This week in encryption news: two main stories, oddly tied. First, China seeks to give the gift of encryption, but will it keep giving? And to whom? Then, as increasingly ironclad nations clamp down on freedom of information, one UK publication found a way to cut (code?) through the noise and to the screens of its secret readers. Encryption is increasingly the battle-axe for both sides in what is shaping up to be another round of the never-ending crypto journey.
Guess who China’s encryption law benefits? [Hint: it’s not hard]
What is the purpose of encryption? A lot of things, but namely that you are guaranteed the privacy of whatever’s inside—whatever's encrypted. And therein lies the rub. How do you define privacy?
How does the Chinese state define privacy? And after the realization of that definition, will encryption still live up to its promise?
What’s the story?
Starting the first day of 2020, the People’s Republic of China will put into effect a law passed to regulate encryption, an achievement as a matter of principle. It delineates the multiple types of encryption, their uses and permissions, and the ramifications of breaching, tampering with or failing to protect said encryption.
Not surprisingly, the Chinese encryption law seems to serve first what most government laws serve—the state. Everything after that is irrelevant gravy.
Nuts and bolts
What you can do
“the country encourages the research, academic exchanges, conversion of academic achievements and application of the technologies of commercial cryptography”
What you can't do
“the scientific research, production, sales, service and import and export...must not harm the state security and public interests”
It also adds “or other people’s rights and interests”, but when those collide with the interests of the state, we can only speculate as to the efficacy of that statement.
Some main points
- “Core and Common” encryption will be used for state secrets.
- Encryption developers can’t be asked to turn over source code, and any business secrets turned in must be kept confidential.
- Vendors of commercial cryptography that is not “examined or authenticated” will receive punitive measures. “Examined or authenticated” means under the auspices and criteria of the Chinese government.
What does it all mean?
The news here is that there is no news. No leaps and bounds, nothing new for the tech industry. Just a caveat that says anyone spotting a weakness in the encryption of state secrets (“core and common”) and failing to notify authorities is held accountable by law. We’ll see how that plays out over the coming months.
On the bright side: BBC news for everyone (on Tor)
While certain entities might be cracking down, the BBC network is ramping up and just went underground. At least partially. World news without censorship is now accessible to anyone with the software savvy to use Tor.
Originally developed as military technology by the Navy, The Onion Router (Tor) sends a user's traffic through a series of intermediate volunteer computers, wrapped in layers of encryption that each relay peels back one at a time, to throw off the scent of the original requesting computer. Not only can users be unidentifiable, they can also access special sites not available to lay-browsers.
For example, the Tor URL for the BBC [note the “.onion”]: https://www.bbcnewsv2vjtpsuy.onion/
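The layered relay encryption described above, as an added example that is not from the original article or the Tor Project: a simplified model in which the client wraps a request once per relay and each relay can remove only its own layer. The relay names, the `news.example:443` destination and the SHA-256 based toy cipher are assumptions for illustration; real Tor negotiates per-hop keys and uses fixed-size cells.

```python
import hashlib, hmac, json, os

def _subkey(key, label):
    return hashlib.sha256(label + key).digest()

def _xor_stream(key, nonce, data):
    # Toy stream cipher: SHA-256 in counter mode (stand-in for a real cipher).
    stream = b""
    for ctr in range(len(data) // 32 + 1):
        stream += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct

def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("layer was not sealed for this relay, or was modified")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

def build_onion(path, destination, payload):
    """path: [(relay_name, key), ...] ordered entry -> exit. Wrap exit layer first."""
    next_hop, blob = destination, payload
    for name, key in reversed(path):
        blob = seal(key, json.dumps({"next": next_hop, "data": blob.hex()}).encode())
        next_hop = name
    return blob

def peel(key, blob):
    layer = json.loads(unseal(key, blob))
    return layer["next"], bytes.fromhex(layer["data"])

def route(path, onion):
    """Return (what each relay learned, bytes delivered to the destination)."""
    learned, prev, blob = [], "client", onion
    for name, key in path:
        next_hop, blob = peel(key, blob)
        learned.append((name, prev, next_hop))
        prev = name
    return learned, blob

if __name__ == "__main__":
    path = [(n, os.urandom(32)) for n in ("entry", "middle", "exit")]  # constructed
    learned, out = route(path, build_onion(path, "news.example:443", b"GET /"))
    for relay, prev, nxt in learned:
        print(f"{relay}: received from {prev}, forwards to {nxt}")
```

In this model only the entry relay sees the client and only the exit relay sees the destination, which is the property that makes the requester hard to trace.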
Which Countries Will This Affect?
The following countries have blocked, or have attempted to block, BBC content for their citizens.
Ironically, Tor is known to many for its seedy reputation; its anonymity provides the perfect dark alley down which all breeds of cyber-rats scurry. But, with any luck, a beacon in the form of free world news will make its way down the same dark alley and shine a light on those whose access to information has been violently blacked out.