Using The Web to Fight Bad Legislation

Over in the UK, the Regulation of Investigatory Powers Bill is in severe danger of becoming law. In a nutshell, ISPs will be classed as telecoms operators, the Home Secretary can demand taps on ISP traffic with little deliberation -- and without publicity -- and you can be jailed for not handing over decryption keys, even if the police can't prove that you ever had those keys in the first place. There's more on this at the URL above; it's difficult to do it justice in this space. Anyway, the good folks over at STAND are a bit concerned about this. After their earlier @dopt an MP campaign, and their Operation Dear Jack photostory, they've unveiled their latest attempt to involve people. They've set up a web/fax MP gateway. Tap in a few details, including your postcode, and then compose your message. The backend determines who your local MP is, and then faxes your carefully crafted comments off to them. What could be easier? Just remember that it's only for British constituents, and naturally, you should only use your own postcode.

Intercepts not the problem

[DaveHowe]

1. Unfortunately, this posting has missed the two main thrusts of the bill. ISPs have been "cooperating" for years with the LEAs provided they produce the correct paperwork (most insist on a court order; some don't) but this is pretty normal - I don't think anyone can really object to the police having a right to tap any communication device given a suitable bench warrant. The *real* problems are these:-
2. The RIP "orders" don't require a judge's signature - they can be issued based on several different people's authorisation, don't have any time or size limits, and don't need to justify their existance to anyone
3. Give the authorised authorities, without judicial review, the right to write out an order as follows:
   • Demand from an *innocent* person, not suspected of any crime, their secret decryption keys - on the basis that the demanding officer thinks that it appears *to him* that some data he has seen was encrypted
   • Emprisonment if you don't produce a key - not HAVING a key is not a defence unless you can prove you never had it; this is impossible anyhow, and could make the common procedure of expiring keys and generating new ones at regular intervals a criminal offence
   • Emprisonment if you tell anyone you have been required to hand over a key - even by changing your key if the LEA thinks that will tip people off (and yes, this does let them continue to read your mail indefinitely)
   • No requirement to safeguard the key once they have it - so if you are a bank, and are forced to hand over your electronic funds transfer key, you may find the local plod's cleaners can pick it up.
   • No legal right to appeal (apart from to a closed board not required to publish or justify their decisions) or compensation (there *is* a discressionary compensation scheme, but I suspect if your business loses four or five billion after a competing firm gets details of every bid you put in (and undercuts you by one dollar :+) you may find they don't think you are entitled to it.

There are just SO MANY reasons why this is wrong and open to abuse - none of which seem to have been considered while drafting it.
--

Re:post office

[DaveHowe]

Would you please explain the problem that this causes. Are you planning to do anything that you really don't want the government knowing about?
Yes, I am :+)
I am not talking criminal activity here - When I am away from home, I send my wife intimate letters, I make phone calls to her I would be embarrassed to have eavesdropped. I don't want *any* of this to be available to any government official who is interested - It should be only be available to a police officer who has convinced a Judge it is needful to solve a criminal investigation. If I *didn't* believe this, I would use postcards and talk to people by broadcast radio.

When you enter a society you give up your rights, to gain protection. This is what is happening. If you don't like it, leave the country.
As a member of society, I am willing to give up those rights needful to for that society as a whole to function; I expect in return safeguards and public accountability for those that have access to those powers, and for abuse of those powers to carry a jail term. This isn't happening here.

Now, the idea of forcing you to give them your key, with a two year jail term if you don't give them it, even if you just lost it is a bit excessive. However, if the government knows you have kiddie porn on your computer, but as they are walking in you encrypt it, should they be able to force you to give them the key?
Ah, enter the Four Horsemen of the Internet. Can we please have a bit of originality here? NO-ONE is going to hand over their keys if it only costs them two years inside to refuse - Serving five years for child abuse (with what tends to happen to convicted child porn suppliers inside) isn't going to be a viable option. This is ONLY going to be served on innocent correspondents of suspected criminals, who are going to be frightened enough to abandon the master key to every "secure" message they have ever received rather than serve time. The keyword is INNOCENT here - not KiddiePorn supplier, not KiddiePorn perverted watcher, but bankers and travel agents.

If they can't then you will go free and a child molester is on the streets. Is that safety?
Works for me. Any criminal dumb enough to drop themselves into ANY jail term worse than the two years for non-production of a key, is going to be too dumb to encrypt their data in the first place. Any criminal smart enough to encrypt, will use a different and probably Stenoed storage method; This law will be about as affective against KiddiePorn as a law that requires all KiddiePorn suppliers to register themselves at the local police station so they can be picked up more conveniently...
--

She doesn't have a decryption key? She's a witch!

[LeSwoosh]

Back a few short centuries ago, if you didn't like someone you could accuse them of being a witch. This would result in, among other abuses,

a) Instant arrest.
b) Torture until confession.
c) Death upon confession.
d) Death upon claim of innocence.

In fact, it was common practice for the accusers and torturers and especially the church to split up the accused's estate.

Back a few short decades ago, in the USA, if you didn't like someone you could accuse them of being a communist. This would, among other abuses, often result in,

a) Swift arrest.
b) Interrogation and humiliation.
c) Blacklisting upon confession.
d) Blacklisting upon insistance of innocence.

Often, the only way to clear your own name was to finger other friends and associates as being communists.

Now we have this new legistlation being considered in the UK. It has much in common with the travesties above. With this proposed law, one of the dangers is that if someone doesn't like you, they will simply have to send you encrypted email, then cry encrypter! This will result in, among other things,

1) Sudden search, seizure, and probable arrest.
2) Interrogation and humiliation.
3) Jail sentence upon confession.
4) Jail sentence upon claim of innocence.

This will happen regularly by jilted lovers, angry employees, school children, and the police. It is no trouble at all to put files on someone's computer. It will be especially easy for the police, who if they decide not to take the encrypted email route, will instead be able to waltz in your home, shove you out of the way, and directly plant any files they want anywhere on your system. When you are asked for your decryption key, well, gosh, officer, I don't have one.

The burden of proof should NEVER have to reside with the accused.

Just like that, because you pissed off the wrong guy, you get two years.

You will if this insane law gets passed, that is.

She's an encrypter! Burn her!