{"id":40439,"date":"2023-08-24T14:06:17","date_gmt":"2023-08-24T18:06:17","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=40439"},"modified":"2025-02-21T17:15:28","modified_gmt":"2025-02-21T22:15:28","slug":"u-k-proposal-to-weaken-messaging-security","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2023\/08\/24\/u-k-proposal-to-weaken-messaging-security\/","title":{"rendered":"UK Proposal to Weaken Messaging Security"},"content":{"rendered":"<p><a href=\"https:\/\/www.justsecurity.org\/87615\/changes-to-uk-surveillance-regime-may-violate-international-law\/\">Ioannis Kouvakas<\/a>:<\/p>\n<blockquote cite=\"https:\/\/www.justsecurity.org\/87615\/changes-to-uk-surveillance-regime-may-violate-international-law\/\"><p>The existing IPA regime appears to already allow the U.K. government to demand that companies <a href=\"https:\/\/techcrunch.com\/2017\/05\/05\/uk-surveillance-law-still-fuzzy-on-decryption-rules-for-comms-providers\/\">alter their services<\/a> in a manner that may affect all users. For example, a <a href=\"https:\/\/www.legislation.gov.uk\/ukpga\/2016\/25\/section\/253\/enacted\">technical capability notice<\/a> requiring the &ldquo;removal by a relevant operator of electronic protection&rdquo; could be used to force a service, such as WhatsApp or Signal, to remove or undermine the end-to-end encryption of the services it provides worldwide, if the government considers that such a measure is proportionate to the aim sought.<\/p><p>[&#8230;]<\/p><p>As a result, an operator of a messaging service wishing to introduce an advanced security feature would now have to first let the Home Office know in advance. Device manufacturers would likely also have to notify the government before making available important <a href=\"https:\/\/www.bbc.co.uk\/news\/technology-66256081\">security updates<\/a> that fix known vulnerabilities and <a href=\"https:\/\/www.ncsc.gov.uk\/collection\/device-security-guidance\/managing-deployed-devices\/keeping-devices-and-software-up-to-date\">keep devices secure<\/a>. Accordingly, the Secretary of State, upon receiving such an advance notice, could now request operators to, for instance, abstain from patching security gaps to allow the government to maintain access for surveillance purposes.<\/p><\/blockquote>\n\n<p>Via <a href=\"https:\/\/daringfireball.net\/2023\/08\/kouvakas_uk_surveillance\">John Gruber<\/a> (<a href=\"https:\/\/mastodon.social\/@daringfireball\/110941982138798947\">Mastodon<\/a>):<\/p>\n<blockquote cite=\"https:\/\/daringfireball.net\/2023\/08\/kouvakas_uk_surveillance\"><p>Removing E2EE wouldn&rsquo;t require some mere tweak to the protocols, it would require replacing the protocols entirely (with inherently insecure ones).<\/p><p>And the notion that security updates, for every user in the world, would need the approval of the U.K. Home Office just to make sure the patches weren&rsquo;t closing vulnerabilities that the government itself is exploiting&#x2009;&mdash;&#x2009;it boggles the mind. Even if the U.K. were the only country in the world to pass such a law, it would be madness, but what happens when other countries follow?<\/p><p>[&#8230;]<\/p><p>What will actually happen, I believe, is that E2EE messaging platforms like WhatsApp (overwhelmingly popular in the U.K.), Signal, and iMessage <em>will stop working and be pulled from app stores in the U.K.<\/em>, full stop. The U.K. seems to think it&rsquo;s a bluff; I don&rsquo;t.