
Decrypting Amber Rudd - tolien
https://ar.al/notes/decrypting-amber-rudd/
======
azurelogic
I'm by no means going to support government attempts to ban encryption, but
assuming 100% virtuous purposes (e.g.: counter-terrorism efforts), I can
understand why they think this will work. I mean, they think that passing laws
on guns and drugs will stop those things.

The fundamental problem is that the government and the public do not
understand that powerful encryption will exist forever now. The cat is out of
the bag, and the bag has disintegrated. You can't ban the ideas, and you can't
stop them from being implemented in the shadows. Even worse for them, there's
nothing physical to find. You can't train a dog to sniff out encrypted data.
Banning it now only hurts honest uses, like protecting financial transactions
and medical records.

~~~
knodi123
> You can't train a dog to sniff out encrypted data

?? But you can easily train a computer to. I mean, it's expensive as hell, but
if all encryption is either back-doored, banned, or weaker than a newspaper
cryptogram, then yeah... sure. Encrypted data is easy to find - it's the data
you can't read.

~~~
arghwhat
No you can't.

The data you can't read is not only encrypted data. Most unencrypted data will
be data you can't read, due to there being absurd amounts of file formats and
protocols. How do you intend to be able to validate that the content of all,
say, CAD and 3D model files is not malicious? How will you deal with new
codecs? New network protocols?

Encrypted data is, unless the protocol is severely broken, almost
indistinguishable from random data, which without context and knowledge of all
file formats and protocols in the world, is indistinguishable from most real,
unencrypted data. And not only that, you can hide information in almost any
data type. Encrypted content can be hidden in a perfectly normal looking
picture or video just fine. Look up steganography.

Encrypted communication cannot be detected in any sane manner.

~~~
knodi123
> Most unencrypted data will be data you can't read, due to there being absurd
> amounts of file formats and protocols

Well I sure couldn't read it, but the NSA could.

> How will you deal with new codecs? New network protocols?

With a massive staff and constant influx of money. I did say it would be
expensive. Still, I think it's within the reach of state-level actors.

> Encrypted data is, unless the protocol is severely broken, almost
> indistinguishable from random data, which without context and knowledge of
> all file formats and protocols in the world, is indistinguishable from most
> real, unencrypted data.

Sure- context is a critical tool. I don't know why you stipulated "without
context", though.

> Encrypted content can be hidden in a perfectly normal looking picture or
> video just fine. Look up steganography.

UNencrypted data can be hidden in the same way. I know what steganography is,
and sure, the art of hiding data is a great way to hide data. Separate issue,
though.

> Encrypted communication cannot be detected in any sane manner.

I think the facilities and manpower for detecting unauthorized use of
encryption would indeed be insane, from several perspectives. And it would
require a bunch of legislative support, too. But WITH legislative support,
mandated back doors, ISPs that are cooperative, shitloads of manpower and
money.... Yeah, I think it would be possible to detect encrypted traffic.
Could a person who hadn't already attracted the attention of the "agencies"
choose to hide small amounts of data in an innocuous file? Sure, but they
could glue an SD card to a homing pigeon, too. I'm thinking more of PGP, SSL,
VPNs, WhatsApp and the like.

~~~
arghwhat
No amount of staff will be able to predict file formats and protocols before
they are designed, and unless file formats and protocols are permitted prior
to being "understood" by this hypothetical internet filtering agency, then no
new formats or protocols can be formed, or even updated. However, permitting
them prior to being understood also mean that arbitrary traffic will be
permitted, as long as the formats and protocols mutate faster than they are
implemented by the bad guys (the state-level actors you describe).

The only scenario where I can think of a setup where a filtering agency would
be able to block "dangerous content", while still permitting legit use, would
be one where each and every file format and protocol creation/update would
require applying for a permit to the respective agencies in every country
where the format is to be used. The absurd bureaucracy this would entail, such
as the time it takes for the agency to write some form of verification, would
kill most, if not all, innovation. The only innovation I could imagine still
living in such an environment would be circumvention efforts.

Furthermore, steganography is not a separate issue. In the hypothetical
scenario where this is both possible and the resources for this exercise are
present, the entire exercise becomes moot once you realize that you can encode
anything as a jpeg or video file with a minimal overhead. Applications would
just all implement protocols that exchange JPEG's or MP4's with a small
overhead, leading to no traffic being stopped as "unreadable".

