Hacker News new | past | comments | ask | show | jobs | submit login
UK PM wants to ban crypto: here's what it would cost, and why it won't work anyway (boingboing.net)
407 points by ColinWright on June 4, 2017 | hide | past | web | favorite | 221 comments



> Theresa May says there should be no "means of communication" which "we cannot read"

The article focuses largely on the technical difficulties and implementation risks that make this goal impractical. I would like to point out that the goal in question is explicitly Orwell-style surveillance.


There's another angle to this. In her previous role, Theresa May presided over record police cuts with utmost arrogance. It turns out that even if we had everything in plaintext, that there almost certainly isn't the manpower to follow up leads generated from a mass surveillance programme.

If we assume that May is competent and not exploiting a tragic attack to engage in jingoistic gesture politics for the election on Thursday, then this can only be about making sure that law-abiding dissidents cannot communicate with each other in secret to hold the powerful to account.


I think the competency of most politicians right now is seriously suspect; but then the general population is, to me, sounding increasingly tired of democracy and just wants an autocrat to make all their life choices for them. (Not necessarily a majority of society, but perhaps a significant minority).

The rational response is, more people die from falling off ladders than domestic terrorism. Can we look at this problem seriously in a way that includes the economics, without insisting that people be scared little bunny rabbits? Apparently we're not so inclined toward Vulcan logic, this silly primate species.


Terrorism is the current justification for military operations abroad. Likewise, there are some who believe terrorism to be an externality of our operations abroad, in which case there is positive feedback. We are told by our leaders as the justification for war that it will cause negative feedback, though the recurrence of terrorism would suggest this is not the case. Even without any feedback, to look at this economically you would have to take into account the news, the journalists, the wars, the arms sales, the rebuilding, the cable-laying that comes from war and the attempt at peace.

Consider two countries at war with the other. Now imagine that both are part of the same territory but the planes still fly and the bombs still fall on the same places. It is clear that this is economic and political madness. So as a combined system, the two warring countries are better off not engaging in war. But if one country can make money from war then it is beneficial for it to be at war.

The answer is for those who govern to think in terms of the whole system, i.e. both countries. That is unpopular with patriotic voters who accuse such leaders of being traitors.


>Terrorism is the current justification for military operations abroad.

It seems to me more and more that people are living in some kind of lala land today.

They seem to believe that military action against some group of people will not result in some kind of recoil. Especially when part of the group they are engaging military action against is living among them or has free access to enter the country.

I think that this is pretty disconnected thinking.

Asking intelligence agency to do better job feels is kind of ridiculous. They just have to follow too many people to be 100% effective.


We're literally at war. In a war, it's not just "their" guys that get killed. It's a two-way thing. It's amazing how many people don't seem to get this.


We're fighting an insurgency that is distributed across organizations and borders. Historical precedent would suggest this will not end with the annihilation of the insurgency, some of whom will currently be civilians, but with some kind of peace process.

The problem with calling this a war is that the right-wing press are calling this a war. This is not an existential threat to us in the way, say, WW2 was to the Soviet Union or to the UK once we had engaged militarily. We could withdraw from bombing campaigns in the middle east tomorrow and see almost no immediate detrimental domestic repercussions. That is probably a sign that this is not so much a war but something else. If it was domestic we would call it a massacre.

The more we go down the road of annihilation, the more costly that peace process will be and the more people will die purely for war. That includes our own.


I would like to nitpick a little here.

WW2 was an existential threat to the Soviet Union. It was so existential that this became the largest part of the identity of Russians.

But WW2 was not an existential threat to UK. UK could have exited from the war at any time. No battle took place on the soil of UK mainland.

I am not saying the people in UK did not suffer - they just did not suffer comparably to the people in the middle of the conflict. In a way the war was rather distant to the people living in UK.


> No battle took place on the soil of UK mainland.

Well, that's because the battle eventually took place in (mostly) France. But it's not as if that battle would not have eventually happened in the UK if the Germans had managed to gain air supremacy over the UK or if they had managed to pull a reverse Normandy. The UK could not have exited from the war at any time at all, their shipping would have been sunk and they would have been under siege from the moment they did so.

The larger cities were receiving a good number of aerial bombardments and V2's (ok, also a form of aerial bombardment). And then there was the shipping tonnage sunk with all hands.

War very much came to the UK, even if the eventual battle took place in France, Belgium, NL and eventually Germany (where whole cities had been obliterated).


UK could have negotiated unilateral peace with Germany, and it's likely that such negotiations would have succeeded. Hitler didn't actually want to fight the Brits - indeed, in "Mein Kampf" it's clear that he saw them with somewhat akin to an admiration, and a potential ally.

Not so for the USSR, since it had been designated as "Lebensraum".


Exactly, and this was my point - people in UK share somewhat disconnected experience from WW2.


I blame the media. They've conditioned two generations of voters that war is something that you see on TV or read about online, not something that involves you or your neighborhood, you 'go to war', it never comes to you.

This kind of verbal white-washing causes all kinds of problems when the inevitable adjustment happens which shows that we can play word games all we want but it won't make an actual difference.


The media is reporting what it is, which is a war that happens elsewhere. It's verbal white washing because it is socio-economically and politically white washed.

A draft would change this. But the military is a product like anything else. It's not civil service. It's not something that every family suffers from. The U.S. professional military is overwhelmingly middle and lower class. There's no meaningful representation of aristocratic families in the military. They have nothing to lose by supporting politicians who in turn support interventionist policies abroad.


"We're literally at war."

When discussing foreign policy on an internatioal medium it would be helpful to formulate your responses by specifying the hypothetical combatants and coalitions explicitly rather than implicitly (i.e 'we' is an ambiguous definition in this context).


Now imagine that both are part of the same territory but the planes still fly and the bombs still fall on the same places. It is clear that this is economic and political madness.

For example, China/Taiwan, North Korea/South Korea, which no longer fight.


The problem is not that more people die from ladders or cars for that matter, it's that in a polictical landscape: "no tragedy shall go to waste."

We saw similar pushes for strengthening Canada's Surveillance State when they had two terrorist acts. Canada's PM didn't even hesitate.

When an attack or an event happens that puts people in a state of shock and fear, politicians know their nefarious ideas have a higher probability of slipping through the public's filter. UK's PM is doing what has now become an automatic response to any kind of act. Expand government's power at all cost.


The rational response is

...falling on deaf ears. I have been saying for years that hacker culture needs to develop greater emotional intelligence and meet people where they are instead of lecturing them with arguments that make their eyes glaze over. Politics is not a function of logic.

Your best option, if you live in the UK, is to roll your eyes eyes and vote for the beardy communist despite his obvious faults. Logical arguments are not compelling to people in the grip of an emotional rush. The inability to assess and adjust to peoples' emotional states is a kind of social stupidity.


People have stopped rolling their eyes at the "beardy communist". At least one favourability poll now shows Corbyn being seen more favourable than May, and he's closing the gap rapidly in every one of them. At the same time Labour is closing the gap as well (with one poll showing Labour down to 1% behind). Whether it will close it enough by polling day is the big question, but what seems clear is that the Tories relentless personal attacks on Corbyn no longer work very well.


Those same polls predicted brexit would not happen and Clinton would win. I fear May will get the majority yet again. For a lot of people, her calls to essentially end cryptography will be seen as "doing something", and they will blindly vote for her.


> Those same polls predicted brexit would not happen and Clinton would win

You say it like it's a major indictment - people just don't understand probability and low probability events occur all the damn time. On the flip-side people also play the lottery.

A lot of factors contribute to poll errors: sample group is never perfectly representative of actual voters, people lying on their voting intention if they feel it's not socially accepted, &tc. That does not make polls worthless.


I too fear she will win again, but the poll improvements for Corbyn are several times the margin of error, while as others have pointed out, the Clinton/Trump result was within the margin of error.


No that's not true. The polls were within the margin of error. The polls were exactly right. The problem is the result landed within the margin of error, that the predicted error itself meant it wasn't possible to know with any certainty what was going to happen.


May has pretty clearly positioned herself as a dictator wannabe.


No. Their goal is simply to go back to the previous status quo. Which was when communication was capable of being monitored when there was a reasonable suspicion of a crime about to be committed.

Now I don't believe this makes any sense in this era (criminals will have crypto, ordinary people/dissidents/journalists etc will not) but I can very much appreciate where they are coming from. It's not a simple issue.


Thank you for pointing this out. It's a key point to make that it's kind of a complex issue.

