[HN Gopher] U.K. abandons, for now, legislation that would have ... ___________________________________________________________________ U.K. abandons, for now, legislation that would have banned end-to- end encryption Author : alwillis Score : 321 points Date : 2023-09-06 17:28 UTC (2 hours ago) (HTM) web link (daringfireball.net) (TXT) w3m dump (daringfireball.net) | phoe-krk wrote: | _> The UK government has conceded it will not use controversial | powers in the online safety bill to scan messaging apps for | harmful content until it is "technically feasible" to do so | (...)_ | | That would be waiting for a quantum computer and quietly hoping | that a) nobody develops a strong enough post-quantum scheme and | b) there is still civilization after RSA and ECC are broken? | Correct me if I'm wrong. | monero-xmr wrote: | Quantum computing doesn't matter. Nothing in the universe can | break a one time pad. | maxbond wrote: | Is quantum computing relevant to symmetric encryption like | OTP? GP was talking about asymmetric encryption. My limited | understanding is that quantum computing is a threat to | asymmetric encryption. | | There's also the question of, if you can distribute a key | which is at least the same size as your message over a secure | channel - why not just distribute your message over that | channel in the first place? | karmanyaahm wrote: | > why not just distribute your message over that channel in | the first place | | Latency? You can hand deliver a password ahead of time, but | not messages. | ianburrell wrote: | One-time pad isn't a password. It is a flash drive or | hard drive full of random bits. | InitialLastName wrote: | The difference between those is just one of scale and | storage. | | You still have to reliably move a chunk of out-of-band | information in a way such that it gets to (and only gets | to) the person you want to have it. | ianburrell wrote: | The difference between one-time pad and stream cipher is | provable, absolute secrecy, and really good secrecy. If | don't care about that, there is zero point to one-time | pad. | | Also, it isn't just a "chunk", for one-time pad it has to | be the same length as the messages. Which is fine if just | short messages but a lot harder if lots of data. | | If can exchange lots of data, better off using them as | keys for stream cipher. | hgomersall wrote: | Because with QKD you can distribute a random key knowing | that there were no observers but you cannot distribute a | message with the same guarantees. Specifically, any given | bit exchanged might be observed, but that is detectable so | the bit can be discarded. | | I read some years ago about a non quantum technique to | achieve the same based on (I think) noise in a coupled | electronic system. I wonder if that has been tested | further. | aetherson wrote: | One-time pads are obviously not a serious widespread | cryptography proposal. | | But the question of, "Why not just send the message instead | of the pad" is pretty straightforward: when you have the | opportunity to safely deliver the pad, you don't know what | the message will be. When you do know what the message will | be, you don't have the opportunity to safely deliver the | pad. | numpad0 wrote: | But quantum computing can put the ciphertext in a quantum | superposition between solved and unsolved state. Only problem | to remain will be simple matter of determining what the | plaintext is to be. | grotorea wrote: | Doing some armchair navel gazing cryptanalysis, but isn't | that only true if you assume the OTP has access to true | randomness? What if the attacker breaks your CSPRNG? Or what | if the universe is deterministic and therefore a true RNG is | impossible? | maxbond wrote: | Similarly relaxing in my armchair, a deterministic universe | is compatible with a CSPRNG as long as the information | required to recover it's internal state is too diffuse to | recover, or is outside the light cone of your adversary. | | Eg, rolling a dice is deterministic, and I imagine an | algorithm exists that could recover the value of a dice | throw from a recording of the sound of it rolling and it's | initial position. But once that sound has turned into heat, | and that heat has conducted itself about the walls and into | the air, I don't think it's possible to recover the sound. | | See also: | | "Is flipping a coin random?" (Numberphile) | | https://www.youtube.com/watch?v=AYnJv68T3MM [8m] | jamiek88 wrote: | It's possible. As in physics says it can be done. But it | isn't technically feasible, probably ever. | | There's nothing in the laws of physics that prohibits us | turning burned paper smoke back into a document and | recover the information. | maxbond wrote: | I'm not sure physics really does say that. Physicists | seem to believe that information is never lost - but that | doesn't mean the information can be _retrieved_. If it 's | in a fragile state, then the act of measuring it might | change it. Eg an electron has both a position and a | momentum, but that doesn't mean you can measure it's | velocity. | | When you burn a document, all the matter might be | transferred into the smoke, but you've rendered it into a | stream of particles which is small enough to be effected | by Brownian