Draft Investigatory Powers Bill Select Committee included a question about iMessage. The question was asked several times, and did not get a straight answer. The replies even started to quote the Cameron/May rhetoric about "no safe place for terrorists to communicate".
This is am important issue - the government have made some clear contradictory statements that they feel there should be no way for people (including terrorists) to communicate such that the authorities cannot read what they are saying (with court order, oversight, etc). They also say encryption is important to the economy and safety and so on. These two things are contradictory.
The point about encryption is that you make it mathematically impossible for anyone else to read the message.
["impossible" meaning that with the resources of any adversary the message could not be revealed in the time frame during which its secrecy is important]
You cannot make a system where nobody else can read the message "unless they have a court order". Mathematics does not know about court orders - so anything you do to allow access with a court order weakens the system so that it is not longer safe. Whatever weakness or backdoor exists, it means criminals could exploit it. It is not proper encryption any more.
So far the government have not tried to ban encryption - to do so would make the UK a laughing stock, drive lots of business away from the UK, and make the UK a target for criminals making us all very much less safe.
You also have to remember that no matter what you do, what law you pass, how much you restrict or cripple software, people can always communicate completely secretly with nothing more than a pen, paper and dice. This means that the "safe place for terrorists to communicate" will always exist anyway.
iMessage came up because it is a problem for the authorities - they cannot read it! Apple have chosen to make it secure. You can be sure, if you trust Apple, that messages you send cannot be "snooped" on by the authorities or Apple. There is some reason to trust Apple in that if they were lying, it would eventually come out if ever such communications were used in any court case or hacked, and that would massively damage their reputation - they have no reason to lie about this.
The problem is that the government don't like this - but can they ban a company offering end-to-end encrypted communications? Well, I think they are trying (and failing) :-
Thanks to Neil Brown for doing the leg work here :-
In RIPA, it is an obligation which can be imposed under a maintenance of capability order, under paragraph 10 of the Schedule to Regulation of Investigatory Powers (Maintenance of Interception Capability) Order 2002.
In the draft bill, it is part of the broad power to require a provider to maintain technical capability, in s189. It is called out by way of example in s189(4)(c), but this is just an example, and not a limitation.
The two positions can be contrasted: under the 2002 Order under RIPA, the list in the schedule sets out everything that the SoS can impose: it is exhaustive unless the Order is amended. Under the draft IP bill, there is no limited list of obligations, but rather anything the SoS considers to be reasonable, with some examples which are not limiting.
So, my understanding is that Apple could be served with an order to "maintain technical capability" and that includes the capability to "to remove any encryption applied". If so ordered, Apple would have to either change their system not to do encryption end-to-end, or at least have the means to do so when ordered to intercept communications. Also, they would not be able to tell us that they have done it.
The fact that someone could get such an order may have a chilling effect on the willingness to offer end-to-end encrypted services based in the UK.
This is really not acceptable, and needs addressing in the bill and RIPA, and removing. The reasons being that (a) anyone can communicate secretly anyway (as above) and (b) there are a couple of huge holes in the idea that you could force someone like Apple to change their systems :-
1. Apple is not in the UK. In fact the company that provides iMessage is, as far as I know, in Luxembourg, and so they can just tell the UK to sod off when they get an order. Also note that iMessage is free, so crippling the ability for UK "customers" to pay for the service does not help (Apple would have to separate itself from the company providing iMessage, but that is not hard).
2. Apple could simply separate iMessage in two - one is a service, perhaps a simple xmpp platform, that provides communications but does not in any way provide encryption. Then a separate company, which offers an app (software) that uses that service to provide end-to-end encryption. From the users point of view it would be a minor change to those Terms & Conditionings that you never read, and everything works the same - but legally it is different. The s/w company making the app is not a communications provider and so not subject to such orders. The communications company does not have means to decrypt the communications (mathematically impossible, remember).
Trying to make anyone that produces software include back-doors is back to the "batshit insane" category we started with, and fails to address open source software, or that the software can simply be provided by companies not based in the UK.
Ultimately, all you do is drive communications and software business out of the UK - you don't get encrypted communications decoded. Remove this requirement from the bill and RIPA!
People will know I am a slight Stargate fan (!), and I like making PCBs. So, well... Latest is... LEDs First off, the LEDs. There is a very ...
Broadband services are a wonderful innovation of our time, using multiple frequency bands (hence the name) to carry signals over wires (us...
For many years I used a small stand-alone air-conditioning unit in my study (the box room in the house) and I even had a hole in the wall fo...
It seems there is something of a standard test string for anti virus ( wikipedia has more on this). The idea is that systems that look fo...