WEBVTT 00:00:00.000 --> 00:00:12.590 rC3 preroll music 00:00:12.590 --> 00:00:18.109 Herald: This is Ross Anderson, and he's giving a talk to us today, and the title 00:00:18.109 --> 00:00:24.079 is What Price the Upload Filter? From Cold War to Crypto Wars and Back Again. And 00:00:24.079 --> 00:00:31.489 we're very happy that he's here today. And and for our non-English speaking public, 00:00:31.489 --> 00:00:35.990 we have translations. speaks german 00:00:35.990 --> 00:00:41.300 Dieser Talk wird auf Deutsch übersetzt. speaks french 00:00:41.300 --> 00:00:49.839 Cette conférence est traduit en français aussi. 00:00:49.839 --> 00:00:56.769 Yeah. Um. Ross, ready to start? Let's go. Have a good time. Enjoy. 00:00:56.769 --> 00:01:09.750 Ross: Yes, ready to go. Thanks. OK. As has been said, I'm Ross Anderson and I'm in 00:01:09.750 --> 00:01:13.620 the position of being one of the old guys of this field and that I've been involved 00:01:13.620 --> 00:01:18.680 in the crypto wars right from the start. And in fact, even since before the clipper 00:01:18.680 --> 00:01:27.510 chip actually came out. If we could go to the slides, please. 00:01:27.510 --> 00:01:31.407 Right, can we see the slides? 00:01:31.407 --> 00:02:09.505 silence 00:02:09.505 --> 00:02:14.790 surprised the U.S. armed forces. And guess what happened? Well, in 00:02:14.790 --> 00:02:21.060 the 1950s, Boris Hagelin had set up that company, secretly sold it to the NSA and 00:02:21.060 --> 00:02:28.110 for a number of years, quite a lot of years, countries as diverse as Latin America and 00:02:28.110 --> 00:02:33.130 India and even NATO countries such as Italy were buying machines from Crypto AG, 00:02:33.130 --> 00:02:39.470 which the NSA could decipher. And this had all sorts of consequences. For example, 00:02:39.470 --> 00:02:44.780 it's been revealed fairly recently that Britain's success against Argentina in the 00:02:44.780 --> 00:02:50.680 Falklands War in 1982 was to a large extent due to signals intelligence that 00:02:50.680 --> 00:02:58.790 came from these machines. So, next slide, please. And in this prehistory of the 00:02:58.790 --> 00:03:03.600 crypto wars, almost all the play was between governments. There was very little 00:03:03.600 --> 00:03:08.180 role for civil society. There was one or two journalists who were engaged in trying 00:03:08.180 --> 00:03:13.870 to map what the NSA and friends were up to. As far as industry was concerned, well, at 00:03:13.870 --> 00:03:18.180 that time, I was working in banking and we found that encryption for confidentiality 00:03:18.180 --> 00:03:22.319 was discouraged. If we tried to use line encryption, then false mysteriously 00:03:22.319 --> 00:03:26.880 appeared on the line. But authentication was OK. We were allowed to encrypt PIN 00:03:26.880 --> 00:03:32.380 pad, PIN blocks. We were allowed to put MACs on messages. There was some minor 00:03:32.380 --> 00:03:37.250 harassment. For example, when Rivest, Shamir and Adleman came up with their 00:03:37.250 --> 00:03:42.650 encryption algorithm, the NSA tried to make it classified. But the Provost of 00:03:42.650 --> 00:03:47.840 MIT, Jerome Wiesner, persuaded them not to make that fight. The big debate in the 00:03:47.840 --> 00:03:52.880 1970s still, was whether the NSA affected the design of the data encryption standard 00:03:52.880 --> 00:03:57.800 algorithm, and we know now that this was the case. It was designed to be only just 00:03:57.800 --> 00:04:04.330 strong enough and Whit Diffie predicted back in the 1970s that 2 to the power of 00:04:04.330 --> 00:04:08.920 56 key search would eventually be feasible. The EFF built a machine in 1998 00:04:08.920 --> 00:04:13.510 and now of course that's fairly easy because each bitcoin block costs 2 to 00:04:13.510 --> 00:04:20.169 the power of 68 calculations. Next slide, please. So where things get interesting is 00:04:20.169 --> 00:04:25.919 that the NSA persuaded Bill Clinton in one of his first cabinet meetings in 1993 to 00:04:25.919 --> 00:04:30.270 introduce key escrow, the idea that the NSA should have a copy of every of these 00:04:30.270 --> 00:04:36.860 keys. And one of the people at that meeting admitted later that President Bush, 00:04:36.860 --> 00:04:41.280 the elder, had been asked and had refused, but Clinton when he goes into office was 00:04:41.280 --> 00:04:46.300 naive and thought that this was an opportunity to fix the world. Now, the 00:04:46.300 --> 00:04:50.159 clipper chip which we can see here, was tamper resistant and had of secret block 00:04:50.159 --> 00:04:58.620 cipher with an NSA backdoor key. And the launch product was an AT&T secure phone. 00:04:58.620 --> 00:05:05.030 Next slide, please. Now the Clipper protocol was an interesting one in that each chip 00:05:05.030 --> 00:05:12.210 had a unique secret key KU and a global secret family key kNSA burned in. And in 00:05:12.210 --> 00:05:18.189 order to, say, send data to Bob, Alice had to send her clipper chip a working key kW, 00:05:18.189 --> 00:05:22.890 which is generated by some external means, such as a Diffie Hellman Key exchange. And 00:05:22.890 --> 00:05:28.430 it makes a law enforcement access field, which was basically Alice and Bob's names 00:05:28.430 --> 00:05:33.529 with the working key encrypted under the unit key and then a hash of the working 00:05:33.529 --> 00:05:38.449 key encrypted under the NSA key. And that was sent along with the cipher text to make 00:05:38.449 --> 00:05:43.209 authorized wiretapping easy. And the idea with the hash was that this would stop 00:05:43.209 --> 00:05:47.830 cheating. Bob's Clipper Chip wouldn't use a working key unless it came with a valid 00:05:47.830 --> 00:05:53.889 LEAF. And I can remember, a few of us can still remember, the enormous outcry that 00:05:53.889 --> 00:05:57.819 this caused at the time. American companies in particular didn't like it 00:05:57.819 --> 00:06:02.439 because they started losing business to foreign firms. And in fact, a couple of 00:06:02.439 --> 00:06:07.499 our students here at Cambridge started a company nCipher, that grew to be quite 00:06:07.499 --> 00:06:13.300 large because they could sell worldwide, unlike US firms. People said, why don't we 00:06:13.300 --> 00:06:17.019 use encryption software? Well, that's easy to write, but it's hard to deploy at 00:06:17.019 --> 00:06:22.749 scale, as Phil Zimmermann found with PGP. And the big concern was whether key escrow 00:06:22.749 --> 00:06:28.620 would kill electronic commerce. A secondary concern was whether, how on earth, 00:06:28.620 --> 00:06:32.389 will we know if government designs are secure? Why on earth should you trust the 00:06:32.389 --> 00:06:40.669 NSA? Next slide, please. Well, the first serious fight back in the crypto wars came 00:06:40.669 --> 00:06:45.259 when Matt Blaze at Bell Labs found an attack on Clipper. He found that Alice 00:06:45.259 --> 00:06:52.339 could just try lots of these until one of them works, because the tag was only 16 00:06:52.339 --> 00:06:57.589 Bits long and it turned out that 2 to the power of 112 of the 2 to the power of 00:06:57.589 --> 00:07:03.749 128 possibilities work. And this meant that Alice could generate a bogus LEAF 00:07:03.749 --> 00:07:07.589 that would pass inspection, but which wouldn't decrypt the traffic, and Bob 00:07:07.589 --> 00:07:11.879 could also generate a new LEAF on the fly. So you could write non-interoperable rogue 00:07:11.879 --> 00:07:16.691 applications that the NSA has no access to. And with a bit more work, you could 00:07:16.691 --> 00:07:21.479 make rogue applications interoperate with official ones. This was only the first of 00:07:21.479 --> 00:07:30.089 many dumb ideas. Next slide, please. OK, so why don't people just use software? 