UK Threatens End-to-End Encryption

In an open letter, seven secure messaging apps—including Signal and WhatsApp—point out that the UK’s Online Safety Bill could destroy end-to-end encryption:

As currently drafted, the Bill could break end-to-end encryption, opening the door to routine, general and indiscriminate surveillance of personal messages of friends, family members, employees, executives, journalists, human rights activists and even politicians themselves, which would fundamentally undermine everyone’s ability to communicate securely.

The Bill provides no explicit protection for encryption, and if implemented as written, could empower OFCOM to try to force the proactive scanning of private messages on end-to-end encrypted communication services—nullifying the purpose of end-to-end encryption as a result and compromising the privacy of all users.

In short, the Bill poses an unprecedented threat to the privacy, safety and security of every UK citizen and the people with whom they communicate around the world, while emboldening hostile governments who may seek to draft copy-cat laws.

Both Signal and WhatsApp have said that they will cease services in the UK rather than compromise the security of their users worldwide.

Posted on April 24, 2023 at 6:39 AM (41 comments)

Comments

ResearcherZero April 24, 2023 6:46 AM

“increased excessively over the last few years … largely under the guise of ensuring workplace safety and confidentiality and protecting the business”
https://www.msn.com/en-us/money/markets/employee-surveillance-is-on-the-rise-and-that-could-backfire-on-employers/ar-AA1aeCeo

The tech represents a “fundamental challenge for the future world of work in democratic societies,” Schmit said.
https://www.politico.eu/article/ai-workplace-surveillance-facial-recognition-software-gdpr-privacy/

Xavier April 24, 2023 6:50 AM

And of course, criminals won’t download and use free software that comes without that kind of proactive scanning because, since they are criminals, they follow the law.

I accept the whole “they got Capone on tax fraud” tactic, but it’s still very stupid.

finagle April 24, 2023 7:49 AM

Looking at the guidance on this bill it’s unenforceable nonsense.
I do think this is a stalking horse to attack end to end encryption, including HTTPS, and VPNs, because that is how the Digital Economy Act of 2017 ended up: passed but unenforceable. That included such nonsense as banning ISPs from allowing access to adult material unless the user registered with their ISP, and resulted in the mainstream media telling everyone how to use a VPN or to prefer websites over HTTPS. It probably did more harm to law enforcement than it did any good to them, because it helped educate the masses, not just the putative criminals. This looks like the bill intended to clean up that mess by attacking the technologies that made that Act a failure. However, like the Digital Economy Act, it reads like a wishlist that will be obsolete by the time it is enacted and will be attacked and subverted in the same way.
On top of which they specify it will be enforced by Ofcom, who are utterly useless as a regulator, being largely staffed by and run for the benefit of the telecoms sector. At present Ofcom have more to worry about, given everyone is starting to see what happens when Ofcom rubber-stamp price-fixing cartels who have built inflationary price rises into their contracts. Oops.

questioner April 24, 2023 7:56 AM

If law enforcement want to check out a specific, named person’s gmail account they get a court order and Google hands it over.

So, if law enforcement wanted to check out someone’s WhatsApp messages, what’s the technical problem with law enforcement requesting WhatsApp extract the plaintext message(s) from the recipient’s phone? There’s no need to weaken security for everyone etc. If some provision has to be made subject to legal safeguards, isn’t this an acceptable compromise?

Clive Robinson April 24, 2023 8:54 AM

@ ALL,

The proposals are “idiocy of the highest order”.

As I’ve pointed out repeatedly if people want secure end to end encryption then all they have to do is move the “privacy end point” past the “communications end point”.

The current range of user devices are designed such that the privacy end point is inside the communications end point device.

This means that an “attacker of your privacy” can end-run around your privacy end point to the plaintext interface or storage.

The solution is to take the privacy end point off of the communications end point device.

Obviously this is not as convenient for users, which should tell everyone whose privacy is being targeted.

Because after the likes of EuroChat etc. backdoored phones were pushed into the criminal fraternity, the smarter criminals will have either read this advice in a book detailing encryption in the 1970’s or earlier for diplomatic / military protection or worked it out for themselves.

But something else to consider.

You can hide private messages in public messages using “codes”.

Have people sat down and thought just how little effort would be required to turn the likes of an LLM into a “code book” to generate such messages in a way that the same message plaintext would always be different?

Yup, welcome to a new world of possibilities that legislators have not thought about…
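The architecture Clive describes above (privacy end point moved off the communications end point), as an added example that is not from the post or from any commenter: a stand-alone encrypt/decrypt tool meant to run on an offline machine. It turns a message into ASCII-armored text that you paste into whatever messenger the phone runs, and turns received armored text back into plaintext; the phone only ever relays the blob, so nothing a client-side scanner on it sees is plaintext. The 32-byte shared key is assumed to have been exchanged in person (the “root of trust” Clive raises later in the thread). The cipher itself is an illustrative encrypt-then-MAC built from hashlib/hmac so the file runs with the standard library alone; a real tool would use a vetted AEAD. The key and message are constructed.

```python
"""Offline "privacy end point": plaintext never touches the messaging device.

Illustrative encrypt-then-MAC built from the standard library only (SHA-256 in
counter mode as the keystream, HMAC-SHA256 for integrity).  In practice use a
vetted AEAD such as ChaCha20-Poly1305; the point here is the architecture: the
messenger on the phone only ever relays the armored blob.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

NONCE_LEN = 16
TAG_LEN = 32

# Constructed sample: a 32-byte secret the two parties exchanged face to face.
SHARED_KEY = hashlib.sha256(b"example pre-shared secret, exchanged in person").digest()


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from the shared secret."""
    return (hashlib.sha256(b"enc|" + key).digest(),
            hashlib.sha256(b"mac|" + key).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode: PRF(enc_key, nonce || counter), truncated."""
    blocks = (length + 31) // 32
    stream = b"".join(
        hashlib.sha256(enc_key + nonce + i.to_bytes(8, "big")).digest()
        for i in range(blocks)
    )
    return stream[:length]


def encrypt(key: bytes, plaintext: str, nonce: Optional[bytes] = None) -> str:
    """Return an ASCII-armored blob that is safe to paste into any messenger."""
    if len(key) != 32:
        raise ValueError("key must be 32 bytes")
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    data = plaintext.encode("utf-8")
    body = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    # MAC covers nonce and ciphertext; the tag is checked before any decryption.
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return base64.b64encode(nonce + body + tag).decode("ascii")


def decrypt(key: bytes, armored: str) -> str:
    """Verify the MAC first, only then decrypt.  Raises ValueError on tampering."""
    if len(key) != 32:
        raise ValueError("key must be 32 bytes")
    enc_key, mac_key = _subkeys(key)
    blob = base64.b64decode(armored, validate=True)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: blob was modified or key is wrong")
    data = bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))
    return data.decode("utf-8")


if __name__ == "__main__":
    msg = "meet at the usual place, 7pm"
    blob = encrypt(SHARED_KEY, msg)
    print("what the phone relays:", blob)
    print("recovered offline    :", decrypt(SHARED_KEY, blob))
```

Run it on the offline machine, copy the printed blob into the messenger by hand (or a QR code), and do the reverse on receipt. The fresh nonce makes identical messages produce different blobs, and any change to the relayed text, including by a “helpful” client update, is rejected before decryption.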

R April 24, 2023 9:07 AM

If the government gets a backdoor, I will also get that backdoor or will have to make one for myself.

Winter April 24, 2023 9:21 AM

In short, the Bill poses an unprecedented threat to the privacy, safety and security of every UK citizen and the people with whom they communicate around the world, while emboldening hostile governments who may seek to draft copy-cat laws.

I always compare it to banning the use of locks and safes unless a master key is deposited at the police station. Meanwhile, the police are not committed, or even required, to prevent burglaries or attacks of people in their own homes as securing homes is an obligation of the inhabitant.

In short, privacy and security are considered luxuries that can be removed at the discretion of the police or dept of justice.

Note that the Met police has been officially found to be institutionally racist, misogynistic and homophobic:
https://www.theguardian.com/uk-news/2023/mar/21/metropolitan-police-institutionally-racist-misogynistic-homophobic-louise-casey-report

And these people must protect women and children against abuse?

Clive Robinson April 24, 2023 9:35 AM

@ Bruce,

Without wishing to derail this thread, you need to look at the powers the “World Health Organisation” (WHO), an agency of the UN based in Geneva with diplomatic immunity for its staff, is asking for in the way of two “power grabs” under the proposed “Pandemic treaty”.

Basically, from what has been said about the Intergovernmental Negotiating Body’s fourth meeting at the beginning of March, they want every UN member country to put the WHO as a supranational agency by law, and give the WHO the right to dictate by law quite a number of things. Including, but by no means limited to,

1, Control of individuals’ movements.
2, Central DB of every individual with full biometrics and medical records and location at all times.
3, Full control over what can be published with regards disease and health care.
4, Not complying with WHO requirements to have significant criminal sanctions.

As many will know the WHO is no longer really funded by Nations but around 85% of its income comes from Corporates with “vested interests” that they obviously would like to see favoured if not 100% promoted.

Increasing numbers are seeing not just the privacy invading, and surveillance issues but also the censorship and propaganda issues of what’s being asked for.

And importantly how such treaty enforced legislation can and almost certainly will cause significant human rights issues.

Winter April 24, 2023 9:37 AM

@questioner

So, if law enforcement wanted to check out someone’s WhatsApp messages, what’s the technical problem with law enforcement requesting WhatsApp extract the plaintext message(s) from the recipient’s phone?

End-to-End encryption means that the intermediate provider, eg, Whatsapp, cannot read the message. That provider also has no access to the phone itself.

What can be done is that End-to-End encryption can be broken for a specific user and all future messages can be read. That has been done to Signal, for instance. But this requires the police to know whom to spy on and to make that demand specific. And it does not work for past messages.

If you want to spy on everyone at random [1], that is not a feasible procedure. Hence the demand to be able to spy on everyone at random.

[1] The biggest enemies of the state are journalists and their informers. These spy laws are targeting them.

Clive Robinson April 24, 2023 9:44 AM

@ Winter, ALL,

Re : UK Police mandated actions.

“And these people must protect women and children against abuse?”

Not at all…

A few years back there were riots, especially in Croydon in South East London.

From various things that did and did not happen, various things came out.

Amongst which was the interesting fact that the only thing Police are required to do is “Keep the King’s Peace”. Everything else is effectively discretionary…

So I guess the answer to your question is,

“Not if they don’t want to.”

Winter April 24, 2023 10:00 AM

@Clive

Amongst which was the interesting fact that the only thing Police are required to do is “Keep the King’s Peace”. Everything else is effectively discretionary…

My remark was not entirely rhetorical. The guide to the bill especially says right at the top:
The Online Safety Bill is a new set of laws to protect children and adults online.

Note that the guide does not speak about harmful content, but only of illegal content. I suspect that the harm for which children and adults must be protected is supposed to come from pirated movies and music.

However, it is clear from the text of the guide that the protection is outsourced to everyone but Law Enforcement.

Deloris April 24, 2023 10:45 AM

questioner,

Re: “what’s the technical problem with law enforcement requesting WhatsApp extract the plaintext message(s) from the recipients phone?”

From the point of view of WhatsApp and its users, nothing. WhatsApp will tell the police they have no access to do that, and that’ll be the end of it.

But that’s not really what we’re talking about. The politicians want to force WhatsApp to rearchitect its system so they’ll be able to extract those messages; and it’s gonna be a legally enforceable demand, not a mere request. Winter wrote “That provider also has no access to the phone itself”, but of course that doesn’t have to be true. The technical problem is that such “safety bills” require insecure system designs. Like, the provider has all the keys (which could leak as did all of Equifax’s data) or has some backdoor protocol by which they can siphon it, and the messages, off every user’s phone (which would be even more dangerous if compromised).

This point from the open letter is, at least, badly worded: “The Bill … could empower OFCOM to try to force the proactive scanning of private messages on end-to-end encrypted communication services – nullifying the purpose of end-to-end encryption as a result and compromising the privacy of all users.”

The bill wouldn’t nullify the purpose, but would vindicate it. Allowing such scanning would nullify it. But OFCOM merely “trying to force the […] scanning” would be futile given proper end-to-end encryption, and is a great justification for such encryption. Of course, countries that pass laws like this could become irrelevant to app developers, and maybe in the future we’ll know that all the best stuff is made in the Cayman Islands. Or maybe not; the infamous surveillance-friendly rearchitecture of Skype didn’t seem to harm the service’s popularity.

tfb April 24, 2023 10:52 AM

I do wonder how hard it would be for a messaging app, in conjunction perhaps with Apple / Google, to come up with some kind of architecture which supported third-party plugins. These would not be general-purpose programs and so would not be able to skirt around app-store things: they’d just be able to turn text into other text on the way in and out of the app, and probably store some limited amount of configurational data. They would have no network access of their own. They could be used for, I don’t know, writing a program which converted your messages into pig-latin in an amusing way, or something like that.

Nobody could complain that such an app was doing end-to-end encryption, because it would not be doing so. It would just be, you know, supporting plugins.

Of course this is very much like how JS should be in browsers (and might even be), so you could just use a browser probably.

Pieter Janssens April 24, 2023 11:10 AM

Looking at the guidance on this bill it’s unenforceable nonsense.

I’m afraid these people have become very good at making our lives miserable with unenforceable nonsense. This time an international consensus is growing (same laws in EU, maybe even US) and the chances are high we’ll have to deal with this in the unforeseeable future.

@Winter, that’s quite the statement you’re making there, do you have a link to future-decryptable Signal messages (upon subpoena I suppose)?

gord April 24, 2023 11:22 AM

@Winter

“What can be done is that End-to-End encryption can be broken for a specific user and all future messages can be read. That has been done to Signal, for instance.”

That is quite an allegation, which is hard to believe. Do you have proof?

John Tillotson April 24, 2023 11:24 AM

There are multiple implementations of PGP available, which are all free and secure. As long as these exist then no “law” requiring that PGP-encrypted messages can be intercepted and read surreptitiously will be enforceable. Also, anyone can use a one-time pad to secure their messages.

The outcome of this law is simply that “when encryption is outlawed, only outlaws will have encryption”.

Winter April 24, 2023 12:19 PM

@gord

That is quite an allegation, which is hard to believe. Do you have proof?

Sorry, my bad, I mixed things up. That was not Signal, but ProtonMail:
‘https://www.zdnet.com/article/protonmail-ceo-says-services-must-comply-with-laws-unless-based-15-miles-offshore/

Signal got a search warrant, but could supply little information and no messages or IP addresses:
https://www.zdnet.com/article/signal-unveils-how-far-us-law-enforcement-will-go-to-get-information-about-people/

In response to the search warrant, Signal provided law enforcement authorities with timestamps regarding the account specified in the search warrant. The timestamps showed the dates that the account last connected to Signal.

Signal said in a blog post that, by default, it does not collect the requested information from users.

Q April 24, 2023 2:10 PM

There needs to be a shift away from the tyranny of using closed source apps through a single forwarding service (Whatsapp, Messenger, etc.). All these services absolutely do have access to the device and all messages. They encrypt the plaintext for the user, so they obviously do see the plaintext. It would be trivial to target someone and tell their client app to update itself to a new version, as happens regularly for everyone now, but they get a “special” version that, in addition to functioning normally, sends the plaintext to another party. They’d get the illusion of protection, when in reality all their messages are compromised.

Encryption is necessary, but is not enough on its own. There also needs to be assurance that it is only encrypting for the intended recipients, and no one else. And that the client app isn’t examining the plaintext and tattling on the user.

The decision shouldn’t be up to Whatsapp, or any external party, about whether they get to prevent people using encryption. If the user chooses to use it then it should be solely the user’s decision. Let Ofcom chase 50 million individuals if they want to make a fuss. If Ofcom want to see my private messages they will have to ask me. I don’t trust Whatsapp to make that decision for me.
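Q’s two requirements above (the client encrypts only for the intended recipients, and there is some way to tell when it did otherwise), as an added example that is not code from the post, from any commenter or from any messenger. It is a toy multi-recipient envelope: a fresh content key is wrapped for each recipient, and each recipient gets its own MAC over the exact recipient list. An honest sender refuses non-members; a receiver whose app shows the authenticated list can see an extra reader (the “ghost” pattern) even when the sender’s client was the one coerced; and a relay that strips the ghost entry before delivery breaks the MAC. Pairwise pre-shared secrets stand in for real key agreement, the pad-based encryption is illustrative, and the names, secrets and the “ghost” entry are constructed.

```python
"""Recipient-list transparency for a multi-recipient end-to-end message.

A fresh content key is wrapped for every recipient under a pairwise pre-shared
secret, and every recipient gets its own MAC over (nonce, recipient list,
ciphertext) under that same pairwise secret.  Standard library only; the
pairwise secrets stand in for real key agreement and the SHA-256 pad stands in
for a real cipher.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample: the secrets Alice's client holds for each contact.  A
# coerced build could quietly carry an extra entry for a "ghost" reader.
ALICE_SECRETS: Dict[str, bytes] = {
    "bob": hashlib.sha256(b"alice-bob pre-shared secret").digest(),
    "carol": hashlib.sha256(b"alice-carol pre-shared secret").digest(),
    "ghost": hashlib.sha256(b"alice-ghost secret").digest(),
}


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _pad(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 counter-mode pad of the requested length (illustrative cipher)."""
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range((length + 31) // 32))[:length]


def _recipient_tag(secret: bytes, nonce: bytes, recipients, ciphertext: bytes) -> bytes:
    """Per-recipient MAC that binds the exact recipient set to this message."""
    listing = ",".join(sorted(recipients)).encode("utf-8")
    return hmac.new(secret, nonce + listing + b"|" + ciphertext, hashlib.sha256).digest()


def build_envelope(secrets: Dict[str, bytes], members: List[str], recipients: List[str],
                   plaintext: str, nonce: Optional[bytes] = None) -> dict:
    """Sender side: refuse any recipient who is not a member of the conversation."""
    extra = sorted(set(recipients) - set(members))
    if extra:
        raise ValueError("refusing to encrypt for non-members: %s" % extra)
    nonce = os.urandom(16) if nonce is None else nonce
    content_key = os.urandom(32)
    data = plaintext.encode("utf-8")
    ciphertext = _xor(data, _pad(content_key, nonce, len(data)))
    per_recipient = {}
    for r in recipients:
        wrap_pad = hashlib.sha256(b"wrap|" + secrets[r] + nonce).digest()
        per_recipient[r] = {
            "wrapped_key": _xor(content_key, wrap_pad),
            "tag": _recipient_tag(secrets[r], nonce, recipients, ciphertext),
        }
    return {"nonce": nonce, "ciphertext": ciphertext, "recipients": per_recipient}


def open_envelope(me: str, my_secret: bytes, expected_members: List[str], env: dict) -> str:
    """Receiver side: authenticate the recipient list, check for ghosts, then decrypt.

    expected_members is the conversation membership the receiver's own app
    knows (recipients only; the sender is not wrapped to itself here)."""
    listed = list(env["recipients"])
    entry = env["recipients"][me]
    want = _recipient_tag(my_secret, env["nonce"], listed, env["ciphertext"])
    if not hmac.compare_digest(want, entry["tag"]):
        raise ValueError("recipient list or ciphertext altered in transit")
    ghosts = sorted(set(listed) - set(expected_members))
    if ghosts:
        raise ValueError("unexpected recipients (ghosts): %s" % ghosts)
    wrap_pad = hashlib.sha256(b"wrap|" + my_secret + env["nonce"]).digest()
    content_key = _xor(entry["wrapped_key"], wrap_pad)
    ct = env["ciphertext"]
    return _xor(ct, _pad(content_key, env["nonce"], len(ct))).decode("utf-8")


def drop_recipient(env: dict, name: str) -> dict:
    """What a relaying server could try: hide one entry before delivery."""
    kept = {k: v for k, v in env["recipients"].items() if k != name}
    return {**env, "recipients": kept}


if __name__ == "__main__":
    members = ["bob", "carol"]
    env = build_envelope(ALICE_SECRETS, members, members, "hello group")
    print(open_envelope("bob", ALICE_SECRETS["bob"], members, env))
```

The limit is the one Q states: the checks only help if the client that runs them is honest, so the membership list has to be visible to the user and the client code has to be inspectable. A coerced client that both adds the ghost and hides the list from the screen defeats this, which is why the MAC is per recipient rather than under the content key: a ghost who holds the content key could otherwise recompute the tag over a list with itself removed.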

JonKnowsNothing April 24, 2023 2:27 PM

@gord, @Winter, All

re: Hidden Laws and Hidden Enforcement of Hidden Laws

iirc(badly) The USA has a number of secret laws and secret enforcement of these laws. There have been a few cases that became public where these laws were applied.

There was a USA email provider (now defunct) who received a letter-warrant which required the CEO to not divulge to anyone the contents or the restriction being imposed by the US Government. He could not even tell a lawyer that he had been served such a demand warrant. The CEO was required to make substantial changes to the email server so as to Un-Lock the Encryption for the entire server. Additionally the US Government chose to hold the case in a court in a distant state, so the provider had to travel to that state and find a lawyer there, that the US Gov would permit, to represent him.

A different case in Australia recently revealed such secrecy that the person could not even tell their mother. Australia Witness J secret sentencing document released.

  • The sentencing remarks [2019], released on Wednesday [April 19, 2023], reveal that [Witness J] was not allowed to tell anyone other than his brother and uncle that he was in custody, not even his own mother

These sorts of laws are very popular in “countries with democracies”. Australia and the UK have a new twist: using Counter Terrorism Laws that include charges for Not Giving Up Your Passwords to Devices.

  • UK section 7 of the Terrorism Act of 2000: Ernest Moret, 28, a foreign rights manager for Éditions la Fabrique, was approached by two plainclothes officers at [a train] station on Monday evening after arriving by train from Paris to attend the London book fair. … [A lawyer called] to confirm that Moret had been arrested over his refusal to tell police the passcodes to his confiscated phone and laptop.
  • AU Counter Terrorism Law: Joana Veronika Partyka, 37, pleaded not guilty on Monday in the Perth magistrates court to one count of failing to obey a data access order after she declined to cooperate with authorities. … Partyka was ordered to provide access to the electronic devices by early March, which she declined to do.

lurker April 24, 2023 3:02 PM

“… more than 15 miles from land”

Sounds like a use case for the MV Judgement Day.

critical April 24, 2023 3:05 PM

Without wishing to derail this thread

but doing it anyway,

you need to look at the powers the “World Health Organisation”(WHO) an agency of the UN based in Geneva with diplomatic immunity for it’s staff are asking for in the way of two “power grabs” under the proposed “Pandemic treaty”.

Before falling for this populist conspiracy theory narrative, you could first read the first draft of this proposed treaty:

‘https://apps.who.int/gb/inb/pdf_files/inb4/A_INB4_3-en.pdf

and form your own opinion.

iAPX April 24, 2023 5:56 PM

Due to my personal experience in different countries with their organizations (sic), I decided to never use end-to-end encrypted messaging service.

I use those of Apple, integrated into their Message App (on both mac, iPhone, iPad, etc.) but it is in no way real end-to-end encryption as your iCloud account credentials that you have to enter when THEY need it is enough for Apple or a 3-letter Org to have access to all your messages, with the ability at this point to add a hidden virtual client.
The first point is obvious if you have ever set a Mac, iPhone, iPad, etc.
The last point has been exposed through a bug, years ago.

As Clive stated,

…if people want secure end to end encryption then all they have to do is move the “privacy end point” past the “communications end point”.

With what we all know about our modern smart devices, they could definitely not serve as the encryption/decryption point.
There are still possibilities to create encrypted and mutually authenticated communication channels, but it’s clearly not that easy.

iAPX April 24, 2023 6:04 PM

To be clear, it’s the mutual strong authentication that is a real world problem, including with people that you haven’t met (and even so…), not the encryption part, which is more or less settled.

Mutual authentication is a problem, and today with AI impersonation technologies, I don’t see how it is possible to create a secure channel to someone else who is not in front of me.

just dont call it steg* April 24, 2023 7:36 PM

start assembling and disseminating undetectable steg kits and auto-reproducing steg kits to as many recipients as possible,

…assuring a future.*

Clive Robinson April 24, 2023 8:03 PM

@ iAPX, ALL,

Re : Establishing Trust.

“Mutual authentication is a problem, and today with AI impersonification technologies, I don’t see how it is possible to create a secure channel to someone else that is not in front of me.”

The only way to start the process is by the first and second parties establishing a “Root of Trust” that,

1, Is shared by only the 1st&2nd parties.
2, Not known by any other parties.
3, Not guessable, calculable, or obtained by some defect by any other party.

Rules one and two these days in effect require a secure side channel for the secret to be shared. Which effectively needs that private face to face meeting of “in front of me”.

Why is this the case? Well the simple fact is other methods we currently use are based on the assumption of a “One Way Function”(OWF) that also has a secret short cut or “trapdoor”. Nobody has actually proved that such functions can exist and be secure. Worse it’s now assumed that the current functions will fail when “Quantum Cryptography”(QC) becomes practical.

Currently we don’t know if QC ever will become practical it may not to the scale required. However a cautious person would not take the risk, thus seek alternative methods, that so far have also proved problematic.

As some know the Chinese Government have decided that mathematical theorems are just one way to go and to investigate other methods that rely on the laws of physics as we currently understand them to get a level of secrecy equivalent to a “One Time Pad” (OTP) using quantum methods. Proved functional back in 1984, “Quantum Key Distribution” (QKD) has slowly been overcoming its inherent issues. The Chinese government have put into space on a satellite in LEO one part of a QKD system.

But these systems including in person face to face exchange does not solve all the problems in rule 3 of,

1, Not guessable.
2, Not calcuable.
3, No vulnerabilities.

It has been argued in the past that a shared secret needs to be at least 128 bits in size to be non guessable in a reasonable period of time. Others disagree and argue for twice that number of bits.

However some now consider 16384bits to be required for certain key sizes with some “Post Quantum Computing”(PQC) algorithms needing key sizes so large, they are bigger than the ASCII equivalent of a paperback book…

But… there is a problem I’ve mentioned before, which is,

“How do you generate such large numbers of bits without there being some form of vulnerability?”

The simple answer is “We don’t know”, because all physical processes have “bias” or “non random signals present” and other defects. We used to talk of “flipping fair coins”, then some people came up with a way to make the flipping of even a fair coin fairly deterministic. Other attacks have been found on other supposedly “fair” systems. We know the NSA have taken advantage of “random number generator systems”, at least two that were Pseudo-Random but assumed to be “Cryptographically Secure” (CS), and a large number of allegedly “True Random Generators”, because the level of entropy was woefully inadequate when used to generate “Roots of Trust” for PubKey Certs etc.

Worse the generation of PubKey certs can be “backdoored” in ways that can not be spotted by examining the P&Q primes or their multiple. Something Adam Young and Moti Yung worked out how to do decades ago… and others like Niels Ferguson have come up with other methods.

Thus the question arises of,

“Can we trust our roots of trust?”

To which the honest reply is,

“Unless you can carefully and knowledgeably control every step in the process you can not.”

The problem of course is “can you ever know enough?”.
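The question Clive asks above (how do you know the bits behind a root of trust are not biased or defective) has a partial, checkable answer for the gross cases, and the following is an added example of it, not code from the post or from any commenter. The min-entropy figure follows the most-common-value estimator in NIST SP 800-90B and the second statistic is a plain bit-balance test. Run over three constructed sources it flags a generator with a stuck bit, passes a SHA-256 counter stream, and also passes the low byte of a 32-bit LCG, which is trivially predictable. That last result is the caveat that matters for the backdoored generators Clive mentions: statistical tests see distribution, not predictability, so they cannot catch a CSPRNG that is deliberately weakened while producing uniform output. The seeds and sample sizes are constructed.

```python
"""Gross-bias check on a random source.

min_entropy_per_byte() is the most-common-value estimator of NIST SP 800-90B;
ones_fraction() is a plain frequency test.  Both catch a source that is
structurally weak (stuck bits, very small state).  Neither can see a
backdoored or merely predictable generator whose output is statistically
uniform.  All sample sources below are constructed for the demonstration.
"""
import hashlib
import math
from collections import Counter
from typing import Dict


def min_entropy_per_byte(sample: bytes) -> float:
    """-log2(frequency of the most frequent byte).  Biased low for small
    samples: use at least a few tens of KiB before reading the number."""
    if not sample:
        raise ValueError("empty sample")
    top_count = Counter(sample).most_common(1)[0][1]
    return -math.log2(top_count / len(sample))


def ones_fraction(sample: bytes) -> float:
    """Share of set bits; an unbiased byte source sits at 0.5."""
    if not sample:
        raise ValueError("empty sample")
    return sum(bin(b).count("1") for b in sample) / (8 * len(sample))


def assess(sample: bytes, min_bits: float = 7.4, max_skew: float = 0.02) -> Dict[str, object]:
    """Pass/fail summary together with the two statistics behind it.
    Thresholds are set for samples of about 64 KiB."""
    h = min_entropy_per_byte(sample)
    p = ones_fraction(sample)
    return {"min_entropy": h, "ones_fraction": p,
            "acceptable": h >= min_bits and abs(p - 0.5) <= max_skew}


def hashed_stream(seed: bytes, length: int) -> bytes:
    """Healthy-looking source: SHA-256 in counter mode over a fixed seed."""
    return b"".join(hashlib.sha256(seed + i.to_bytes(8, "big")).digest()
                    for i in range((length + 31) // 32))[:length]


def stuck_bit_stream(seed: bytes, length: int) -> bytes:
    """Defective source: the top bit of every byte is stuck at zero."""
    return bytes(b & 0x7F for b in hashed_stream(seed, length))


def lcg_low_byte_stream(seed: int, length: int) -> bytes:
    """Predictable source: low byte of a 32-bit LCG.  The low byte of a
    full-period power-of-two LCG cycles through all 256 values with period
    256, so its statistics are perfect while the next output is trivial."""
    x, out = seed & 0xFFFFFFFF, bytearray()
    for _ in range(length):
        x = (1664525 * x + 1013904223) & 0xFFFFFFFF
        out.append(x & 0xFF)
    return bytes(out)


if __name__ == "__main__":
    n = 65536
    for name, src in [("sha256-ctr", hashed_stream(b"constructed seed", n)),
                      ("stuck-bit", stuck_bit_stream(b"constructed seed", n)),
                      ("lcg-low-byte", lcg_low_byte_stream(12345, n))]:
        print(name, assess(src))
```

The honest use of a check like this is as a health test on a hardware source (catching a dead diode or a stuck bit before it feeds a key), not as evidence that a generator is trustworthy; for that you need the design, the seeding path and the implementation in front of you.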

Clive Robinson April 24, 2023 8:13 PM

@ just dont call it steg, ALL,

“start assembling and disseminating undetectable steg kits”

Do you know how to make an “undetectable steg kit”?

It’s not as easy as you might think. In fact some even think it’s impossible to do with what they see as good reason.

Clive Robinson April 24, 2023 8:50 PM

@ critical,

Re : Proverbial bad faith penny.

“but doing it anyway,”

And you are just making things worse, yet again under your sock-puppet handle.

It’s fairly clear that you have an agenda, that is nothing whatsoever to do with the subjects relating to this blog, but a personal embitterment. You do not comment constructively, as witnessed by your past posts that are still visible. In fact you only comment in response, and in an ad hominem form, which you’ve been told before is bad debating form.

As for your handle, it’s clear you do not have anything approaching “critical reasoning” abilities, and people really should start to wonder who does your homework for you.

After all,

“Before falling for this populist conspiracy theory narrative, you could first read the first draft…”

You can’t even get that right can you?

Politico released a leak of a much more interesting version, that’s something like twice the size,

Politico4April2023.pdf

Cyber Hodza April 25, 2023 2:32 AM

What is confusing about this insistence on breaking the end-to end encryption is that most of the governments (including British one) have the ability to break this kind of encryption as they control the underlying hardware infrastructure as well as most if not all of the root certificates used as the underlying mechanisms the end-to-end encryption relies on?

FA April 25, 2023 4:56 AM

@Clive

Politico released a leak of a much more interesting version, that’s something like twice the size

Can you provide a working link ?

SJ April 25, 2023 5:28 AM

Not sure why anyone is exercised by this. It’s performative nonsense from a clapped out, corrupt, incompetent and borderline fascist govt that will shortly be resoundingly booted from office.

The UK is pretty much a failed state at the moment and is overdue for some serious reforms: a written constitution, proportional representation, abolition or serious reform of the house of lords, federation of the nations currently subjected to English majoritarian diktat.

See e.g.

https://www.spiegel.de/international/europe/britain-in-crisis-the-uk-faces-a-steep-climb-out-of-a-deep-hole-a-6b61dc6f-e33f-46f3-bd27-743364dd675c

The authoritarian fantasies of the far right in the UK are going nowhere. If legislated for — and this is unlikely* — they will be repealed after the next election.

*various threats to break international law and violate human rights have already been abandoned, along with threats to undercut the EU on taxation and scrap all legislation jointly agreed with the EU in the last 40+ years.

Clive Robinson April 25, 2023 6:57 AM

@ FA, ALL,

Re : Automod issues.

“Can you provide a working link ?”

You might have noticed I had automod issues the other day that may have been related to the inclusion of just one or two links.

Therefore I’m trying to provide an alternative via giving sufficient information to use even with Duckduckgo / Bing.

The file name is unique as far as I can tell –via Bing– and the inclusion of “politico” and “zero draft”[1] should be sufficient to find one or more articles that link to it on the likes of “keionline” on their page about “Media coverage of the WHO pandemic treaty negotiations” on their site in the “org” domain.

[1] Contrary to what someone claimed above, it’s not yet at the “First Draft” stage, hence “zero draft”. There are a lot of nations agitating to change things, the EU especially has come in for a raised eyebrow, and in a rare sign of collective desires both Russia and the US want the NSA’s and NGO’s locked out of the process even as spectators (a sure sign that no good is intended, much like those oh so super secret trade deals the Obama administration tried to push down everyone’s throats with the really nasty dispute resolution process only US Corporates were invited in to propose etc).

iAPX April 25, 2023 9:05 AM

@Clive

The only way to start the process is by the first and second parties establishing a “Root of Trust” that,

1, Is shared by only the 1st&2nd parties.
2, Not known by any other parties.
3, Not guessable, calculable, or obtained by some defect by any other party.

Rules one and two these days in effect require a secure side channel for the secret to be shared. Which effectively needs that private face to face meeting of “in front of me”.

Essentially, we need a secure and mutually authenticated channel with another party (whatever it is) to create a secure and mutually authenticated channel.
“Root of trust” being part of that.
And there is no “root of trust”; that doesn’t exist except in fairy tales.

There is a problem here, as fundamentally it seems impossible to create a secure communication channel with someone you don’t meet face-to-face to create it.

ResearcherZero April 26, 2023 4:08 AM

“The Digital Markets Act ruled that users on different platforms should be able to exchange messages with each other. This opens up a real Pandora’s box. How will the networks manage keys, authenticate users, and moderate content? How much metadata will have to be shared, and how?”
https://arxiv.org/abs/2303.14178.pdf

With the new “countryd” system, Apple will be able to easily determine if the device is being used in an EU country to allow sideloading. Apple IDs are essentially country locked.

…designed to set restrictions determined by government regulators, “countryd” was silently added with iOS 16.2, but is not being actively used for anything so far. It combines multiple data such as current GPS location, country code from the Wi-Fi router, and information obtained from the SIM card to determine the country the user is in.
https://9to5mac.com/2023/04/25/ios-16-restrict-features-based-on-location/

“None of these prototypes comes close to meeting reasonable requirements for efficacy and privacy.”
https://www.rephrain.ac.uk/safety-tech-challenge-fund/

https://multimedia.europarl.europa.eu/en/webstreaming/press-conference-by-andreas-schwab-rapporteur-on-digital-markets-act-dma-results-of-trilogue_20220325-1000-SPECIAL-PRESSER

Australia April 27, 2023 12:59 AM

In Australia tyrannical legislation was introduced against encryption. This was done under the eye of the most hated man in Australian politics, the alleged prime minister Morrison.
I never noticed Bruce commenting about it, unfortunately.

Here is a good, thorough and legal assessment of the legislation

https://legalvision.com.au/encryption-laws/

Apparently the lesser known messaging product ‘Session’ doesn’t leave a trail of metadata. I’m aware that is a controversial claim.
May be of interest to some of you. I knew someone that used it specifically in response to the above legislation in Australia

Australia April 27, 2023 1:17 AM

Here are some essential tips that will be valuable to some of you one day.

If you receive a ‘notice or request’ as a provider to do something like release a new version of software with broken encryption, or modify a webpage so as to function as a phishing attempt for one of your customers. Or hand over keys, give up passwords, spill client data.
Or whatever.

  1. I’ll do that if you pay me, in advance.
  2. I’ll do that if you provide a signed indemnity form waiving all my liability.

Sound familiar? It should, because these terms are exactly like any contractor’s. Get paid for providing a service and be indemnified in the carrying out of said service.

There are two laws no authority can get around. They are laws by the way, not legislation which is only colour of law.

  1. A workman is worthy of his hire. This is a maxim of commercial law thousands of years old.
  2. Even higher than 1. are laws against slavery.
    No one can be compelled to work for free without their consent.

So the crucial factor is DON’T BE A VOLUNTEER. With covid mandates, the government relied upon people consenting and volunteering to go along with the legislation because it had no lawful basis.

On a day to day basis, police use aggression to get people to consent to comply when they quietly know they are outside the bounds of their authority but wish to compel people regardless.

So, when you consent, you are not being compelled into slavery.
You are choosing. So, don’t volunteer! Perform but only according to your Terms & Conditions.
I’ve never seen a plumber agree to fix the broken toilet for free.

Create your Notice of Terms and Conditions. Make it thorough and professional. Be as detailed as possible. These are the salient ingredients.

  1. You will cancel any implicit presumptions of contract. You already have these contracts with the authorities through your dealings over decades. But a contract needs to be equitable with informed consent, so simply state that you revoke any such contract that compels you to perform for free and with liability.
  2. You agree to any offer to contract or compel performance providing
    they pay you X amount ( make it a high amount) in advance

  3. You agree to any offer to contract or compel performance providing they issue you, in advance, a signed waiver of liability

  4. If they do not comply but continue to attempt to contract or compel performance they agree they are committing the crime of slavery

NB the higher you charge, the more you can claim. And the greater the deterrent effect. So, don’t be too reasonable with your rates.

I acknowledge Dean Clifford as the author of this concept.
He gave a first-hand anecdote of someone in court up for sentencing, having their Terms and Conditions read onto the record.
Spending time in a cell had a daily rate.
The prosecutor leapt up:
‘But, that’s a preposterous amount!’
They didn’t complain about the fact of the rate. They complained about how high it was.

Looking forward to your response Clive 🙂

Australia April 27, 2023 1:30 AM

I’m sorry. Regarding the recent legislation in Australia, I intended to comment on a particular manifestation known as the ‘hacking bill’.

But the previous link I provided did not address it.

The law is called Surveillance Amendment 2021 Identify and Disrupt.
This is what I really expected Bruce to be all over and all across, which he sadly does not appear to be.

It gives authorities full scope to do anything they like, basically!
They can take over an account. Intercept comms and impersonate.
Add, remove, delete, manipulate data on a server or target computer.
And compel anyone to assist them they deem capable, via court order.
These can also be done IN ADVANCE of any crime being committed.
So it’s like that film Minority Report, intercepting crime before it happens.

This link gives good coverage of the Surveillance Amendment ‘Identify and Disrupt’ legislation

https://www.minterellison.com/articles/how-might-the-new-identify-and-disrupt-laws-impact-you

GrimOracle April 27, 2023 4:34 PM

England is the country where thousands of under age girls have been groomed, raped and abused. What did the police do? Nothing. It went on for well over 10 years. Children being raped and abused, and the police looked away.

And this country, this pile of horse sh*t when it comes to protecting children wants to put its nose inside private communications ?

Your police, your government have shown their beyond-belief incompetence. For YEARS they let young girls get groomed and raped.

Go clean your ass, England, before trying to climb the coconut tree.

You are the worst country in the world when it comes to protecting children.

Winter April 27, 2023 5:06 PM

@GrimOracle

England is the country where thousands of under age girls have been groomed, raped and abused.

The USA is the country where
Tens Of Thousands Of Black Women Vanish Each Year.
‘https://www.npr.org/2021/09/24/1040048967/missing-black-women-girls-left-out-media-ignored

And where:
prejudice affects official search for missing Indigenous women, other women of color
‘https://www.pbs.org/newshour/show/how-prejudice-affects-official-search-for-missing-indigenous-women-other-women-of-color

ResearcherZero April 29, 2023 6:22 AM

@Australia

Pete’s bill has been previously covered on this blog. Pete also has a few other exciting bills. Though not all of them have passed, a few have…

‘https://www.smh.com.au/national/new-asio-law-one-more-step-towards-a-totalitarian-state-20200513-p54smi.html

Australian Security Intelligence Organisation Amendment Bill 2023
‘https://www.legislation.gov.au/Latest/C2023B00055

2020 version
‘https://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/bd/bd2021a/21bd009

Redacted publication of the secret trialling of Witness J
‘https://www.austlii.edu.au/cgi-bin/viewdoc/au/cases/act/ACTSC/2023/83.html

“A user who is part of a sophisticated criminal enterprise has very different behaviour on encrypted services than an ordinary user.”
‘https://www.itnews.com.au/news/meta-says-expanding-e2ee-wont-stop-child-abuse-material-detection-591155

Meta has used both in-house and off-the-shelf tools to detect the content.
‘https://www.esafety.gov.au/sites/default/files/2022-12/BOSE%20transparency%20report%20Dec%202022.pdf

Nick Levinson April 29, 2023 9:11 PM

@ALL, @John Tillotson, & @Australia:

@ALL:

The other side: National governments have a right to know the content of domestic and cross-border communications because the national governments are bound by and have rights under the norms of international law, also known as general international law, which are above treaty law. These norms forbid war unless justified and appropriately scaled, allow national self-defense including by waging war, and hold national governments responsible for the acts of their nationals and of other persons present within their jurisdictions, including acts that essentially are acts of war if such war would be unjustified or over scale. If fulfilling that responsibility requires listening in on private communications, the norms of international law require that listening. Domestic legal provisions to the contrary are therefore not law.

Consistency with domestic law, depending on the nation, could be by limiting availability of knowledge derived from that listening to officials responsible for national self-defense and for preventing their nation from starting an unjustified or overscaled war. Thus, sharing the knowledge with a private business to improve its international competitive position in commerce could be unlawful.

This law can be abused. But the risk of abuse doesn’t change the law.

@John Tillotson:

A one-time pad, although describable in 5-10 minutes, requires implementation that for high-value targets is complex and expensive, and most nations lack the resources to routinely use one-time pads for high-value use.

@Australia:

In the U.S., and I doubt Australia, which shares a common-law heritage with the U.S., is different on this point, much legislation is law, not merely “colour of law”. In the U.S., we don’t usually speak of “colour of law”, but a colorable claim is a claim that may or may not be true but, on first impression, has the appearance of truth sufficient to justify, when needed, a closer examination into its truthfulness. Statutes (legislation) are presumed to be law unless ruled otherwise (e.g., because unconstitutional or because internal wording makes it not, even purportedly, law).
