Hacker News new | past | comments | ask | show | jobs | submit login
Decrypting Amber Rudd (ar.al)
159 points by tolien on Aug 2, 2017 | hide | past | favorite | 70 comments



I'm by no means going to support government attempts to ban encryption, but assuming 100% virtuous purposes (e.g.: counter-terrorism efforts), I can understand why they think this will work. I mean, they think that passing laws on guns and drugs will stop those things.

The fundamental problem is that the government and the public do not understand that powerful encryption will exist forever now. The cat is out of the bag, and the bag has disintegrated. You can't ban the ideas, and you can't stop them from being implemented in the shadows. Even worse for them, there's nothing physical to find. You can't train a dog to sniff out encrypted data. Banning it now only hurts honest uses, like protecting financial transactions and medical records.


Thing is, gun control laws work. See Scotland after Dunblane, Australia after Port Arthur. See Canada’s per-capita murder rate and gun death rate in comparison to those of the U.S., where gun control laws are essentially nonexistent.

Passing the right laws on drugs (abuse) works (see Portugal). Prohibition doesn’t, but treatment does. (And, the truth is that the drug laws in the U.S. are working; they just aren’t working for the citizenry, but the police state. This is by design, and there’s a not-insignificant marginalization/targeting of minorities by design in these laws, too.)

Encryption is…rather more subtle to deal with, because you cannot weaken it for one purpose without weakening it for all purposes, because math and physics. Better that they work on laws that target actions and behaviours rather than technologies. Then again, any time I see a politician talking about terrorism, I recognize that they are attempting to increase their own power at the expense of those without power to begin with.


I agree about "right" drug laws, but many of the countries supporting this idea are not "right" drug law kind of places.

As for guns, they trot out "terrorism" as the reason for wanting to get rid of encryption. Well, gun laws have yet to stop terrorism. If they couldn't find a gun, they made a bomb, or they used an airplane, etc.


Strong gun laws have, in fact, stopped most mass killings in places that have them. Not entirely, obviously (the mass attack on the Bataclan theatre and elsewhere in Paris in 2015), but these are exceptions.

In the U.S., there have been more than one mass shooting every month in 2017 even under the most ridiculous definition (4+ people killed, indiscriminately, in a public place; this would not include someone who killed 5 people in a targeted manner). Using a looser definition (4+ people killed or injured), there have been almost 7 per week in the U.S.

There have been far fewer than that in Canada. In Toronto, there have been 26 murders total, and perhaps two “mass shootings” by either definition. The main mass shooting story in Canada this year is the terrorist attack on the mosque in Quebec. In the U.S.? Too many to say that there’s a main one (although the attack on the Congressional baseball game will probably be the one that gets talked about).

Source: http://www.cnn.com/2017/06/15/health/mass-shootings-in-2017-...


> passing laws on guns and drugs will stop those things.

Problematic comparison. Politics aside, gun laws can definitely achieve publicly desired outcomes. E.g. handgun ban in Australia. Drug laws mean your paracetamol won't poison you.

Encryption laws where you want to have your cake and eat it are a very different matter.


Gun regulations and drug bans do not stop the worst of the worst from getting their hands on those things. They will literally manufacture their own guns and drugs if they have to (see marijuana grow ops and this Vice article on cartel gun makers https://motherboard.vice.com/en_us/article/78xa99/the-cartel...). Banning encryption will not stop the underbelly of society from using it either. They'll just hire some black hats to build it for them.


>I'm by no means going to support government attempts to ban encryption

I don't think Rudd, Murdoch or May think encryption ban is possible or even effective at counter terrorism. It's about controlling behaviour.

People behave differently if they think they might be being watched. Self censorship is better than any encryption ban.


I doubt that. They very much want to read people's email, etc. At a minimum, they want to do it to find terrorists. The maximum is just corrupt without bound.


> You can't train a dog to sniff out encrypted data

?? But you can easily train a computer to. I mean, it's expensive as hell, but if all encryption is either back-doored, banned, or weaker than a newspaper cryptogram, then yeah... sure. Encrypted data is easy to find - it's the data you can't read.


