[HN Gopher] U.K. abandons, for now, legislation that would have ...
___________________________________________________________________
U.K. abandons, for now, legislation that would have banned end-to-
end encryption
Author : alwillis
Score : 321 points
Date : 2023-09-06 17:28 UTC (2 hours ago)
(HTM) web link (daringfireball.net)
(TXT) w3m dump (daringfireball.net)
| phoe-krk wrote:
| _> The UK government has conceded it will not use controversial
| powers in the online safety bill to scan messaging apps for
| harmful content until it is "technically feasible" to do so
| (...)_
|
| That would be waiting for a quantum computer and quietly hoping
| that a) nobody develops a strong enough post-quantum scheme and
| b) there is still civilization after RSA and ECC are broken?
| Correct me if I'm wrong.
| monero-xmr wrote:
| Quantum computing doesn't matter. Nothing in the universe can
| break a one time pad.
| maxbond wrote:
| Is quantum computing relevant to symmetric encryption like
| OTP? GP was talking about asymmetric encryption. My limited
| understanding is that quantum computing is a threat to
| asymmetric encryption.
|
| There's also the question of, if you can distribute a key
| which is at least the same size as your message over a secure
| channel - why not just distribute your message over that
| channel in the first place?
| karmanyaahm wrote:
| > why not just distribute your message over that channel in
| the first place
|
| Latency? You can hand deliver a password ahead of time, but
| not messages.
| ianburrell wrote:
| One-time pad isn't a password. It is a flash drive or
| hard drive full of random bits.
| InitialLastName wrote:
| The difference between those is just one of scale and
| storage.
|
| You still have to reliably move a chunk of out-of-band
| information in a way such that it gets to (and only gets
| to) the person you want to have it.
| ianburrell wrote:
| The difference between a one-time pad and a stream cipher is
| provable, absolute secrecy, and really good secrecy. If you
| don't care about that, there is zero point to a one-time
| pad.
|
| Also, it isn't just a "chunk", for a one-time pad it has to
| be the same length as the messages. Which is fine if it's just
| short messages but a lot harder if it's lots of data.
|
| If you can exchange lots of data, you're better off using them
| as keys for a stream cipher.
| hgomersall wrote:
| Because with QKD you can distribute a random key knowing
| that there were no observers but you cannot distribute a
| message with the same guarantees. Specifically, any given
| bit exchanged might be observed, but that is detectable so
| the bit can be discarded.
|
| I read some years ago about a non quantum technique to
| achieve the same based on (I think) noise in a coupled
| electronic system. I wonder if that has been tested
| further.
| aetherson wrote:
| One-time pads are obviously not a serious widespread
| cryptography proposal.
|
| But the question of, "Why not just send the message instead
| of the pad" is pretty straightforward: when you have the
| opportunity to safely deliver the pad, you don't know what
| the message will be. When you do know what the message will
| be, you don't have the opportunity to safely deliver the
| pad.
| numpad0 wrote:
| But quantum computing can put the ciphertext in a quantum
| superposition between solved and unsolved state. Only problem
| to remain will be simple matter of determining what the
| plaintext is to be.
| grotorea wrote:
| Doing some armchair navel gazing cryptanalysis, but isn't
| that only true if you assume the OTP has access to true
| randomness? What if the attacker breaks your CSPRNG? Or what
| if the universe is deterministic and therefore a true RNG is
| impossible?
| maxbond wrote:
| Similarly relaxing in my armchair, a deterministic universe
| is compatible with a CSPRNG as long as the information
| required to recover its internal state is too diffuse to
| recover, or is outside the light cone of your adversary.
|
| Eg, rolling a dice is deterministic, and I imagine an
| algorithm exists that could recover the value of a dice
| throw from a recording of the sound of it rolling and its
| initial position. But once that sound has turned into heat,
| and that heat has conducted itself about the walls and into
| the air, I don't think it's possible to recover the sound.