motion. Reversing the process (figuring out | the initial position of each soot particle) involves | knowing the position and momentum of the air molecules | impacting the soot particles. In principle, you could | take the current position and momentum of those particles | and extrapolate backwards - but you can't actually | measure that, not even in theory. | macawfish wrote: | Underappreciated fact | contact9879 wrote: | Once again, every cryptographic problem reduces to a key | distribution problem :) | phoe-krk wrote: | And nothing in the post-quantum universe seems to reliably | solve the problem of transmitting a one-time pad. | toyg wrote: | Oh no. That "technically feasible" translates to "when the | government will be able to pass the practical parts of this | legislation without too many people asking too many questions". | [deleted] | xkcd-sucks wrote: | "I promise I will not stab you until I acquire a knife" | paxys wrote: | "Strong enough post-quantum schemes" already exist, and every | single mainstream communications platform will update to become | quantum-proof overnight if/when quantum computers approach that | level of capability. Quantum computers cracking encryption is | really not a concern on anyone's mind, at least no more than, | say, modern processors cracking SHA-1 etc. | phoe-krk wrote: | TIL! Which ones? I've only seen ones that were proclaimed to | be secure, only to be broken in some simple/clever ways not | much later. | sweis wrote: | NIST post-quantum standards resulted from a 8+ year process | and public competition: | https://csrc.nist.gov/projects/post-quantum-cryptography | mrguyorama wrote: | You can basically just make the numbers bigger. Quantum | computers aren't magic, and are still limited in what and | how they can process within normal informational theories. | tux3 wrote: | There were a lot of pqcrypto candidates, and several of | them were indeed thoroughly broken, prey to the fearsome | cryptanalyst's laptop left running over a weekend | | NIST standardized Kyber and Dilithium, and for now at | least, they seem to be holding up. I'd still want to do | hybrid (ECC+PQ) asymmetric crypto for the time being, but | we're (slowly) starting to gain a modicum of confidence in | the new standards, enough for deployment | jmilosze wrote: | It's already perfectly feasible to do. Meta/Apple etc. can just | deploy a client that decrypts the message, scans it, re- | encrypts (with a different key) and sends it to their storage | where they can store it forever and decrypt if needed. This way | they could even have different clients in different regions | still being compatible. It's just that it would suck and would | not be secure any more. | JoshTriplett wrote: | "abandons" seems overstated; "The UK government has conceded it | will not use controversial powers" does not mean it doesn't claim | to _have_ those powers based on the legislation. | [deleted] | tomatocracy wrote: | I wouldn't be surprised if this is a political attempt to stop | the legislation being amended to remove the powers. I would | hope that it fails. | thinkingemote wrote: | So it seems from the news that it was industry that forced this, | but do we know how effective our campaigning and emails to MPs | were? Or just some un-noteworthy political cog wheel action? | | How could we find out? Do the reasons get leaked unofficially | usually? | nonrandomstring wrote: | Maybe don't over-rate the influence of the industry. | | The Conservative party's own members tore it to shreds. | | From: | https://cybershow.uk/media/episodes/OSB1_r2_2023-08-27.mp3 * | | "The source of the bill itself, the UK Conservative Party, has | a significant number of its own critics calling it | "fundamentally misdesigned" David Davis said its well- | intentioned attempts may constitute "the biggest accidental | curtailment of free speech in modern history." | | (* sadly my other sincere comment has been buried by people who | apparently can't read past the first line) | midasuni wrote: | David Davis is somewhat unusual - he actually resigned as MP | to protest against an erosion of civil liberties (and stood | on a civil liberty platform) | | Westminster will be a worse place when he goes, which I | assume will be in next year's election. | traceroute66 wrote: | > do we know how effective our campaigning and emails to MPs | were? | | Campaigning to your MP is and always has been a waste of time. | | In addition, the "safer" their seat, the more of a waste of | space the MP is because they know their constituents would vote | for a pig if the right coloured rosette pinned to it. | | Most of the time they don't bother replying, and then if they | do reply, you get a two-page party political broadcast, | followed by a generic paragraph about "how they understand your | concern blah blah blah" but never addressing the point at hand. | ajb wrote: | It's a little unclear, but my reading of this is that the power | to do it will still be in the law, requiring at most secondary | legislation to put into effect (perhaps not even that) if they | think they ever have enough leverage over messaging providers, or | are willing to spend the political capital. Not a great place to | be in really, but better than it actually