Thursday, 5 July 2012

Government snooping for dummies

Basically, either the government can snoop on encrypted traffic, or they cannot. It does not matter which or how...

If they can snoop on encrypted traffic, then the encryption systems will be changed until they cannot. There is no point in encryption if someone else can read it. It does not matter what the technology is; this is a simple fact.

If, or when, they cannot snoop on encrypted traffic, then everyone using encryption for Facebook, Twitter, Gmail, games, etc, etc, etc, will be invisible to them, even for the purpose of extracting "communications data".
So, given that either now, or very soon after they have paid for lots of "black boxes", they will not be able to snoop on the normal, everyday communications systems that are located outside the UK and used by millions of people, why the f*ck are they bothering?

Please pass this message on to your MP. It is as non technical as I can make it. Thanks.

12 comments:

  1. Technically they can still see communications data (where the packets are going) even if they are encrypted. This will be true unless you are using Tor.

    Now, they won't be able to see what page you are accessing on that host, but that may not be really required.

    ReplyDelete
    Replies
    1. More importantly, with sites like gmail defaulting to https, they will not see who is emailing who, simply that you (and millions of others) access gmail.

      Delete
  2. mjj29: but that's their argument for wanting to do this; they can't currently see communications data in web pages (like webmail or facebook), or they can't get non-UK based organisations to give them logs. So they need to be able to see inside the communications to extract the comms data...

    ReplyDelete
  3. If it does become an issue, I think they will go down the legislation route. The legislation will clearly define for businesses that operate in the UK when and when not to use encryption, for example to use encryption when logging into a web-page, viewing private financial information, etc…

    Facebook would be classed as operating in the UK; they would only be allowed to operate HTTPS on the login page and for updating financial information for advertising, for example.

    Unless the media pick up on this, the average UK citizen would be none the wiser. Even if the media did run with this, would the average UK citizen be bothered? As someone else has said, unless it’s about tax on a hot pasty, are they really that bothered?

    ReplyDelete
    Replies
    1. I believe other governments have tried to ban encryption, and this is all pointless anyway as, if they are "operating in the UK" and in any way under UK law, they can make laws requiring them to hand over the communications data anyway. The whole point of this stupidity is that they understand there are companies operating outside the UK that they cannot force to hand over communications data, and those same people will ignore laws requiring that they don't use https.

      Delete
  4. To be fair, there's another scenario: they install black boxes that can snoop on current encryption, and pass laws that make it illegal to use methods that circumvent that.

    Technically, it'll be possible to circumvent and avoid detection, but legally...

    ReplyDelete
    Replies
    1. I believe other governments have tried to ban encryption and it did not work, AFAIK.

      Delete
  5. There's another option: install black boxes capable of sniffing current encrypted traffic, and pass laws that make it illegal to use methods that can't be sniffed.

    Not a very appealing prospect, but much easier for them to do (if not enforce) than trying a technical solution...

    ReplyDelete
  6. Worth noting that gmail.com redirects to https automatically, as does twitter.com, and facebook.com suggests use of https but does not (yet) auto redirect.

    ReplyDelete
  7. I've already sent something akin to this to my MP, and got a boilerplate reply that it was necessary to catch (the holy trinity of) "paedophiles, criminals and terrorists".

    I doubt my MP even read it.

    ReplyDelete
  8. Perhaps you need to set it in the context of an MP. All his/her privileged emails to their constituents will be caught up in this too, as well as their facebook followers and anyone looking at their tweets.

    Of course, I'd never suggest that MPs were "paedophiles, criminals or terrorists". Well, maybe not paedophiles anyway.

    ReplyDelete
  9. Hi,

    In history I'm aware of at least two attempts to restrict encryption:
    - Around 1994 the US passed a law mandating the use of the "Clipper chip", a kind of root encryption key that government agencies would have access to and be able to use to decrypt any US communication. Obviously it failed...
    - France tried to ban all encrypted traffic, also at the end of the 80s / early 90s, and the law was repealed with the development of the internet and the obvious requirement for encrypted communication (for internet banking, etc...).

    The only way a government could now technically intercept SSL traffic (besides URLs, which are plain text) is to have a man-in-the-middle presence and a copy of a root certificate with which to issue on-the-fly certificates. This could be achieved either by having access to those (VeriSign etc...), which depending on your level of conspiracy theory might or might not already be the case.
    The other (and far more practical) way is to force everybody in the country (or just the OS/browser publishers) to include a "UK Government" root certificate (to avoid the annoying / alarming popup each time your communication is intercepted). This should be transparent to 90% of the clueless population.

    But once again, as with DRM and software protection, anybody having a need to circumvent it will be able to do so quite easily, so only innocent people (or paying customers in the case of DRM/game protection) will be annoyed...

    ReplyDelete
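The interception scheme described in comment 9 (an extra root certificate pushed into the client's trust store, used to issue on-the-fly certificates for whatever site the user visits) can be made concrete. The Go program below is an added example, not code from the post or from any of the commenters. It builds an honest CA, a hypothetical "UK Government Root", and a certificate for the hypothetical host mail.example.com from each; it then shows that ordinary chain validation accepts both certificates once the extra root is trusted, which is why the comment expects interception to be invisible, while a public-key pin recorded from the genuine certificate rejects the substitute. Every certificate, the host name and the pin set are constructed inside the program.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// issue mints a certificate for cn: self-signed when parent is nil (a root CA),
// otherwise signed by parent/parentKey. Leaves get a DNS SAN so hostname checks work.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // random serial, fine for a demo
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // we just produced this DER, so it parses
	return cert, key
}

// chainValid is what an ordinary browser does: chain the served certificate to any
// trusted root and check the hostname. Nothing here knows which root is "right".
func chainValid(served *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := served.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// spkiPin is the HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo)).
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Outcome records how each check judged each certificate.
type Outcome struct {
	GenuineChainOK, InterceptChainOK bool // chain validation alone
	GenuinePinOK, InterceptPinOK     bool // chain validation plus SPKI pin
}

// Scenario builds the set-up from the comment: an honest CA, a second root that has
// been installed on the client, and a certificate for the same hypothetical host from each.
func Scenario() Outcome {
	honestCA, honestKey := issue("Honest CA", true, nil, nil)
	govCA, govKey := issue("UK Government Root", true, nil, nil)
	const host = "mail.example.com" // hypothetical host name
	genuine, _ := issue(host, false, honestCA, honestKey)
	intercept, _ := issue(host, false, govCA, govKey)

	// The client's trust store after the extra root has been installed.
	roots := x509.NewCertPool()
	roots.AddCert(honestCA)
	roots.AddCert(govCA)

	// Pin learned on an earlier, un-intercepted connection (or shipped with the app).
	pins := map[string]bool{spkiPin(genuine): true}

	return Outcome{
		GenuineChainOK:   chainValid(genuine, host, roots),
		InterceptChainOK: chainValid(intercept, host, roots),
		GenuinePinOK:     chainValid(genuine, host, roots) && pins[spkiPin(genuine)],
		InterceptPinOK:   chainValid(intercept, host, roots) && pins[spkiPin(intercept)],
	}
}

func main() {
	o := Scenario()
	fmt.Printf("genuine:      chain=%v pin=%v\n", o.GenuineChainOK, o.GenuinePinOK)
	fmt.Printf("intercepting: chain=%v pin=%v\n", o.InterceptChainOK, o.InterceptPinOK)
}
```

Run with go run: both certificates pass chain validation, so a client that relies on the trust store alone shows no warning at all, exactly the "transparent to 90% of the population" case the comment describes. Only the pin check fails for the intercepting certificate, because the substitute carries the interceptor's key rather than the site's. This is the same mechanism by which Chrome's built-in pins for Google domains exposed the fraudulent DigiNotar certificate in 2011, and it is why a pinned client cannot be silently intercepted even by a root that the OS or browser vendor has shipped.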