|
| See also:
|
| "Is flipping a coin random?" (Numberphile)
|
| https://www.youtube.com/watch?v=AYnJv68T3MM [8m]
| jamiek88 wrote:
| It's possible. As in physics says it can be done. But it
| isn't technically feasible, probably ever.
|
| There's nothing in the laws of physics that prohibits us
| turning burned paper smoke back into a document and
| recover the information.
| maxbond wrote:
| I'm not sure physics really does say that. Physicists
| seem to believe that information is never lost - but that
| doesn't mean the information can be _retrieved_. If it's
| in a fragile state, then the act of measuring it might
| change it. Eg an electron has both a position and a
| momentum, but that doesn't mean you can measure its
| velocity.
|
| When you burn a document, all the matter might be
| transferred into the smoke, but you've rendered it into a
| stream of particles which is small enough to be affected
| by Brownian motion. Reversing the process (figuring out
| the initial position of each soot particle) involves
| knowing the position and momentum of the air molecules
| impacting the soot particles. In principle, you could
| take the current position and momentum of those particles
| and extrapolate backwards - but you can't actually
| measure that, not even in theory.
| macawfish wrote:
| Underappreciated fact
| contact9879 wrote:
| Once again, every cryptographic problem reduces to a key
| distribution problem :)
| phoe-krk wrote:
| And nothing in the post-quantum universe seems to reliably
| solve the problem of transmitting a one-time pad.
| toyg wrote:
| Oh no. That "technically feasible" translates to "when the
| government will be able to pass the practical parts of this
| legislation without too many people asking too many questions".
| xkcd-sucks wrote:
| "I promise I will not stab you until I acquire a knife"
| paxys wrote:
| "Strong enough post-quantum schemes" already exist, and every
| single mainstream communications platform will update to become
| quantum-proof overnight if/when quantum computers approach that
| level of capability. Quantum computers cracking encryption is
| really not a concern on anyone's mind, at least no more than,
| say, modern processors cracking SHA-1 etc.
| phoe-krk wrote:
| TIL! Which ones? I've only seen ones that were proclaimed to
| be secure, only to be broken in some simple/clever ways not
| much later.
| sweis wrote:
| NIST post-quantum standards resulted from an 8+ year process
| and public competition:
| https://csrc.nist.gov/projects/post-quantum-cryptography
| mrguyorama wrote:
| You can basically just make the numbers bigger. Quantum
| computers aren't magic, and are still limited in what and
| how they can process within normal informational theories.
| tux3 wrote:
| There were a lot of pqcrypto candidates, and several of
| them were indeed thoroughly broken, prey to the fearsome
| cryptanalyst's laptop left running over a weekend
|
| NIST standardized Kyber and Dilithium, and for now at
| least, they seem to be holding up. I'd still want to do
| hybrid (ECC+PQ) asymmetric crypto for the time being, but
| we're (slowly) starting to gain a modicum of confidence in
| the new standards, enough for deployment
| jmilosze wrote:
| It's already perfectly feasible to do. Meta/Apple etc. can just
| deploy a client that decrypts the message, scans it, re-
| encrypts (with a different key) and sends it to their storage
| where they can store it forever and decrypt if needed. This way
| they could even have different clients in different regions
| still being compatible. It's just that it would suck and would
| not be secure any more.
| JoshTriplett wrote:
| "abandons" seems overstated; "The UK government has conceded it
| will not use controversial powers" does not mean it doesn't claim
| to _have_ those powers based on the legislation.
| tomatocracy wrote:
| I wouldn't be surprised if this is a political attempt to stop
| the legislation being amended to remove the powers. I would
| hope that it fails.
| thinkingemote wrote:
| So it seems from the news that it was industry that forced this,
| but do we know how effective our campaigning and emails to MPs
| were? Or just some un-noteworthy political cog wheel action?
|
| How could we find out? Do the reasons get leaked unofficially
| usually?