00:07:30.089 --> 00:07:36.189 Well, at that time, the US had export controls on intangible goods such as 00:07:36.189 --> 00:07:40.430 software, although European countries generally didn't. And this meant that US 00:07:40.430 --> 00:07:45.610 academics couldn't put crypto code online, although we Europeans could and we 00:07:45.610 --> 00:07:52.059 did. And so Phil Zimmermann achieved fame by exporting PGP, pretty good privacy, some 00:07:52.059 --> 00:07:56.099 encryption software he had written for America as a paper book. And this was 00:07:56.099 --> 00:08:00.509 protected by the First Amendment. They sent it across the border to Canada. They 00:08:00.509 --> 00:08:04.360 fed it into an optical character recognition scanner. They recompiled it 00:08:04.360 --> 00:08:08.889 and the code had escaped. For this Phil was subjected to a grand jury 00:08:08.889 --> 00:08:13.979 investigation. There was also the Bernstein case around code as free speech 00:08:13.979 --> 00:08:19.059 and Bruce Schneier rose to fame with his book "Applying Cryptography", which had 00:08:19.059 --> 00:08:24.249 protocols, algorithms and source code in C, which you could type in in order to get 00:08:24.249 --> 00:08:31.960 cryptographic algorithms anywhere. And we saw export-controlled clothing. This 00:08:31.960 --> 00:08:36.389 t-shirt was something that many people wore at the time. I've actually got one and I 00:08:36.389 --> 00:08:41.089 planned to wear it for this. But unfortunately, I came into the lab in 00:08:41.089 --> 00:08:47.230 order to get better connectivity and I left it at home. So this t-shirt was an 00:08:47.230 --> 00:08:53.009 implementation of RSA written in perl, plus a barcode so that you can scan it in. 00:08:53.009 --> 00:08:58.350 And in theory, you should not walk across the border wearing this t-shirt. Or if 00:08:58.350 --> 00:09:03.270 you're a US citizen, you shouldn't even let a non-US citizen look at it. So by 00:09:03.270 --> 00:09:08.579 these means, people probed the outskirts of what was possible and, you know an awful 00:09:08.579 --> 00:09:17.070 lot of fun was had. It was a good laugh to tweak the Tyrannosaur's tail. Next slide. 00:09:17.070 --> 00:09:25.030 But this wasn't just something that was limited to the USA. The big and obvious 00:09:25.030 --> 00:09:30.230 problem, if you try and do key escrow in Europe, is that there's dozens of 00:09:30.230 --> 00:09:35.810 countries in Europe and what happens if someone from Britain, for example, has got 00:09:35.810 --> 00:09:40.100 a mobile phone that they bought in France or a German SIM card and they're standing 00:09:40.100 --> 00:09:44.509 on the streets in Stockholm and they phone somebody who's in Budapest, who's got a 00:09:44.509 --> 00:09:48.699 Hungarian phone with the Spanish SIM card in it. Then which of these countries' 00:09:48.699 --> 00:09:54.260 secret police forces should be able to listen to the call. And this was something 00:09:54.260 --> 00:09:59.930 that stalled the progress of key escrow, that's a good way to describe it, in Europe. 00:09:59.930 --> 00:10:06.839 And in 1996 GCHQ got academic colleagues at Royal Holloway to come up with a 00:10:06.839 --> 00:10:11.860 proposal for public sector email, which they believe would fix this. Now, at the 00:10:11.860 --> 00:10:18.919 time after clipper had fallen into disrepute, the NSA's proposal was that 00:10:18.919 --> 00:10:24.130 also the certification authority should have to be licensed, and that this would enforce 00:10:24.130 --> 00:10:27.879 a condition that all private keys would be escrows, so you would only be able to get a 00:10:27.879 --> 00:10:33.530 signature on your public key if the private key was was held by the CA. And 00:10:33.530 --> 00:10:38.440 the idea is that you'd have one CA for each government department and civilians 00:10:38.440 --> 00:10:42.190 would use trusted firms like Barclays Bank or the post office, which would keep our 00:10:42.190 --> 00:10:48.009 keys safe. And it would also work across other EU member states, so that somebody in 00:10:48.009 --> 00:10:53.870 Britain calling somebody in Germany would end up in a situation where a trustworthy 00:10:53.870 --> 00:10:59.220 CA, from the NSA's point of view, that is an untrustworthy CA from our point of view, 00:10:59.220 --> 00:11:03.680 in Britain would be prepared to make a key and so would one in Germany. This, at 00:11:03.680 --> 00:11:10.630 least, was the idea. So how do we do this, next slide, on the GCHQ protocol. So here's 00:11:10.630 --> 00:11:14.829 how it was designed to work in the UK government. If Alice at the Department of 00:11:14.829 --> 00:11:20.120 Agriculture wants to talk to Bob at the Department of Business, she asks her 00:11:20.120 --> 00:11:26.089 Departmental Security Officer DA for a send key for herself and a receive key for Bob. 00:11:26.089 --> 00:11:35.360 And DA and DB get a top level interoperability key KTAB from GCHQ and DA 00:11:35.360 --> 00:11:44.120 calculates a secret send key of the day as a hash of KTAB and Alice's name and the 00:11:44.120 --> 00:11:50.430 DA's own Identity for Alice which he gives to Alice and similarly a public receive 00:11:50.430 --> 00:11:55.481 key of the day for Bob and Alice sends Bob her public send key along with the 00:11:55.481 --> 00:12:00.379 encrypted message and Bob can go to his DSO and get his secret receive 00:12:00.379 --> 00:12:06.120 key of the day. Now this is slightly complicated and there's all sorts of other 00:12:06.120 --> 00:12:11.299 things wrong with it once you start to look at it. Next slide, please. The first 00:12:11.299 --> 00:12:14.790 is that from the point of view of the overall effect, you could just as easily 00:12:14.790 --> 00:12:19.080 have used Kerberos because you've basically got a key distribution center at 00:12:19.080 --> 00:12:24.630 both ends, which knows everybody's keys. So you've not actually gained very much by 00:12:24.630 --> 00:12:31.081 using complicated public key mechanisms, and the next problem is what's the law 00:12:31.081 --> 00:12:36.390 enforcement access need for centrally generated signing keys? If this is 00:12:36.390 --> 00:12:40.480 actually for law enforcement rather than intelligence? Well, the police want to be 00:12:40.480 --> 00:12:47.480 able to read things, not forge things. A third problem is that keys involve hashing 00:12:47.480 --> 00:12:52.110 department names and governments are changing the name of the departments all 00:12:52.110 --> 00:12:56.980 the time, as the prime minister of the day moves his ministers around and they chop 00:12:56.980 --> 00:13:01.810 and change departments. And this means, of course, that everybody has to get new 00:13:01.810 --> 00:13:06.320 cryptographic keys and suddenly the old cryptographic keys don't work anymore. And 00:13:06.320 --> 00:13:10.800 those are horrendous complexity comes from this. Now, there are about 10 other things 00:13:10.800 --> 00:13:15.420 wrong with this protocol, but curiously enough, it's still used by the UK 00:13:15.420 --> 00:13:19.090 government for the top secret stuff. It went through a number of iterations. It's 00:13:19.090 --> 00:13:23.939 now called Mikey Sakke, there's details in my security engineering book. And it 00:13:23.939 --> 00:13:28.129 turned out to be such a pain that the stuff below top secret now is just used as 00:13:28.129 --> 00:13:32.959 a branded version of G suite. So if what you want to do is to figure out what 00:13:32.959 --> 00:13:37.050 speech Boris Johnson will be making tomorrow, we just have to guess the 00:13:37.050 --> 00:13:44.459 password recovery questions for his private secretaries and officials. Next 00:13:44.459 --> 00:13:51.060 slide, the global Internet Trust Register. This was an interesting piece of fun we 00:13:51.060 --> 00:13:55.929 had around the 1997 election when Tony Blair took over and introduced the Labor 00:13:55.929 --> 00:14:00.439 government before the election, Labor promised to not seize crypto keys in bulk 00:14:00.439 --> 00:14:04.499 without a warrant. And one of the first things that happened to him once he 00:14:04.499 --> 00:14:09.569 was in office is Vice President Al Gore went to visit him and all of a sudden Tony 00:14:09.569 --> 00:14:13.449 Blair decided that he wanted all certification authorities to be licensed 00:14:13.449 --> 00:14:18.520 and they were about to rush this through parliament. So we put all the important 00:14:18.520 --> 00:14:23.290 public keys in a paper book and we took it to the cultural secretary, Chris Smith, 00:14:23.290 --> 00:14:27.790 and we said, you're the minister for books why are you passing a law to ban this 00:14:27.790 --> 00:14:32.580 book. And if you'll switch to the video shot, I've got the initial copy of the 00:14:32.580 --> 00:14:36.579 book that we just put together on the photocopying machine in the department. 