No you can't.

The data you can't read is not only encrypted data. Most unencrypted data will be data you can't read, due to there being absurd amounts of file formats and protocols. How do you intend to be able to validate that the content of all, say, CAD and 3D model files is not malicious? How will you deal with new codecs? New network protocols?

Encrypted data is, unless the protocol is severely broken, almost indistinguishable from random data, which without context and knowledge of all file formats and protocols in the world, is indistinguishable from most real, unencrypted data. And not only that, you can hide information in almost any data type. Encrypted content can be hidden in a perfectly normal looking picture or video just fine. Look up steganography.

Encrypted communication cannot be detected in any sane manner.


> Most unencrypted data will be data you can't read, due to there being absurd amounts of file formats and protocols

Well I sure couldn't read it, but the NSA could.

> How will you deal with new codecs? New network protocols?

With a massive staff and constant influx of money. I did say it would be expensive. Still, I think it's within the reach of state-level actors.

> Encrypted data is, unless the protocol is severely broken, almost indistinguishable from random data, which without context and knowledge of all file formats and protocols in the world, is indistinguishable from most real, unencrypted data.

Sure- context is a critical tool. I don't know why you stipulated "without context", though.

> Encrypted content can be hidden in a perfectly normal looking picture or video just fine. Look up steganography.

UNencrypted data can be hidden in the same way. I know what steganography is, and sure, the art of hiding data is a great way to hide data. Separate issue, though.

> Encrypted communication cannot be detected in any sane manner.

I think the facilities and manpower for detecting unauthorized use of encryption would indeed be insane, from several perspectives. And it would require a bunch of legislative support, too. But WITH legislative support, mandated back doors, ISPs that are cooperative, shitloads of manpower and money.... Yeah, I think it would be possible to detect encrypted traffic. Could a person who hadn't already attracted the attention of the "agencies" choose to hide small amounts of data in an innocuous file? Sure, but they could glue an SD card to a homing pigeon, too. I'm thinking more of PGP, SSL, VPNs, WhatsApp and the like.


No amount of staff will be able to predict file formats and protocols before they are designed, and unless file formats and protocols are permitted prior to being "understood" by this hypothetical internet filtering agency, then no new formats or protocols can be formed, or even updated. However, permitting them prior to being understood also mean that arbitrary traffic will be permitted, as long as the formats and protocols mutate faster than they are implemented by the bad guys (the state-level actors you describe).

The only scenario where I can think of a setup where a filtering agency would be able to block "dangerous content", while still permitting legit use, would be one where each and every file format and protocol creation/update would require applying for a permit to the respective agencies in every country where the format is to be used. The absurd bureaucracy this would entail, such as the time it takes for the agency to write some form of verification, would kill most, if not all, innovation. The only innovation I could imagine still living in such an environment would be circumvention efforts.

Furthermore, steganography is not a separate issue. In the hypothetical scenario where this is both possible and the resources for this exercise are present, the entire exercise becomes moot once you realize that you can encode anything as a jpeg or video file with a minimal overhead. Applications would just all implement protocols that exchange JPEG's or MP4's with a small overhead, leading to no traffic being stopped as "unreadable".

And before you ask: Detecting such measures is not possible in the general case.


It's not that easy because computers can't read most data. How would a computer know whether an image/video file contains an encrypted message?

https://en.wikipedia.org/wiki/Steganography


Steganography is a separate issue. The art of hiding data is a great tool for hiding data, encrypted or non.


That assumes you are aware of every file format ever and can also spare the resources to search through every file. Otherwise, the inside of a large compressed file has about as much entropy as an encrypted one.


History would seem to suggest that it will be trivial for people with bad intentions to sway public opinion against encryption as they did in the past against things like cannabis, or the many books which have been banned. All it will take his associating encryption strongly with the despised group and that will be that for decades. I want to believe otherwise but it's happened with issues much simpler and much easier to understand than encrypted data.


