.comment-link {margin-left:.6em;}

Monday, June 05, 2017

Can Theresa May deliver on her promise to regulate the internet?

The Prime Minister is absolutely right to be outraged at the attacks in Manchester and London over the last few weeks, and is right too to want to do everything possible to deny terrorists the opportunities they currently exploit, particularly on the Internet, to plan these attacks and to radicalise others.

As CNN reports, Theresa May wants a new approach to tackling extremism, including changes that would deny terrorists and extremist sympathizers digital tools used to communicate and plan attacks. But what exactly does this mean? How will she implement it? More importantly is it possible at all without the sort of authoritarian approach taken by China to these matters?

In my view we cannot be left without specifics four days before a General Election. We need to know what the Government propose and the implications for everybody else so that we can judge whether these proposals will be effective or not. Vague rhetoric is no longer enough.

I raise this now, because we have been here before. David Cameron made the same promises but did not deliver on them. The reason for his non-delivery was actually because his proposals were half-baked and impractical. In other words he did not understand his subject and nor, it seems does Theresa May.

A more detailed explanation can be found in this article by Cory Doctorow:

It’s impossible to overstate how bonkers the idea of sabotaging cryptography is to people who understand information security. If you want to secure your sensitive data either at rest – on your hard drive, in the cloud, on that phone you left on the train last week and never saw again – or on the wire, when you’re sending it to your doctor or your bank or to your work colleagues, you have to use good cryptography. Use deliberately compromised cryptography, that has a back door that only the “good guys” are supposed to have the keys to, and you have effectively no security. You might as well skywrite it as encrypt it with pre-broken, sabotaged encryption.

There are two reasons why this is so. First, there is the question of whether encryption can be made secure while still maintaining a “master key” for the authorities’ use. As lawyer/computer scientist Jonathan Mayer explained, adding the complexity of master keys to our technology will “introduce unquantifiable security risks”. It’s hard enough getting the security systems that protect our homes, finances, health and privacy to be airtight – making them airtight except when the authorities don’t want them to be is impossible.

What Theresa May thinks she's saying is, "We will command all the software creators we can reach to introduce back-doors into their tools for us." There are enormous problems with this: there's no back door that only lets good guys go through it. If your Whatsapp or Google Hangouts has a deliberately introduced flaw in it, then foreign spies, criminals, crooked police (like those who fed sensitive information to the tabloids who were implicated in the hacking scandal -- and like the high-level police who secretly worked for organised crime for years), and criminals will eventually discover this vulnerability. They -- and not just the security services -- will be able to use it to intercept all of our communications. That includes things like the pictures of your kids in your bath that you send to your parents to the trade secrets you send to your co-workers.

But this is just for starters. Theresa May doesn't understand technology very well, so she doesn't actually know what she's asking for.

For Theresa May's proposal to work, she will need to stop Britons from installing software that comes from software creators who are out of her jurisdiction. The very best in secure communications are already free/open source projects, maintained by thousands of independent programmers around the world. They are widely available, and thanks to things like cryptographic signing, it is possible to download these packages from any server in the world (not just big ones like Github) and verify, with a very high degree of confidence, that the software you've downloaded hasn't been tampered with.

May is not alone here. The regime she proposes is already in place in countries like Syria, Russia, and Iran (for the record, none of these countries have had much luck with it). There are two means by which authoritarian governments have attempted to restrict the use of secure technology: by network filtering and by technology mandates.

He goes on to say that although companies like Apple and Microsoft could be compelled by an act of Parliament to block secure software other EU states and countries like the USA are unlikely to follow suit, and that means that anyone who bought an Iphone in Paris or New York could come to the UK with all their secure software intact and send messages "we cannot read."

Furthermore there is a problem with more open platforms, like GNU/Linux variants, BSD and other unixes, Mac OS X, and all the non-mobile versions of Windows. He says that all of these operating systems are already designed to allow users to execute any code they want to run, meaning that even an act of Parliament cannot do anything to stop people from using all the PCs now in existence to run code that the PM wants to ban:

This, then, is what Theresa May is proposing:

* All Britons' communications must be easy for criminals, voyeurs and foreign spies to intercept

* Any firms within reach of the UK government must be banned from producing secure software

* All major code repositories, such as Github and Sourceforge, must be blocked

* Search engines must not answer queries about web-pages that carry secure software

* Virtually all academic security work in the UK must cease -- security research must only take place in proprietary research environments where there is no onus to publish one's findings, such as industry R&D and the security services

* All packets in and out of the country, and within the country, must be subject to Chinese-style deep-packet inspection and any packets that appear to originate from secure software must be dropped

* Existing walled gardens (like Ios and games consoles) must be ordered to ban their users from installing secure software

* Anyone visiting the country from abroad must have their smartphones held at the border until they leave

* Proprietary operating system vendors (Microsoft and Apple) must be ordered to redesign their operating systems as walled gardens that only allow users to run software from an app store, which will not sell or give secure software to Britons

* Free/open source operating systems -- that power the energy, banking, ecommerce, and infrastructure sectors -- must be banned outright

It is up to Theresa May now to say exactly what she proposes to do, and if not the above then what and how will it work?
Comments: Post a Comment



<< Home

This page is powered by Blogger. Isn't yours?