00:14:36.579 --> 00:14:42.200 And then we sent the PDF off to MIT and they produced it as a proper book. And 00:14:42.200 --> 00:14:48.350 this means that we had a book which is supposedly protected and this enabled us 00:14:48.350 --> 00:14:55.209 to get the the topic onto the agenda for cabinet discussion. So this at least 00:14:55.209 --> 00:14:59.779 precipitous action, we ended up with the Regulation of Investigatory Powers Bill in 00:14:59.779 --> 00:15:04.830 2000. That was far from perfect, but that was a longer story. So what happened back 00:15:04.830 --> 00:15:09.860 then is that we set up an NGO, a digital rights organization, the Foundation for 00:15:09.860 --> 00:15:16.620 Information Policy Research. And the climate at the time was such that we had 00:15:16.620 --> 00:15:22.310 no difficulty raising a couple of hundred thousand pounds from Microsoft and Hewlett 00:15:22.310 --> 00:15:28.370 Packard and Redbus and other tech players. So we were able to hire Casper Bowden for 00:15:28.370 --> 00:15:32.199 three years to basically be the director of FIPR and to lobby the government hard 00:15:32.199 --> 00:15:38.490 on this. And if we can go back to the slides, please, and go to the next slide, 00:15:38.490 --> 00:15:47.170 the slide on bringing it all together. So in 1997, a number of us, Hal Abelson and I 00:15:47.170 --> 00:15:54.569 and Steve Bellovin and Josh Benaloh from Microsoft and Matt Blaze who had broken 00:15:54.569 --> 00:15:59.430 Clipper and Whit Diffie, who invented digital signatures, and John Gilmore of 00:15:59.430 --> 00:16:05.689 EFF, Peter Neumann of SRI, Ron Rivest, Jeff Schiller of MIT and Bruce Schneier 00:16:05.689 --> 00:16:09.339 who had written applied cryptography and got together and wrote a paper on the 00:16:09.339 --> 00:16:13.830 risks of key recovery, key escrow and trust in third party encryption, where we 00:16:13.830 --> 00:16:18.470 discussed the system consequences of giving third party or government access to 00:16:18.470 --> 00:16:23.850 both traffic data and content without user notice or consent deployed internationally 00:16:23.850 --> 00:16:27.550 and available around the clock. We came to the conclusion that this was not really 00:16:27.550 --> 00:16:33.550 doable. It was simply too many vulnerabilities and too many complexities. 00:16:33.550 --> 00:16:38.899 So how did it end? Well, if we go to the next slide, the victory in Europe wasn't 00:16:38.899 --> 00:16:44.259 as a result of academic arguments. It was a result of industry pressure. And we owe 00:16:44.259 --> 00:16:48.750 a debt to Commissioner Martin Bangemann and also to the German government who 00:16:48.750 --> 00:16:56.699 backed him. And in 1994, Martin had put together a group of European CEOs to 00:16:56.699 --> 00:17:01.190 advise him on internet policy. And they advised them to keep your hands off until 00:17:01.190 --> 00:17:04.160 we can see which way it's going. That's just wrong with this thing and see what we 00:17:04.160 --> 00:17:10.670 can do with it. And the thing that he developed in order to drive a stake 00:17:10.670 --> 00:17:15.180 through the heart of key escrow was the Electronic Signatures Directive in 1999. 00:17:15.180 --> 00:17:20.330 And this gave a rebuttable presumption of validity to qualifying electronic 00:17:20.330 --> 00:17:24.640 signatures, but subject to a number of conditions. And one of these was that the 00:17:24.640 --> 00:17:29.570 signing key must never be known to anybody else other than the signer and this killed 00:17:29.570 --> 00:17:37.120 the idea of licensing CAs in such a way that the the NSA had access to all the 00:17:37.120 --> 00:17:41.390 private key material. The agencies had argued that without controlling 00:17:41.390 --> 00:17:45.260 signatures, you couldn't control encryption. But of course, as intelligence 00:17:45.260 --> 00:17:49.440 agencies, they were as much interested in manipulating information as they were in 00:17:49.440 --> 00:17:57.280 listening into it. And this created a really sharp conflict with businesses. In 00:17:57.280 --> 00:18:00.770 the U.K., with the Regulation of Investigatory Powers Bill went through the 00:18:00.770 --> 00:18:05.540 following year. And there we got strong support from the banks who did not want 00:18:05.540 --> 00:18:10.600 the possibility of intelligence and law enforcement personnel either getting hold 00:18:10.600 --> 00:18:16.380 of bank keys or forging banking transactions. And so we managed to, with 00:18:16.380 --> 00:18:20.720 their help to insert a number of conditions into the bill, which meant that 00:18:20.720 --> 00:18:25.520 if a court or chief constable, for example, demands a key from a company, 00:18:25.520 --> 00:18:29.400 they've got to demand it from somebody at the level of a director of the company. 00:18:29.400 --> 00:18:33.800 And it's got to be signed by someone really senior such as the chief constable. 00:18:33.800 --> 00:18:38.910 So there was some controls that we managed to get in there. Next slide! What did 00:18:38.910 --> 00:18:44.660 victory in the USA look like? Well, in the middle of 2000 as a number of people had 00:18:44.660 --> 00:18:49.170 predicted, Al Gore decided that he wanted to stop fighting the tech industry in 00:18:49.170 --> 00:18:54.410 order to get elected president. And there was a deal done at the time which was 00:18:54.410 --> 00:19:01.070 secret. It was done at the FBI headquarters at Quantico by US law 00:19:01.070 --> 00:19:04.880 enforcement would rely on naturally occurring vulnerabilities rather than 00:19:04.880 --> 00:19:10.070 compelling their insertion by companies like Intel or Microsoft. This was secret 00:19:10.070 --> 00:19:15.017 at the time, and I happen to know about it because I was consulting for Intel and the 00:19:15.017 --> 00:19:20.800 NDA I was under had a four year time limits on it. So after 2004, I was at the 00:19:20.800 --> 00:19:25.760 ability to talk about this. And so this basically gave the NSA access to the CERT 00:19:25.760 --> 00:19:30.930 feed. And so as part of this deal, the export rules were liberalized a bit, but 00:19:30.930 --> 00:19:38.090 with various hooks and gotchas left so that the authorities could bully companies 00:19:38.090 --> 00:19:45.580 who got too difficult. And in 2002, Robert Morris, senior, who had been the chief 00:19:45.580 --> 00:19:50.740 scientist at the NSA at much of this period, admitted that the real policy goal 00:19:50.740 --> 00:19:54.540 was to ensure that the many systems developed during the dot com boom were 00:19:54.540 --> 00:20:02.190 deployed with weak protection or none. And there's a huge, long list of these. Next 00:20:02.190 --> 00:20:11.430 slide, please. So what was the collateral damage from crypto war one? This is the 00:20:11.430 --> 00:20:15.310 first knuckle pass of this talk, which I've got together as a result of spending 00:20:15.310 --> 00:20:20.920 the last academic year writing the third edition of my book on security engineering 00:20:20.920 --> 00:20:26.520 as I've gone through and updated all the chapters on car security, the role of 00:20:26.520 --> 00:20:32.510 security and web security and so on and so forth, we find everywhere. But there are 00:20:32.510 --> 00:20:38.050 still very serious costs remaining from crypto war one, for example, almost all of 00:20:38.050 --> 00:20:43.430 the remote key entry systems for cars use inadequate cryptography for random 00:20:43.430 --> 00:20:48.290 number generators and so on and so forth. And car theft has almost doubled in the 00:20:48.290 --> 00:20:55.380 past five years. This is not all due to weak crypto, but it's substantially due to 00:20:55.380 --> 00:21:01.323 a wrong culture that was started off in the context of the crypto wars. Second, 00:21:01.323 --> 00:21:06.430 there are millions of door locks still using Mifare classic, even the building 00:21:06.430 --> 00:21:12.030 where I work. For example, the University of Cambridge changed its door locks around 00:21:12.030 --> 00:21:17.040 2000. So we've still got a whole lot of mifare classic around. And it's very 00:21:17.040 --> 00:21:21.150 difficult when you've got 100 buildings to change all the locks on them. And this is 00:21:21.150 --> 00:21:26.250 the case with thousands of organizations worldwide, with universities, with banks, 00:21:26.250 --> 00:21:30.990 with all sorts of people, simply because changing all the locks at once and dozens 00:21:30.990 --> 00:21:35.770 of buildings is just too expensive. Then, of course, there's the CA in your 00:21:35.770 --> 00:21:40.990 browser, most nations own or control certification authorities that your 00:21:40.990 --> 00:21:47.380 browser trusts and the few nations that weren't allowed to own such CAs, such as 00:21:47.380 --> 00:21:53.040 Iran, get up to mischief, as we find in the case of the DigiNotar hack a few years 00:21:53.040 --> 00:21:59.000 ago. And this means that most nations have got a more or less guaranteed ability to 00:21:59.000 --> 00:22:05.770 do man in the middle attacks on your Web log ons. Some companies like Google, of 00:22:05.770 --> 00:22:11.410 course, started to fix that with various mechanisms such as certificate pinning. 00:22:11.410 --> 00:22:16.160 But that was a deliberate vulnerability that was there for a long, long time and 00:22:16.160 --> 00:22:22.410 is still very widespread. Phones. 2G is insecure. That actually goes back to the 00:22:22.410 --> 00:22:27.281 Cold War rather than the crypto war. But thanks to the crypto wars 4G and 5G are 00:22:27.281 --> 00:22:32.450 not very much better. The details are slightly complicated and again, they're 00:22:32.450 --> 00:22:37.950 described in the book, Bluetooth is easy to hack. That's another piece of legacy. 00:22:37.950 --> 00:22:43.380 And as I mentioned, the agencies own the CERT's responsible disclosure pipeline, 00:22:43.380 --> 00:22:47.690 which means that they got a free fire hose of zero days that they can exploit 00:22:47.690 --> 00:22:53.780 for perhaps a month or three before these end up being patched. So next slide, 00:22:53.780 --> 00:23:02.600 please. Last year when I talked at Chaos Communication Congress, the audience chose 00:23:02.600 --> 00:23:08.900 this as the cover for my security engineering book, and that's now out. And 00:23:08.900 --> 00:23:12.730 it's the process of writing this that brought home to me the scale of the damage 00:23:12.730 --> 00:23:18.450 that we still suffered as a result of crypto war one. So let's move on to the 00:23:18.450 --> 00:23:24.610 next slide and the next period of history, which we might call the war on terror. And 00:23:24.610 --> 00:23:30.980 I've arbitrarily put this down as 2000 to 2013 although some countries stoped using 00:23:30.980 --> 00:23:36.790 the phrase war on terror in about 2008 once we have got rid of George W. Bush and 00:23:36.790 --> 00:23:41.330 Tony Blair. But as a historical convenience, this is, if you like, the 00:23:41.330 --> 00:23:46.140 central period in our tale. And it starts off with a lot of harassment around the 00:23:46.140 --> 00:23:54.700 edges of security and cryptography. For example, in 2000, Tony Blair promoted the 00:23:54.700 --> 00:24:02.290 EU dual use regulation number 1334 to extend export controls from tangible goods 00:24:02.290 --> 00:24:07.810 such as rifles and tanks to intangibles such as crypto software. Despite the fact 00:24:07.810 --> 00:24:13.980 that he has basically declared peace on the tech industry. Two years later, in 00:24:13.980 --> 00:24:18.090 2002, the UK parliament balked at an export control bill that was going to 00:24:18.090 --> 00:24:24.140 transpose this because it added controls on scientific speech, not just crypto 00:24:24.140 --> 00:24:28.900 code, but even papers on cryptanalysis and even electron microscope scripts and 00:24:28.900 --> 00:24:33.300 so parliament started the research exemption clause at the arguments of the 00:24:33.300 --> 00:24:39.420 then president of the Royal Society, Sir Robert May. But what then happened is that 00:24:39.420 --> 00:24:45.820 GCHQ used EU regulations to frustrate Parliament and this pattern of extralegal 00:24:45.820 --> 00:24:51.700 behavior was to continue. Next slide! Because after export control, the place 00:24:51.700 --> 00:24:57.310 shifted to traffic data retention, another bad thing that I'm afraid to say, the UK 00:24:57.310 --> 00:25:02.630 exported to Europe back in the days when we were, in effect, the Americans 00:25:02.630 --> 00:25:08.530 consigliere on the European Council. Sorry about that, folks, but all I can say is at 00:25:08.530 --> 00:25:15.900 least we helped start EDRI a year after that. So one of the interesting aspects of 00:25:15.900 --> 00:25:20.590 this was that our then home secretary, Jacqui Smith, started talking about the 00:25:20.590 --> 00:25:26.080 need for a common database of all the metadata of who had phoned whom when, who 00:25:26.080 --> 00:25:30.720 had sent an email to whom when, so that the police could continue to use the 00:25:30.720 --> 00:25:35.340 traditional contact tracing techniques online. And the line that we got hammered 00:25:35.340 --> 00:25:39.500 home to us again and again and again was if you got nothing to hide, you've got 00:25:39.500 --> 00:25:47.490 nothing to fear. What then happened in 2008, is that a very bad person went into 00:25:47.490 --> 00:25:53.550 Parliament and went to the PC where the expense claims of MPs were kept and they 00:25:53.550 --> 00:25:58.630 copied all the expense claims onto a DVD and they sold it around Fleet Street. And 00:25:58.630 --> 00:26:03.450 so The Daily Telegraph bought it from them for 400˙000£. And then for the best 00:26:03.450 --> 00:26:07.500 part of a year, the Daily Telegraph was telling scandalous things about what 00:26:07.500 --> 00:26:12.170 various members of parliament had claimed from the taxpayer. But it turned out that 00:26:12.170 --> 00:26:15.730 also Jacqui Smith may have been innocent. Her husband had been downloading 00:26:15.730 --> 00:26:21.010 pornography and charging it to our parliamentary expenses. So she lost her 00:26:21.010 --> 00:26:25.820 job as home secretary and she lost her seat in parliament and the communications 00:26:25.820 --> 00:26:32.950 data bill was lost. So was this a victory? Well, in June 2013, we learned from Ed 00:26:32.950 --> 00:26:39.310 Snowden that they just built it anyway, despite parliament. So maybe the victory 00:26:39.310 --> 00:26:43.400 in parliament wasn't what it seemed to be at the time. But I'm getting ahead of 00:26:43.400 --> 00:26:51.570 myself; anyway. Next slide, please. The other thing that we did in the 2000s is 00:26:51.570 --> 00:26:56.200 that we spent, I spent maybe a third of my time and about another hundred people 00:26:56.200 --> 00:27:00.856 joined and we developed the economics of security as a discipline. We began to 00:27:00.856 --> 00:27:05.660 realize that many of the things that went wrong happened because Alice was guarding 00:27:05.660 --> 00:27:10.910 a system and Bob was paying the cost of failure. For example, if you got a payment 00:27:10.910 --> 00:27:17.480 system, then in order to prevent fraud, what you basically have to do is to get 00:27:17.480 --> 00:27:21.920 the merchants and the bank to buy transactions from them, to take care of 00:27:21.920 --> 00:27:26.440 the costs of fraud, follow the cardholder of the banks that issue them with cards. 