Legislators and technologists have not reached consensus on regulations for cryptographic control. Let's look at arguments, history and the future in order to balance the discussion and to restore trust in controlling cryptography.

We'll look at the importance of cryptography, and why some want to weaken it. Technical options are discussed, followed by arguments for keeping cryptography strong. We'll then look at current proposals from the EU and the UK that aim to undermine the security of end-to-end encrypted messaging apps.

Content headings

  1. Why do we need cryptography?
  2. Why weaken cryptography?
  3. What are common options for weakening?
  4. When does weakened and regulated cryptography make sense?
  5. Why wouldn't we want to weaken cryptographic systems?
  6. Results from the past and the future
  7. Current events
  8. Conclusion
  9. References

Why do we need cryptography?

Encryption is essential for securing modern life. It protects privacy, public safety, and cybersecurity, as well as economic competitiveness, freedom of expression, civil and human rights, and the Open Internet. (Civil Society Organizations et al., 2015; Schneier, 2016; Encryption Working Group, 2019)

Governments require cryptography to stay protected from adversaries. The 2022 report from the AIVD – the Dutch intelligence service – states that the government is making headway with their Nationale Cryptostrategie. This is a strategy for speeding up the development of strong information security and for stimulating knowledge sharing. GCHQ celebrates a similar program called National Crypt-Key Centre. The report from the NSA has an entire section on cryptography where it highlights that encryption is essential for securing national secrets and for physical security on the battlefield.

"If you don't want the adversary to know it, control it, or deny your use of it, then encryption is your last line of defense" - (NSA, 2022)

Most importantly, freedom must not be taken for granted. Internationally, cryptography protects human rights and democratic values. Vulnerable populations like journalists, activists and the LGBTQ+ community rely on encryption to protect themselves, their sources, and their communities. Oppressive regimes still manage to kill 80 journalists per year on average, and China has recently exploited bugs in messaging apps to locate and brutally interrogate protesters. Being LGBTQ+ is a criminal offense in over 70 countries. Maintaining an Open Internet – having access to online services without government interference – reflects Western values, which comes with geopolitical and strategic benefits. (Abelson et al., 2015; Amnesty International, 2019; Civil Society Organizations et al., 2019; Doffman, 2019; Internet Society, 2019; Reporters Without Borders, 2022)

Why weaken cryptography?

Cold War America had little interest in sharing its cryptographic technology with the rest of the world. Exporting and publicizing this technology was regulated because it was part of the military arsenal. Only crackable systems were allowed outside the US, and other countries were maintaining a similar strategy. As society started to digitalize in the 60s-70s, the need for cybersecurity, and with that, cryptography, started to rise. In the 90s the technology couldn't be contained due to world-wide development of software like browsers, so by 1996 the restrictions were partially lifted.

The use of cryptography hinders some criminal investigations, so there is a recurring push from policy makers to weaken or even ban it. After 9/11, they campaigned to stop terrorists. Recent campaigns aim to stop child sexual abuse and the spread of CSAM (Child Sexual Abuse Material). (Schneier, 2019)

What are common options for weakening?

A common approach is to create a key escrow system. This means that a third party – such as a vendor or the government – has a database of decryption keys. Ozzie (2017) proposed CLEAR, a disk encryption system for mobile phones. The phone would have an additional encryption key, encrypted with the HSM of the vendor, readable from a barcode. The design shows that law enforcement must "Take photo of barcode & email it" to obtain the secret key. Savage (2018) extended the design by having the HSM from the vendor encrypt the phone's key with a key from law enforcement, who can then decrypt the key to unlock the device. A paper named Abuse-Resistant Law Enforcement Access System aims to make retrieval of such keys transparent, and therefore resistant to abuse by totalitarian governments. However, they note that their work might indicate that any retrospective surveillance system is innately susceptible to abuse.

Cryptographic building blocks can be designed with a hidden backdoor. There are designs for symmetric ciphers, asymmetric ciphers, predictable random number generators, and hashing functions that generate collisions on certain input. A SETUP (Secretly Embedded Trapdoor with Universal Protection) is a method to backdoor, for example, ECDH. A messaging app with end-to-end encryption could implement such a backdoor, but the ECDH function would yield different results than its genuine implementation. ZUGZWANG is an example backdoored block cipher, although a user has to comply with the backdoor being used, and after the backdoor is 'opened' the key is sent in plaintext over the line. (Easttom, 2017; van den Noort, 2018; Baksi et al., 2022)

Pre-screening is a term for scanning files for illegal content, also called Client-Side Scanning when performed on a client's device. The idea is to circumvent encryption by making the application scan content in the decrypted state. Apple aims to use a cryptographic tool called Private Set Intersection (PSI) to scan for CSAM in iCloud environments of users. PSI was expanded upon to create protection against malicious or coerced service providers in a paper named End-to-End Secure Messaging with Traceability Only for Illegal Content. (Bellare, 2021; Bartusek et al., 2023)

When does weakened and regulated cryptography make sense?

Having centralized systems is essential for enterprise security. It makes sense to have an IT department be in control of disk encryption keys – like a key escrow system – for all workstations (Encryption Working Group, 2019). It is also common for enterprises to have central solutions for password management, data storage, network monitoring, access control, data leakage prevention and application control. These systems are required to prevent theft, illegal use of company assets, and to monitor for cyber threats, even though they impact the privacy of employees. Companies can monitor and control their equipment as long as they are compliant with regulations such as GDPR.

The Dutch Ministry of Foreign Affairs published a Factsheet Cryptografie in 2018 with changes to cryptographic export regulations from the Wassenaar Arrangement. Selling tools for breaking into mobile communications is limited to certain countries, and a global license can't be obtained for surveillance software that subverts cryptography. It makes sense for a Western society to put restraints on selling such tools to oppressive regimes. Note that the positive point here is to not sell the software to the oppressive, instead of purposefully weakening it so it is crackable.

Why wouldn't we want to weaken cryptographic systems?

The 2015 paper Keys Under Doormats explains that a policy for breaking or backdooring cryptography would be unworkable. It would cause massive ethical and economic harm, and it would undermine the security structures that the internet took many years to fine-tune. Examples of similar studies exist on the abuse of intelligence information and government surveillance, the US cryptographic policy, national key escrow systems and backdoors of cryptography in general. They all conclude that the potential disadvantages outweigh the potential advantages. (National Research Council, 1996; Abelson et al., 1997; National Academies, 2018; USACM, 2018)

One top concern is that the backdoored, weakened or escrowed system can be used by the oppressive. Policy makers tend to think that it is a problem of cryptography and math, while the hard part is controlling the use of the system around it. Regimes might pressure or force Apple's Client-Side Scanning tool into scanning for more than CSAM, like 'terrorist activity', creating a foundation for censorship and surveillance. And it doesn't matter if your key escrow system is encrypted with the HSM of the vendor. The government can – on a whim – force the company to hand over all keys. Governments don't just have a history of abusing surveillance technology; they also spy on each other, and steal each other's secrets. (National Academies, 2018; Schneier, 2018; Access Now et al., 2021)

Criminals – who by definition don't abide by the law – will likely just switch to a different system. This might seem like an argument against the above paragraph, but the issue is that the good (for example, a billion iPhone users) will stay vulnerable while the bad are marginally affected. A 2016 study found over 850 cryptographic products that criminals can use. Even if all communication was monitored, a 2018 paper presents a steganography-like protocol for hiding key exchange and encryption. This means that people can use text from normal conversations to build strong cryptography on top of any communication system. (Rivest, R. L., 1998; Schneier et al., 2016; Horel et al., 2018; Green et al., 2021)

Most designs for weakening cryptography break foundational technology. TLS, for example, encrypts most of our network traffic, and it took about 20 years to get robust. TLS relies on cryptographic building blocks such as forward secrecy, which means using temporary keys, and authenticated encryption, which is encryption that also verifies who you're talking to. Any system that uses key escrow or some kind of master key will by definition break the security assumptions of these building blocks. Weakening cryptography for active communication in these ways will therefore set us back years. (Abelson et al., 2015; Encryption Working Group, 2019)

Any master key or per-device backdoor will also create a backdoor for the entire society using it. Examine the case where someone steals the key(s), finds the weakness, or is able to bypass our purposefully broken cryptography. All encrypted data can be decrypted, from the moment we introduced the backdoor, up until we patched everything. This includes replacing or fixing all affected hardware. (Rivest, R. L., 1998; Abelson et al., 2015; Encryption Working Group, 2019)
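The two preceding paragraphs (escrow breaking forward secrecy, and one stolen key opening everything recorded since the backdoor was introduced) can be made concrete with a toy model. This is an added example, not part of the original article; the small Diffie-Hellman group, the XOR keystream, the sample messages and all function names are assumptions chosen for readability, not production cryptography.

```python
import hashlib
import hmac
import secrets

# Assumed toy Diffie-Hellman group: far too small for real use.
P, G = 2**127 - 1, 3


def kdf(*parts):
    """Derive a 32-byte key from length-prefixed byte strings."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


def xor_stream(key, data):
    """Toy cipher: XOR with a SHA-256 counter keystream (same call decrypts)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def escrow_session(escrow_key, message):
    """Random session key, with a copy wrapped under the long-lived escrow key."""
    session_key = secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    return {
        "nonce": nonce,
        "wrapped": xor_stream(kdf(escrow_key, nonce), session_key),
        "ciphertext": xor_stream(session_key, message),
    }


def ephemeral_session(identity_key, message):
    """Session key from one-time DH secrets; the identity key only authenticates."""
    a = secrets.randbelow(P - 2) + 1  # one-time secret, side A
    b = secrets.randbelow(P - 2) + 1  # one-time secret, side B
    public = pow(G, a, P).to_bytes(16, "big") + pow(G, b, P).to_bytes(16, "big")
    session_key = kdf(pow(pow(G, b, P), a, P).to_bytes(16, "big"))
    # a, b and session_key are discarded when this function returns.
    return {
        "public": public,
        "tag": hmac.new(identity_key, public, hashlib.sha256).digest(),
        "ciphertext": xor_stream(session_key, message),
    }


def read_with_escrow_key(escrow_key, recorded):
    """Unwrap every recorded session key with the one long-lived key."""
    plaintexts = []
    for r in recorded:
        session_key = xor_stream(kdf(escrow_key, r["nonce"]), r["wrapped"])
        plaintexts.append(xor_stream(session_key, r["ciphertext"]))
    return plaintexts


def read_with_identity_key(identity_key, recorded):
    """The identity key never entered the key derivation, so a key built from
    it and the public values is simply the wrong key."""
    return [xor_stream(kdf(identity_key, r["public"]), r["ciphertext"])
            for r in recorded]


def exposure(messages):
    """Count messages readable after (escrow key, identity key) exposure."""
    escrow_key, identity_key = secrets.token_bytes(32), secrets.token_bytes(32)
    escrowed = [escrow_session(escrow_key, m) for m in messages]
    ephemeral = [ephemeral_session(identity_key, m) for m in messages]
    via_escrow = read_with_escrow_key(escrow_key, escrowed)
    via_identity = read_with_identity_key(identity_key, ephemeral)
    return (sum(p == m for p, m in zip(via_escrow, messages)),
            sum(p == m for p, m in zip(via_identity, messages)))


MESSAGES = [b"constructed sample message %d" % i for i in range(5)]

if __name__ == "__main__":
    print(exposure(MESSAGES))
```

In the escrowed design every recorded session depends on one long-lived secret, so its exposure is retroactive; in the ephemeral design the only long-lived secret authenticates the exchange and decrypts nothing.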

Results from the past and the future

Purposefully weakening cryptography in the 90s has backfired in multiple ways. During my work as a pentester – from 2014 onward – I have found clients' systems to still use vulnerable 'export ciphers', which are ciphers for encrypting network traffic that were weakened to comply with export restrictions. In 2015, the FREAK attack showed that keys once thought only crackable by the NSA can today be cracked with about a hundred bucks of cloud services.
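One way to find the export ciphers described above in scanner output, so they can be disabled, is to classify the accepted suite names. This is an added example, not the author's tooling; the host names and accepted-suite lists are constructed, and the function names are hypothetical.

```python
import re

# Export-grade suites are recognisable by name in both common naming schemes:
#   IANA style:    TLS_RSA_EXPORT_WITH_RC4_40_MD5
#   OpenSSL style: EXP-RC4-MD5
EXPORT_MARK = re.compile(r"(?:^|_)EXPORT(1024)?_|^EXP(1024)?-")
OPENSSL_NON_RSA_KX = re.compile(r"-(?:EDH|DHE|ADH|DH|KRB5)-")


def classify(suite):
    """Return details for an export-grade suite name, or None for any other."""
    name = suite.strip().upper()
    mark = EXPORT_MARK.search(name)
    if mark is None:
        return None
    # The later "1024" variants allowed 56-bit symmetric keys; the rest 40-bit.
    bits = 56 if (mark.group(1) or mark.group(2)) else 40
    # RSA key exchange is the class the FREAK attack concerned.
    if name.startswith("EXP"):
        rsa_kx = OPENSSL_NON_RSA_KX.search(name) is None
    else:
        rsa_kx = re.match(r"(?:TLS|SSL)_RSA_EXPORT", name) is not None
    return {"suite": suite, "symmetric_bits": bits, "rsa_key_exchange": rsa_kx}


def audit(scan):
    """Map each host to its export-grade findings; clean hosts are omitted."""
    report = {}
    for host, suites in scan.items():
        findings = [f for f in map(classify, suites) if f is not None]
        if findings:
            report[host] = findings
    return report


# Constructed sample: host -> cipher suites a scanner saw the server accept.
SCAN = {
    "intranet.example": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                         "TLS_RSA_EXPORT_WITH_RC4_40_MD5"],
    "mail.example": ["ECDHE-RSA-AES256-GCM-SHA384",
                     "EXP-EDH-RSA-DES-CBC-SHA",
                     "EXP1024-RC4-SHA"],
    "www.example": ["TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"],
}

if __name__ == "__main__":
    for host, findings in audit(SCAN).items():
        for finding in findings:
            print(host, finding)
```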

This year researchers from Midnight Blue discovered that the TETRA protocol, which was standardized in 1995, contains major vulnerabilities that can be used to easily crack its encryption. The Dutch government knew about these vulnerabilities, because they were put in on purpose. The reason was an application of the Wassenaar Arrangement, the earlier mentioned export agreement for cryptography from the 90s. TETRA is currently deployed in over 100 countries for law enforcement, military, critical infrastructure and transport sectors. (Midnight Blue, 2023; Stout, 2023)

"Give the FBI the ability to hack into a cell phone today, and tomorrow you'll hear reports that a criminal group used that same ability to hack into our power grid." - (Schneier, 2016)

The 2022 reports from the GCHQ and the NSA signal fear of a Cryptanalytically Relevant Quantum Computer breaking cryptographic systems, taking heed of known unknowns in technological advancement. A backdoor with today's cryptographic assumptions might become the next FREAK or TETRA vulnerability 10 years from now.

There have also been straight-up attempts to create hidden backdoors in cryptography used by the public. An infamous attack was the DUAL_EC_DRBG algorithm, which was a backdoored random number generator. It was standardized by NIST for seven years, until Snowden revealed that it was backdoored by the NSA. The most infamous but failed attempt to deploy a secret key escrow system was the Clipper Chip, a chip that would allow law enforcement interception of all voice and data transmissions.

A broken trust relationship is clearly visible in recent interactions. The NSA designed two ciphers for public use called SIMON and SPECK, but they were rejected by ISO. ISO asked a lot of questions, fearing another backdoor, and the NSA didn't provide enough details. On a similar note, the NCSC – from GCHQ – tried to provide a protocol for end-to-end encryption called MIKEY-SAKKE, but this didn't land well. A 2016 blog post from Murdoch shows the public view of the GCHQ once again trying to create a backdoor, mostly because it involves a key-escrow system. The NCSC tries to explain that it is a key-escrow system because it is meant for organizations with central key management, who are able to control their own Key Management System, which is normal for enterprise software. (Murdoch, 2016; NCSC, 2016; Baksi et al., 2022)

Current events

A 2022 proposal from the European Commission to combat CSAM states that "voluntary action has thus proven insufficient", so they want to force all online providers in the EU, including messaging services, to implement detection mechanisms like pre-screening. The Dutch government responded with "end-to-end encryption must not be made impossible" in their 2023 Staat Van de Unie (State Of The Union). Technologists also raised the technical argument that these systems generally use a form of AI that can result in many false positives, which can lead to false arrests. (Abelson et al., 2021; Access Now et al., 2021; European Commission, 2022; Jansen, 2023)

The British government also wants to make Client-Side Scanning mandatory with their Online Safety Bill. Hodgson from Element writes that the bill is incompatible with decentralized standards like Matrix, on which Element is built. The NSPCC supports the bill, claiming that the NCA is able to catch predators as a result of scanning. The NCA is doing amazing police work, reporting that "Each month, coordinated action by the NCA and UK policing leads to over 800 arrests and nearly 1,200 children being safeguarded", but it is not stated how scanning contributes to this. They do refer to the 2022 report from the IICSA. The report lists 20 recommendations to prevent child sexual abuse in general, like proper registration of care staff. One recommendation is about pre-screening online content, where they recommend to scan "platforms and social media profiles", as well as "search services and user-to-user services", but they leave the technical implementation to the experts. (IICSA, 2022; Hodgson, 2023; Reuters, 2023; Tidy, 2023)

The most calming, delightful and insightful read on the subject of cryptographic regulation is called Moving the Encryption Policy Conversation Forward. This should be no surprise as it is written by the CEIP, the Carnegie Endowment for International Peace, rated as the number 1 think tank in the world by the University of Pennsylvania. The CEIP highlights absolutist positions that are unlikely to result in productive dialogue. Many arguments from technologists are acknowledged, such as issues with forward secrecy and the dangers of mass-surveillance, as well as the concerns from law enforcement. A similar great work is Decrypting the Encryption Debate: A Framework for Decision Makers, in which legislators are given well-sourced information to empower proper decision making. (National Academies, 2018; University of Pennsylvania, 2019; Encryption Working Group, 2019)

Conclusion

We've reviewed why encryption is essential for securing modern life, and why some want to weaken it. We've looked at options for weakening and the dangers of implementing them. Lastly, the EU and UK proposals to weaken end-to-end encrypted messaging apps were reviewed.

The proposed mandates are a logical step for politicians, but undermining the security of end-to-end encrypted messaging apps could do more harm than good. The mandate must not become a foundation for censorship and surveillance, and vulnerable populations like journalists must maintain the ability to protect themselves. A system that can only be used by the good is not something that our technology can safeguard. Care must also be taken to prevent false positives, and the requirements must be compatible with foundational technology and decentralized standards. Well-sourced information must empower proper decision making, as mistakes from the past shouldn't be repeated. And lastly, the imposed system mustn't erode trust in democracy.

Discussion can take place on my LinkedIn post.

References

# Cryptography as essential
Civil Society Organizations et al. (2015, May 19). Dear President Obama. [Letter from Civil Society Organizations, Companies & Trade Associations and Security and Policy Experts to President Obama]. Retrieved from https://static.newamerica.org/attachments/3138--113/Encryption_Letter_to_Obama_final_051915.pdf
Schneier, B. (2016). The Value of Encryption. Retrieved from https://www.schneier.com/essays/archives/2016/04/the_value_of_encrypt.html
Encryption Working Group. (2019). Moving the Encryption Policy Conversation Forward. Carnegie Endowment for International Peace. Retrieved from https://carnegieendowment.org/2019/09/10/moving-encryption-policy-conversation-forward-pub-79573
# National security
AIVD. (2022). Jaarverslag 2022, Dreigingen helpen voorkomen of wegnemen. Retrieved from https://www.aivd.nl/onderwerpen/jaarverslagen/jaarverslag-2022/dreigingen-helpen-voorkomen-of-wegnemen
GCHQ, NCSC. (2022). NCSC Annual Review 2022. Retrieved from https://www.ncsc.gov.uk/files/NCSC-Annual-Review-2022.pdf
NSA. (2022). NSA CYBERSECURITY year in review 2022. Retrieved from https://media.defense.gov/2022/Dec/15/2003133594/-1/-1/0/0139_CSD_YIR22_FINAL_LOWSIDE_ACCESSIBLE_FINAL_V2.PDF
# International human rights & democratic values
Abelson, H., Anderson, R., Bellovin, S. M., Benaloh, J., Blaze, M., Diffie, W., Gilmore, J. F., Green, M., Landau, S., Neumann, P. G., Rivest, R. L., Schiller, J. I., Schneier, B., Specter, M. A., & Weitzner, D. J. (2015). Keys under doormats: mandating insecurity by requiring government access to all data and communications. Journal of Cybersecurity, tyv009. https://doi.org/10.1093/cybsec/tyv009
Amnesty International. (2019). Hong Kong: Arbitrary arrests, brutal beatings and torture in police detention revealed. Retrieved from https://www.amnesty.org/en/latest/press-release/2019/09/hong-kong-arbitrary-arrests-brutal-beatings-and-torture-in-police-detention-revealed/
Civil Society Organizations et al. (2019, December 10). To Whom it May Concern. [Letter from Civil Society Organizations, Technology Companies and Trade Associations and Security and Policy Experts to US and Australian government officials]. Retrieved from https://newamericadotorg.s3.amazonaws.com/documents/Coalition_Response_Letter_-_Encryption_DOJ_event_and_letter_to_Facebook.pdf
Doffman, Z. (2019). Telegram Bug 'Exploited' By Chinese Agencies, Hong Kong Activists Claim. Forbes. Retrieved from https://www.forbes.com/sites/zakdoffman/2019/08/25/chinese-agencies-crack-telegram-a-timely-warning-for-end-to-end-encryption/
Internet Society. (2019). Encryption: Essential for the LGBTQ+ Community. Retrieved from https://www.internetsociety.org/resources/doc/2019/encryption-factsheet-essential-for-lgbtq-community/
Reporters Without Borders. (2022). 1,668 journalists killed in past 20 years (2003-2022), average of 80 per year. Retrieved from https://rsf.org/en/1668-journalists-killed-past-20-years-2003-2022-average-80-year
# Cold War & public message trends
Schneier, B. (2019). Scaring People into Supporting Backdoors. Retrieved from https://www.schneier.com/blog/archives/2019/12/scaring_people_.html
Crypto Wars. (2023). In Wikipedia. https://en.wikipedia.org/wiki/Crypto_Wars
# Key escrow systems
Ozzie, R. (2017). CLEAR. On Github. https://github.com/rayozzie/clear/blob/master/clear-rozzie.pdf
Savage, S. (2018). Lawful Device Access without Mass Surveillance Risk: A Technical Design Discussion. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (CCS '18) (pp. 1761–1774). Association for Computing Machinery. https://doi.org/10.1145/3243734.3243758
Green, M., Kaptchuk, G., & Van Laer, G. (2021). Abuse resistant law enforcement access systems. In Springer eBooks (pp. 553–583). https://doi.org/10.1007/978-3-030-77883-5_19
# Kleptography and backdoor design
Easttom, C. (2017). An overview of cryptographic backdoors. Journal of Information System Security, 13(3), ISSN: 1551-0123.
van den Noort, P. (2018). Spionage met beveiligingssoftware (Bachelor Scriptie). Universiteit Utrecht, Faculteit Betawetenschappen. Retrieved from https://studenttheses.uu.nl/bitstream/handle/20.500.12932/37643/Scritie.pdf
Baksi, A., Bhattacharjee, A., Breier, J., Isobe, T., & Nandi, M. (2022). Big Brother is watching you: A closer look at backdoor construction. In Lecture Notes in Computer Science (pp. 81–96). https://doi.org/10.1007/978-3-031-22829-2_5
# Client-Side scanning & pre-screening
Bellare, M. (2021). The Apple PSI Protocol. University of California, San Diego, Department of Computer Science and Engineering. Retrieved from https://www.apple.com/child-safety/pdf/Technical_Assessment_of_CSAM_Detection_Mihir_Bellare.pdf
Bartusek, J., Garg, S., Jain, A., & Policharla, G. (2023). End-to-End Secure Messaging with Traceability Only for Illegal Content. In Lecture Notes in Computer Science (pp. 35–66). https://doi.org/10.1007/978-3-031-30589-4_2
# Export regulations and weakening making sense
Ministerie van Buitenlandse Zaken. (2018). Factsheet Cryptografie. Retrieved from https://open.overheid.nl/documenten/ronl-70300623-8c97-4912-9635-66cdc39def3e/pdf
# It will do more harm than good
National Research Council. (1996). Cryptography's Role in Securing the Information Society. Washington, DC: The National Academies Press. https://doi.org/10.17226/5131
Abelson, H., Anderson, R., Bellovin, S. M., Benaloh, J., Blaze, M., Diffie, W., Gilmore, J. F., Neumann, P. G., Rivest, R. L., Schiller, J. I., & Schneier, B. (1997). The risks of key recovery, key escrow, and trusted third-party encryption. World Wide Web, 2(3), 241–257. https://doi.org/10.7916/d8gm8f2w
National Academies of Sciences, Engineering, and Medicine. (2018). Decrypting the Encryption Debate: A Framework for Decision Makers. Washington, DC: The National Academies Press. https://doi.org/10.17226/25010
USACM. (2018). On mandatory engineered law enforcement access to information infrastructure and devices. Retrieved from https://www.acm.org/binaries/content/assets/public-policy/usacm/2018-usacm-statement-law-enforcement-access.pdf
# Political pressure, use by oppressive regimes
Schneier, B. (2018). Ray Ozzie's Encryption Backdoor. Retrieved from https://www.schneier.com/blog/archives/2018/05/ray_ozzies_encr.html
Access Now et al. (2021, August 19). Dear Mr. Cook. [Letter from many organisations to Tim Cook]. Retrieved from https://cdt.org/wp-content/uploads/2021/08/CDT-Coalition-ltr-to-Apple-19-August-2021.pdf
# Criminals can switch to other systems
Rivest, R. L. (1998). The Case against Regulating Encryption Technology. Retrieved from https://people.csail.mit.edu/rivest/pubs/Riv98e.pdf
Schneier, B., Seidel, K., & Vijayakumar, S. (2016). A worldwide survey of encryption products. Social Science Research Network. https://doi.org/10.2139/ssrn.2731160
Horel, T., Park, S., Richelson, S., & Vaikuntanathan, V. (2018). How to Subvert Backdoored Encryption: Security Against Adversaries that Decrypt All Ciphertexts. arXiv (Cornell University). https://arxiv.org/pdf/1802.07381.pdf
# Breaking forward secrecy and other internet foundations
TLS. (2023). In Wikipedia. https://en.wikipedia.org/wiki/Transport_Layer_Security
# Examples of export control backfiring, TETRA
FREAK. (2023). In Wikipedia. https://en.wikipedia.org/wiki/FREAK
Midnight Blue. (2023). TETRA:BURST. Retrieved from https://tetraburst.com/
Stout, J. (2023). Nederlandse overheid al dertig jaar op de hoogte van zwakke beveiliging Tetra. Retrieved from https://tweakers.net/nieuws/212212/nederlandse-overheid-al-dertig-jaar-op-de-hoogte-van-zwakke-beveiliging-tetra.html
# Broken trust relation. GCHQ (MIKEY-SAKKE), NSA (SIMON and SPECK)
Murdoch, S. J. (2016). Insecure by design: protocols for encrypted phone calls. Retrieved from https://www.benthamsgaze.org/2016/01/19/insecure-by-design-protocols-for-encrypted-phone-calls/
GCHQ, NCSC. (2016). MIKEY-SAKKE frequently asked questions. Retrieved from https://www.ncsc.gov.uk/guidance/mikey-sakke-frequently-asked-questions
Dual_EC_DRBG. (2023). In Wikipedia. https://en.wikipedia.org/wiki/Dual_EC_DRBG
Clipper chip. (2023). In Wikipedia. https://en.wikipedia.org/wiki/Clipper_chip
# European push to break E2E
Abelson, H., Anderson, R., Bellovin, S. M., Benaloh, J., Blaze, M., Callas, J., Diffie, W., Landau, S., Neumann, P. G., Rivest, R. L., Schiller, J. I., Schneier, B., Teague, V., & Troncoso, C. (2021). Bugs in our Pockets: The Risks of Client-Side Scanning. arXiv (Cornell University). https://doi.org/10.48550/arxiv.2110.07450
European Commission. (2022). Proposal for a regulation of the European parliament and of the council: Laying down rules to prevent and combat child sexual abuse. Retrieved from https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52022PC0209&from=EN
Jansen, J. (2023). Nederlands kabinet: end-to-endencryptie mag niet onmogelijk worden gemaakt. Retrieved from https://tweakers.net/nieuws/206708/nederlands-kabinet-end-to-endencryptie-mag-niet-onmogelijk-worden-gemaakt.html
Dutch government, Tweede Kamer. (2023). Kamerbrief staat van de unie 2023. Retrieved from https://open.overheid.nl/documenten/ronl-27b162db3eb427e8d096258650373a64a4a6f826/pdf
# UK push for pre-scanning
Reuters. (2023). WhatsApp and other messaging apps oppose UK's move on encryption. Retrieved from https://www.reuters.com/technology/whatsapp-other-messaging-apps-oppose-uks-move-encryption-2023-04-18/
Hodgson, M. (2023). The Online Safety Bill: An attack on encryption. Retrieved from https://element.io/blog/the-online-safety-bill-an-attack-on-encryption/
Tidy, J. (2023). E2E encryption: Should big tech be able to read people's messages? Retrieved from https://www.bbc.com/news/technology-66099040
# The NCA report
IICSA. (2022). The Report of the Independent Inquiry Into Child Sexual Abuse - October 2022. Retrieved from https://www.iicsa.org.uk/document/report-independent-inquiry-child-sexual-abuse-october-2022-0.html
# Work from think tanks
University of Pennsylvania. (2019). Public Policy Research Think Tanks 2019: Top Think Tanks - Worldwide (US and non-US). Retrieved from https://guides.library.upenn.edu/c.php?g=1035991&p=7509972