| nonrandomstring wrote:
| Maybe don't over-rate the influence of the industry.
|
| The Conservative party's own members tore it to shreds.
|
| From:
| https://cybershow.uk/media/episodes/OSB1_r2_2023-08-27.mp3 *
|
| "The source of the bill itself, the UK Conservative Party, has
| a significant number of its own critics calling it
| "fundamentally misdesigned" David Davis said its well-
| intentioned attempts may constitute "the biggest accidental
| curtailment of free speech in modern history."
|
| (* sadly my other sincere comment has been buried by people who
| apparently can't read past the first line)
| midasuni wrote:
| David Davis is somewhat unusual - he actually resigned as MP
| to protest against an erosion of civil liberties (and stood
| on a civil liberty platform)
|
| Westminster will be a worse place when he goes, which I
| assume will be in next year's election.
| traceroute66 wrote:
| > do we know how effective our campaigning and emails to MPs
| were?
|
| Campaigning to your MP is and always has been a waste of time.
|
| In addition, the "safer" their seat, the more of a waste of
| space the MP is because they know their constituents would vote
| for a pig if the right coloured rosette were pinned to it.
|
| Most of the time they don't bother replying, and then if they
| do reply, you get a two-page party political broadcast,
| followed by a generic paragraph about "how they understand your
| concern blah blah blah" but never addressing the point at hand.
| ajb wrote:
| It's a little unclear, but my reading of this is that the power
| to do it will still be in the law, requiring at most secondary
| legislation to put into effect (perhaps not even that) if they
| think they ever have enough leverage over messaging providers, or
| are willing to spend the political capital. Not a great place to
| be in really, but better than it actually being deployed.
| makingstuffs wrote:
| I'd bet my life we start to see a massive influx of bad press
| aimed at messaging providers, focusing on how criminals are
| using their services, over the next few years.
|
| When the general sentiment of the average Dave is 'encryption
| === bad' this BS will rear its head again.
|
| Seems to have been the standard play for governments of this
| country for decades now.
| halJordan wrote:
| Yeah that was my reading as well. The legislation isn't being
| changed. The statement even says "We know you can develop [the
| methods to access], and we still have the authority to order
| it."
|
| The only relevant part from op is the govt acknowledging
| that 2+2 = 4. But it fails to acknowledge that if they want to
| get 5, they can still order the equation to be 3+2.
| nonrandomstring wrote:
| Through most of history government _always_ has the power,
| but the question is whether it has the legitimacy.
|
| In this case it has the legitimacy, but lacks the power.
|
| This is an unusual turn.
|
| We need online safety for kids. The aims of this bill should
| obtain widespread support from everyone.
|
| But instead of carefully researching and implementing
| difficult ideas, framing it properly and obtaining permission
| from the people - a remit to empower us to embrace online
| safety on our own terms - it's taken a strictly 20th Century
| "Mother knows best, think of the children" approach and made
| this a battle with Big Tech.
|
| It is laughably "Yes, Prime-Minister" in its clumsiness. We
| have anachronistic throwbacks in charge.
| whatshisface wrote:
| I already have a remit to embrace online safety on my own
| terms - I can install a local filtering system if I choose
| to.
| nonrandomstring wrote:
| Of course, but it's not terribly easy for the average
| person to put sophisticated filters into multiple content
| pipelines on every child's device (imagine having 4 or 5
| kids of different ages and needs).
|
| So a solution I think we brainstormed on the show was
| mandating open interoperable APIs that allow easy
| insertion of (presumably commercial or open source)
| plugins into the system, within the user's end-to-end
| digital estate, under the control of the user (parent)
| and completely rejecting the MITM and endpoint compromise
| via back-doors that the government naively proposed.
|
| In many ways that would take a much bigger stick to Big
| Tech.
|
| It also transitions the definition of "online harms" to
| those defined by the guardian/parent rather than
| problematically allowing the State to define harms and
| control the selectors.