And before you ask: Detecting such measures is not possible in the general
case.

------
bengillies
While I agree that what the UK government is trying to do is dangerous, wrong
and ultimately won't help all that much anyway, this article is so full of
hyperbole, bluster and FUD that, even though I know and understand most of the
issues, it's honestly hard to take much of it seriously.

I expect exaggeration from Rudd and I expect her to misunderstand how certain
things (i.e. encryption and the internet) really work because a) she's a
politician b) she's not an encryption expert (that's what advisors are for). I
don't really expect the same thing from people should be trying to counter her
arguments with facts, explanation and alternative ideas though.

~~~
blub
Well, I can't say that there's anything obviously wrong with the article.

You should be fearful, uncertain and full of doubt about privacy and democracy
if you live in the UK. And those companies really are farming people's data
and doing whatever the heck they want with it. And removing the people's
access to private communication in the digital age is both stupid and evil.

There's no bluster and hyperbole, just the sad reality.

~~~
24gttghh
This doesn't seem to get suggested very often, or ever, but maybe we need to
keep protesting these developments, and boycott these companies/services who
collude with the government to erode our civil liberties. Nobody _has to_
login to facebook, at least not yet...It's only going to get more difficult.

------
andy_ppp
Does anyone ever wonder which school these people go to to be trained in such
a duplicitous way of thinking or do they really believe they are protecting
everyone from the terrorists? As the article clearly demonstrates, Amber Rudd
conflates the need to monitor and remove _public_ information with the need to
monitor everyone's _private_ information.

This sort of "tough love" probably plays well politically with most of the
population, who can't really think of a reason they'd like their privacy
protected.

I really can't get my head around why all politicians (across the world right
now really) converge on the same draconian policies.

~~~
garaetjjte
chapter 5 might be interesting: (whole book is interesting, but it is mainly
focused on followers, not leaders)
[http://theauthoritarians.org/Downloads/TheAuthoritarians.pdf](http://theauthoritarians.org/Downloads/TheAuthoritarians.pdf)

~~~
andy_ppp
Really interesting read, thanks!

------
saimiam
I fucking hate everything about the way the world is trending. We need a
proper grassroots revolution which throws these idiot ministers in prison for
crimes against humanity.

~~~
satori99
As depressing as it may be, I don't really see a way out. The genie is out of
the bottle now and any successful revolutionaries will also have an
overwhelming urge to use this technology to cement their power.

Benevolent AIs may be an outside possibility. Otherwise, short of nuking
ourselves back to the stone age, I think total surveillance societies are here
to stay.

~~~
saimiam
The revolution could be to get off the internet or to use it only for cat
videos, go back to using cash, reconnect with local friends only etc etc

~~~
icebraining
CCTV coverage is already high in London, and increasing everywhere.
Recognition software (not just facial) is getting quite good.

Cash can mostly be tracked unless you just trade with black/grey market
sellers. Adding RFID to notes and mandating readers on cash registers would
already be feasible.

Home devices (TVs, DVRs, even fridges[1]) increasingly have microphones and
other sensors, so it'll be hard to be sure you're not being recorded even when
talking to friends in their living room.

[1]
[http://www.popularmechanics.com/technology/gadgets/a24616/sa...](http://www.popularmechanics.com/technology/gadgets/a24616/samsung-
family-hub-2-voice-controlled-fridge/)

~~~
saimiam
Like the story of the 40 thieves, maybe the answer is to hide in plain sight.
Throw so much data at them that they can't meaningfully process all of it.
Fuck! This subthread is making me angry/ier.

~~~
nobodyorother
[https://duckduckgo.com/?q=ICCNCIDC](https://duckduckgo.com/?q=ICCNCIDC)

------
sspiff
> Facebook, Microsoft, Twitter, and YouTube (Google/Alphabet, Inc) have formed
> the Global Internet Forum to Counter Terrorism and Amber Rudd is asking them
> to quietly drop end-to-end encryption from their products. You should not
> believe a single word any of those companies tells you about end-to-end
> encryption or privacy on their platforms ever again.

and

> she reveals that she has created the Global Internet Forum to Counter
> Terrorism with Facebook, Microsoft, Twitter and YouTube (Google/Alphabet,
> Inc.) and asked them to remove end-to-end encryption from their products
> (remember that Facebook makes WhatsApp) without telling anyone.

This wording implies that these big tech companies would silently, without
anyone noticing, drop or compromise their E2E encryption. Is this something
they could do? I'd expect such a change to be noticeable in both the clients
they distribute and the network traffic they generate by people in the infosec
industry.

Can anyone with a deeper understanding of the matter chime in?