It's obvious to me that cryptography shouldn't and realistically cannot be outlawed. That doesn't make any sense. On the flip side, I think that most people would accept that targeted surveillance of criminal suspects is a reasonable tool.

The thing is, if it becomes the default for all messages to be encrypted end-to-end – obviously a good thing – then this effective tool becomes useless.

I think any proposals to restrict cryptographic software are obviously wrong and doomed to failure, and I will continue using such software regardless of what laws are passed in the UK. But it is a complex issue, and I wish there was some more acknowledgement of how the field of surveillance has changed.


The Manchester attacker was reported many times as an extremist, and had the ISIS flag on his car. To suggest that he would have been caught if only the Food Standards Authority has constant read-access to your drunk teenage loveletters is ridiculous.

We need more actual police officers to do more actual police work.


Isn't it more a question of what instructions those existing police officers are given? Currently their activities always come a bit late for the innocent dead and injured. A positive check about someone hiring a van is not prima facie evidence of intent to mow down pedestrians.


Comparing

- Running investigations, police officers being known and trusted "faces" in their community, and surveilling people in meatspace

To

- Running grep on every TCP packet of 65 million people, then asking a relatively small number of LEOs to "do something" when analysts see something that could be suspicious

The former seems more likely (to me) to succeed.


Yes, but that would require rolling back some of those cuts. Another thing that would really help is if police officers would make a half decent salary. That would also cut back significantly on corruption.


Is it complex? Even with crypto authorities have more ability to surveil us than any other time in human history. Crypto seems like a very small loss when looking at the way things have trended the last 10 years, much less 100.


Even with end to end encryption they can still hack any current OS. We're a long way from having provably secure operating systems for current devices.


provably secure? I'd almost settle for theoretically secure these days.


That's not an honest representation of the argument given there is no parallel you can make between today's world of electronic communication passing over centralized infrastructure to however people communicated before.

There was no ability for the government to read everyone's (or anyone's) mail at once in the past.


Intelligence services absolutely had the ability to read people's postal mail and intercept their phone calls. For example, the CIA in a declassified report from 1976 opened over 215,000 physical letters:

https://www.cia.gov/library/readingroom/document/0001420864


I guess that's a very small sample. We are talking about them making copies of every letter ever sent...



There is a huge difference in scale. Phone wiretapping required explicit targeting and was not possible at scale modern measures allow.


  > capable of being monitored when there was a reasonable
  > suspicion of a crime about to be committed.
The thing is: they knew about the Manchester attacker, and today on BBC was also a report that law enforcement was informed about one of the London attackers. If they cannot act on the intelligence they already have what's the point of diluting it with even more data?


You can't go back to the previous status quo any more than you can ask your mother to "bear you back" because you don't like living outside.

Trying to pretend you can is one of the most dangerous things a politician can ever do.


yea, its a rejection (a lack of understanding) of the technology of internet. It clearly states in their manifesto that they want to treat the internet the same as the physical world without appreciating that this is impossible.

I look forward to whenever politicians work out that people not under their legal jurisdiction can muck about on their internet thereby making their intent of constraint irrelevant.


> criminals will have crypto, ordinary people/dissidents/journalists etc will not

Does is imply that politicians will have crypto?


Does that mean you open people's letters to make sure they don't commit a crime?


Yes. The overt statements of HMG say they want warrants and court orders and individual targeting, not kibozing or grepping the gmail spool.


They already grep phone conversations and SMS messages, and whatever Internet traffic they can.

https://en.wikipedia.org/wiki/Tempora


That seems to have been the UK's goal for a while now


> the goal in question is explicitly Orwell-style surveillance

Because that's the only politically correct thing they can do.


> Because that's the only politically correct thing they can do

This is not even wrong. There is a long list of 'politically correct' things the government could do which are inconvenient (timing-wise) as they would highlight their fallibility/incompetence. First on the list is to stop the drastic cuts[1] they instituted to the police force. A close second is to stop exporting jihadists (that's right: exporting civilian British nationals[2]) to wage war in Islamic countries. It is unfortunate that saving face in light of the impending snap-elections is preventing real solutions from being implemented; instead, we get security theatre that sounds good to the electorate but wouldn't even have prevented the previous attacks - a necessary factor for the action to be considered as an improvement at the very least. Right now the issues are totally unrelated; just opportunistic legislation.

1. https://www.theguardian.com/uk-news/2017/mar/02/inspectorate...

2. https://medium.com/insurge-intelligence/the-manchester-bombi...


I'm also deeply concerned about "backdoors for the good guys". Beyond just worrying about who else could get access, the "good guys" really just means government, and my comfort level with the current Trump administration using their "good guy" backdoor for a noble purpose currently sits at zero.

All that being said, how do we the tech community solve Theresa May's problem? Her philosophy is "if we knew more, we could have prevented this." Is that the right philosophy? Is there some other mechanism to authorize "legitimate" access to encrypted data?


>All that being said, how do we the tech community solve Theresa May's problem? Her philosophy is "if we knew more, we could have prevented this." Is that the right philosophy? Is there some other mechanism to authorize "legitimate" access to encrypted data?

there's absolutely nothing substantiating her claim. terrorists seem to have done just fine in the absence of encryption -- the bataclan attackers coordinated with ordinary sms. governments still make this push _all the time_, witness the doj going after apple after san bernardino.

the UK is literally the most surveilled society in the history of the world in terms of communications of its inhabitants intercepted by its own government, comparable perhaps only to the stasi. this is mode of action is not working. two attacks in two weeks, and their answer is "the same but more"?


> terrorists seem to have done just fine in the absence of encryption -- the bataclan attackers coordinated with ordinary sms

Even if the UK somehow managed to illegalize use of AES and other "professional" encryption algos, it would still be trivial to communicate using simple innocuous sounding code words over plain SMS. There's practically no way to detect it. The entire effort is futile from the very beginning.


Same for steganography. You can embed messages in pictures of lolcatz.


Next step, mandatory JPEG (re)compression (q=50) for all social media pictures.


That isn't even nearly enough. Text messages take very little space and can easily be embedded in very low quality images.

You can't allow images, sound, or video at all if you want to prohibit steganography.


So will you be able to prove that you are not using steganography when the authorities accuse you of using it?


I mean, will they be able to prove that you are? That's usually how it works.


Not anymore. They can force you to provide the keys for the jpegs from your wedding even if you don't have anything encrypted in them. Just the police suspecting you of a crime is enough.


You can hide messages in whitespace. Think badly formatted MS Word documents of The Brothers Karamazov by F. Dostoyevsky.


no terrorist attacks: "it's working! we can't tell you details but we caught ALL the terrorists, and there were lots! But they're crafty, you know - expand the surveillance so we can keep up!"

terrorist attacks: "we told you so! expand the surveillance!"


> there's absolutely nothing substantiating her claim.

yes, and this is very weird. She must have a chain of reasoning going on in her head before opening her mouth, right? We always only get the conclusion, that is: "we need more access". Any normal person looking for a solution to a problem would generate loads of ideas and then, when pitching an idea, present the pros/cons of their various ideas to finally argue why they have chosen solution x. We don't see any of that wrt to this topic.


The chain of reasoning is:

- I want more power/money/whatever

- suerveillance can give it to me

- I just need to pass the bill once to get it to work for years in my favor

- they have to reject it at every attempt I try to pass it

- therefor I should try to pass it everytime the news let me do a bold claim

- nobody is going to do shit against it anyway


> She must have a chain of reasoning going on in her head before opening her mouth, right?

Control thoughts -> No bad thoughts


But that's not reasoning. That's jumping to conclusions.


Quite!


> We don't see any of that wrt to this topic.

There are countless studies that get conducted every year by universities, think tanks, NGOs and journalist style organisations on this topic. And these are tabled in parliament, reviewed by ministers and debated in intelligence committees and within cabinet. In Australia for example we have Senate Estimate Hearings which are freely available online for you to watch.

To think that governments are not exploring every avenue in order to protect their citizens is a bit ridiculous.


> There are countless studies that get conducted every year by universities, think tanks, NGOs and journalist style organisations on this topic.

Could you name me one credible source that advocates the banning of encryption? At Harvard, for instance, they concluded that banning encryption is futile. [0]

[0] https://www.dailydot.com/layer8/worldwide-survey-of-encrypti...


It seems people like to believe that the terrorist would simply obey the law and not use encryption.

In reality, if a terrorist used encryption, they most likely would use a non-backdoored encryption no matter if it's legal.


> the UK is literally the most surveilled society in the history of the world in terms of communications of its inhabitants intercepted by its own government

China?