being deployed. | makingstuffs wrote: | I'd bet my life we start to see a massive influx of bad press | aimed at messaging providers, focusing on how criminals are | using their services, over the next few years. | | When the general sentiment of the average Dave is 'encryption | === bad' this BS will rear its head again. | | Seems to have been the standard play for governments of this | country for decades now. | b59831 wrote: | [dead] | halJordan wrote: | Yeah that was my reading as well. The legislation isn't being | changed. The statement even says "We know you can develop [the | methods to access], and we still have the authority to order | it." | | The only relevant part of from op is the govt acknowledging | that 2+2 = 4. But it fails to acknowledge that if they want to | get 5, they can still order the equation to be 3+2. | nonrandomstring wrote: | Through most of history government _always_ has the power, | but the question is whether it has the legitimacy. | | In this case it has the legitimacy, but lacks the power. | | This is an unusual turn. | | We need online safety for kids. The aims of this bill should | obtain widespread support from everyone. | | But instead of carefully researching and implementing | difficult ideas, framing it properly and obtaining permission | from the people - a remit to empower us to embrace online | safety on our own terms - it's taken a strictly 20th Century | "Mother knows best, think of the children" approach and made | this a battle with Big Tech. | | It is laughably "Yes, Prime-Minister" in its clumsiness. We | have anachronistic throwbacks in charge. | whatshisface wrote: | I already have a remit to embrace online safety on my own | terms - I can install a local filtering system if I choose | to. | nonrandomstring wrote: | Of curse, but it's not terribly easy for the average | person to put sophisticated filters into multiple content | pipelines on every child's device (imagine having 4 or 5 | kids of different ages and needs). | | So a solution I think we brainstormed on the show was | mandating open interoperable APIs that allow easy | insertion of (presumably commercial or open source) | plugins into the system, within the user's end-to-end | digital estate, under the control of the user (parent) | and completely rejecting the MITM and endpoint compromise | via back-doors that the government naively proposed. | | In many ways that would take a much bigger stick to Big | Tech, | | It also transitions the definition of "online harms" to | those defined by the guardian/parent rather than | problematically allowing the State to define harms and | control the selectors. | | What that says to me is that the government are dishonest | about the real aims of the bill. | | And further, as a consequence, it crushes my belief that | the government even truly care out child safety except as | a vehicle to greater tyranny. | robertlagrant wrote: | > on every child's device | | Devices only in public areas in the house. Dumbphones for | emergencies. | thereddaikon wrote: | People might be more receptive if the UK government had | shown any real intention of going after pedos before this. | But the number of scandals and coverups indicate they dont. | And this is little more than an excuse to make it easier to | spy on their subjects. | ChrisKnott wrote: | This comment could only be made by someone who gets all | their information second-hand from internet comments, and | has never worked in child protection. | generationP wrote: | The UK has a recent history of sweeping child abuse under | the rug when it involves minorities or famous | personalities. See https://en.wikipedia.org/wiki/Rotherha | m_child_sexual_exploit... or https://en.wikipedia.org/wik | i/Jimmy_Savile_sexual_abuse_scan... for two examples. | Jigsy wrote: | Online safety for kids begins at home. The problem is most | parents are just too lazy. | anonymous_sorry wrote: | Or too busy? In plenty of families both parents have to | work hard to make ends meet. | | Not helped by the fact that children are growing up in a | completely different environment to the one their parents | remember. Familiarizing myself with TikTok or whatever | the kids are into these days would fill me with dread. | And the way platforms work means my experience of them | would differ dramatically from a child's anyway. | merpnderp wrote: | The real question is why did they want this? Is the UK suffering | some giant crime wave or are the powers that be just really | intent on making sure people are using Bad Think in their private | chats? | aaomidi wrote: | "Eco terrorism" is on the rise. | | As we progress with climate change and climate disaster, it's | clear that eco terrorism is going to be increasing. This has | been especially highlighted in UK. | | I put it in quotes because honestly it's just fighting for | survival at this point, but the ones in charge have decided to | add the word terror to make it scarier. | tomatocracy wrote: | This bill (the Online Safety Bill) has a long and politically | complicated history. It was originally motivated by the Cameron | government's fairly limited desire to mandate that public WiFi | had porn filters in place and then seems to have grown over | many years to include