Ireland Wants To Give Its Cops Spyware, Ability To Crack Encrypted Messages (theregister.com) 48
The Irish government is planning to bolster its police's ability to intercept communications, including encrypted messages, and provide a legal basis for spyware use. From a report: The Communications (Interception and Lawful Access) Bill is being framed as a replacement for the current legislation that governs digital communication interception. The Department of Justice, Home Affairs, and Migration said in an announcement this week the existing Postal Packets and Telecommunications Messages (Regulation) Act 1993 "predates the telecoms revolution of the last 20 years."
As well as updating laws passed more than two decades ago, the government was keen to emphasize that a key ambition for the bill is to empower law enforcement to intercept of all forms of communications. The Bill will bring communications from IoT devices, email services, and electronic messaging platforms into scope, "whether encrypted or not."
In a similar way to how certain other governments want to compel encrypted messaging services to unscramble packets of interest, Ireland's announcement also failed to explain exactly how it plans to do this. However, it promised to implement a robust legal framework, alongside all necessary privacy and security safeguards, if these proposals do ultimately become law. It also vowed to establish structures to ensure "the maximum possible degree of technical cooperation between state agencies and communication service providers."/i
As well as updating laws passed more than two decades ago, the government was keen to emphasize that a key ambition for the bill is to empower law enforcement to intercept of all forms of communications. The Bill will bring communications from IoT devices, email services, and electronic messaging platforms into scope, "whether encrypted or not."
In a similar way to how certain other governments want to compel encrypted messaging services to unscramble packets of interest, Ireland's announcement also failed to explain exactly how it plans to do this. However, it promised to implement a robust legal framework, alongside all necessary privacy and security safeguards, if these proposals do ultimately become law. It also vowed to establish structures to ensure "the maximum possible degree of technical cooperation between state agencies and communication service providers."/i
Incompatible requirements (Score:5, Insightful)
The "bill is to empower law enforcement to intercept of all forms of communications," and it also, "promised to implement ... necessary privacy and security safeguards."
Those goals are incompatible, full stop.
Re: (Score:3)
Those goals are incompatible, full stop.
They are. But too many people are incapable of seeing that and hence pushing this direct lie works. It also nicely illustrates the moral level the people behind this effort operate on.
Re: (Score:1)
Not completely. There are specific things which is incompatible - any law which controls the software that you install on your device when you are innocent; any law which allows them to carry out mass surveillence and keeping data of people who are not under examination. From the article I can't see that these things are being done.
Things which give them permission to hack with a warrant are reasonable. Firstly, it's something that can be measured because the warrants are recorded. Secondly, it can be disco
Re: (Score:3)
Things which give them permission to hack with a warrant are reasonable.
That's not what this is about. This is about giving them the ability to "intercept of all forms of communications."
If they are doing so, then "necessary privacy and security safeguards" have been violated.
The means of which does not matter. For example, they could have all end to end encrypted chats between 2 parties behave like a group chat with 3 parties, and they get one of those keys and the data.
Re: (Score:2)
there are two ways of doing that
1) require all software to support three party chats with an extra party added - forcing signal, for example, to either leave the country or compromise it's system
2) have a spyware / malware ("policeware") system that installs extra software on the end terminal, grab the chat before it's encrypted and send it off to the police
the difference is that 1) means that everyone is burdened by making the software that they use is insecure.
On the other hand, 2) only needs to apply to
Re: (Score:1)
Add a "beige box" in the cell towers and the internet hubs that has the _already known_ master keys (yes... all encryption can be decrypted (when on TOR, your computer has to know the key, as does the exit node, otherwise it'd just be gibberish)... all governments have the keys) for decrypting all traffic and sending it to the LEO that wants it.
Re: (Score:2)
Be very careful. There's lots of truth in what you say but there are a bunch of subtle misconstructions that you are repeating which are designed to weaken the privacy of the public. Let's talk very specifically about tor,.
* yes, some Tor nodes are run by the governments with the aim of spying and supporting their spys. It is not an accident that the US government / CIA was openly involved in early funding [theguardian.com]
* yes, obviously, the computers at both ends of the encrypted track know a key to decrypt traffic from
Re: (Score:1)
Okay... I'll run through this from the top down... stay with me.
No... Tor exit nodes are run by whoever... their not state actors or anything. I could let a Tor exit node run here and your search for "gun parts" from Siberia would come out here as "gun parts" here in (let's just say) Frozen North US (by the lakes).
I do a search on Tor browser... it's encrypted from me to you, you decrypt it on your end to send it to the German version of DuckDuckGo. The fact that your machine had that key already makes it
Re: (Score:1)
Keep in mind, everything (all communications... cell, internet) in the US all run through a facility that doesn't exist, where a few football-fields of computers scan everything for key words.
This has been a thing since like the 60's. Once the internet happened _and_ encryption became a thing for the public, in a backroom thing, the encryption outfits had to provide a master key for it... that key is shared with all governments.
The fact that you said what you said already flagged your IP, and I'm sure they
Re: (Score:1)
Are you talking about the shared decryption key or are you talking about your hatred towards Trump (who was elected by more than half, versus Harris who wasn't)? Find a hobby... ship models are awesome!
Actually... the shared decryption key doesn't care about the administration, genius. That has been in place since like Nixon. (if Trump is so bad, what about Nixon?)
Now... if you have anything useful to add here, you're next on the mic... make it a good argument (hint: hating a President is bad form)... so
Re: (Score:2)
1) require all software to support three party chats with an extra party added - forcing signal, for example, to either leave the country or compromise it's system
2) have a spyware / malware ("policeware") system that installs extra software on the end terminal, grab the chat before it's encrypted and send it off to the police
the difference is that 1) means that everyone is burdened by making the software that they use is insecure.
Another key difference is that #2 violates a bunch of other laws and personal property/privacy boundaries. I don't think anyone should be encouraging the use of hacking as a legitimate LEO method to use against our own citizens. While I disagree with the use of the 3 party chat solution, and it is a direct violation of necessary privacy and security safeguards, it would function and could be legislated fairly cleanly.
Re: (Score:2)
Another key difference is that #2 violates a bunch of other laws and personal property/privacy boundaries.
The whole point here is that, with a permitted court order and warrant it doesn't break any laws because the law will allow it. That's not a problem. Every day you go into shops which could break "trespass" laws if it were not for the fact that you have permission. Since you do have permission it doesn't. Law enforcement goes
I don't think anyone should be encouraging the use of hacking as a legitimate LEO method to use against our own citizens.
This is an interesting discussion. I don't see hacking as inherently more problematic than, for example, spying on suspects using the many methods that police already do use. However if
Re: (Score:1)
You realize that the ISPs already have the capability to intercept everything that happens online.
It's not hacking, specifically, if it's already baked into the software, and the possibility that (you could call it) "eavesdropping" might happen is already in the TOS and EULA.
It's been this way for decades. There is no privacy, all encryption schemes are easily cracked by the Master Keys the governments already have (the government (regardless of country) would never let an encryption scheme go public witho
Re: (Score:2)
You realize that the ISPs already have the capability to intercept everything that happens online.
Intercept is not the same as "read" or even "attribute". They can record traffic. If that traffic is properly encrypted at one end and decrypted at the other with keys that only the user has access to they they can't access the traffic. If the traffic is correctly put into a trustworthy Tor node which has sufficient traffic levels and then sent through the onion network they cannot work out who is communicating with who.
That means that the only information that you have to give away is the fact that you are
Re: (Score:1)
I know, well aware that when I open the page that has that pic of Christina Ricci, that it has to be decrypted on my end, which renders it insecure.
I also know that the reason for ECHELON and it's successors is so that certain 3-letter agencies can see all that. Back in the days of Napster and WinMX and Kazaa (may they rest in peace), the ISP knew because of the amount of data and through some backroom deal, WB or whoever had access to the ISP logs. Now, it's encryption.
Whether it's Whatsapp or Facebook M
Re: (Score:2)
Another key difference is that #2 violates a bunch of other laws and personal property/privacy boundaries.
The whole point here is that, with a permitted court order and warrant it doesn't break any laws because the law will allow it.
IMO, it would break some of our fundamental rights. Disclaimer: US citizen here, and I support the rights laid out in our bill of rights and its amendments. As you said above:
2) only needs to apply to the criminals at the point that they have a warrant against them; it requires some form of direct attack against the users terminal.