00:27:26.440 --> 00:27:31.870 And the two aren't the same. But it's this that causes the governance tensions and 00:27:31.870 --> 00:27:36.906 causes governments to break down and makes fraud harder than it should be. Now after 00:27:36.906 --> 00:27:41.530 that, one of the early topics was patching and responsible disclosure. And 00:27:41.530 --> 00:27:45.340 we worked through all the issues of whether you should not patch at all, which 00:27:45.340 --> 00:27:48.860 some people in industry wanted to do, or whether you should just put all the bugs 00:27:48.860 --> 00:27:52.690 on bug trackers which some hackers wanted to do or whether you would go through the 00:27:52.690 --> 00:27:57.200 CERT system despite the NSA compromise, because they at least would give you legal 00:27:57.200 --> 00:28:03.720 cover. And, you know, bully Microsoft into catching the bug the next patch Tuesday 00:28:03.720 --> 00:28:10.040 and then the disclosure after 90 days. And we eventually came to the conclusion as an 00:28:10.040 --> 00:28:16.270 industry followed that responsible disclosure was the way to go. Now, one of 00:28:16.270 --> 00:28:21.530 the problems that arises here is the equities issue. Suppose you're the 00:28:21.530 --> 00:28:27.260 director of the NSA and somebody comes to you with some super new innovative bug. 00:28:27.260 --> 00:28:33.490 You say they have rediscovered Spectre, for example. And so you've got a bug which 00:28:33.490 --> 00:28:40.640 can be used to penetrate any crypto software that's out there. Do you report 00:28:40.640 --> 00:28:45.640 the bug to Microsoft and Intel to defend 300 million Americans, or do you keep it 00:28:45.640 --> 00:28:50.830 quiet so you can exploit 450 million Europeans and a thousand billion Chinese 00:28:50.830 --> 00:28:55.170 and so on and so forth? Well, once you put it that way, it's fairly obvious that the 00:28:55.170 --> 00:29:00.370 NSA will favor attack over defense. And there are multiple models of attack and 00:29:00.370 --> 00:29:04.420 defense. You can think of institutional factors and politics, for example, if you 00:29:04.420 --> 00:29:10.350 are director of the NSA, and you defend 300 million Americans. You defend the 00:29:10.350 --> 00:29:15.720 White House against the Chinese hacking it. You know, the president will never 00:29:15.720 --> 00:29:19.970 know if he's hacked or not because the Chinese will keep it quiet if they do. But 00:29:19.970 --> 00:29:24.790 if, on the other hand, you manage to hack the Politburo land in Peking, you can put 00:29:24.790 --> 00:29:31.040 some juicy intelligence every morning with the president's breakfast cereal. So 00:29:31.040 --> 00:29:37.150 that's an even stronger argument of why you should do attack rather than defense. 00:29:37.150 --> 00:29:43.360 And all the thing that I mentioned in passing is that throughout the 2000s, 00:29:43.360 --> 00:29:47.390 governments also scrambled to get more data of the citizens, for example, in 00:29:47.390 --> 00:29:51.930 Britain with a long debate about whether medical records should be centralized. In 00:29:51.930 --> 00:29:56.030 the beginning, we said if you were to centralize all medical records, that would 00:29:56.030 --> 00:29:59.440 be such a large target that the database should be top secret and it would be too 00:29:59.440 --> 00:30:06.480 inconvenient for doctors to use. Well, Blair decided in 2001 to do it anyway. We 00:30:06.480 --> 00:30:10.700 wrote a report in 2009 saying that this was a red line and that this was a serious 00:30:10.700 --> 00:30:17.030 hazard and then in 2014 we discovered that Cameron's buddy, who was the transparency 00:30:17.030 --> 00:30:22.440 czar and the NHS had sold the database to 1200 researchers, including drug companies 00:30:22.440 --> 00:30:26.740 in China. So that meant that all the sensitive personal health information 00:30:26.740 --> 00:30:31.480 about one billion patients episodes had been sold around the world and was 00:30:31.480 --> 00:30:35.240 available to not just to medical researchers, but to foreign intelligence 00:30:35.240 --> 00:30:50.760 services. This brings us on to Snowden. In June 2013. We had one of those game 00:30:50.760 --> 00:30:57.280 changing moments when Ed Snowden leaked a whole bunch of papers showing that the NSA 00:30:57.280 --> 00:31:02.390 had been breaking the law in America and GCHQ had been breaking the law in Britain, 00:31:02.390 --> 00:31:06.320 that we have been lied to, the parliament had been misled, and a whole lot of 00:31:06.320 --> 00:31:10.580 collection and interception was going on, which supposedly shouldn't have been going 00:31:10.580 --> 00:31:15.790 on. Now, one of the things that got industry attention was a system called 00:31:15.790 --> 00:31:22.500 PRISM, which was in fact legal because this was done as a result of warrants 00:31:22.500 --> 00:31:28.190 being served on the major Internet service providers. And if we could move to the 00:31:28.190 --> 00:31:33.500 next slide, we can see that this started off with Microsoft in 2007. Yahoo! in 00:31:33.500 --> 00:31:38.121 2008, they fought in court for a year they lost and then Google and Facebook and so on 00:31:38.121 --> 00:31:44.640 got added. This basically enabled the NSA to go to someone like Google and say 00:31:44.640 --> 00:31:49.590 rossjanderson@gmail.com is a foreign national, we're therefore entitled to read 00:31:49.590 --> 00:31:54.660 his traffic, kindly give us his Gmail. And Google would say, yes, sir. For Americans, 00:31:54.660 --> 00:31:58.240 you have to show probable cause that they've committed a crime for foreigners 00:31:58.240 --> 00:32:06.060 you simply have to show probable cause that they're a foreigner. The next slide. 00:32:06.060 --> 00:32:14.700 This disclosure from Snowden disclosed that PRISM, despite the fact that it only 00:32:14.700 --> 00:32:20.400 costs about 20 million dollars a year, was generating something like half of all the 00:32:20.400 --> 00:32:27.160 intelligence that the NSA was using. By the end of financial year 2012, but that 00:32:27.160 --> 00:32:33.100 was not all. Next slide, please. The thing that really annoyed Google was this slide 00:32:33.100 --> 00:32:38.820 on the deck from a presentation at GCHQ showing how the NSA was not merely 00:32:38.820 --> 00:32:44.480 collecting stuff through the front door by serving warrants on Google in Mountain 00:32:44.480 --> 00:32:48.590 View, it was collecting stuff through the backdoor as well, because they were 00:32:48.590 --> 00:32:53.840 harvesting the plaintext copies of Gmail and maps and docs and so on, which were 00:32:53.840 --> 00:32:59.350 being sent backwards and forwards between Google's different data centers. And the 00:32:59.350 --> 00:33:04.650 little smiley face, which you can see on the sticky, got Sergei and Friends really, 00:33:04.650 --> 00:33:09.890 really uptight. And they just decided, right, you know, we're not going to allow 00:33:09.890 --> 00:33:13.310 this. They will have to knock and show warrants in the future. And there was a 00:33:13.310 --> 00:33:17.120 crash program and all the major Internet service providers to encrypt all the 00:33:17.120 --> 00:33:25.180 traffic so that in future things could only be got by means of a warrant. Next 00:33:25.180 --> 00:33:38.060 slide, please. The EU was really annoyed by what was called Operation Socialist. 