Facebook and WhatsApp Will Be Forced to Share Encrypted Messages With British Police (bnnbloomberg.ca)
"Social media platforms based in the U.S. including Facebook and WhatsApp will be forced to share users' encrypted messages with British police under a new treaty between the two countries," reports Bloomberg, citing "a person familiar with the matter."
The accord, which is set to be signed by next month, will compel social media firms to share information to support investigations into individuals suspected of serious criminal offenses including terrorism and pedophilia, the person said.
Forced how? (Score:3)
Re: (Score:2)
Rubber hose, or the deluxe steel wrench. If you don't want to leave a mark, waterboarding will do.
Trivially simple: (Score:4, Insightful)
It's closed source.
Yes. That's it. No need to say more.
Re: (Score:2)
End-to-end encryption (Score:5, Insightful)
Remember guys, end-to-end encryption only works iff you control said endpoints.
If these endpoints are closed source software, this means the end points are *somebody else's software*, it doesn't belong to you, you can't control what's happening inside.
It's entirely possible that yes, WhatsApp and Messenger, did implement Open Whisper Systems' Axolotl encryption (= the Signal protocol) as announced back then by Facebook, that their Apps did indeed receive perfectly secure message from other users, and that the Apps contain extra code that will send a perfectly secure copy of your message to law enforcement.
WhatsApp already contains the capability to relay securely messages from your app to a web-app running in the browser on your desktop.
Probably the police will get something similar, except they don't need to scan a QR code to establish a secure channel with your App, and your App will not constantly pop-up reminders that you have a "CopApp" session logged in, the same way it advertises currently your logged in WebApp sessions.
Re: (Score:2)
Encryption should always be a FOSS add on, the code must be open and viewable by all that use it, else you will be backdoored every time. Although, if it is your government doing the backdooring, safer to let them, the alternate is they kick down your doors, steal your electronic stuff and possibly shoot you for holding a suspicious looking cheeto, just to be safe, they had to shoot you thirty to forty times sort of thing. When you are, do not forget to give them many interesting things to read, don't forg
Re: (Score:2)
Remember guys, end-to-end encryption only works iff you control said endpoints.
No. It works if you *TRUST* the said endpoints. There's a big difference. I didn't set up my bank's computer system but the fact that I didn't do so doesn't make my encrypted internet banking section broken. It still works just fine.
Naive (Score:3)
Ha ha ha ha ha !!!...
Oh sweet summer child.
- now that Snowden is already abroad in Russia, who is going to leak the info when WhatsApp version 2.23.307 is updated with a mandatory backdoor access for law enforcement ?
- do you really think the general population is still paying any attention to such an ancient event as the NSA scandal, so long ago before the latest bullshit by the Paul LoKardashian on SnaptagramTok??
People are so busy with identity politics and great replacement conspiracies, they don't hav
Re: Naive (Score:2)
The people that the authorities are really after use their own channels and encryptions.
So what the authorities can hope for is to peek at the low hanging fruit.
No? I'm saying it is useless. (Score:2)
Whatsapp does use Signal's protocol. That is not in question.
But what good is a secret underground tunnel ... between your enemy's forts?
Both end points are untrustworthy, so securing the connection between them is so ridiculous it's making the TSA tell you to turn down the theater a notch. And frankly, it's insulting our intelligence.
Like in science, if you, personally, can't verify it really is secure, then it's not security.
And I mean with the ability to compile it yourself to check if it results in the s
Not trivially simple - encrypt client side. (Score:2)
Is there a good app to wrap Facebook/Whatsapp to only send PGP encrypted messages over their networks?
The only safe communication (from a privacy point of view) is one that uses standards-based client side encryption where the key never is shared with the service provider.
The technologies exist (pgp-encrypt your facebook message before giving it to facebook) - but aren't used much.
Re: (Score:2)
Oversec in the F-Droid Store is close.
Extra encryption over WA and Messenger. (Score:2)
First, PGP is a bad idea (but has been experimented in the past).
In practice you need some deniability.
Systems like OTR - Off The Record - are better suited.
Now about the question:
- Pidgin has optional plug-ins that rely on the API used by the webapp of Messenger to get the messages.
- Pidgin has a plugin that implements OTR encryption atop of any messaging protocol.
Problem: only few nerds are going to jump through the hoops to get that stack running.
The other 99.98% of the population want an app that jus
Re: (Score:2)
Yes. This. If the messages are actually, literally encrypted, it's IMPOSSIBLE to share them. That's the definition.
Arguably, it's not impossible to share them, just terribly pointless as they'd only have the encrypted versions. Getting the plaintext version would be the cops' problem.
Relay (Score:5, Insightful)
Ever given half a second brain time at how the Webapp ( web.WhatsApp.com ) can display message if they are supposed to be end-to-end encrypted ?
Answer: because the webapp can establish a secure channel with your phone (that QR-code thingy you need to scan to log into the webapp)
Now, what is preventing the GCHQ (or the NSA, for that matter) from having a similar secure channel to your app, (except they don't need a QR code, and your app doesn't nag you constantly about a currently logged in web session)?
The apps are closed source, you can't even prove that's not already the case.
Remember guys, end-to-end encryption only works when you actually control said ends.
Closed source software is software that belongs to somebody else.
You can't expect anything even if the encryption is actually implemented correctly.
Re: (Score:2)
The apps are closed source, you can't even prove that's not already the case.
You can monitor all the IP traffic coming and going. It would take only one security researcher to expose it and put the entire world-wide business in jeopardy.
Re: Relay (Score:2)
And how would anyone be able to distinguish a parallel channel of message traffic encrypted with a separately negotiated key from all the other encrypted traffic?
NAT, STUN, TURN, etc. (Score:2)
Okay, I wasn't clear.
Your smartphone and your browser aren't literally opening a direct connection in "OSI layer 5: Session" or "TCP/IP's transport layer" sense.
First there might be NATing involved, so unless they happen to be on the exact same Wifi segment, both devices might not even be able to see each other and thus not establish direct link to each other's IP addresses. Same between smartphones.
So if you watch network traffic, I'm ready to bet that all you're seeing is packet going from/to Facebook's se
What happens if they refuse (Score:2)
Re:What happens if they refuse (Score:5, Informative)
Re: (Score:3)
Re:What happens if they refuse (Score:4, Interesting)
Re: (Score:2)
Technically yes but the treaty can't set punishment for citizens (or corporations) that don't follow it, only U.S law can do that
A wild guess would be that it is a civil matter and not a criminal one.
Re: What happens if they refuse (Score:1)
Re: What happens if they refuse (Score:4, Informative)
Re: (Score:2)
Treaties apply to the government, as does the Constitution. That means the government is bound by the treaties it signs and by the Constitution.
Neither is binding on anyone else. For that, laws must be passed.
A treaty may bind the government to pass a law or not pass a law. If a law is passed, it must still be consistent with the restrictions of the Constitution.
Re: (Score:2)
Government signs a treaty with a native tribe that establishes some land is theirs. They can then use existing trespassing laws to keep someone off their land with no further law needing passed.
Re: (Score:2)
Nevertheless, a law must exist in order for anyone but the government to be bound; the treaty alone won't do it.
Re: What happens if they refuse (Score:4, Informative)
In fact, the example of extradition contradicts your thesis. Extradition and anything else created by treaty is always subject to the laws of the country where the person is, say the US or Canada. In particular, the crime that the person is accused of must be a crime in the US if Canada wants to extradite someone from the US, and vice versa.
If you read the wording in the (British-flavored) English of the day, it says in modern terms
This Constitution comes first, then the Laws of the United States, then treaties.
If you're interested in how this works in practice, there's an active extradition-treaty case about that as we speak, United States v Meng, 2018 BCSC 2255 (CanLII), http://canlii.ca/t/hwmhm [canlii.ca], retrieved on 2019-09-28, about Meng Wanzhou, the daughter of the founder of Huawei and currently the CFO and Deputy Chairwoman of the Board of Huawei. She argues what she did in the US is not a crime anywhere else in the world, and arguably not in the US either.
Re: (Score:2)
Usually that is how extradition treaties are written. Example, Canada's extradition treaty with America includes the provision of no capital punishment so we don't extradite murderers until you assure us that the death penalty will not be pursued.
Re: What happens if they refuse (Score:4, Informative)
That is not what it says. That is your misunderstanding of it. By your logic Trump could enter into a treaty with Putin that abolished free speech and elections. Think before you post.
Actually he could, with the consent of 67 senators. That would create a constitutional crisis. Think the UN Small Arms Treaty (thankfully not ratified). Because of the language of the Constitution, the Supreme Court would decide the issue. That's the problem with the 'supreme law of the land' and is created by the phrase:
Think before YOU post.
Re: (Score:2)
No. He could not. A treaty means that if I go to Russia and violate the terms laid out in it I am in violation of US law despite being on foreign soil. Just accept the fact that you have no idea how treaties work and move on with your pathetic life.
Insults are the primary proof of a lost argument. Thank you for the admission.
I do understand exactly how treaties work. They are, as the constitution itself says, the 'Supreme Law of the Land' and must be recognized by all judges, anything to the contrary notwithstanding.
The Supreme Court has used treaties to expand federal power. So, as it turns out, a treaty CAN trump the Constitution, at least by adding to it. And honestly, given the Constitution was supposed to give the Feds limited powers, the
Re: (Score:3)
Yes, your misunderstanding of what a treaty is and how it applies is backed up by the constitution, which is meaningless, and the fact that your misunderstanding comes from that meaningless document is proof of your infallibility. You're a regular fucking stable genius.
LOL. Yep, personal insults again. What the individual who cannot marshal any facts relies on. It is the case that the US Supreme Court agrees with me, in several important cases. Yes, there ARE limits, but nobody knows what they are. And that's the very definition of a Constitutional crisis. But, what we do know is that at least in several clear instances, the Supreme Court has ruled that treaties can, and do, expand the meaning of the Constitution and can give to the federal government powers which the Con
Re: (Score:1)
Lofty misinformed bullshit aside, quoting verbatim a parent post on a threaded forum is not only unnecessary but further advances the original premise that you're an idiot.
Re: (Score:2)
Are you really claiming that a Native American couldn't charge you with trespassing on their land that is their land by Treaty?
How about not being able to arm yourself with poison gas due to treaties America has entered, contrary to the 2nd?
Of course America is infamous for not following its Constitution, little well treaties.
Re: (Score:2)
The 2nd is pretty clear, even mentions militias. Poison gas being illegal was unconstitutional, just like outlawing any other arms an army regularly or even seldomly uses.
Are you really arguing that a reservation is foreign soil rather than a sovereign part of America? That's like arguing that since Texas is sovereign, Federal law doesn't apply. In short, sovereignty is split.
Re: (Score:3)
It didn't lose on those grounds. It lost because of the supremacy clause.
Which was the Supreme Court doing what it frequently does, and completely dodging the incipient constitutional crisis. The crisis is still waiting for something written in such a way that it wends its way through all lesser wickets and actually forces the Supreme Court to rule on Article VI.
Re: (Score:2)
How about limiting what is considered arms per the 2nd. America has signed treaties outlawing chemical and biological weapons, I think that would make a strong case that people can't arm themselves with poison gas or smallpox. (This is in theory as the 2nd isn't honoured anyways as it clearly allows any arms that a militia needs to function as a militia as well as the common law principles of self defence, hunting and such. That piece about the militia was added on purpose to be clear it included military a
Re: (Score:2)
The Constitution would seem to disagree with you: [quotes the supremacy clause]
That's another of the misreadings of the clause.
(The common one is the claim that it means treaties, negotiated by the President's team approved by 2/3 of the Senate, are equivalent in force to constitutional amendments, requiring approval of 2/3 of the state legislatures after being proposed by either 2/3 majorities of both the senate and the house or a constitutional convention called by 2/3 of the state legislatures.)
What it
Re: (Score:2)
What it really says is that the constitution, federal laws, and treaties trump state constitutions, laws, and court rulings when they are in conflict. The states can't nullify provisions of the Constitution or federal laws, or abrogate or modify treaties, by legislation or court rulings.
If this were true, then the court would have decided Missouri v Holland in the other direction, as the ruling expanded the powers of the Federal government which is the purview of the states, via amendment. In other words, the US government was given permission to engage in plainly unconstitutional behavior because they signed a treaty saying they could.
Re: What happens if they refuse (Score:2)
Missouri v. Holland simply found that federal treaties trump state constitutions (not the federal constitution), exactly as the guy you're responding to said. You have no clue what you're talking about.
Re: (Score:2)
If this were true, then the court would have decided Missouri v Holland in the other direction, as the ruling expanded the powers of the Federal government which is the purview of the states, via amendment.
No, it did not.
The previous federal attempts to regulate migratory birds, as an interSTATE issue, had been struck by the Supremes when states argued that there wasn't an enumerated power to regulate bird harvests so the Tenth Amendment reserved this to the states.
So the fed negotiated a treaty with Canada
Re: What happens if they refuse (Score:1)
Insanely, despite that rather clear constitutional binding, the Roberts court decided otherwise in Medellín v. Texas...
https://en.m.wikipedia.org/wik... [wikipedia.org]ín_v._Texas
Re: (Score:2)
The Constitution would seem to disagree with you:
The treaty either has to be "self executing" or statutory law is required to implement it domestically. Otherwise the Senate and President could bypass the constitution including the bill of rights and implement law by treaty alone.
They will just block the domains. (Score:3)
Or the IP ranges (taken from DNS) and VPN, if they aren't retarded (but evil).
Or, create an IP whitelist, if they want it to actually work (and are even more evil).
Basically, the UK is already halfway to a Great Firewall of China.
Re: They will just block the domains. (Score:3)
China will certainly have better censorship software than UK & Europe. Because, relative to cost of living, China pays their developers far better.
Delete Facebook, use Signal (Score:5, Interesting)
INB4 "nobody uses it": (Score:5, Interesting)
1. That's circular reasoning. It is also the cause.
2. I got a bunch of computer illiterate mature women to use Signal, as they were dealing with sensitive patient data. From children too.
Now their clients use it as well. That way they can share videos of the progress of the children. Many of which using sign language, meaning text or audio is out of the question.
That's already a whole community. Because of one person.
Now's your turn. Be a leader for once. Accept that you're the cool guy here. Not that Facebook-using retard.
Re: (Score:2)
I was using Signal but it's bloated and needs ridiculous permissions. Is there a light version or something?
Bloated? On what planet? (Score:2)
I found it a bit minimalist at first, but it improved now.
Also, it actually uses all those permissions. And for sensible things only. If you don't trust my or anyone's code audit, only reading it yourself will help.
Otherwise, how about IRC? Or smoke signals? With hand-encoded one time pads, of course. In a featureless gray cement one-room "house". On the bare floor. Naked. Cause everything else is bloated and overwhelming. :P
Much more rational and sane.
Re: (Score:2)
Signal offers an open version, separate from the app store, that you can install yourself; for instance on https://signal.org/android/apk... [signal.org]
I consider it quite cool as there also are laptop versions, including for Linux.
With Signal nobody can read your talk, but anybody could check who you are talking to.
If you want to avoid the latter, to my knowledge you have a single solution, Briar, which has no laptop version. But then with Briar not only your comm is encrypted, but because it uses an Onion network nobo
Re: (Score:3)
Re: (Score:2)
At worst someone outside of their jurisdiction (or an anonymous person) will simply fork their repo and create a backdoor-free version.
Re: (Score:2)
The bullshit is a function of the number of users, not particularly of Zuckerberg. If lots of people start using Signal they will start pulling exactly the same crap.
This is essentially a claim that all people are equally bad. I do not think that is the case.
Re: Delete Facebook, use Signal (Score:2)
Signal is an obvious honeypot.
Re: (Score:2)
I tried using Signal but my friends on Whatsapp weren't getting messages. Apparently I wasn't either because you suggest I delete Whatsapp.
Why did you even offer that as a suggestion. Your solution literally broke the one thing I need this kind of app to do: Talk to specific people.
You are really bad at tech support. I'm leaving you a bad Yelp review.
Screw Facebook, why use them? (Score:2)
There are so many alternatives. There's no reason for the cops to know you're even communicating at all.
Good luck with that. (Score:5, Insightful)
AFAIK they use ephemeral keys due to using the same protocol as Signal. So even if they have the user keys, they can't get the messages contents.
Oh wait. They are closed source! Meaning that even with "independent" code audits, the encryption means nothing whatsoever!
Nevermind.
Re:Good luck with that. (Score:5, Insightful)
Re: Good luck with that. (Score:2)
Shhhhhhh! You will spoil everyone's daydream...
Re: (Score:2)
The Diffie-Hellman key exchange [wikipedia.org] is specifically designed such that the middleman is unable to derive the exchanged key even if he sees all messages passed.
Note that you need to use the verify end-to-end security feature out of band to assure that the diffie-hellman exchange is, in fact, with the intended peer and not a middleman after the first message exchange (which should be something you don't care about like "how's it going").
Re: (Score:2)
is specifically designed such that the middleman is unable to derive the exchanged key even if he sees all messages passed.
Yes, and if that is what they were doing then they wouldn't be able to hand messages over to police now, would they? So I'm willing to bet that's pretty much NOT what they're doing.
Re: (Score:2)
Just because a law says they have to hand the messages over doesn't mean they can do more than hand over the cyphertext.
All the same, I am switching over to signal wherever possible since I don't trust Zuck to not tamper with WhatsApp (or rather not to order others to tamper).
The point is, it's not the man in the middle that can screw you, (given a good protocol) it's the provider of the software.
Re: (Score:2)
With Signal you are supposed to verify the other users in person. With WhatsApp, which uses the Signal protocol, I'm not sure if you can verify so all you get is a notification if their key changes. That happens when they reinstall the app, for example.
Anyway, if you verify then MITM is impossible because the MITM can't fake the other person's secret key that you verified.
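Added example (not part of the thread, and not WhatsApp's or Signal's code): a toy Diffie-Hellman exchange illustrating the two comments above, namely that an active middleman who swaps public keys ends up sharing a key with each side, and that comparing key fingerprints out of band exposes the swap. The group parameters and the names `Party`, `fingerprint`, `exchange` and `verified` are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy group, for illustration only: P is the Mersenne prime 2**127 - 1.
# Real protocols use standardized groups or elliptic curves (e.g. X25519).
P = 2**127 - 1
G = 3


class Party:
    """One endpoint holding a DH key pair (hypothetical helper class)."""

    def __init__(self, name):
        self.name = name
        self._priv = secrets.randbelow(P - 3) + 2  # private exponent in [2, P-2]
        self.pub = pow(G, self._priv, P)           # public value g^priv mod P

    def session_key(self, peer_pub):
        """Derive a symmetric key from the DH shared secret."""
        shared = pow(peer_pub, self._priv, P)
        return hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()


def fingerprint(pub_a, pub_b):
    """Order-independent digest of the two public keys a client believes
    are in use, in the spirit of a safety number shown to the user."""
    lo, hi = sorted((pub_a, pub_b))
    digest = hashlib.sha256(lo.to_bytes(16, "big") + hi.to_bytes(16, "big"))
    hexed = digest.hexdigest()[:30]
    return " ".join(hexed[i:i + 5] for i in range(0, 30, 5))


def exchange(alice, bob, interceptor=None):
    """Run one key exchange. With an interceptor, each side receives the
    interceptor's public key instead of the peer's."""
    seen_by_alice = interceptor.pub if interceptor else bob.pub
    seen_by_bob = interceptor.pub if interceptor else alice.pub
    return {
        "alice_key": alice.session_key(seen_by_alice),
        "bob_key": bob.session_key(seen_by_bob),
        "alice_fp": fingerprint(alice.pub, seen_by_alice),
        "bob_fp": fingerprint(bob.pub, seen_by_bob),
        # Keys the interceptor can derive, one per victim.
        "interceptor_keys": (
            (interceptor.session_key(alice.pub),
             interceptor.session_key(bob.pub))
            if interceptor else None
        ),
    }


def verified(result):
    """Out-of-band check: the users compare the fingerprints their clients
    display, in person or over a channel the interceptor does not control."""
    return result["alice_fp"] == result["bob_fp"]


if __name__ == "__main__":
    alice, bob, mallory = Party("alice"), Party("bob"), Party("mallory")
    for label, res in (("honest", exchange(alice, bob)),
                       ("intercepted", exchange(alice, bob, mallory))):
        print(label, "keys match:", res["alice_key"] == res["bob_key"],
              "| fingerprints match:", verified(res))
```

The comparison is only meaningful if each client computes the fingerprint from the keys it actually encrypts to, which is the trust-in-the-endpoint question raised elsewhere in the thread.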
Re: (Score:2)
It's a huge bonus for FB, if they can sell it as "no one can read your crap but you, and law enforcement after they serve us with a warrant". Most ordinary people would be ok with that. They will fail to mention that having the keys or transcripts on a central server is a huge weakness... and
Re: Good luck with that. (Score:3)
"no one can read your crap but you, and law enforcement after they serve us with a rubber stamp"
FTFY
1984 (Score:2)
Amazing! One less leaking/insecure messenger on my phone.
Nope... (Score:2)
Re: (Score:2)
That's technically impossible. Perhaps they don't understand how end-to-end encryption works.
Facebook and Whatsapp write the software. I'm quite sure they're much more aware than someone on /. as to what can and can't be achieved. Given there needs to be an exchange of keys between sender and recipient somewhere along the path otherwise you can't decrypt the sent message I'm quite sure Facebook/Whatsapp have the ability to find what those keys are.
Re: Nope... (Score:1)
Re: (Score:2)
That's technically impossible. Perhaps they don't understand how end-to-end encryption works.
When have governments ever worried about a trivial detail like understanding how something works?
Although, this being Facebook, I wouldn’t be particularly surprised to find out their client is saving a clear text copy of every message to a Facebook server before encryption and transport.
Re: Nope... (Score:2)
"That's technically impossible according to what I've read in the tame media. Perhaps I don't really understand how 'end-to-end' encryption works."
FTFY
Re: (Score:2)
That's technically impossible. Perhaps they don't understand how end-to-end encryption works.
Only if YOU have complete control of the keys. If they are managed by anyone but you, then it's perfectly possible. Apple could, for example, in their key bundle in iMessage, insert a third-party key without you knowing about it. That's the price of convenience.
Unless your message/file/whatever is encrypted with software you know to be 'good', and you create the key yourself, then snooping is entirely possible.
Re: (Score:2)
That's the level of the app software the police like to have equal access to
Re: (Score:2)
Big Brother UK (Score:2)
What's the big deal? (Score:1)
no they wont (Score:2)
Re: (Score:3)
They'll make a stand just like they promised not to share data with Facebook when they were bought. /s
Criminals will just use something else (Score:3)
Smarter criminals will move to something else more obscure, maybe even smart enough to speak in code and remember not to use names (or at least real names).
Top-tier criminals, the really organized ones, including terrorist organizations, these days can even have personnel on their staff who can write their own encrypted communications software and apps that garden-variety police won't even know about, and MI-5/MI-6 types will lag behind knowing about.
Then there's old-school tradecraft: word substitution, book cyphers, and so on.
Truly sensitive information and communication, if not time-sensitive, can still be done in truly old-school ways: dead-drops and handoffs, facilitated these days by microSD cards -- which can contain deeply encrypted data. For bonus points: deeply encrypted digitally, plus book cyphers. Have fun unlocking that!
For the common citizen, though: Have sensitive, personal communications, that you don't want nosy government types poking their little brown noses into? Do it in person, not on your phone or over any 'apps' or 'social media'. Assume, anymore, that there are eyes and ears everywhere online.
Re:Criminals will just use something else (Score:5, Informative)
For the common citizen, though: Have sensitive, personal communications, that you don't want nosy government types poking their little brown noses into? Do it in person, not on your phone or over any 'apps' or 'social media'. Assume, anymore, that there are eyes and ears everywhere online.
It is illegal to attempt to have any conversations outside the range of a telescreen or to encourage others to do so, comrade. MiniLove has been informed of your double-plus ungood badthink, please remain where you are.
Strat
envrypted (Score:1)
Are they really encrypted? (Score:2)
no info (Score:2)
On who authorizes