|
| What that says to me is that the government are dishonest
| about the real aims of the bill.
|
| And further, as a consequence, it crushes my belief that
| the government even truly care about child safety except as
| a vehicle to greater tyranny.
| robertlagrant wrote:
| > on every child's device
|
| Devices only in public areas in the house. Dumbphones for
| emergencies.
| thereddaikon wrote:
| People might be more receptive if the UK government had
| shown any real intention of going after pedos before this.
| But the number of scandals and coverups indicate they don't.
| And this is little more than an excuse to make it easier to
| spy on their subjects.
| ChrisKnott wrote:
| This comment could only be made by someone who gets all
| their information second-hand from internet comments, and
| has never worked in child protection.
| generationP wrote:
| The UK has a recent history of sweeping child abuse under
| the rug when it involves minorities or famous
| personalities. See
| https://en.wikipedia.org/wiki/Rotherham_child_sexual_exploit...
| or
| https://en.wikipedia.org/wiki/Jimmy_Savile_sexual_abuse_scan...
| for two examples.
| Jigsy wrote:
| Online safety for kids begins at home. The problem is most
| parents are just too lazy.
| anonymous_sorry wrote:
| Or too busy? In plenty of families both parents have to
| work hard to make ends meet.
|
| Not helped by the fact that children are growing up in a
| completely different environment to the one their parents
| remember. Familiarizing myself with TikTok or whatever
| the kids are into these days would fill me with dread.
| And the way platforms work means my experience of them
| would differ dramatically from a child's anyway.
| merpnderp wrote:
| The real question is why did they want this? Is the UK suffering
| some giant crime wave or are the powers that be just really
| intent on making sure people are using Bad Think in their private
| chats?
| aaomidi wrote:
| "Eco terrorism" is on the rise.
|
| As we progress with climate change and climate disaster, it's
| clear that eco terrorism is going to be increasing. This has
| been especially highlighted in UK.
|
| I put it in quotes because honestly it's just fighting for
| survival at this point, but the ones in charge have decided to
| add the word terror to make it scarier.
| tomatocracy wrote:
| This bill (the Online Safety Bill) has a long and politically
| complicated history. It was originally motivated by the Cameron
| government's fairly limited desire to mandate that public WiFi
| had porn filters in place and then seems to have grown over
| many years to include a huge number of pet projects and power
| grabs from various career bureaucrats.
|
| I don't think politicians set out to do this but it's been
| around in some form or other in Whitehall for so long that
| there's no real responsibility anywhere and it was low priority
| enough that no one ever thought to properly kill it.
|
| It's very British in that sense.
| tempodox wrote:
| > the tech regulator would only require companies to scan their
| networks when a technology is developed that is capable of doing
| so.
|
| IOW, as soon as backdoors are implemented. And we only have to
| lose this battle once.
| codeptualize wrote:
| You see this time and time again, some initiative to "just
| introduce some backdoors, what could go wrong", and then it takes
| some time for people who understand what it actually means to
| convince them that it is in fact a really bad idea and it would
| be a giant disaster.
| javajosh wrote:
| Why ban e2ee when you could just pass a law giving LEO's the
| right to passively turn on any mic or camera or look through
| photos and messages on any smartphone at any time? I mean, how
| can they keep people safe without that access? Think of the
| children!
| mfDjB wrote:
| I wonder, where does this end? I do feel like nearly once a year
| some country in the western world tries to ban encryption. Can we
| just make it a right to encrypt communications and be done with
| this endless debate?
| arichard123 wrote:
| Their purposes have been served. Values have been signalled.
| Implementation was never going to be possible, which made it all
| the better a choice, as it means you don't have to actually do
| anything except blame tech companies when it doesn't happen. Job
| done.
| ascorbic wrote:
| The whole UK government is run via WhatsApp. The threat to
| withdraw service should have concentrated minds.
