
UK surveillance bill includes powers to limit end-to-end encryption - wjh_
https://techcrunch.com/2016/07/15/uk-surveillance-bill-includes-powers-to-limit-end-to-end-encryption/
======
tetrep
I think this same logic that is purportedly the reasoning behind this bill
would also require us to constantly record all of our vocal communications, as
that would be the only way we could ensure that criminals could not have
communications that aren't accessible to law enforcement.

This, of course, would require microphones on all citizens as well as many
more in the surrounding environment, to ensure communications of unwilling
citizens can be monitored as well. And, of course, we'd need video as well to
get those pesky sign language users[0].

These sorts of bills always make me wonder if we'll ever see a moral stance
taken by tech companies. There's a few skirmishes that happen every now and
then but there doesn't seem to be any general consensus on what companies will
tolerate in both themselves and their business partners. I'd love to see a
"Fair Trade"-esque branding used as an indication that the product and its
supply chain don't include actors who support government surveillance.

[0]: OT, but it makes me realize you can literally make illegal gestures due
to
[https://en.wikipedia.org/wiki/Hate_speech_laws_in_the_United...](https://en.wikipedia.org/wiki/Hate_speech_laws_in_the_United_Kingdom)

~~~
blowski
I'm going to play Devil's Advocate here, because complaining about intrusions
on our privacy and how ineffective they are, has become de rigueur on HN and
Reddit without much dissent. There clearly is a security problem in Europe at
the moment, and I'm assuming that the attacks are not being organised by the
security services.

So will this bill reduce, increase or have no effect on the attacks? If not,
then what would reduce the attacks and why are the authorities not doing it
already? If it will reduce the attacks, how much does it have to reduce them
before we accept the intrusion on privacy as a necessary evil?

~~~
Blahah
I appreciate you're playing devil's advocate, so I'm holding back.

"There's a security problem in Europe at the moment". What are you talking
about? The number of people harmed in terrorism-related events in Europe in
any given year is dwarfed by the number of people who harm themselves by
accident or stupidity in those same countries. And dwarfed to an even greater
extent by the number of people killed by police in the USA, or killed in mass
shootings that don't get attributed to terrorism in the USA. It is the media
attention given to the situation, not the situation itself, that is
terrifying. Europe is extremely safe and does not have a security problem.

The entire western world has a problem with xenophobia. It can't control its
own politicians who lead military assaults on middle eastern or north african
nations for purportedly moralistic reasons. Assaults that are guaranteed to
alienate entire generations of people and incite predictable retaliatory
violence.

Nothing about the proposed privacy intrusions helps protect people from
'terrorism'. It feeds a cycle of ineffectual security theatre and provocation
of western-produced radical activism that makes us all less safe. With one
hand we create and promote terrorism, and with the other we strip ourselves of
our freedoms and march toward technological totalitarianism.

~~~
blowski
The reason I push on this argument is that by making it, we as a community
sound like we're waving away the concerns of the majority. "Oh a lorry killed
loads of children? Don't worry about it love, loads more people commit suicide
every year."

So those who _do_ pander to those concerns end up winning the vote, and then
they can trash our civil liberties. This is precisely how we British have
ended up voting to leave the EU.

There _has_ been a significant increase in the frequency and effectiveness of
terrorist attacks in Europe. People _are_ growing more worried about it. We
need to make those people feel safe again, and we're not going to do that by
saying "my privacy is more important than reducing terrorism".

The argument you make at the end is the strongest point: on the one hand we
are nurturing terrorism by not dealing with the fallout of globalisation, and
our governments have been sold an expensive algorithm that they believe can
handle the problem, when in reality it will make us even less secure.
Meanwhile, the media can sell more advertising with the increased attention,
so they're quite happy to add fuel to the fire.

However, all these arguments end up being lost in whether it will work or not,
and the Donald Trumps will always win that argument because they go to a lower
denominator. If we want to win it, we need to show more genuine empathy.

~~~
reitanqild
> There has been a significant increase in the frequency and effectiveness of
> terrorist attacks in Europe. People are growing more worried about it.

This is important to understand.

Also it is important to understand that right now Europeans are losing
security for no good reason:

We could help a lot more refugees in surrounding countries than we can
integrate here. It is really that simple IMO.

Seems we are allowing this stream of immigrants not because we are good-hearted
but because we are stupid.

