We are developing the social individualist meta-context for the future. From the very serious to the extremely frivolous... lets see what is on the mind of the Samizdata people.

Samizdata, derived from Samizdat /n. - a system of clandestine publication of banned literature in the USSR [Russ.,= self-publishing house]

Encryption, terrorism, privacy and security

Ars Technica ran a story about a man in Cardiff charged with using encryption to aid terrorism. A VPN provider wrote about it on their blog. Scotland Yard supplied more details about the charges.

Count 3: Preparation for terrorism. Between 31 December 2015 and 22 September 2016 Samata Ullah, with the intention of assisting another or others to commit acts of terrorism, engaged in conduct in preparation for giving effect to his intention namely, by researching an encryption programme, developing an encrypted version of his blog site and publishing the instructions around the use of programme on his blog site. Contrary to section 5 Terrorism Act 2006.

It appears the charges include that he used encryption (probably HTTPS) to secure his blog, and that he had a USB stick with an operating system on it (probably Tails). This is just silly. Use of encryption is not related to terrorism. We use exactly the same encryption to protect our communication with shopping sites and banks as we do share our family photos with other members of our families. Learning about encryption or teaching others about encryption is not a crime, so why is doing these things in relation to terrorism listed as a separate charge? Terrorists might eat eggs for breakfast but they are not charged with eating an egg in connection with terrorism. If there is evidence he was doing terrorism, charge him with that. There is no need to bring encryption into it at all.

There is a risk in connecting such things with crime in the public psyche. People need to be encouraged to make use of privacy tools, not be afraid of them. They need to use these tools to protect themselves from crime. It is not helpful if encryption becomes to be seen simply as a tool of terrorists and criminals.

It is a short step from there to demands for the state to Do Something About It. The state will inevitably do silly things, like insisting on back doors in encryption systems. As our own Perry Metzger pointed out on Fox Business, it is impossible to weaken encryption used by terrorists to communicate without also putting people at risk from fraudsters attempting to manipulate their bank accounts.

31 comments to Encryption, terrorism, privacy and security

  • the other rob

    Sounds like encryption is on its way to becoming the new guns.

  • Laird

    I’d like to know what “section 5 Terrorism Act 2006” actually says. Anybody?

  • Runcie Balspune

    http://www.legislation.gov.uk/ukpga/2006/11/section/5

    Nothing to do with encryption, its all about preparation, I surmize it’s what he was encrypting that was relevant not the act of encryption itself.

  • APL

    “Samata Ullah”

    Benefits of diversity in a society for you.

  • Mr Ecks

    The character in question would not be in the UK were it not for :

    a-The scum of the left

    b-The useless shite of the British state who allowed –and probably facilitated–the individual arriving and settling down to his “work” ie terror–or attempted terror at least. They will also be at least partly if not fully supporting his life here.

    Immigration must be stopped and the Real Jihad–ie demographic takeover–halted.

    Or this nation and the West are finished. And any native Britons who have kids are leaving them a legacy of Hell.

  • The topic being discussed is encryption and civil liberties, not Islam.

  • Nothing to do with encryption, its all about preparation, I surmize it’s what he was encrypting that was relevant not the act of encryption itself.

    It is entirely to do with encryption. You miss the whole point. As Perry M says in the linked video, you cannot secure a system without securing it entirely. If you make encrypting “bad stuff” illegal, you make encrypting anything illegal.

  • Erik

    As Perry M says in the linked video, you cannot secure a system without securing it entirely.

    I counter that there are two kinds of security: the kind that keeps out nosy siblings, and the kind that keeps out the Mossad.

  • Wrong analogy Erik. There are two kind of security: the kind that keeps out nosy siblings, and the kind that keeps out the criminal hackers and Mossad. If you think people who want to access your banking details are less able to exploit a back-door than Mossad, you are quite incorrect.

  • Perry E. Metzger

    I counter that there are two kinds of security: the kind that keeps out nosy siblings, and the kind that keeps out the Mossad.

    What does that have to do with anything? Any crypto that’s good enough to keep out criminals trying to get banking information or terrorists trying to get access to the SCADA systems for a power plant is going to be good enough to impede a SIGINT agency as well.

    It isn’t as though you sit at your computer all day long, thinking for every single network connection you make whether you should protect it with something designed to block a 12 year old vs. something to provide actual threat. You probably have no knowledge at all of most of the connections being made in the first place.

    The same email software is used by people at home sending their grocery list to their spouse and by a cabinet member discussing matters of national importance. Everyone now uses commercially available operating systems and programs, everyone is in the same boat. You can’t secure the one kind of message without securing the other. And regardless, what good would it do if you did have a dropdown box saying “this is an unimportant message”, as no one would ever have an incentive to use it for something they wanted GCHQ not to be able to read?

    The recent break-in to the US Office of Personnel Management which leaked all records of all US persons with security clearances to the Chinese should underscore the problem: everyone is using the same sorts of software running on the same sorts of systems. It isn’t like banks and governments can afford to have custom operating systems commissioned for them.

