US, UK, and other governments ask tech companies to build backdoors into encrypted devices

Discussion in 'privacy general' started by ZMsiXone, Sep 3, 2018.

  1. ZMsiXone

    ZMsiXone Registered Member

    Joined:
    Mar 30, 2017
    Posts:
    326
    Location:
    EUROPE/poland/germany
    https://www.theverge.com/2018/9/3/17815196/five-eyes-encryption-backdoors-us-uk-australia-nz-canada
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Well, they already do pursue technological measures ;)

    And add China, Russia and India to the list, I guess. But they're not part of Five Eyes, of course.
     
  3. XenMan

    XenMan Registered Member

    Joined:
    May 8, 2018
    Posts:
    130
    Location:
    Australia
    From an LE perspective, it was previously easy to gather evidence and build on investigations as most criminals are stupid, and you rarely catch the smart ones, but that was just how things are.

    The problem now is that stupid criminals are using smart technologies which can lead to investigative dead ends. The keyboard heroes can cheer the bad guys and support privacy without consequence, but although 80 % of LE is politically motivated, from the populist sentiment and without much overall benefit, the remaining 20 % has real impact on real people.

    It will happen that processes such as encryption that hamper LE, will have to be addressed. The 'free' internet will end.

    If you don't break the law, you don't have a problem, as apart from the US, the Five Eyes have relatively good legal systems.
     
  4. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    I won't say much here, to avoid dreaded politics, other than to point out that other reasonable, historically informed and evidence-based views are not nearly as sanguine as you seem to be about LE. I'd also point out that in the UK, the laws and institutions have repeatedly been found to be unlawful and done in secret without proper debate. They continue to blithely operate AFR unlawfully.
     
  5. XenMan

    XenMan Registered Member

    Joined:
    May 8, 2018
    Posts:
    130
    Location:
    Australia
    When you work in LE you realise it is an institution that isn’t a combined unit, but made up of individuals, all with their own agendas and interpretation of the law. But there are always numerous individuals, such as myself, who are run out of the job for disagreeing with the organisational culture. The good news is that there are many LEOs who at the slightest opportunity would burn their force to the ground with a good cause.

    As for your view on lack of accountability, as I have stated previously, the best measure is how many police get charged, convicted and go to jail. A quick Google search shows numerous convictions of UK police, which is a good thing.

    “…laws and institutions have repeatedly found to be unlawful and done in secret without proper debate…”

    I agree entirely that from the outside this seems against the public interest, but when you are on the inside genuinely trying to do good, it honestly isn’t enough power to do your job.

    The balance is always when neither party is happy.
     
  6. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    In fact, I tend to trust most people in my jurisdiction, including most LE. A major problem we have though is that algorithms coupled to inaccurate and insecure databases (all of them), plus population-scale mass surveillance WILL lead to false positives (usually many more than good identifications), and that those false positives will not be judged by a real person using proper procedures. An algorithm will suggest a probable match to a bored squaddie who wants to clear their desk, they tick a checkbox, and all of a sudden, you're on a no-fly or no-employment for life with no real redress or compensation. I do not call that justice, nor can you claim that the innocent have nothing to fear in that case.

    The next problem is that most laws were written very badly and not so that a computer could make a decision about them; people are much better at knowing intent, but again, will sometimes never apply proper judgement to the situation.

    Finally, and this is fundamental, no-one can fully trust their government to continue following the rule of law. You mention European jurisdictions who sometimes have somewhat better protections, and the reason for that is the horrific abuses inflicted by the state that have happened in living memory. I do not agree with the state knowing my every move & association at all times, which in fact they do, even if it's algorithmic - that makes it worse in a way, as I've pointed out. Which is why regular "innocent" people are interested in how they can stay private from government snooping.
     
  7. XenMan

    XenMan Registered Member

    Joined:
    May 8, 2018
    Posts:
    130
    Location:
    Australia
    Yeah…we can go in circles with this and will have to agree to disagree, but I have never heard of this system and there is no capacity for it to exist. No fly lists have strict guidelines based on legislative requirements, and the only status that impacts employment is conviction in a court.

    Cops get convicted, LE Agencies are settling out of court regularly, there is always compensation. We were always warned that if we make a mistake we can lose our house.
     