This means we could be more secure and help more refugees if we stopped
playing for cheap political correctness points and started to think about how
we could help as many as possible.

~~~
kiba
We are getting a flow of immigrants because the civil war in Syria did not
stop, and instead rages on and on destroying the infrastructure and economy
there that is needed to sustain the civilian population there.

We are squeamish because we do not want to send young men and women to die in
some godforsaken country, doing god knows what for god knows how long.

Remember the last time that happened? Oh yes, the Iraqi occupation that seem
to go on forever and forever, draining the blood and treasure of the United
States.

Either we pay it now, or we pay it later.

~~~
ptaipale
It's a misconception to think that the current wave of migration is just
because of Syria. Or because of war in Iraq.

The people who come on boats to Europe are mostly not Syrians. They are from
the vast lands stretching from Senegal to Morocco to Congo to Egypt to Syria
to Iraq to Pakistan to India to Bangladesh, and they are not travelling to
Europe because one particular place is very bad; they are travelling right now
because they realize that it's about the last time to get a foothold in Europe
before the gates close, i.e. the current asylum process changes.

(I've met dozens and dozens of underage asylum seeker boys when arranging
football trainings for them; they started to hang around in the neighbourhood
and I realized it's better if they have something to do, so set up some games
every week. Only a couple of them were from Syria. Many more were from
Afghanistan and Iraq, but the list of source countries is very long. Mostly
these boys are from middle-class families in countries that have some war but
mostly just a very corrupt government, and the families have selected those
who are able-bodied and have better language skills to seek for a future for
themselves and possibly for the whole family, through the well-advertised
family reunification programs.

The poor don't get to travel; the cost paid to people smugglers is somewhere
in $5000-10000 range but the cost has been decreasing as the people-smuggling
business commoditizes.)

~~~
kiba
Is there a source?

I wasn't aware of that fact.

~~~
ptaipale
Syria was the largest of source countries in 2015, with a particularly large
number arriving in Germany as well as Sweden, but the migration is not at all
restricted to Syrian refugees. E.g. in my country (Finland) Syrians were only
3 % of the applications.

For instance, in Britain, the largest numbers of asylum seekers came from
Eritrea, Iran, Pakistan, Sudan and Syria as fifth. In Ireland, the largest
groups were from Pakistan, Bangladesh, Albania, Nigeria and India. In Italy,
the largest source countries were Nigeria, Pakistan, Senegal and Bangladesh.
In France: Sudan, Syria, Kosovo, Dem. Rep. of Congo, Bangladesh.

[http://ec.europa.eu/eurostat/statistics-explained/index.php/...](http://ec.europa.eu/eurostat/statistics-explained/index.php/File:Five_main_citizenships_of_\(non-EU\)_asylum_applicants,_2015_\(number_of_first_time_applicants,_rounded_figures\)_YB16.png)

------
sklivvz1971
It's such a pointless war on its own law-abiding citizens. It makes me sad.

People that _really_ care about privacy, people who need to hide what they do
will not be majorly impacted.

* The main threat is metadata anyways, not the data itself. Locating where you are (e.g. with millions of cameras and facial recognition) is a much worse threat.

* They will still use full disk encryption, free software, PGP or AES, etc. outside of the affected apps. That software won't cease to exist, nor will the mathematics that powers it stop working.

The sad part is that the people who will be disproportionally affected will be
the common people who have nothing to hide anyways, and do not have the
technical means, or the will, to protect themselves.

TLDR: useless and damaging.

~~~
vidarh
I agree with most of what you wrote. Just one comment:

> (e.g. with millions of cameras and facial recognition)

The vast majority of CCTV in the UK is not networked, and owned by small
private companies (e.g. your local corner store), and rarely store data long
enough to be of use to anyone unless something sufficiently serious happens to
cause a request to be made quickly.

While there are areas covered by networked, government operated cameras, they
are not the norm.

~~~
nxzero
UK is being watched by a network of 1.85m CCTV cameras.

EDIT: Curious how stating a fact is worth downvotes. What am I missing?

~~~
saintwind
You can't state facts that go against the hivemind here, otherwise a downvote
will occur.

~~~
CarolineW
It's demonstrably not a fact, and it doesn't add to the discussion. Add
constructively to the discussion and contrary opinions are not only tolerated,
but engaged.

~~~
EdHominem
The comment is factual. It's not relevant who owns the cameras.

Look at any major incident in the UK recently and the police have CCTV footage
from private businesses. Either voluntarily given or subpoenaed.

~~~
CarolineW
The comment was:

> UK is being watched by a network of 1.85m CCTV cameras.