FYI, that should be, "... apply to the SUSPECTS ...". And if it requires a direct attack against their own property, that's a pretty clear violation of their rights.
Maybe you're ok with the law providing exceptions such as these to your rights. I am not, and I would not view that as clean legislation.
I disagree about the clean legislation. This involves forcing non-technical normal citizens to put themselves at risk by carrying software with them at all times which is designed to work against them.
Not exactly. They would still have
Re: (Score:2)
Maybe you're ok with the law providing exceptions such as these to your rights. I am not, and I would not view that as clean legislation.
The US constitution protects against unreasonble siezure. That is already a clear exception for reasonable seizure which is the whole point. I am okay with that.
Imagine requiring that all cars had explosives on them so that, in the case they were used for a bank robbery the police could blow them up remotely.
Replace explosives with a safer way to disable said vehicles,
Here I agree with you that even this is a problem. When a war with China comes as seems likely and people need to evacuate or transport food, China will be able to use those mechanisms to disable many vehicles across the US. This will cause major problems. There should not be a requirement for people to purchase equipment that could be used against
Re: (Score:2)
"Things which give them permission to hack with a warrant are reasonable."
Imagine thinking privacy doesn't matter and mission creep isn't guaranteed here. https://www.wordnik.com/words/... [wordnik.com]
Re: (Score:2)
Imagine thinking privacy doesn't matter and mission creep isn't guaranteed here.
Nobody said that. Privacy does matter which is why you need to encourage reasonable searches with warrants. If you ban them from using techniques like spy systems against actual criminals then they will use that to get permission to embed spying in all systems.
As far as mission creep goes, it's inevitable. However, what's also inevitable is that secret services and police perverts will get caught spying on people they shouldn't be and abusing that. Whenever that happens, you get to reverse the mission creep
Re: (Score:2)
Your proposals require trusting government with powers they should not have. No reason to even venture down that path.
Re: (Score:2)
Imagine thinking privacy doesn't matter and mission creep isn't guaranteed here.
Nobody said that. Privacy does matter which is why you need to encourage reasonable searches with warrants. If you ban them from using techniques like spy systems against actual criminals...
You mean suspects, right? Since when did they lose their basic rights? Just no. We have plenty of 3 letter orgs with their own special exceptions to the laws. The police can respect our basic rights.
Re: (Score:2)
You mean suspects, right? Since when did they lose their basic rights? Just no. We have plenty of 3 letter orgs with their own special exceptions to the laws. The police can respect our basic rights.
The entire point of the category of "suspect" is that the police have more power over a person where they can show "reasonable suspicion" than they have over someone who is not a suspect. Think of the standard "think of the children" scenario. A van was seen next to the place where a child was kidnapped. Do you want the same set of rules to apply to all vans as the one that is "under suspicion"?
If you try to say "nothing proven; no right to investigate", the simple fact is that this will make it almost impo
Re: (Score:2)
If you ban them from using techniques like spy systems against actual criminals...
You mean suspects, right? Since when did they lose their basic rights?
The entire point of the category of "suspect" is that the police have more power over a person ...
And the entire point of the category of "criminal" is what? No different than "suspect" to you? I doubt that's what you meant, but that's the part I took issue with.
Reasonable searches with warrants are fine. Hacking a suspects device (phone/computer/etc..) and installing spyware/etc is not, IMO, reasonable, ESPECIALLY in the context of police, as opposed to FBI/CIA/NSA. Justifying that violation of rights by referring to them as, "actual criminals," makes it all the more disingenuous - should they be permi
Re: (Score:1)
guvf vf cbfghevat naq gurngre, iveghr fvtanyvat sbe pbafgvghragf, erny-jbeyq erfhygf ner abg gur tbny naq abg bs pbaprea
Yes, that will go well (Score:3)
Obviously some surveillance fascists at work. These people need to be closely monitored and strictly limited in what they can do, or everything goes to hell.
An Taoiseach (Score:3)
It'll just take a low-level cyber-criminal to send An Taoiseach a copy of all his messages to the members of the DÃil or members of his family, and it'll be undone soon enough. Maybe.
