I wrote to my MP (Scott Mann) a while back asking about the current Online Safety Bill wankery doing the rounds. The claim that our Government will somehow be able to read our messages but, oh no, definitely not breaking encryption is one we all need to challenge.
I’m not a nerdy enough nerd to fully understand how encryption really works, but I get the principles. I also get that literally everyone who does know about this is shouting from the hills saying it’s bullshit – so just maybe we should listen a little bit to them before getting sucked into the NSPCC / Gov hyperbole bullshit.
Mr Mann sent my letter on to Paul Scully, apparently Minister for Tech and the Digital Economy – and he wrote back. I won’t publish the full letter here as much of it is the sort of PR bollocks about Keeping Our Children Safe that really doesn’t need to be said – but this stood out:
To ensure that the bill effectively tackles online CSEA, Ofcom has been given the power to issue a notice which requires a service to use accredited technology to identify and take down CSEA content, where necessary and proportionate. This power is not routine, and Ofcom will only be able to use it to issue a notice to a particular service on a case-by-case basis, after considering impacts on privacy.
Ofcom will only be able to use this power to support the identification of CSEA content and it will be reserved for cases where it is the only effective, proportionate and necessary action available. Any technology must be accredited as highly accurate in only detecting CSEA content before Ofcom can require its use. In addition, Ofcom has obligations to uphold the right to privacy as a public body subject to the human rights obligations that are imposed on all public bodies. This power, and other elements of the bill, do not ban any design feature, including encryption.
I replied in an email as follows:
Dear Mr Mann, and a copy to Paul Scully
Thank you both for your time and consideration in this matter.
However – what is happening here is a near-literal bashing of technological heads on tables, whereby every technologist who actually knows anything about the web or encryption is currently looking at what is being proposed and shaking their heads.
Irrespective of the hyperbole about keeping children safe (yes, we can all agree that’s A Good Thing To Do, we really don’t need the headlines and the PR continually bashed into us to confirm that this is a good end goal) – the technology that you so readily claim to exist does not exist and in fact cannot exist.
Let me try an analogy, to take this out of the technology realm and make it easier for non-geeks to understand.
Say you have a house, and you lock the back door and go out. You take the key with you.
Your house is now safe, provided the lock is a good one. Let’s assume it is.
So now an MP comes along and says “yes, but we need to see inside your house on occasion. It’ll be for Proper and Real Reasons, we can guarantee that, but we definitely need to see inside your house”.
Now – irrespective of the human rights issues, the privacy implications, the endlessly wrong “I have nothing to hide” responses, the fact that this apparently benign government [the one who no longer lets us even protest any more] might one day Become Bad – let’s look at the actual physical security of this scenario. Say you agree to this, and get a copy of your key made which you give to your MP.
Where are you now? Well, now your entire house is inherently insecure. You’ve lost sight of your key – and now of course, the MP could come back later and say “sorry, I lost it, can you make me a new copy” or “damn, I left it in a Wetherspoons” or “it was stolen” or a gazillion other possible scenarios. Your house is now unsafe.
The point here is that there is no middle ground where you have a “sort of locked house” but “only those I’ve given access to can get in”. You either have a locked house or an unlocked house.
This is why WhatsApp, Signal, iMessage, Wired, anyone working in cryptography, anyone working with E2E encryption, the EDRi, the EFF… literally anyone who knows anything about this tech is shouting from the rooftops right now about how utterly, utterly stupid this idea is.
Here’s John Gruber. He knows about tech:
“It [scanning encrypted messages for illegal content without altering or breaking the security features offered by encryption] is technically impossible. There is no he-said/she-said debate here. The cryptographers are correct and the lawmakers are so ignorant that they’re proposing a fantasy. It’s a downwind effect of Arthur C. Clarke’s famous maxim that sufficiently advanced technology is indistinguishable from magic: the technology of E2EE is so far above the heads of lawmakers and law enforcement officials that they feel free to demand magic solutions.”
How many of these people are you going to continue to ignore?
I’m not even a proper geek and I have a reasonable grasp of this stuff. How can you be so ignorant as to continually stuff your heads into a hole in the ground, as if your “let’s keep the kids safe” mantra is enough to carry it over the line?
I just don’t get it.