  8. lolnothankyou

    lolnothankyou Registered Member

    Joined:
    Jul 29, 2018
    Posts:
    61
    Location:
    DisableLocation
    That's how we got TrueCrypt 7.1a replaced by VeraCrypt overnight :)
     
  9. BriggsAndStratton

    BriggsAndStratton Registered Member

    Joined:
    Aug 28, 2018
    Posts:
    91
    Location:
    A Galaxy Far Far Away.

    This debate has been going on since the NSA introduced the clipper chip in the 90s. Since then, every now and again, the fascists come out and demand back doors in encryption technology.

    Let me add, that "The Verge" Article is not specific enough in telling who exactly is making these demands in government?? There are many in government who oppose backdoors.

    Law Enforcement already have many tools to conduct their investigations. Taking the last layer of privacy that consumers have left is way out of bounds, and should NOT be addressed. In the U.S. Senate, there is actual legislation being considered that would prevent law enforcement from requesting assistance from tech companies to help with encryption.

    Yes, it's alarming that they are even asking, as they seem to ask every couple of years. Creating backdoors to encryption would be economically disastrous to tech companies that have to comply, because there would be other companies, from other countries, who don't have such laws, that would fill that void of privacy. It would cost the industry billions upon billions of dollars.

    If such backdoors were created, there is the high probability that they would fall into the hands of criminals, the unscrupulous, and that law enforcement would abuse this power.

    Again, law enforcement officials have many investigative tools especially with the age of the internet, all the electronic gadgets that people carry around or have in their homes, that have cameras, microphones, etc.... These tools are sufficient for Law Enforcement to conduct their investigations, and there is no proof that encryption thwarts a large number of law enforcement investigations, therefore there is no need for backdoors.
     
    Last edited: Sep 5, 2018
  10. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    What is good is subjective.
    I agree. We live in the age that almost everyone has their personal life put on the Internet. We should not sacrifice our right to privacy completely just because a small number of criminals can get convicted.
     
  11. DesuMaiden

    DesuMaiden Registered Member

    Joined:
    Jan 25, 2013
    Posts:
    599
    Why would this matter if you rely on open-source encryption software/programs like Veracrypt or Luks?
     
  12. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    Luks is part of the Linux kernel and I don't know how this law impacts the Linux kernel. Maybe the Linux Foundation would be required to put a backdoor into the kernel, who knows. On the bright side this backdoor could be identified and removed by various Gnu/Linux distributions. Maybe the Linux Foundation would emigrate from the USA.
     
  13. XenMan

    XenMan Registered Member

    Joined:
    May 8, 2018
    Posts:
    130
    Location:
    Australia
    This debate is certainly healthy and needs to be expressed. I think I made my point clear above on why this is occurring as LE is driven by a cycle of public pressure on government to solve criminal activity, which is then forced on the LE agency, which results in push back due to limitations to investigate and eventually more powers to solve blockages.

    It is becoming inevitable that encryption issues will be addressed, so there is no point worrying about things you can't change. I'm only offering a perspective from a previous LE role that it is not as bad as some present, and that LEOs are people too; not just an army of fascists.

    I don't expect you to change your views, or see them as wrong or right.
     
  14. DesuMaiden

    DesuMaiden Registered Member

    Joined:
    Jan 25, 2013
    Posts:
    599
    Yeah the USA is becoming less and less free every day. I don't know...I still trust open-source encryption more than something like BitLocker from Microsoft, which is much more likely to have a backdoor since the source-code is proprietary and not open-source. And if a closed-source software has a backdoor, there is no way for a 3rd party user to detect the backdoor unlike open-source software where backdoors can ACTUALLY be detected.
     
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Making all secure encryption illegal will certainly discourage use. But even so, that won't 1) make it unavailable or 2) stop people who need/want it from using it. I mean, consider how well the global war on drugs has worked ;) Also, just as with the global war on drugs, what this does is generate generalized disrespect for the rule of law. And consequent blowback.

    If we go down this path, it's not going to end well. Especially in the context of global climate change, which also looks like it won't end well.

    But hey, I'll be dead. And at least I can lulz at the fools, in the meantime :)
     
  16. XenMan

    XenMan Registered Member

    Joined:
    May 8, 2018
    Posts:
    130
    Location:
    Australia
    The war on drugs has failed for enough reasons to write a dissertation, but mostly it is the 5% effect.