I don't disagree that they could succeed with this method of attack. The problem is that it doesn't solve any problems. Encryption is a thing that humanity knows about. It's not going away. We're not going to stop knowing how to make guns, knives, drugs, or anything else that has been banned. And encryption just requires some computers. They're ubiquitous now. Encryption is baked into so many things that it would be impossible to stop as a concept.


While I agree that what the UK government is trying to do is dangerous, wrong and ultimately won't help all that much anyway, this article is so full of hyperbole, bluster and FUD that, even though I know and understand most of the issues, it's honestly hard to take much of it seriously.

I expect exaggeration from Rudd and I expect her to misunderstand how certain things (i.e. encryption and the internet) really work because a) she's a politician b) she's not an encryption expert (that's what advisors are for). I don't really expect the same thing from people should be trying to counter her arguments with facts, explanation and alternative ideas though.


Well, I can't say that there's anything obviously wrong with the article.

You should be fearful, uncertain and full of doubt about privacy and democracy if you live in the UK. And those companies really are farming people's data and doing whatever the heck they want with it. And removing the people's access to private communication in the digital age is both stupid and evil.

There's no bluster and hyperbole, just the sad reality.


This doesn't seem to get suggested very often, or ever, but maybe we need to keep protesting these developments, and boycott these companies/services who collude with the government to erode our civil liberties. Nobody has to login to facebook, at least not yet...It's only going to get more difficult.


Obviously wrong with the article:

" You should not believe a single word any of those companies tells you about end-to-end encryption or privacy on their platforms ever again. "

Well, that's going to make it hard to have any discussion about privacy on the internet.

"If you’re still not convinced and feel that the UK government should have the right to spy on everyone, you can stop worrying. Because they already do."

Well in that case, what are we talking about?

The main reason there is nothing obviously wrong is because it doesn't really say anything, just keeps repeating "Amber says X, other online news source says not X. Amber is evil".


From the article:

> Given the gravity of what’s at stake – which is nothing less than the integrity of personhood in the digital age and the future of democracy in Europe

So banning encryption in online chat programs (she obviously can't and won't be banning _all_ forms of encryption) is the same as destroying democracy and will effectively stop people from existing as people on the internet?

> Translation: We want to ban encryption and if we do we will be better equipped to catch terrorists.

in response to a direct quote saying "we don't want to ban encryption" is a bold and unsubstantiated opinion at best.

> Does it matter that you’re more at risk dying from falling out of bed than you are from terrorism

All analogies are bad, but this one is especially so. Nobody worries about dying falling out of bed. And if it really did happen, then it would be "merely" a tragic accident. Should the government only act to prevent types of murder if it happens more than people falling out of bed? A lot of people die of heart disease every year. Does that mean the government shouldn't do anything to try and prevent traffic accidents?

> Translation: We want to scapegoat the Internet as the root of the problem with terrorism.

This again is clearly not what's being said. They're aiming their guns at the internet, but nowhere is it implied that the root cause of terrorism is internet encryption.

> It is not the role of multinational corporations to police the world’s citizenry.

This is true, but those corporations cannot also place themselves above the law so they do have at least some duty, moral or otherwise to do something if the government wants them to (setting aside the specifics of the laws involved).

> Rudd pivots from the government’s successful battle against the spread of public propaganda by terrorist organisations to their belief that they need to eavesdrop on the private communications of every citizen in order to keep us safe.

I assume I missed something somewhere because afaict Rudd wants to be able to listen in on and extract evidence from private communications of suspects, much like they already do with telephone systems. I can't see anywhere she claims to want to actively listen to the entire population (though I fully get that it may end up that way on the basis that they've up to this point proven that they don't understand the technology well enough).

> You should take note of the companies that are part of the Global Internet Forum to Counter Terrorism and never trust another word they say to you about the encryption and privacy features of their products.

Feel free to stop using everything that most tech companies produce but if if this is intended to be actual advice I don't think it's realistic.

> What it will do is make all of less safe and lead to chilling effects that will destroy what little democracy we have left. It will result in a surveillance state and a global panopticon the likes of which humanity has never seen.