It's not a network - the comment was not factually correct. I was answering
the question and explaining my understanding of a likely cause for the
downvotes - I personally did not downvote it.

~~~
nxzero
The network is the legal system which controls them.

------
zeveb
> 'If we do not provide for access to encrypted communications when it is
> necessary and proportionate to do so then we must simply accept that there
> can be areas online beyond the reach of the law.'

Yes, yes we must accept that, since it's reality. Queen Elizabeth can no more
hold back encrypted communications than King Canute could hold back the tide.

~~~
golemotron
It's a re-balancing. Before electronic bugs every park and pub had
conversations that were completely beyond the reach of the law. And that's ok.
We used to call that liberty.

------
wheaties
If I want to keep my communications encrypted online, I'm going to do so. The
only people who won't have the same luxury as me are those that follow the
law. I don't get it.

~~~
superuser2
If encrypted communications are illegal, then anyone using them is an
automatic target for investigation and the encryption itself may be probable
cause to open up their lives and property.

It's considerably more difficult to conceal the fact of encryption on the wire
than (say) a gun in your home.

~~~
tomjen3
Ciphertext is supposed to be impossible to distinguish from random noise, so
how are they going to prove I am not just sending random noise, with a PGP
header?

As for asking why I would do such a thing? I think the law is wrong and want
to make the court waste their time.

~~~
bitwize
No one would actually send random noise as a message, so the law would assume
that communications which look like random noise are, _prima facie_,
encrypted comms and something the police have a right to see in cleartext.

~~~
logfromblammo
The folks at [https://www.random.org/](https://www.random.org/) and similar
true-randomness providers would beg to differ.

They do, in fact, have a _paid_ service to deliver what appears to be random
noise as a message, then store that noise in their archive for subsequent
re-verification.

I recall seeing videos of lava lamps and handfuls of d6 dice on a vibrating
table, broadcast live over the internet, purely for their utility as potential
sources for truly random numbers.

I can easily see a case for sending randomness in a client-server game with
protections against cheating and bandwidth restrictions. The randomness server
sends the same chunk of noise to game client and game server, and the game
client sends user commands to the game server. As long as the user isn't
cheating, the official server copy of the game state and the client copy
remain in sync.

~~~
adventured
Given the scenario in question, that only helps you at layer one of the
surveillance process and only for a very brief time. You're now a suspect to
be watched intricately.

At layer two, they begin digging into your life, tapping everything they can,
following you, and most likely eventually getting a warrant or equivalent to
enter your home and seize your property. There's no scenario under which you
don't break some arbitrary law, given enough time, at which point you're done.

~~~
logfromblammo
That's a self-fulfilling prophecy. Once the state begins persecuting a citizen
based on a suspicion of _exercising free speech_ and _security in their papers
and effects_, it is ethically correct for that person to rebel.

~~~
bitwize
And once that person rebels, according to Presidential Decision Directive XXX,
the government may consider that person an unlawful enemy combatant, apprehend
them without a warrant, and incarcerate them at Secure Facility [REDACTED] for
interrogation and/or neutralization by means of [REDACTED]. If they are ever
heard about again, it will be because the government "found" ISIS materials,
CP, or other bad stuff on their computer.

------
3v3rt
Interesting to see that at the same time the EU privacy watch dog is proposing
to mandate encryption and outlaw these kind of decryption methodologies[0].
While still an opinion, it is good to see that in this area the EU is among
the most progressive governments around.

[0]: [https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/sha...](https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2016/16-07-22_Opinion_ePrivacy_EN.pdf)

~~~
mark_l_watson
Interesting indeed. I thought it peculiar that the UK government released the
Tony Blair report just before the BRexit vote. That report certainly got many
people riled up about the 'establishment' and possibly could have changed the
BRexit voting result. My point is that if the UK had stayed in the EU then the
UK surveillance bill might have been dead in the water because it might have
conflicted with EU law.

~~~
Zenst
The EU referendum was on the 23rd June 2016 and the Chilcot report (as it is
known formerly) was released 6th of July 2016. So those facts aside your
point, do you have any conflicting EU laws in mind? I ask as currently the UK
has not left and then looking at 2 years notice so any new UK law coming into
play for years (due to the time to formulate them), will be complying within
current EU laws and regulations.

TL;DR No and no. But I respect the premise.

~~~
mark_l_watson
Thank you for the correction! I have made this comment to some friends, so I
will let them know I was wrong.

------
lb1lf
This belief that you can somehow force the strong encryption genie back in his
bottle is fascinating, if sad.

