Jump to content
Manx Forums - A Discussion Board & Classifieds for the Isle of Man

UK Govt Banning End-to-End Encryption

HeliX

By HeliX
in International News

Recommended Posts

pongo Rising Star

pongo

Posted
Posted

My question was vague and insufficiently succinct: The govt is only proposing stopping companies from providing E2E encrypted services where the company does not have the key and therefore cannot be required to give it up? Only companies are affected?

So they stop iMessage, WhatsApp and, potentially, companies providing Bitcoin services - but not apps which provide equivalent services built on P2P where the user is the keyholder (ie the person they must go to for the key).

Is that right?

Link to comment
Share on other sites
  • Replies 67
  • Created
  • Last Reply
HeliX Grand Master

HeliX

Posted
  • Author
Posted

My question was vague and insufficiently succinct: The govt is only proposing stopping companies from providing E2E encrypted services where the company does not have the key and therefore cannot be required to give it up? Only companies are affected?

 

So they stop iMessage, WhatsApp and, potentially, companies providing Bitcoin services - but not apps which provide equivalent services built on P2P where the user is the keyholder (ie the person they must go to for the key).

 

Is that right?

What do you mean by built on P2P? In any form of E2E encryption the key is in the possession of the user, not the company. The UK Govt is trying to stop such apps from being available. Presumably by getting Google to remove them from the store in that jurisdiction.

Link to comment
Share on other sites
pongo Rising Star

pongo

Posted
Posted

What do you mean by built on P2P? In any form of E2E encryption the key is in the possession of the user, not the company

For example - like the difference between using a bitcoin client yourself vs using a bitcoin service. Users can simply download the source and compile the code for themselves. The protocol is open and the networking is p2p rather than via specific company servers. There is no company.

 

By contrast the govt seem to be primarily concerned with WhatsApp and iMessage. ie the widely used commercial products which have largely replaced sms for now. Certainly the reporting has focused on these. In theory the user holds the key - but (with iMessage anyhow) on an encrypted device - probably difficult to recover and do we know whether even if recovered it could be used to retrospectively decrypt previously captured traffic?

 

I don't see this as nefarious or Orwellian. My guess is that it is well intentioned but possibly poorly thought through.

Link to comment
Share on other sites
HeliX Grand Master

HeliX

Posted
  • Author
Posted

 

What do you mean by built on P2P? In any form of E2E encryption the key is in the possession of the user, not the company

For example - like the difference between using a bitcoin client yourself vs using a bitcoin service. Users can simply download the source and compile the code for themselves. The protocol is open and the networking is p2p rather than via specific company servers. There is no company.

 

By contrast the govt seem to be primarily concerned with WhatsApp and iMessage. ie the widely used commercial products which have largely replaced sms for now. Certainly the reporting has focused on these. In theory the user holds the key - but (with iMessage anyhow) on an encrypted device - probably difficult to recover and do we know whether even if recovered it could be used to retrospectively decrypt previously captured traffic?

 

I don't see this as nefarious or Orwellian. My guess is that it is well intentioned but possibly poorly thought through.

 

The bitcoin analogy isn't quite accurate as in that case the server is storing your keys. With WhatsApp and iMessage the user stores the keys. The major difference between WhatsApp/iMessage and pure P2P services is that WhatsApp/iMessage are companies who supply their own messaging Apps, where a pure solution like Bitmessage is an open source app built to perform actions with a certain protocol, and the messages pass through WhatsApp/iMessages servers in their case. But at that point the messages are already encrypted and cannot be decrypted by a third party.

 

I find it hard to believe that the Government won't have discussed the issue with GCHQ, and that GCHQ have such a poor understanding of their target demographic that they think they'll be using WhatsApp. Which leaves us with the only explanation, the Government is being scummy.

Link to comment
Share on other sites
pongo Rising Star

pongo

Posted
Posted

@HeliX

 

So we more or less agree that this legislation seems aimed at, would seemingly mostly impact, commercial solutions. I also doubt that the govt is going to want a public argument with Apple - or to be responsible for British account holders from being blocked from using iMessage and WhatsApp.

 

But we disagree about the intent of the legislation. You see it as scummy, where as I see it as probably well intentioned.

 

I find it hard to believe that ... GCHQ have such a poor understanding of their target demographic that they think they'll be using WhatsApp.

We don't know. Have you seen Four Lions?

 

--

 

I am curious to know whether British based Bitcoin solution providers are concerned about the possible implications of this.

Link to comment
Share on other sites
HeliX Grand Master

HeliX

Posted
  • Author
Posted

@HeliX

 

So we more or less agree that this legislation seems aimed at, would seemingly mostly impact, commercial solutions. I also doubt that the govt is going to want a public argument with Apple - or to be responsible for British account holders from being blocked from using iMessage and WhatsApp.

 

But we disagree about the intent of the legislation. You see it as scummy, where as I see it as probably well intentioned.

 

I find it hard to believe that ... GCHQ have such a poor understanding of their target demographic that they think they'll be using WhatsApp.

