They aren't giving up, they are just waiting as they "only have to get lucky once"
Meanwhile those who recognize the issue instead must live by the maxim "Eternal vigilance is the price of liberty"
We should be in a world where "I want to ban encryption" results in "Of course not, and your career in politics is now over". We should be in a world where "I want to ban encryption" results in "No, in fact here are a bunch of laws enshrining the right to encryption and privacy". We should be in a world where everyone building encryption technologies is building it in a fashion not just resistant to but actively hostile to any ability to control or backdoor it.
"No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."
Banning encryption constitutes "arbitrary interference with his privacy, family, home or correspondence" in my view, but it should be taken to (constitutional?) court.
I think they finally gave that one up.
You could infer from that, that the vans were for show and a shock tactic only.
It's not impossible, I'm sure.
Back in the CRT days it was reasonably possible to detect a TV program from the intermediate frequency from UHF stations, but more difficult (but not impossible, see TEMPEST) due to direct conversion by SDRs. These side channel attacks can be found here: https://en.wikipedia.org/wiki/Van_Eck_phreaking
Sensitivity of the equipment and picking up the signal from the roadside would have probably been impossible in the 60s-80s. But again it's a capability you don't want your cold-war enemies (or allies) knowing about.
Also, being able to prove that the signal was the defendant's, in a way that would convince a jury, might have been difficult.
I'm sure some experienced radio hams/RF engineers will weigh in and correct me if I'm way off base here.
When their idiocy demands something that would cause the utter destruction of civilization as we know it (such as banning encryption) they back off. If it makes it harder for the old person to access porn, they back off.
But when the consequences won’t manifest themselves before 2-3 years, they go ahead and then blame the EU or the Albanians. Let me know if they have chickenpox vaccines, Zoely (the contraceptive pill) and lactose free milk in your area. My stockpile of Calpol should be enough to survive the current shortage.
These policies will get implemented as soon as we are sick of being outraged.
What this appears to be about is not encrypted messengers but rather particular brands of modded Android phones that are used exclusively for organized crime.
That doesn't mean you should support the proposal, but if you're reading it as "the UK is trying to ban encryption outright", that's not the whole story.
As others have pointed out - once the precedent is in place, what is stopping them from deciding that some other piece of software superficially matches the law close enough that the police will ding you for it? After all, this is policing 101, where they use whatever laws are on the book as leverage for something totally unrelated to the laws they're using.
Having a look at the wording on offer:
- An offence of making, modifying, supplying, offering to supply a specified article
where a person has reasonable grounds to suspect that it will be used in any serious
- An offence of possessing any specified article where a person intends or, has
reasonable grounds to suspect, that it will be used in any serious crime.
Every time we get new laws like this, we take a step towards the police being able to arrest anyone, for any reason, at any time.
1. The entire UK economy is dependent on everyone having access to cryptography so good that even Russia can't break it, therefore it is of paramount national interest that everyone does have access to it.
2. Bad people will use the exact same tech to avoid detection while planning and committing major crimes that have the potential to escalate to the level of undermining the state.
The only way to prevent #2 is to enforce extremely luddite laws that mess up #1.
In reality things get much harder to guess at when pontificating from armchairs, as when you have to account for the fact that the government and police aren't actually trying to perfectly enforce any specific law — not even the ones we all grew up assuming they "surely must" fully enforce because they were the worst horrors in the newspapers — it stops being clear how much any given law is supposed to help nor how much harm it will cause.
That's often how they think, but of course it isn't true.
The FBI has had good success with another route:
Then there's just good old fashioned good police work. Informants. In-person Surveillance. Sting operations.
It's interesting that the UK is (as usual) taking the approach of designating particular technologies to be bad because they facilitate crime, and thus presumptively assigning criminal liability to their manufacture. Perhaps it's because the technology can be described in abstract terms, similar to a patent. A more expedient approach (like saying 'I notice, sir, that 95% of your customers are criminals') founders on the dilemma of needing a new kind of legal theory to address the criminal supplier's plausible deniability, or an elaborate and uncertain investigation to discern just how product X gained the approval of the criminal class to become established as a standard.
It's also interesting how non-geeky criminals want a walled garden ecosystem with very limited configurability, so they can outsource the technical decision-making to some underworld equivalent of Steve Jobs instead of having to promulgate standards of digital security practices.
Except laws are not effective in preventing #2 because bad people, by definition, are happy to break the law. Such pre-emptive laws mostly annoy honest, law abiding citizens.
Elections can't come soon enough. These people are dangerous.
But isn't that the whole story? A device produced to securely encrypt data is proposed to be outlawed - if that's a physical device today, it'll be an algorithmic device tomorrow. A law against one effective safe is a law against all effective safes.
Any encryption device is "sophisticated" if it is useful. Maybe we could read it as "UK is trying to ban /useful/ encryption outright"
In fact their own laptops do, and often get left on trains.
This is yet another authoritarian power grab.
It's also a dangerous step in making the mere act of hiding from the government a crime.
(Not that I would trust the criminal's supply chain, mind you.)
Here's an extra challenge: how do you know that a given device is "favoured by criminals"? Where did you acquire that knowledge, and how sure are you of it?
If it's just from randos on the Internet, even if you aggregated opinions of many such randos, it's likely the result is still wrong. Or worse, a honeypot. On the other hand, if you honestly have it on good authority from actual users with skin in the game... then you're probably already in - on the crime part.
EDIT: And, on the off chance the actual preference of experienced criminals becomes public knowledge, guess which tool the law enforcement will focus on breaking and circumventing?
This kind of security has an anti-inductive quality similar to that of the stock market: if you learn some information that could let you beat the market, most likely the information is either wrong, or has already been exploited to the point of diminishing returns.
I was dissatisfied with the state of the art, which did not seem to provide the simple solutions I thought the world deserves. (My subject at the time was file encryption.) Even cryptographic libraries left something to be desired, including libsodium itself, despite the ton of respect I have for this library.
So I experimented with my own thing, and ended up finding a sweet spot between portability, performance, and simplicity. A surprising benefit was the embedded market: Monocypher can go where libsodium doesn't, and is to this day one of the fastest cryptographic libraries on micro-controllers.
Long story short, I don't have to rely on some reputation game to evaluate the security of something. I have the expertise to look at it more directly, and if need be do much of it myself. I have, and will, but I do hope the world doesn't turn so badly that my own expertise becomes more reliable than good external sources.
It really is though.
They’ll always have a good reason to present, and they’ll always say it won’t go any further.
If I were in this market, I’d be more suspicious of some modified device sold specifically to unsavory characters. It would be a great target for the government to compromise.
But imagine you're the tech-smart mobster trusting your freedom to the rest of the mobsters. You really want to play text support, or you just gonna properly set up Signal to auto-destruct and pre-verify safety number and give those devices out?
The well known "phantom secure" custom firmware phones sold years ago for organized crime type people.
Then google "Vancouver Canada casino money laundering".
I would think that any sufficiently sophisticated organized crime group in 2023 would consider any "special" secure phone sold with such software to be a honeypot, and either DIY it or come up with some other method. This sort of thing would be purchased by clueless/gullible mid and low level people only now.
And therefore should actually be subsidized immediately.
Low-hanging fruit collection, while looking good on a poster, will never be as effective as neutralizing high-level actors.
This is the same logic that makes it a jailable offence to steal a loaf of bread, but stealing someone's life savings and disappearing it through fraud or malfeasance gets you a shot on getting on a Board someday.
Seriously police should be thanking the makers of this device that enabled the UK to arrest 2,864 criminals.
In the case of encrypted phones the current laws are working.
Would this make any smartcard-enabled messaging or email client suddenly "sophisticated encrypted communication"?
I think we should just leave them to it......
The paper makes it sound like the intent is to target services that are advertised as being used for crime. While that is a judgement call, I do appreciate that standard devices / standard apps are not being targeted.
On its surface it seems pretty straightforward. If you are advertising "Crime Talk as a Service", you'll probably be investigated and this gives a clear policy decision. If you are advertising "Anonymous chats away from nosy spouses" the police will have to do a _smidge_ more legwork to build a case.
Examples in the UK are many, you can go back 20-30 years when CCTV and surveillance started, powers aimed at "serious" things, resulting in local councils buying night vision goggles to make sure people are using the right bins.
I think this is the critical point though. It leaves a lot of room to criminalize any type of encrypted communication device
Slow boil principle.
"...the prosecution would need to show that the accused had reasonable grounds to suspect that the article they are making, modifying, supplying, offering to supply or possessing will be used in serious crime."
In other words, they're not proposing to criminalize "sophisticated encryption devices" except when associated with crime.
I think the HN headline is misleading by omitting this distinction.
You make a secure messaging service/protocol/app. It takes off, getting 100k+ users. The police send you a letter (gag order included) informing you 10 of those users are under investigation for "serious crime".
Now that you have reasonable grounds to suspect your service is used in "serious crime", you can either immediately shut it down and stop distribution and support of the code, or take the police's generous offer to stay prosecution against you if you sabotage your code and help them take down the bad guys. They pinky swear they won't use the vulnerabilities against anyone but "serious criminals".
There is no distinction.
This is, explicitly, one law for the corporations, and another for the commoners.
> It could in some cases criminalise those who did not suspect the articles would be used for serious crime. The justification for criminalising such people, who lack actual suspicion, is that the articles named in legislation are so closely associated with serious crime that it is appropriate to expect that those who are involved in making, modifying, supplying or offering to supply, or who are found in possession of such articles have at least a reasonable standard of awareness of the signs of criminal activity.
And then they say (in bold):
> Both options intend to better equip law enforcement agencies to target people supplying the tools of organised crime and people found in possession of those tools.
And in the EncroChat example they provided to justify their proposal, they say they lacked "sufficient evidence to seek to prosecute Mr A under existing offences" so they let him go. Presumably under the proposed law they would still be able to get him for possessing the EncroChat device.
Every single employee at Intel knows that terrorists probably have a Windows computer; and statistics say that half of those terrorists will be running an Intel-created chip.
> the provisions will not apply to commercially available mobile phones nor the encrypted messaging apps available on them
That said, I'm never a fan of any outlawing of encryption of any kind, so I do hope people in the respective jurisdictions voice their disagreement. I also imagine that what starts as "just criminal-focused services" will quickly expand to more popular stuff.
> I also imagine that what starts as "just criminal-focused services" will quickly expand to more popular stuff.
This comment seems to be incredibly misguided, all of Europe wants to destroy privacy.
CSAM is merely the trojan horse, it's not hard to see how this would be extended to ban wrongthink. After all, Germany and the UK already severely limit speech.
For example, the UK charged and convicted a young woman for posting the lyrics to a rap song in honor of her recently deceased friend because it happened to have the soft N-word in it. 
Europe has repeatedly and systematically attacked free speech and encryption on multiple fronts.
There are plenty of authoritarians and authoritarian proposals on either side of the English Channel.
Can someone explain to me how making something illegal actually prevents crime?
Is it really so difficult to prove crimes are being committed without making something illegal?
Why would anyone vote in favor of measures like this?
That's one bias: legislator wielding law to solve every and all problems like they would the proverbial hammer. Reinforced by the fact that they're public figures, surely they can't be caught doing nothing?
A second, more pernicious possibility, is to make illegal stuff that is highly correlated with actual crimes, such that law enforcement can now arrest people for innocuous things as a substitute for punishing them for the real thing. Think Al Capone being done for because of taxes of all things.
A third, positively alarming possibility, is to facilitate arbitrary arrests. Probably wasn't the intent (it rarely is), but it does give ammunition to future governments or law enforcement, should they need to stifle, silence, or discourage political opposition.
I think it's mostly this. If you read their example they're basically mad that they couldn't prove that the guy ("Mr A") had a bunch of illegal money.
People vote for it because there is plenty of cash to be made out of conditioning the public to feel as if they are under siege and danger lurks around every corner.
I'm sure that'll stop them. Good work chaps.
Apparently the government didn't see much of a problem with that classification until online merchants started wanting to encrypt credit card transactions in the mid-'90s, and the ball was slowly rolled uphill from there.
Since freedom of speech is no longer a value of the UK, the population can now be arrested for having files that the government doesn't care for.
Mirroring thingiverse? That's a crime now.
They want to have at least the same amount of power. The laws they propose are vague, open to interpretation and it means anyone could go to prison for anything if they do something the party doesn't like.
Privacy is illegitimate, apparently.
Think before you post or you may receive a visit from us this weekend. Use the internet safely.
-Glasgow Police, https://twitter.com/GreaterGlasgPol/status/71586727326166220...
Imagine this: someone doesn't like you and wants to harm you. They plant a USB stick with random data on it on you, or in your home. They call the authorities and tell a story about how you're colluding with terrorists, and the information you've been exchanging with terrorists is somehow in your possession.
The hard part would be to get someone to believe the story enough to get a search warrant, but if you're in a position of authority in the government, this isn't unreasonable.
Now the warrant is executed, your home is searched, and the USB stick is found. The data is examined, and the judge orders you to provide the means to decrypt it. Because you can't, and because the data is indistinguishable from real, encrypted data, the judge orders you held until you provide the keys.
Is this theoretical? No. It really could happen. The UK is a very, very scary place to be if you ever do anything that might piss off someone in power.
U.K. certainly is dangerous if you upset those in power.
(The first conceit of the story is that there were two Church-Turing Theses, and the second one would be so disastrous as public knowledge that it was immediately suppressed by Her Majesty's Government, known only to a select few and the folks they monitor and handle).
Politicians are idiots and the security services will play them like a fiddle.
From where, to where...
Still… I do hope even Texas bans some of those inappropriate uses of momentum. I do value the electrochemical impulses going on between my fellow meatbags' ears.
Obviously the intentions here are not to ban computations but devices doing computations that make the jobs of those people harder.
Heard of the coming war on general computation?
It gets old quickly to claim that "they introduced DRM" kind of things as if those things were imposed from the top and didn't happen within the dynamics of the businesses.
(They were lobbied from the dynamic of the businesses that wanted to enforce those DRMs, though.)
I never got an illuminati vibe from him. No grand conspiracy. Except maybe an unreasonably small number of people with an unreasonably large amount of money and influence having unsurprisingly converging interests that cause them to lobby for more or less the same things…
Who's "they", in my mind? I would say the owning class. Capitalists. People who make money because they have money. People who own the means of production, either directly or through shares. Those have historically been quite a bit more sympathetic to Fascism than anything resembling Socialism. I believe they still are now. Why would they not, it's in their material interest to be.
Remember what happened almost a century ago in Europe: both the far left and far right were rising. What did "they" the owner class choose? Fascism of course: Socialists and Communists would have disowned them, and they couldn't have that. And in France at the very least they were right: they were disowned after the war, though only partially.
Nothing is scarier to me than a distant techno landscape where knowledge in irresponsible or irrational hands can be used for unimaginable horrors. Such extreme measures as censorship of undergrad STEM education would, in such a case, seem appealing to authorities.
Encryption offers table stakes for weaponization of math. I do, however, agree in spirit with your slippery slope arg
Now... of course, we can always trust the good intentions of government bodies and agencies *wink* but it sounds like by this definition, installing Tor and a couple of apps that use it onto a phone could qualify as a "sophisticated encrypted communication device."
It seems that in a race to the bottom, the UK government is always a few steps further ahead of their peers.
Seems to suggest that handsets explicitly made for anonymous encryption could be banned, but not messaging apps on normal phones.
>The case relates to an alleged conspiracy to transfer cash in excess of £10m out of the UK.
>A number of defendants were charged with conspiracy to remove criminal property from England and Wales contrary to section 1(1) of the Criminal Law Act 1977. Mr A was a relative of one of the defendants (Mr B). They both lived at the same address. When Mr B was arrested, the officers recovered an encrypted EncroChat telephone which Mr A admitted was his. Another defendant (Mr C) stated that he had been instructed to call Mr A on the EncroChat telephone once he had safely boarded the flight with the cash.
>Mr A denied any knowledge or involvement in any of the criminal activities. Mr A had no legitimate income that would have allowed him to own and maintain such an expensive mobile device.
>Based on available intelligence, the investigating team strongly believed that Mr A had been supplied with the EncroChat telephone by an OCG for the purpose of carrying out conduct in furtherance of the conspiracy. However, investigators were unable to access any data from the telephone due to the device’s security features which led to the data automatically deleting after a few days. It was assessed that there was not sufficient evidence to seek to prosecute Mr A under existing offences.
It doesn't really make sense to me though. Presumably the penalty if he were to unlock the phone would have been way higher than the penalty they are going to create for possessing such a device.
> "the provisions will not apply to commercially available mobile phones nor the encrypted messaging apps available on them"
They say they're going after bespoke devices whose "user base is assessed to be almost certainly criminal". Of course, that's very open to interpretation.
Also they go on to discuss how simply providing or possessing one of these devices should be crime in itself because of the "difficulty of identifying legitimate uses for such technology". It's the classic "If you're trying to hide something you must be a criminal" approach.
Which then implies that commercial devices can be eavesdropped at will by the government.
law enforcement cares less about what people are saying, more about who is talking to who
Is selling a device on Ali Express enough to qualify?
> "This option would require the drafting of precise definitions of the specific articles, for example a definition of sophisticated encrypted communication devices which does not include all mobile phones."
Looks broad enough to cover any object. I have reasonable ground to suspect that of all the hammers sold in the UK, some will be used to break a window. It would certainly catch exploit toolkits, even if their primary intended use is pen testing. How can you not suspect someone will use it to break into some system? And VPNs, ISPs, etc.
"Sophisticated encrypted communication devices" is a complete and utter joke in a world where even the memes are https encrypted
Is that you Xi?
> Sophisticated encrypted communication devices have been used extensively by criminals to facilitate organised crime. We’re targeting the modified and bespoke devices that enable access to platforms, similar to Encro Chat, where the software/ hardware has been developed to anonymise its users and their communications and its user base is assessed to be almost certainly criminal. Under Option 1 where articles will be specified, we will be targeting those that supply, modify, and possess these bespoke devices; the provisions will not apply to commercially available mobile phones nor the encrypted messaging apps available on them. The proposed offences will seek to tackle those supplying and exploiting these devices in order to carry out serious crimes and will seek to reduce the supply of these devices to serious criminals
They're not that dumb. They'll chip away at our rights however they can, gradually, so we hardly even notice.
In the US for instance, there's no way they'll be banning guns overnight. But it's clearly the end goal: they're hoping to reduce death count by making guns disappear, and sacrifice the second amendment in the process. Right now though they're content with an "assault weapons" ban that alone won't work, but is a step towards banning guns. Next time they'll limit ammunitions. Then the places you can carry your gun to. You get the idea.
Conversely, I'm pretty sure the states who are banning abortion in the name of "saving babies" are sticking their head in the sand that such legislation tends to lead to later abortions (like, you know, when the foetus is closer to being an actual human being?), pregnancy related deaths, that kind of thing. But the end goal of some of those people is probably to outlaw any form of contraception, and maybe sex before marriage while we're at it. Like the "good Christians" they are, they are going to make abstinence work. It doesn't (hormone driven young people don't abstain for some reason), but they'll make it work, promise.
Right now the French government is trying to pass a law to increase the legal retirement age. Won't do much, but it's yet a small step in a long series about making us work until we die. The end goal? As far as I can tell this is carrying the neo-liberalism ideology, turning everything into marketable goods. And among them there definitely are people who would love to increase unemployment rates (raising retirement age mechanically does that), so they can negotiate lower salaries and make higher profits (at least in the short term).
That pendulum used to swing the other way: we were lowering the work-week, the retirement age… We were raising the minimum wage. The end goal was clearly to maximise the free time of everyone, and we'll automate everything to further that goal if we need to.
Or the mandatory contributions to various nationalised services, like the hospital, unemployment insurance, or retirement: those are clearly a step towards Socialism with a big "S", where lucrative property (the stuff that give you money just because it's yours) is abolished, workers are in full possession of their own tools, and in the extreme you could go full Communism with guaranteed salary for everyone (though we still need incentives to make sure the necessary work is being done).
Most proposed legislations aren't designed or proposed in a vacuum. They're almost part of a more or less coherent ideology, that some people want to push everyone towards. Slippery slope arguments are often valid because there are people out there actively waxing those slopes. Now it would be nice to have a compromise, meet in the middle… but in reality the middle is shifting too. So it's pretty important to identify the ideologies behind proposals, and know which you subscribe to and which you want to fight.
Me, I'm fighting the ideology that says privacy is not such a big deal. Sorry folks, my ideology is that privacy is a human right. Talking to people and being sure no one is snooping is a human right. Doesn't matter if the other person is in the same room or halfway across the world, private conversations are a human right.
This proposal here? It's a step towards encroaching that human right. I'm not British so I don't have a say, but if I did: no thanks.
I feel like you wanted a different word for this.
We have many, many examples demonstrating without the shadow of a doubt that elected representatives are often a pretty bad proxy for the actual will of the people.
There's a bill in the works right now in France to increase the legal retirement age, that we have excellent reasons to believe over 2/3rd of the population is against. Yet the politicians are very likely to vote it (or something similar) anyway.
Elections don't make a democracy.
The problem with the proposed laws is that they violate fundamental principles of liberty and equality, not that they're undemocratic.
Emphasis on informed. I wouldn't trust a surprise referendum. I would trust a process where we first gather a congress of 300 randos, let them reflect on the issue for a few weeks or months, then let them explain their conclusions and decisions on national television for a couple weeks, and then do the referendum.
I mean, if this process actually results in laws that violate the fundamental principles we might as well just give up and let the world burn.