by mattmanser 3250 days ago
Basically she's saying chat apps in the UK shouldn't be allowed end-to-end encryption.

So the terrorists will set up a chat system that looks like payments.

In the meantime, the UK government will use our chat to identify harmless political dissidents, groom them online and then fail to incite them to violence. Given previous performance, they will meet some of their targets, get a few pregnant and then get sued 20 years later when someone reports on how idiotic the police and spies really can be, while everyone sane scratches their heads about the targeted pro-solar-power "terrorists", who happened to piss off Lord McOil, who had a quiet chat with his Eton buddy in GCHQ, which got them classified as dangerous.

After 5 years, Boris, our new PM, will decide to give government departments access to find benefit cheats and illegal immigrants. The system they'll build will cost more than they recoup and will be a drop in the bucket compared to what they could have recovered if they had spent 1/10th of that money chasing rich tax dodgers.

A couple of years later, they will give councils access to the whole country's chat to try and catch some fly-tippers.

In this time, the civil servants will actually use the system to stalk ex-girlfriends, random crushes and celebrities or spy on wives and husbands.

Eventually, some civil servant will accidentally leave a hyper-storage-cube on the bus containing the last 5 years of everyone's chat and it'll turn up on 4chan.

The resulting misery and damage will be justified by the government because they once caught a "terrorist" who was standing in the street screaming "Allah is great" and stabbed a policeman. In reality he was a normal guy who suffered from bipolar disorder, but the NHS couldn't afford to treat him and classified him low risk, so he ended up having a breakdown.

5 comments

Say a smartphone app ran both an https client and server. For users to send each other messages, they connect to each other's servers. That's end-to-end encryption, right? And it looks identical to the type of encryption they'd still allow, right? What have I missed?
I guess once it gets popular, they just force Apple and Google to remove it from the app stores. So it has to be a website with the HTTP server running entirely in JavaScript/WebAssembly. I guess you still need a central server to let clients find each other in the first place. They could block that at the DNS level.
I'd use bank accounts, PayPal or money transfer with small transactions and a one-time pad to signal. They'll never ban bank accounts, and it'd be hard to find signals amongst the noise. Or you could just use PGP and paste it into whatever app you want. Pandora's box has been opened; it's remarkably naive to try to ban secrets at the same time as hoarding an unprecedented number of signals.

Obviously you can't intercept signals from someone using outlawed encryption, a one time pad or no direct messages. I'm not sure the stated goal (stop evil terrorists) is the real goal though - reading almost all communications and selective leaks is just such a useful tool for things like subverting democracy, throwing elections and controlling politicians.

> reading almost all communications and selective leaks is just such a useful tool for things like subverting democracy, throwing elections and controlling politicians.

Maybe someone out there needs to air her dirty laundry secrets that she's projecting on the rest of the population?

> I guess you still need a central server to let clients find each other in the first place.

Would you? Couldn't you have a list of servers stored in localstorage, and bake the initial list in a bunch of seed copies?

Alternatively, use pastebin or imgur or something like that for your "central store" to pull from initially, then store everything in localstorage after.

The follow up bill which makes it mandatory to have government spyware on all https servers?
They can't do that because it would require major open source web servers to be forked. There's no way they're going to persuade operators in other countries to run UK government spyware.
> They can't do that

Well, it works for China, so I don't see why it wouldn't elsewhere.

As a techie, I'd like to believe that there are limits to what can be passed as law, but history shows that it is not so. Just because something is technically impossible doesn't mean it can't be required by law, with all the consequences for not complying. It's utterly futile to go against the people in power with technology or even science alone. The best you can hope for is for you and me, personally, avoiding problems. For a time.

Kazakhstan already did it. All they have to do is force browsers to accept a CA that then MITMs everything.
Yes, the UK can just enforce that all SSL certs come from their CA. If they find an invalid SSL cert, they come arrest you, shut you down, or confiscate your equipment (or all 3!)
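The mandated-CA scenario in the two comments above is exactly the case that certificate trust stores cannot defend against and that public-key pinning can. The Go program below is an added example, not code from anyone in this thread; it uses only the standard library to build a hypothetical "genuine" root and a hypothetical "mandated" root in memory, installs both into a client trust store the way a forced root would be, issues a certificate for the same hostname from each, and shows that ordinary chain validation accepts the interception certificate while an SPKI pin (SHA-256 over the SubjectPublicKeyInfo, the form HPKP and Android's network security config use) still rejects it. The CA names and the hostname `chat.example` are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// template builds a root template when isCA is set, else a server template for host name. All names are constructed.
func template(name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// sign gives tmpl a fresh P-256 key and has parent sign it; nil parentKey means self-signed (a root).
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// SPKIPin returns base64(SHA-256(SubjectPublicKeyInfo)). It depends only on the server's
// key, so a certificate for the same host from a different issuer yields a different pin.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// ChainTrusted is the ordinary TLS client check: leaf chains to some root in roots for host.
func ChainTrusted(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// Outcome records what each check said about the genuine and the interception chain.
type Outcome struct{ GenuineTrusted, GenuinePinned, RogueTrusted, RoguePinned bool }

// RunScenario models a client whose trust store was made to include a mandated root
// and which is then served an interception certificate for host instead of the real one.
func RunScenario(host string) Outcome {
	genuineCA, genuineKey := sign(template("Constructed Genuine Root", true), nil, nil)
	rogueCA, rogueKey := sign(template("Constructed Mandated Root", true), nil, nil)
	genuineLeaf, _ := sign(template(host, false), genuineCA, genuineKey)
	rogueLeaf, _ := sign(template(host, false), rogueCA, rogueKey)

	roots := x509.NewCertPool() // the client's trust store, forced root included
	roots.AddCert(genuineCA)
	roots.AddCert(rogueCA)
	// The pin is learned out of band (shipped with the app, or remembered from an
	// earlier connection), so installing an extra root cannot influence it.
	pins := map[string]bool{SPKIPin(genuineLeaf): true}

	return Outcome{
		GenuineTrusted: ChainTrusted(genuineLeaf, roots, host),
		GenuinePinned:  pins[SPKIPin(genuineLeaf)],
		RogueTrusted:   ChainTrusted(rogueLeaf, roots, host),
		RoguePinned:    pins[SPKIPin(rogueLeaf)],
	}
}

func main() {
	out := RunScenario("chat.example")
	fmt.Printf("genuine chain:      trusted=%v pinned=%v\n", out.GenuineTrusted, out.GenuinePinned)
	fmt.Printf("interception chain: trusted=%v pinned=%v\n", out.RogueTrusted, out.RoguePinned)
}
```

Running it prints `trusted=true pinned=true` for the genuine chain and `trusted=true pinned=false` for the interception chain: the trust store alone is satisfied by whatever root the client was made to install, and only the out-of-band pin notices that the key behind the connection is not the one the real server holds. The flip side is the operational cost a practitioner has to plan for: pins must be rotated before the server's key changes, or legitimate clients get locked out.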
:) The Black Mirror of HN comments
I'd have to disagree. Black Mirror is gradually being shown to be fact.
How could they prevent terrorists from developing their own end-to-end encrypted chat app?
... or connecting with SSL to an overseas server under their control?
Jailed for use of an illegal encryption scheme. Welcome to the future.
They can't, but if they catch you they can throw you in jail regardless of whether they can decrypt what you've transmitted or not.

So you have the choice of either getting thrown in jail or giving up the keys.

That was beautiful.
I wonder how many whatscrap groups are there for fly-tippers.