Also even if that's technically true due to digital surveillance, I'm still pretty sure virtually everyone would choose it over the DDR. But why not go with hyperbole! It's not like it feeds into a narrative that everyone who takes this stuff seriously is paranoid...


> Her philosophy is "if we knew more, we could have prevented this."

What is there to solve? This statement is wrong in its core. Its like you looking at blew up grenade and scratching your head "how can we put this back together".

There is nothing to fix. Since they yelled "Allah Akbar", they were clearly motivated by their religion and "holy war on infidels". Unless you can read people's mind, I don't find access to their communication relevant if they've been practicing said religion since crib times and one day simply decided to go and stab few people with knifes.

For this to put in motion, you don't need a cellphone or any sort of communication at all!


Yeah.. there you go!

Explain THIS, May:

"Another fanatic slips through the net: Killer jihadi, 27, 'radicalised by YouTube' was known to police and filmed arguing with officers after unfurling an ISIS flag in a park in a Channel 4 documentary" [1]

How on earth open plain-text communication will help prevent something that alread is clearly in their FACES??

http://www.dailymail.co.uk/news/article-4571902/London-Bridg...


May or may not, Theresa...


The portrayal of governments as "good guys" has always seemed pretty absurd to me. The reality of it is that they're just the other bad guys, with slightly different but still ultimately self-serving goals.

When "collateral damage" in the form of death and suffering inflicted upon innocent people is shrugged off as the cost of achieving your goals, you're still a terrorist no matter what those goals are and which flag you plant atop the mountain of bodies.


The problem is that "government" is poorly defined. Local governments, involving and affecting only people that you know personally, and operating with some form of consensus, are generally good. But at any greater scale, governments will likely be co-opted by criminals. Or at least, people with self-serving goals. It's a hard problem, because local governments need somehow to organize for defense.


> "if we knew more, we could have prevented this." Is that the right philosophy?

No. This philosophy is essentially saying that in order to make it easier to find all the needles in the haystack, we need to add more hay.

It's a ridiculous notion if you actually stop and think about it.


> I'm also deeply concerned about "backdoors for the good guys". Beyond just worrying about who else could get access, the "good guys" really just means government, and my comfort level with the current Trump administration using their "good guy" backdoor for a noble purpose currently sits at zero.

You call out the current Trump Administration...

Do you think the Obama administration was any better? Do you think the "other side" is more trustworthy? Especially considering all the scandals that surround the last 8 years?

Why do you think the Left is more trustworthy than the Right?


I wouldn't berate someone over thinking this, even though I agree with you that the Left is not more trustworthy than the Right. Frankly, it's better to point out that, if you give government additional power, that power will be used by both Left and Right, so you'd better be able to trust everybody with it.


If the state gave each and every civilian a colonoscopy every year, we could prevent deaths by noticing medical conditions earlier. Probably more than terrorists kill currently. But it's a complete non-starter because it infringes on so many human rights like self-ownership. Same goes with our private conversations. This line must never be crossed.



Why even permit people to have secrets of any kind? The real "problem" is not encryption, but people keeping secrets. Encryption is just one way of keeping a secret. With a law banning private secrets, they could throw anyone in jail for not answering a question.

If the government has a back door to read all your messages, they are saying they don't want you to have any secrets at all -- but electronic messages are the only ones they know how to pry open.


> Why even permit people to have secrets of any kind? The real "problem" is [...] people keeping secrets

You might be on to something! To lead the way to a secret-free world, they might wanna start by dissolving MI5, MI6, etc..


> hey could throw anyone in jail for not answering a question.

if the question is "What is the key to this encrypted disk?", then they can already do that which surely already means that the keeping of secrets is illegal whenever a policeman says it is.


Once upon a time society functioned that way - a strong belief in God acts in practice to make secrets impossible.

I am not sure that a society without any secrets would be a bad thing - it certainly would be very different.


Here's an idea. Instead of spending the effort on a damaging, losing battle on the technology side.. let's invest in social inclusion, mental health and healthy foreign policy in the middle east.

Catching the madmen on the wrong side of the curve makes much less economic sense.


like what European people did, let's warmly welcome them into our civilized world.


Let me spell out the day to day consequences I experienced of living in Germany, down the street from a refugee home: there were none.


Not really Europeans. Merkel did that.

Go ask anyone in Hungary, Poland or Czech Republic, or even Romania who complies with migrant quotas and is generaly an EU cheerer, unlike Hungary or Poland.


Have any of the recent terrorists been recent migrants? I thought most were from at least a decade ago, if not born here.


Not many but there's a recent wave of rapes commited by migrants that is downplayed and not reported my the EU cheering mainstream media.

https://www.gatestoneinstitute.org/9934/germany-rape-january


Do you have any sources other than incredibly biased ones?

https://en.wikipedia.org/wiki/Gatestone_Institute



Those are reports of two individual cases, hardly evidence of a "recent wave of rapes commited by migrants".


isn't that just prove the idea is so ridiculous which trying to social inclusion, mental health


It helps to give non-computer people a non-computer analogy: This is equivalent to requiring the walls of the houses we live in and the clothing we wear to be made out of special material which is opaque to us but see-through to the police. This will keep us all safe! Anybody got a problem with that?


> opaque to us but see-through to the police

Or to anyone who happens to get their hands on the police technology. And oh, once leaked, the technology is incredibly cheap and easy to duplicate and distribute among criminals.

This exact thing happened with NSA hacking tools a few weeks ago!


When I hear people say that backdoors are a good thing, I say to them: so you wouldn't mind either if an agent breaks into your home without permission, reads and copies all your mail and documents, installs microphones and cameras in every room, puts a GPS localizer in all your clothes so you are constantly tracked. Surely you don't want that, well, and if they make the same things through a backdoor in your phone, is it ok ?


In my experience, a lot of people will answer that they don't mind at all if it's for a greater good. I find people are more persuaded by this argument if you also explain that the greater good might change to be something they're uncomfortable with in the future. What if we have a few more terrorist attacks over the next few years and the government decides to outlaw Islam? Are you cool with the government coming in to your home and screening your communications to make sure you're not hiding muslims? Are you cool with the government screening your communications to make sure you're not trying to organize dissent? Just because you have nothing to hide right now, that's not to say that you won't in the future.


I am all right with that, as I don't think my privacy is sensitive to the agent, my email just normal email, no terrorism, no child porn, no drug etc, why I would care they check it or not. Apple, Google, Microsoft already scan all your online activities, why would they better than the government? You guys always trying to mix the privacy and security. for the iPhone case, in case the police need to unlock the iPhone to save hundreds of people's life, are you guys still insist that Apple shouldn't unlock the iPhone for the cops?


Even if you do not care about the complete loss of privacy, are you not wary about the methods for accessing the backdoors leaking to criminals and antagonist governments? Which has already happened, see Vault 7 and numerous other leaks.


S/He will start caring when s/he will be arrested because of a May joke or a neighbour denouncing him/her of being a terrorist. That is how it worked in communist countries. Neighbour issues? Just write a denouncement and file it. The Stasi will do the rest.


in which communist country? are you still living in cold war time?


In just about every communist country. No, but I lived in a commie country in the 80s and that's how things worked: microphones in your home, the secret police forever taping your phone line, informant neighbours, state propaganda, different radio bands so you won't listen to foreign media etc.


He was making a joke about you using will vs would for your Stasi comment I think.


No amount of loss of privacy will stop terrorism. They're not substitutable.


Evidently, most people don't have a problem with it, because that describes the situation at U.S. airports very well.


I'd give her a chance to retract this anyway, but otherwise PM May has revealed that she is either a fool or an autocrat. Either should get her voted out of office.


Unfortunately, the public doesn't understand this. They just hear someone is "fighting the terrorists" and don't care the policy is insane.


Actually the normal care more about the safety than what you said privacy. You can choose what you called freedom and privacy, but I also have the right to choose safety. Why you would say your choice is prior than my choice?


Because choosing privacy gets privacy, but choosing safety by handing over the keys to your life to other people, strangers, working for their own interests, for commercial interests, for power and money, does not get you safety.

Because an individual choosing privacy implicitly chooses privacy for everyone, but an individual choosing 'safety' (in this context) implicitly chooses no privacy for everyone else, and implicitly unsafety for people who needed that privacy while not actually doing anything illegal. (Or maybe doing something technically illegal but still just or reasonable or morally right).

It's an "I have nothing to hide, so you cannot hide anything", "I'm alright jack", "everyone should trust the people I trust because I agree with them" approach.


