Category Archives: Encryption
Google Messages Getting Cross-Platform End-to-End Encryption with MLS Protocol – The Hacker News
Jul 24, 2023 | THN | Mobile Security / Privacy
Google has announced that it intends to add support for Messaging Layer Security (MLS) to its Messages service for Android and to open source its implementation of the specification.
"Most modern consumer messaging platforms (including Google Messages) support end-to-end encryption, but users today are limited to communicating with contacts who use the same platform," Giles Hogben, privacy engineering director at Google, said. "This is why Google is strongly supportive of regulatory efforts that require interoperability for large end-to-end messaging platforms."
The development comes as the Internet Engineering Task Force (IETF) released the core specification of the Messaging Layer Security (MLS) protocol as a Request for Comments (RFC 9420).
Some of the other major companies that have thrown their weight behind the protocol are Amazon Web Services (AWS) Wickr, Cisco, Cloudflare, The Matrix.org Foundation, Mozilla, Phoenix R&D, and Wire. Notably missing from the list is Apple, which offers iMessage.
MLS, as the name implies, is a security layer for end-to-end encryption that facilitates interoperability across messaging services and platforms. It was approved for publication as a standard by IETF in March 2023.
"MLS builds on the best lessons of the current generation of security protocols," IETF noted at the time. "Like the widely used Double Ratchet protocol, MLS allows for asynchronous operation and provides advanced security features such as post-compromise security. And, like TLS 1.3, MLS provides robust authentication."
Central to MLS is an approach known as Continuous Group Key Agreement (CGKA), which lets multiple messaging clients agree on a shared key for groups ranging in size from two to thousands of members, with forward secrecy guarantees that hold regardless of who joins and leaves the group conversation.
"The core functionality of MLS is continuous group authenticated key exchange (AKE)," the standard document reads. "As with other authenticated key exchange protocols (such as TLS), the participants in the protocol agree on a common secret value, and each participant can verify the identity of the other participants."
"That secret can then be used to protect messages sent from one participant in the group to the other participants using the MLS framing layer or can be exported for use with other protocols. MLS provides group AKE in the sense that there can be more than two participants in the protocol, and continuous group AKE in the sense that the set of participants in the protocol can change over time."
This evolving membership is realized by means of a data structure called an asynchronous ratcheting tree, which is used to derive shared secrets among a group of clients. The goal is to be able to efficiently remove any member, achieving post-compromise security by preventing group messages from being intercepted even if one member was breached at some point in the past.
Forward secrecy, on the other hand, keeps messages sent at a given point in time secure even if a group member is compromised later. It is provided by deleting the private keys of past versions of the ratchet tree, so that old group secrets cannot be re-derived.
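The ratchet-tree mechanics described in the two paragraphs above, as an added toy example that is not part of the article or of any MLS implementation: a four-member TreeKEM-style tree in which an Update injects fresh randomness at a leaf, re-derives the direct path, encrypts each new path secret to the copath node and deletes the old secrets. The deliberately tiny Diffie-Hellman group, the fixed four-leaf layout and the confirmation tag are this example's own simplifications (assumed, not taken from RFC 9420); the demo shows a member whose state was stolen still being readable while others update, then locked out once it updates itself.

```python
import hashlib
import hmac
import os

# Array-backed binary tree with four leaves: 0..3 are leaves, 4 = parent(0,1), 5 = parent(2,3), 6 = root.
PARENT = {0: 4, 1: 4, 2: 5, 3: 5, 4: 6, 5: 6}
SIBLING = {0: 1, 1: 0, 2: 3, 3: 2, 4: 5, 5: 4}
ROOT = 6
# Toy Diffie-Hellman group (Mersenne prime 2^127-1, generator 3), far too small for real use; it
# stands in for the HPKE (X25519 / P-256) key pair that MLS attaches to every node of the tree.
P, G = 2**127 - 1, 3
TREE_PUB = {}  # public half of the ratchet tree (node -> public key), visible to every member

def kdf(secret, label):
    return hmac.new(secret, label, hashlib.sha256).digest()

def node_keypair(path_secret):
    # node key pair derived from the node's path secret, as TreeKEM does
    priv = 1 + int.from_bytes(kdf(path_secret, b"node"), "big") % (P - 2)
    return priv, pow(G, priv, P)

def dh_pad(point, scalar):
    return kdf(pow(point, scalar, P).to_bytes(16, "big"), b"wrap")

def encrypt_to(pub, secret):
    """Wrap a 32-byte secret to a node public key: ephemeral DH share plus a one-time pad."""
    r = 1 + int.from_bytes(os.urandom(32), "big") % (P - 2)
    return pow(G, r, P), bytes(a ^ b for a, b in zip(dh_pad(pub, r), secret))

def decrypt_with(priv, ct):
    return bytes(a ^ b for a, b in zip(dh_pad(ct[0], priv), ct[1]))

def direct_path(leaf):
    return [leaf, PARENT[leaf], ROOT]

class Member:
    """A client holds the path secrets of its own direct path only; secrets[ROOT] is the group secret."""
    def __init__(self, leaf, secrets):
        self.leaf, self.secrets = leaf, dict(secrets)

    def make_update(self):
        """Fresh leaf randomness, re-derived direct path, each new path secret encrypted to its copath node."""
        secret = os.urandom(32)
        new_secrets, ciphertexts = {self.leaf: secret}, {}
        for node in direct_path(self.leaf)[:-1]:
            secret = kdf(secret, b"path")  # ratchet one level up
            new_secrets[PARENT[node]] = secret
            ciphertexts[SIBLING[node]] = encrypt_to(TREE_PUB[SIBLING[node]], secret)
        self.secrets = new_secrets  # old path secrets are deleted, never kept around
        TREE_PUB.update({n: node_keypair(s)[1] for n, s in new_secrets.items()})  # publish new keys
        return {"sender": self.leaf, "ct": ciphertexts, "confirm": kdf(secret, b"confirm")}

    def process_update(self, msg):
        """Decrypt the path secret meant for my subtree, ratchet to the root, check the tag; False if I cannot follow."""
        for node in direct_path(msg["sender"])[:-1]:
            if SIBLING[node] in self.secrets:
                priv = node_keypair(self.secrets[SIBLING[node]])[0]
                secret, node = decrypt_with(priv, msg["ct"][SIBLING[node]]), PARENT[node]
                break
        else:
            return False  # no copath key: this is the sender's own leaf
        new_secrets = {n: s for n, s in self.secrets.items() if n not in direct_path(msg["sender"])}
        new_secrets[node] = secret
        while node != ROOT:
            node, secret = PARENT[node], kdf(secret, b"path")
            new_secrets[node] = secret
        if kdf(secret, b"confirm") != msg["confirm"]:
            return False  # garbage: my copy of the copath key is stale
        self.secrets = new_secrets
        return True

def create_group():
    """Constructed trusted setup standing in for MLS Add/Welcome: every node gets a random secret."""
    node_secrets = {n: os.urandom(32) for n in range(7)}
    TREE_PUB.update({n: node_keypair(s)[1] for n, s in node_secrets.items()})
    return [Member(leaf, {n: node_secrets[n] for n in direct_path(leaf)}) for leaf in range(4)]

def attacker_derive(stolen, transcript):
    """Replay the public updates against a stolen copy of one member's state; updates it cannot follow are skipped."""
    state = Member(stolen.leaf, stolen.secrets)
    for msg in transcript:
        state.process_update(msg)
    return state.secrets[ROOT]

def demo():
    m0, m1, m2, _ = members = create_group()
    stolen, transcript = Member(m0.leaf, m0.secrets), []  # attacker copies member 0's state at epoch 0
    def broadcast(sender):
        transcript.append(sender.make_update())
        return all(m.process_update(transcript[-1]) for m in members if m is not sender)
    broadcast(m1)  # epoch 1: another member rotates; the stolen copath key for leaf 0 still decrypts
    reads_e1 = attacker_derive(stolen, transcript) == m2.secrets[ROOT]
    before_heal = set(m0.secrets.values())
    broadcast(m0)  # epoch 2: the breached member injects fresh randomness and heals the group
    reads_e2 = attacker_derive(stolen, transcript) == m2.secrets[ROOT]
    broadcast(m2)  # epoch 3: the attacker's copy of node 4's key is now stale, so it stays locked out
    reads_e3 = attacker_derive(stolen, transcript) == m2.secrets[ROOT]
    return {"members_agree": len({m.secrets[ROOT] for m in members}) == 1,
            "attacker_reads": (reads_e1, reads_e2, reads_e3),
            "old_secrets_deleted": before_heal.isdisjoint(m0.secrets.values())}
```

Calling demo() returns a dict recording that the stolen state follows epoch 1 but neither epoch 2 nor 3, and that the healed member retains none of its pre-update secrets.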
Mozilla, which is hoping to see a standardization of a Web API to leverage the protocol directly via web browsers, said MLS is designed such that "the legitimacy of new members entering a group is checked by everyone: there is nowhere to hide."
See more here:
Google Messages Getting Cross-Platform End-to-End Encryption with MLS Protocol - The Hacker News
Hacking police radios: 30-year-old crypto flaws in the spotlight – Naked Security
If you'd been quietly chasing down cryptographic bugs in a proprietary police radio system since 2021, but you'd had to wait until the second half of 2023 to go public with your research, how would you deal with the reveal?
You'd probably do what researchers at boutique Dutch cybersecurity consultancy Midnight Blue did: line up a world tour of conference appearances in the US, Germany and Denmark (Black Hat, Usenix, DEF CON, CCC and ISC), and turn your findings into a BWAIN.
The word BWAIN, if you haven't seen it before, is our very own jocular acronym that's short for Bug With An Impressive Name, typically with its own logo, PR-friendly website and custom domain name.
(One notorious BWAIN, named after a legendary musical instrument, Orpheus's Lyre, even had a theme tune, albeit played on a ukulele.)
This research is dubbed TETRA:BURST, with the letter A stylised to look like a shattered radio transmission mast.
TETRA, if you've never heard of it before, is short for Terrestrial Trunked Radio, originally Trans-European Trunked Radio, and is widely used (outside North America, at least) by law enforcement, emergency services and some commercial organisations.
TETRA has featured on Naked Security before, when a Slovenian student received a criminal conviction for hacking the TETRA network in his own country after deciding that his vulnerability reports hadn't been taken seriously enough:
Trunked radio needs fewer base stations and has a longer range than mobile phone networks, which helps in remote areas, and it supports both point-to-point and broadcast communications, desirable when co-ordinating law enforcement or rescue efforts.
The TETRA system, indeed, was standardised back in 1995, when the cryptographic world was very different.
Back then, cryptographic tools including the DES and RC4 ciphers, and the MD5 message digest algorithm, were still in widespread use, though all of them are now considered dangerously unsafe.
DES was superseded at the start of the 2000s because it uses encryption keys just 56 bits long.
Modern computers are sufficiently fast and cheap that determined cryptocrackers can fairly easily try out all 2^56 possible keys (what's known as a brute-force attack, for obvious reasons) against intercepted messages.
RC4, which is supposed to turn input data with recognisable patterns (even a text string of the same character repeated over and over) into random digital shredded cabbage, was found to have significant imperfections.
These could be used to winkle out plaintext input by performing statistical analysis of ciphertext output.
MD5, which is supposed to produce a pseudorandom 16-byte message digest from any input file, thus generating unforgeable fingerprints for files of any size, turned out to be flawed, too.
Attackers can easily trick the algorithm into churning out the same fingerprint for two different files, annihilating its value as a tamper-detection tool.
End-to-end encryption for individual online transactions, which we now take for granted on the web thanks to secure HTTP (HTTPS, based on TLS, short for transport layer security), was both new and unusual back in 1995.
Transaction-based protection relied on the brand-new-at-the-time network-level protocol known as SSL (secure sockets layer), now considered sufficiently insecure that you'll struggle to find it in use anywhere online.
Unlike DES, RC4, MD5, SSL and friends, TETRA's 1995-era encryption remains in widespread use to this day, but hasn't received much research attention, apparently for two main reasons.
Firstly, even though it's used around the world, it's not an everyday service that pops up in all our lives in the way that mobile telephones and web commerce do.
Secondly, the underlying encryption algorithms are proprietary, guarded as trade secrets under strict non-disclosure agreements (NDAs), so they simply haven't had the same level of public mathematical scrutiny as unpatented, open-source encryption algorithms.
In contrast, cryptosystems such as AES (which replaced DES), SHA-256 (which replaced MD5), ChaCha20 (which replaced RC4), and various iterations of TLS (which replaced SSL) have all been analysed, dissected, discussed, hacked, attacked and critiqued in public for years, following what's known in the trade as Kerckhoffs's principle.
Auguste Kerckhoffs was a Dutch-born linguist who ended up as a professor of the German language in Paris.
He published a pair of seminal papers in the 1880s under the title Military Cryptography, in which he proposed that no cryptographic system should ever rely on what we now refer to as security through obscurity.
Simply put, if you need to keep the algorithm secret, as well as the decryption key for each message, you're in deep trouble.
Your enemies will ultimately, and inevitably, get hold of that algorithm, and, unlike decryption keys, which can be changed at will, you're stuck with the algorithm that uses those keys.
Commercial NDAs are peculiarly purposeless for keeping cryptographic secrets, especially for successful products that end up with ever more partners signed up under NDA.
There are four obvious problems here, namely:
The Dutch researchers in this story took the last approach, legally acquiring a bunch of compliant TETRA devices and figuring out how they worked without using any information covered by NDA.
Apparently, they discovered five vulnerabilities that ended up with CVE numbers dating back to 2022, because of the time involved in liaising with TETRA vendors on how to fix the issues: CVE-2022-24400 to CVE-2022-24404 inclusive.
Obviously, they're now holding out on full details for maximum PR effect, with their first public paper scheduled for 2023-08-09 at the Black Hat 2023 conference in Las Vegas, USA.
Advance information provided by the researchers is enough to remind us of three cryptographic must-follow rules right away:
Fortunately, it looks as though CVE-2022-24401 has already been quashed with firmware updates (assuming users have applied them).
As for the rest of the vulnerabilities, we'll have to wait until the TETRA:BURST tour kicks off for full details and mitigations.
Read the original:
Hacking police radios: 30-year-old crypto flaws in the spotlight - Naked Security
Nubeva's Ransomware Key Interception and Decryption Technology Validated in Third-Party Lab – SecurityWeek
NuRR is a product that claims to intercept and capture the encryption keys at the start of a ransomware's encryption process. With the keys caught, any successful encryption can be rapidly decrypted without paying a ransom.
These claims were tested at MISI's DreamPort facility in Columbia, MD. MISI is a non-profit organization purposed with driving discovery, education, collaboration, and innovation in cybersecurity. The DreamPort facility was created in partnership with US Cyber Command (USCYBERCOM) but is neither owned nor operated by the government. One of the key pillars of MISI's operation is to provide independent validation of product claims for government.
NuRR (Nubeva Ransomware Reversal) was developed by San Jose, California-based Nubeva. The technology involves a small agent operating in the background on each endpoint. It is automatically activated by the first signs of anomalous or mass encryption. It listens to the process and captures and extracts the encryption keys. These keys can be used to decrypt any files successfully encrypted by the ransomware.
It is worth noting that NuRR is not a ransomware prevention system. Companies still require ransomware prevention; but NuRR can be considered a fail-safe solution for when prevention fails.
The claims were tested at DreamPort over a four-week period. Popular ransomware variants were detonated on Windows endpoints with NuRR installed (99% of ransomware is performed on a Windows OS). Nubeva had no relationship or connection with MISI during this process.
The primary purpose of the testing was to analyze NuRR's ability to capture ransomware cryptographic keys, and to test whether Nubeva's decryptors could then restore the encrypted data. The ransomware variants used in this testing included Lockbit 3, Blackcat/ALPHV, CL0P, PLAY, Black Basta, Ragnar Locker, Conti, REvil, and others amounting to a high percentage of real attacks over the last year.
The results of the testing were made available in July 2023 (summary). NuRR succeeded in all 17 of MISI's tests, with zero failures. It demonstrated 100% success in capturing keys. MISI also noted that the product is simple and secure: it is trivial to implement and use for a junior engineer, and did not introduce observed system instabilities during test. NuRR does not open network ports or introduce vulnerabilities into an endpoint as measured by Nmap and BitDefender Total Security.
The MISI report concludes: "MISI is excited about this product and believes it shows real promise. Decryption is arguably one of the fastest and lowest data-loss means to recover data from a ransomware attack and, as such, represents a new potential layer of defense. Given these testing results and the simplicity of the NuRR decryption solution, we feel NuRR represents a very real potential safety-net for organizations to consider."
"We knew obtaining third-party validation was crucial to prove the viability of our technology for the broader audience. With this validation, we have proof to support our claims," Steve Perkins, CMO and head of product at Nubeva, told SecurityWeek. "We can help organizations. We can help people. We can decrypt ransomware."
Related: Can Encryption Key Intercepts Solve The Ransomware Epidemic?
Related: New Ransomware With RAT Capabilities Impersonating Sophos
Related: Recycling Giant Tomra Takes Systems Offline Following Cyberattack
See the original post:
Nubeva's Ransomware Key Interception and Decryption Technology Validated in Third-Party Lab - SecurityWeek
Almost 50 Years Into the Crypto Wars, Encryption’s Opponents Are … – WIRED
When I contemplate the return of the crypto wars (attempts to block citizens' use of encryption by officials who want unfettered spying powers), I look back with dread on the late Middle Ages. I wasn't alive back then, but one feature of those times lingers in my consciousness. Starting around 1337 and all the way until 1453, England and France fought a series of bloody battles. The conflict went on so long it was immortalized by its centenarian length: We know it as the Hundred Years War.
The crypto wars haven't yet reached that mark. (In this column I will be reclaiming the term crypto from its more recent and debased usage by blockchain enthusiasts, too many of whom haven't read my 2001 book called, um, Crypto.) Dating from the publication of the groundbreaking 1976 paper that introduced public key cryptography (a means of widening access to encryption that was developed just in time for the internet), the skirmish between encryption advocates and their foes in officialdom is only just approaching 50 years.
From the start, government efforts to constrain or outlaw secure encrypted communications were vigorous and persistent. But by the turn of the millennium it appeared the fight was over. Encryption was so obviously critical to the internet that it was built into every browser and increasingly included in messaging systems. Government snooping didn't end (check out Edward Snowden's revelations), but certain government elements around the world never got comfortable with the idea that citizens, including the most rotten among us, could share secrets safe from the eyes of surveillants. Every few years, there's a flareup with proposed new regulations, accompanied by scary scenarios from the likes of FBI directors about going dark.
The arguments of the anti-crypto faction are always the same. If we allow encryption to flourish, they plead, we're protecting terrorists, child pornographers, and drug dealers. But the more compelling counterarguments haven't changed, either. If we don't have encryption, no one can communicate securely. Everyone becomes vulnerable to blackmail, theft, and corporate espionage. And the last vestiges of privacy are gone. Building a back door to allow authorities to peek into our secrets will only make those secrets more accessible to dark-side hackers, thieves, and government agencies operating off the books. And even if you try to outlaw encryption, nefarious people will use it anyway, since the technology is well known. Crypto is toothpaste that can't go back in the tube.
The good news is that so far encryption is winning. After a long period where crypto was too hard for most of us to use, some extremely popular services and tools have end-to-end encryption built in as a default. Apple is the most notable adopter, but there's also Meta's WhatsApp and the well-respected standalone system Signal.
Still, the foes of encryption keep fighting. In 2023, new battlefronts have emerged. The UK is proposing to amend its Investigatory Powers Act with a provision demanding that companies provide government with plaintext versions of communications on demand. That's impossible without disabling end-to-end encryption. Apple has already threatened to pull iMessage and FaceTime out of the UK if the regulation passes, and other end-to-end providers may well follow, or find an alternative means to keep going. "I'm never going to willingly abandon the people in the UK who deserve privacy," says Signal president Meredith Whittaker. "If the government blocks Signal, then we will set up proxy servers, like we did in Iran."
Originally posted here:
Almost 50 Years Into the Crypto Wars, Encryption's Opponents Are ... - WIRED
Apple Threatens to Pull iMessage and FaceTime from U.K. Amid Surveillance Demands – The Hacker News
Jul 22, 2023 | THN | Encryption / Privacy
Apple has warned that it would rather stop offering iMessage and FaceTime services in the U.K. than bowing down to government pressure in response to new proposals that seek to expand digital surveillance powers available to state intelligence agencies.
The development, first reported by BBC News, makes the iPhone maker the latest to join the chorus of voices protesting against forthcoming legislative changes to the Investigatory Powers Act (IPA) 2016 in a manner that would effectively render encryption protections ineffective.
Specifically, the Online Safety Bill requires companies to install technology to scan for child sex exploitation and abuse (CSEA) material and terrorism content in encrypted messaging apps and other services. It also mandates that messaging services clear security features with the Home Office before releasing them and take immediate action to disable them if required without informing the public.
While the bill does not explicitly call for the removal of end-to-end encryption, it would de facto amount to weakening it, as the companies offering the services would have to scan all messages in order to flag and take them down. This has been viewed as a disproportionate step that allows the government to enforce bulk interception and surveillance.
Apple told the British broadcaster that such a provision would "constitute a serious and direct threat to data security and information privacy."
Earlier this April, a number of messaging apps that currently offer encrypted chats, such as Element, Signal, Threema, Viber, Meta-owned WhatsApp, and Wire, published an open letter, urging the U.K. government to rethink its approach and "encourage companies to offer more privacy and security to its residents."
"The Bill provides no explicit protection for encryption, and if implemented as written, could empower OFCOM to try to force the proactive scanning of private messages on end-to-end encrypted communication services nullifying the purpose of end-to-end encryption as a result and compromising the privacy of all users," the letter read.
Apple, which previously announced its own plans to flag potentially problematic and abusive content in iCloud Photos, abandoned it last year after receiving pushback from digital rights groups over worries that the capability could be abused to undermine users' privacy and security.
This is not the first time the tussle between end-to-end encryption vis-à-vis the need to tackle serious crimes online has cropped up.
In May 2021, WhatsApp sued the Indian government to block internet regulations that would compel the messaging app to break encryption by incorporating a traceability mechanism to identify the "first originator of information" or risk facing criminal penalties. The case is still pending.
Apple's refusal to play ball is in line with its public stance on privacy, one that allows it to position itself as a "privacy hero" among other companies that thrive on collecting user data to serve targeted ads.
But it also rings hollow when considering the fact that every message sent to or received from a non-Apple device is unencrypted, since SMS does not support end-to-end encryption, and could potentially open the door for government surveillance.
Read the original here:
Apple Threatens to Pull iMessage and FaceTime from U.K. Amid Surveillance Demands - The Hacker News
Teams Enhances End-to-End Encryption to Bolster Security – UC Today
Microsoft is launching Collaboration Security for Microsoft Teams, a solution whose features include an enhancement of full end-to-end encryption.
The solution is among several Defender for Office 365 tools and applications being introduced to Teams as Microsoft, and its other features include enhanced visibility into attacks through end-user reporting and the new capability for IT admins and SecOps to auto-purge malicious messages and attachments after their delivery.
Initially announced in March 2023, Collaboration Security for Microsoft Teams is rolling out now, with full, email-style end-to-end encryption arguably its highlight addition.
Sehrish Khan, Product Marketing Manager at Microsoft, wrote in a blog post in March:
"With 71 percent of companies admitting that sensitive and business-critical data is regularly shared via collaboration tools like Microsoft Teams, organizations are increasingly realizing the need to make collaboration security an integral part of their overall SOC strategy. That's why we are bringing the full feature set that customers use to protect their email environments across prevention, detection, and response to Microsoft Teams."
Microsoft states that Collaboration Security for Microsoft Teams was catalysed by the growth of hybrid and remote working, with the risks to data protection, privacy and security inherent to working over UC and collaboration platforms.
"Attacks like phishing and ransomware that for decades have primarily used email as an entry point are now also targeting users on collaboration tools with growing frequency," Khan added.
Customers of Microsoft E5, Microsoft E5 Security, or Microsoft Defender for Office 365 can now leverage this update to improve their Teams security.
As well as introducing full end-to-end encryption in Teams, Microsoft also adds capabilities to improve cybersecurity awareness and resilience for business users.
All collaboration security functions will be integrated with the unified security operations (SecOps) experience of Microsoft 365 Defender, Microsoft's Extended Detection and Response (XDR). As a result, all signals and alerts will be compiled across other domains, including endpoints, identities, email, DLP, and SaaS apps.
Microsoft now enables users to report suspicious messages directly in Teams, similar to how users can report suspicious emails in Outlook. The security team will be alerted whenever users report suspicious messages and can note them in the 365 Defender portal. This is an update of Microsofts Safe Links feature, initially launched in 2021, which scanned URLs shared in Teams conversations, chats, or channels for possibly malicious content at time-of-click to prevent users from accessing malicious websites.
All user submissions will be compiled into an auto-generated investigation of suspicious URL clicks. This will streamline the experience of reviewing suspicious messages for SOC teams, allowing them to respond more quickly.
The automatic purging of potentially malicious messages and attachments is an intriguing capability. "For a faster response and automatic action, we are bringing zero auto purge (ZAP) to Teams, which protects end-users by analysing messages post-delivery and automatically quarantines messages that contain malicious content to stop the actor from compromising the account," Khan wrote.
Once a malicious message or attachment has been identified, the entire Teams ecosystem will be automatically scanned for the same sign of compromise before quarantining all other relevant messages at scale for better protection.
The default configuration for ZAP is to transfer all malicious messages into quarantine, where SOC teams can assess them further before deciding on the next steps, but the policy can also be customised to suit each business's needs.
Other Collaboration Security features include providing SecOps with proactive tools for the advanced hunting of threats, which comprises a query-based threat-hunting tool that lets admins and SecOps examine up to 30 days of raw data. Microsoft is also adding attack simulation and training tools to bolster education, awareness, and risk assessment to support Teams user resilience against security threats.
Microsoft announced a series of new Copilot capabilities for Teams Phone and Chat. Copilot will be adding generative AI to phone calls for Teams Phone. With this new function, users can make and receive calls from their Teams app on any device and get real-time summarization and insights.
For Teams chat, users can quickly synthesise important information from their chat threads, allowing them to ask specific questions to catch up on the conversation so far, manage key discussion points, and summarise data relevant to their workflows.
Other new Teams features announced at Inspire included the Teams chat window being able to transfer to the Edge browser when opening a webpage link from Teams chat, a keyboard shortcut to search chats and channels, collaborative notes in Teams meetings, and enhanced external collaboration requests.
Microsoft launched Bing Chat Enterprise, bringing Bing Chat's generative AI features into the business world.
While Bing Chat Enterprise's capabilities could be seismic for businesses around the world, Microsoft went to great lengths during the solution's announcement to emphasise how secure and safe its offering will be for companies with anxiety around data protection.
Microsoft emphasised the strength of Bing Chat Enterprise's security because the most widely available generative AI solutions have come under close scrutiny in recent weeks and months for their handling of privacy and protection of business data.
The central issue is that OpenAI's ChatGPT, the most generally used generative AI service, leverages user prompts to develop and improve its model unless users deliberately opt out. This has galvanised worries that employees might inadvertently include proprietary or confidential data or information in their prompts, which ChatGPT utilises to answer future queries.
However, when business users utilise Bing Chat Enterprise, their chat data is not saved and, therefore, not extracted to train AI models. No one else can view the users' prompts and data.
In this context, Collaboration Security for Microsoft Teams maintains Microsoft's commitment to strengthening its security offerings across its suite.
See the article here:
Teams Enhances End-to-End Encryption to Bolster Security - UC Today
The U.S. Is Falling Behind on Encryption Standards – And That’s a … – eSecurity Planet
The U.S. National Institute of Standards and Technology (NIST) is charged with setting cybersecurity standards and certifying products, yet it is woefully behind on both. As new threats emerge (we're looking at you, quantum computing), continued delays could become a crisis.
Two areas that are particularly concerning are delays in FIPS 140-3 certifications and the development of post-quantum cryptography.
FIPS 140-3 sets encryption and protection standards for everything from software, SSDs and HDDs to network switches and new quantum encryption standards, yet product certifications have been running far behind historical norms. As quantum computing technology continues to develop, this problem will become a crisis if it can't be resolved now.
The FIPS 140 standard started in January 1994 with FIPS 140-1, developed by a government and industry working group composed of vendors and users of cryptographic equipment. FIPS 140-2 was issued in May 2001 and FIPS 140-1 was sunsetted a year later.
FIPS 140 became the main input to the international standard ISO/IEC 19790:2006, Security requirements for cryptographic modules, issued in March 2006, so NIST was leading the standards process for much of the world. Hundreds, if not thousands, of products were certified under FIPS 140-2. The vendor community knew how to develop and maintain those products for almost two decades, and historically, certification took from six months to at most 12 months, unless something egregious was found, which did not happen very often because the process was well known and vendors knew what to do and how to do it.
FIPS 140-3 was issued in March 2019 and certification submissions began in September 2020. The FIPS 140-3 standard did not change encryption algorithms or key size. What did change in FIPS 140-3 is that the standard now evaluates security requirements at all stages of cryptographic module creation, including design, implementation and final operational deployment. FIPS 140-3 also requires different authorization levels and users for management activities, similar to what SELinux requires with a SecAdmin user (security admin) and an AuditAdmin (the administrator of the audit files). So the vendor community had some changes to make, but hardware vendors most likely did not have to create a new ASIC with new algorithms and merely had to modify firmware.
Today we are almost three years into FIPS 140-3 submissions, and while we had a Covid shutdown during some of that time, it doesn't explain why there have only been seven FIPS 140-3 certifications as of last week, the last one nearly six months ago (chart below), and another 189 (and growing) in the certification process. I doubt the vendor community is so incompetent that they couldn't comply with the minor changes required to get products certified. Add to this that both hardware and software FIPS 140-2 products are likely gone, as the last submission to FIPS 140-2 was March 2022 and those products likely reached end-of-life some time ago.
(Chart: FIPS 140-3 certified products as of July 18, 2023)
The lack of FIPS 140-3 products is seriously hurting our security posture, and there are no public statements from NIST on when or if the certification process will catch up.
See the Top Enterprise Encryption Products
Those delays are coming at the same time the agency is overseeing a process to evaluate and standardize quantum-resistant public-key cryptographic algorithms.
The facts are pretty simple:
This process has been going on since 2016, and since that time there has been a huge increase in quantum technology and an equally large increase in quantum understanding and interest. Yet seven years later, we have only four algorithms, and one of those, SIKE, was cracked with a single core and one hour of CPU time. This does not give me warm fuzzies that the other NIST algorithms are solid, but I suppose since the others have not yet been publicly shamed, there is hope.
Related content: Confidential Computing Use Cases & Vendors
The delay in developing quantum-resistant algorithms is especially troubling given the time it will take to get those products to market.
It generally takes four to six years with a new standard for a vendor to develop an ASIC to implement the standard, and it then takes time for the vendor to get the product certified, which seems to be taking a troubling amount of time.
I am not sure that NIST is up to the dual challenge of getting the algorithms out and products certified so that vendors can have products that are available before quantum computers can break current technology. There is a race between quantum technology and NIST vetting algorithms, and at the moment the outcome is looking worrisome.
Since NIST is both the standards and certification body for standards for our nation and much of the world, I find the situation both disheartening and pretty scary. Not a week goes by without some new quantum announcement from vendors, and not a day goes by without another major cybersecurity incident.
We deserve and need standards that provide the nation a modicum of security, and we need a standards body that is looking ahead to the future and ensuring that we will be protected. At the moment we have neither, and can only hope that the Biden Administration's Cybersecurity Strategy can fix this.
Original post: The U.S. Is Falling Behind on Encryption Standards - And That's a ... - eSecurity Planet
Asymmetric Encryption Algorithms: What Are They And How Are … – Dataconomy
The need for robust cybersecurity measures has never been more critical than in 2023. Asymmetric encryption algorithms are the guardians of digital security, ensuring that sensitive information remains protected and digital interactions stay authenticated.
There are many dangers out there that can harm our sensitive information and disrupt important services. These dangers keep evolving and becoming more advanced, making it harder to stay safe online.
From hackers trying to steal our money to cyber attacks sponsored by governments, the threats are diverse and relentless. They exploit weaknesses in our devices, and software, and even trick us into giving away our information.
To protect ourselves and our data, we need to be aware of these dangers and take measures to stay safe. By understanding the risks and implementing strong security measures, we can better defend against cyber threats and keep our digital lives secure.
Asymmetric encryption algorithms, also known as public-key cryptography, are powerful cryptographic techniques that play a pivotal role in modern cybersecurity. Unlike symmetric encryption, which relies on a single shared secret key for both encryption and decryption, asymmetric encryption algorithms utilize a pair of mathematically related keys: a public key and a private key.
The concept behind asymmetric encryption is elegant and innovative. The public key is openly shared with the world, and accessible to anyone who wishes to engage in secure communication with the key's owner. On the other hand, the private key remains a closely guarded secret, known only to the individual or entity to whom it belongs. The ingenious aspect lies in the mathematical relationship between these keys: data encrypted with the public key can only be decrypted with the corresponding private key, and vice versa.
One of the most significant applications of asymmetric encryption algorithms is secure data transmission. By leveraging the public and private keys, these algorithms ensure that data exchanged between parties remains confidential during transmission, even if intercepted by unauthorized entities. The encryption process transforms the plaintext into an unintelligible ciphertext, and only the intended recipient possessing the corresponding private key can decipher and access the original data.
Asymmetric encryption algorithms are also instrumental in providing digital signatures, which verify the authenticity and integrity of digital messages or documents. Digital signatures are generated using the sender's private key and appended to the data. The recipient can then use the sender's public key to validate the signature, providing assurance that the message indeed originated from the claimed sender and has not been tampered with during transmission.
Beyond secure communication and digital signatures, asymmetric encryption algorithms find extensive use in file encryption. This application offers a robust solution for protecting sensitive data stored on electronic devices or transmitted across networks. By encrypting files with the intended recipient's public key, the data becomes accessible only to the recipient possessing the corresponding private key, ensuring the data's confidentiality.
The concept of confidentiality is central to asymmetric encryption, as it guarantees that only the intended recipients with the appropriate private key can access and decrypt the encrypted data. This safeguard is essential for protecting intellectual property, personal information, financial records, and other sensitive data from unauthorized access and potential data breaches.
Additionally, asymmetric encryption enables the verification of the sender's authenticity through digital signatures. Digital signatures provide recipients with a means to ascertain the legitimacy of the sender, reducing the risk of falling victim to phishing attacks or other forms of impersonation.
Moreover, asymmetric encryption enables non-repudiation, a crucial concept in cybersecurity. Non-repudiation ensures that a sender cannot later deny sending a specific message or initiating a particular transaction. The sender's private key signs the message or transaction, providing cryptographic proof of the sender's involvement and precluding any attempts to disavow the event.
Asymmetric encryption algorithms also play a pivotal role in facilitating secure key exchange techniques. These algorithms enable parties to establish a shared secret key for subsequent symmetric encryption without the need for prior communication or a secure channel. This key-agreement mechanism is essential for establishing secure and confidential communication between parties without the risk of exposing the shared key.
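The key-agreement mechanism described above, shown as an added example that is not from the article: two parties derive the same symmetric key while only their public values cross the network. Diffie-Hellman is used here as one instance of such a mechanism (the article names none), and the modulus 2**127-1 with generator 3 is a toy choice for readability, not a standardized group.

```python
"""Key agreement over an untrusted channel with Diffie-Hellman.

Constructed example (standard library only). Diffie-Hellman is used here
as one instance of the key-agreement mechanism the article describes; the
modulus 2**127-1 and generator 3 are a toy choice, not a standardized group.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # Mersenne prime M127 (constructed toy modulus)
G = 3            # generator (constructed toy choice)


def is_valid_public(value: int, p: int = P) -> bool:
    """Reject 0, 1 and p-1: those peer values force a trivial shared secret."""
    return 2 <= value <= p - 2


def dh_keypair(p: int = P, g: int = G):
    """Private exponent x and public value g^x mod p; only the public value is sent."""
    x = secrets.randbelow(p - 3) + 2
    return x, pow(g, x, p)


def dh_shared_key(my_private: int, their_public: int, p: int = P) -> bytes:
    """Each side computes g^(xy) mod p from the other side's public value.

    Hashing the result turns it into a fixed-size symmetric key.
    """
    if not is_valid_public(their_public, p):
        raise ValueError("invalid peer public value")
    shared = pow(their_public, my_private, p)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


if __name__ == "__main__":
    alice_priv, alice_pub = dh_keypair()
    bob_priv, bob_pub = dh_keypair()
    # Only alice_pub and bob_pub cross the network; x and y never leave their owners.
    k_alice = dh_shared_key(alice_priv, bob_pub)
    k_bob = dh_shared_key(bob_priv, alice_pub)
    print(k_alice == k_bob)   # both sides now hold the same key
    # The agreed key can then protect bulk traffic, e.g. as an HMAC key.
    msg = b"constructed message"
    tag_a = hmac.new(k_alice, msg, hashlib.sha256).digest()
    tag_b = hmac.new(k_bob, msg, hashlib.sha256).digest()
    print(hmac.compare_digest(tag_a, tag_b))
```

The public-value check matters in practice: without it a peer can send 1 or p-1 and force the shared secret to a value it already knows.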
Beyond encryption and digital signatures, asymmetric encryption algorithms contribute to the creation of cryptographic hash functions, which play a critical role in ensuring data integrity. Cryptographic hash functions produce unique fixed-size hash values for input data, making it possible to detect any changes or tampering with the data, no matter how minor.
Finally, in the context of the internet and secure communication, asymmetric encryption plays a crucial role in creating digital certificates. These certificates are integral to establishing the authenticity and identity of entities on the internet, including websites and servers. By relying on asymmetric encryption, digital certificates ensure secure communication and encrypted connections with trusted entities, enhancing the overall security of online interactions.
In asymmetric encryption algorithms, users generate a key pair consisting of a public key and a private key. The public key can be openly shared, while the private key is kept confidential.
To send a secure message to the intended recipient, the sender uses the recipient's public key to encrypt the data. Once encrypted, only the recipient's corresponding private key can decrypt the information.
Upon receiving the encrypted data, the recipient uses their private key to decrypt it. As the private key is known only to the recipient, the confidentiality of the message remains intact.
In contrast to symmetric encryption, which uses a single key for both encryption and decryption, asymmetric encryption relies on a pair of keys.
Symmetric encryption is faster and more suitable for bulk data encryption, while asymmetric encryption excels in secure key exchange and digital signatures.
Here is a table that provides an overview of these two widely used encryption algorithms:
Both symmetric and asymmetric encryption have their strengths and weaknesses, making them suitable for different use cases. Symmetric encryption excels in speed and efficiency, making it ideal for bulk data encryption.
On the other hand, asymmetric encryption offers secure key exchange and digital signatures, enhancing security in communication and authentication.
The choice between the two encryption methods depends on the specific requirements of the application and the desired level of security.
Several asymmetric encryption algorithms are widely employed in the field of cybersecurity due to their unique features and varying levels of security.
Here are some of the most popular ones:
Triple DES (Data Encryption Standard) is an asymmetric-key block cipher based on the original DES algorithm. It provides enhanced security by applying the DES algorithm three times sequentially, using three different keys.
Each block of data undergoes a series of three transformations, significantly boosting security compared to the original DES. However, Triple DES has become less popular with the rise of more efficient and secure algorithms like AES.
Advanced Encryption Standard (AES) is one of the most widely used symmetric-key encryption algorithms. It replaced the aging Data Encryption Standard and operates on fixed-size data blocks with key lengths of 128, 192, or 256 bits.
AES employs a substitution-permutation network, making it highly secure and efficient for various applications.
RSA Security (Rivest-Shamir-Adleman) is a widely used asymmetric encryption algorithm based on the mathematical properties of large prime numbers.
It involves a key pair: a public key for encryption and a private key for decryption. RSA is commonly used for secure key exchange, digital signatures, and secure communication.
Blowfish is an asymmetric-key block cipher known for its simplicity, efficiency, and resistance to attacks.
It operates on 64-bit blocks and supports key lengths ranging from 32 to 448 bits. Blowfish is used in secure data storage and transmission, password hashing, and other cryptographic applications.
Twofish is another asymmetric-key block cipher designed as a candidate for the AES competition. Although not selected as the standard, Twofish remains a respected and secure encryption algorithm.
It operates on fixed-size blocks and supports key sizes of 128, 192, or 256 bits.
Cryptographic hash functions, while not exactly asymmetric encryption algorithms, are vital in cybersecurity. They generate a fixed-size hash value for an input message, ensuring data integrity and enabling digital signatures and password hashing.
Popular hash functions include SHA-1, SHA-256, SHA-3, and MD5 (though MD5 is considered insecure).
Hash-Based Message Authentication Code (HMAC) is a construction that combines a cryptographic hash function with a secret key to provide message authentication and integrity.
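The three uses just listed (integrity via a fixed-size digest, message authentication via HMAC, and password hashing), as an added example that is not part of the article. It uses only Python's standard library; the messages, key and password are constructed for the demonstration. HMAC and the hash functions it builds on are symmetric constructions (keyed or unkeyed), which is why the example needs no key pair.

```python
"""Integrity checks with hashes, HMAC and salted password hashing.

Constructed example on the Python standard library; the messages, key
and password below are made up for the demonstration.
"""
import hashlib
import hmac
import secrets
from typing import Optional


def sha256_hex(data: bytes) -> str:
    """Fixed-size digest: any change to the input, however small, changes it."""
    return hashlib.sha256(data).hexdigest()


def hmac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256. A bare hash can be recomputed by anyone over a modified
    message; a valid tag can only be produced by a holder of the key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_hmac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison, so timing does not reveal how many tag bytes matched."""
    return hmac.compare_digest(hmac_tag(key, message), tag)


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 600_000):
    """PBKDF2-HMAC-SHA256 with a random per-user salt.

    Store (salt, digest, iterations); the salt defeats precomputed tables and
    the iteration count makes each offline guess expensive.
    """
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest, iterations


def check_password(password: str, salt: bytes, digest: bytes, iterations: int) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    original = b"transfer 100 to account 42"   # constructed message
    altered = b"transfer 900 to account 42"
    print(sha256_hex(original) != sha256_hex(altered))   # integrity: digest changes
    key = b"constructed-shared-secret"
    tag = hmac_tag(key, original)
    print(verify_hmac(key, original, tag), verify_hmac(key, altered, tag))  # True False
    salt, digest, rounds = hash_password("correct horse battery staple")
    print(check_password("correct horse battery staple", salt, digest, rounds))
```

The digest alone only detects accidental corruption; an attacker who can modify the message can recompute the hash too, which is the gap HMAC closes by requiring the key.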
Stateful Hash-Based Signature Scheme (SPHINCS) is a post-quantum secure digital signature scheme designed to resist quantum attacks.
CAST (Carlisle Adams and Stafford Tavares) is a family of asymmetric-key block ciphers designed for secure encryption and decryption.
CAST-128 and CAST-256 are popular variants with varying block and key sizes.
Asymmetric encryption is a fundamental pillar of cybersecurity, providing robust mechanisms for secure data transmission, authentication, and digital signatures.
One of the primary applications of asymmetric encryption algorithms is to establish secure communication channels over untrusted networks, such as the Internet. When two parties wish to communicate securely, they exchange their public keys. Each party keeps their private key confidential.
By using the other party's public key to encrypt messages, they ensure that only the intended recipient with the corresponding private key can decrypt and access the information. This mechanism safeguards data confidentiality during transmission and protects against eavesdropping or unauthorized access.
Suppose Alice wants to send a confidential email to Bob. Before sending the message, Alice obtains Bob's public key. She then uses Bob's public key to encrypt the email, ensuring that only Bob, possessing the private key, can read the contents of the email.
Asymmetric encryption algorithms also enable the creation of digital signatures, a critical component for authenticating digital messages or documents. Digital signatures provide a way to verify the origin and integrity of data. The sender uses their private key to generate a digital signature, which is appended to the message.
Recipients can then use the sender's public key to verify the signature, ensuring that the message indeed came from the claimed sender and has not been altered during transmission.
For example, a CEO can digitally sign an important company document using their private key. When employees receive the document, they can verify the signature using the CEO's public key to ensure that the document is authentic and has not been tampered with by unauthorized parties.
Asymmetric encryption is also employed for secure file encryption, adding an extra layer of protection to sensitive data stored on devices or transmitted over networks. Instead of using a symmetric key to encrypt the entire file, asymmetric encryption algorithms can be used to encrypt the symmetric key, which is then used for bulk encryption.
Imagine an organization that wants to share confidential files with a partner company. The organization encrypts the files using a randomly generated symmetric key. To securely share the symmetric key, they use asymmetric encryption algorithms. The partner company's public key is used to encrypt the symmetric key before sending it. Upon receiving the encrypted symmetric key, the partner company uses its private key to decrypt it and then uses the symmetric key to decrypt the files.
Asymmetric encryption algorithms are instrumental in authentication mechanisms such as digital certificates, which are used to establish the authenticity of websites, servers, and individuals on the internet. Digital certificates contain the entity's public key, and a trusted certificate authority signs them, verifying the certificate's authenticity.
When a user connects to a secure website (HTTPS), the website presents its SSL/TLS certificate. The user's browser can verify the certificate's authenticity by checking the signature from a trusted certificate authority. The certificate's public key is then used to establish a secure connection and encrypt data during the browsing session.
Asymmetric encryption algorithms ensure non-repudiation, meaning the sender cannot deny sending a particular message or initiating a transaction. The use of the sender's private key to sign the message provides cryptographic proof of their involvement.
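The key-pair workflow described earlier (generate a pair, encrypt to the recipient's public key, decrypt with the private key), the sign-and-verify flow of the CEO example, and the hybrid file-sharing scenario just described, all in one added example that is not from the article. It is a toy RSA on Python's standard library: the primes 2**61-1 and 2**89-1 are a constructed choice so the arithmetic stays readable, there is no OAEP/PSS padding, and a SHA-256 keystream stands in for a symmetric cipher such as AES (AES, Triple DES, Blowfish, Twofish and CAST are all symmetric-key ciphers; in the hybrid scheme the asymmetric key only wraps the session key).

```python
"""Toy RSA key pair, encryption, signing and hybrid key wrapping.

Constructed example on the Python standard library only. The primes are
Mersenne primes 2**61-1 and 2**89-1 (a deliberate toy choice so the
numbers stay readable) and there is no OAEP/PSS padding, so this shows
the mathematics of the scheme rather than a production implementation.
"""
import hashlib
import secrets
from math import gcd

P = 2**61 - 1   # Mersenne prime M61 (constructed choice)
Q = 2**89 - 1   # Mersenne prime M89 (constructed choice)


def generate_keypair(p=P, q=Q, e=65537):
    """Return (public, private) as ((n, e), (n, d)); only n and e are shared."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)  # private exponent: modular inverse of e mod phi(n)
    return (n, e), (n, d)


def rsa_encrypt(m: int, public) -> int:
    """Encrypt an integer m < n with the recipient's public key."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message does not fit in the modulus")
    return pow(m, e, n)


def rsa_decrypt(c: int, private) -> int:
    """Recover m with the private key: (m^e)^d = m (mod n)."""
    n, d = private
    return pow(c, d, n)


def _digest_int(message: bytes, n: int) -> int:
    # Hash-then-sign: the signature covers a fixed-size SHA-256 digest,
    # reduced mod n so it fits (toy simplification; real schemes pad it).
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private) -> int:
    """Sender signs with the private key; anyone holding the public key can verify."""
    n, d = private
    return pow(_digest_int(message, n), d, n)


def verify(message: bytes, signature: int, public) -> bool:
    """True only for this exact message signed with the matching private key."""
    n, e = public
    return pow(signature, e, n) == _digest_int(message, n)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || block counter).

    Stand-in for a symmetric cipher such as AES so the example needs no
    third-party package. The session key is fresh per message, which is
    what keeps the keystream from repeating.
    """
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def hybrid_encrypt(plaintext: bytes, recipient_public):
    """Bulk-encrypt with a random 128-bit session key, then wrap that key with RSA."""
    session_key = secrets.token_bytes(16)
    wrapped_key = rsa_encrypt(int.from_bytes(session_key, "big"), recipient_public)
    return wrapped_key, keystream_xor(session_key, plaintext)


def hybrid_decrypt(wrapped_key: int, ciphertext: bytes, recipient_private) -> bytes:
    """Unwrap the session key with the private key, then decrypt the bulk data."""
    session_key = rsa_decrypt(wrapped_key, recipient_private).to_bytes(16, "big")
    return keystream_xor(session_key, ciphertext)


if __name__ == "__main__":
    bob_public, bob_private = generate_keypair()
    # Alice -> Bob: only Bob's private key unwraps the session key.
    wrapped, body = hybrid_encrypt(b"constructed confidential file contents", bob_public)
    print(hybrid_decrypt(wrapped, body, bob_private))
    # Bob signs; any change to the message makes verification fail.
    sig = sign(b"contract v1", bob_private)
    print(verify(b"contract v1", sig, bob_public), verify(b"contract v2", sig, bob_public))
```

Two things the toy makes visible that the prose does not: the public key never needs to be secret because recovering d from (n, e) requires factoring n, and the ciphertext of a file is useless to anyone who intercepts it together with the wrapped key, since the wrap can only be undone with the recipient's private exponent.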
Parties can use asymmetric encryption to sign contracts digitally. When one party signs a contract using their private key, it proves their agreement to the terms and prevents them from later denying their involvement in the contract.
As you can see, asymmetric encryption algorithms are one of the most important weapons you can use to ensure your and your company's cybersecurity.
Remember, your data is something you should guard as carefully as your ID in your pocket and you should always turn to its guardian angels.
The Role of Optical Encryption in Safeguarding Internet Privacy – Fagen wasanni
Exploring the Role of Optical Encryption in Safeguarding Internet Privacy
In the digital age, where data is the new gold, safeguarding internet privacy has become a paramount concern. As we increasingly rely on the internet for everything from banking to communication, the need for robust security measures is more pressing than ever. One such measure that is gaining traction is optical encryption, a technology that promises to revolutionize the way we protect our online privacy.
Optical encryption is a method of securing data by converting it into light waves, which are then transmitted over fiber-optic cables. This technology leverages the unique properties of light to create a secure communication channel that is virtually impossible to intercept or decode without the correct decryption key.
The beauty of optical encryption lies in its simplicity and effectiveness. Unlike traditional encryption methods, which rely on complex mathematical algorithms to scramble data, optical encryption uses the physical properties of light to secure information. This makes it incredibly difficult for hackers to intercept or manipulate the data, as they would need to physically tamper with the light waves, a feat that is currently beyond the reach of modern technology.
Moreover, optical encryption offers a level of security that is simply unmatched by other encryption methods. Because it uses light waves to transmit data, it is immune to the electromagnetic interference that can compromise other forms of digital communication. This makes it an ideal solution for securing sensitive information, such as financial transactions or personal communications.
But perhaps the most compelling advantage of optical encryption is its potential to safeguard our internet privacy. In an era where data breaches and cyber-attacks are becoming increasingly common, the need for robust security measures is more urgent than ever. Optical encryption offers a promising solution to this problem, providing a secure communication channel that is virtually impervious to hacking.
However, like any technology, optical encryption is not without its challenges. One of the main hurdles is the need for specialized hardware to transmit and receive the light waves. This can make it expensive and difficult to implement on a large scale. Additionally, while optical encryption is incredibly secure, it is not completely foolproof. If a hacker were able to gain physical access to the fiber-optic cables, they could potentially intercept the light waves and decode the data.
Despite these challenges, the potential of optical encryption to safeguard our internet privacy cannot be overstated. As we continue to rely on the internet for an ever-growing range of activities, the need for robust security measures will only increase. Optical encryption offers a promising solution to this problem, providing a level of security that is unmatched by other encryption methods.
In conclusion, optical encryption represents a significant advancement in the field of data security. Its unique ability to convert data into light waves offers a level of protection that is virtually impervious to hacking, making it an ideal solution for safeguarding our internet privacy. While there are still challenges to overcome, the potential of this technology is undeniable. As we continue to navigate the digital age, optical encryption will undoubtedly play a crucial role in protecting our online privacy.
Online Safety Bill: Where is encryption now? – DIGIT.FYI
The Online Safety Bill is currently in the House of Lords, where members have adopted a new amendment concerning the regulation of encrypted content.
According to the new amendment, Ofcom, the telecommunications regulator, will have to add an extra reporting stage before it can require technology companies to scan end-to-end encrypted content and messages for child sex abuse material and other illegal content.
The measure for extra scrutiny is meant to give further protections to privacy that is typically secured by end-to-end encryption.
A report by a skilled person will have to be commissioned by Ofcom before the regulator gives notices to technology companies to scan encrypted messages.
The skilled person will be an independent expert, according to Lord Parkinson of Whitley Bay, who spoke at the House of Lords on Wednesday.
Ofcom would need to consider how the scanning of encrypted messages in each circumstance would impact privacy and freedom of expression prior to requiring a company to introduce the technology necessary to read encrypted messages. Further, the regulator would be bound by human rights laws.
But it still remains unclear how end-to-end encryption scanning technology will be rolled out, and how the regulator will balance privacy concerns amid an alarming rise in child sexual abuse content in the UK.
Two other amendments which attempted to impose stricter parameters on Ofcom's encryption scanning notices were dropped in the House of Lords in favour of the newly adopted one.
The first, introduced by Conservative Lord Moylan, would have put an outright ban on Ofcom imposing any requirements on weakening or removing of encryption, a move which has been called for by many tech companies like WhatsApp and Signal.
Labour peer Lord Stevenson of Balmacara's amendment was also dropped; it would have required an independent judicial commissioner to review whether an encryption scanning notice would be proportionate prior to its issue by Ofcom.
There still remains a lack of consensus in government on what this bill would mean for privacy and encryption.
The bill excludes text messages, Zoom, and email from the encryption measures, as well as messages sent by law enforcement, the public sector, and emergency responders.
The exclusion of the public sector and law enforcement from scans, especially amid reports of rampant sexual abuse by law enforcement in the UK, has called into question the effectiveness of this part of the Online Safety Bill, as well as where it is pointed.
Lord Parkinson, however, has assured that scanning encrypted messages would be a last resort if companies were found not to be managing their risks properly: if child sexual abuse material is continually found on a platform, Ofcom will be able to direct the company to use accredited technology to remove the content.
Even with the extra step, civil groups are saying the protections do not go far enough to ensure privacy and freedom of expression.