    That is, we can’t take drugs legally, amongst many things, because 5% of the population will do it irresponsibly, forcing it to be ruined for everyone.

    You can’t ban encryption, but you can stop easily accessible hosted services that provide encrypted communication; see ‘most criminals are stupid’ above.

    I don’t personally know any people that will be bothered, or even notice an impending ban on encrypted services. It is a good sample size and diversity.
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Well, I guess that we'll see. Most people are probably too clueless to know just how much encryption is protecting them.
     
  18. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    Yes, they probably just expect internet banking to be secure, but don't know how it is achieved.
     
  19. BriggsAndStratton

    BriggsAndStratton Registered Member

    Joined:
    Aug 28, 2018
    Posts:
    91
    Location:
    A Galaxy Far Far Away.
    I am not calling all LEOs fascists, let me state that to clear the air. I laid out several reasons why backdoors would be disastrous. Which one of those don't you agree with? I ask because most LEOs ignore the consequences that backdoors in encryption would bring to the industry and to society in general. I feel it is my duty to defend privacy rights of the citizenry.

    As I stated above. We have been seeing these requests over and over again since the 90s. In the U.S. and in most countries at least, you don't have even close to unanimous consent from governments to insert backdoors. We have at least 20 years before it happens, and I doubt even then, the fact is, that 70% of Americans care about their privacy rights, and don't think it's necessary to tamper with encryption.
     
    Last edited: Sep 6, 2018
  20. BriggsAndStratton

    BriggsAndStratton Registered Member

    Joined:
    Aug 28, 2018
    Posts:
    91
    Location:
    A Galaxy Far Far Away.
    Have you heard of decentralization? Future apps such as Signal, Telegram, WhatsApp, Facebook, Twitter, and the like that will crop up, can, AND WILL be hosted on decentralized blockchains, where there is NO specific server, and there will be virtually nothing that can be done to censor or stop them. That is the way of the future, and Law enforcement requesting more access to data will only speed the development of this tech.

    There is already a huge group of people on the side of human rights and privacy, designing even more tools such as this as we speak, ready to roll them out when necessary. Should such encryption backdoors take effect (and I doubt they will), these tools will be made available for widespread public use.
     
    Last edited: Sep 7, 2018
  21. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    I think this is too optimistic a prediction. Blockchain technologies are high-latency networks. It usually means tens of minutes or hours to receive a message. It's no good for instant messaging.
     
  22. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    Yea, maybe it's better to start over and do it right this time with true P2P.
    For example, no tracker servers ******** like it was at first in BitTorrent. Those are trivial to censor.
    Instead use DHT from the start (BitTorrent now uses it) to form the base.

    Also the bootstrapping nodes handling must be robust and reliable.

    After those are handled reliably and there is no single point of failure, the encryption can be finally added.

    https://en.wikipedia.org/wiki/Bootstrapping_node
    https://en.wikipedia.org/wiki/Distributed_hash_table

    EDIT: Those would be for public services, protecting from censoring and snooping (that is, anybody could just download client program and join the network).
    The final component after encryption would be adding some form of authentication(s) so that private groups within that network could be created.

    EDIT2:
    With things like HTTP/2, which is faster than previous versions and is not a cleartext protocol (it's a binary protocol with encryption built-in) and TLSv1.3 (much faster than previous versions!), I don't think the latencies would be any problem.
     
    Last edited: Sep 7, 2018
  23. BriggsAndStratton

    BriggsAndStratton Registered Member

    Joined:
    Aug 28, 2018
    Posts:
    91
    Location:
    A Galaxy Far Far Away.
    Actually, the scaling is being solved as we speak. Take a look at, for example, OMG's plasma based on the blockchain. It is the answer to the scaling problem that the blockchain faces. The Ethereum Network is adopting it, and many other blockchains as well.
     
  24. XenMan

    XenMan Registered Member

    Joined:
    May 8, 2018
    Posts:
    130
    Location:
    Australia
    Can't use them if legislation requires ISPs to block.
     
  25. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Just don't use the crapper (computer).:argh:
    Nothing will ever be private on these.
     