Having just gone through a general election that resulted in a rare minority government and, potentially as a result, a fundamental change to brexit ambitions, I don't buy this at all. We have just as much democracy as we had before. It's a very very long way from where we are now to the UK government locking up leaders of the opposition for example.


"I don't really expect the same thing from people should be trying to counter her arguments with facts"

No one cares about facts. "Encryption keeps you safe" is a fact but its a boring one, it won't get shared around on facebook, which means it wont get out to the people who don't know its a fact. When you don't have facts to back you up you can just make up whatever story you want "Encryption kills your kids" will get shared on facebook no worries.


imho the government isn't wilfully malevolent and pretending that it is is a surefire way of getting people to write you off as a crazy person.

> When you don't have facts to back you up you can just make up whatever story you want "Encryption kills your kids" will get shared on facebook no worries.

If the brexit debate taught us anything it's that people can see BS in arguments from a mile away and, when it happens on both sides they dismiss all the facts and go with their instincts. There are some really good arguments against what the UK government is trying to do. I think dressing them up with falsehoods does nothing to advance them.


If the brexit debate taught us anything it's that people can see BS in arguments from a mile away

What about the Brexit debate could possibly make you think that?


The bit where nobody bothered to listen to what experts were saying on the basis that both sides spent much of their time lying. If arguments that are counter to people's preconceived opinions are full of holes and exaggeration then they're really easy to dismiss imho.


Well, don't forget this is written by a man know for drumming up sensationalist products like the Indie Phone (crowd funded but never delivered, try google it), pissing off people, and even becoming a meme - https://imgflip.com/memegenerator/29521388/Indie-Phone-Aral-...

So the fact there is hyperbole is par for the course.


Does anyone ever wonder which school these people go to to be trained in such a duplicitous way of thinking or do they really believe they are protecting everyone from the terrorists? As the article clearly demonstrates, Amber Rudd conflates the need to monitor and remove public information with the need to monitor everyone's private information.

This sort of "tough love" probably plays well politically with most of the population, who can't really think of a reason they'd like their privacy protected.

I really can't get my head around why all politicians (across the world right now really) converge on the same draconian policies.


They don't care about catching terrorists. They care about power.


chapter 5 might be interesting: (whole book is interesting, but it is mainly focused on followers, not leaders) http://theauthoritarians.org/Downloads/TheAuthoritarians.pdf


Really interesting read, thanks!


Eaton?


> Eaton? [sic]

Assuming you mean 'Eton', I don't know if you were even trying to contribute something helpful or meaningful, but Amber Rudd certainly didn't attend a boys' public school.


I fucking hate everything about the way the world is trending. We need a proper grassroots revolution which throws these idiot ministers in prison for crimes against humanity.


Although I agree that the world is trending towards authoritarianism, with thunderous applaud, it does not spell the end of privacy.

In a world of total digital surveillance, steganography and traditional cloak and dagger spycraft become relatively more useful.


Can you share some more details? I'd like to learn more. Any tools for such spycraft for everyday users?


It's pretty easy to find with a google search, but I'm referencing the "classic" tools of spycraft. Hand-written messages that actually self-destruct (self-immolate), invisible ink, short-wave radio, burst transmissions, leaving physical messages at dead-drops.

While steganography usually refers to the practice of concealing a file, message, image, or video within another file, message, image, or video, it can be extended to the practice of hiding information in plain sight. An example is encoding a message into what passes for street graffitti. Or laying out rocks in a formation that only a drone or satellite can make sense of.

One of the smartest people I've ever met explained to me that more or less all digital communications are compromised if the resources of a nation-state are aligned against you and that the only practical solution for private and secure messages is hiding information in plain sight.


As depressing as it may be, I don't really see a way out. The genie is out of the bottle now and any successful revolutionaries will also have an overwhelming urge to use this technology to cement their power.

Benevolent AIs may be an outside possibility. Otherwise, short of nuking ourselves back to the stone age, I think total surveillance societies are here to stay.


The revolution could be to get off the internet or to use it only for cat videos, go back to using cash, reconnect with local friends only etc etc


CCTV coverage is already high in London, and increasing everywhere. Recognition software (not just facial) is getting quite good.

