UK proposal to criminalize “sophisticated encrypted communication devices” (service.gov.uk)
234 points by costco 11 days ago | 170 comments





It's a yearly tradition in the UK to propose some draconian law that will be the end of the internet. And yet the policies generally remain unimplemented. Is there some systemic pattern that explains this trend?

I always wonder if it's a "look at this crazy law we might pass and definitely don't look at the money we're stealing from the NHS or the tax we forgot to pay or the "loans" we've been given in exchange for plush jobs and peerages" kind of deal.

Is there even enough engagement with these proposals for them to work as this kind of distraction?

No. There is no distraction premise going on. It's simple authoritarianism (but people would rather believe it's something else, because of what that implies).

The UK ruling class has enough resources to pursue both at the same time.

Sure, but from the last year of events in the UK, plenty of them were far more distracting than this.

Every time there is an uproar to fight it again, so they wait and try again a year later.

They aren't giving up, they are just waiting as they "only have to get lucky once"

Meanwhile those who recognize the issue instead must live by the maximum "Eternal vigilance is the price of liberty"


The only way to stop having to constantly fight this issue is to manage to swing things further back, to have backlash in the direction of "no and stop asking", or if necessary, "no, and your smoking crater will be a warning to the next person to try".

We should be in a world where "I want to ban encryption" results in "Of course not, and your career in politics is now over". We should be in a world where "I want to ban encryption" results in "No, in fact here are a bunch of laws enshrining the right to encryption and privacy". We should be in a world where everyone building encryption technologies is building it in a fashion not just resistant to but actively hostile to any ability to control or backdoor it.


From the UN declaration of Human Rights:

Article 12

"No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."

Banning encryption constitutes "arbitrary interference with his privacy, family, home or correspondence" in my view, but it should be taken to (constitutional?) court.


That's what people kept saying about DRM in our CPUs and monitors. So far it hasn't really worked though, last time I checked both Netflix and Spotify are trivially reverse engineerable and 100% quality rips are online within hours.

maxim*

They tried for years to implement a bizarre law that would impose onerous age verification systems on porn sites, but do nothing about porn on Twitter or Reddit or whatever. Just total ineffectual nonsense, whatever you think about the principle.

I think they finally gave that one up.


As an American we have our own weird battles with technology, but UK is weird about certain stuff. I wanted to watch a show that is only available in UK, and it’s on BBC. So I downloaded BBC iPlayer with a VPN and signed up, no problem. Verified my age, I get it. Makes sense enough. Kind of dumb because there’s no way they can verify it. Then they wanted me to, on my honor, swear that I had a TV license before I could download the show, even though there was absolutely no way they could verify it. Wut. Actually now that I type it out it feels no less dumb than age verification, just a legalese checkmark

The way TV licensing works in the UK is strange. If you don't have or need one they'll regularly send threatening letters saying you're under investigation, and sometimes a man will knock on your door demanding you let him search your house for a TV. They have no legal powers so you just say no and shut the door, and they'll do it again in a few months.

What happened to the van? I thought there was a van that could detect if you had a TV in your house.

Evidence from TV Licensing vans has never been used to attempt to convict anyone who allegedly failed to pay for a TV license.

You could infer from that, that the vans were for show and a shock tactic only.

It's not impossible, I'm sure.

Back in the CRT days it was reasonably possible to detect a TV program from the intermediate frequency from UHF stations, but more difficult (but not impossible, see TEMPEST) due to direct conversion by SDRs. These side channel attacks can be found here: https://en.wikipedia.org/wiki/Van_Eck_phreaking

Sensitivity of the equipment and picking up the signal from the roadside would have probably been impossible in the 60s-80s. But again it's a capability you don't want your cold-war enemies (or allies) knowing about.

Also, being able to prove that the signal was the defendant's, in a way that would convince a jury, might have been difficult.

I'm sure some experienced radio hams/RF engineers will weigh in and correct me if I'm way off base here.


I think making you ‘solemnly swear I have a TV licence’ was a way to boil the frog, so to speak, from the days when no licence was required at all to use iPlayer. Jumping straight to a real verification step would have created an uproar. Guess they never went all the way (not yet at least). Still seems odd and pointless.

I reckon it’s the dire quality of our elected politicians. UK politicians don’t try to understand technology, and they feel entitled to dismiss expert opinion whenever it will win them public favour, hence the disaster with Covid lockdowns.

The main constituency of the Conservative Party is old people that want their pensions to be increased, house prices to go up and the kids to stop having fun, whatever the cost.

When their idiocy demands something that would cause the utter destruction of civilization as we know it (such as banning encryption) they back off. If it makes it harder for the old person to access porn, they back off. But when the consequences won’t manifest themselves before 2-3 years, they go ahead and then blame the EU or the Albanians. Let me know if they have chickenpox vaccines, Zoely (the contraceptive pill) and lactose free milk in your area. My stockpile of Calpol should be enough to survive the current shortage.


You think Labour wouldn't try and pull the same type of shit? The freedom loving "Let's have ID Cards" Labour party?

I think this is missing the forest for the trees. Labour have openly endorsed all the "child protection" internet laws pushed by the Tory government.

I don’t understand the British fixation with ID cards, especially if they are conservatives and want people to show an ID to vote.

This time around, we have a party that is able to push through laws as they have 1) 80 majority and 2) no qualms about hiding their fascist ways.

People that understand the implications are still in some places and put the brakes on.

They keep trying, public outrage keeps it from being viewed by our ruling class as anything other than political suicide.

These policies will get implemented as soon as we are sick of being outraged.


HN is trying to derive axiomatically what this is about, but there's an empirical backstory you want to know about this. Start with this grugq conversation on Twitter from a few months ago:

https://twitter.com/thegrugq/status/1610169123388141568

What this appears to be about is not encrypted messengers but rather particular brands of modded Android phones that are used exclusively for organized crime.

That doesn't mean you should support the proposal, but if you're reading it as "the UK is trying to ban encryption outright", that's not the whole story.


It's still troublesome as a precedent: Making a particular class of software illegal to be in possession of.

As others have pointed out - once the precedent is in place, what is stopping them from deciding that some other piece of software superficially matches the law close enough that the police will ding you for it? After all, this is policing 101, where they use whatever laws are on the book as leverage for something totally unrelated to the laws they're using.

Having a look at the wording on offer:

- An offence of making, modifying, supplying, offering to supply a specified article where a person has reasonable grounds to suspect that it will be used in any serious crime.

- An offence of possessing any specified article where a person intends or, has reasonable grounds to suspect, that it will be used in any serious crime.

Every time we get new laws like this, we take a step towards the police being able to arrest anyone, for any reason, at any time.


Two things are simultaneously true:

1. The entire UK economy is dependent on everyone having access to cryptography so good that even Russia can't break it, therefore it is of paramount national interest that everyone does have access to it.

2. Bad people will use the exact same tech to avoid detection while planning and committing major crimes that have the potential to escalate to the level of undermining the state.

The only way to prevent #2 is to enforce extremely luddite laws that mess up #1.

In reality things get much harder to guess at when pontificating from armchairs, as when you have to account for the fact that the government and police aren't actually trying to perfectly enforce any specific law — not even the ones we all grew up assuming they "surely must" fully enforce because they were the worst horrors in the newspapers — it stops being clear how much any given law is supposed to help nor how much harm it will cause.


> The only way to prevent #2 is to enforce extremely luddite laws that mess up #1.

That's often how they think, but of course it isn't true.

The FBI has had good success with another route:

https://www.pcmag.com/news/fbi-sold-criminals-fake-encrypted...

Then there's just good old fashioned good police work. Informants. In-person Surveillance. Sting operations.


The problem with the latter is that it's very labor-intensive, and states would like to be able to automate detection in the same way that professional criminals are becoming capable of automating crime.

It's interesting that the UK is (as usual) taking the approach of designating particular technologies to be bad because they facilitate crime, and thus presumptively assigning criminal liability to their manufacture. Perhaps it's because the technology can be described in abstract terms, similar to a patent. A more expedient approach (like saying 'I notice, sir, that 95% of your customers are criminals') founders on the dilemma of needing a new kind of legal theory to address the criminal supplier's plausible deniability, or an elaborate and uncertain investigation to discern just how product X gained the approval of the criminal class to become established as a standard.

It's also interesting how non-geeky criminals want a walled garden ecosystem with very limited configurability, so they can outsource the technical decision-making to some underworld equivalent of Steve Jobs instead of having to promulgate standards of digital security practices.


You're ignoring the main point of the comment you're replying to, which is that laws like this mean they can arbitrarily charge whoever they like because everyone is constantly in violation of some law. The argument that we should trust the police not to use this power irresponsibly doesn't stand up when they're shown again and again that they are very happy to abuse such powers despite promising not to do so when the law is brought in. The UK government has made it clear they want to prevent anyone from hiding data from them, and criminalising encryption and selectively enforcing that law is one way of achieving that.

> The only way to prevent #2 is to enforce extremely luddite laws that mess up #1.

Except laws are not effective in preventing #2 because bad people, by definition, are happy to break the law. Such pre-emptive laws mostly annoy honest, law abiding citizens.


Funny you say that. It's almost like if some part of Russian intelligence had strong influence on the Tory party and they try to make us less safe.

Elections can't come soon enough. These people are dangerous.


Almost, but not quite. It seems that there isn't a country left on Earth that isn't toying with such ideas, so I don't see how one could blame it on covert influence of Russia or any other single state.

> but if you're reading it as "the UK is trying to ban encryption outright", that's not the whole story.

But isn't that the whole story? A device produced to securely encrypt data is proposed to be outlawed - if that's a physical device today, it'll be an algorithmic device tomorrow. A law against one effective safe is a law against all effective safes.

Any encryption device is "sophisticated" if it is useful. Maybe we could read it as "UK is trying to ban /useful/ encryption outright"


In fact, these devices are already out there. Specifically your smartphone (most likely) already encrypts data at rest and your laptop possibly does too.

In fact their own laptops do, and often get left on trains.

This is yet another authoritarian power grab.


It's dangerous to assume context and intent when writing a law will limit how that law, once passed, is applied. Because they won't. And there's a lot of "not available commercially" language in there, that makes me think it'll apply to anything you can't buy at a local mall, e.g. a privacy-focused Android fork.

It's also a dangerous step in making the mere act of hiding from the government a crime.


The problem, of course, is that the government can never be trusted to keep within the boundaries they claim they'll set. Metadata retention went through in Australia and the meat inspectors wanted access to it; surveillance in the UK was used to spy on people who left their rubbish bins out; at the height of the pandemic, contact-tracing data (which was promised hand-on-heart to be for public health only) was used by the police for unrelated crimes.

If a communication device is favoured by criminals, I kinda want in. I mean, we're talking people who have very good reasons to avoid detection, right? Maybe there's something good in those phones?

(Not that I would trust the criminal's supply chain, mind you.)



Well I tried… Thanks for the links.

> If a communication device is favoured by criminals, I kinda want in. (...) (Not that I would trust the criminal's supply chain, mind you.)

Here's an extra challenge: how do you know that a given device is "favoured by criminals"? Where did you acquire that knowledge, and how sure are you of it?

If it's just from randos on the Internet, even if you aggregated opinions of many such randos, it's likely the result is still wrong. Or worse, a honeypot. On the other hand, if you honestly have it on good authority from actual users with skin in the game... then you're probably already in - on the crime part.

EDIT: And, on the off chance the actual preference of experienced criminals becomes public knowledge, guess which tool the law enforcement will focus on breaking and circumventing?

This kind of security has an anti-inductive quality similar to that of the stock market: if you learn some information that could let you beat the market, most likely the information is either wrong, or has already been exploited to the point of diminishing returns.


You make good points, I think I agree with them. I started this tongue in cheek, but if I'm being serious here, my actual method is building genuine expertise in infosec and cryptography, to the point where I can make my own stuff. Which I did: https://monocypher.org

I was dissatisfied with the state of the art, which did not seem to provide the simple solutions I thought the world deserves. (My subject at the time was file encryption.) Even cryptographic libraries left something to be desired, including libsodium itself, despite the ton of respect I have for this library.

So I experimented with my own thing, and ended up finding a sweet spot between portability, performance, and simplicity. A surprising benefit was the embedded market: Monocypher can go where libsodium doesn't, and is to this day one of the fastest cryptographic libraries on micro-controllers.

Long story short, I don't have to rely on some reputation game to evaluate the security of something. I have the expertise to look at it more directly, and if need be do much of it myself. I have, and will, but I do hope the world doesn't turn so badly that my own expertise becomes more reliable than good external sources.


>"the UK is trying to ban encryption outright", that's not the whole story

It really is though.

They’ll always have a good reason to present, and they’ll always say it won’t go any further.


This whole story is kind of sad because crimephones don't even provide good security. Either they are easily hacked by the government or they're government honeypots from the beginning.

I never understood the purpose of those phones. They aren’t using their own secret crypto (which would be a bad idea) like the military does, so why not just use something like Signal?

If I were in this market, I’d be more suspicious of some modified device sold specifically to unsavory characters. It would be a great target for the government to compromise.


I suppose if you're someone selling privacy to criminals, it's a lot easier to preconfigure mid-range Android phones to sell than to configure each individual customer phone for maximum privacy. Also, it's not just about keeping your own data private, but about the other person you're communicating with. If you know the other person is using the same phone you can feel safer that it's secure, as opposed to trusting that the other person is taking things seriously and knows what they're doing when configuring their own phone. Plus it makes it easier to enforce things like messages being deleted after a period of time. The extra cost is easy to justify when you're trying to avoid jail time.

Which, they have, eg https://www.engadget.com/fbi-encrypted-chat-app-anom-crimina...

But imagine you're the tech-smart mobster trusting your freedom to the rest of the mobsters. You really want to play text support, or you just gonna properly set up Signal to auto-destruct and pre-verify safety number and give those devices out?


The phones "just work" and are a kind of status symbol. It's not like selling drugs even at a high level requires a lot of brainpower. Buy from Colombians, put in shipping container disguised as something else, wait, ???, profit. You just have to have a large risk appetite.

If anyone wants to start reading on the shady world of organized crime, smuggling, gangsters and such that can be found in Vancouver, BC, google "phantom secure Vancouver".

The well known "phantom secure" custom firmware phones sold years ago for organized crime type people.

https://www.google.com/search?client=firefox-b-d&q=phantom+s...

Then google "Vancouver Canada casino money laundering".

I would think that any sufficiently sophisticated organized crime group in 2023 would consider any "special" secure phone sold with such software to be a honeypot, and either DIY it or come up with some other method. This sort of thing would be purchased by clueless/gullible mid and low level people only now.


> This sort of thing would be purchased by clueless/gullible mid and low level people only now.

And therefore should actually be subsidized immediately.


Yes... Waste your time and resources on the mitigable or manageable agents, and leave the high-threat, throughput multiplying organizers to just continue the churn.

Low-hanging fruit collection, while looking good on a poster, will never be as effective as neutralizing high-level actors.

This is the same logic that makes it a jailable offence to steal a loaf of bread, but stealing someone's life savings and disappearing it through fraud or malfeasance gets you a shot on getting on a Board someday.


Yet the tone of the later paragraphs in that section is axiomatically assuming they should be able to prosecute the makers of the encrypted devices, or anyone possessing such a phone, in addition to the 2,864 criminals they already caught using them. All while implicitly admitting there's nothing fundamentally illegal about building or possessing a strongly encrypted device.

Seriously police should be thanking the makers of this device that enabled the UK to arrest 2,864 criminals.


The encrypted phone services mentioned in that tweet have been breached by the police and thousands of arrests have been made.

In the case of encrypted phones the current laws are working.


From what I have read [no1bc](https://no1bc.com) has been one of the more popular devices after the Sky ECC takedown, and it's basically just an iPhone with their special messaging app installed and an MDM setup to disable a bunch of settings and allow remote wipe. An iPhone is "commercially available" and some of these services even have their apps on the app store. Would that be a sophisticated encrypted communication device? It will be interesting to see what definition they come up with but it seems likely it will include some false positives.

I looked at the no1bc thing and their ONEKEY is literally just a commercial off-the-shelf Bluetooth smartcard reader (the Certgate AirID Mini).

Would this make any smartcard-enabled messaging or email client suddenly "sophisticated encrypted communication"?


Given the knife laws in London - you must have a valid reason for carrying a knife - making certain apps illegal to have on your phone without reason is suspicion enough!

Sure. But what happens when someone just takes normal phones, installs Signal, and sells them to criminals?

Surely it'd be easier to just make crime illegal? Because we all know that declaring something illegal just makes it go away. Stop interfering with unrelated fields like encryption to stop criminals and just make criminal activity illegal!

The title is “Two legislative measures to improve the law enforcement response to serious and organised crime” under the “government consultation” subheading. This is a request for comment. Not an act of Parliament.

It's the "brexit of technology" - the UK doing something stupid that shoots itself in the foot.

I think we should just leave them to it......


Giving up Europe to "return to monke"?

Techie Brits exist too :(

I understand some criminals want encrypted comms without having to learn anything new or do technical deep dives (maybe they're just not technically savvy enough?). Personally I use a Nitrophone[0] for encrypted comms with friends, and GrapheneOS is stellar and I've configured it heavily and locked down many things. Not affiliated, just love that phone.

[0] https://www.nitrokey.com/news/2021/nitrophone-most-secure-an...


> We’re targeting the modified and bespoke devices that enable access to platforms, similar to Encro Chat, where the software/ hardware has been developed to anonymise its users and their communications and its user base is assessed to be almost certainly criminal. Under Option 1 where articles will be specified, we will be targeting those that supply, modify, and possess these bespoke devices; the provisions will not apply to commercially available mobile phones nor the encrypted messaging apps available on them. The proposed offences will seek to tackle those supplying and exploiting these devices in order to carry out serious crimes and will seek to reduce the supply of these devices to serious criminals.

The paper makes it sound like the intent is to target services that are advertised as being used for crime. While that is a judgement call, I do appreciate that standard devices / standard apps are not being targeted.

On its surface it seems pretty straightforward. If you are advertising "Crime Talk as a Service", you'll probably be investigated and this gives a clear policy decision. If you are advertising "Anonymous chats away from nosy spouses" the police will have to do a _smidge_ more legwork to build a case.


The laws are never written so that they only target specific things.

Examples in the UK are many, you can go back 20-30 years when CCTV and surveillance started, powers aimed at "serious" things, resulting in local councils buying night vision goggles to make sure people are using the right bins.


>that is a judgement call

I think this is the critical point though. It leaves a lot of room to criminalize any type of encrypted communication device


Make me a hammer that only works on nails

>I do appreciate that standard devices / standard apps are not being targeted...

... yet.

Slow boil principle.


I think it's important to note that the linked document does say this:

"...the prosecution would need to show that the accused had reasonable grounds to suspect that the article they are making, modifying, supplying, offering to supply or possessing will be used in serious crime."

In other words, they're not proposing to criminalize "sophisticated encryption devices" except when associated with crime.

I think the HN headline is misleading by omitting this distinction.


> I think the HN headline is misleading by omitting this distinction.

You make a secure messaging service/protocol/app. It takes off, getting 100k+ users. The police send you a letter (gag order included) informing you 10 of those users are under investigation for "serious crime".

Now that you have reasonable grounds to suspect your service is used in "serious crime", you can either immediately shut it down and stop distribution and support of the code, or take the police's generous offer to stay prosecution against you if you sabotage your code and help them take down the bad guys. They pinky swear they won't use the vulnerabilities against anyone but "serious criminals".

There is no distinction.


The document does also say: "the provisions will not apply to commercially available mobile phones nor the encrypted messaging apps available on them".

I assume that means if I resell phones after putting a privacy-first ROM on them, or make a messaging app that doesn't get preinstalled by vendors or isn't available through either Google's or Apple's walled garden stores, that makes them "not commercially available".

This is, explicitly, one law for the corporations, and another for the commoners.


I think it depends on the exact wording. I get the impression from the document they don't consider their wording final yet, so we can only rely on their intent. I'm not sure their intent is bad in the sense that you're concerned about, based on what they've stated. But we'll have to see.

But it also says:

> It could in some cases criminalise those who did not suspect the articles would be used for serious crime. The justification for criminalising such people, who lack actual suspicion, is that the articles named in legislation are so closely associated with serious crime that it is appropriate to expect that those who are involved in making, modifying, supplying or offering to supply, or who are found in possession of such articles have at least a reasonable standard of awareness of the signs of criminal activity.

And then they say (in bold):

> Both options intend to better equip law enforcement agencies to target people supplying the tools of organised crime and people found in possession of those tools.

And in the EncroChat example they provided to justify their proposal, they say they lacked "sufficient evidence to seek to prosecute Mr A under existing offences" so they let him go. Presumably under the proposed law they would still be able to get him for possessing the EncroChat device.


> " that the article they are making, modifying, supplying, offering to supply or possessing will be used in serious crime."

Every single employee at Intel knows that terrorists probably have a Windows computer; and statistics say that half of those terrorists will be running an Intel-created chip.


That would apply to any major cryptography protocol or library, right? I (and I assume most openssl devs) for example would be pretty sure that openssl is used in "serious crime" in some way. Same goes for almost any other privacy-oriented thing like TOR, signal, etc.

The suggestions appear to refer to some custom-tailored software made specifically for organized crime purposes, the example given being EncroChat[0]. Stuff like Signal, Telegram, Tor or whatever are not included in this proposal.

> the provisions will not apply to commercially available mobile phones nor the encrypted messaging apps available on them

That said, I'm never a fan of any outlawing of encryption of any kind, so I do hope people in the respective jurisdictions voice their disagreement. I also imagine that what starts as "just criminal-focused services" will quickly expand to more popular stuff.

[0] https://en.wikipedia.org/wiki/EncroChat


> Stuff like Signal, Telegram, Tor or whatever are not included in this proposal.

Yet...


Yeh, that's exactly what I was saying with:

> I also imagine that what starts as "just criminal-focused services" will quickly expand to more popular stuff.

:)


Years ago, the Turkish government made a law to force companies which develop crypto communication devices to share a copy of keys with the government. A few years later, a group leaked call recordings of the president and ministers. The same government complained about corruption in the system and the power of bad guys. They couldn't accept they were hit by their own gun. In the UK, as conservatives screw everything up even with crypto devices, they may not be worried about these kinds of leaks.

Are there news articles about this? I did a quick search and I see more about cryptocurrency legislation in Turkey but not so much about communication cryptography.

Well, they didn’t want to be part of the European Union, and they’re very clearly demonstrating that they are indeed not part of the European Union.

The EU has repeatedly proposed to cripple E2E encryption with opaque client-side scanning technology. [1]

This comment seems to be incredibly misguided, all of Europe wants to destroy privacy.

[1] https://arstechnica.com/tech-policy/2022/05/war-upon-end-to-...


I was not aware of that particular CSAM proposal, similar to Apple's proposal last year, it looks like.

It's only a "CSAM proposal" as far as the Patriot Act is an "anti-terrorist law", even though it's routinely used against ordinary citizens and lower level crimes.

CSAM is merely the trojan horse, it's not hard to see how this would be extended to ban wrongthink. After all, Germany and the UK already severely limit speech.

For example, the UK charged and convicted a young woman for posting the lyrics to a rap song in honor of her recently deceased friend because it happened to have the soft N-word in it. [1]

Europe has repeatedly and systematically attacked free speech and encryption on multiple fronts.

[1] https://www.bbc.com/news/uk-england-merseyside-43816921


EU Policy Paper Calls for “European Internet” that Can, “Like the Chinese Firewall”, Block Services: https://techmonitor.ai/policy/european-firewall-proposal

There are plenty of authoritarians and authoritarian proposals on either side of the English Channel.


As part of rule making, MPs should be forced to make their own info available twelve months prior to this rule being applicable to the public. A lot of useless laws would stop being proposed almost immediately. Increasingly, rule makers are a cabal.

These may be incredibly dumb questions, but...

Can someone explain to me how making something illegal actually prevents crime?

Is it really so difficult to prove crimes are being committed without making something illegal?

Why would anyone vote in favor of measures like this?


Something must be done, we are doing something, something has been done.

That's one bias: legislator wielding law to solve every and all problems like they would the proverbial hammer. Reinforced by the fact that they're public figures, surely they can't be caught doing nothing?

A second, more pernicious possibility, is to make illegal stuff that is highly correlated with actual crimes, such that law enforcement can now arrest people for innocuous as a substitute for punishing them for the real thing. Think Al Capone being done for because of taxes of all things.

A third, positively alarming possibility, is to facilitate arbitrary arrests. Probably wasn't the intent (it rarely is), but it does give ammunition to future governments or law enforcement, should they need to stifle, silence, or discourage political opposition.


> A second, more pernicious possibility, is to make illegal stuff that is highly correlated with actual crimes, such that law enforcement can now arrest people for innocuous as a substitute for punishing them for the real thing. Think Al Capone being done for because of taxes of all things.

I think it's mostly this. If you read their example they're basically mad that they couldn't prove that the guy ("Mr A") had a bunch of illegal money.


It doesn't. It makes prosecution of crime easier by adjusting the threshold of criminality. It's not about crime being difficult to prove, so much as multiplying the reasons you could be charged with one, thereby raising the cost of doing business for criminals.

People vote for it because there is plenty of cash to be made out of conditioning the public to feel as if they are under siege and danger lurks around every corner.


I'm terrified that one of these many proposals that come up from time to time by ignorant politicians will get through because of other ignorant politicians and scare campaigns. These are all too common.

Mobile phones are an obviously difficult target to go after (due to the public perception) but what about tor, encrypted Linux systems, or specifically tails?

And to contradict my own point, Australia has anti-association rules specifically to deal with known criminals associating to prevent organised crime, to my knowledge this hasn’t been abused to infringe on the rights of previously convicted but otherwise legitimate people from associating.

I always felt US was most authoritative govt amongst the democratic countries, now I feel that spot is being taken either by UK or Australian govts.

The US put the operator of a service called PhantomSecure in jail after he expressed willingness to sell phones to an undercover pretending to represent a drug cartel. A Canadian who started a similar service after PhantomSecure was shut down is also currently wanted by the US https://storage.courtlistener.com/recap/gov.uscourts.casd.70... despite there seemingly being very limited evidence he was aware of criminal activity on his platform.

I wonder if this applies to GrapheneOS. It's not far off the Encro phone that this is clearly targeting.

Criminalise something used by criminals for crime?

I'm sure that'll stop them. Good work chaps.


HTTPS is pretty sophisticated. Are we going to outlaw Google Chrome next?

You joke, but until the year 2000, open-source asymmetric encryption such as TLS was export-controlled as a munition under ITAR in the United States.

Apparently the government didn't see much of a problem with that classification until online merchants started wanting to encrypt credit card transactions in the mid-'90s, and the ball was slowly rolled uphill from there.


> Digital files or templates for 3D-printed firearms components

Since freedom of speech is no longer a value of the UK, the population can now be arrested for having files that the government doesn't care for.

Mirroring thingiverse? That's a crime now.


Does that mean I can still use Pig Latin?

Tory party seems to be under great influence of Russian oligarchs and they seem to be enchanted by the stories of Soviet Union how Stalin has managed to keep the nation under his boot.

They want to have at least the same amount of power. The laws they propose are vague, open to interpretation and it means anyone could go to prison for anything if they do something the party doesn't like.

Nasty party.


So they want to ban cell phones now? Ouch. Not a good look, UK.

So, phones?

> Similarly, when individuals are found in possession of such a device, it may not be possible to prove their knowledge or intent to the thresholds required to convict them, despite the difficulty of identifying legitimate uses for such technology.

Privacy is illegitimate, apparently.

Think before you post or you may receive a visit from us this weekend. Use the internet safely.

-Glasgow Police, https://twitter.com/GreaterGlasgPol/status/71586727326166220...


Next step.... UK to criminalize possession of Number Theory, Combinatorics, Probability Theory, Statistical Analysis Math Books. Special temporary licenses will be granted by your local Met Office to be allowed to read on Galois Theory.

That sounds flippant, but it really isn't.

Imagine this: someone doesn't like you and wants to harm you. They plant a USB stick with random data on it on you, or in your home. They call the authorities and tell a story about how you're colluding with terrorists, and the information you've been exchanging with terrorists is somehow in your possession.

The hard part would be to get someone to believe the story enough to get a search warrant, but if you're in a position of authority in the government, this isn't unreasonable.

Now the warrant is executed, your home is searched, and the USB stick is found. The data is examined, and the judge orders you to provide the means to decrypt it. Because you can't, and because the data is indistinguishable from real, encrypted data, the judge orders you held until you provide the keys.

Is this theoretical? No. It really could happen. The UK is a very, very scary place to be if you ever do anything that might piss off someone in power.


I think it would be easier to just plant some drugs or so instead.

Seems legit, see how well it went when Assange annoyed the government.

U.K. certainly is dangerous if you upset those in power.


This reminds me of Charles Stross's "Laundry Files" series, which I frequently recommend to anyone at the intersection of enjoying computers, spy stories, and Lovecraftian horror.

(The first conceit of the story is that there were two Church-Turing Theses, and the second one would be so disastrous as public knowledge that it was immediately suppressed by Her Majesty's Government, known only to a select few and the folks they monitor and handle).


Don't joke, Australian 'luminary' Malcolm Turnbull passed a set of stupid laws and said unflinchingly and unironically that, “The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.”

Politicians are idiots and the security services will play them like a fiddle.


Was he an idiot? It's pretty clear that what he indicated was these products/tools would be made illegal, not that he could literally change the laws of math.

Two things to fear: the criminalization of mathematics; secondly, the enforcement of the new regulations being in the hands of the UK's weather service.

https://en.wikipedia.org/wiki/Met_Office


I was assuming should be the Met Office as they would have the mathematical education :-)))

Isn't this ironic? A proposal for criminalization of encryption devices in the country which broke the Enigma device...

From where, to where...


Well, it would have been much simpler if Britain had banned encrypted communications during WW2 and Germany had cheerfully complied.

That would be hilarious, indeed. Chaps shall communicate clearly. Makes sense.

Oi m8 you got a loisence for them there elliptic curves?

Obviously they want to keep breaking that stuff. Worked out in the past, didn't it?


You'll be shocked to hear how most countries already ban large pieces of chemistry, and even inappropriate uses of momentum.

They'll have to prise my illicit angular momentum from my cold, dead, rapidly rotating fingers.

The world isn't exactly Texas indeed.

Still… I do hope even Texas bans some of those inappropriate uses of momentum. I do value the electrochemical impulses going on between my fellow meatbags' ears.


Framing it like that doesn't help, when they banned drugs did they ban chemical reactions or the atomic theory or the gas laws?

Obviously the intentions here are not to ban computations but devices doing computations that make jobs of those people harder.


Computers are a little different than specialised devices like… well, bombs & drugs let's say.

Heard of the coming war on general computation?

https://www.youtube.com/watch?v=HUEvRyemKSg

https://en.wikisource.org/wiki/The_Coming_War_on_General_Com...


People claim things all the time.

It gets old quickly to claim that "they introduced DRM" kind of things as if those things were imposed from the top and didn't happen within the dynamics of the businesses.


DRM is one thing. But the laws that forbid people from circumventing them? That forbid security researchers from even discussing vulnerabilities that could negatively impact millions of people? Those are imposed from the top.

(They were lobbied from the dynamic of the businesses that wanted to enforce those DRMs, though.)


Nothing happened in a vacuum. One thing is having people with interests pushing their agenda, another thing is seeing a grand conspiracy where "They" strip our rights one by one.

Okay, I'm not sure we've heard the same guy… Cory Doctorow, science fiction author and advocate for, among many other things, a reduction in the scope and length of copyright laws?

I never got an illuminati vibe from him. No grand conspiracy. Except maybe an unreasonably small number of people with an unreasonably large amount of money and influence having unsurprisingly converging interests that cause them to lobby for more or less the same things…

Who's "they", in my mind? I would say the owning class. Capitalists. People who make money because they have money. People who own the means of production, either directly or through shares. Those have historically been quite a bit more sympathetic to Fascism than anything resembling Socialism. I believe they still are now. Why would they not, it's in their material interest to be.

Remember what happened almost a century ago in Europe: both the far left and far right were rising. What did "they" the owner class choose? Fascism of course: Socialists and Communists would have disowned them, and they couldn't have that. And in France at the very least they were right: they were disowned after the war, though only partially.


If that helps to compartment knowledge in order to further UK security, one can expect it, eventually.

Nothing is scarier to me than a distant techno landscape where knowledge in irresponsible or irrational hands can be used for unimaginable horrors. Such extreme measures as censorship of undergrad STEM education would, in such a case, seem appealing to authorities.

Encryption offers table stakes for weaponization of math. I do, however, agree in spirit with your slippery slope arg


Cryptography is in the forbidden library Harry

So basically... computers. That have been either modified, or created, in such a way that they are illegal. They do not actually specify how. The phrasing is "modified and bespoke devices that enable access to platforms [...] where the software/hardware has been developed to anonymise its users and their communications".

Now... of course, we can always trust the good intentions of government bodies and agencies wink but it sounds like by this definition, installing Tor and a couple of apps that use it onto a phone could qualify as a "sophisticated encrypted communication device."

It seems that in a race to the bottom, the UK government is always a few steps further ahead of their peers.


So... computers running firewall software? Perhaps browsers with TLS support and anonymous mode as well?

Do cellphones qualify? They are very sophisticated and full of encryption...

“Sophisticated encrypted communication devices have been used extensively by criminals to facilitate organised crime. We’re targeting the modified and bespoke devices that enable access to platforms, similar to Encro Chat, where the software/ hardware has been developed to anonymise its users and their communications and its user base is assessed to be almost certainly criminal. Under Option 1 where articles will be specified, we will be targeting those that supply, modify, and possess these bespoke devices; the provisions will not apply to commercially available mobile phones nor the encrypted messaging apps available on them.”

Seems to suggest that handsets explicitly made for anonymous encryption could be banned, but not messaging apps on normal phones.


How can it possibly matter that the “user base is assessed to be almost certainly criminal”? Like, if you criminalize using such a device, I suppose the whole user base is now criminal. But if they already were and you can prove it, why do you need to criminalize the device as well?

Here is an example they give:

>The case relates to an alleged conspiracy to transfer cash in excess of £10m out of the UK.

>A number of defendants were charged with conspiracy to remove criminal property from England and Wales contrary to section 1(1) of the Criminal Law Act 1977. Mr A was a relative of one of the defendants (Mr B). They both lived at the same address. When Mr B was arrested, the officers recovered an encrypted EncroChat telephone which Mr A admitted was his. Another defendant (Mr C) stated that he had been instructed to call Mr A on the EncroChat telephone once he had safely boarded the flight with the cash.

>Mr A denied any knowledge or involvement in any of the criminal activities. Mr A had no legitimate income that would have allowed him to own and maintain such an expensive mobile device.

>Based on available intelligence, the investigating team strongly believed that Mr A had been supplied with the EncroChat telephone by an OCG for the purpose of carrying out conduct in furtherance of the conspiracy. However, investigators were unable to access any data from the telephone due to the device’s security features which led to the data automatically deleting after a few days. It was assessed that there was not sufficient evidence to seek to prosecute Mr A under existing offences.

It doesn't really make sense to me though. Presumably the penalty if he were to unlock the phone would have been way higher than the penalty they are going to create for possessing such a device.


No. They state this quite clearly.

> "the provisions will not apply to commercially available mobile phones nor the encrypted messaging apps available on them"

They say they're going after bespoke devices whose "user base is assessed to be almost certainly criminal". Of course, that's very open to interpretation.

Also they go on to discuss how simply providing or possessing one of these devices should be a crime in itself because of the "difficulty of identifying legitimate uses for such technology". It's the classic "If you're trying to hide something you must be a criminal" approach.


The legitimate use for such technology is I want my communications to remain private. I get that that is inconvenient for those who might wish to surveil me, but their right to not be inconvenienced is less important than my right to private speech. (I'm speaking from a US perspective here, not a UK one.)

> "the provisions will not apply to commercially available mobile phones nor the encrypted messaging apps available on them"

Which then implies that commercial devices can be eavesdropped at will by the government.


sophisticated as in "we tried to decipher or wiretap it and failed at both"

This presumably would criminalize E2E encryption apps like iMessage, FB, Whatsapp, Signal etc. All of these are popular enough on their own that I don't see how you can reasonably go this approach. We'll find out quickly though about which clients have backdoors based on the exception list.

do any of those services anonymize the social graph?

law enforcement cares less about what people are saying, more about who is talking to who


Signal certainly does. That’s what they’re famous for.

"the provisions will not apply to commercially available mobile phones nor the encrypted messaging apps available on them"

So, all you have to do is make these devices be “mobile phones” and “commercially available”?

Is selling a device on Ali Express enough to qualify?


Nathan Fielder would be proud. This policy will be easily avoided by any serious manufacturer of devices like these.

That is a great question.

Almost enough to undermine your faith in commercially available mobile phone encryption, hm?

GrapheneOS? It's not really commercial, is it?

From the linked PDF:

> "This option would require the drafting of precise definitions of the specific articles, for example a definition of sophisticated encrypted communication devices which does not include all mobile phones."


One more from the new, independent Britain =)

> An offence of making, modifying, supplying, offering to supply a specified article where a person has reasonable grounds to suspect that it will be used in any serious crime.

Looks broad enough to cover any object. I have reasonable ground to suspect that of all the hammers sold in the UK, some will be used to break a window. It would certainly catch exploit toolkits, even if their primary intended use is pen testing. How can you not suspect someone will use it to break into some system? And VPNs, ISPs, etc.


Always be wary of government proposals to criminalize things that the government itself does. It can never be good for the citizens.

First they came for financial privacy, and I did not speak out - because I did respect care about financial privacy…

Can't they just criminalize crime and put away the bad guys so that good people can enjoy society?

I can sorta get where they're going with this on the Encro example given, but that line seems impossible to define.

"Sophisticated encrypted communication devices" is a complete and utter joke in a world where even the memes are https encrypted


>"Home Office"

Is that you Xi?


Is Vernam cypher sophisticated?

Much democracy...

Man... I wonder why people will stop denying/ignoring such criticism like the one in my parent comment and start calling a spade a spade. Police bill, online censorship, and now banning encryption along with all the rest that is happening in the UK. It's going towards a hellhole. Denying reality won't change the reality. It didn't change it during and after the Brexit debacle. It won't change it now. Things will only change when people stop denying reality and take matters into their own hands.

The proposal does not seek to simply ban encryption.

> Sophisticated encrypted communication devices have been used extensively by criminals to facilitate organised crime. We’re targeting the modified and bespoke devices that enable access to platforms, similar to Encro Chat, where the software/ hardware has been developed to anonymise its users and their communications and its user base is assessed to be almost certainly criminal. Under Option 1 where articles will be specified, we will be targeting those that supply, modify, and possess these bespoke devices; the provisions will not apply to commercially available mobile phones nor the encrypted messaging apps available on them. The proposed offences will seek to tackle those supplying and exploiting these devices in order to carry out serious crimes and will seek to reduce the supply of these devices to serious criminals


> The proposal does not seek to simply ban encryption.

They're not that dumb. They'll chip away at our rights however they can, gradually, so we hardly even notice.

In the US for instance, there's no way they'll be banning guns overnight. But it's clearly the end goal: they're hoping to reduce death count by making guns disappear, and sacrifice the second amendment in the process. Right now though they're content with an "assault weapons" ban that alone won't work, but is a step towards banning guns. Next time they'll limit ammunitions. Then the places you can carry your gun to. You get the idea.

Conversely, I'm pretty sure the states who are banning abortion in the name of "saving babies" are sticking their head in the sand that such legislation tends to lead to later abortions (like, you know, when the foetus is closer to being an actual human being?), pregnancy related deaths, that kind of thing. But the end goal of some of those people is probably to outlaw any form of contraception, and maybe sex before marriage while we're at it. Like the "good Christians" they are, they are going to make abstinence work. It doesn't (hormone driven young people don't abstain for some reason), but they'll make it work, promise.

Right now the French government is trying to pass a law to increase the legal retirement age. Won't do much, but it's yet a small step in a long series about making us work until we die. The end goal? As far as I can tell this is carrying the neo-liberalism ideology, turning everything into marketable goods. And among them there definitely are people who would love to increase unemployment rates (raising retirement age mechanically does that), so they can negotiate lower salaries and make higher profits (at least in the short term).

That pendulum used to swing the other way: we were lowering the work-week, the retirement age… We were raising the minimum wage. The end goal was clearly to maximise the free time of everyone, and we'll automate everything to further that goal if we need to.

Or the mandatory contributions to various nationalised services, like the hospital, unemployment insurance, or retirement: those are clearly a step towards Socialism with a big "S", where lucrative property (the stuff that gives you money just because it's yours) is abolished, workers are in full possession of their own tools, and in the extreme you could go full Communism with guaranteed salary for everyone (though we still need incentives to make sure the necessary work is being done).

---

Most proposed legislations aren't designed or proposed in a vacuum. They're almost part of a more or less coherent ideology, that some people want to push everyone towards. Slippery slope arguments are often valid because there are people out there actively waxing those slopes. Now it would be nice to have a compromise, meet in the middle… but in reality the middle is shifting too. So it's pretty important to identify the ideologies behind proposals, and know which you subscribe to and which you want to fight.

Me, I'm fighting the ideology that says privacy is not such a big deal. Sorry folks, my ideology is that privacy is a human right. Talking to people and being sure no one is snooping is a human right. Doesn't matter if the other person is in the same room or halfway across the world, private conversations are a human right.

This proposal here? It's a step towards encroaching that human right. I'm not British so I don't have a say, but if I did: no thanks.


Elected representatives voting for a bill? Yes you are right that is democracy.

I feel like you wanted a different word for this.


It's only democracy if the people would actually have voted for those laws.

We have many, many examples demonstrating without the shadow of a doubt that elected representatives are often a pretty bad proxy for the actual will of the people.

There's a bill in the works right now in France to increase the legal retirement age, that we have excellent reasons to believe over 2/3rd of the population is against. Yet the politicians are very likely to vote for it (or something similar) anyway.

Elections don't make a democracy.


I think the problem is fetishizing democracy when it's the least relevant philosophy here. Speaking of France in particular: Liberté, égalité, fraternité. Democracy is nice after all of these things, but it doesn't even make the top 3.

The problem with the proposed laws is that they violate fundamental principles of liberty and equality, not that they're undemocratic.


Here's my wager: the informed will of the people would never pass laws that violate fundamental properties of liberty and equality. Thus, any law that violates them is necessarily undemocratic, because it would go contrary to the informed will of the people.

Emphasis on informed. I wouldn't trust a surprise referendum. I would trust a process where we first gather a congress of 300 randos, let them reflect on the issue for a few weeks or months, then let them explain their conclusions and decisions on national television for a couple weeks, and then do the referendum.

I mean, if this process actually results in laws that violate the fundamental principles we might as well just give up and let the world burn.


Well... if it was 300 anonymous, sequestered randos, with access to objective information about the subject, that might work. 300 randos being bombarded with intense lobbying and biased information? That still might work out better than the legislature, but I would trust it considerably less than the sequestered randos.


