Monday, 12 January 2015

Sorry David Cameron but we have a right to privacy!

David Cameron stating that we cannot allow a means of communications where the government cannot read that communication. [video]

Sorry, but no! This is not acceptable.

His statement is reported as relating to snapchat, but how would he make it so that all communications can be read by the government? If I access a bank that is not in the UK using https then this government cannot read that, which is as it should be.

He would have to ban encryption to achieve what he is saying and that is madness.

1. There are means which can be used to communicate in a way which cannot be read by the government, or anyone else - that is a fact and no amount of laws will change that fact. This is called encryption. Encryption is used every day by most people - Facebook defaults to using encryption, and of course on-line banking uses it.

2. There are means which can be used to communicate where it cannot be proved that any additional message exists if you of not have the key. This is called steganography. It means that one can send private message with no way to prove that you have done so, and so no way to prove you have broken some "no encryption" law.

Making laws against private communications is totally pointless as it does not stop private communications between criminals or suspects. What it does do is impact otherwise law abiding citizens and commerce and our right to a private life.

This issue surrounding David Cameron's statement that he believes that the government should be able to see/hear/read any communication in this country if necessary. He does go on about "in extremis" and how this needs to be signed off by Home Secretary, but even with the controls he mentions, in order to do this he needs it to be technically possible.

Think about that for a second - it means laws in the UK that make it possible for communication between two people to be listened in to by a third party even if those two people do not want that to happen. For the warrant from the Home Secretary to work, that has to be technically possible in the first place for all communication in the UK!

That is a huge thing to say - because if it is technically possible for the government to "listen in" then it is technically possible for criminals and terrorists to do so. What ever the legislation is, its job is to weaken what we do to the extent that the government can snoop. That means is possible, and those criminals will not need a sign off from the Home Secretary. That sort of change would make Britain a laughing stock and ensure nobody does anything sensitive with the UK. Indeed, it is hard to say how such weakening of communications could be consistent to Data Protection laws. In fact, it would mean NO COMPANY DEALING WITH UK CUSTOMERS COULD TAKE CREDIT CARDS ON-LINE as such weakened communications would be against the strict rules imposed and enforced by the card companies.

I have not actually read 1984, but is David Cameron quoting from it?

If you take what he has said literally it would mean whispering to your partner in bed would be illegal in case the government planted microphone could not pick up what you said.

Getting started with PGP.

Remember, Mr Cameron, you work for us, not the other way around. This sort of rhetoric shows you have no clue about basic rights or technology and really should not be running anything.

Update: Loads of responses on twitter along the lines of "Already UK law in RIPA, you have to hand over keys". ONLY IF YOU HAVE THE KEY! That does not help for transient keys. I mean, if you are asked to hand over the transient https key used on your last access to FaceBook so they can decode the TCP traffic they captured - you cannot. Similarly, I can simply make a key, send the public key to someone, receive from them a message, read it, and delete it and the key, then nothing to hand over. I think some chat apps do that inherently with transient keys in memory only, deleted after reading. It is not complex technology and perfectly legal not to have the key - only illegal not to hand it over on demand if you do have it.

Update: Another good blog post on this [Steve's blog].

Update: I have written to my [Conservative] MP.

20 comments:

  1. Nobody tell him that people can talk face-to-face in person. How will he get round that little "loophole"... actually, I don't want to know.

    ReplyDelete
  2. Not to mention that the Right to Privacy is enshrined in the Universal Declaration of Human Rights. I believe the UK has even signed a treaty which acknowledges said Declaration - a difficult thing to step back from.

    ReplyDelete
    Replies
    1. Taken to its logical conclusion it would be illegal to whisper to your partner in bed in case the government planted microphone cannot pick up what you are saying. Someone needs to put that question to Cameron. If is says it is silly he is acknowledging that it is right that some private communications exists and is original statement was bullshit. Remember, once you allow private communications you do not know if what was communicated is love notes or terrorist plans.

      Delete
    2. I don't think there's any dispute about whether Cameron is spouting bullshit :)

      Delete
  3. "If you take what he has said literally it would mean whispering to your partner in bed would be illegal"

    Most of what I whisper in bed probably IS illegal :-)

    ReplyDelete
  4. I've written to my (conservative) MP about this. I'm actually a conservative party member but will renounce my membership over this. I would even go so far as to campaign door to door on behalf of labour to prevent this. I'd prefer economic ruin to a police state.

    ReplyDelete
    Replies
    1. When Labour were in power they also pushed the police state agenda so I don't think switching to Labour is the answer. Whoever you vote for, the government gets in. :(

      Delete
    2. So very true, the police state is coming either way. But, I'd still prefer police state+economic ruin to police state+no encryption!

