Over the past few days, there have been a lot of reports in the media that the UK government was backing down from its requirement that every end-to-end encrypted messenger application inside the country had to give the government backdoor access to these messenger applications. However, after reading the actual words from the UK’s junior minister Stephen Parkinson, it seemed like all she did was give a “pinky promise!” not to enforce this requirement. The law itself did not change, is not changing, and will not change, and the requirement is still in there.
Today, the UK’s technology minister Michelle Donelan made that even clearer than it already was.
Donelan, however, denied on Thursday that the bill had been watered down in the final stages before it becomes law.
“We haven’t changed the bill at all,” she told Times Radio.
“If there was a situation where the mitigations that the social media providers are taking are not enough, and if after further work with the regulator they still can’t demonstrate that they can meet the requirements within the bill, then the conversation about technology around encryption takes place,” she said.
This raises an interesting question – why was everyone so keen on pushing the narrative yesterday that the “technology sector” had won, and that the UK government had backed down? Well, Facebook and Apple have kind of talked themselves into a corner in response to the UK’s requirement for backdoor access to WhatsApp and iMessage. The two companies threatened they would pull these services out of the UK if the government didn’t remove this requirement. When it became clear that the UK government wasn’t going to back down, Facebook and Apple were going to lose a lot of face if they didn’t actually pull WhatsApp and iMessage out of the UK in response. They needed something to get them out of this.
This vague pinky promise is all they needed. Now they can shit all over their supposed morals and values once again, completely abandon their grandstanding and promises about protecting end-to-end encryption in messaging, and continue to operate in the UK as if nothing has changed, despite them legally being obligated to break end-to-end encryption if the UK government asks them to – which they can now do whenever it pleases them.
And entirely unsurprisingly, the general tech media, ever looking to please the corporations they are supposed to do the journalism stuff about, fell for it, hook, line, and sinker. The narrative that the UK backed down and Facebook and Google won is out there now, and that’s all the tech sector needed.
Not sure about this, by saying they will scan E2E encrypted messages when it is “technically feasible”, that is the equivalent of backing down and saving face, unless you think it will be feasible in the future without breaking encryption, I cannot see how.
I expect the interoperability requirement coming from the EU will almost certainly open up the encryption to others in order to comply. Which will effectively make it useless. (I wouldnt be able to make a whatsapp compatible client without being able to encypt/decrypt the messages for example)
What this gives the UK is a Legal way of obtaining the same information that authoritarian regimes have already been granted and the nefarious will be able to acquire fairly easily.
Adurbe,
Open protocols don’t mean end to end crypto has to be broken. For example, software using FOSS client and an open protocol can still have strong cryptographic security.
I should have added that the law might break end to end crypto by requring communications to have wiretaps. But opening up a service in and of itself doesn’t have to break end to end crypto.
gunfleet,
I have no idea what the law says, however to answer the technical part of your question…
Some of the services like imessage use end to end encryption in an insecure manor under the control of the service rather than the user. The encryption keys used come from apple’s own directory service and users do not authenticate them. Therefor, apple technically has the ability to wiretap it by substituting it’s own keys and telling clients to use them, performing a man in the middle attack.
Some projects will have users authenticate each other’s keys or exchange them in person, but keys distributed through centralized directory services are certainly vulnerable to court orders.
Another vulnerability people seem to forget about, but is quite obvious once you think about it, is that most consumer operating systems have a literal back door in them in the form of auto update. Software binaries are under the direct control of a privileged vendor process that’s meant to update said software. These mechanisms might be used for law enforcement purposes in a targeted way without alerting the owner.. Has the update service on mainstream operating systems ever been used this way? Hard to tell since outside security researchers (whose devices haven’t been targeted/altered) don’t contain the evidence. Also hard to protect against.
In theory, using a service provider that doesn’t control the update mechanism would be safer because they don’t have the technological means to isolate targets. This significantly increases the odds that compromised binaries would reach security researchers.
Thanks Alfman, as I understand it Apple et al have refused to comply with the original legislation and have said they would withdraw their services first. Their reasoning is that it is not technically possible to do what the UK have requested without breaking the E2EE. You are suggesting they can already do it as they generate and store the encryption keys, As for the legality, I am sure that would not bother GCHQ, which suggests they can already break the encryption and this is all theatre to create a honeypot and legal cover.