a huge number of pet projects and power | grabs from various career bureaucrats. | | I don't think politicians set out to do this but it's been | around in some form or other in Whitehall for so long that | there's no real responsibility anywhere and it was low priority | enough that noone ever thought to properly kill it. | | It's very British in that sense. | tempodox wrote: | > the tech regulator would only require companies to scan their | networks when a technology is developed that is capable of doing | so. | | IOW, as soon as backdoors are implemented. And we only have to | lose this battle once. | codeptualize wrote: | You see this time and time again, some initiative to "just | introduce some backdoors, what could go wrong", and then it takes | some time for people who understand what it actually means to | convince them that it is in fact a really bad idea and it would | be a giant disaster. | javajosh wrote: | Why ban e2ee when you could just pass a law giving LEO's the | right to passively turn on any mic or camera or look through | photos and messages on any smartphone at any time? I mean, how | can they keep people safe without that access? Think of the | children! | mfDjB wrote: | I wonder where does this end? I do feel like nearly once a year | some country in western world tries to ban encryption. Can we | just make it a right to encrypt communications and be done with | this endless debate? | arichard123 wrote: | Their purposes have been served. Values have been signalled. | Implementation was never going to be possible, which made it all | the better a choice, as it means you don't have to actually do | anything except blame tech companies when it doesn't happen. Job | done. | ascorbic wrote: | The whole UK government is run via WhatsApp. The threat to | withdraw service should have concentrated minds. | hn_throwaway_99 wrote: | This isn't true, is it? If so that's slightly terrifying. | giobox wrote: | I think its increasingly true of several countries, not just | the UK. Any State with strong Freedom of Information | legislation not surprisingly creates incentives for certain | political operatives to want to avoid exposure by use of | unofficial channels further out of reach of FoI - private | WhatsApp groups etc etc. I don't see this as any different | than the instances of private email service mischief that has | occurred in a lot of States too over the last decade | (avoiding use of official email accounts for contentious | discussions). | midasuni wrote: | The political communications are done with WhatsApp. This is | illegal of course. | | There has been no discussion of the obvious national security | risk. | | https://www.theguardian.com/law/2022/mar/22/uk-ministers- | acc... | amiga-workbench wrote: | It's not completely untrue, there was a whole hoo-hah over | getting Boris Johnsons WhatsApp messages. They use it to get | around the requirement that official communications be logged | and available for later scrutiny, much like a bank has to | retain communications in case of an audit. | gridspy wrote: | Assuming that is true, it's amusing that the politicians | are trying to strip communications privacy from the masses | while desiring it themselves. | afandian wrote: | The rules don't apply to them. | | https://www.bbc.co.uk/news/uk-politics-66165001 | tailspin2019 wrote: | It does seem to be slightly true | Jigsy wrote: | I'm not sure why people are assuming they've abandoned the idea. | They've simply said it's not technically feasible. | | Which implies that later - through the power of delusions of | grandeur - that it will become feasible. | glitchc wrote: | Not technically feasible is akin to abandonment in government | circles. | | To revive this, they would have to find an expert to attest | that it is technically feasible to have security with a | backdoor that government can access, but at the same time is | impossible for malicious entities to access. | | Ergo, this is technically dead, which is the best form of dead. | orlp wrote: | > To revive this, they would have to find an expert to attest | that it is technically feasible to have security with a | backdoor that government can access, but at the same time is | impossible for malicious entities to access. | | > Ergo, this is technically dead, which is the best form of | dead. | | Except it's not. There exist such cryptographic trapdoor | constructions that are perfectly secure, if the government | backdoor key is kept safe. | | The problem is keeping the government backdoor key safe. But | that's not a literal impossible technical problem. It's much | more a social problem. | | Don't get me wrong, I really, really wish what you said was | true and we could kill this garbage forever by nature of | technical argument. But it isn't, so we must keep fighting | against it for the real reason: we simply don't want this. | rightbyte wrote: | Ye I find it somewhat amusing that sharing a private key | with the government is technically impossible. I guess you | could be philosophical about whether it is private though, | in that case. | | Anyway, I am gladly surprised they seem to back off. | glitchc wrote: | well, by definition if the key is to be used, and to be | used more than once, it cannot be kept safe. The key has to | go through multiple hands on its way from the senior | government official responsible for its safekeeping to the | peon assigned to unlock a specific phone at a specific | point in time. It could be copied at any one of those | points. No amount of technology or cryptography can solve | the master key problem. The social problem is the technical | problem, they aren't distinct. | ChrisKnott wrote: | Doesn't this problem exist throughout the tech industry | though? | | Microsoft, Google, Apple etc are keeping the keys that | allow you to push updates secret, aren't they? | Jigsy wrote: | > The problem is keeping the government backdoor key safe. | | Not a problem. Just change the locks every week. _[tapping | head]_ | robertlagrant wrote: | > Ergo, this is technically dead, which is the best form of | dead. | | It's an older reference, sir, but it checks out. | jjgreen wrote: | This didn't even make the evening news, the Rolling Stones have a | new album out! | jiofj wrote: | They announced a new album but it won't come out until late | next month. | disgruntledphd2 wrote: | It made _my_ evening news as I subscribe to the FT. | nonrandomstring wrote: | I feel it can be said, without "conspiracy" or paranoia, that | there's a widespread will to bury all activity around this | bill. | | Government doesn't want it debated or scrutinised. Tech | companies want it to go away. The media doesn't understand it | and cannot communicate the issues. People are scared or too | pre-polarised to take a position. It's been kicked into the | long grass by 4 prime-ministers. Even mentioning here that it | is complex and worth examining both sides gets one down-voted | to hell (judging by my other comment). | b800h wrote: | That bit isn't as bad as the part that says you can't run an | interactive service without age verification though.... | dmje wrote: | This is the bit that is scaring me, as someone who manages | website for clients.. | greybox wrote: | The government are denying the 'U-Turn' which of course, as | always, confirms it :P | https://www.bbc.com/news/technology-66716502 | nonrandomstring wrote: | > No, Thursday's out. How about never -- is never good for you? | | Do please give this one a listen: | | https://cybershow.uk/media/episodes/OSB1_r2_2023-08-27.mp3 | | The problem with this bill is that it's courageous in its aims | and long overdue. It's something we strongly support. I am | saddened at how it's been mishandled over the past 4 years. | | The tragedy is that it's been put together by people who clearly | have absolutely no technical knowledge and are in the realms of | perpetual motion machines and other "mind traps" that seem to | short circuit reason and evidence. The proposed implementation is | a feat of fantasy and wishful thinking. | | How could such a gulf emerge between good intent and practice? | | We really, really need competent government with advisors who are | honest and neutral. | toyg wrote: | _> How could such a gulf emerge between good intent and | practice?_ | | Road to hell paved with good intentions - always has been. | | To be honest, I don't think it could have gone any differently. | It's an eminently hard thing to achieve: we want everyone to be | free on the internet, but we also want "bad guys" not to be, | and you can't really disjoint the two sets of people. | nonrandomstring wrote: | I agree on the intractability of the problem. But could it | have gone differently? | | I'd like to think so. | | How could it have gone differently? | | Sincerity and honesty from the get-go. Using science and | mathematics? | | It is the deceit and self-deceit, the avoidance of difficult | questions that has marred this bill from the start. | | Ambitious social aims need backing up with outstanding | technical competence, in computing, law, social sciences.... | | That didn't happen. Ignoring the advice of experts has been | business as usual for our government, at least since Covid. | kelseyfrog wrote: | It's very easy to protect kids online - simply don't allow them | online. Banning children from the internet violates fewer | people's rights(the number of children) than violating | everyone's right to privacy(the total population: adults + | children). | | The podcast makes a unsubstantiated and unexamined assumption: | kids must be online. A cursory glance reveals that they in fact | do not. | nonrandomstring wrote: | > The podcast makes a unsubstantiated and unexamined | assumption: kids > must be online. | | You haven't listened to a single word of it have you? | | https://soundcloud.com/chrismorrisbits/peter-ohanraha- | hanrah... | | It says precisely the opposite. | kelseyfrog wrote: | The podcast starts with a kid interviewing parents who | unanimously support the bill, calling it brilliant. | | If the podcast wants to say the thing, they should say the | thing rather than its opposite. | nonrandomstring wrote: | I'm sorry you felt tricked by that dramatic device. | | Perhaps listen to _end_ of the podcast to get closure. | jamiek88 wrote: | Interesting critique considering the podcast says the exact | opposite. | [deleted] ___________________________________________________________________ (page generated 2023-09-06 20:00 UTC)