The 'safety' choice is misinformed. People have allowed what they see in the media and what politicians are saying to cause them fear - fear which is completely irrational. I noticed this during the Question Time debates in the UK the other night where Jeremy Corbyn was hounded on nuclear weapons. Some people in that audience seriously believe we are on the brink of nuclear war and want someone in charge who has no issues dropping nukes on other people. I was pissed off watching it until I realised they genuinely seem scared. But their is almost no rational behind that other than things they've heard on the news. The terror attacks in the UK in the last 3 months have been devastating - but the number of deaths and even the number of injuries needs to be kept in perspective when choosing to give up rights as important as privacy. One choice is informed by logic and reason, the other by exaggeration and lies.


I don't think it is fear exactly. More that people favour "strength" and reject "weakness". Nukes are strong, and disarmament is weak. That is the same choice people make again and again. The actual sense of the policy is ignored in favour of simplistic rejection of naive liberal weakness (as they see it).


May cut 20,000 police, which even the Daily Mail has recognised might be a more direct that to safety.

http://www.dailymail.co.uk/news/article-4571186/May-cut-poli...


Safety is safety for now. Privacy is safety for whenever someone who doesn't like you gets into power. I would argue sacrificing long term safety for short term safety is short sighted.

This also isn't just privacy - they want to ban websites with content they find extreme on. Democracy doesn't work without the ability to discuss ideas.

They talk about Islamic extremists, and you say "sure, that ideology is evil", then maybe they go after proponents of assisted suicide - after all, it's illegal and they are suggesting doctors kill people! Then maybe someone else gets into power and they ban abortion - can't set up a website suggesting people kill babies! Or perhaps someone else gets in and says "This party wants to defund the NHS! People will die, better ban that!".


Yeah I get that. The problem is that you can't exchange one for the other: no amount of non-privacy would have prevented this attack. This has been proven over and over again, even all the way back to the 17th century. But even this attack alone proves it. They were known to police expressing the exact creed they carried out.


Then we failed to get the point across.


Yes. I believe we have. Not for lack of trying, however. I'm open to ideas.


She has been after this for years, there's absolutely no chance of her retracting it, unfortunately :(


I think you meant "Either should get her elected again."


You can hide meaning in plain English just by making it hard to read your intentions or the context that the sentence is given in. Take double entendres for example. Should we ban any grammatical construction that could possibly hide some second meaning?


It won't be necessary to ban ambiguity directly - the effect will be accomplished by harshly policing any problematic potential hidden meaning as "subversive" or "hate speech". It will then be wiser to avoid such constructions.

Of course it raises the question of what constitutes forbidden speech. To answer that I would look towards the opinions you are already frightened to voice publicly.


Isn't hate speech more of a different matter? I can't really see how it relates except under the umbrella of restricting speech, and I'd argue that there are various good reasons for restricting some speech, for example assault and shouting 'fire' in a crowded theatre.


I'd like to encourage people who mention the "shouting 'fire'" thing to have a look at Ken White's comments on this:

https://www.popehat.com/2012/09/19/three-generations-of-a-ha...

(brief excerpt from a much longer piece: "Holmes' famous quote comes in the context of a series of early 1919 Supreme Court decisions in which he endorsed government censorship of wartime dissent — dissent that is now clearly protected by subsequent First Amendment authority. The three cases in question arose from socialist criticism of conscription during World War One. The criticism at issue, to modern tastes, was a clearly protected and rather mild expression of opinion.")


Non-technical person's reply:

Don't be silly! I understand the interpretation of information in a conversation; if someone were doing this I could tell. But I don't understand cryptography mathematical mumbo-jumbo. Therefore these two situations are nothing alike. Let's ban crypto.


The end-game of BigSister is probably for ISPs to drop any encrypted packets. This seems doable. She's not as naive as the article makes out and undoubtedly takes advice from very smart people at GCHQ.

I agree that steganography can be a solution to sustain open communication. It's less brittle than crypto but offers weaker guarantees. I know of a suitable system design. Not plain English, rather plain bitfield.


Oh yes, drop all HTTPS traffic, and bankrupt the City after every fraud insurance is activated at once in the entire UK. What could possibly go wrong?


Just write the law so that it exempts really big businesses. After all the financial sector is already effectively an arm of the state. If they were genuinely independent businesses they would be allowed to go bankrupt when they make bad decisions, after all that is what limited liability was created for.


Ah, so we don't just have a fast internet lane, we also have a secure internet lane. And of course, a fast and secure internet lane costs more than double!


You're right, not universally dropped packets. Opt-in MITM with dropped packets as default?


Like pizza gate - yeah these are the BEST hot dogs


This propaganda about good guys backdoors being impossible again. This is cryptographic bullshit of the highest degree. We've had the DUAL_EC scandal, for once, as an example of NSA backdoor which as far as was proved, only the NSA could crack. And with the fact that the NSA had so many bad leaks, yet still everyone except the NSA can't crack it, proved that backdoors are not only possible, but were going on behind our backs.

Don't get me wrong - I'm completely against backdoors. But when you shift the argument into "we won't do it because it's impossible", you're already agreeing that it should be done, while your argument won't hold because it is in fact possible.

There's three kinds of people: 1. Non-technical people (theresea may) that want backdoors are don't care about whether it's possible or not. 2. Technical users, with a vague general knowledge of cryptography, and the imprinted thumb rule of "backdoors are bad" 3. People with actual knowledge in cryptography which had already been doing research about why it is possible for years. Just a teaser: https://en.wikipedia.org/wiki/Kleptography

Of course, the real issue would be the scale and the distribution of access to the backdoor to various agencies.


Utterly specious logic.

>And with the fact that the NSA had so many bad leaks, yet still everyone except the NSA can't crack it, proved that backdoors are not only possible, but were going on behind our backs.

How do you know that no other intelligence services have broken it? You don't show someone you've broken their ciphers unless you have to.


You make some interesting points, albeit in a rather confrontational style.

>We've had the DUAL_EC scandal, for once, as an example of NSA backdoor which as far as was proved, only the NSA could crack.

I am not a cryptographer but I understood this a little differently from the wikipedia article https://en.wikipedia.org/wiki/Dual_EC_DRBG

> proved that backdoors are not only possible...

This is not disputed. What is disputed is that there is some safe way of doing it

> but were going on behind our backs...

A number of people outside of the NSA had identified the possibility of a backdoor. It seems some decided to overlook it or felt powerless to do anything. Indeed some others patented it, thereby making it public. Maybe the $10M grant affected some peoples judgement

> only the NSA could crack

If I understand correctly the flaw weakened the selection of key parameters in a way that made it easier to brute force, by dramatically reducing the possible start points. If another nation state had brought their resources to this, maybe they could have exploited it and, most likely, they wouldn't have made that public. Moreover the Juniper scandal (mentioned at the end of the same article which was rather convenient) suggests that a third party did indeed make use of this backdoor.

> the real issue would be the scale and the distribution of access to the backdoor to various agencies.

Which was a point discussed in the original article at some length


Also, when you don't fight the real issue, which is that we shouldn't want backdoors in the first place, all those agencies can offer their backdoor to the decision makers (maybe it even happened with DUAL_EC - who knows? maybe already happening as we speak), and when all decision makers hear is "impossible" and "impossible", but never "don't do that", they will silently agree and you wouldn't know a damn thing about it.


I can also imagine a front-door approach where they legalize encryption only if you let the the government cosign the message with their own private key, say, through a web service. Not saying that's practical but it is possible.


I just posted a similar, if much less comprehensive comment. I'm troubled you've been downvoted for this.

Your second point in particular is highly significant. In general, "it's impossible" should be avoided as an argument when one's true objections are ethical. You don't want to be left standing naked because of some clever engineering.


It depends what you mean by "it's impossible" when you are discussing 'good-guy backdoors'. I don't think the article was saying its impossible just because it is technologically hard. The article discussed at length that what was impossible is that the keys would be guaranteed to stay in the hands of good guys, and that the good-guys would always be good.

I think it is perfectly reasonable to say that that is impossible.


I couldn't agree more. Saying that it's impossible to backdoor encryption in a "secure" (so long as you trust the government holding the 3rd key) is a very dangerous stance to take. It just sends this message to people who might campaign against backdoors that we don't need to bother - after all it's impossible.


The NSA was smart. They weren't advocating banning encryption, but what they did was weaken cryptography by tricking everyone into using ellptic curve cryptography with their EC.


"Terrorists can discuss things in private at their homes so we are going to put cameras on every home"

Same argument, just as ridiculous.


Give it a few more years...


Consumers are already willingly installing telescreens in their homes.


Think of something you don't do yourself, but would like to see banned. Could be guns, drugs, fox hunting, cars, eating meat, religion, anything, it doesn't matter.

Now consider there are people who feel exactly the same about your thing as you do about theirs. Civilisation absolutely requires that for them to leave you alone, you must be willing to do the same.


But there are things we do ban other people from doing (e.g. murder or owning slaves, to pick uncontroversial examples). There are some principles that are personal, but also some that are agreed on collectively, as a society or civilization.

Of course, then nobody "leaves us alone" on these things, but we agree by majority on first principles and then argue from those to collectively decide what is allowed and what isn't (i.e. allowed from the people and allowed from the government). Free speech and privacy are examples of such principles. So you can definitely have a social contract where mass surveillance is unacceptable, but rules on not hunting endangered species or owning certain type of weapons can exist[1]. I don't think May should be prevented from arguing for surveillance, but by the same token, people also have a right to oppose her on it.

Yes, this opens us to the possibility of losing the debate on encryption, at particular times and historical periods. Whereas having the iron clad rule that all can do as they please does not. But the later rule, applied in extremis, makes civilization impossible. Because again, we do want to ban people from doing certain things, that is what civilization means. The point that we need to argue is that banning people from having privacy causes more harm to what makes us human than a few horrific crimes do.

The anarchist posture is... complex. But the (absolute) libertarian posture is hypocritical. It wants a very particular set of rules to apply and be enforced by the state (e.g. private property), whereas decrying rules and state enforcement in general.

[1] And U.S. gun-owning folks agree on having rules against owning some kinds of weapons, I would think. At the very least I have never heard one argue for their god given right to own an ICBM on 2nd amendment grounds... is just that we disagree on the type of weapons that should be controlled.


> I have never heard one argue for their god given right to own an ICBM on 2nd amendment grounds...

You'd be surprised. There's an absolutist argument that goes like this: back when 2A was founded, it was common for private people to own artillery and warships, which were the pinnacle of that era's military technology. Therefore, the authors of 2A did not envision any limitations. Therefore, this should still be the case.

Granted, this is very much a fringe view even in the gun owner community. But there are enough people holding it, that you can actually see it argued on American gun forums etc occasionally.

It also springs up in fiction sometimes. In Vinge's "The Ungoverned" short story, there are privately owned tactical nukes. Which are actually used. Granted, that is considered an extreme case even for the described anarcho-capitalist frontier society, enough so to warrant an immediate all-out attack by other people on anyone discovered possessing them. And Vinge is actually ancap himself - and, so far as I recall, he actually said something along the lines of that story describing a society he wouldn't consider undesirable.


Both murder and slavery involve other people directly, so they are obviously out of scope for this


That's a valid point, I think, but I am not sure the line is as clear as you make it out to be. What is your definition of 'directly' here? I can think of ways in which e.g. hunting endangered species, owning weapons or eating meat affect others. Note that, of those: I revile one, I am undecided on one and I personally do another, but in all three cases I can think of ways they affect me when others do each of those things. Sure, they affect me in a way that is perhaps different than being the target of murder or slavery would, I'll definitely agree with you on that. But it is a leap from there to saying that those are matters society should not be involved in.

Consider nuclear proliferation: in theory it does not affect people 'directly', until it does (note that any logic about increased potential risk applies to gun ownership too, at a different scale). Now consider pollution: affects people directly, but in a diffuse degree. Vaccinations? (I was born in a country where a specific set of those are mandatory, I approve of that [1]). There is a limit to how much a man is an island.

I am a firm believer in having a right to privacy; a strong, fundamental, constitutional right. I would consider forms of deflection or civil disobedience in a society that aligned itself too strongly against that right. But that doesn't mean is not ultimately a matter of societal values of societal construction.

[1] Obviously they are mandatory to those with a healthy immune system who can be vaccinated, and a number of other caveats, but still, the state makes it its business whether or not you vaccinate your kids, and we are better off for it...


This reduces to "no-one should restrict the right of anyone to do anything". Why draw the line where you've done? Why shouldn't we also allow explicit torture of animals? Why shouldn't we legalize the making of death threats? Etc.


A good place to draw the line is one that places responsibility on the tool-wielders, and not on the mere existence or possession of the tools themselves.

Many of us object to gun control on that basis, and the same reasoning can be applied to encryption.

In fact, there's really not a lot you can say about one that you can't say about the other. No private citizen "needs" access to encryption so strong that even intelligence agencies can't break it, any more than any private citizen "needs" to own a weapon whose only purpose is killing. Right?


    > A good place to draw the line is one that places
    > responsibility on the tool-wielders [...] many of us
    > object to gun control on that basis.
I've yet to see someone make this argument who doesn't acknowledge that the mere posession of certain weaponry should be banned because it's too powerful, the difference is just whether you think guns should fall under that umbrella.

Or do you think private people should be allowed to buy hydrogen bombs?


Or do you think private people should be allowed to buy hydrogen bombs?

On what planet do you anticipate gun control laws having any effect whatsoever on the plans of someone who is inclined to acquire a hydrogen bomb?


On a planet that follows your advice that the line shouldn't be drawn at outlawing tools, and instead certain usage should be made illegal, "not [..] the mere existence or possession of the tools themselves".

I'm just taking your argument to its logical conclusion. I think that argument makes no sense, since it clearly leads to absurd outcomes, such as being able to purchase nukes, armed fighter jets, tanks, MRAPs, mines, chemical weapons etc.


For the most part, the examples you cite aren't "militia"-class weapons. They fall under the purview of multinational agreements like ITAR, not the Second Amendment. The argument is ridiculous because if you possess things like nukes, you're either a sovereign state or a non-state actor at the international level. You're not playing the role of a US citizen subject to Constitutional laws and protections. Absolutely no enlightenment can be had on the subject of gun control by bringing up thermonuclear weapons and saying, "So there!"

You're in good company, though, because the ACLU does the same thing in attempting to wriggle out of supporting Second Amendment rights.


The point is that, in the absence of laws regulating private possession of nukes, the only limit on obtaining one would be financial resources necessary to do so. This requires an actor that operates on the same scale as states, but e.g. modern transnational corporations are on that scale. If Apple invested its $250 billion into procuring a nuke, do you think they would be unable to do so? Would you be comfortable if they did?


If Apple invested its $250 billion into procuring a nuke, do you think they would be unable to do so? Would you be comfortable if they did?

It's an interesting question, all right. I'd ultimately have to throw up my hands and classify it as one of the ever-growing threats to human existence over which I have no control. Frankly I'd be more comfortable with Tim Cook's finger on the big red button than Donald Trump's or Mike Pence's.

I could totally see Woz building a nuke in his garage, just to see if he could do it...


You're commenting in a thread about the UK. Bringing up the specifics of US gun control law is completely irrelevant.

Yes of course any country trying to cell hydrogen bombs or chemical weapons to its citizens couldn't do so without international sanctions. The example is clearly ridiculous, but it's brought up in the context of illustrating that your argument is equally outlandish.


I can see your point, but I think you are glossing over nuance that is specific to tech. The Internet is pervasive and technology is ubiquitous.

With a single gun, a man can only kill as many people as he can see with the number of bullets on his person. With a computer and a connection to the internet, his reach and potential scale is much greater. That is why such powerful encryption is required for your average citizen.


With a computer and a connection to the internet, his reach and potential scale is much greater. That is why such powerful encryption is required for your average citizen.

I wonder if the encryption dilemma will ultimately be resolved with blockchain-like techniques. Cryptocurrencies work because their underlying trust processes are deliberately designed to require ever-increasing amounts of CPU time. They can be attacked, but only by spending enough resources to out-mine the other nodes. While possible in theory, it's simply not worthwhile for an attacker to marshal the kinds of resources that would be required to attack Bitcoin or similar blockchains.

So, while back doors for government access are stupid and unworkable for all of the reasons that people have stated, what about requiring a hypothetical encryption standard with no known backdoors or attack surfaces, but that is just strong enough to be broken by agencies like the GCHQ or NSA who can throw gigawatt-hours of computer time at the problem? Basically, if the government really wants to read my mail, they can, but it will cost them. It might take them hours to discover a given key, while nobody with a room full of GPUs or even a botnet could do it in less than several years.

In such a scenario, we'd be sufficiently safe from attack by cybercriminals, and most of the time, from our governments as well. Governments would still be able to target anybody, but unlike the case where a back door is mandated, they wouldn't be able to target everybody. That could limit the amount of harm that bad actors in the government could do.

It would be similar to the rationale of banning ownership of high-capacity magazines, except unlike that sort of feel-good measure, it might actually work.


