot this banana.
Which is to say, he looks like a typical politician… much talk, but very little attempt to understand what he’s talking about.
Someone on the news just said that they only propose that service providers keep keys so that content can be unlocked upon request.
So that’s ok then?
No – because there is no difference. Backdoored security maintained by your run-of-the-mill company is effectively zero encryption when faced with threats like – bribery, accidents, laziness, … never mind people with cricket bats. (baseball bats if you’re from across the pond).
I say it again – dumbass fools. I am enraged not at the attempt but at their ignorance that drives the attempt.
That would still be an utterly stupid proposition, what with assuming that all criminals would use services that store their online-correspondence on the servers in the first place — I mean, there are PLENTY of encrypted protocols and services that don’t route traffic through some server or allow for storing of content — and thus most of the content that was being monitored would simply be that of ordinary people doing legal things and it all would be an enormous experiment in waste of effort.
And the companies? Under this proposition they’d either have to back-pedal user-security to use the same encryption key for all users, or to store each and every user’s keys in the system in a format that can be used to access all of their stored content. Hackers will love that, companies won’t.
WereCatf,
I think this just illustrates the ignorance of policymakers. It will not be effective nor enforceable against criminals. But…how much damage will they cause to civil liberties in the process of trying? It’s truly despicable when governments feel entitled to control the people instead of the other way around.
Keep keys to what, though? How would they store the SSH private key I might use for a tunnel, for example? Or are they really proposing to MitM all SSL traffic? It’s mind-boggling how stupid these proposals continue to be.
So, you thought you could have real encryption, huh?
It doesn’t work that way. Governments think they have a Right To Snoop.
In the future, you will have encryption, but only by “authorized services” and as long as it passes through some server and can be decrypted by said server if government requests so.
Of course, no effort to arrest or block “anonymous websites” and “anonymous advertisers” serving up malware. Which could really enhance security (if you set up a site or serve ads, you shouldn’t be anonymous, unlike visitors who deserve to be anonymous).
Edited 2015-01-13 00:18 UTC
Ban encryption? Sounds like the ramblings of someone who doesn’t hold their liquor very well.
F**k You! Do your damn jobs without infringing on my freedoms. God knows you get enough of my tax money that it’s not a financial issue. Bloated fat and lazy governments. Figure it out….a-holes.
Aaaaaaaaaaaaaaaand there’s the scariest thing ever. I had hoped this day would not come. We’re living in a dystopian novel
Truth is he has very little to do with any of his policies because he is a dullard and everything is driven from his party. Take the internet filtering (which I have yet to see forced upon me, even though I have a connection I signed up for less than a year ago), that was absolutely spearheaded by one female politician. He didn’t have a clue, and she fed him bogus stats which made him look like a total knob.
Cameron is probably not going to make another term.
Having just watched the “Imitation game” at the weekend I do feel he would like to return to the 1950’s “values” of that film. He’ll be chemically castrating “criminals” next. Criminalising normal life choices, and attacking any non-conformists.
Britain still scares me less than whacko fully radicalised USA, but we are heading there rapidly.
And as this is just after Major of London said in an interview that “I’m not particularly interested in this civil liberties stuff when it comes to these people’s emails and mobile phone conversations. If they are a threat to our society then I want them properly listened to.”
A lesson of fine democracy indeed, Mr. Major.
I hope you mean Mayor as Major hasn’t been in power since 1997! (although he is now a Lord )
If WhatsApp and co were banned then Blackberry BBM would be in an ideal position to clean up. They have previously offered bespoke access to the Indian Gov so I’m sure they would do the same for the UK.
I’ll be watching this one closely to see how quickly Facebook (whatsapp) sell out on their ideal if it does go through and see their market vanish.
The problem is the enterprise version of BBM is also fully encrypted. They can only intercept things on court order if the messages go through Blackberry’s fallback servers for non-enterprise customers.
Terrorists apparently don’t buy the enterprise edition :-p
Journalists use encryption to protect themselves.
It would be nice to get a comment from the journalists at Charlie Hebdo about how they’d feel about having their encryption options reduced.
(ISIS hacking the US govt command centre’s twitter account shows that breaking computer security is part of those groups’ tactics.)
And therein lies the great deceit they’ll perpetrate on the populace to get this to stick. Read the summary carefully again:
So they’re not worried about all encryption, only about encryption that they can’t get you to open up for them (i.e. perform rubber-hose cryptanalysis on). Many modern communications methods support ephemeral key encryption, including TLS 1.1, OTR and try to switch to it when available. This scheme generates temporary key material for each communication session and discards it permanently after the communication is done, defeating the utility of e.g. a court order to reveal keys/passwords. The fascists in government don’t like this, so they want to prevent you from using such a scheme. What they don’t realize is that the cat’s out of the bag and there’s no getting it back in. TLS has supported this for years now, all modern browsers have it, servers support it, etc.
Also of note is the irony of this story being posted on a website that still doesn’t support HTTPS access and every time I log in I have to send my password unencrypted over the wire. Shame on you, OSNews.
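The ephemeral-key point made in the comment above, as an added example that is not part of the original thread: a toy Diffie-Hellman exchange showing that a long-term key disclosed later decrypts a recorded static-key session but not an ephemeral one. The group parameters, the SHA-256 stream cipher and all function names are assumptions chosen for illustration, and authentication of the exchange is left out.

```python
import hashlib
import secrets

# Toy, constructed parameters (assumption): a 127-bit Mersenne prime is far too
# small for real use; production TLS uses vetted groups or elliptic curves.
P = 2**127 - 1
G = 3

def keypair():
    """Return (secret, public) for finite-field Diffie-Hellman."""
    secret = secrets.randbelow(P - 3) + 2
    return secret, pow(G, secret, P)

def session_key(own_secret, peer_public):
    """Hash the shared DH value into a 32-byte symmetric key."""
    shared = pow(peer_public, own_secret, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def xor_cipher(key, data):
    """Toy stream cipher (SHA-256 in counter mode); encrypts and decrypts."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def run_session(server_static_secret, message, ephemeral):
    """One client->server session; returns only what a wiretap records.
    In ephemeral mode both secrets are discarded when this function returns."""
    client_secret, client_public = keypair()
    if ephemeral:
        server_secret, server_public = keypair()   # fresh per session
    else:
        server_secret = server_static_secret       # long-term key reused
        server_public = pow(G, server_secret, P)
    key = session_key(client_secret, server_public)
    assert key == session_key(server_secret, client_public)
    return {"client_public": client_public, "server_public": server_public,
            "ciphertext": xor_cipher(key, message)}

def decrypt_with_disclosed_key(recording, disclosed_secret):
    """What a later key-disclosure order yields against a recorded session."""
    key = session_key(disclosed_secret, recording["client_public"])
    return xor_cipher(key, recording["ciphertext"])

def demo():
    static_secret, _ = keypair()                   # server's long-term key
    msg = b"constructed sample message"
    old = run_session(static_secret, msg, ephemeral=False)
    new = run_session(static_secret, msg, ephemeral=True)
    return (decrypt_with_disclosed_key(old, static_secret) == msg,
            decrypt_with_disclosed_key(new, static_secret) == msg)
```

`demo()` returns whether the disclosed long-term key recovers the recorded plaintext in static mode and in ephemeral mode respectively.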
Speaking of which, why doesn’t OSNews support HTTPS? It’s not like it’s difficult to set up, it takes quite literally 5 minutes of your time and you just need a proper certificate for it.
Good question. All it takes is having postmaster@ for a domain and you can get a free Class-1 certificate accepted by most browsers out there in about 5 minutes. I honestly think it’s complacency at this point.
saso,
The main weakness for SSL as implemented in HTTPS is its reliance on third parties to sign the root certificates. If any CA is vulnerable or working with agencies (cooperatively or via court order), then it becomes a simple matter to impersonate any “secure” website in the world including all these other security features. I’m sure the agencies have insiders in at least a couple CAs.
Does seem a bit ironic, but it’s probably just not that big a priority. The thinking might be “why increase server load if this is good enough”…
Right, but that’s a side-channel attack, not really a problem of the underlying crypto, plus there are effective countermeasures against these kinds of attacks (see Perspectives, SSL Observatory, etc.). As for CAs being willing to issue fake certificates – I’m sure in certain specific cases it’s possible to happen, but most likely not on the general Internet (otherwise if they get found out by plugins such as Perspectives, it’s business over for these companies). What I’m trying to get at here is preventing the “drag-net” type of surveillance where everybody’s communication is collected and can subsequently be analyzed and used against them.
saso,
Regardless of what kind of attack it is, it still means it isn’t absolutely trustworthy.
Perspectives is worth mentioning, however it’s not foolproof. I remember reading that Perspectives didn’t work well with some large sites that used multiple certs. But even if that’s an exceptional configuration there isn’t really a good way for us as end users to know which certs are legitimate and which are forgeries, that’s what the CAs were supposed to be for. We’re lucky that laymen verify HTTPS is on at all, asking them to install additional non-standard security components isn’t going to happen no matter how good the intention.
To me, it’s virtually inconceivable that billion/trillion dollar government agencies don’t already have this capability. Their chances of getting caught using this against their targets are very slim and they can even reduce that to nearly zero if they first confirm their targets aren’t running such plugins. Even if the forgery is detected, it doesn’t necessarily mean the agencies will be found out since they have plausible deniability. There have been high profile cases where the CAs have revoked certs after security lapses become public, any one of those cases may, or may not have been the result of government meddling, we really don’t know.
Of course active man-in-the-middle attacks can’t be done retro-actively.
The upcoming UK general election will result in either a Conservative or Labour government (perhaps in coalition). Even if Labour win it is worth remembering that they tried to implement the “Interception Modernisation Programme” – http://en.wikipedia.org/wiki/Interception_Modernisation_Programme
We can only hope for a coalition government to halt a snooper’s charter, both our main parties have a strong authoritarian streak.