    BTW, the Mossad is not Israel’s SIGINT agency. They have no cryptographers.

  • Perry E. Metzger

    This of course brings up another issue: what makes you presume that GCHQ is ahead of the PLA’s cryptographers? Why do you presume the NSA is so far ahead of FAPSI? Why do you presume you can build systems that will keep secrets from the Chinese or Russians but not impede the people you ostensibly want to be able to read things? There are professionals out there with very competing interests at this point. It is insane to think you can somehow fine tune things so that only the “good” guys can read them.

    One insane proposal that has been made is to intentional leak cryptographic material using a “back-door” cryptographic key or similar system, but of course, that key would inevitably be stolen from NSA or whomever else had it. After all, NSA’s “very secret” tools have been stolen by their opponents in the past, and even leaked. Once that inevitably happened, all hell would break loose.

  • Erik

    You are reading far too much into a flippant remark. I don’t for a moment believe that “padlock on your secret diary” levels of secrecy keep out the Mossad, banking fraudsters, or anyone else of note; nor should commoners be obliged to limit themselves to such measures. I still note that such weak security measures exist, in contradiction to Perry H’s implication that security is entirely binary. (It’s more like zero, zero-point-oh-five and one.)

  • Fred the Fourth

    In the US there was recently a brief moment of related sanity, in Massachusetts no less:

    http://www.mass.gov/courts/docs/sjc/reporter-of-decisions/new-opinions/11917.pdf

    The court ruled, in effect, that just because criminals are known to use cellphones, does not permit police to search a cellphone without a warrant.

  • Eric Tavenner

    There is a risk in connecting such things with crime in the public psyche.

    The intent of the Holy State 😡 is to make that connection.

  • bobby b

    There’s only (so far) one foolproof way to ensure the privacy of your phone and your e-mail.

    Don’t ever use them.

    But if you do, just realize that you might as well communicate by hoisting huge billboards over your head that can be read by everyone. Fortunately for most of us, no one would have any desire to know our secrets, but that is of no comfort once someone mistakenly decides you are “of interest.”

    As a result of the wonderful OPM leak, they send out weekly newsletters apologizing (again) for the trouble, and giving fun (and ironic) little lessons in how to preserve our personal security. So far, my take on all of these lessons is, as long as you’re using anything electronic, you have no personal security. If you always operate under that assumption, you’ll be fine.

  • bobby b

    “This is just silly.”

    They’re not leveling a charge based upon the act of encryption. They’re satisfying one element of the charge that they ARE leveling – by showing that the accused took a specific and voluntary step of preparation towards completing the criminal act complained of.

    A charged criminal conspiracy usually cannot be completely within the planning stages. Generally the government must show specific acts completed in furtherance of the plan. Setting up a system of encryption for use in furthering the conspiracy is one such specific act.

  • Alisa

    5 Preparation of terrorist acts
    (1) A person commits an offence if, with the intention of—
    (a) committing acts of terrorism, or
    (b) assisting another to commit such acts,
    he engages in any conduct in preparation for giving effect to his intention.
    (2) It is irrelevant for the purposes of subsection (1) whether the intention and
    preparations relate to one or more particular acts of terrorism, acts of terrorism
    of a particular description or acts of terrorism generally.
    (3) A person guilty of an offence under this section shall be liable, on conviction
    on indictment, to imprisonment for life.

    So no, it does not mention encryption specifically, and so it sounds like Bobby B. has a point – or am I missing something?

  • Setting up a system of encryption for use in furthering the conspiracy is one such specific act.

    Setting up a system of encryption for use in furthering plans to visit an online supermarket is also very sensible, so the fact a conspiracy featured the use of encryption online should be neither here nor there. The whole reason it is even mentioned is an attempt to make the very act of encryption grounds for suspicion. It is like saying meatspace conspirators locked the front door of the house in which they conspired. So what?

  • bobby b

    So what?

    Locking the door could be one of those acts that a prosecutor proves in the course of proving up a conspiracy case, but it’s not a very convincing one when you ask the jury to decide if you’ve proven enough to make them believe the door-locking is evidence that the actor was furthering the conspiracy.

    You prove that the accused has taken actual steps that further the conspiracy – that they set up the bank accounts that will receive the wired loot, or that they dug the six-foot-deep hole in which to hide the body, or that they bought the fake uniforms that will get them next to the President with their weapons, or that they purchased the five hundred pounds of mannitol they will use to cut the cocaine. Point is, the act being proved leads one to the conclusion that the accused is taking an active step in the claimed conspiracy.

    Proving they locked the door doesn’t get you far in a persuasive way. Proving that they set up an encryption process, and shared keys with the other accused conspirators, and thus readied that specific bunch of accused people to communicate in absolute private, does tend to make one believe more strongly that the claimed conspiracy was real.

    Plus, encryption is a hot button now, so showing that people are concerned enough about their privacy to act like sophisticated spies about it doesn’t hurt the prosecutorial chances. But, they’re not trying to demonize encryption – they’re trying to demonize the accused by associating them with encryption.

  • bobby b

    And now, having read the Act itself (finally) I can see that they’ve simply codified the “acts in furtherance” requirement into a “preparation” offense standing alone. So, what M. Balspune said, above.

    “Preparation:

    (1)A person commits an offence if, with the intention of —

    (a) committing acts of terrorism, or
    (b) assisting another to commit such acts,

    he engages in any conduct in preparation for giving effect to his intention.”

    They’ve just made the “acts in furtherance” into a new and additional stand-alone charge.

  • But, they’re not trying to demonize encryption – they’re trying to demonize the accused by associating them with encryption.

    And the net effect is indeed demonising encryption… by associating it with something terrorists do. Which is why it needs to be pointed out that using encryption online is like using seat belts in a car: it is the default thing to do regardless of your intentions and nothing should be imputed from that.

  • Alisa

    Perry, Rob’s post above says ‘a man in Cardiff charged with using encryption to aid terrorism’ – that seems to be incorrect, and that is the only point of contention here that I can see.

  • bobby b

    . . . using encryption online . . . is the default thing to do regardless of your intentions and nothing should be imputed from that.”

    No argument from this long-time TrueCryptie. All of those OPM notes about how they’re sorry the Chinese ended up with the personnel files sort of puts the lie to the idea that we should entrust government with keeping our encryption keys secure.

    My only point was that if Persons A, B, C, D, and E are accused of conspiring to terrorize, and C sets up an encryption procedure and shares the keys with A, B, D, and E, it’s no great leap to assume the procedure is project-oriented, the project includes those five people, and the project requires secrecy. Tying it in to the rest of the evidence of conspiracy is then simple, and you’ve got your “preparation” count nailed.

  • Alisa

    Further to my previous comment and in all fairness to Rob, his post seems to be just repeating the assertion made by the websites under his two first links. No such assertion is apparent from the Scotland Yard link, where encryption is simply mentioned as a matter of fact, among other facts.

  • Laird

    As I see it, the operative language here is the final clause of paragraph 1: “he engages in any conduct in preparation for giving effect to his intention.” A couple of observations:

    1) That seems to be extraordinarily overbroad. Charging up his smartphone could constitute “preparation”, as, for that matter, could be having breakfast in the morning. In the US I think there would be serious constitutional challenges to the statute. I can’t speak to UK law, however. (Where is Mr Ed when we need him?)

    2) To secure a conviction on this charge the prosecutor will have to prove the existence of an intention to commit (or assist in) an act of terrorism (which I presume is elsewhere defined in the Act). Standing alone, I can’t see how the mere act of researching on encryption methods, or publishing his findings on his blog, would satisfy that requirement (otherwise innumerable writers for Wired magazine, among others, would be under indictment; here is one such). So (notwithstanding the language of the final clause in paragraph (2)(b), as to which see my point #1) I suspect that there has to be much more evidence here. And I note that this is merely Count 3, so undoubtedly that is indeed the case. This particular count seems to be little more than “piling on” by the prosecutor, and if I were defending Mr. Ullah I would probably try to argue that it is a “lesser included offense” rather than an independent crime. But in any event it doesn’t really seem to be an attempt to criminalize encryption per se.

  • rxc

    In the US, encryption software is still listed on the schedule of “munitions” for which one has to get an export license to send them outside the country.

    I know this because in the 1990s I had to get one of these licenses, as a government employee, in order to send a commercially available encryption package to my counterparts in the Italian government, in order to send them commercially valuable data over the internet. It was the very beginning of the internet, and no one wanted to waste all the time it would take to send it physically by post, and no one’s management wanted to pay for courrier trips (to Rome or to Washington) for a tape (a real tape). So we decided to try PGP, which was embroiled in a lawsuit with the US government about the munitions classification.

    In the end, we had to do a delivery trip, two people (me and one IT manager) to deliver the PGP package to Rome. We combined it with some other stuff to make it sound plausable.

    It was a giant farce.

  • APL

    Perry: “The topic being discussed is encryption and civil liberties, not Islam.”

    There is an argument that Islam and civil liberties are incompatible.

    If you want one, you can’t have the other

  • PersonFromPorlock

    As always, I suggest that some public-spirited citizen write a bot program that uses infected PCs to sent random number strings to other infected PCs that disappear them so that the computers’ owners never suspect. Let us keep government code-breakers busy, busy….

  • There is an argument that Islam and civil liberties are incompatible. If you want one, you can’t have the other

    Irrelevant to this discussion which is not about Islam, it is about encryption. End of digression.

  • Edward

    Both Perrys have the right of it here. My business is MY business, and I have the absolute right to keep my business to myself.

    You think I’m indulging in nefarious deeds? Fine, prove it in a court of law, and they’ll get me to show you what I’m doing without the encryption. You are not entitled to assume I’m participating in dodgy doings simply because I encrypt my traffic.