The immediate problem that I can see with this is that any government can target you, not just your own. Which means that, 1) you might not have any recourse, nor even demand any accountability, from your attacker, and 2) a foreign government might attack crucial private entities, or even public infrastructure that is below the "unbreakable" protection level.

But ultimately, the real question is - how do you enforce this, short of a massive censorship effort (and even then)? We already know how to make strong crypto. You can make it illegal, but unless you have a specific plan as to how to prevent me from coding, say, AES from scratch, I don't see how this would actually help prevent secure communications between terrorists and other high-risk criminals (and I would argue that criminal activity that is not severe enough that its perpetrators wouldn't invest into crypto even if it's banned, is not the kind that can be reasonably used to justify banning crypto in the first place).

So it is actually a lot like the high-cap mag bans - it's so simple to make them, that someone who would really derive benefit from having one would just do so. Same thing here.


I could live with this reality. As citizens, we will more or less be at the mercy of government to some extent, if only due to the scale of their operations.

I see this as the equivalent to governments having access to tanks, artillery, airforce and nukes while civilians have mere access to guns and knives.

Whether civilians should have access to guns is a discussion I would like to remain not a part of.


It really does seem that these people have lists of power grabbing desires ready and waiting for the next attack. I imagine this woman's first private reaction to the news of this attack was not sadness or concern for the victims, but joy/excitement about the possibility of exploiting the situation to achieve her political goals.


Yes, let's increase the size of the haystack. I've yet to see proof that having the ability to read each and every communication would have prevented any attack that from the last couple of years. For the most part the criminals communicated in clear text SMS or on open phone lines or in game chatrooms. If they needed advanced crypto that would prove at least that we have done everything else to make their lives harder, but so far it looks as if there is plenty of low hanging fruit.

Suggestion: reduce the size of the haystack further so that limited manpower can be concentrated on those cases where it is actually useful rather than to chase each and every 16 year old with a twitter account or a facebook page.


The real issue on putting backdoors, the way I see it, is that once you gave one government an access, you've already set a precedence and you can now be compelled by other governments to do the same.

Giving other governments backdoors would actually hurt the original country more than the backdoor could ever help it.

Segmenting the software according to which government is given backdoor will freeze the whole industry, and you would still have the unsolvable problem of imported protocols with different countries backdoors.

If the problem was only "good guys"-"bad guys" it would be solvable, but there are no good guys. There are so many countries, and each of them trust only themselves.


This is a good primer on the technical side of this madness. It is quite accessible and therefore a good one to share with people who don't yet realize that what May is trying to do will mean the end of the internet and tech industry in the UK.


Misses an additional point: they would need to ban software development. Or at least, dev by unapproved, unmonitored parties.

Code to encrypt using one (of the many) algorithms shipped in .NET (which is open source right down to the compiler, and so hard to tamper with):

  RijndaelManaged RMCrypto = new RijndaelManaged();  
  CryptoStream CryptStream = new CryptoStream(NetStream, RMCrypto.CreateEncryptor(Key, IV), CryptoStreamMode.Write);
Even if they banned everything else, people who want to create secure communications can do so with the aid of less than an hour of a capable developer's time.


On top of that: How you you distinguish an encrypted document from a data serialized according to a proprietary format?

As long as the algorithm to write the data is unknown and secret, this is essentially a cryptographic algorithm - you can't read the information on disk without the secret, unless you invest a lot of time. Weak crypto, mind you, because we'll probably be able to decrypt it in polynomial time.

So suddenly, all storage formats need to be openly documented?


Very nice of the author to spell 'Iphone' and 'Ios' in accordance with English capitalisation rules, refusing to submit to the idiotic dictates of some marketing department. Well done sir!


The list which the author introduces with the words "This, then, is what Theresa May is proposing:" sounds mad to anyone who knows anything about cryptography but they (Theresa May doesn't differ much from her western colleagues here!) really mean it! So even though they will not be able to fully succeed in reaching their goal, they are going to make our digital lives very, very miserable if we don't find a way to short-circuit such insane plans asap!


Perhaps we should no longer assume that politicians 'do not understand the internet' and assume they are asking for changes in the full understanding that they don't achieve the goal for which they're introduced.

As long as the situation that's being created is more favourable for them than the current one it's a net benefit.

Short-term politics is the biggest threat to UK society at the moment and the current government is particularly good at it.


I'd say the reason that the people in power want to be able to collect all information is not to protect the people, but instead to protect themselves and their friends in powerful positions.

One of the main threats to these large organisations and the people at the top of them ate journalists and whistleblowers. Because those are two groups of people that can provide critical data and reasoning on bad and evil things that are done within such large organisations.

So having the ability to find out who said what to whom will allow them to crack down or reporters and journalists before they can get their stories out. And it will allow them to trace and find out who the people are leaking sensitive information outside and deal with them.

In some way this is about protecting the people, just not the people we are all thinking of.


It does not help that the tech companies preach a kind of false equivalence here. Part of their argument is that they are investing a lot in ensuring they can "take down" these posts quickly.

So, the legal system in most countries is that if you post something explicitly (not in jest, or metaphor, but quite deliberately and with the intent of other people's death) asking people to murder other people, that is something that you perhaps ought to be charged with an offence over.

Meanwhile Facebook, etc, essentially argue that ok, they posted a request for the murder of a lot of people, but hey, we took it down after only a few thousand people read it, and we've closed the account (until they open another one), so that's job done, no need to prosecute any further, you shouldn't ask us to cooperate with police, we've got adverts to sell here.

Small wonder that governments are changing the law, when tech companies regard requests to kill people as something that, if really pushed, they'll treat as equivalent to how they handle copyright infringement, but actually there's less money in it for them so would you mind if it was a bit further down the planned feature list.


So how should they proceed without fundamentally altering the way their platforms work?


I seriously doubt a coordinated terrorist attack is done as a public facebook post. Isn't that a whole other issue?


Mathematicians: 2 + 2 = 4

UK PM: We'd like you to make it so that 2 + 2 = 5.

Mathematicians: That's mathematically impossible

UK PM: You just need to try harder


This is obviously nonsense - but I'm not envious of someone who has to stand at a podium and say something that will make voters believe you'll sort this problem. Nigel Farage just suggested internment camps (on Fox News). That's where we are now.

I don't think May's suggestion has any way of ever working - but her listeners don't understand that. This is populism in its purest form.


It would seem we've been able to see the real Nigel Farage, now that he has moved away.


I think by now our surveillance protectors already have total information awareness, well perhaps 90% of the information and not very great awareness. But i doubt lack of information is limitation on awareness. They could do a lot better even with less information, i suppose.

So why demand ever more intrusive powers? I think its just an excuse, and that they dont have great ideas to preempt attacks.


Man, I really need to move to the U.S.

Canada is becoming hostile to speech and the family with M-103, C-16, and Ontario Bill 89. Britain had to choose between a man who doesn't understand the nuclear deterrent and who would screw them in their biggest negotiation for decades, who would probably end up controlling the internet for antisemitic causes rather than ostensibly counter-terrorism causes; and a lady who doesn't understand any of the technical implications of the whoops-tyrannical policies she presents (in the middle of a campaign no less, are they all daft?). And because the UK Tories didn't do the smart thing and hang on to their popular moment for dear life to secure a supermajority, there's a hung parliament, which is only slightly better than the probably-antisemitic national socialist labour party getting a majority.

Prime minister doesn't even pretend to be meritocratic, denigrates his cabinet by saying that they were picked for their gender. The Social Justice Tribunals (actual name of the institution, not hyperbolic slur) are out of control. At least the U.S. has a real constitution, which at least purports to protect freedom of speech, the right to petition, and the right of the people to keep and bear arms.

Britain and Canada are sinking into the earth's core under smiling faces, and DJT is somehow making America better despite being a rough buffoon. Every day is opposite day.


No sane non-UK company will want to do any R&D or other sensitive stuff in the UK anymore, lest GCHQ leak their communications to their UK-based competition.


Do it May, I dare you.

It will launch the geek equiilivelent of the Manhattan project to find the master keys, and whoever does find them will become incredibly rich and powerful.



I don't see how that applies. Steganography cannot be used to hide encryption on a large scale because all steganography techniques depend either on the obscurity of the technique or on disguising encrypted data as other opaque encrypted data. You couldn't e.g. use steganography to hide that you're accessing a website via TLS because the client needs to know how to communicate with the server, and there's no way to make that possible for arbitrary citizens but not for government agents.