Well this won't be misused regularly (Score:4, Interesting)
I get it, we want to catch criminals. However some people who should be subject to having that stuff on their communications devices FULL TIME should be every person with a wealth over 10 times the low median average, every government official, and every member of the police.
That way when it's misused, or has data stolen, that data is front and center.
Re: (Score:3)
How about any of the police demanding it, or the politicians looking to implement, this stuff?
Considering human nature, my guess is you'll see them flee the proposal. Heck getting cops to wear bodycams is a process. We still need to make obscuring, or muting, bodycams a Class B felony. They can edit / redact information before release IF it's considered something that should be redacted.
Re: (Score:2)
I get it, we want to catch criminals.
Every investigative agency want access to everything. And their leaders will advocate for that authority (that is their job, to solve crimes). Pushed, the honest leaders (and not all are honest) making the case will admit that that implies there that means there can be no privacy for anyone. Those that want to live in a free society (and accept that some criminals will end up going free) must push back.
That's really laughable (Score:4, Informative)
Re: (Score:2)
Quis custodiet ipsos custodes?
Never before have we been able to employ mass surveillance at this scale, and that goes both ways. Maybe an incorruptible, all-seeing AI will keep the police in check.
Re: (Score:2)
"... all-seeing AI ..."
That's what Eagle Eye (2008) is: It recruits civilians to punish a specific criminal, who ultimately thwart the AI's mandate because the criminal is the US president.
Re: (Score:2)
Re: (Score:2)
Security safeguards? Are they all doing drugs? What stops a cop (who already has access) from using it illegally in a stealthy way?
I can't tell for Ireland but access to police databases and such are usually logged and traceable, so there is accountability if strange coincidences get noticed and the accesses of a particular cop are audited.
On the one hand European governments enforce extremely strict laws about privacy. On the other, they give themselves the ability to steal any kind of communication they want.
It is defined in such legal frameworks that using private data for fun and profit isn't legitimate, but using private data to fight crime is. This comes from a hierarchy of importance of protected legal goods. It is your freedom to look for profit, but my data privacy is more important than your prof
If the government can read your communications (Score:4, Informative)
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
The encryption they use is light-years ahead of what the public sees.
Sure, you could packet snoop the Pentagon, but someone outside of the building is gonna need a data center of supercomputers working to crack it.
The US government has football fields of server racks scouring all IP traffic (which is everything, now days) for thousands of keywords and phrases... the "AI" we have now available to the public has been in the government's hands for probably 10-15 years already, just for that purpose.
There hasn'
Damn! (Score:2)
Another county to cross off from my "country I'd consider moving to" (after the USA and UK).
All that's left is Canada, and it's cold :(
Re: (Score:2)
Assholes do not like the cold. Probably that is why Canada has much fewer of them. If Alaska didn't have oil it would be ok too. Sure Canada has oil but only Alberta is bad; it's a small part of the country; Alaska is too small.
Governments should be afraid of their people. (Score:2)
Re: (Score:2)
Safeguards are the important thing (Score:3)
Look, police obviously need the capability to do things like enter private property and decode information found on the phones of drug dealers.
The key however is always the safe guards. And it is NOT that hard to understand how to implement the safe guards:
1) If the creepy guy down the street can be charged with a crime for doing it, the police should HAVE to get a warrant/subpoena/approval from a judge to do it. Why? Because some cops are/become the creepy guy down the street. They have girlfriends and old enemies from high school, etc.
2) If the cop gets permission/warrant, they should be required to link it to an open case. If that case gets closed, 5 years later the target should be notified of the privacy invasion. This gives us a means to eventually figure out if the cops were abusing the process. Without that information we are unlikely to ever discover police abuses. Did they lie about an anonymous witness to check their ex girlfriend's boyfriend out? etc. etc.
3) Cops need to be really investigated/fired for misuse of this power. The police chief can NOT simply undo it - that is just the police chief abusing their powers.
Re: (Score:3)
Under the US CALEA act, the police don't need a warrant or a badge to collect a customer's information. The FBI has just realized that's a hole the Chinese can exploit, anytime.
The US FISA court where documents of unknown origin and accuracy can be declared evidence of a crime.
The US FLOAT act which essentially declares "all your data (in the world) are belong to us." Most countries have domestic laws depr