Cash can mostly be tracked unless you just trade with black/grey market sellers. Adding RFID to notes and mandating readers on cash registers would already be feasible.

Home devices (TVs, DVRs, even fridges[1]) increasingly have microphones and other sensors, so it'll be hard to be sure you're not being recorded even when talking to friends in their living room.

[1] http://www.popularmechanics.com/technology/gadgets/a24616/sa...


Like the story of the 40 thieves, maybe the answer is to hide in plain sight. Throw so much data at them that they can't meaningfully process all of it. Fuck! This subthread is making me angry/ier.



I don't see any trends in that direction right now. The institutions of both western democracies and most other societies have proven themselves wholly ineffectual at curbing any of the vast overreach by both intelligence agencies and police.

So it will just happen again. (Meet the new boss, same as the old... Animal farm etc) without all of them being dismantled too. And revolutions of that scale rarely work out well for anyone in the short term.


> I think total surveillance societies are here to stay

We could at least convert them into total sousveillance societies. If regular citizens can't have privacy, nobody should have privacy.


Fuck prison, we need to bring the guillotine back.


> Facebook, Microsoft, Twitter, and YouTube (Google/Alphabet, Inc) have formed the Global Internet Forum to Counter Terrorism and Amber Rudd is asking them to quietly drop end-to-end encryption from their products. You should not believe a single word any of those companies tells you about end-to-end encryption or privacy on their platforms ever again.

and

> she reveals that she has created the Global Internet Forum to Counter Terrorism with Facebook, Microsoft, Twitter and YouTube (Google/Alphabet, Inc.) and asked them to remove end-to-end encryption from their products (remember that Facebook makes WhatsApp) without telling anyone.

This wording implies that these big tech companies would silently, without anyone noticing, drop or compromise their E2E encryption. Is this something they could do? I'd expect such a change to be noticeable in both the clients they distribute and the network traffic they generate by people in the infosec industry.

Can anyone with a deeper understanding of the matter chime in?


> This wording implies that these big tech companies would silently, without anyone noticing, drop or compromise their E2E encryption. Is this something they could do? I'd expect such a change to be noticeable in both the clients they distribute and the network traffic they generate by people in the infosec industry.

The apps are closed-source, and cryptographic libraries already generate keystreams that look like random data. All they'd have to do is replace the random nonces etc. with data generated deterministically from their own key and some suitable factors (device ID, time), similar to how stateless password managers work; that would be virtually undetectable.


Yes, they could do that, and in order to detect it security professionals would need access to their servers and/or reverse engineer their binary software distributions where this is applicable.

Whether they do it, I don't know, but I'd like to point out that Google used RC4 for SSL for a suspiciously long time after it was considered broken (all in the name of compatibility, of course). A change in public policy only occurred after the Snowden revelations.

However, to make this clear, this is all speculation, they could do it but whether they do it I can't tell and no one else can without insider knowledge.


It's plausible that they could just compromise the security, intentionally, without telling anyone (and without anyone being able to easily tell).

I think what's more likely, at least in the case of WhatsApp, is that they would just not make an announcement when they remove E2E encryption entirely. The security community would certainly complain, and long-term, the traffic they are currently getting from parties of any interest would move somewhere else. But in the short term, it would compromise the security of a substantial number of their target users. It's plausible that, without a public announcement, many 'nefarious' users would continue to use it for a few months.


I'm more worried about a trigger-able mode of whatsapp that silently disables E2E encryption on a specific phone. The only way to figure this out is to catch the app in the act.

It seems possible that WhatsApp could be persuaded by the government to implement such technology.


Something that does concern me about WhatsApp is that backups of messages (by default, it seems, put on Google Drive on Android) are not encrypted. I'm not really sure why. There's not a compelling reason that I can think of.


Or already has and is under a gag order.


"You’re more at risk dying from falling out of bed than you are from terrorism?". I have no argument with the rest of the piece but this (true) statistic is an irrelevance given that there are terrorists who had they possession of nuclear options (literal or otherwise) would not hesitate to use them (planned with or without electronic communication). In this context, assessing risks like this is fatuous given the absence of required information. That doesn't mean that an insurance company might not perform the calculation for an individual but they have different goals from government.


