Last rites for the UK's Online Safety Bill, an idea too stupid to notice it's dead

Snoopers Charter: Dead cows don't snitch

Opinion Information wants to be free. This usefully ambiguous battle cry has been the mischievous slogan of hackers since early networking thinker Stuart Brand coined it in the early 1980s. Intended as part of a discussion about the inherent contradictions of intellectual property, it has bestowed irony in many other places since.

Veilid would seem to be one such place. The open source project has recently announced a secure communications framework, designed for decentralized peer-to-peer use through a multi-hop mesh routing system that combines strong encryption with untraceability. In particular, it is designed to be included in any app that wants to have impervious comms without central servers or third-party visibility. This is new, at least as far as its functionality is not tied to narrow use cases, and important. You never, ever want to roll your own networks, cryptographic systems or security management: now you don't have to.

The irony comes from Veilid's origins, the legendary Cult of the Dead Cow hacker collective. Like Tor before it, where the US Navy intelligence agency gave us an intelligence agency resistant network, Veilid isn't so much poacher turned gamekeeper as the creation of a mirror world. Information may want to be free, but it also wants to be free from interlopers and snoopers. If Veilid achieves its aims of a massive global network of mesh nodes, it will gain that freedom by becoming far too expensive to break.

This is particularly timely, as it is not just another nail in the coffin of state efforts to defeat personal secure encryption by diktat, but a permanent mausoleum as monumental as the Pyramids of Giza. 

Backdoor backwardness

The official madness over data security is particularly bad in the UK. The British state is a world class incompetent at protecting its own data. In the past couple of weeks alone, we have seen the hacking of the Electoral Commission, the state body in charge of elections, the mass exposure of birth, marriage and death data, and the bulk release of confidential personnel information of a number of police forces, most notably the Police Service Northern Ireland. This was immediately picked up by terrorists who like killing police. It doesn't get worse than that.

This same state is, of course, the one demanding that to "protect children," it should get access to whatever encrypted citizen communication it likes via the Online Safety Bill, which is now rumored to be going through British Parliament in October. This is akin to giving an alcoholic uncle the keys to every booze shop in town to "protect children": you will find Uncle in a drunken coma with the doors wide open and the stock disappearing by the vanload.

That assumes the best case scenario, where the deliberately weakened encryption needed for state access somehow resists attack by others. In practice, as those who actually understand encryption have said at endless length, it is impossible to guarantee or even expect this. Companies which don't deliberately compromise user security will be fined – hence Signal, WhatsApp and others have said they'd leave the UK rather than comply. In practice, this will mean geo-locking their apps in the App Store and Google Play to prevent installation to UK devices, a move that will hurt ordinary people but which is absolutely no barrier to anyone with motivation. Like criminals.

It is just stupidity stacked on incompetence balanced on political Dunning Krugerism, and the advent of Veilid drowns the lot in a tidal wave of foetid futility. What can a government do about a framework? What can it do about open source? The idea behind Veilid is to add end-to-end, peer-to-peer encrypted functionality to any app that can use it, which by itself is a force multiplier for privacy. The intent is for developers to integrate the framework as any other, as a seamless part of their products. As it stands, if the Online Safety Bill becomes law, then developers who do this will be excluded from UK commercial activity.

Software doesn't have to work like that, as users of open source audio and video tools already know. Codecs can come encumbered with patent and licence fees that exclude them from shipping with FOSS products. Make them external, optional libraries, and the FOSS product can ship and user install the libraries themselves. Those libraries aren't functional products until that point, which makes them trickier to attack legally.

Smack 'em in the supply chain

It is entirely possible to see not just Veilid but other end-to-end encryption systems taking this approach, a UK-only product that complies with the Snooper's Charter but which has the potential to pick up protection from another block of software, which doesn't itself need the ability to communicate with anything. It's not ideal, and opens up the potential for supply chain attacks and user confusion, but these are fixable with a bit of thought and care. Unlike the state strategy which promoted this little bit of evolution.

The only way to outlaw encryption is to outlaw encryption. Anything less will fail, as it is always possible in software to create kits of parts, all legal by themselves, that can be linked together to provide encryption with no single entity to legislate against. Our industry is fully aware of this. Criminals know it too. Ordinary people will learn it as well, if they have to. This information is free to everyone – except the politicians, it seems. For them, reality is far too expensive. ®

More about


Send us news

Other stories you might like