Thursday, August 24, 2023

U.K. Proposal to Weaken Messaging Security

Ioannis Kouvakas:

The existing IPA regime appears to already allow the U.K. government to demand that companies alter their services in a manner that may affect all users. For example, a technical capability notice requiring the “removal by a relevant operator of electronic protection” could be used to force a service, such as WhatsApp or Signal, to remove or undermine the end-to-end encryption of the services it provides worldwide, if the government considers that such a measure is proportionate to the aim sought.


As a result, an operator of a messaging service wishing to introduce an advanced security feature would now have to first let the Home Office know in advance. Device manufacturers would likely also have to notify the government before making available important security updates that fix known vulnerabilities and keep devices secure. Accordingly, the Secretary of State, upon receiving such an advance notice, could now request operators to, for instance, abstain from patching security gaps to allow the government to maintain access for surveillance purposes.

Via John Gruber (Mastodon):

Removing E2EE wouldn’t require some mere tweak to the protocols, it would require replacing the protocols entirely (with inherently insecure ones).

And the notion that security updates, for every user in the world, would need the approval of the U.K. Home Office just to make sure the patches weren’t closing vulnerabilities that the government itself is exploiting — it boggles the mind. Even if the U.K. were the only country in the world to pass such a law, it would be madness, but what happens when other countries follow?


What will actually happen, I believe, is that E2EE messaging platforms like WhatsApp (overwhelmingly popular in the U.K.), Signal, and iMessage will stop working and be pulled from app stores in the U.K., full stop. The U.K. seems to think it’s a bluff; I don’t.


Update (2023-08-25): Benedict Evans (via Dare Obasanjo):

The tech industry always has a reason why any new laws or regulations are bad - indeed, so does any industry. They always say that! The trouble is, sometimes it’s true, and some laws are (or would be) disasters. So which is it? Well, there are three ways that people say ‘NO!’

Update (2023-08-28): Nick Heer:

But Evans does not give nearly enough weight to how often big industry players and their representatives simply lie. They often claim the effects of new regulations will be of the second or third type when there is no evidence to support their claims.


In 2015, after Uber launched in Calgary, the city proposed reasonable and sensible rules, which Uber claimed were entirely “unworkable” for ride sharing as a genre. Many, including popular media outlets, concurred with Uber and begged the city to fold. But it compromised on only a single rule; everything else was passed, meaning that Uber drivers were subject to the same sorts of regulations as taxi drivers because they do the same job. And guess what? Uber has been happily operating in Calgary ever since.

Apple spent years opposing repair legislation on the basis that people would hurt themselves replacing batteries, and that any state which passed such laws would become a “mecca for bad actors”. That line of argument was echoed by some, only for Apple to now support such legislation — with caveats — despite using exactly the same type of battery it says is dangerous for people to swap themselves.

Karl Bode (via Hacker News):

Countless companies and industries enjoy making up scary stories when it comes to justifying their opposition to making it easier to repair your own tech. Apple claims that empowering consumers and bolstering independent repair shops will turn states into “hacker meccas.” The car industry insists that making it easier and cheaper to repair modern cars will be a boon to sexual predators.

Throughout the arguments is routinely peppered a single theme: providing easier and cheaper repair options to consumers is simply too dangerous to be considered. It apparently doesn’t matter that an FTC study recently found those claims to be self-serving bullshit designed to protect harmful repair monopolies from reform and lost repair revenue.


Asked for data to back up the claim that e-bike fires were being caused by unauthorized repairs, Lovell said that it was “anecdotal, from folks that are on the ground in New York.”


Update (2023-09-07): Cristina Criddle, Anna Gross, and John Aglionby:

The UK government has conceded it will not use controversial powers in the online safety bill to scan messaging apps for harmful content until it is “technically feasible” to do so, postponing measures that critics say threaten users’ privacy.

Via John Gruber:

This isn’t the worst reporting on encryption and lawmakers’ fantasies about “backdoors only accessible by the good guys”, but it’s fundamentally misleading. End-to-end encryption’s meaning is right there in its name. There’s no dial that can be adjusted from “weak” to “strong”.

Tim Hardwick:

The UK government has denied that it has dropped a controversial plan to scan encrypted messaging services for harmful content as part of its Online Safety Bill, which is due to become law later this year.

Nick Heer:

Even though that is unclear, this argument is tautological: the government is arguing that technology companies will not be required to use technology which does not exist or is impossible. Which, well, duh. But then it says Ofcom is empowered to demand tech companies develop this impossible technology to the best of their abilities[…] It really sounds like the U.K. government wants operators of encrypted services to throw their “considerable resources” at doing as much as possible to solve the impossible.

Update (2023-10-24): Chris Vallance:

Peers have passed a controversial new law aimed at making social media firms more responsible for users' safety on their platforms.

Via Nick Heer:

Remember how, a couple of weeks ago, there was lots of press coverage celebrating an apparent withdrawal of provisions in the bill which required encryption to be broken, largely based on a Financial Times report? You may recall my subtly different interpretation based on the actual words of Lord Parkinson promoting the bill’s passage, and an actual reading of the text of the bill, which indicated that regulators would be granted the power to build something impossible.


By the way, it is not just encrypted messaging which has been put at risk in the U.K. because of this bill. The resources of the Wikimedia Foundation will probably be blocked in the U.K. because those sites — wisely — do not engage in mass data collection or user profiling, so they cannot effectively verify users’ ages.

2 Comments RSS · Twitter · Mastodon

I hope Gruber is right and these companies just pull their apps from the UK. That will hit the millions of users hard, which will force them to put pressure on their own government to not do this sort of thing. That’s really where the pressure should be coming from, not the companies.

Old Unix Geek

IngSoc's 3 principles:

War is Peace

Freedom is Slavery

Ignorance is Strength

and now, the successor to IngSoc, the British government, and their pal, the successor to O'Brien, have this principle to add:

Surveillance is Transparency.


Leave a Comment