While it's a relevant point, the risk (in a probability * cost sense, to address your point about terrorists using a nuclear/radiological weapon were one available) of terrorism has to be addressed somehow or you're cherry picking one from a number of extremely rare but potentially catastrophic events to worry about. We're not spending trillions of dollars and thousands of lives on a War on Giant Asteroids, for example.


The War on Giant Asteroids is unwinnable. That's why we should instead fund the War on Giant Asteroids Piloted by Dinosaurs. We kicked their asses 6,000 years ago, we can do it again!


So, is she threatening or bribing the tech companies? Otherwise, I can't see why they would take any notice.


My guess is that she's arse-covering. She wants to be seen 'doing something' and so that if there's an incident she can then point and say "I told them but they didn't listen"


It's hard to know what's actually going on behind closed doors, but it sounds like the tech companies want to do something about it and are quite prepared to work with the government on a solution.

Of course, what that solution turns out to be is a separate issue. I trust Google et al to know what they're talking about wrt encryption far more than the UK government though, so actively working with tech companies is a huge step up from the previous position (though obviously a long way still to go).


My guess is threatening, since they'd be in violation of UK law. Each of those companies have a significant presence in the UK, which I doubt they'd want to abandon over this.


Unfortunately, since there are more people who don't have a grasp on the ramifications of what she's proposing that those that do, there'll be more people that buy into this dangerous spin, than those that don't. She'll pull it off, just like the Snooper's Charter.


I honestly don't think so, the UK isn't important enough globally for WhatsApp to risk losing everything - look at what happened with them in Brazil, which is a larger WhatsApp market by a good bit.

A lot of this stuff feels like a vindication of how Indians make fun of Brits: foot stamping, bureaucratic, and out of touch with a world that has largely passed them by.


> A lot of this stuff feels like a vindication of how Indians make fun of Brits: foot stamping, bureaucratic, and out of touch with a world that has largely passed them by.

If there ever was bigger case of people in glass houses should not throw stones, I've yet to see it.


I guess the concern is that other Western countries will get in on the act — TFA refers to Angela Merkel and Emmanuel Macron saying similar things so, given their level of influence within the bloc, it wouldn’t be hard to see a standard becoming EU-wide; we’ve already seen the FBI talk about compromising encryption (e.g. the San Bernardino iPhone).


That's a great point, actually. I suppose, rather ignorantly, I was talking with regard to the public as opposed to the corporations. Most Brits, at least, don't grasp the true implications of this sort of shit, and will buy into the spin about 'increased' security and terrorism prevention.


>the UK isn't important enough globally for WhatsApp to risk losing everything

But, it can be argued: this is WHY this is such a hot issue in UK politics at the moment. Total surveillance paired with The City's financial machinations = Britain can project its power again.


> I honestly don't think so, the UK isn't important enough globally for WhatsApp to risk losing everything

You are assuming there is no collusion between states. A big assumption in my opinion considering the UK is a part of the Five Eyes.


How do I "stock up" on strong encryption in anticipation of it being banned eventually? Should I buy routers and hardware with strong hardware level encryption in them? Should I acquire and backup the software (vpn, public key toolchains etc)?


Decryption of common people's ideas/thoughts is only the first step of moderating them by the govt. in future! Terrorism is an easy & irrefutable excuse.


Its yet another Home Secretary being (to put it very very politely) extremely disingenuous with the UK public. It would be laughable if it wasnt so sad.


I agree with the articles author. Things conveniently "slip through the net" always, even when the perpetrator was "known to the authorities" and they think the answer to this is not fixing whats wrong with the Brit Security Services but increasing surveillance on EVERYBODY? Something stinks, it does not make proportionate sense.

As an example, Drunk Drivers kill more people per year than terrorism, But no one in the UK talks about surveilling everyone to prevent drink driving.




Consider applying for YC's Fall 2025 batch! Applications are open till Aug 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: