End-to-end Encryption

~ admin

Should we or shouldn’t we?

There are many different answers to the question:

WhatsApp: We won’t lower security for any government

https://www.bbc.co.uk/news/technology-62291328

Signal would ‘walk’ from UK if Online Safety Bill undermined encryption

https://www.bbc.co.uk/news/technology-64584001

What does Coco think?

Should we or shouldn’t we be allowed to use end-to-end encryption? The authorities will always argue that they need it for certain purposes – such high purposes as national security. Do they also need it for communication with the taxpayer? How high is the bar before it is permitted to be used? Do private citizens ever have the need to use it?

Perhaps private citizens do not need it. We happily speak to each other in the hearing of others all of the time without applying encryption to our voices, but one day whilst Coco was speaking with a client, he answered a telephone call. The conversion proceeded in English, until he had something to say that he did not want me to know. He then encrypted his message. Even his secretary could not decrypt it, but it was the mother tongue of the caller. We also go into quiet places for certain conversations, do we not? There are times when it is not appropriate for others to listen in to our conversation. When we used to write on paper to each other, we did not always use postcards, did we? No, we sealed our text into an envelope so that the proper recipient would know that there had been no interference.  

Now it is said that the UK Online Safety Bill has many good things about it which will help in the combat of crime and particular types of crime which otherwise would be hard to detect. I shall not address that here but a different aspect of its benefit.

The Online Safety Bill sounds to Coco like a wonderful new business opportunity. Is anybody out there ready to deliver the necessary software, please?

It seems likely that messaging apps will be required to scan and report on any malicious content in any message they send. This will be achieved it is suggested by scanning any message in its unencrypted form before it is sent. Should any disallowed content be found the messaging app will be required to report it to an appropriate authority.

It sounds good. We do not want the apps we use to be used to transmit harmful material. But many have recognised that as soon as it becomes possible to scan for anything one thing, then it is possible to scan for all things. Governments may require the apps to scan for illegal content, but what is illegal content? We may (note may) not have corrupt, despotic, immoral liars or cheats as leaders, but if they do exist, will they require scanning for words which might further defame the already defamed name of the leader? Will yet others require scanning for words which indicate disagreement with the current moral ethic? Will advertisers see the opportunity to ask, or place pressure upon, the owners of the messaging services to scan for words which would allow them to more easily target you in other market places (you may see that as a benefit)? Will the owners of the messaging apps start to scan for words which indicate discontent with the provider? Will the owners of the messaging apps see their own way to profit from the information that scanning provides? Well, you may answer: But they already do all of these things anyway. Perhaps they do, but then they are liars and cheats themselves for they speak to us about end-to-end encryption and declare that they cannot read what we write.

You may also say: Actually, I don’t care. When I used physical post I never used sealed envelopes, I always used postcards. Let the post man read it if he wants. And most of the time the post man did not want, apart from want to complete his shift. If they want to read my messages let them, and if it means they catch the bad guys, so much the better.

But, Coco suggests that you do care about privacy. In Facebook, do you place everything you post into the public arena, or do you restrict it to friends and followers? Let Coco also ask, do you ever use Facebook Messenger? In that you are speaking one to one with another user. If you did not care about the privacy of your message, why do you not post it in your journal openly?

So let Coco ask, once the door has been opened for scanning, how will you know for what is being scanned? Coco sought recently, and many years ago as well, to understand what had caused the blacklisting of an email account. No-one could say precisely as the spam scanners are so complex. Youtube scans videos that are uploaded for among other things copyrighted content. One that was recently uploaded was scanned and copyrighted material was found in it. It was there, but it was not a problem. The material however that had been found was incorrectly attributed to the wrong copyright holder, and the scan failed to find all of the copyrighted material. The scans do a job, and to some extent a good job, but do you not have to check your own spam folder just to be sure that there is nothing there that is not spam? Even government departments will warn you that some of their messages to you may be treated as spam. The scans we could say are capricious. If our incoming scans are capricious, will not the outgoing one be also?

So, thinking about a particular class of images, we may have problems with images produced for medical purposes, where perhaps the patient is in need of urgent attention. If the messaging app scan determines that the image is of a proscribed type, what will the consequence be? Will it refuse to send it and then report it? If it cannot be sent, the patient may not receive the correct treatment for whatever condition is indicated by the image. How long will it take to have the image released? The doctor may even find himself unable to carry on providing treatment if an allegation is raised under safeguarding legislation.

Similar consideration may be applied to images sent out of a disaster or war zone for they may be sent for good or bad purposes. How can the scanning distinguish the purpose or the sending of the image? Will all of the class be put on detention because one boy, unknown to the others, wrote on the blackboard?

But perhaps a greater problem is that the more complex the scanning routines become, the more easily malicious actors will be able to place their own malicious pre-entry scans into them, perhaps not merely scanning what is there but inserting their own content as well. Do you not recall seeing messages at the foot of emails such as:  ‘E-mail transmission cannot be guaranteed to be secure or error free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses’.

So, what we need then to avoid these problems is an crypting app which will encrypt our messages before we hand them over to the messaging app, which then sends our already encrypted message. The crypting app will then unencrypt the message at the other end for the recipient. This crypting app will not need to send any messages, as it is not a messaging app, so it should not fall under the scrutiny of the regulator. It will give you the necessary key, or allow you to define your own, to share with your correspondent for any particular conversation, period of time, or message by message, or you may have permanent keys for particular correspondents saved into both your copy of the app and your correspondents, depending upon the level of security you may desire.

You may be able to use the crypting app with a single messaging app, sending both one key and the encrypted message over it, or use two messaging apps one for the key, the other for the encrypted message, or perhaps have the key encoded into an image. We assume of course that the recipient already has the second key.

In the meantime, and in the absence of such an app, please encrypt any messages to Coco using PureChocolate as the lock on: https://moffattfamily.org.uk/htm/purechocolate/encryptor/index.htm. Please do not forget to provide a copy of the key that you use to turn the lock, else your message shall be lost forever – or at least for as long as it takes to get to the top of the heap of one of the guardians of the net, but then that may only be one day less than forever.

W&U*\Dp{r0w_npqNMsU.2u#c,`4n(]0(_npve?oU/9w']wk+'xU4iRxhsOY*Z#:s*i6XDuwh'(_u'vHHDel5d,[6p5|(Z1zixldK8xN8Ak'c6X4k(W1uTtn#[>*]#@l2n%\Domf'6

MlU0vS3W#en*\'stm@lZ&ur[MvP%2#2_6Z5u|f#lTi{#TH}L&3/<R-kD p].{_&P#T0%e,2d"n%\9zi['{ilyrTM%V/W#__yfDim]0oisluL;%ey;#'^we/tih'(Tjlde8}e/;o'[{c?'|c@lZ&zrsM

Finally, Coco is not advocating the use of such a crypting app, merely trying to say that what is proposed will not catch the bad guys but may defeat some of what the good guys want to and must do. The good guys have nothing to hide. The bad guys will simply build a better wall behind which to hide what they wish to hide.

Leave a Reply

Your email address will not be published. Required fields are marked *