End-to-end encryption: What happens next?

Posted: May 3, 2023 | Author: | Filed under: Uncategorized | Tags: , , , | Leave a comment

The Online Safety Bill (OSB) is still winding its way through parliament. But while much of the analysis so far has been on its provisions to force social media companies to remove “harmful” content, there’s an elephant lurking in the corner of the room. Clause 110 compels not only social media firms but also messaging app providers to identify and take down child sexual exploitation and abuse (CSEA) content.

There’s one big problem here. End-to-end encryption (E2EE), which makes message content impenetrable to providers like WhatsApp. It appears as if the government might be looking at client-side scanning as a solution. Experts I spoke to for an upcoming feature are unconvinced.

What’s client-side scanning?

Put simply, this “accredited technology” would require individuals to download software to their devices. It would run locally, scanning potentially for suspicious keywords and image content that matches a CSEA database, before a message is encrypted and sent. On paper, this preserves E2EE while allowing the authorities to police child abusers. In reality, it will fail on both counts for several reasons.

  • Researchers have already worked out it could generate too many false positives to be useful, and could be hacked in other ways
  • If client-side scanning were targeted by foreign governments or cyber-criminals, it would put private data potentially at risk
  • The bosses of several big-name messaging apps say they’d rather exit the UK than comply with the OSB, which would also make UK firms and consumers less secure
  • If client-side encryption comes into force, child abusers will simply gravitate to unpoliced apps, as criminals have in the past with services like EncroChat
  • There’s a concern that the technology could be used in the future to police other content types – government mission creep

Matthew Hodgson, CEO of secure messaging app Element, argued that the new provisions directly contradict the GDPR in undermining encryption.

“It undermines privacy and security for everyone because every secure communication app which happens to have abusive users could be obligated to incorporate a third-party scanning solution, which then means every single user is at risk of that scanning solution being exploited by an attacker to break their privacy,” he told me.

“Any business depending on E2EE for privacy may find themselves at a loss, given encryption vendors would be forced to stop providing their services in the UK, as it is literally impossible to preserve privacy whilst also adding a mechanism to let third parties exfiltrate user data.”

Corelight cyber security specialist, Matt Ellison, cautioned against government putting its faith in a “magic technical solution” that doesn’t exist – adding that Apple abandoned similar plans for client-side scanning after a privacy uproar.

“Ultimately the government is proposing to significantly weaken the security of almost the entire nation, for the ability to perform a lawful intercept of an individual suspected of a crime,” he told me.

“Should all vehicles be fitted with a remote kill switch, in case you are deemed to be committing a crime in your vehicle? Should all houses have the same door key type, with authorities maintaining a master key that could get into everyone’s house to gather evidence without you knowing, again, if you are under suspicion?”

Ellison argued that smartphones are much more than just a technically advanced mobile phone.

“The reality is that they are an intimate and highly integrated aspect of our lives and mass surveillance approaches such as this are a gross invasion of privacy and civil liberties.”

What should happen?

According to Hodgson, there are plenty of ways law enforcers could hunt down child abusers.

“These include investigation/infiltration of forums where abusers recruit or advertise, or by analysing communication metadata, or by educating users within apps, and in general, to be mindful of abuse,” he added.

“Blanket surveillance which undermines the privacy of everybody is not the answer.”

Ross Anderson, who wrote a paper on this challenging the conclusions of the NCSC technical director Ian levy, agreed that old-fashioned policing techniques are the answer, rather than technology solutions which promise much but deliver little. The debate between law enforcement/government on one side and encryption specialists/tech vendors on the other has been raging for years. Throughout, the former have argued that tech wizards simply need to apply themselves more diligently to the task in order to find an answer. The latter retort that E2EE can’t be broken without undermining security for everyone.

So where does that leave us? With Labour backing the bill, it will undoubtedly become law. But what of Clause 110? If it remains unchanged, it’s unlikely the government will enforce it. The best privacy and security advocates can hope for is that its most controversial provisions are never enforced. That’s what happened with the Investigatory Powers Act – which incidentally already gives the British government theoretical powers to force tech firms to break encryption. It will probably happen again.

Advertisement

Why Theresa May’s Encryption Plans Are a Danger to Us All

Posted: July 28, 2017 | Author: | Filed under: Uncategorized | Tags: , , , , , , , , , , , | Leave a comment

houses of parliamentI realise it’s been a while since I posted something up here, so here’s an article I wrote recently for Top10VPN’s new Privacy Central site:

The UK has been unlucky enough to know terrorism for quite some time. Many will remember the IRA campaigns of the 1970s and ’80s. This was an era before smartphones and the internet, yet the Irish paramilitary group continued to wage a successful campaign of terror on the mainland.

It continued to recruit members and organise itself to good effect. Politicians of the modern era, led by Theresa May and various members of her government, would do well to remember this when they launch into yet another assault on Facebook, Google, and the technology platforms that are alleged to provide a “safe haven” for Islamic terrorists today.

Now she is calling for greater regulation of cyberspace, something the independent reviewer of terrorism legislation has openly criticised. Along with increasing moves across Europe and the world to undermine end-to-end encryption in our technology products, these are dangerously misguided policies which would make us all less safe, less secure and certainly less free.

Our “Sliding Doors” moment

Every time a terror attack hits, the government continues its war of words not simply against the perpetrators, but against the tech companies who are alleged to have provided a “safe haven” for them. After all, such rhetoric plays well with the right-wing print media, and large parts of the party.

“Safe haven” has become something of a mantra for the prime minister, alongside her other favorite; “strong and stable”. She argues that terrorists are hiding behind encrypted communications on platforms like Facebook’s WhatsApp and Apple’s iMessage, and are using social media platforms like YouTube to recruit members and distribute propaganda.

“We cannot allow this ideology the safe space it needs to breed. Yet that is precisely what the internet, and the big companies that provide internet-based services, provide,” May said after the London Bridge attacks. “We need to work with allied democratic governments to reach international agreements that regulate cyberspace to prevent the spread of extremism and terrorism planning.”

Part of the regulation May wants to bring in could include fining tech companies that don’t take down terrorist propaganda quickly enough. Max Hill QC, independent reviewer of terror legislation, has rightly questioned this hard-line approach.

“I struggle to see how it would help if our parliament were to criminalize tech company bosses who ‘don’t do enough’. How do we measure ‘enough’? What is the appropriate sanction?” he said in a speech reported by The Times.

“We do not live in China, where the internet simply goes dark for millions when government so decides. Our democratic society cannot be treated that way.”

China is an interesting parallel to draw, because in many ways it offers a glimpse into an alternative future for the UK and Europe; one in which government has total control over the internet, where freedom of speech is suppressed and privacy is a luxury no individual can claim to have.

The problem is that no one sees authoritarianism coming, because it happens slowly, drip by drip. Regulating cyberspace would begin a slow slide into the kind of dystopic future we currently know only from sci-fi films. As Margaret Atwood’s heroine Offred says in her acclaimed novel The Handmaid’s Tale: “Nothing changes instantaneously: in a gradually heating bathtub you’d be boiled to death before you knew it.”

In many ways, we sit today at a Sliding Doors moment in history. Which future would you prefer?

The problem with backdoors

End-to-end encryption in platforms like WhatsApp and on our smartphones and tablets is something Western governments are increasingly keen to undermine, as part of this clamp down. It doesn’t seem to matter that this technology keeps the communications of consumers and countless businesses safe from the prying eyes of nation states and cybercriminals – it’s also been singled out as providing, you guessed it, a “safe space” for terrorists.

The Snoopers’ Charter already includes provisions for the government to force tech providers to effectively create backdoors in their products and services, breaking the encryption that keeps our comms secure. In fact, the government is trying to sneak through these provisionswithout adequate scrutiny or debate. They were leaked to the Open Rights Group and can be found here.

It remains to be seen whether the British government could actually make this happen. An outright ban is unworkable and the affected tech companies are based almost entirely in the US. But the signs aren’t good. Even the European Commission is being strong-armed into taking a stance against encryption by politicians keen to look tough on terror in a bid to appease voters and right-wing newspaper editors. Let’s hope MEPs stand up to such calls.

The problems with undermining encryption in this way are several-fold. It would give the state far too much power to pry into our personal lives, something the UK authorities can already do thanks to the Investigatory Powers Act (IPA), which has granted the government the most sweeping surveillance powers of any Western democracy. It would also embolden countries with poor human rights records to do the same.

Remember, encryption doesn’t just keep terrorist communications “safe” from our intelligence services, it protects journalists, human rights activists and many others in hostile states like those in the Middle East.

More importantly, it protects the communications of all those businesses we bank with, shop with, and give our medical and financial records to. The government can’t have its cake and eat it: recommending businesses secure their services with encryption on the one hand, but then undermining the very foundations on which our economy is built with the other.

Once a provider has been ordered to create a “backdoor” in their product or service, the countdown will begin to that code going public.

It’s inevitable.

Even the NSA and CIA can’t keep hold of their secrets: attackers have managed to steal and release top secret hacking tools developed by both. In the case of the former this led to the recent global ransomware epidemic dubbed “WannaCry”.

Why should we set such a dangerous precedent, putting our data and privacy at risk, while the real criminals simply migrate to platforms not covered by the backdoor program?

“For years, cryptologists and national security experts have been warning against weakening encryption,” Apple boss Tim Cook has said in the past. “Doing so would hurt only the well-meaning and law-abiding citizens who rely on companies like Apple to protect their data. Criminals and bad actors will still encrypt, using tools that are readily available to them.”

In short, we need more police officers, constructive relationships with social media companies, and smarter ways of investigating terror suspects. Dragnet surveillance, encryption backdoors and more internet regulation is the quickest way to undermine all those democratic freedoms we hold so dear – and send us hurtling towards that dystopic authoritarian future.

Why F-Secure and Others Are Opposing the Snoopers’ Charter

Posted: October 30, 2015 | Author: | Filed under: Uncategorized | Tags: , , , , , , , , | Leave a comment

whatsapp logoIt’s widely expected that next week the government will unveil details of its hugely controversial Snoopers’ Charter, aka the Investigatory Powers Bill. To preempt this and in a bid to influence the debate cyber security firm F-Secure and 40 other tech signatories presented an open letter opposing the act.

The bill most controversially is expected to force service providers to allow the authorities to decrypt secret messages if requested to do so in extremis. This is most likely going to come in the form some kind of order effectively banning end-to-end encryption.

I heard from F-Secure security adviser Sean Sullivan on this to find out why the bill is such as bad idea.

To precis what I wrote in this Infosecurity article, his main arguments are that forcing providers to hold the encryption keys will:

  • Make them a likely target for hackers, weakening security
  • Send the wrong signal out to the world and damage UK businesses selling into a global marketplace
  • End up in China or other potentially hostile states a service provider also operates in also requesting these encryption keys – undermining security further
  • Be useless, as the bad guys will end up using another platform which can’t be intercepted

I completely agree. Especially with Sullivan’s argument that the providers would become a major target for hackers.

“End-to-end encryption makes good sense and is the future of security,” he told me by email. “Asking us to compromise our product, service, and back end would be foolish – especially considering all of the back end data breach failures that have occurred of late. If we don’t hold the data, we cannot lose control of it. That’s just good security.”

One other point he made was the confusion among politicians about tech terminology as basic as “backdoor” and “encryption”.

“A lot of UK politicians end up putting their foot in their mouth because they don’t properly understand the technology. They try to repeat what their experts have told them, but they get it wrong. UK law enforcement would probably love to backdoor your local device (phone) but that’s a lost cause,” he argued.

“The politicians (who actually know what they’re talking about) really just want back end access. As in, they want a back door in the ‘cloud’. They want to mandate warranted access to data in transit and/or in the back end (rather than data at rest on the device) and fear that apps which offer end-to-end encryption, in which the service provider doesn’t hold any decryption keys, are a threat.”

Let’s see what happens, but given the extremely low technology literacy levels among most politicians I’ve got a bad feeling about this one.

Singapore bids to snuff out APT fire as threats spell double trouble for APAC

Posted: January 24, 2014 | Author: | Filed under: Uncategorized | Tags: , , , , , , , , , , , | Leave a comment

big dataLast week APT and anti-malware firm FireEye announced the creation of a new Cyber Security Centre of Excellence (CoE) in partnership with the Singaporean government. It didn’t make many headlines outside of the city state but I think it’s worth a second look for a few reasons.

First up, FireEye is pledging 100 trained security professionals to this new regional hub, to provide intelligence to help the local government protect its citizens and infrastructure from attack as well as benefitting the vendor’s customers across APAC.

FireEye is one of the few infosec companies I’ve spoken to in this part of the world that is prepared to talk at length about the specific problems facing organisations in the region. More often than not when I try to go down this avenue with a vendor I’ll be told about how threats are global these days and attacks follow similar patterns no matter where you are on the planet.

While I know this is true to an extent, it was nevertheless refreshing to hear FireEye’s APAC CTO Bryce Boland tell me that the reason for building a team in Singapore was to have the necessary local language and cultural skills to deal with specific regional threats.

“We have a lot of countries here, many of which have tense relationships, so we see a lot of that boil over into cyber space,” he told me.

As well as the various hacktivist skirmishes that periodically hit the region, such as those between the Philippines and Indonesia or China and Japan, there are also more serious IP-stealing raids which stems from the fact that APAC represents more than 45 per cent of the world’s patents, Boland added.

As a result, regional organisations face almost twice as many advanced attacks as the global average.

Another reason the news of FireEye’s new CoE warrants attention is what it says about the approach to cyber security by the respective governments of Singapore and Hong Kong.

Although Hong Kong threw HK$9 million (£730,000) at a new Cyber Security Centre in 2012, my impression is that Singapore is more proactive all round when it comes to defending its virtual borders.

It was a view shared by Boland, who pointed to Singapore’s ability to attract and support infosec players looking to build regional headquarters there, as well as its efforts to attract globally renowned speakers to an annual security expo.

In my experience, what few events there are in Hong Kong are poorly attended, attract few speakers from outside the SAR, and rarely provide the audience with anything like compelling or useful content.