I guess it is not as futile as it may appear at first glance, though - after
all, you don't need all the world's suppliers of communication software to
adhere to be successful; just force the major ones to help you out, then
simply assume that anyone using an insignificant (by user base) app is up to
something nefarious.

Bah. Orwell was an optimist.

------
JustSomeNobody
Anyone hell bent on killing people will likely succeed. Surveillance is not
the answer. Too much data is just as bad as not enough. The solution is
finding out WHY people want to kill you and fix THAT.

------
49para
What possibly can they do with all this data?

It seems that current governments can't seem to solve the drug war, the war on
terror, gun crime, or the increasing number of terrorist attacks.

How much intrusion do they actually need and what is the cost of the
technology before they can actually seem to make headway on solving issues.

------
CiPHPerCoder
Dear UK government,

Good luck with that.

Signed,

An open source software developer outside your jurisdiction

~~~
Spivak
I mean they're just going to fine/jail anyone within their jurisdiction that
uses your software. Pretending that you can't ban encryption because you can't
eliminate its availability is silly.

This is a political problem that must have a political solution.

~~~
CiPHPerCoder
The only effective political solution is to get the common person in on using
end-to-end encryption so its ban becomes unpopular.

------
inetsee
I can't help but wonder how this bill, on top of Brexit, will affect the state
of technology entrepreneurship in the UK. Why should an entrepreneur start up
a technology business in the UK if his efforts will be hampered by politicians
who have no clue about how technology actually works?

~~~
carterehsmith
Rest assured that there are people working for the government that know more
about encryption than you or I or 5,000 entrepreneurs.

For example, GCHQ came up with PKI before the people that "invented" PKI and
published it.

~~~
inetsee
I have no doubt that the people working for GCHQ know as much as anybody about
encryption. The question is, are they smart enough to convince buyers that
encryption with backdoors is secure against hackers. Because if buyers don't
believe encryption with backdoors is secure, they won't buy it. If the buyers
won't buy it, it's going to be very hard for entrepreneurs to succeed in
selling it.

------
austinjp
It's time to call this stuff out for what it is: flat out idiocy or lies.
Possibly both.

Here's a brief thought to uncover why:

There are two countries. Country A has security capabilities equivalent to
today's UK. Country B, equivalent to today's UK plus the proposed changes.

Could maniacs based in country B commit attacks of equivalent fatality to
maniacs based in country A? Of course they could.

Could a criminal gang in country B get away with crimes of similar magnitude
to a similar gang in country A? Of course they could.

Other threads here have pointed out the minimal extra effort that would be
required by perpetrators, if any.

So why propose these changes, and why give the stated reasons?

Perhaps the government doesn't understand the negligible impact they'll have.
This seems unlikely, although perhaps they "can't see the wood for the trees"
and are getting carried away with the current xenophobic mood in the air.

Perhaps the government is showing its true colours and exercising the basic
Conservative desire to deny societal evolution, by tightening control over
anything new and complex.

Perhaps they've had a good hard think to the best of their abilities, and have
genuinely decided this is The Best Thing To Do.

Whatever the reason, it's either founded on idiocy or couched in lies.

------
reacharavindh
It is to an extent funny to think that governments think they can sit on top
of communications and implement mass surveillance. If you make it illegal to
encrypt your stuff, the knowledgeable/tech savvy people will start to work on
using steganography. There will be an explosion of cat pictures in the
Internet. Good luck finding the hideous cat :-)

All the government does now is inconvenience to the majority of citizens who
they have nothing to worry about anyway.

------
pre
So, how are companies supposed to keep customer data safe from hackers without
encryption exactly?

This kind of thing can only make the people of the UK less safe, more at risk,
and more likely to be hacked and otherwise digitally abused.

If you wanna keep the people safe, you don't ban encryption. Better would be
to mandate it.

------
DanBC
This is a fairly obvious sacrificial anode bit of the legislation. They'll
drop this, while making the "provide the keys" bit of RIPA stronger.

------
petre
If privacy is outlawed, only outlaws will have privacy.

They created terrorism in the first place by bombing and occupying other
countries, removing dictators.

------
SeanDav
I am surprised they did not add the line "think of the children" in there
somewhere...

Meanwhile in the real world, criminals will resort to sending encrypted USB
sticks via post, or carrier pigeons, or implanted in mules. There is always a
way around these things for those that absolutely do not want their
communications compromised. It is safe to say that any criminal enterprise
knows that live electronic communication of any sort is likely to be
compromised.

Also of concern, is that criminals will now have extra attack vectors to
sensitive data, because if encryption has to be weakened for Government, it
will be easier for other parties to exploit.