<\/p><\/blockquote>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2021\/01\/28\/protonmail-opposes-eu-golden-key\/\">ProtonMail Opposes EU Golden Key<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2020\/03\/09\/trying-to-weaken-encryption-again\/\">Trying to Weaken Encryption Again<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2019\/07\/24\/attorney-general-william-barr-on-encryption-policy\/\">Attorney General William Barr on Encryption Policy<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2018\/12\/12\/australian-assistance-and-access-act\/\">Australian Assistance and Access Act<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2016\/02\/17\/fbi-asks-apple-for-secure-golden-key\/\">FBI Asks Apple for Secure Golden Key<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2014\/10\/10\/secure-golden-key\/\">Secure Golden Key<\/a><\/li>\n<\/ul>\n\n<p id=\"u-k-proposal-to-weaken-messaging-security-update-2023-08-25\">Update (2023-08-25): <a href=\"https:\/\/www.ben-evans.com\/benedictevans\/2023\/8\/24\/when-tech-says-no\">Benedict Evans<\/a> (via <a href=\"https:\/\/mas.to\/@carnage4life\/110946953888405829\">Dare Obasanjo<\/a>):<\/p>\n<blockquote cite=\"https:\/\/www.ben-evans.com\/benedictevans\/2023\/8\/24\/when-tech-says-no\">\n<p>The tech industry always has a reason why any new laws or regulations are bad - indeed, so does any industry. They always say that! The trouble is, sometimes it&rsquo;s true, and some laws are (or would be) disasters. So which is it? Well, there are three ways that people say &lsquo;NO!&rsquo;<\/p>\n<\/blockquote>\n\n<p id=\"u-k-proposal-to-weaken-messaging-security-update-2023-08-28\">Update (2023-08-28): <a href=\"https:\/\/pxlnv.com\/blog\/pants-on-fire\/\">Nick Heer<\/a>:<\/p>\n<blockquote cite=\"https:\/\/pxlnv.com\/blog\/pants-on-fire\/\">\n<p>But Evans does not give nearly enough weight to how often big industry players and their representatives simply lie. They often claim the effects of new regulations will be of the second or third type when there is no evidence to support their claims.<\/p>\n<p>[&#8230;]<\/p>\n<p>In 2015, after Uber launched in Calgary, the city <a href=\"https:\/\/pxlnv.com\/linklog\/lyft-alberta-lobbying\/\">proposed reasonable and sensible rules<\/a>, which Uber claimed were <a href=\"https:\/\/web.archive.org\/web\/20170225165857\/https:\/\/newsroom.uber.com\/canada\/response-to-calgary-city-councils-proposed-ridesharing-bylaw\/\">entirely &ldquo;unworkable&rdquo;<\/a> for ride sharing as a genre. Many, including <a href=\"https:\/\/macleans.ca\/news\/canada\/enough-with-the-uber-bashing-already\/\">popular media outlets<\/a>, concurred with Uber and begged the city to fold. But it compromised on only a single rule; everything else was passed, meaning that Uber drivers were subject to the same sorts of regulations as taxi drivers because they do the same job. And guess what? Uber has been happily operating in Calgary ever since.<\/p>\n\n<p>Apple spent years opposing repair legislation on the basis that <a href=\"https:\/\/www.macrumors.com\/2019\/04\/30\/apple-right-to-repair-consumer-harm\/\">people would hurt themselves<\/a> replacing batteries, and that any state which passed such laws would become a &ldquo;<a href=\"https:\/\/www.vice.com\/en\/article\/pgxgpg\/apple-tells-lawmaker-that-right-to-repair-iphones-will-turn-nebraska-into-a-mecca-for-hackers\">mecca for bad actors<\/a>&rdquo;. That line of argument was <a href=\"https:\/\/www.zdnet.com\/article\/why-apple-doesnt-want-you-repairing-your-broken-iphone-or-ipad\/\">echoed<\/a> by some, only for Apple to now <a href=\"https:\/\/www.404media.co\/apple-endorses-california-right-to-repair-bill\/\">support<\/a> such legislation &mdash; <a href=\"https:\/\/www.macrumors.com\/2023\/08\/23\/apple-supports-right-to-repair-in-california\/\">with caveats<\/a> &mdash; despite using exactly the same type of battery it says is dangerous for people to swap themselves.