00:33:38.060 --> 00:33:49.920 Operation Socialist was basically, the hack of Belgacom and the idea was that 00:33:49.920 --> 00:33:56.710 GCHQ spearfished some technical staff at Belgacom and this enabled them to wiretap 00:33:56.710 --> 00:34:04.870 all the traffic at the European Commission in Brussels and as well as mobile phone 00:34:04.870 --> 00:34:11.910 traffic to and from various countries in Africa. And this is rather amazing. It's 00:34:11.910 --> 00:34:16.940 as if Nicola Sturgeon, the first minister of Scotland, had tasked Police Scotland 00:34:16.940 --> 00:34:21.781 with hacking BT so that she could watch out what was going on with the parliament 00:34:21.781 --> 00:34:30.919 in London. So this annoyed a number of people. With the next slide, we can see. 00:34:30.919 --> 00:34:40.149 That the the Operation Bull Run, an operation Edgehill, as GCHQ called their 00:34:40.149 --> 00:34:44.740 version of it, have an aggressive, multipronged efforts to break widely used 00:34:44.740 --> 00:34:49.899 Internet encryption technologies. And we learned an awful lot about what was being 00:34:49.899 --> 00:34:55.929 done to break VPNs worldwide and what had been done in terms of inserting 00:34:55.929 --> 00:35:01.830 vulnerabilities and protocols, getting people to use vulnerable prime numbers for 00:35:01.830 --> 00:35:06.750 Diffie Hellman key exchange and so on and so forth. Next slide, first slide and 00:35:06.750 --> 00:35:11.870 Bullrun and Edgehill SIGINT enabling projects actively engages the US and 00:35:11.870 --> 00:35:16.310 foreign IT industries to covertly influence and/or overtly leverage their 00:35:16.310 --> 00:35:20.690 commercial products' designs. These design changes make the systems in question 00:35:20.690 --> 00:35:24.680 exploitable through SIGINT collection endpoint midpoints, et cetera, with 00:35:24.680 --> 00:35:28.400 foreknowledge of the modification, the consumer and other adversaries however the 00:35:28.400 --> 00:35:36.510 system security remains intact. Next slide, so the insert vulnerabilities into 00:35:36.510 --> 00:35:41.450 commercial systems, I.T. systems, networks and point communication devices used by 00:35:41.450 --> 00:35:49.160 targets. Next slide. They also influence policy standards and specifications for 00:35:49.160 --> 00:35:54.270 commercial public key technologies, and this was the smoking gun that 00:35:54.270 --> 00:36:02.240 crypto war 1 had not actually ended. It had just gone undercover. And so with this, 00:36:02.240 --> 00:36:08.250 things come out into the open next slide so we could perhaps date crypto war 2 to 00:36:08.250 --> 00:36:13.190 the Snowden disclosures in their aftermath in America. It must be said that all three 00:36:13.190 --> 00:36:18.350 arms of the US government showed at least mild remarks. Obama set up the NSA review 00:36:18.350 --> 00:36:23.810 group and adopted most of what it said except on the equities issue. Congress got 00:36:23.810 --> 00:36:28.180 data retention, renewed the Patriot Act and the FISA court introduced an advocate 00:36:28.180 --> 00:36:33.340 for Targets. Tech companies as I mentioned, started encrypting all their 00:36:33.340 --> 00:36:39.220 traffic. In the UK on the other hand, governments expressed no remorse at all, 00:36:39.220 --> 00:36:43.450 and they passed the Investigatory Powers Act to legalize all the unlawful things 00:36:43.450 --> 00:36:47.740 they've already been doing. And they could now order firms secretly do anything they 00:36:47.740 --> 00:36:56.730 physically can. However, data retention was nixed by the European courts. The 00:36:56.730 --> 00:37:01.920 academic response in the next slide, keys under doormats, much the same authors as 00:37:01.920 --> 00:37:08.670 before. We analyzed the new situation and came to much of the same conclusions. Next 00:37:08.670 --> 00:37:14.620 slide, the 2018 GCHQ proposals from Ian Levy and Crispin 00:37:14.620 --> 00:37:20.870 Robinson proposed to add ghost users to WhatsApp and FaceTime calls in response to 00:37:20.870 --> 00:37:25.860 warrants. The idea is that you've got an FBI key on your device hearing. You still 00:37:25.860 --> 00:37:30.110 have end to end, so you just have an extra end. And this, of course, fills the keys 00:37:30.110 --> 00:37:34.380 on the doormats tests. Your software would abandon best practice. It would create 00:37:34.380 --> 00:37:39.690 targets and increase complexity and it would also have to lie about trust. Next 00:37:39.690 --> 00:37:49.310 slide, please. This brings us to the upload filters which were proposed over 00:37:49.310 --> 00:37:55.990 the past six months, they first surfaced in early 2020 to a Stanford think tank and 00:37:55.990 --> 00:38:00.960 they were adopted by Commissioner Ylva Johansson on June the 9th at the start of 00:38:00.960 --> 00:38:05.930 the German presidency. On the 20th of September we got a leaked tech paper whose 00:38:05.930 --> 00:38:11.650 authors include our GCHQ friends Ian Levie and Crispin Robinson. The top options are 00:38:11.650 --> 00:38:17.620 that you filter in client software assisted by a server, as client side only 00:38:17.620 --> 00:38:22.570 filtering is too constrained and easy to compromise. The excuse is that you want to 00:38:22.570 --> 00:38:28.520 stop illegal material such as child sex abuse images being shared over end to end 00:38:28.520 --> 00:38:34.210 messaging system such as WhatsApp. Various NGOs objected, and we had a meeting with 00:38:34.210 --> 00:38:39.580 the commission, which was a little bit like a Stockholm Syndrome event. We had 00:38:39.580 --> 00:38:43.750 one official there on the child protection front fax by half a dozen officials from 00:38:43.750 --> 00:38:48.610 various security bodies, departments and agencies who seemed to be clearly driving 00:38:48.610 --> 00:38:53.191 the thing with child protection merely being an excuse to promote this lead. 00:38:53.191 --> 00:39:00.360 Well, the obvious things to worry about are as a similar language in the new 00:39:00.360 --> 00:39:04.730 terror regulation, you can expect the filter to extend from child sex abuse 00:39:04.730 --> 00:39:10.840 material to terror. And static filtering won't work because if there's a bad list 00:39:10.840 --> 00:39:15.380 of 100˙000 forbidden images, then the bad people will just go out and make another 00:39:15.380 --> 00:39:22.530 100˙000 child sex abuse images. So the filtering will have to become dynamic. And 00:39:22.530 --> 00:39:26.880 then the question is whether your form will block it or report it. And there's an 00:39:26.880 --> 00:39:32.090 existing legal duty in a number of countries and in the UK to although 00:39:32.090 --> 00:39:37.310 obviously no longer a member state, the existing duty to report terror stuff. And 00:39:37.310 --> 00:39:41.840 the question is, who will be in charge of updating the filters? What's going to 00:39:41.840 --> 00:39:50.750 happen then? Next slide. Well, we've seen an illustration during the lockdown in 00:39:50.750 --> 00:39:55.230 April, the French and Dutch government sent an update to all Encrochat mobile 00:39:55.230 --> 00:39:59.450 phones with a rootkit which copied messages, crypto keys and lock screen 00:39:59.450 --> 00:40:04.460 passwords. The Encrochat was a brand of mobile phone that was sold through 00:40:04.460 --> 00:40:11.001 underground channels to various criminal groups and others. And since this was 00:40:11.001 --> 00:40:18.119 largely used by criminals of various kinds, the U.K. government justify bulk 00:40:18.119 --> 00:40:24.160 intercepts by passing its office targets and equipment interference. In other 00:40:24.160 --> 00:40:28.600 words, they brought a targeted warrant for all forty five thousand Encrochat handsets 00:40:28.600 --> 00:40:33.400 and of ten thousand users in the U.K., eight hundred were arrested in June when 00:40:33.400 --> 00:40:39.680 the wire tapping exercise was completed. Now, again, this appears to ignore the 00:40:39.680 --> 00:40:44.450 laws that we have on the books because even our Investigatory Powers Act rules 00:40:44.450 --> 00:40:48.710 out all interception of U.K. residents. And those who follow such 00:40:48.710 --> 00:40:52.950 matters will know that there was a trial at Liverpool Crown Court, a hearing of 00:40:52.950 --> 00:40:59.369 whether this stuff was admissible. And we should have a first verdict on that early 00:40:59.369 --> 00:41:05.270 in the new year. And that will no doubt go to appeal. And if the material is held to 00:41:05.270 --> 00:41:09.820 be admissible, then there will be a whole series of trials. So this brings me to my 00:41:09.820 --> 00:41:17.050 final point. What can we expect going forward? China is emerging as a full-stack 00:41:17.050 --> 00:41:21.700 competitor to the West, not like Russia in Cold War one, because Russia only ever 00:41:21.700 --> 00:41:26.760 produced things like primary goods, like oil and weapons in trouble, of course. But 00:41:26.760 --> 00:41:30.690 China is trying to compete all the way up and down the stack from chips, through 00:41:30.690 --> 00:41:35.690 software, up through services and everything else. And developments in China 00:41:35.690 --> 00:41:40.850 don't exactly fill one with much confidence, because in March 2018, 00:41:40.850 --> 00:41:45.400 President Xi declared himself to be ruler for life, basically tearing up the Chinese 00:41:45.400 --> 00:41:50.280 constitution. There are large-scale state crimes being committed in Tibet and 00:41:50.280 --> 00:41:55.240 Xiniang and elsewhere. Just last week, Britain's chief rabbi described the 00:41:55.240 --> 00:42:03.991 treatment of Uyghurs as an unfathomable mass atrocity. In my book, I describe 00:42:03.991 --> 00:42:09.280 escalating cyber conflict and various hacks, such as the hack of the Office of 00:42:09.280 --> 00:42:15.100 Personnel Management, which had clearance files on all Americans who work for the 00:42:15.100 --> 00:42:20.710 federal governments, the hack of Equifax, which got credit ratings and credit 00:42:20.710 --> 00:42:25.560 histories of all Americans. And there are also growing tussles and standards. For 00:42:25.560 --> 00:42:32.840 example, the draft ISO 27553 on biometric authentication for mobile phones is 00:42:32.840 --> 00:42:38.080 introducing at the insistence of Chinese delegates, a central database option. So 00:42:38.080 --> 00:42:43.480 in future, your phone might not verify your faceprint or your fingerprint 00:42:43.480 --> 00:42:50.440 locally. It might do it with a central database. Next slide, how could Cold War 00:42:50.440 --> 00:42:56.550 2.0 be different? Well, there's a number of interesting things here, and the 00:42:56.550 --> 00:43:00.960 purpose of this talk is to try and kick off a discussion of these issues. China 00:43:00.960 --> 00:43:06.120 makes electronics, not just guns, the way the old USSR did. Can you have a separate 00:43:06.120 --> 00:43:13.600 supply chain for China and one for everybody else? But hang on a minute, 00:43:13.600 --> 00:43:20.220 consider the fact that China has now collected very substantial personal data 00:43:20.220 --> 00:43:25.300 sets on the Office of Personnel Management, the US government employees, 00:43:25.300 --> 00:43:32.360 by forcing Apple to set up its own data centers in China for iPhone users in 00:43:32.360 --> 00:43:39.270 China, they get access to all the data for Chinese users of iPhones that America 00:43:39.270 --> 00:43:44.750 gets for American users of iPhones, plus maybe more as well. If the Chinese can 00:43:44.750 --> 00:43:50.690 break the HSMs in Chinese data centers as we expect them to be able to, Equifax got 00:43:50.690 --> 00:43:56.960 them data on all economically active people in the USA. care.data gave them 00:43:56.960 --> 00:44:02.390 medical records of everybody in the UK. And this bulk personal data is already 00:44:02.390 --> 00:44:08.470 being targeted in intelligence use when Western countries, for example, send 00:44:08.470 --> 00:44:13.640 diplomats to countries in Africa or Latin America or local Chinese counter- 00:44:13.640 --> 00:44:16.870 intelligence, people know whether they're bona fide diplomats or whether they're 00:44:16.870 --> 00:44:22.210 intelligence agents, undercover, all from exploitation of all this personal 00:44:22.210 --> 00:44:26.220 information. Now, given that this information's already in efficient targeted 00:44:26.220 --> 00:44:31.970 use, the next question we have to ask is when will it be used at scale? And this is 00:44:31.970 --> 00:44:37.390 the point at which we say that the equities issue now needs a serious rethink 00:44:37.390 --> 00:44:43.830 and the whole structure of the conflict is going to have to move from more offensive 00:44:43.830 --> 00:44:49.540 to more defensive because we depend on supply chains to which the Chinese have 00:44:49.540 --> 00:44:55.460 access more than they depend on supply chains to which we have access. Now, it's 00:44:55.460 --> 00:45:01.190 dreadful that we're headed towards a new Cold War, but as we head there, we have to 00:45:01.190 --> 00:45:05.950 ask also the respective roles of governments, industry and civil society, 00:45:05.950 --> 00:45:14.040 academia. Next slide, please. And so looking for my point is this. That is Cold 00:45:14.040 --> 00:45:18.860 War 2.0 does happen. I hope it doesn't. But we appear to be headed that way 00:45:18.860 --> 00:45:23.680 despite the change of governments in the White House. Then we need to be able to 00:45:23.680 --> 00:45:31.010 defend everybody, not just the elites. No, it's not going to be easy because there 00:45:31.010 --> 00:45:35.270 are more state players, the USA is a big block, the EU is a big block. There are 00:45:35.270 --> 00:45:39.650 other players, other democracies that are other non democracies. Those other failing 00:45:39.650 --> 00:45:45.210 democracies. This is going to be complex and messy. It isn't going to be a 00:45:45.210 --> 00:45:50.310 situation like last time where big tech reaches out to civil society and academia 00:45:50.310 --> 00:45:55.930 and we could see a united front against the agencies. And even in that case, of 00:45:55.930 --> 00:46:00.550 course, the victory that we got was only an apparent victory, a superficial victory 00:46:00.550 --> 00:46:06.410 that's only lasted for a while. So what could we do? Well, at this point, I think 00:46:06.410 --> 00:46:10.960 we need to remind all the players to listen. But it's not just about strategy 00:46:10.960 --> 00:46:15.800 and tactics, but it's about values, too. And so we need to be firmly on the side of 00:46:15.800 --> 00:46:21.470 freedom, privacy and the rule of law. Now, for the old timers, you may remember that 00:46:21.470 --> 00:46:29.520 there was a product called Tom-Skype, which was introduced in 2011 in China. The 00:46:29.520 --> 00:46:34.470 Chinese wanted the citizens to be able to use Skype, but they wanted to be able to 00:46:34.470 --> 00:46:38.290 wiretap as well, despite the fact that Skype at the time had end to end 00:46:38.290 --> 00:46:44.520 encryption. And so people in China were compelled to download a client for Skype 00:46:44.520 --> 00:46:50.450 called Tom-Skype. Tom was the company that distributed Skype in China and it 00:46:50.450 --> 00:46:55.070 basically had built in wire tapping. So you had end to end encryption using Skype 00:46:55.070 --> 00:47:01.240 in those days. But in China, you ended up having a Trojan client, which you had to 00:47:01.240 --> 00:47:08.240 use. And what we are doing at the moment is basically the EU is trying to copy Tom- 00:47:08.240 --> 00:47:13.440 Skype and saying that we should be doing what China was doing eight years ago. And 00:47:13.440 --> 00:47:17.540 I say we should reject that. We can't challenge President Xi by going down that 00:47:17.540 --> 00:47:21.970 route. Instead, we've got to reset our values and we've got to think through the 00:47:21.970 --> 00:47:27.600 equities issue and we've got to figure out how it is that we're going to deal with 00:47:27.600 --> 00:47:32.570 the challenges of dealing with non- democratic countries when there is serious 00:47:32.570 --> 00:47:40.620 conflict in a globalized world where we're sharing the same technology. Thanks. And 00:47:40.620 --> 00:47:52.230 perhaps the last slide for my book can come now and I'm happy to take questions. 