The Online Safety Bill, now at the final stage before passage in the House of Lords, gives the British government the ability to force backdoors into messaging services, which will destroy end-to-end encryption.

Requiring government-approved software in peoples’ messaging services is an awful precedent. If the Online Safety Bill becomes British law, the damage it causes won’t stop at the borders of the U.K.

Random thoughts…

Even if platform-assisted end-to-end encryption (pseudo e2e) is censored, perhaps we could still use true user-to-user encryption. If “end” means the messenger software itself or a platform endpoint, then the following will be true e2e - “pre-end” to “post-end” encryption:

  1. Alice and Bob exchange their public keys. While using a secure channel for this is ideal, a monitored channel (e.g. a normal message app) is okay too for the time being.
  2. Alice prepares her plain text message locally: Alice.txt
  3. She does gpg -sea -r Bob -o ascii.txt Alice.txt
  4. Alice opens ascii.txt, pastes the ascii string in it to her messenger, sends it to Bob like normally.
  5. So Bob gets this ascii-armored GPG message, and saves it as ascii.txt
  6. gpg -d -o Alice.txt ascii.txt, and he has the original Alice.txt
  7. He types his reply locally (not directly on the messenger): Bob.txt
  8. gpg -sea -r Alice -o ascii.txt Bob.txt and sends back the new ascii string
  9. Alice gets it, so she does gpg -d -o Bob.txt ascii.txt to read Bob.txt

In theory, scanning by government-approved software can’t detect anything here: Alice and Bob are simply exchanging harmless ascii strings. Binary files like photos can be ascii-armored too.

Admittedly this will be inconvenient, as you’ll have to call gpg manually by yourself. But this way you don’t need to trust government-approved software at all, because encryption/decryption will be done by yourself, before and after the ascii string goes through the insecure (monitored) channel.

  • eric2377
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    What you describe as a possible solution is already implemented since decades. Most email clients give you the option to set and use a gpg keys or s/mime keys and will encrypt the contents automatically for you before sending it out, provided you have the receivers public key on your key ring, of course. But even that is too much work/too inconvenient for people to actually use it. Only massive pressure will eventually force people to use what we already got. Sad, but that’s the world we live in.

    • SakiOPM
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      It’s not a “solution.” More like a thought experiment, showing that scanning is technically pointless. Even if they’re monitoring messenger software X, you can still send/receive messages via X (not via email) in such a way that they can’t read them.