<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/www.techdirt.com\/2023\/08\/28\/e-bike-industry-blames-consumers-for-fires-in-effort-to-undermine-right-to-repair-laws\/\">Karl Bode<\/a> (via <a href=\"https:\/\/news.ycombinator.com\/item?id=37293557\">Hacker News<\/a>):<\/p>\n<blockquote cite=\"https:\/\/www.techdirt.com\/2023\/08\/28\/e-bike-industry-blames-consumers-for-fires-in-effort-to-undermine-right-to-repair-laws\/\"><p>Countless companies and industries enjoy making up scary stories when it comes to justifying their opposition to making it easier to repair your own tech. Apple claims that empowering consumers and bolstering independent repair shops will turn states into &ldquo;<a href=\"https:\/\/www.techdirt.com\/2017\/02\/21\/apple-says-nebraska-will-become-mecca-hackers-if-right-to-repair-bill-passes\/\">hacker meccas<\/a>.&rdquo; The car industry insists that making it easier and cheaper to repair modern cars will be a <a href=\"https:\/\/www.techdirt.com\/2020\/09\/11\/auto-industry-pushes-bullshit-claim-that-right-to-repair-laws-aid-sexual-predators\/\">boon to sexual predators<\/a>. <\/p><p>Throughout the arguments is routinely peppered a single theme: providing easier and cheaper repair options to consumers is <em>simply too dangerous to be considered<\/em>. It apparently doesn&rsquo;t matter that an FTC study recently <a href=\"https:\/\/www.techdirt.com\/2021\/05\/13\/bipartisan-ftc-study-confirms-everything-right-to-repair-advocates-have-been-saying-years\/\">found those claims to be self-serving bullshit<\/a> designed to protect harmful repair monopolies from reform and lost repair revenue.<\/p><p>[&#8230;]<\/p><blockquote><p>Asked for data to back up the claim that e-bike fires were being caused by unauthorized repairs, Lovell said that it was &ldquo;anecdotal, from folks that are on the ground in New York.&rdquo;<\/p><\/blockquote><\/blockquote>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2023\/08\/25\/apple-supports-california-right-to-repair-bill\/\">Apple Supports California Right-to-Repair Bill<\/a><\/li>\n<\/ul>\n\n<p id=\"u-k-proposal-to-weaken-messaging-security-update-2023-09-07\">Update (2023-09-07): <a href=\"https:\/\/www.ft.com\/content\/770e58b1-a299-4b7b-a129-bded8649a43b\">Cristina Criddle, Anna Gross, and John Aglionby<\/a>:<\/p>\n<blockquote cite=\"https:\/\/www.ft.com\/content\/770e58b1-a299-4b7b-a129-bded8649a43b\"><p>The UK government has conceded it will not use controversial powers in the online safety bill to scan messaging apps for harmful content until it is &ldquo;technically feasible&rdquo; to do so, postponing measures that critics say threaten users&rsquo; privacy.<\/p><\/blockquote>\n<p>Via <a href=\"https:\/\/daringfireball.net\/linked\/2023\/09\/06\/uk-encryption-win\">John Gruber<\/a>:<\/p>\n<blockquote cite=\"https:\/\/daringfireball.net\/linked\/2023\/09\/06\/uk-encryption-win\">\n<p>This isn&rsquo;t the worst reporting on encryption and lawmakers&rsquo; fantasies about &ldquo;backdoors only accessible by the good guys&rdquo;, but it&rsquo;s fundamentally misleading. End-to-end encryption&rsquo;s meaning is right there in its name. There&rsquo;s no dial that can be adjusted from &ldquo;weak&rdquo; to &ldquo;strong&rdquo;.<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/www.macrumors.com\/2023\/09\/07\/uk-government-plan-scan-encrypted-messages\/\">Tim Hardwick<\/a>:<\/p>\n<blockquote cite=\"https:\/\/www.macrumors.com\/2023\/09\/07\/uk-government-plan-scan-encrypted-messages\/\">\n<p>The UK government has denied that it has dropped a controversial plan to scan encrypted messaging services for harmful content as part of its Online Safety Bill, which is due to become law later this year.<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/pxlnv.com\/linklog\/parkinson-online-safety-bill\/\">Nick Heer<\/a>:<\/p>\n<blockquote cite=\"https:\/\/pxlnv.com\/linklog\/parkinson-online-safety-bill\/\">\n<p>Even though that is unclear, this argument is tautological: the government is arguing that technology companies will not be required to use technology which does not exist or is impossible. Which, well, duh. But then it says Ofcom is empowered to demand tech companies develop this impossible technology to the best of their abilities[&#8230;] It really sounds like the U.K. government wants operators of encrypted services to throw their &ldquo;considerable resources&rdquo; at doing as much as possible to solve the impossible.<\/p>\n<\/blockquote>\n\n<p id=\"u-k-proposal-to-weaken-messaging-security-update-2023-10-24\">Update (2023-10-24): <a href=\"https:\/\/www.bbc.com\/news\/technology-66854618\">Chris Vallance<\/a>:<\/p>\n<blockquote cite=\"https:\/\/www.bbc.com\/news\/technology-66854618\">\n<p>Peers have passed a controversial new law aimed at making social media firms more responsible for users' safety on their platforms.<\/p>\n<\/blockquote>\n\n<p>Via <a href=\"https:\/\/pxlnv.com\/linklog\/online-safety-bill-passes\/\">Nick Heer<\/a>:<\/p>\n<blockquote cite=\"https:\/\/pxlnv.com\/linklog\/online-safety-bill-passes\/\">\n<p>Remember how, a couple of weeks ago, there was <a href=\"https:\/\/www.techmeme.com\/230906\/p19#a230906p19\">lots of press coverage<\/a> celebrating an apparent withdrawal of provisions in the bill which required encryption to be broken, largely based on a <a href=\"https:\/\/www.ft.com\/content\/770e58b1-a299-4b7b-a129-bded8649a43b\"><em>Financial Times<\/em> report<\/a>? You may recall my <a href=\"https:\/\/pxlnv.com\/linklog\/parkinson-online-safety-bill\/\">subtly different interpretation<\/a> based on the actual words of Lord Parkinson promoting the bill&rsquo;s passage, and an actual reading of the text of the bill, which indicated that regulators would be granted the power to build something impossible.<\/p>\n<p>[&#8230;]<\/p>\n<p>By the way, it is not just encrypted messaging which has been put at risk in the U.K. because of this bill. The resources of the Wikimedia Foundation will <a href=\"https:\/\/wikimediafoundation.org\/news\/2023\/06\/29\/protect-the-future-of-wikipedia-in-the-uk\/\">probably be blocked<\/a> in the U.K. because those sites &mdash; wisely &mdash; do not engage in mass data collection or user profiling, so they cannot effectively verify users&rsquo; ages.<\/p>\n<\/blockquote>","protected":false},"excerpt":{"rendered":"<p>Ioannis Kouvakas: The existing IPA regime appears to already allow the U.K. government to demand that companies alter their services in a manner that may affect all users. For example, a technical capability notice requiring the &ldquo;removal by a relevant operator of electronic protection&rdquo; could be used to force a service, such as WhatsApp or [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2023-08-24T18:06:21Z","apple_news_api_id":"a130e7fd-32e4-497b-ad26-4b349f527d13","apple_news_api_modified_at":"2024-12-06T14:15:09Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAABg==","apple_news_api_share_url":"https:\/\/apple.news\/AoTDn_TLkSXutJks0n1J9Ew","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[248,2729,140,31,209,355,2086,48,1672,2166,96,1363,388],"class_list":["post-40439","post","type-post","status-publish","format-standard","hentry","category-technology","tag-android","tag-icloud-advanced-data-protection","tag-imessage","tag-ios","tag-legal","tag-privacy","tag-rich-communication-services-rcs","tag-security","tag-signal","tag-united-kingdom","tag-web","tag-whatsapp","tag-wikipedia"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/40439","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=40439"}],"version-history":[{"count":8,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/40439\/revisions"}],"predecessor-version":[{"id":46061,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/40439\/revisions\/46061"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=40439"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=40439"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=40439"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}