We don't know. Have you seen Four Lions?

 

--

 

I am curious to know whether British based Bitcoin solution providers are concerned about the possible implications of this.

 

I don't think this directly impacts Bitcoin service providers, there's no "Message" in Bitcoins, nothing to be hidden away from the Government. They seem more concerned with being able to read what people are saying to each other.

 

Though it wouldn't surprise me if they want to try to ban bitcoin entirely due to its anonymous nature. Another daft exercise that would be, mind.

Link to comment
Share on other sites
pongo Rising Star

pongo

Posted
Posted

@Helix

 

This is OT: I would like to recommend you this excellent edition of the RadioLab podcast. The first section anyhow - it's an interesting story, very nicely produced and presented.

 

First we meet mother-daughter duo Alina and Inna Simone, who tell us about being held hostage by criminals who have burrowed into their lives from half a world away. Along the way we learn about the legally sticky spot that unwitting accomplices like Will Wheeler find themselves in.

Link to comment
Share on other sites
Slim Newbie

Slim

Posted
Posted

The legislation (as I understand it) is not for companies, but specifically for service providers. It defines carriers and stipulates that carriers must be able to provide the authorities with access to customer activity when requested. Claims that it bans e2e encryption doesn't see to be correct.

 

https://grahamcluley.com/2015/11/draft-investigatory-powers-actually-says/

Link to comment
Share on other sites
HeliX Grand Master

HeliX

Posted
  • Author
Posted

This article at The Guardian addresses the subject with specific reference to WhatsApp & iMessage. It touches on the the question of who holds the keys.

In E2E encryption the users always hold their own keys. If they don't it's not E2E encryption.

 

The legislation (as I understand it) is not for companies, but specifically for service providers. It defines carriers and stipulates that carriers must be able to provide the authorities with access to customer activity when requested. Claims that it bans e2e encryption doesn't see to be correct.

 

https://grahamcluley.com/2015/11/draft-investigatory-powers-actually-says/

Well, yes and no. WhatsApp can't comply with a request to decrypt its users messages while it implements E2E encryption. So if the companies want to comply, they have to ditch E2E.

Link to comment
Share on other sites
pongo Rising Star

pongo

Posted
Posted

In E2E encryption the users always hold their own keys. If they don't it's not E2E encryption.

Nobody is disputing this. The Guardian article does not dispute this.

 

WhatsApp can't comply with a request to decrypt its users messages while it implements E2E encryption.

That's not necessarily strictly true. Firstly because it depends upon both the effectiveness and the strength of the encryption. They might, for example, better know where to begin with brute force.

 

Secondly - there might be a difference wrt decrypting real time messaging. Because ... well this article explains why it may not be such a binary argument.

 

imessage-graphic.png?w=400&h=322

Link to comment
Share on other sites
HeliX Grand Master

HeliX

Posted
  • Author
Posted

 

In E2E encryption the users always hold their own keys. If they don't it's not E2E encryption.

Nobody is disputing this. The Guardian article does not dispute this.

 

Perhaps not, but you've mentioned "Who holds the keys" several times so I thought maybe it wasn't clear smile.png

 

 

WhatsApp can't comply with a request to decrypt its users messages while it implements E2E encryption.

That's not necessarily strictly true. Firstly because it depends upon both the effectiveness and the strength of the encryption. They might, for example, better know where to begin with brute force.

 

Secondly - there might be a difference wrt decrypting real time messaging. Because ... well this article explains why it may not be such a binary argument.

 

imessage-graphic.png?w=400&h=322

 

Brute forcing is wasted effort on pretty much any encryption method worth its salt. If you use weak enough encryption that it can be brute forced, it won't just be the Government who's able to read it.

 

That article is a little bit misleading because it implies a lot of things that we can't really know. But is more of a question of trust and a good advert for open source software. To our knowledge iMessage does not encrypt your message a second time with Apple's key and send it to Apple. I'm unfamiliar with decompiling iOS apps (I don't have an Apple phone), but certainly this could be tested for WhatsApp. I would say with confidence that if WhatsApp start using a public key they control to sign your messages, we will know about it.

Link to comment
Share on other sites
Slim Newbie

Slim

Posted
Posted

Well, yes and no. WhatsApp can't comply with a request to decrypt its users messages while it implements E2E encryption. So if the companies want to comply, they have to ditch E2E.

Only if that company is defined as an ISP. That whatsapp is an ISP isn't clear, and it looks like it isn't in the draft that's been published.

Link to comment
Share on other sites
HeliX Grand Master

HeliX

Posted
  • Author
Posted

 

Well, yes and no. WhatsApp can't comply with a request to decrypt its users messages while it implements E2E encryption. So if the companies want to comply, they have to ditch E2E.

Only if that company is defined as an ISP. That whatsapp is an ISP isn't clear, and it looks like it isn't in the draft that's been published.

 

Surely WhatsApp (company) counts as a Communication Service Provider?

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...