UK infoseccer launches petition asking government not to backdoor encryption

Sign up and make your voice heard

A UK infosec bod has launched a petition asking the government if it would please drop its plans to install backdoors in end-to-end encryption.

Application security specialist Sean Wright's Parliamentary petition comes as an expression of uneasiness at long-signalled plans for British state agencies to sidestep encryption and enable snooping on private citizens' online conversations at will.

The so-called "ghost user" proposal, the latest incarnation of which was dreamt up by folk from eavesdropping agency GCHQ, prompted an international backlash last year from luminaries such as Bruce Schneier and Richard Stallman. Critics have warned that a backdoor, once discovered, is open to everyone – regardless of whether they have "permission" to use it or not.

Wright told The Register today of his anti-backdoor petition: "From what's been proposed, I don't see a way of protecting privacy without having an impact on others, especially legitimate users."

What's most concerning about the backdoor plan is what happens when it is discovered and abused, he said. "If I have an abusive partner in law enforcement, will they then be able to use [the backdoor] against me as their attack vector? We've seen politicians doing different things for different reasons, how do we ensure that's not abused? Also how do we ensure it's protected? Only legitimate users should get access to it, so it's going to be another system that could potentially be compromised."

"I do have concerns that if we do put some type of mechanism into place which would allow law enforcement to be able to read this private data, it may jeopardise legitimate use of encryption for ordinary law abiding citizens," said Wright on his personal blog.

The Five Eyes spying alliance (UK, US, CAN, AUS, NZ) plus their new pals Japan and India renewed global calls to break encryption by claiming the world's children would come to harm if it wasn't removed, in so many words.

Jake Moore, formerly of Devon Police and now with Slovakian infosec biz ESET, opined to The Register: "Old fashioned police tactics cannot decrypt these encrypted messages easily, which puts many cases on hold. However, putting the internet in jeopardy by demanding the relaxation of encryption is not the answer, so a petition is regretfully needed. Getting the numbers up is another quest altogether and until people fully understand what the government are after, we may sadly struggle to get the signatures up."

Encryption remains a target for state agencies

The National Crime Agency (NCA) claimed in a press release earlier this week that a child abuser could not have been caught if Facebook had deployed end-to-end encryption.

It also revealed that the perp was identified and caught through what sounds like old-fashioned policing methods: a Facebook account he used to contact his victims was linked to a pay-as-you-go mobile phone number; that phone was topped up at a shop with CCTV, giving police a visual ID of the perp; and when they figured out his name and arrested him, the phone was found in his bedroom. He then pleaded guilty. In addition, as the NCA said: "IP addresses used to commit the offences resolved to his house."

US authorities helped the NCA by obtaining data from Google, while Facebook passed details of the criminal's chats to US cops, who forwarded it to their British counterparts.

The NCA's Rob Jones, director of threat leadership, said: "It's chilling to think [sexual predator] Wilson wouldn't have been caught if Facebook had already implemented their end-to-end encryption plans which will entirely prevent access to message content."

The agency insisted to The Register that the investigation would never have been possible without secretly reading the contents of Wilson's messages.

Meanwhile, the French police hack of encrypted chat service Encrochat, something gleefully (and rightfully) leapt upon by British law enforcement, seems to have been made possible not because encryption had to be broken but because the French man-in-the-middle'd an Encrochat server. From there police deployed malicious updates across the Encrochat network to dump unencrypted images of users' handsets back to servers they controlled, bypassing encryption altogether by simply reading off chats direct from user endpoints.

Western law enforcement agencies perhaps do not struggle with encryption to the extent that they claim. Those who believe in keeping themselves and their loved ones safe online may, therefore, find Wright's petition a useful outlet in the current climate. ®