| hn_throwaway_99 wrote:
| This isn't true, is it? If so that's slightly terrifying.
| giobox wrote:
| I think it's increasingly true of several countries, not just
| the UK. Any State with strong Freedom of Information
| legislation not surprisingly creates incentives for certain
| political operatives to want to avoid exposure by use of
| unofficial channels further out of reach of FoI - private
| WhatsApp groups etc etc. I don't see this as any different
| than the instances of private email service mischief that has
| occurred in a lot of States too over the last decade
| (avoiding use of official email accounts for contentious
| discussions).
| midasuni wrote:
| The political communications are done with WhatsApp. This is
| illegal of course.
|
| There has been no discussion of the obvious national security
| risk.
|
| https://www.theguardian.com/law/2022/mar/22/uk-ministers-acc...
| amiga-workbench wrote:
| It's not completely untrue, there was a whole hoo-hah over
| getting Boris Johnson's WhatsApp messages. They use it to get
| around the requirement that official communications be logged
| and available for later scrutiny, much like a bank has to
| retain communications in case of an audit.
| gridspy wrote:
| Assuming that is true, it's amusing that the politicians
| are trying to strip communications privacy from the masses
| while desiring it themselves.
| afandian wrote:
| The rules don't apply to them.
|
| https://www.bbc.co.uk/news/uk-politics-66165001
| tailspin2019 wrote:
| It does seem to be slightly true
| Jigsy wrote:
| I'm not sure why people are assuming they've abandoned the idea.
| They've simply said it's not technically feasible.
|
| Which implies that later - through the power of delusions of
| grandeur - that it will become feasible.
| glitchc wrote:
| Not technically feasible is akin to abandonment in government
| circles.
|
| To revive this, they would have to find an expert to attest
| that it is technically feasible to have security with a
| backdoor that government can access, but at the same time is
| impossible for malicious entities to access.
|
| Ergo, this is technically dead, which is the best form of dead.
| orlp wrote:
| > To revive this, they would have to find an expert to attest
| that it is technically feasible to have security with a
| backdoor that government can access, but at the same time is
| impossible for malicious entities to access.
|
| > Ergo, this is technically dead, which is the best form of
| dead.
|
| Except it's not. There exist such cryptographic trapdoor
| constructions that are perfectly secure, if the government
| backdoor key is kept safe.
|
| The problem is keeping the government backdoor key safe. But
| that's not a literal impossible technical problem. It's much
| more a social problem.
|
| Don't get me wrong, I really, really wish what you said was
| true and we could kill this garbage forever by nature of
| technical argument. But it isn't, so we must keep fighting
| against it for the real reason: we simply don't want this.
| rightbyte wrote:
| Ye I find it somewhat amusing that sharing a private key
| with the government is technically impossible. I guess you
| could be philosophical about whether it is private though,
| in that case.
|
| Anyway, I am gladly surprised they seem to back off.
| glitchc wrote:
| Well, by definition if the key is to be used, and to be
| used more than once, it cannot be kept safe. The key has to
| go through multiple hands on its way from the senior
| government official responsible for its safekeeping to the
| peon assigned to unlock a specific phone at a specific
| point in time. It could be copied at any one of those
| points. No amount of technology or cryptography can solve
| the master key problem. The social problem is the technical
| problem, they aren't distinct.
| ChrisKnott wrote:
| Doesn't this problem exist throughout the tech industry
| though?
|
| Microsoft, Google, Apple etc are keeping the keys that
| allow you to push updates secret, aren't they?
| Jigsy wrote:
| > The problem is keeping the government backdoor key safe.
|
| Not a problem. Just change the locks every week. _[tapping
| head]_
| robertlagrant wrote:
| > Ergo, this is technically dead, which is the best form of
| dead.
|
| It's an older reference, sir, but it checks out.
| jjgreen wrote:
| This didn't even make the evening news, the Rolling Stones have a
| new album out!
