Tuesday, 3 November 2015

Government still think there are "communication providers"

Traditionally there were communications providers, that provided telephone service using copper pairs and the like.

However, these days, there are (at least) two clear levels - one level provides the actual wires, fibres, coax, radio links that carry the Ethernet, PPP, or even IP level traffic around. There are ISPs that connect those links to "the Internet" (peers and transit providers).

Then there is a layer on top where people actually have "services" and things like "email", and "VoIP" and "messaging".

The problem is that the government think that all of these "services" have "service providers" of some sort, so we get headlines like "Internet firms to be banned from offering unbreakable encryption under new laws". I.e. the government want to make it law that these "service providers" have to have ways to access message that are passed over their "service".

There are a couple of huge holes in this...
  1. These "service providers" are often not based in the UK, either organisationally or technically. As such these UK laws will have no effect.
  2.  There may not always be a "service provider".
This second point is something I don't think anyone in government has got their head around at all. They understandably do not want to make every iPhone user a criminal, and want to go after Apple, and in the more general case the "service provider". But the way communications work means there may simply be no "service provider". If the "service providers" become subject to laws, there will be more and more "services" that have no "service provider".

Some simple examples:
  1. Email can be provided using your own mail server that you control yourself - so that when people send you email, they do not go via your "email service provider". If they too send email directly with no "email service provider" then there is no third party which the government can expect to log the email (content or meta data). Existing data retention laws totally fail to understand this concept. Making the people running the mail servers in some way liable will not work as they are the very people doing the communications and hence the suspects.
  2. Even where email is using an email provider, there can be layers - you can use PGP to encrypt email end to end, and there is no "encryption service provider" involved. The email providers see meta data but cannot decode the content of messages.
  3. Even with VoIP it is perfectly possible (I do this) to have calls that do not use a "telephony service provider" in any way - DNS sends the calls directly to my own call server which I control. Again, no third party that can be expected to log the calls or intercept the content. Again, the phones at each end can also do end to end encryption with no "encryption service provider".
  4. I can run an https site and allow other people to connect to that site, providing messaging and other services directly myself. Again, no third party service provider involved.
This puts a massive hole in their logic and creates an opportunity for terrorists to communicate freely and without some third party able to divulge the content. It will only be "normal people" that will in any way be impacted by such laws. Remember that terrorists (and normal people) can communicate with unbreakable end to end encryption using only a dice and pen and paper.

Of course they could outlaw such systems from being used, meaning you have to hand in your iPhones, but that won't stop criminals using them.

terrorist1: Let's use strong end to end encryption
terrorist2: That's illegal now
terrorist1: Right, OK, we better not do that then - would not want to break the law

So please, give up this lunacy - just accept that privacy exists - people (including terrorists) can communicate secretly, it is a fact of life, and any steps to try and stop it will be unsuccessful and damaging to everyone else. We can concentrate efforts on the end devices, on social engineering, covert operations (getting undercover people in to the cells) and all of the good old fashioned ways of policing that already work well to make terrorism a lesser threat than bee stings in this country.

Petition - please sign.

Update: Best response I have had to a tweet yet:


  1. I'm still unsure what this new legislation is going to do above and beyond RIPA, where an "end" of an end-to-end conversation can be compelled to provide decrypted versions of the message or go to jail.

    How much more draconian can you get than the status quo of putting the onus on the recipient to prove that they could not have decoded a message?

    1. RIPA does not say that though does it - it is only if you have the means to decrypt that you must decrypt. There are plenty of systems whereby you do not have the means. After all, do you have the transient keys used last time your browser went to Facebook? Could you decrypt that https traffic if it was captured?

    2. How the law is written and how it is applied don't always gel.

      "I can't decrypt it, officer, I don't have that PGP key any more. My laptop hard disk died."

      "We think you do. You deliberately deleted the key. You must have a backup. Everyone has backups! Decrypt the file NOW!"

      "I don't, so I can't."

      "We believe you still have the keys. So now we have to refer this to the CPS."

      ...and so in this fictional "dog ate my homework" scenario, the courts must decide whether I lied that I had "lost the keys" or whether I was deliberately lying to avoid incriminating myself by decrypting the files.

      What am I missing about RIPA, then?

    3. What you are missing is "The way this system works is that I never see the key and don't ever get a copy of it, so I cannot decrypt it - here is a reference that explains it". As I say, imagine your last Facebook access https was captured and you are asked to decrypt it - the answer "Browsers don't work like that - they don't file the keys for later, so I can't". No "dog ate my homework grey areas at all".

  2. I suspect that the aim here is to scare big providers out of the business of providing privacy for all, thus making the haystack smaller for GCHQ to look for its needles in. We already know that in the mass-data collection GCHQ does on the backbones, VPN traffic is set to one side for later analysis - and I'm guessing that they have the capability to decrypt that traffic later. But either way, in the civil servants' minds, the only people using strong encryption would be ne'er do wells and privacy loons. I'd be interested to see how Apple will respond to this, as they are one company with the resources and the business strategy to stand up to this. If Apple said they were no longer selling iPhones in the UK, who would blink first - Cupertino or Whitehall?

    1. Quite, hence the graphic. Apple could, by taking a stand, quite simply force a change of government - they have that market power!

  3. That petition map is quite interesting with 2 "hotspots" in oxford and cambridge - there must be a link between academia and encryption lol

  4. What is more, with ephemeral key exchange (EDH/DHE) not only are the session keys not stored, even if one is somehow compromised it does not allow an attacker to break into subsequent traffic. This whole thing betokens a massive clue deficit on behalf of whichever authoritarian wombat is proposing it.

    1. The way I see it, there are two anti-privacy lobby groups. One is the espionage/"security" establishment, exemplified by GCHQ, which has at least some people with technical clue. The other is the copyright lobby, which doesn't, because let's face it what competent techie would want to work for them?

      But when government has proposals for something unpopular it always releases trial balloons first, both to gauge the reaction and so that it can say "well, it isn't as bad as that irresponsible newspaper said it would be". So let's wait until we see the actual details…

  5. Do you know how the government proposes that ISPs retain a log of all their customers' web traffic? DNS logs? Will all ISPs be expected to route all port 80 traffic through a proxy & retain its logs? Or are they suggesting that ISPs must log all traffic at the network level?

  6. Apparently this bill "will not compel overseas communications service providers to meet our domestic retention obligations for communications data."

    Is it time to relocate A&A somewhere overseas?