End to end encryption of messaging apps

May we then continue discussing E2EE in this thread?

1 Like

Personally I don’t think there are cons to E2EE in the product unless it’s negatively impacts the user experience or makes the product impossible to implement.

In my opinion the only reason not to implement it in a chat app (like but not limited to sphere) would be if you where planning on using the user generated content (another way of saying this would be “reading people’s messages”) or because you had the intention of complying with governement censorship.

1 Like

Of course. Indeed, I was talking about it up-thread:

There are some tough questions for us as a society, with no easy answers.

2 Likes

So in response to your question number 1…

Under the ‘snoopers charter’ / Investigatory Powers Act 2016, ISPs are now required to store what websites were visited by an individual for one year, and the police/gov now have the power to request this data in bulk without any need to suspect of criminal wrongdoing, and have fairly wide-ranging powers allowing them to hack phones and computers, again without need for suspicion of criminality.

The collection of internet history appears to only be coming into force now, with many of the big ISPs involved.

I have been urging all my friends to install VPNs and obscure their browsing as much as possible so as to resist such mass surveillance without cause and avoid having a single profile drawn up and clearly linked to yourself.

So while I note your premise of appropriate oversight, such a reality is quickly disappearing, and therefore I think it is appropriate and in fact important that we have spaces which aren’t accessible at all.

Without a drastic shift in government policy, I believe things like this will only get worse. It’s much harder to restore a freedom that been lost.

I think that’s my answer to Q2 as well really. I don’t think we should ever make ourselves less secure.

The thing is, though, that I’m not particularly concerned about the gov doing it’s thing.

I don’t like it either, but I can accept it, as long as there is oversight.

Companies doing the same is something that I am far more critical of, as they do it almost always for financial reason (even if they say they do it for security, most companies are only concerned about “security” where it affects - directly or indirectly - their bottom line).

So, bottom line: Current government surveillance bothers me far less than surveillance by a commercial chat provider.

1 Like

So, my point is that there is very little oversight of the above-mentioned new powers.

And this gov appears to increasingly be doing things for financial gain too. Who’s gonna get the contract for sifting through all this surveillance data? It’s gonna be Palantir or their like, not civil servants on gov salaries.

So while I’m worried for very different reasons, I don’t quite see that reasoning standing up in the current climate.

You make a few really good points, but discussing government surveillance seems very off topic for this thread, so to avoid being told off again, I’ll shut up now.

This isn’t entirely true. I’m not totally clued into the laws here, but my isp do not do this. It’s primarily why I chose them.

https://www.aa.net.uk/broadband/real-internet/

We do not log which websites you visit (though the website administrator may). We don’t run any sort of transparent proxies or other systems to covertly log what you do on the internet, and do not sell data to anyone. We have no, so called, black boxes which monitor traffic for the government, or anyone else.

AFAIK this is just nonsense spouted by the VPN industry to scare people into subscribing, blissfully unaware that they too are defined as ISPs, and would need to comply in order to provide their service here. The law may allow the government to force ISPs to log this stuff, but as of yet, they don’t.

I know their are some court decisions that target specifically the big ISPs though, but I don’t recall them being related to logging data.

This has been an intense game with the government for about a decade now. The same proposed laws keep resurfacing under new names and we again push back. So far, they’ve been unsuccessful. Encryption is the only line of defence should they ever succeed.

This depends. A centralised surveillance tool will be a prime target for threat actors. I don’t trust our government to have the skills necessary to protect against them. Proper oversight is only half the battle.

I’m of the opinion that whatever compromises we make to security protocols, and in turn, privacy, the only people they will impact are us ordinary law abiding citizens. We’ll have less freedom. Criminals won’t mind the extra little work to evade surveillance. And as long as mathematics is a thing, that will always be possible, regardless of any laws, and the criminals will use it no matter how illegal it is.

The proposed compromises always seem to be founded on the false dichotomy that criminals will cease to be criminals and follow the laws. They won’t.

As such, I think it’s unfair to assign accountability to the software engineers that build these tools to protect our privacy. It’s not their fault if a terrorist uses to plot an attack in secret. Without the tool, they’d have found another way, whilst the rest of us have zero privacy.

On the contrary, it ties very much into E2EE, and privacy in general. You can’t really discuss either in general terms without also discussing the potential threats surrounding their existence, or removal.

For as long as Sphere don’t have E2EE, they’re very much a target for governments to go after for their data. And because it’s not encrypted in a way where they don’t have the keys, they have no excuse not to hand it over.

