Tuesday, 8 March 2016

GCHQ boss: Tech firms should co-operate over encryption

This BBC article says GCHQ want to work with tech firms over the encryption issue.

Unfortunately there is a conflict of interest here - what the tech firms wish to do is keep user's data safe - they should do this - it is even in the Data Protection Act that personal data is important and should be kept safe.

So the objective of the tech firm is at odds with the objective of GCHQ which is to access user's data when they want to.

The gold standard for the tech firm is to make the data so safe that even they cannot access it. Even someone that knows exactly how it all works, that wrote the code that is used, cannot, by any means, access the data. Apple are pretty close and I am sure are working on ensuring this is the case.

If a tech firm is successful in this goal then there is not really a lot to discuss with GCHQ, is there? They cannot have the data, end of story. If there was something to discuss, some way that the data could be accessed by any means, then that is a loophole the tech company should be working on plugging!

One statement "The solution is not, of course, that encryption should be weakened, let alone banned. But neither is it true that nothing can be done without weakening encryption," shows the problem.

Let's be clear - this is not about the mathematics - this is a very simple high level thing. Anything that allows a third party (such as GCHQ) access to data is weakening the encryption. It does not matter if that is some procedural change, some storage of keys in a "safe place", some trick in the mathematics to allow a third key - none of that matters - the very possibility of access is a "weakening of encryption" by definition.

I am shocked that they seem not to understand this. Well, I am sure they do, but want to gloss over it.

Of course, the real "back door" to any system is the software update. It is essential to have this, not just for new features in a product, but also to fix vulnerabilities. Software is never 100% perfect, and even if it was the world changes and what is necessary to defend against attacks changes. So s/w updates are needed and should be encouraged. They should be digitally signed to ensure the s/w is genuine, of course. The issue is that new software can help access data - whether by allowing lots of attempts very quickly (what the FBI want) or by capturing keys next time the user legitimately unlocks the data.

There are steps a tech firm can take, and I expect Apple are working on this, such as ensuring there is no way to update the software on a locked phone. Even make the security hardware not allow an update without correct use of the PIN or password (and not allow many attempts). This addresses the issue of access to a device after it has been seized, but not the possibility of a systemic vulnerability being introduced on devices in advance - that needs trust in the suppler.

Of course if you do not trust your supplier or the government, you can do encryption yourself, and none of this will then apply. I should not have to keep saying this but criminals can always use encryption, and even do so covertly. Such laws or discussions only impact the non criminals!

Sadly the UK wants to remove all trust in any UK firm by allowing secret orders that could do exactly that - compromise security on all devices in advance. It will be a sad state of affairs very soon when we have to trust a foreign supplier as we cannot trust anyone in our own country.

"Made in UK" will become the hallmark of distrust by the end of the year!

P.S. The original talk was actually more balanced, but still misses the key points in many ways and thinks there can be a way for law and encryption not to clash, and somehow that criminals would obey any such laws anyway.

His comment "On encryption, it simply repeats the position of earlier legislation: where access to data is legally warranted, companies should provide data in clear where it is practicable or technically feasible to do so. No-one in the UK Government is advocating the banning or weakening of encryption." clearly lacks an understanding of the power of the bill going through parliament, that can secretly demand much much more.

5 comments:

  1. Steganography makes it easy to hide low payload messages (or high payloads, but this increases the risk) in a nearly undetectable way. Particularly with very large phone cameras these days, leading to a very high number of pixels and a low payload ratio. Sending encrypted texts in this way would mean a very low payload compared to the content, making it exceptionally hard to detect.

    And Alice and Bob don't even need to directly communicate to communicate. Alice can put the image up on Facebook so anyone can read it without an account. Bob could host a gallery of his snapshots. It could be used for forum avatars. There are so many ways to achieve this, all of which would fly completely under the radar.

    If you are the slightest bit competent, it is easy to evade detection. Obviously no good if GHCQ decide to bug your device or something (I was going to say with a warrant, but they probably do it anyway), but if it gets to that stage you're probably doing something wrong.

    It's just like airport security, which is security theatre. It will catch the idiots... sometimes (look at all the times people smuggle bombs, guns, etc. past staff). If anyone really wants to kill people, they'll smuggle a device internally or use a surgically implanted bomb. Or they'll bomb a football stadium or other crowded area. Or they'll give one of their zealots an AK and let them loose.

    I do not fear terrorism. I support taking reasonable measures to stop it of course; I'm sure many attacks are stopped each day that we're never told about. But I do not live in a perpetual state of fear, and demand we lose every right we have because OMG TERRORISTS AND IT MAKES PEOPLE SAFER! I'm far more likely to die driving into work (or to the airport) than I am to die of a terrorist.

    I do however fear governments who demand greater power, particularly when they cannot be trusted. The US government couldn't even make it through a week before admitting they wanted to unlock far more phones than just the one (as was obvious to anyone with a brain), despite all their promises how it was a one time exception. We've had councils abuse anti terror laws to spy on people putting out their bins. Of course, none of these people ever got prosecuted and imprisoned for their actions...

    The one thing that does offer protection from governments is their own incompetence. So I will be effortlessly evading Ms. May's attempts to spy on me should they ever be implemented. I'm sure thousands of terrorists browsing jihad.org/bombing/killinfidels/ will be quickly caught and make us all far, far safer though.

    ReplyDelete
  2. Coming back to the value of encryption - I had an interesting email conversation with your support staff who confirmed that I wasn't being dumb - you really don't support TLS on VOIP traffic. Any reason why not? Any plans to do so?

    ReplyDelete
    Replies
    1. Yes, good reasons, I think, some better than others, but see if any of these make sense.

      1. Most of the VoIP stuff we do is to/from the PSTN which is unencrypted and always has been.

      2. People accessing their own phone systems and making internal calls can do this, or use VPN anyway.

      3. Scaling a system to do TLS is tricky, and you have to work out trust issues.

      4. Ultimately the calls will be unencrypted in our switches, TLS would be you to us, and us to you, not PSTN, but we would have call in clear - necessary for services like call recording. And we can be hacked or ordered to disclose calls anyway.

      5. There are a lot of end to end voice and text applications if you want to have private calls or texts to people, and making a conscious decision to use them not just "make a phone call" is probably a good idea given how much of the telephone network is not secure/encrypted anyway.

      Basically, either calls are to/from people you know and trust to also do some security, in which case use Signal or some such, or are to/from the PSTN, in which case this does not help much.

      Yes, if you are using an open public WiFi, it helps, but for that just use a VPN to your office or some such anyway.

      Maybe, one day, it may make sense, but I see "traditional telephony" as becoming more and more legacy anyway over time.

      Delete
    2. Yeah, it's the public wifi bit I'm concerned about i.e. some kid sniffing unencrypted wifi traffic at the airport or something, not you or a state actor. I have an OpenVPN server at home but it's a bit of a hassle as I have to remember to switch the VPN on first, and that's a bit flakey from my iphone (and often get IP range conflicts between the local wifi network and my home one etc. as they're both on the same rfc1918 range etc.).

      Delete
  3. I might pay for a VPN service if you offered one, perhaps tied to my existing allowance, allow me to buy more etc.

    ReplyDelete