Five Eyes backdoor in Encryption

The docs only state agreed principles and objectives. How they might create a solution is pure speculation at this point, but I would expect them to ask the larger tech providers to adopt some sort of Key Escrow where the police or whoever could obtain your personal key with a warrant.

They tried to restrict strong encryption in the 90’s and the price of that has been data breaches as computer power increased. The 90’s Clipper proposal was a flop.

The problem with an Escrow approach is how would you force everyone else to use it? Smaller players running their own servers or hosting them in non aligned countries worldwide not be a part. Furthermore anyone with some basic skills can use free software to run their own encryption, or simply build their own…

This is a cat and mouse game the authorities could force the large providers to join, but they will never be able to win and decrypt everything they intercept. I suspect the serious criminals will simply circumvent whatever might be adopted, and the powers will only be successful against lower order criminals who are less of a threat to national security.

That’s kind of my initial point. Forcing any kind of back door, whether it’s encryption side, client or server. It doesn’t stop the fact that it will have no impact on the real criminals

I think these are great points. I agree as well on the moral point, and it is something that is often overlooked.

I don’t necessarily think that nothing should be done. The police can get a warrant to tap a phone, or stake out a house on a suspect, interception of mail etc. There is no difference between that and digital information in reality.

Unless of course, you think that existing legislation is also immoral, which it may be depending on what you believe.

I agree though, how is it stored, implementation, oversight, how proportionality is handled, warrantry requirements. I think these play a part in being able to draw up the moral line, and if they aren’t correct would allow you to step over that line.

While this is a valid concern, id probably also suggest that this has been a valid concern from the existence any form of civilisation and law.

Bingo. That conclusion is bleedin’ obvious. Since there are at least a few employees of the various governments involved that can recognise the bleedin’ obvious, then the governments themselves must be fully aware that it won’t work.

If they know it won’t work, then there logically must be another — different — reason why they are continuing to push for it. One can speculate as to what that reason is (or reasons are) but, meh, time will tell.

They don’t know that. Politics deliberately defies logic. The US is currently in a hot debate about climate change while the western coast literally burns.

No reason to say that. Keep discussion on topic. Try not to attack the individual

I’m not sure its binary.

If this was true, existing law wouldn’t have worked, but it does. Humans are human. If we were that good we’d all be using gpg keys, but we don’t because its to difficult to use.

But all the time we see in the news of organised crime people going to prison and terrorists being stopped from carrying out attacks.

While its a really easy argument to make that ‘real’ criminals will just use gpg or one time pads or something else. The reality is they are just as human as everyone else.

(obviously not saying that there arent very sophisticated groups out there, there are.)

Also running your own mail server may possibly be the easiest way to get hacked if you were a target of interest.

Except it is. Isis isn’t messaging strategic information through Facebook and twitter. Drug dealers and pedophiles are using tor to find what they want. Yes criminals use services like Facebook to share information but that’s the minority. The people stupid enough to share information on criminal activity on social media don’t need a back door to be found out. Existing police work would do the job.

Big time criminals make it their top priority to separate themselves from risks. They are good at it and even if you could argue the case that criminals use social media to communicate illegal activity, you couldn’t argue that soon after a back door were to be implemented

It’s a common phrase and not directed at any individual — I’m not sure why you would think it was. My response was also directly related to your comment and the topic… so, all-in-all, a strange thing to say.

You’ve said previously that you feel exhausted. Maybe it’s time to hit the sack?

In every one of these types of stories, they always mention needing to break encryption for when a warrant is issued. I don’t believe this is why they want it. Governments and Law Enforcement now have the tools to obtain information without warrants. Encryption is the last obstacle in their way.

Governments like making laws, but they sure don’t like following them.

This isn’t like 20 or 30 years ago when the only way to get this information was to issue a warrant to the service provider to give them the information. These Stingrays are given out like candy.

The US Government has attempted something similar in the past. In contrast to the US edition, my 1996 European copy of Bruce Schneier’s book “Applied Cryptography” 2nd Edition was not available with a CD and only included a printed source code listing for the example encryption algorithms as, at the time, the US government considered strong encryption to be a “munition” which fell under the same export restrictions as weapons and military equipment so could not be exported as “software” in digital form.

The book contains the following: -

According to the U.S. government, cryptography can be a munition. This means it is covered under the same rules as a TOW missile or an M1 Abrams tank. If you sell cryptography overseas without the proper license, then you are an international arms smuggler.

The lack of an included CD meant anyone outside the US who wanted to implement the encryption algorithms shown would have to type the source code by hand, presumably a task considered beyond the means of non-Americans, criminals and terrorists.

These days I find it somewhat ironic that the current Advanced Encryption Standard used by the U.S federal government and approved by the NSA originated outside of the U.S, being developed by Belgian cryptographers.

Any new attempt to license or criminalise the unauthorised use of strong encryption is a futile attempt to put the genie back in the bottle. It will not deter criminals nor terrorist organisations and, through fear of prosecution, will only serve to compromise the privacy and security or law abiding citizens.

That is, of course, not entirely true. If you use an iPhone, for example, you can only install apps from Apple’s appstore. If governments legislate secure communication apps like Signal illegal, Apple will no longer offer it for download and there will be no way to securely communicate via an app on your iPhone. Of course you could still use a progressive web app, but that’s far less convenient and most people wouldn’t bother.