> If you want a preview of what a back door looks like, just look at the US Transportation Security Administration’s “master keys” for the locks on our luggage

Good point. I have the same issue in my building. The postman has a master key to open the mailboxes. Apparently, these master keys are now well-spread and I can't order packages anymore as they get stolen.


Even if this was actually possible to do without compromising our security, it would not achieve anything as the bad guys will just use alternative methods to achieve their goals.

End game: Society will be none the safer, and the government/puppet masters will have total surveillance.


If 99.99% of made transactions are not malicious in nature why should people who made those transactions suffer? There are other means to detect suspects that don’t ask for a cost of a privacy of the nation.

On the whole other point of this don’t you think there’s a chance to the possibility that certain terror/cyber attacks were made by some intelligence agency? Timing on this is too convenient.

Besides, there is no known method that can resolve all types of cryptographic methods thus it makes it useless spending of taxpayers’ money.


To all my still-EU-cocitizens: you still have the possibility to leave your neo-facist country for another part of Europe. It will not get better, as the anglo-saxon world is currently destructing itself.


Why do they want to ban crypto? Because of terrorism? Why does Poland or Hungary don't want to ban crypto and why don't they have terrorism?

Easy solution: Ban Islam and Muslim migration.


Using fear to push for restrictive laws is not news, pretty much every government did it or will do it one day. It's just too tempting, people will accept the restrictions as a mean to fight terrorism/pedophiles/serial killers/$CURRENTENEMY etc. until the new laws will be slowly and silently used to quench dissent.


The article is pretty sniffy about Hogwarts' security, but it's missing an important point: magic can detect intent. So yeah, it might be possible for Harry Potter to build what Theresa May is asking for, but a) he doesn't exists and b) I'm pretty sure it'd be against his progressive principles.


If I had to explain the basics of "information" and "communication" to average people, I would say something like this.

There is no difference in the communication over the internet, over the letter mail, or verbal communication with voice. The encryption can be used in any form of communication. And the problem of banning it is always the same.

Banning the encryption is impossible simply because detecting the encryption is impossible. When you see two persons on the street, one says that the weather is nice, and the other responds that the grass is green, you can never know if there is some hidden message in their communication. Encrypted information can always be "tunneled" through unencrypted channels. Even if you ban all computer apps with encryption, you ban people from making own apps, make every person wear a microphone and a camera 24/7, there will always be a way to deliver information from one person to another without anybody else knowing about it.

Actually, banning encryption apps may be good for privacy, because you never know if the app maker made some backdoors in their encryption method and he already sells your information to somebody.


>Actually, banning encryption apps may be good for privacy, because you never know if the app maker made some backdoors in their encryption method and he already sells your information to somebody.

IMHO, the answer to this lies in Open Source + reproducible builds/compilation. Not in banning/not using apps that promise privacy.

If what you're trying to achieve is awareness about the possible false sense of security (when not appropriate), then the answer is educating people about it.

EDIT: Typos/Grammar.


The truth is that Britain and the US has been funding Palestinian terror for years and PM May knows this but refuses to withdraw funding:

https://www.nytimes.com/2017/05/02/world/middleeast/palestin....

"The issue of payments to families of suicide bombers and others who commit violence has become a frequent complaint by Israel and its supporters. The Palestinian Authority spends about $315 million a year to distribute cash and benefits to 36,000 families"....

Only last week the Palestinians named a women's center after Dalal Mughrabi who hijacked a bus on Israel’s Coastal Road and killed 38 civilians, 13 of them children, and wounded over 70.

I feel the pain of the British from the terrorist attacks, but why don't they stop all funding to the Palestinians until we can be certain they are no longer funding terror nor glorifying terrorists? Why doesn't President Trump stop all funding if he is truly serious about combatting terror?


I don't think it's the Palestinians in this case, but you are right all foreign relations ought to be examined.


It is very disturbing that people have down voted this implying the believe it is OK for US and British taxpayers to fund and incentivize Palestinian terrorists and funding a Palestinian government that names a women's center after a terrorist.


Yitzhak Shamir was the leader of a self-avowed Zionist terrorist group that directly orchestrated the murders of hundreds of civilians, politicians, policemen, and scientists.

Israel made him Prime Minister and, in honor of his centenary in recent months, has named research institutes and hospitals in his memory to add to the streets and parks that already bore his name.

How much funding and incentive has Israel received from US and UK taxpayers?


When it comes to terror, there is no middle ground. If you are against terror in the Britain and the US then you are against terror in Israel.

> "hundreds of civilians, politicians, policemen, and scientists"

Please cite your sources. The British had appointed the head of the Palestinians a terrorist who was responsible for the deaths of 73 Jewish students in Hebron in 1929 including 10 Americans. It was this man who became "The Grand Mufti of Jerusalem" who later spent WW II as a guest of Hitler's in Berlin. This man who was appointed by the British wanted Hitler to bring "The Final Solution" to the Middle East.

It was Israel which bombed the Iraqi Nuclear Reactor which made Operation Desert Storm far easier than it would have been if Iraq would have had nuclear weapons. Israel is committed to fighting terror and not letting terrorists get away with terror. See Steven Spielberg's movie, "Munich" about how the Palestinian terrorists that killed 11 Israeli athletes in the 1972 Munich Olympics were tracked down and killed. Or see how once prevalent airplane hijackings were stopped by the Israeli "Raid on Entebbe" which itself was featured in 3 different movies.

There has to be zero tolerance for terror. The Palestinians, instead of combatting terror embrace it. They honor terrorists and they pay them and their families over $300 million per year of US and British taxpayer money.

http://www.timesofisrael.com/un-chief-pulls-support-for-pale...

"Palestinian Media Watch, which first brought attention to the naming of the women’s center, recently quoted a local village leader saying that “the center will focus especially on the history of the struggle of Martyr Dalal Mughrabi and on presenting it to the youth groups, and…constitutes the beginning of the launch of enrichment activities regarding the history of the Palestinian struggle.”

In addition to the women’s center in Burqa, the PA has named a number of events and facilities in honor of Mughrabi and the other terrorists who died during the massacre in a firefight with Israeli security forces, with the ruling Fatah party repeatedly hailing them as “martyrs.”

There will never be a Palestinian State until the Palestinians elect leadership that denounce terror instead of embracing it.


If they ban secure software it surely will work as terrorists are law-abiding citizens. Right?


About the Travelsentry locks, what happen if someone from the airport open your luggage, and tamper with the content?

How can one be sure that the content their luggage has not been tampered with? I assume the answer is no but would love to hear otherwise


Lots of discussion earlier here https://news.ycombinator.com/item?id=14480758


The solution is a drivers license to use the internet. No more anonymity. Can't create backdoors(that'd be like removing the steering wheels from cars), but the internet is a public space like our highways. You can cause a lot of damage there, so you should have a license or passport.

Controlling speech or disabling crypto is very Orwellian.

obfuscating crypto is trivial. God Kay must either be as dumb as Trump acts or think we are all stupid.


"The solution is a drivers license to use the internet. No more anonymity."

Ten seconds later, someone else is posting under your license and you have no clue how and you're stuck talking to a scripted call centre employee who can't help and a police force that isn't interested.

5 billion people around the world are ignoring a "UK driver's license" for internet communication, particularly including potential terrorists. And domestic terrorists are communicating with a license out to an ordinary seeming server and not tripping any flags.

and how would it even work when you take into account free public wifi and carrier grade NAT? There's no equivalent to a single car with an easily tracked registration plate that each person drives over and over and over.

And the internet is explicitly not a public space, it goes from your computer to (say) Comcast's computers, to intermediate carrier computers, to Facebook's computers. There's absolutely nothing public in the same way that highways are public.

You can cause a lot of damage there

We're talking pictures and text. What damage? Do you also want a license to write on paper or post letters or send SMS or make phonecalls or draw paintings or write news or pamphlets or speak where more than two people can hear you?

License so you don't run an exploit on someone else's computer? That's already illegal.


> The solution is a drivers license to use the internet. No more anonymity.

That's not a solution, that's a failure and a regression. There is nothing wrong with the way the internet works right now.


Wow, really? The internet is very very broken. I believe in privacy, but I am also a very very big believer in accountability.

Anyways, disabling crypto is super stupid. We all agree on that. Terrorists will just embed crypto in images.

Kay also wants to restrict access to pron but that's her hang up.


> Wow, really? The internet is very very broken.

It works fine for me. I view the pseudo-anonymous nature of the Internet as a feature, not a bug.

