UK Government vs Encryption

The Washington Post reports:

Security officials in the United Kingdom have demanded that Apple create a back door allowing them to retrieve all the content any Apple user worldwide has uploaded to the cloud.

The British government's undisclosed order, issued last month, requires blanket capability to view fully encrypted material, not merely assistance in cracking a specific account, and has no known precedent in major democracies. Its application would mark a significant defeat for tech companies in their decades-long battle to avoid being wielded as government tools against their users.

Rather than break the security promises it made to its users everywhere, Apple is likely to stop offering encrypted storage in the U.K., the people said. Yet that concession would not fulfill the U.K. demand for backdoor access to the service in other countries, including the United States.

The Home Office has served Apple with a document called a technical capability notice, ordering it to provide access under the sweeping U.K. Investigatory Powers Act of 2016, which authorizes law enforcement to compel assistance from companies when needed to collect evidence'

Apple can appeal the U.K. capability notice to a secret technical panel, which would consider arguments about the expense of the requirement, and to a judge who would weigh whether the request was in proportion to the government's needs. But the law does not permit Apple to delay complying during an appeal. Apple would also be barred from warning its users that its most advanced encryption no longer provided full security.

Meredith Whittaker, president of the nonprofit encrypted messenger Signal, said:

Using Technical Capability Notices to weaken encryption around the globe is a shocking move that will position the UK as a tech pariah, rather than a tech leader. If implemented, the directive will create a dangerous cybersecurity vulnerability in the nervous system of our global economy.

An article from computerweekly.com provides some interesting details about the secret technical panel which hears appeals about unviable technical capability notices. It is called the Technical Advisory Board (TAB) and is charged with reviewing secret legal orders given to internet communications companies to arrange surveillance of their users, and to copy their emails and files, or to monitor their calls and videos.

Enquiries by Computer Weekly this week revealed, astonishingly, that the Home Office had failed to renew the contracts for TAB members so maybe there is a little disarray there.

Apple says it will remove services such as FaceTime and iMessage from the UK rather than weaken security if new UK government proposals are made law and acted upon.

The government is seeking to update the Investigatory Powers Act (IPA) 2016. It wants messaging services to clear security features with the Home Office before releasing them to customers. The act lets the Home Office demand security features are disabled, without telling the public. Under the update, this would have to be immediate.

Currently, there has to be a review, there can also be an independent oversight process and a technology company can appeal before taking any action.

WhatsApp and Signal are among the platforms to have opposed a clause in the Online Safety Bill allowing the communications regulator to require companies to install technology to scan for child-abuse material in encrypted messaging apps and other services.

The government has opened an eight-week consultation on the proposed amendments to the IPA. , which already enables the storage of internet browsing records for 12 months and authorises the bulk collection of personal data.

Apple has made a  9 page submission to the current consultation opposing the snooping proposal:

It would not make changes to security features specifically for one country that would weaken a product for all users. Some changes would require issuing a software update so could not be made secretly The proposals constitute a serious and direct threat to data security and information privacy that would affect people outside the UK.

To: Chloe Smith, Secretary of State, Department for Science, Innovation and Technology
cc: Tom Tugendhat, Minister of State for Security, Home Office Paul Scully, Minister for Tech and the Digital Economy Lord Parkinson of Whitley Bay

Dear Ms Smith,

We are over 80 national and international civil society organisations, academics and cyberexperts. We represent a wide range of perspectives including digital human rights and technology.

We are writing to you to raise our concerns about the serious threat to the security of private and encrypted messaging posed by the UK's proposed Online Safety Bill (OSB).

The Online Safety Bill is a deeply troubling legislative proposal. If passed in its present form, the UK could become the first liberal democracy to require the routine scanning of people's private chat messages, including chats that are secured by end-to-end encryption. As over 40 million UK citizens and 2 billion people worldwide rely on these services, this poses a significant risk to the security of digital communication services not only in the UK, but also internationally.

End-to-end encryption ensures the security of communications for everyone on a network. It is designed so that no-one, including the platform provider, can read or alter the messages. The confidentiality between sender and recipient is completely preserved. That's why the United Nations, several human rights groups, and anti-human trafficking organisations alike have emphasised that encryption is a vital human rights tool.

In order to comply with the Online Safety Bill, platform providers would have to break that protection either by removing it or by developing work-arounds. Any form of work-around risks compromising the security of the messaging platform, creating back-doors, and other dangerous ways and means for malicious actors and hostile states to corrupt the system. This would put all users in danger.

The UK government has indicated its intention for providers to use a technology that would scan chats on people's phone and devices -- known as client-side scanning. The UK government's assertion that client-side scanning will not compromise the privacy of messages contradicts the significant evidence of cyber-security experts around the world. This software intercepts chat messages before they are encrypted, and as the user is uploading their images or text, and therefore confidentiality of messages cannot be guaranteed. It would most likely breach human rights law in the UK and internationally.

Serious concerns have also been raised about similar provisions in the EU's proposed Child Sexual Abuse Regulation, which an independent expert study warns is in contradiction to human rights rules. French, Irish and Austrian parliamentarians have all also warned of severe threats to human rights and of undermining encryption.

Moreover, the scanning software would have to be pre-installed on people's phones, without their permission or full awareness of the severe privacy and security implications. The underlying databases can be corrupted by hostile actors, meaning that individual phones would become vulnerable to attack. The breadth of the measures proposed in the Online Safety Bill -- which would infringe the rights to privacy to the same extent for the internet's majority of legitimate law-abiding users as it would for potential criminals -- means that the measures cannot be considered either necessary or proportionate.

The inconvenient truth is that it is not possible to scan messages for bad things without infringing on the privacy of lawful messages. It is not possible to create a backdoor that only works for good people and that cannot be exploited by bad people.

Privacy and free expression rights are vital for all citizens everywhere, in every country, to do their jobs, raise their voices, and hold power to account without arbitrary intrusion, persecution or repression. End-to-end encryption provides vital security that allows them to do that without arbitrary interference. People in conflict zones who rely on secure encrypted communications to be able to speak safely to friends and family as well as for national security. Journalists around the world who rely on the confidential channels of encrypted chat, can communicate to sources and upload their stories in safety.

Children, too, need these rights, as emphasised by UNICEF based on the UN Convention of the Rights of the Child. Child safety and privacy are not mutually exclusive; they are mutually reinforcing. Indeed, children are less safe without encrypted communications, as they equally rely on secure digital experiences free from their data being harvested or conversations intercepted. Online content scanning alone cannot hope to fish out the serious cases of exploitation, which require a whole-of-society approach. The UK government must invest in education, judicial reform, social services, law enforcement and other critical resources to prevent abuse before it can reach the point of online dissemination, thereby prioritising harm prevention over retrospective scanning.

As an international community, we are deeply concerned that the UK will become the weak link in the global system. The security risk will not be confined within UK borders. It is difficult to envisage how such a destructive step for the security of billions of users could be justified.

The UK Prime Minister, Rishi Sunak, has said that the UK will maintain freedom, peace and security around the world. With that in mind, we urge you to ensure that end-to-end encrypted services will be removed from the scope of the Bill and that the privacy of people's confidential communications will be upheld.

Signed,

Access Now, ARTICLE 19: Global Campaign for Free Expression, Asociatia pentru Tehnologie Ui Internet (ApTI), Associação Portuguesa para a Promoção da Segurança da Informação (AP2SI), Association for Progressive Communications (APC), Big Brother Watch, Centre for Democracy and Technology, Chaos Computer Club (CCC), Citizen D / Drzavljan D, Collaboration on International ICT Policy for East and Southern Africa (CIPESA), Community NeHUBs Africa, cyberstorm.mu, Defend Digital Me, CASM at Demos, Digitalcourage, Digitale Gesellschaft, DNS Africa Media and Communications, Electronic Frontier Finland, Electronic Frontier Foundation (EFF), Electronic Frontier Norway, Epicenter.works, European Center for Not-for-Profit Law, European Digital Rights (EDRi), European Sex Workers Rights Association (ESWA), Fair Vote, Fight for the Future, Foundation for Information Policy Research, Fundación Cibervoluntarios, Global Partners Digital, Granitt, Hermes Center for Transparency and Digital Human Rights, Homo Digitalis, Ikigai Innovation Initiative, Internet Society, Interpeer gUG, ISOC Brazil -- Brazilian Chapter of the Internet Society, ISOC Ghana, ISOC India Hyderabad Chapter, ISOC Venezuela, IT-Pol, JCA-Net (Japan), Kijiji Yeetu, La Quadrature du Net, Liberty, McEvedys Solicitors and Attorneys Ltd, Open Rights Group, OpenMedia, OPTF, Privacy and Access Council of Canada, Privacy International, Ranking Digital Rights, Statewatch, SUPERRR Lab, Tech for Good Asia, UBUNTEAM, Wikimedia Foundation, Wikimedia UK

Professor Paul Bernal, Nicholas Bohm, Dr Duncan Campbell, Alan Cox, Ray Corrigan, Professor Angela Daly, Dr Erin Ferguson, Wendy M. Grossman, Dr Edina Harbinja, Dr Julian Huppert, Steve Karmeinsky, Dr Konstantinos Komaitis, Professor Douwe Korff, Petr Kucera, Mark A. Lane, Christian de Larrinaga, Mark Lizar, Dr Brenda McPhail, Alec Muffett, Riana Pferfferkorn, Simon Phipps, Dr Birgit Schippers, Peter Wells, Professor Alan Woodward

The boss of WhatsApp says it will not lower the security of its messenger service. Will Cathcart told the BBC.

If asked by the government to weaken encryption, it would be very foolish to accept.

We continue to work with the tech sector to support the development of innovative technologies that protect public safety without compromising on privacy.

End-to-end encryption (E2EE) provides the most robust level of security, because - by design - only the intended recipient holds the key to decrypt the message, which is essential for private communication.

The technology underpins the online exchanges on apps including WhatsApp and Signal and - optionally - on Facebook messenger and Telegram. Only the sender and receiver can read those messages - not law enforcement or the technology giants.

The UK government wants phone software to scan people's phones for banned material prior to being encrypted for a message.

Cathcart explained:

Client-side scanning cannot work in practice. Because millions of people use WhatsApp to communicate across the world, it needs to maintain the same standards of privacy across every country.

If we had to lower security for the world, to accommodate the requirement in one country, that...would be very foolish for us to accept, making our product less desirable to 98% of our users because of the requirements from 2%.

What's being proposed is that we - either directly or indirectly through software - read everyone's messages. I don't think people want that.

Ella Jakubowska, policy adviser at campaign group European Digital Rights, said:

Client-side scanning is almost like putting spyware on every person's phone. It also creates a backdoor for malicious actors to have a way in to be able to see your messages.

The UK Government believes that British people should sacrifice protection against internet scammers, spammers and thieves in the name of being able to scan people's messages looking for child porn.

Perhaps a little like unacceptably asking people not to use door locks so that the police can always drop in to people's homes to check for child abuse.

Now it seems that the government is going to extremes to forward their beliefs by setting up a fake campaign website to pretend that people are calling for the removal of their basic internet security of end to end encryption used in several messaging apps.

Rollin Stone magazine has revealed:

The Home Office has hired the M&C Saatchi advertising agency -- a spin-off of Saatchi and Saatchi, which made the Labour Isn't Working election posters, among the most famous in UK political history -- to plan the campaign, using public funds.

A Home Office spokesperson said in a statement.

We have engaged M&C Saatchi to bring together the many organisations who share our concerns about the impact end-to-end encryption would have on our ability to keep children safe/

In response to a Freedom of Information request about an upcoming ad campaign directed at Facebook's end-to-end encryption proposal, The Home Office disclosed that, Under current plans, £534,000 is allocated for this campaign.

Offsite Comment: Why we need End To End Encryption

...And why it's essential for our safety, our children's safety, and for everyone's future

18th January 2022. See article from alecmuffett.com by Alec Muffett

The UK government has announced that it is funding five projects to snoop on your device content supposedly in a quest to seek out child porn. But surely these technologies will have wider usage.

The five projects are the winners of the Safety Tech Challenge Fund, which aims to encourage the tech industry to find practical solutions to combat child sexual exploitation and abuse online, without impacting people's rights to privacy and data protection in their communications.

The winners will each receive an initial £85,000 from the Fund, which is administered by the Department for Digital, Culture, Media and Sport (DCMS) and the Home Office, to help them bring their technical proposals for new digital tools and applications to combat online child abuse to the market.

Based across the UK and Europe, and in partnership with leading UK universities, the winners of the Safety Tech Challenge Fund are:

• Edinburgh-based Cyan Forensics and Crisp Thinking, in partnership with the University of Edinburgh and Internet Watch Foundation, will develop a plug-in to be integrated within encrypted social platforms. It will detect child sexual abuse material (CSAM) - by matching content against known illegal material.
• SafeToNet and Anglia Ruskin University will develop a suite of live video-moderation AI technologies that can run on any smart device to prevent the filming of nudity, violence, pornography and CSAM in real-time, as it is being produced.
• GalaxKey, based in St Albans, will work with Poole-based Image Analyser and Yoti, an age-assurance company, to develop software focusing on user privacy, detection and prevention of CSAM and predatory behavior, and age verification to detect child sexual abuse before it reaches an E2EE environment, preventing it from being uploaded and shared.
• DragonflAI, based in Edinburgh, will also work with Yoti to combine their on-device nudity AI detection technology with age assurance technologies to spot new indecent images within E2EE environments.
• T3K-Forensics are based in Austria and will work to implement their AI-based child sexual abuse detection technology on smartphones to detect newly created material, providing a toolkit that social platforms can integrate with their E2EE services.

Haha he thought he was protected by a level 5 lock spell, but every bobby on the street has a level 6 unlock spell, and the bad guys have level 10.

The Government is playing silly games trying to suggest ways that snooping backdoors on people's encrypted messaging could be unlocked by the authorities whilst being magically safe from bad guys especially those armed with banks of Chinese super computers.

The government wants to make backdoors mandatory for messaging and offers a worthless 'promise' that authority figures would need to agree before the police are allowed to use their key to unlock messages.

Andersen Cheng, chief executive of Post-Quantum, a specialist encryption firm working with Nato and Government agencies, said a virtual key split into five parts - or more - could unlock messages when all five parties agreed and the five key fragments were joined together.

Those five parties could include the tech firm like Facebook, police, security service or GCHQ, an independent privacy advocate or specialist similar to the independent reviewer of terror legislation and the judge authorising the warrant.

Cheng's first company TRL helped set up the secure communications system used by 10 Downing Street to talk with GCHQ, embassies and world leaders, but I bet that system did not include backdoor keys.

The government claims that official access would only be granted where, for example, the police or security service were seeking to investigate communications between suspect parties at a specific time, and where a court ruled it was in the public or nation's interest.

However the government does not address the obvious issue of bad guys getting hold of the keys and letting anyone unlock the messages for a suitable fee. And sometimes those bad guys are armed with the best brute force code cracking powers in the world.

The Five Eyes governments of the UK, US, Canada, Australia and New Zealand have threatened the tech industry to voluntarily create backdoor access to their systems, or be compelled to by law if they don't.

The move is a final warning to platform holders such as WhatsApp, Apple and Google who deploy encryption to guarantee user privacy on their services. A statement by the Five Eyes governments says:

Encryption is vital to the digital economy and a secure cyberspace, and to the protection of personal, commercial and government information ...HOWEVER.. . the increasing use and sophistication of certain encryption designs present challenges for nations in combating serious crimes and threats to national and global security.

Many of the same means of encryption that are being used to protect personal, commercial and government information are also being used by criminals, including child sex offenders, terrorists and organized crime groups to frustrate investigations and avoid detection and prosecution.

If the industry does not voluntarily establish lawful access solutions to their products the statement continued, we may pursue technological, enforcement, legislative or other measures to guarantee entry.

The recent TalkTalk hacking seems to have taught David Cameron a lesson on how important it is to keep data safe and encrypted.

The topic came yup this week in the House of Lords when Joanna Shields, minister for internet safety and security, confirmed that the government will not pass laws to ban encryption. and that the government has no intention of introducing legislation to weaken encryption or to require back doors.

The debate was brought by Liberal Democrat Paul Strasburger, who claimed Cameron does not seem to get the need for strong encryption standards online, with no back door access. Strasburger said:

[Cameron] three times said that he intends to ban any communication 'we cannot read', which can only mean weakening encryption. Will the Minister [Shields] bring the Prime Minister up to speed with the realities of the digital world?

Liberal Democrat peer Lord Clement-Jones asked if she could absolutely confirm that there is no intention in forthcoming legislation either to weaken encryption or provide back doors.

Shields denied Cameron intended to introduce laws to weaken encryption and said:

The Prime Minister did not advocate banning encryption; he expressed concern that many companies are building end-to-end encrypted applications and services and not retaining the keys.

She then seemingly contradicted herself by adding that companies that provide end-to-end encrypted applications, such as Whatsapp, which is apparently used by the terror group calling itself Islamic State, must be subject to decryption and that information handed over to law enforcement in extremis .