| jiofj wrote:
| They announced a new album but it won't come out until late
| next month.
| disgruntledphd2 wrote:
| It made _my_ evening news as I subscribe to the FT.
| nonrandomstring wrote:
| I feel it can be said, without "conspiracy" or paranoia, that
| there's a widespread will to bury all activity around this
| bill.
|
| Government doesn't want it debated or scrutinised. Tech
| companies want it to go away. The media doesn't understand it
| and cannot communicate the issues. People are scared or too
| pre-polarised to take a position. It's been kicked into the
| long grass by 4 prime-ministers. Even mentioning here that it
| is complex and worth examining both sides gets one down-voted
| to hell (judging by my other comment).
| b800h wrote:
| That bit isn't as bad as the part that says you can't run an
| interactive service without age verification though....
| dmje wrote:
| This is the bit that is scaring me, as someone who manages
| websites for clients..
| greybox wrote:
| The government are denying the 'U-Turn' which of course, as
| always, confirms it :P
| https://www.bbc.com/news/technology-66716502
| nonrandomstring wrote:
| > No, Thursday's out. How about never -- is never good for you?
|
| Do please give this one a listen:
|
| https://cybershow.uk/media/episodes/OSB1_r2_2023-08-27.mp3
|
| The problem with this bill is that it's courageous in its aims
| and long overdue. It's something we strongly support. I am
| saddened at how it's been mishandled over the past 4 years.
|
| The tragedy is that it's been put together by people who clearly
| have absolutely no technical knowledge and are in the realms of
| perpetual motion machines and other "mind traps" that seem to
| short circuit reason and evidence. The proposed implementation is
| a feat of fantasy and wishful thinking.
|
| How could such a gulf emerge between good intent and practice?
|
| We really, really need competent government with advisors who are
| honest and neutral.
| toyg wrote:
| _> How could such a gulf emerge between good intent and
| practice?_
|
| Road to hell paved with good intentions - always has been.
|
| To be honest, I don't think it could have gone any differently.
| It's an eminently hard thing to achieve: we want everyone to be
| free on the internet, but we also want "bad guys" not to be,
| and you can't really disjoint the two sets of people.
| nonrandomstring wrote:
| I agree on the intractability of the problem. But could it
| have gone differently?
|
| I'd like to think so.
|
| How could it have gone differently?
|
| Sincerity and honesty from the get-go. Using science and
| mathematics?
|
| It is the deceit and self-deceit, the avoidance of difficult
| questions that has marred this bill from the start.
|
| Ambitious social aims need backing up with outstanding
| technical competence, in computing, law, social sciences....
|
| That didn't happen. Ignoring the advice of experts has been
| business as usual for our government, at least since Covid.
| kelseyfrog wrote:
| It's very easy to protect kids online - simply don't allow them
| online. Banning children from the internet violates fewer
| people's rights (the number of children) than violating
| everyone's right to privacy (the total population: adults +
| children).
|
| The podcast makes an unsubstantiated and unexamined assumption:
| kids must be online. A cursory glance reveals that they in fact
| do not.
| nonrandomstring wrote:
| > The podcast makes an unsubstantiated and unexamined
| assumption: kids must be online.
|
| You haven't listened to a single word of it have you?
|
| https://soundcloud.com/chrismorrisbits/peter-ohanraha-hanrah...
|
| It says precisely the opposite.
| kelseyfrog wrote:
| The podcast starts with a kid interviewing parents who
| unanimously support the bill, calling it brilliant.
|
| If the podcast wants to say the thing, they should say the
| thing rather than its opposite.
| nonrandomstring wrote:
| I'm sorry you felt tricked by that dramatic device.
|
| Perhaps listen to the _end_ of the podcast to get closure.
| jamiek88 wrote:
| Interesting critique considering the podcast says the exact
| opposite.
___________________________________________________________________
(page generated 2023-09-06 20:00 UTC)