I think we agree fundamentally that attempting to ban or restrict math is ridiculous. For the sake of discussion - what specifically about the current structure of the Internet is broken? You allude to accountability, but it's fairly easy for law enforcement to track someone down (in the "not-using-7-proxies" case - and even then, just repeat step 1 below):

* Subpoena a site for IP records

* Subpoena their ISP for subscriber information

Now, whether that person is actually located somewhere actionable is another question - but that's a geopolitical problem, not an Internet problem. The first point - sure, maybe a site doesn't keep IP logs. Are you saying it should be mandatory to track the source of posts? (Should it be mandatory for physical establishments to log the biometrics of visitors? If the answer to these questions is different, why?)

How would your proposal for tying Internet access to physical identity (e.g. drivers' licenses) impact access for those in developing nations? There are already a lot of hoops for them to jump through to get online.

Edit: I didn't downvote, by the way - I do still believe in the HN ethos of only downvoting spam/meme posts. People should have a chance to read both sides of a discussion.


>there's no back door that only lets good guys go through it.

Much as I agree with the general principle, this argument is flawed (except insofar as 'good guys' do not remain 'good'). What exactly is a crypto key, if not a "back door that only lets X go through it"?


I think what gets missed is that communcations interceptors are an entire platform (not just a key somewhere). There are lots of computers glommed onto the network to make the capability happen and humans to manage them.

The hard part is managing keys, access, storage, networking etc. The security on a lot of "lawful access" systems for cell networks is not as great as one would hope, and the LI system is sometimes the goal of attackers in a telco.

Just the capability (click n clone or tap to disk) is dangerous even when turned off. Of course, no one actually makes a telephony system without LI...


Every single implementation of cryptography would be required to encrypt the message both with the original key and separately with the government master key, and store / transmit both. The master key suddenly becomes very valuable, and the incentive to crack it is enormous. In addition, there would be an enormous amount of ciphertext available that's encrypted with that key, and it would likely be shared widely across government.

Also, wouldn't this require severely limiting the number of permitted encryption algorithms?


A clever system would easily mitigate your first point, probably with some sort of rolling key + key hierarchy (much like SSL and certificate authorities).

As to your second point, yes. It would require severely limiting a great deal of things. Consider that "impossible" at your peril.


I don't want to make this too political, but I am really curious about people's perspectives. Please stay like close to the center in your response to my question, obviously it is easy to make a kneejerk response. (I address this at the end of this comment.)

So, we heard about a recent terrorist that he was banned from his Mosque (for being too radical), reported by other Muslims, and that the FBI also reported him to the UK.

What do you guys think that the UK should do in this case?

I mean let's take an absurd example of a petition by 50 people from mosques and community saying, "Hey, this person is not a member of our community but is spouting radical nonsense and wants to commit terror."

In this case what should be done?

I am drawing a complete blank, because it doesn't take long to prepare terrorist acts but until you do them you aren't really a terrorist.

The only thing I can think of is something that even I can see would be a joke. If the government came to me and said, "hey we received over 12 people asking us to watch you because you are a terrorist. We'd like you to voluntarily participate in civilization training to better understand why terrorism is wrong. You'll get £200 for participating."

But I can hardly type that without it sounding like a joke. I mean there's politeness but this sounds just absurd. (I added the £200 part because I think there is no way they would agree otherwise. But if it's not voluntary then that doesn't sit right with me either.)

So in this actual, real-world case, what should the UK have done?

I don't think increasing surveillance so that you catch someone between the 45 minutes it takes them to inform themselves how to perform terrorism, and going and doing it. People are pretty strong and powerful and have a million tools of every kind, more surveillance couldn't possibly help here, I mean the reaction time would have to be like seconds from when someone chooses to start googling how to do terrorism to making a concrete enough plot to be criminal. It's just not a solution.

So returning to my question -- for the case I mentioned, what should we done?

Note: I understand that it is easy to make a flippant, knee-jerk response. For example, it is easy to say, "if someone reports a muslim for radical speech the reported muslim should be thrown in prison without a trial, and throw away the key". I really don't want to start a thread like that so please don't respond if you have attitudes like this: I've represented your response in this last paragraph and ask you please not to derail this thread on this subject. Yes, it is very easy to deal with if totalitarianism is okay. I specifically say this because I know people in real life who would make exactly this response or one exactly like it. That is not my question and I've represented this position in this paragraph, no need to repeat it, and you would just get downvoted. In this comment I am asking for people's practical ideas that are close to the center, if they have any. Thank you.


What should we do?

We should man up (metaphorically speaking) and accept that a few attacks from violent nutcases every so often are the price of living in a free society.


this is fair, but you do have to be careful because as you may or may not know, many parts of the world are literal war zones. So "a few" can become "an explosion in London killing 10-30 people, occurring about once a year". Or once a month. Or twice a day.

Obviously you do agree that at some point there is a line to draw. so the argument for finding the solution to this early on is not without merit.

"a stitch in time saves nine." Maybe two pamphlets sent twice a year to every address in the UK, describing why civilization and a free society is great and explaining why it means not blowing people or yourself up, would solve these people. If that costs £70 million per year but cuts terrorism down by 85%, how many people need to die before you would say, hey that's worth doing: 100 people a year? 500? 1,000? 5,000? 10,000? At that point it costs taxpayers around £7,000 per victim and since fatal victims of terrorism stop paying taxes at that point it is free.

I Googled how many people died from Terrorism in the UK. This article from literally yesterday says....

http://www.telegraph.co.uk/news/0/many-people-killed-terrori...

Well, that article says:

- 13 people died because of terrorism in the UK between 2010 and 2015.

So obviously we are very far from that metric. Actually this kind of supports your assertion.

It doesn't mean nothing needs to be done but your point is a lot stronger than I thought! Thanks for the response.


These attacks are not random like lightning strikes. They are motivated by an ideology that wishes to spread. And it will if we don't respond decisively.


I would posit that having such information, from multiple unrelated sources, could be reasonably used to justify a court warrant that would allow pretty much 24/7 surveillance using any legitimate means. At least for a while.

And that is more or less what they do. The problem, apparently, is that they don't have the resources for this level of surveillance for all the "persons of interest".

And I disagree that increased surveillance wouldn't possibly help here. In all cases that I'm aware of so far, there had been some advanced preparation - and not "45 minutes" advanced. E.g. in the recent London attacks, apparently, the guy was inquiring about how to rent a truck in the past days. If he had been monitored, that alone would have likely triggered an even higher readiness level for a while (to the point of "SWAT team on standby in a van outside of the residence").


> I am drawing a complete blank, because it doesn't take long to prepare terrorist acts but until you do them you aren't really a terrorist.

Presumably he has to make some plans and if he does that with someone else then they are both guilty of conspiracy to commit a crime. If the police had the resources to follow this up (physical boots on pavement type resources that is) and the courts had the time they could follow this up and have a chance of preventing the planned crime by using the laws we already have.

And perhaps your £200 idea could even work. Not everyone who gets frustrated, angry, and violent is a committed radical. The problem is that we all want this problem to be fixed without it costing us any money, time, or effort.


Do you know, did the case I mention have someone else they conspired together with?

As for the £200 thing. I know I "floated" this idea but I can't try to evaluate the idea I mentioned without it sounding like a joke. But if I try really hard and set aside my reaction to it: if it really did work than £200 a handful of times per year is nothing. I didn't realize just how few cases of terrorism there are every year, see the cousin comment. It's like, 13 people killed since 2010. How many people do you think are reported multiple times by multiple agencies and citizens? This expense would not even be a rounding error on a rounding error. (But I just can't get over how absurd it sounds.)


> Do you know, did the case I mention have someone else they conspired together with?

I was extrapolating to the more recent events where there were several killers but it applies often to the case where there is a lone wolf because often there is someone else who enables them, perhaps not enough to pin a formal charge of conspiracy on them but close.


In the UK or at least the north of Ireland 20 years ago it was illegal to have information useful to terrorists. It is information crime. (It was usually used if the victim was also being prosecuted for membership of the IRA.)


They will probably try honeypots and informers and relax the entrapment rules. Need to be careful they do not end up propping up all the terrorist groups with different branches of British 'intelligence' groups... Or maybe they have learnt from past experience.


Fur fubhyq ona greebevfz.


everything should be public, especially Government secrets...


why not educating people instead of banning ?


Terrorism happened before the internet.


Imo this isn't about legislative of today, rather about the philosophy/politics of today responsible for the legislative of the future.

Today's cryptography is like the ice sculptures art, we could show a lot, but on unstable timeline.

The true art is going to come with the quantum computers and the governments will have to have legislative for someone sending messages to someone else because they won't have any other tool available.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: