
> other than the possibility of leaks of the nation’s most sensitive data

Amusing when you consider the National Cyber Security Centre (NCSC, a part of GCHQ), along with the Information Commissioner's Office, both publish guidance recommending, and describing how to use, encryption to protect personal and sensitive data.

Our government is almost schizophrenic in its attitude to encryption.




> Our government is almost schizophrenic in its attitude to encryption.

Of course: it's not a monolithic entity. It's a composite of different parts that have different goals and interests.


And yet if I steal your money and refuse to give it back, or let you steal it back, you'll call that hypocritical. What does the size of an entity have to do with whether this is idiotic or not?


You're not an entity, you're a person. Scale really does make a difference.


You're making the argument that the UK government will stop using encryption itself once the information about this becoming illegal makes it through the government.

It won't. The courts will refuse to force them to stop, and even if the courts attempt to force it, some government departments just won't listen, and be protected from the consequences.

This is another case of "the law applies to you, but not to me".


The law is that encrypted comms must be provided to the security services on request. This is not a problem for government agencies. It is not illegal per se.


I went digging a bit. No. You're wrong. You cannot substitute the law we're discussing with something else. If the law truly is that encrypted comms must be provided to the security services upon request, then Apple Encryption is not a problem. Security services simply should ask the owner of the iCloud account ...

So that's NOT what the law says.

The law says that private sector entities cannot have effective encryption (so NOT government agencies). Why do I put it like that? Because it MUST be possible for the security services to get access to any data they can intercept in any way WITHOUT telling/alerting the participants. They must be able to ALTER those communications. Or to make it more practical: any software maker MUST be able to provide access to any data the security services physically intercept, encrypted hard drives, ssh capture ... anything. And no, there is no exception for open source software.

ANYONE who puts this in software is criminally liable, as well as any firm (director/...) of any firm that has software doing this:

    // we're done with the key for this session, erase the key
    key := 0

Obviously this means any government agency that runs a https website is violating this law. Publish an iOS app? Violation! (you're using encryption that is designed not to let anyone, including you yourself, alter the app on the wire). Publish an Android app? Same. Publish a fucking rpm package on yum? (the signing code obviously violates this law). A fucking garbage collector violates this law. BUT ...

But there is one VERY specific limitation. Only the government gets to complain about this, and obviously, there are zero plans to enforce this equally. The government sure as hell is not planning to actually put in the effort to make the encryption they use compliant with this law. It's just to get at the contents of confiscated hard drives. It's just to force foreign companies to unlock phones that have been confiscated.

Oh and there are stricter punishments if you tell anyone you're complying with this. This law can be used to arrest Linus Torvalds until he backdoors encrypted loop devices, and threaten him with decades in prison if he tells anyone he's done that.

And can I just say? If this law was put, properly explained, to the people of the UK, there's no way it would get 50% of the vote.


>> Of course: it's not a monolithic entity. It's a composite of different parts that have different goals and interests.

> And yet if I steal your money and refuse to give it back, or let you steal it back, you'll call that hypocritical.

That's a bad analogy.

> What does the size of an entity have to do with whether this is idiotic or not?

Because it's not about the size, and I said nothing about the size. It's about it being composed of different minds, organized into different organizations, focused on different goals.

It's just not going to behave like one mind (without a lot of inefficiency, because you'd need literal central planning), because that's not the kind of thing that it is.


I suppose they don't believe certain facts engineers are telling them. With Brexit it was coined "Project Fear". Now they're being told that adding backdoors to an encrypted service almost completely erodes trust in the encryption and, as in the case with Apple here, in the vendor. However, I suppose it is very hard to find objective facts to back this. I'd guess this is why Apple chose to both completely disable encryption and inform users about the cause.

Now we're probably just waiting for a law mandating encryption of cloud data. Let's see whether Apple will actually leave the UK market altogether or introduce a backdoor.


In the US, the NSA has always had both missions (protect our country’s data and expose every other country’s data). Since everyone uses the same technology nowadays, that’s a rather hard set of missions to reconcile, and sometimes it looks a little ridiculous. As of fairly recently, they have a special committee that decides how to resolve that conflict for discovered exploits.


Correct me if I'm wrong here, and maybe this is too charged for HN, but looking over at you guys from the US:

The US has problems (don't get me wrong, look at our politics, enough said); but the UK seems to be speedrunning a collapse. The NHS having patients dying in hallways; Rotherham back in the popular mind; a bad economy even by EU standards; a massive talent exodus (as documented even on HN regarding hardware engineers); a military in the news for being too run down to even help Ukraine; and most relevant to this story - the government increasingly acting in every way like it is extremely paranoid of the citizens.

Any personal thoughts?


There's a lethargy, but it's hardly speedrunning. Things will be the same or slightly worse in a decade. I'm not sure I can say the same for the US, it seems different this time.

> The NHS having patients dying in hallways

Sadly routine in winter. Nobody wants to spend the money to fix this. Well, the public want the money spent, but they do not want it raised in taxes.

> Rotherham back in the popular mind

The original events were between 1997 and 2013. The reason they're back in the mind is the newspapers want to keep them there to maintain islamophobia. Other incidents (more recently Glasgow grooming gangs) aren't used for that purpose.

> a bad economy even by EU standards

Average by EU standards. But stagnant, yes.

> the government increasingly acting in every way like it is extremely paranoid of the citizens.

They've been like this my entire life. Arguably it was a bit worse until the IRA ceasefire. Certainly the security services have been pushing anti-encryption for at least three decades.


Yes - that is my impression as well as someone currently living in London. Literally every single system that I have to interact with seems to be somewhere on the spectrum between barely functioning and complete dysfunctionality, with very few exceptions that come to mind. By system in this context I mean every institution, service provider, company, business... everything. Couple that with low salaries across the board - including the "high paying tech jobs in London" - with price increases that are out of control with no reason to believe this is ever going to stop, and you end up with a standard of living significantly lower than, let's say for example, the EU countries of Eastern Europe. Currently trying to figure out where to go next.


Well Albanians apparently want to live in Norwich, leading to a bizarre anti-propaganda campaign with bleak black-and-white photography to convince them it's horrible.

https://www.bbc.com/news/articles/c99n0x4r17mo

Probably your money would go further in Albania, and they've got a cool flag, but the devil's in the details.


I was referring to EU [European Union] countries. Albania is not in the EU so I am not sure what the point of your comment was besides trolling.


It isn't? Huh, you're right, a lot of the Balkans aren't, I did not know that.

I don't think anywhere in the EU really describes itself as Eastern Europe, though. That's Ukraine, Belarus, Moldova. So really just Romania, sometimes.


Literally quite a significant number of EU countries describe themselves as Eastern European, what you said is factually wrong. At this point I am considering your replies as either trolling or interacting in bad faith.


Can't I just be incorrect?

For my education, which countries?


I'm an immigrant to the UK. I have lived here permanently for 21 successive years, though I was actually in and out of the UK for years before that. My current anecdotal feeling about the UK is at a pretty low point.

If it was an option, I would seriously look to emigrate again, but I honestly don't know where. The most appealing option for me is Australia, but my age works against me. I know everywhere has its issues, but I'm just so worn down by the horrible adversarial political system and gutter press in the UK right now. We seem unable to do anything of note recently. A train line connecting not very much of the UK has cost so much money, and in the end it hasn't even joined up the important part.

I don't know, life is good at a local level. I am privileged and live in a fantastically beautiful town, and life here is safe and friendly. If I ignored everything else for a while it would probably do me good.


Australia is hardly any better. E.g. it forces software engineers to try to sneak backdoors into the software they're working on.

Imagine hiring someone you didn't know had an Australian dual citizenship and two years later all your customers' data is leaked onto the net.


Australian law explicitly prohibits requests that have someone "implement or build a systemic weakness, or a systemic vulnerability, into a form of electronic protection" - including any request to "implement or build a new decryption capability", anything which would "render systematic methods of authentication or encryption less effective", anything aimed at one person but could "jeopardise the security or any information held by another person", anything which "creates a material risk that otherwise secure information can be accessed by an unauthorised third party".

This UK request as reported would not be legal in Australia.


Since 2018:

> Technical Capability Notices (TCNs): TCNs are orders that require a company to build new capabilities that assist law enforcement agencies in accessing encrypted data. The Attorney-General must approve a TCN by confirming it is reasonable, proportionate, practical, and technically feasible.

> It’s that final one that’s the real problem. The Australian government can force tech companies to build backdoors into their systems.

https://www.schneier.com/blog/archives/2024/09/australia-thr...


Yes. Since the 'Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018' which I was directly quoting from, and explicitly prohibits systemic backdoors.

That blog's own reference points this out:

> Regular use of encryption as electronic protection, such as online banking or shopping, is not of primary concern in the Act. To reinforce this, the Act includes safeguards between government and industry, such as restricting backdoors and decryption capabilities, preventing the creation of systemic weaknesses, and accessing communication without proper jurisdiction, warrants, or authorisations.

So I can only assume that the author is either too lazy to bother reading their own reference in full (let alone researching the topic of their blog), or is being knowingly dishonest.


Like most immigrants you were sold a lie. Enjoy.


Sorry? The UK has been an amazing place for me. It still is, when I focus locally, instead of being swept up by everything else.

Are you also an immigrant to the UK? I suggest you embrace it.


Seems like the US is trying to catch up, especially with the whole talent exodus thing and defunding of vital research funding.


Many people think like you. Western Europe in general has been destroyed by a certain ideology, and whoever can emigrate does emigrate.


That's because GCHQ knows they can kill if you refuse to decrypt so they have no problem suggesting it to you.


I mean, this is no different than one part of the government suggesting running laundry at night to reduce the environmental impact of energy use, while another suggests only running it while awake to reduce fire hazard. Governments and corporations rarely have complete internal alignment.



