Ir al contenido principal

Canciones sobre la Seguridad de las Redes
un blog de Michał "rysiek" Woźniak

Ban on encryption is not about banning encryption

Ésta es una publicación antigua, de más de 4 años.

Como tal, puede que ya no corresponda con la opinión del autor o el estado del mundo. Se ofrece como archivo histórico.

Lo sentimos, este no está disponible en español, mostrando en: English.

David Cameron’s bright idea to ban encryption that is not backdoored by the UK law enforcement, backed, of course, by Barrack Obama, is not exactly popular among the geeks and the technically savvy.

Main argument against the ban goes: if an encryption system has a master key, “bad guys” too can get it or discover it. The whole encryption scheme, then, is critically flawed.

Apart from that, the prevailing view among the geeks and hackers can be summarized as “good luck banning it, I’m going to use it anyway and what are they going to do about that? They’re not going to put us all in jail!”

Problem is, the ban is not about banning encryption. It’s about criminalizing its use and flagging those who use it.

Hence, the whole technical community – hackers, activists, IT specialists, etc – discussing technical merits of the proposal and technical means to go around it once introduced miss the point completely. Technical issues are not relevant for the British PM and his ilk.

All for one and one for all

Right now John McDoe using an HTTPS-protected website or TLS-protected IMAP-server basically uses the same crypto, that a TOR-using privacy activist does. AES, Diffie-Hellman key exchange, public-key crypto are all there. These are tried and true, based in some basic math, ingeniously used.

If any of the elements gets compromised, it’s compromised for everybody. Security of your bank’s HTTPS-protected website is directly connected to the security of TOR or GnuPG.

And of course, it’s as deplorable to the listeners, as it is obvious to the techies.

Show me a man and I’ll find a crime

Making strong, non-backdoored crypto illegal is a neat “solution” to this “problem”.

Banks and large corporations will bend over, because being prosecuted for non-compliance with “legislation critical to national security” is not good for business. Besides, they’re patriots, right?

Anything used or offered officially by any company in the UK or the US will have to be backdoored. This will “solve the problem” of commercially-available secure platforms, offering good security and privacy for non technically-savvy users. You either pay for backdoored encryption, or are on your own using (unwieldy at times) FLOSS tools.

Of course, the tech-savvy can still use the encryption tools, and help the less technically fluent to do so too. However, when they do, they become criminals. The Government does not have to show that you did anything illegal other than the simple fact that you used non-backdoored encryption services or software.

The very fact of wanting to stay secure and keep your privacy will become a criminal offence.

How can they prove you used non-backdoored encryption tools? Simply by saying so, provided that you used any encryption at all. This also means that even if you do use a backdoored encryption platform, the Government can always claim that this particular platform has not been backdoored, and therefore you still broke the law. You have no way of proving otherwise. Can we guess how that plays out?

Oh, and have you ever participated in a CryptoParty, or, even worse, organised one? Congratulations, you might also be liable also for “conspiracy to commit a crime”.

Nobody’s going to be putting non-backdoored encryption users in jail by the dozen, no doubt. But as soon as the Government wants you, they can have you. By the balls or behind the bars.