2 Likes

Sorry, you are right that wasn’t totally correct. They can be required to do so for a period of 12 months at any time.

My second para did state that this appears to only be starting now, per the Wired story which broke today stating that a number of major ISPs ARE now being forced to do exactly this. And my view (and the view of Liberty, a major legal/human rights charity) is that this will only be the start, so while it may not be the case for yours today, it could be one day.

Re the VPN industry being treated the same, my understanding is that the Act requires local companies to break their encryption, but not foreign ones. So if your VPN provider was based outside the UK and stored their stuff appropriately, that would protect you.

And secondly, if you use a provider which doesn’t keep logs, then you’re safe anyway, as they can’t hand over what doesn’t exist. The power is to force ISPs (or CSPs as it is in the legislation) to retain and hand over data, so if you don’t have anything to retain, that saves you from having to hand over.

Completely agree with the entirety of the rest of your post.

1 Like

Since you are all discussing off topic stuff - lets see if I’ll get away with it this time:

3 Likes

Been catching up on some ISP related news over the past week, and one troubling article I stumbled across reminded me of this.

Troubling news. And if the government is hellbent on continuing to pursue this, then encryption is more important now than ever.

Edit: just realised the article @dwarf posted above this essentially discusses the same thing! Not sure how I missed that! :see_no_evil:

1 Like

Been using VPN’s since the snoopers charter has been a thing.

Sad reality about the current state of the UK, I honestly feel like tor is the future of the internet in the UK. Another why you can scupper the logging is to use DNS crypt, you can turn this on in both Firefox and Chrome. Don’t turn this on if you are a VPN user as it can cause IP address leaks.

Hopefully windows, linux and Mac OS start supporting this as system level and turn it on by default.

Why do you think every youtuber is sponsered by Nord VPN, I personally use PIA as they are the only VPN service to date to testify in court that they do not log user activity in court.
May ditch them due to their new british ownership by Kape.

After the way Nord handled the data breach, I’ll never trust them. I always found them Shady to begin with though. In fact most are shady, and it’s a shame they’re more trustworthy than most ISPs thanks to our government.

For now, I still feel safe enough with my current ISP. They care about this stuff deeply, and I trust them with my data. They also offer a free encrypted DNS service intended for their own customers, but anyone can use it. Platform support is limited though. Firefox support encrypted DNS though, and Apple are working on it.

I’ve only used two VPNs in my lifetime. Encrypt.me (formerly getcloak) was built by a few friends of mine, so naturally, I trusted it. The company has been bought and sold a few times since, so that’s no longer the case. VyprVPN is another I’ve used, namely because I just liked the old app and the fact they own all their hardware so they can better ensure integrity. They’re audited as a no logs VPN too. But draw your own conclusion from that.

TOR is an entirely different story. Great for anonymity. Bad for privacy, unless you can trust the exit node, but if you can trust the node, that may diminish the extent of your anonymity. TOR is a necessary tool though, but it’s not designed to solve the problem people think it does.

Encryption is the most crucial tool when it comes to combatting this level of intrusion. The data is of no use if they can’t read it. This means we need to start encrypting the metadata too.

Edit: fixed a few typos

2 Likes

TOR is good for browsing news websites and things you don’t login to or browsing it’s hidden services.

I wouldn’t use TOR for anything else due to the exit node problem. DNS over HTTPS being a option in browsers is a good start but should be enabled by default. (The UK goverment whined about this)

I’m not voting for these people again, whats worse labour is no better when it comes to online privacy.

1 Like

When it comes to the issue of privacy, there’s very little real choice for us in political affiliations. The two big parties have very clearly demonstrated that they’re both in favour of censorship and surveillance.

It’s an issue I’ll never compromise on though, and it matters a great deal more to me than other political issues. I either vote green (they seem to oppose laws like the snoopers charter and I align with many of their other values) or abstain, to the fury of some of my friends at the last election because I *didn’t vote tactically and at least labour would have been better!*:roll_eyes:
I liked Jeremy Corbyn, but besides him, they’re no different than the conservatives when it comes to issues that matter to me. I’ll digress though, I don’t like political discussions, and I don’t much care for politics.

I tactically voted for the conservative party due to my love of cars and nothing else. (disaster rural policies such as fuel duty increases and my employment being in online retail I can’t vote for a pro high street party)

I’m probally going to either spoil my ballot or vote for a independent as I refuse to vote labour.
I have labour voting parents who are super not happy I voted for the tories.

1 Like