Then of course you’d say well sure, but then the terrorists and kiddie pornographers and such will just use Android, because it allows sideloading. And sure, some will. But a lot of these guys aren’t technical masterminds-- remember, most of the coordinated terror attacks over the past 10 years communicated via SMS texts.

It’s like security via obscurity. It’s technically 100% true that moving your SSH port to 22222 doesn’t actually make it more secure against a determined attacker, but at the same time it does result in vastly fewer people rattling your doorknob. Banning strong encryption would have the same effect, it would certainly aid law enforcement in catching bad guys, at least for a little while.

The question is whether that’s worth compromising everybody’s privacy. Most of us here would immediately say no, of course not, a temporary half-measure that won’t even work in the long run is a terrible tradeoff. I certainly think so too.

But again, these are the same old men that brought a snowball into Congress in the dead of winter to argue against climate change. They’re fossils. You aren’t going to convince them via logic, because they are disinclined to believe logical arguments, are in many cases literally anti-intellectuals, and lack the mental faculty to understand even if they were so inclined.

Even if you did somehow, someway convince these old bastards the measure was harmful, they would still vote for it from fear of electoral adversaries airing TV commercials claiming they voted against keeping children safe from predators. So you would need to educate and convince the PUBLIC too.

Is that gonna happen? Yeah, eventually. Change does happen, gradually. We’re seeing that in action now with gay marriage and marijuana. But there will be turmoil and furor until it does.

And when that happens I’m done with technology and I’m going to work on cars and molding machines.

Am I reading correctly that basically the government would basically be a CA and issue keys, but have copies of those keys themselves obviously- so the encryption does not have to be inherently weak nor have a “back door”, simply the government has the private key that should have been private to just you?

If so, still sad to see the dystopian future further solidify with bad policy. The news is so depressing because it takes all of the ‘past tense’ horribleness in history books and says “psssht, that wasn’t past tense, the same tyranny has been ever present, just changed names and has a great PR department”.

The publication does not mention specific implementations.

Principle 3 outlines access to data

3. Freedom of choice for lawful access solutions
   The Governments of the Five Eyes encourage information and communications technology service providers to voluntarily establish lawful access solutions to their products and services that they create or operate in our countries. Governments should not favor a particular technology; instead, providers may create customized solutions, tailored to their individual system architectures that are capable of meeting lawful access requirements. Such solutions can be a constructive approach to current challenges.
   Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.

And that is important.
The pure mass of communication combined with weak encryption makes it impossible for anyone to look at everything and put together the puzzle pieces.

That is why after terrorist attacks, they can allways say “we knew those people” because then law enforcement knows what cell phone numbers to look for in their logs and then the ISP can provide connection data.

From what I can tell a few reasons the agencies push to have a method of easily decrypting messages and files go more along these lines than just “won’t they think of the children”;

1. Post Snowden various international terrorist and criminal networks made efforts to change how they coummunicated: AQ published new tools and training videos to improve their tradecraft once they knew they were vulnerable.

2. Post 1990’s the SigInt world has changed dramically, more comms is carried via fibre-optic links whilst HF/VHF, microwave usage has declined: The old ways the NSA et al obtained data and cracked comms became increasingly irelevant to the point it barely exists anymore.

3. The Five Eyes nations and friends formed a cornerstone to the post-war world, economically as well as militarily, this is steadily changing with the rise of BRIC’s nations and increased wealth and markets in many African nations: There are new countries, companies and people to spy on who don’t use the old methods.

The motives of GCHQ, NSA, CIA, MI6 etc to have these powers are a level above that of the FBI and NCA which in turn are a level above a local police force or local government/council. Whilst the best interests of national security might mean most of us can accept some government agencies should have access to certain types of data (even if we are skeptical of how they would achieve that) should other echelons of government also get that power? Time and time again we see new powers getting misused and abused. My favorite example is this: https://www.huffingtonpost.co.uk/2012/08/21/local-councils-abusing-anti-terrorism-powers_n_1819715.html

I have no problem with proper process allowing spying on suspected criminals and foriegn powers, but I am highly skeptical that it’s a simple problem to solve, or indeed could be solved to everyones satisfaction. Citizens of countries that consider themselves free need to accept that our governments cannot protect us against all threats at all times and to ask them to try to do so risks abuses of power.

“He that would make his own liberty secure, must guard even his enemy from oppression; for if he violates this duty, he establishes a precedent that will reach to himself.” Thomas Paine

This is the crux of the matter. We [citizens] must acknowledge that we stand a chance of becoming a terrorist statistic and not give in to being manipulated into giving what freedoms we have, away.

You’re not supposed to talk about it.

This has been going on for decades, just recently encryption has become commonplace.

This is why i think the central CA idea is broken; all a 5 eyes nation needs to do is subvert the CAs and you’re boned for SSL/TLS.

I’m not sure what the solution is within the bounds of legality long term, the only real option we have is civil disobedience.

Yes and no.

I think the crux of the matter is that the population at large are being brainwashed that all this is to combat terrorism, when in reality it is about ensuring that the governments of the western world are able to maintain control in the face of less popular policy and the advent of the internet for disseminating information.

“Terrorism” is responsible for such a tiny fraction of injuries or deaths it’s a rounding error. I worked out the maths before (a couple of years back) but you’re far more likely to be struck by lightning. It isn’t even close. If i recall it was one or more orders of magnitude difference.

This is about maintaining the status quo for the western military industrial complex, make no mistake. The enemy of these governments is not terrorism. The enemy is us.