      Delete
  5. I don't think you've interpreted what he was saying correctly, but then you can never assume anything when politicians speak so I stand to be corrected if they put that into the policy.

    The furthest I think you could take it is to say that Cameron wants to be able to snoop on encryption, which to some extent they already can at GCHQ, but breaking all forms is arguably unworkable (certainly not on a mass scale – it has to be targeted at individuals). This is different from saying make encryption itself illegal, which would also be totally unworkable.

    In my view I'd say, yes, by all means go ahead Cameron and try to break encryption methods because only by doing that will new methods emerge to counter it and this thus encourages greater use of tougher security.. not less. Innovation is often driven by change.

    Otherwise what he said is nothing new, it's the same calls we heard last year to revive the Snoopers Charter for a 3rd attempt. The Labour party are essentially demanding the same, so we can expect something along these lines before 2015 is out. The devil is always in the detail and nobody has seen that yet.

    But after two failed attempts, what might they do differently a third time around? The problems with both of the past proposals were numerous, from cost to technical feasibility and issues of data security (central database, request filters etc.). I suspect they’ll have to re-hash some of these seemingly controversial aspects.

    ReplyDelete
    Replies
    1. I started replying to this, but it ended up turning into an essay... so I've turned it into a blog post: http://blog.nexusuk.org/2015/01/using-attack-on-freedom-to-attack.html

      Delete
  6. So Cameron has essentially announced that he doesn't want a single vote from a technologically-literate voter in the next election. Seems like a brave move for someone who is already likely to lose.

    ReplyDelete
  7. I'm chuckling at your letter. Not sure whether you're right about HTTPS not being decryptable after the fact though - Wireshark certainly seems to be able to decrypt HTTPS sessions if you import the server's key.

    ReplyDelete
    Replies
    1. Prepared to be proved wrong but as I understand it that site is set up is such a way. Not all are.

      Delete
    2. Oh, and even where it can be decoded you would need keys from the server end. No good it they are not UK bases.

      Delete
    3. For some of the crypto algorithms available in SSL/TLS, that's true - others, though, support "Perfect Forward Secrecy", which guarantees that even with the server's key, you can't decrypt the traffic stream. (Roughly speaking, I think the key would let you decrypt as far as the server and client telling each other temporary public keys to use, then you'd see traffic encrypted using those - the private keys are never transmitted, and destroyed once the connection is finished, so you can never recover the plaintext later: you'd need to capture the server or client's memory content during the connection lifetime.)

      Delete
    4. Quite. Like used for https://conservatives.com/ for example.

      Delete
  8. I understand that stopping terrorism should be our number one priority but leading your country in to a state of paranoia isn’t the right way to go about it. I would suggest that the security forces and the intelligence should do their job i.e. to maintain law and order. Taking away the freedom of your own people will only frustrate them even more.
    Thats why i always used tuvpn for anonymity
    http://www.bestvpnservice.com/tuvpn/

    ReplyDelete
    Replies
    1. Well, I have to question that - why is it "our No.1 priority". Terrorists cause a fraction of the deaths and injuries than cars. It should have a priority proportionate to the danger and risk posed which I seriously doubt is "Number 1". But otherwise, yes, I agree.

      Delete
    2. Why should stopping terrorism be the highest priority? As far as I've been able to determine, over the past 5 years there have been *2* people killed through terrorism in the UK. People are scared of terrorism, and a big reason why they are scared is because our own government keeps telling us we should be terrified, in spite of all evidence to the contrary - to my mind they are as much terrorists as the people who actually pull the trigger.

      Favourite quotes of the day, from PMQs:
      * David Cameron agrees on the importance of "standing together" in support of the values "we hold dear". [Which is why he's supporting onto the dearly held value of spying on everyone and stopping them going about their legitimate business in peace]
      * Conservative MP Michael Fabricant highlights comments made by the head of MI5 on gaps in surveillance which needs to be addressed by law. He says public safety must come above civil liberties - so there you go, someone to avoid voting for next time around.

      Delete
  9. Perhaps we can call on Team America to help if Cameron and his ilk continue to undermine our right to privacy.

    Hillary Rodham Clinton, as Secretary of State, said this in 2010:

    [those who incite others to violence... hate speech ... recruit terrorists or distribute stolen intellectual property]
    "these challenges must not become an excuse for governments to systematically violate the rights and privacy of those who use the internet for peaceful political purposes."
    ...
    "Now, we are reinvigorating the Global Internet Freedom Task Force as a forum for addressing threats to internet freedom around the world, and we are urging U.S. media companies to take a proactive role in challenging foreign governments’ demands for censorship and surveillance."

    http://www.state.gov/secretary/20092013clinton/rm/2010/01/135519.htm

    Of course the response would be "she wasn't talking about us, she meant those 'other' countries"

    ReplyDelete