A UK infosec bod has launched a petition asking the government if it would please drop its plans to install backdoors in end-to-end encryption.
Application security specialist Sean Wright’s Parliamentary petition comes as an expression of uneasiness at long-signalled plans for British state agencies to sidestep encryption and enable snooping on private citizens’ online conversations at will.
The so-called “ghost user” proposal, the latest incarnation of which was dreamt up by folk from eavesdropping agency GCHQ, prompted an international backlash last year from luminaries such as Bruce Schneier and Richard Stallman. Critics have warned that a backdoor, once discovered, is open to everyone – regardless of whether they have “permission” to use it or not.
Wright told The Register today of his anti-backdoor petition: “From what’s been proposed, I don’t see a way of protecting privacy without having an impact on others, especially legitimate users.”
What’s most concerning about the backdoor plan is what happens when it is discovered and abused, he said. “If I have an abusive partner in law enforcement, will they then be able to use [the backdoor] against me as their attack vector? We’ve seen politicians doing different things for different reasons, how do we ensure that’s not abused? Also how do we ensure it’s protected? Only legitimate users should get access to it, so it’s going to be another system that could potentially be compromised.”
“I do have concerns that if we do put some type of mechanism into place which would allow law enforcement to be able to read this private data, it may jeopardise legitimate use of encryption for ordinary law abiding citizens,” said Wright on his personal blog.
The Five Eyes spying alliance (UK, US, CAN, AUS, NZ) plus their new pals Japan and India renewed global calls to break encryption by claiming the world’s children would come to harm if it wasn’t removed, in so many words.
Jake Moore, formerly of Devon Police and now with Slovakian infosec biz ESET, opined to The Register: “Old fashioned police tactics cannot decrypt these encrypted messages easily, which puts many cases on hold. However, putting the internet in jeopardy by demanding the relaxation of encryption is not the answer, so a petition is regretfully needed. Getting the numbers up is another quest altogether and until people fully understand what the government are after, we may sadly struggle to get the signatures up.”
Encryption remains a target for state agencies
The National Crime Agency (NCA) claimed in a press release earlier this week that a child abuser could not have been caught if Facebook had deployed end-to-end encryption.
It also revealed that the perp was identified and caught through what sounds like old-fashioned policing methods: a Facebook account he used to contact his victims was linked to a pay-as-you-go mobile phone number; that phone was topped up at a shop with CCTV, giving police a visual ID of the perp; and when they figured out his name and arrested him, the phone was found in his bedroom. He then pleaded guilty. In addition, as the NCA said: “IP addresses used to commit the offences resolved to his house.”
US authorities helped the NCA by obtaining data from Google, while Facebook passed details of the criminal’s chats to US cops, who forwarded it to their British counterparts.
The NCA’s Rob Jones, director of threat leadership, said: “It’s chilling to think [sexual predator] Wilson wouldn’t have been caught if Facebook had already implemented their end-to-end encryption plans which will entirely prevent access to message content.”
The agency insisted to The Register that the investigation would never have been possible without secretly reading the contents of Wilson’s messages.
Meanwhile, the French police hack of encrypted chat service Encrochat, something gleefully (and rightfully) leapt upon by British law enforcement, seems to have been made possible not because encryption had to be broken but because the French man-in-the-middle’d an Encrochat server. From there police deployed malicious updates across the Encrochat network to dump unencrypted images of users’ handsets back to servers they controlled, bypassing encryption altogether by simply reading off chats direct from user endpoints.
Western law enforcement agencies maybe do not struggle with encryption to the extent that they claim. Those who believe in keeping themselves and their loved ones safe online may, therefore, find Wright’s petition a useful outlet in the current climate. ®