~~~
FungalRaincloud
It's plausible that they could just compromise the security, intentionally,
without telling anyone (and without anyone being able to easily tell).

I think what's more likely, at least in the case of WhatsApp, is that they
would just not make an announcement when they remove E2E encryption entirely.
The security community would certainly complain, and long-term, the traffic
they are currently getting from parties of any interest would move somewhere
else. But in the short term, it would compromise the security of a substantial
number of their target users. It's plausible that, without a public
announcement, many 'nefarious' users would continue to use it for a few
months.

~~~
rocqua
I'm more worried about a trigger-able mode of whatsapp that silently disables
E2E encryption on a specific phone. The only way to figure this out is to
catch the app in the act.

It seems possible that WhatsApp could be persuaded by the government to
implement such technology.

~~~
FungalRaincloud
Something that does concern me about WhatsApp is that backups of messages (by
default, it seems, put on Google Drive on Android) are not encrypted. I'm not
really sure why. There's not a compelling reason that I can think of.

------
vixen99
"You’re more at risk dying from falling out of bed than you are from
terrorism?". I have no argument with the rest of the piece but this (true)
statistic is an irrelevance given that there are terrorists who had they
possession of nuclear options (literal or otherwise) would not hesitate to use
them (planned with or without electronic communication). In this context,
assessing risks like this is fatuous given the absence of required
information. That doesn't mean that an insurance company might not perform the
calculation for an individual but they have different goals from government.

~~~
tolien
While it's a relevant point, the risk (in a probability * cost sense, to
address your point about terrorists using a nuclear/radiological weapon were
one available) of terrorism has to be addressed somehow or you're cherry
picking one from a number of extremely rare but potentially catastrophic
events to worry about. We're not spending trillions of dollars and thousands
of lives on a War on Giant Asteroids, for example.

~~~
nobodyorother
The War on Giant Asteroids is unwinnable. That's why we should instead fund
the War on Giant Asteroids Piloted by Dinosaurs. We kicked their asses 6,000
years ago, we can do it again!

------
james1071
So, is she threatening or bribing the tech companies? Otherwise, I can't see
why they would take any notice.

~~~
richmarr
My guess is that she's arse-covering. She wants to be seen 'doing something'
and so that if there's an incident she can then point and say "I told them but
they didn't listen"

------
DanLM
Unfortunately, since there are more people who don't have a grasp on the
ramifications of what she's proposing that those that do, there'll be more
people that buy into this dangerous spin, than those that don't. She'll pull
it off, just like the Snooper's Charter.

~~~
JBReefer
I honestly don't think so, the UK isn't important enough globally for WhatsApp
to risk losing everything - look at what happened with them in Brazil, which
is a larger WhatsApp market by a good bit.

A lot of this stuff feels like a vindication of how Indians make fun of Brits:
foot stamping, bureaucratic, and out of touch with a world that has largely
passed them by.

~~~
rapsey
> A lot of this stuff feels like a vindication of how Indians make fun of
> Brits: foot stamping, bureaucratic, and out of touch with a world that has
> largely passed them by.

If there ever was bigger case of people in glass houses should not throw
stones, I've yet to see it.

------
iamthepieman
How do I "stock up" on strong encryption in anticipation of it being banned
eventually? Should I buy routers and hardware with strong hardware level
encryption in them? Should I acquire and backup the software (vpn, public key
toolchains etc)?

------
rajadigopula
Decryption of common people's ideas/thoughts is only the first step of
moderating them by the govt. in future! Terrorism is an easy & irrefutable
excuse.

------
throwawaymanbot
Its yet another Home Secretary being (to put it very very politely) extremely
disingenuous with the UK public. It would be laughable if it wasnt so sad.

------
throwawaymanbot
I agree with the articles author. Things conveniently "slip through the net"
always, even when the perpetrator was "known to the authorities" and they
think the answer to this is not fixing whats wrong with the Brit Security
Services but increasing surveillance on EVERYBODY? Something stinks, it does
not make proportionate sense.

As an example, Drunk Drivers kill more people per year than terrorism, But no
one in the UK talks about surveilling everyone to prevent drink driving.