------
fweespeech
Has the UK lost their god damned minds?

I'm sorry but between this and everything else lately...they seem pretty
committed to "Security at any economic and/or personal cost! Security for
everyone!"

In the real world, that never works.

~~~
k-mcgrady
I don't think it's to do with people 'losing their minds'. The weird thing
about bills like this, or really anything affecting privacy/IT security, is
that no matter how bad it is the general public have no idea it's happening.
The number of people I've spoken to who know nothing about Snowden/PRISM etc
despite it being front page news for months shocks me.

That basically means that it's up to a small group of people who are informed
(like ourselves) to do what we can to stop this stuff. If we sit back and do
nothing they won't have any problem implementing these laws.

~~~
flyinghamster
For a long time, people who are concerned about online security and privacy
have been derided as paranoid, tinfoil-hat-wearing kooks.

Not only that, but it seems to me that there's been far less coverage of these
issues in mainstream media than in the tech press, and most mainstream
coverage seems to take the governments' side. People who get most or all of
their news from TV likely won't hear anything about all this; if they do,
their eyes will glaze over as they don't have a clue how encryption works, or
why it's important. Or, it will just vanish in the news cycle and they never
think about it again.

Edit: It also seems to me that most people just aren't going to care unless it
directly affects them, at which time it's already far too late.

~~~
soundwave106
If this is implemented, it's going to be fun the day that someone from the
government gets hacked and compromised via the very same security weaknesses
they ordered.

------
themartorana
_"...there should be no safe spaces..."_

Got it.

------
mankash666
If the laws are this regressive and encompassing, the very least we as
citizens can do is to lobby for full transparency in requests - after all the
data belongs to the individual (regardless of what the TOS claims) and the
individual deserves to know about requests on his data immediately.

------
0xmohit
"The Lives of Others" [0]

[0]
[https://en.wikipedia.org/wiki/The_Lives_of_Others](https://en.wikipedia.org/wiki/The_Lives_of_Others)

------
cloudjacker
If UK finishes leaving the EU, they will just be excluded from the market
given their diminished relevance. Are sure given the power vacuum in tech,
I'll release a gimped software product for their citizens. $£$£$£$£$£$£$£$£$£

------
beedogs
Will the last tech company to leave the UK please turn off the lights?

------
LinuxBender
Two can play at this game. Surely folks here at HN can create something that
is not technically or legally encryption, but accomplishes the same goal.

~~~
pferde
...until it gets legally declared as encryption as well.

~~~
LinuxBender
Fair enough. Maybe it's like an arms race, or a shell game. But you are
probably right.

------
brador
When does something become encryption?

Say I switch t and r in evetyrhing I rype, is that encryption? No? Then at
what point of mixing does it all become encryption?

~~~
dvtv75
I would guess the point at which they say it does.

------
hardlianotion
Just another little reminder that you must never confuse the government's
interests with your own.

------
known
Govt should limit end-to-end encryption AFTER open sourcing all their
software;

------
saulrh
> “Doors are now almost ubiquitous and are the default for most houses and
> buildings. If we do not provide for access to people's bathrooms when it is
> necessary and proportionate to do so then we must simply accept that there
> can be rooms beyond the reach of the law,”

There are well-established and functional methods for extending law into areas
that you can't see all the time. You don't need to ban encryption, in exactly
the same way that you don't have to ban doors. Just because it's ooon the
iiiinterneeettttt doesn't mean you need to break everything.

~~~
logfromblammo
The state's enforcers do not fear doors, because they have boots for kicking,
and stout legs to fill them. Even the heavier doors can be breached by prybar,
ram, cutting torch, or explosive.

But when your bathroom door is protected by 256-bit encryption, the peace of
your metaphorical deuce-dropping is (statistically) guaranteed until such time
as the sun leaves the main sequence and devours the Earth.

The states conveniently ignore that kicking down a toilet door to pick through
someone's poo and count the peanuts is not generally beneficial to anyone's
security, especially when holding out a net under the appropriate sewer pipe
could usually achieve the same results with less public outrage.

In any case, those with truly incriminating poo-peanuts will likely burn them,
or head off into the woods with a trowel, and your toilet raids will only end
up menacing those who linger too long in the stall, solving sudoku puzzles or
practicing toilet-square origami, or whatnot.

~~~
jon-wood
I love how quickly this escalated, have you considered doing a comedy act?

~~~
logfromblammo
My ability to speak on stage before an audience ranges dangerously close to
Harpo, Marceau, and Teller. I might be able to write for someone else, though.