00:47:52.230 --> 00:47:58.460 Herald: Yeah, thanks a lot, Ross, for your talk. It's a bit depressing to listen to 00:47:58.460 --> 00:48:09.510 you. I have to admit let's have a look. OK, so I have a question. I'm wondering if 00:48:09.510 --> 00:48:15.369 the export controls at EU level became worse than UK level export controls 00:48:15.369 --> 00:48:20.660 because entities like GCHQ had more influence there or because there's a harmful 00:48:20.660 --> 00:48:26.619 Franco German security culture or what it was. Do you have anything on that? 00:48:26.619 --> 00:48:30.890 Ross: Well, the experience that we had with these export controls, once they were 00:48:30.890 --> 00:48:38.260 in place, was as follows. It was about 2015 I think, or 2016, It came to our 00:48:38.260 --> 00:48:43.800 attention that a British company, Sophos, was selling bulk surveillance equipment to 00:48:43.800 --> 00:48:49.330 President al Assad of Syria, and he was using it to basically wiretap his entire 00:48:49.330 --> 00:48:54.080 population and decide who he was going to arrest and kill the following day. And it 00:48:54.080 --> 00:48:58.530 was sold by Sophos in fact, through a German subsidiary. And so we went along to 00:48:58.530 --> 00:49:06.870 the export control office in Victoria Street. A number of NGOs, the open rights 00:49:06.870 --> 00:49:11.880 group went along and Privacy International and us and one or two others. And we said, 00:49:11.880 --> 00:49:16.480 look, according to the EU dual use regulation, bulk intercept equipment is 00:49:16.480 --> 00:49:19.950 military equipment. It should be in the military list. Therefore, you should be 00:49:19.950 --> 00:49:25.330 demanding an export license for this stuff. And they found every conceivable 00:49:25.330 --> 00:49:34.100 excuse not to demand it. And it was the lady from GCHQ there in the room who was 00:49:34.100 --> 00:49:38.280 clearly calling the shots. And she was absolutely determined that there should be 00:49:38.280 --> 00:49:44.040 no export controls on the stuff being sold to Syria. And eventually I said, look, 00:49:44.040 --> 00:49:47.260 it's fairly obvious what's going on here. If there's going to be black boxes and 00:49:47.260 --> 00:49:51.110 President al-Assad's network, you want them to be British black boxes or German 00:49:51.110 --> 00:49:55.960 black boxes, not Ukrainian or Israeli black boxes. And she said, I cannot 00:49:55.960 --> 00:50:00.830 discuss classified matters in an open meeting, which is as close as you get to 00:50:00.830 --> 00:50:06.840 an admission. And a couple of months later, Angela Merkel, to her great credit, 00:50:06.840 --> 00:50:12.640 has actually come out in public and said that allowing the equipment to be exported 00:50:12.640 --> 00:50:16.440 from Utimaco to Syria was one of the hardest decision she'd ever taken as 00:50:16.440 --> 00:50:21.770 counselor. And that was a very difficult tradeoff between maintaining intelligence 00:50:21.770 --> 00:50:27.470 access, given the possibility that Western troops would be involved in Syria and the 00:50:27.470 --> 00:50:33.300 fact that the kit was being used for very evil purposes. So that's an example of how 00:50:33.300 --> 00:50:38.280 the export controls are used in practice. They are not used to control the harms 00:50:38.280 --> 00:50:44.330 that we as voters are told that they're there to control. Right. They are used in 00:50:44.330 --> 00:50:49.940 all sorts of dark and dismal games. And we really have to tackle the issue of export 00:50:49.940 --> 00:50:55.980 controls with our eyes open. H: Yeah, yeah. There's a lot a lot to do. 00:50:55.980 --> 00:51:03.800 And now Germany has left the EU, UN Security Council. So let's see what 00:51:03.800 --> 00:51:13.000 happens next. Yeah. We'll see, Ross. Anything else you'd like to add? We don't 00:51:13.000 --> 00:51:19.350 have any more questions. Oh, no, we have another question. It's just come up 00:51:19.350 --> 00:51:24.510 seconds ago. Do you think that refusal to accept back doors will create large 00:51:24.510 --> 00:51:35.300 uncensorable applications? R: Well, if you get large applications 00:51:35.300 --> 00:51:41.619 which are associated with significant economic power, then low pressure gets 00:51:41.619 --> 00:51:51.450 brought to bear on those economic players to do their social duty. And... this is what 00:51:51.450 --> 00:51:56.520 we have seen with the platforms that intermediate content, that act as content 00:51:56.520 --> 00:52:00.220 intermediaries such as Facebook and Google and so on, that they do a certain amount 00:52:00.220 --> 00:52:08.510 of filtering. But if, on the other hand, you have wholesale surveillance before the 00:52:08.510 --> 00:52:13.690 fact of End-To-End encrypted stuff, then are we moving into an environment where 00:52:13.690 --> 00:52:19.200 private speech from one person to another is no longer permitted? You know, I don't 00:52:19.200 --> 00:52:24.490 think that's the right trade off that we should be taking, because we all know from 00:52:24.490 --> 00:52:28.780 hard experience that when governments say, think of the children, they're not 00:52:28.780 --> 00:52:32.090 thinking of children at all. If they were thinking of children, they would not be 00:52:32.090 --> 00:52:36.280 selling weapons to Saudi Arabia and the United Arab Emirates to kill children in 00:52:36.280 --> 00:52:41.850 Yemen. And they say think about terrorism. But the censorship that we are supposed to 00:52:41.850 --> 00:52:47.880 use in universities around terrorism, the so-called prevent duty is known to be 00:52:47.880 --> 00:52:52.280 counterproductive. It makes Muslim students feel alienated and marginalized. 00:52:52.280 --> 00:52:57.480 So the arguments that governments use around this are not in any way honest. And 00:52:57.480 --> 00:53:01.810 we now have 20 years experience of these dishonest arguments. And for goodness 00:53:01.810 --> 00:53:05.550 sake, let's have a more grown up conversation about these things. 00:53:05.550 --> 00:53:11.700 H: Now, you're totally right, even if I have to admit, it took me a couple of 00:53:11.700 --> 00:53:24.660 years, not 20, but a lot to finally understand, OK? This I think that's it, we 00:53:24.660 --> 00:53:31.230 just have another comment and I'm thanking you for your time and are you in an 00:53:31.230 --> 00:53:36.680 assembly somewhere around hanging around in the next hour or so? Maybe if someone 00:53:36.680 --> 00:53:41.860 wants to talk to you, he can just pop by if you ever if you have used this 2d world 00:53:41.860 --> 00:53:45.260 already. R: No, I haven't been using the 2d world. 00:53:45.260 --> 00:53:50.590 I had some issues with my browser and getting into it. But I've got my my 00:53:50.590 --> 00:53:55.380 webpage and my email address is public and anybody who wants to discuss these things 00:53:55.380 --> 00:53:59.740 is welcome to get in touch with me. Herald: All right. So thanks a lot. 00:53:59.740 --> 00:54:04.195 R: Thank you for the invitation. H: Yeah. Thanks a lot. 00:54:04.195 --> 00:54:07.800 rC3 postroll music 00:54:07.800 --> 00:54:43.050 Subtitles created by c3subtitles.de in the year 2020. Join, and help us!