Slashdot Mirror


UK Gov't Can Demand Backdoors, Give Prison Sentences For Disclosing Them (arstechnica.co.uk)

An anonymous reader writes with some of the latest news about the draft Investigatory Powers Bill. Ars reports: "Buried in the 300 pages of the draft Investigatory Powers Bill (aka the Snooper's Charter), published on Wednesday, is something called a 'technical capability notice' (Section 189). Despite its neutral-sounding name, this gives the UK's home secretary almost unlimited power to impose 'an obligation on any relevant operators'—any obligation—subject to the requirement that 'the Secretary of State considers it is reasonable to do so.' There is also the proviso that 'it is (and remains) practicable for those relevant operators to comply with those requirements,' which probably rules out breaking end-to-end encryption, but would still allow the home secretary to demand that companies add backdoors to their software and equipment. That's bad enough, but George Danezis, an associate professor in security and privacy engineering at University College London, points out that the Snooper's Charter is actually much, much worse. The Investigatory Powers Bill would also make it a criminal offense, punishable with up to 12 months in prison and/or a fine, for anyone involved to reveal the existence of those backdoors, in any circumstances (Section 190(8).)"

Professor of journalism at City University Heather Brook writes at the Gaurdian: "When the Home Office and intelligence agencies began promoting the idea that the new investigatory powers bill was a “climbdown”, I grew suspicious. If the powerful are forced to compromise they don’t crow about it or send out press releases – or, in the case of intelligence agencies, make off-the-record briefings outlining how they failed to get what they wanted. That could mean only one thing: they had got what they wanted. So why were they trying to fool the press and the public that they had lost? Simply because they had won. I never thought I’d say it, but George Orwell lacked vision. The spies have gone further than he could have imagined, creating in secret and without democratic authorization the ultimate panopticon. Now they hope the British public will make it legitimate."

37 of 187 comments

  1. Scary stuff and nobody cares by RobinH · · Score: 5, Insightful

    The scariest thing about living in a "democracy" (Republic) now is that the *majority* really don't care about their rights, as long as they can watch their reality TV and they have someone to publicly shame on Facebook/Twitter.

    --
    "I have never let my schooling interfere with my education." - Mark Twain
    1. Re:Scary stuff and nobody cares by Dog-Cow · · Score: 4, Interesting

      You are 100% right that the majority does not care. If they did, it would be simple enough to assume that all British companies are backdoored and to drive them out of business by using alternatives in other countries. Granted, those other companies might also be backdoored, but the point is to make a point to the local authorities.

    2. Re:Scary stuff and nobody cares by umghhh · · Score: 2

      That is why we outsource these difficult, mostly boring, but for a society vital tasks to people that care, i.e. politicians. It is a win/win.

    3. Re:Scary stuff and nobody cares by oobayly · · Score: 5, Insightful

      I have a colleague who is perfectly happy to throw away his rights - "I don't care what they do if it's anti-terror related" and "we need to get rid of all this human rights bullshit", which was in response to my mention of civil rights, namely being detained without charge and warrant-less access of private data.

      The problem is that civil/human rights don't feature very high up on people's priorities because they don't need the obvious ones on a daily basis, and they don't realise how much of our daily lives is made possible because of those rights. More succinctly - people don't care about their rights until they need them.

      In a way, it's very similar to how all these people are leaving their countries to join ISIL - they're blind to the freedoms they've been afforded and go off to fight the kind of regimes their parents fought to escape from.

    4. Re:Scary stuff and nobody cares by ArmoredDragon · · Score: 3, Interesting

      I kind of wonder if this law would impact ARM Holdings, which has potential implications for the smartphone industry.

  2. Re: Draft by bill_mcgonigle · · Score: 2

    When they write up these "drafts", usually what they just do is figure out what kind of legal crap they're already doing and put it down on paper for ratification by the "representatives".

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  3. British Intelligence? by Coisiche · · Score: 2, Insightful

    The clause about penalising those who reveal the existence of backdoors created for use by British security service surveillance is classic upper class twat thinking... "If we don't tell anyone it exists then no-one will find it, tee hee". Problem is there is a world full of people smarter than them that will find the backdoors easily.

    1. Re:British Intelligence? by drinkypoo · · Score: 4, Insightful

      The clause about penalising those who reveal the existence of backdoors created for use by British security service surveillance is classic upper class twat thinking... "If we don't tell anyone it exists then no-one will find it, tee hee". Problem is there is a world full of people smarter than them that will find the backdoors easily.

      Your problem is that you assume that you're smarter than these people because they do things which are harmful to the citizenry. That's stupid. They're doing this shit on purpose. They have no illusions about being able to hide the back doors from malicious actors. They don't care about the fallout! They only want to stifle dissent, like any well-heeled fascist. If they make it illegal to talk about the back doors, then many people won't talk about them, and the full extent of the problem will be hidden from the masses. They aren't trying to avoid people discovering the back doors. They're trying to keep the masses of asses complacent.

      They are, of course, succeeding. You're glad they took your guns away. Next you'll be happy when they ban large chef's knives.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:British Intelligence? by drinkypoo · · Score: 3, Insightful

      Tell me, "drinkypoo" when are you going to start fighting back with your guns?

      There's no point to terrorism, only armed revolt, which one can't do oneself. You claim to be against gun violence, but then you ask when the individual will use it because that's what you really want. You're dead inside, so as long as something is happening, you're excited.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:British Intelligence? by jeremyp · · Score: 3, Interesting

      That's not the point at all. It's not about keeping the backdoors secret but about stopping people from advertising that they exist. Companies like Apple and Google and Facebook and even the BBC would comply with the request to put back doors in but they would put a notice on the log in screen (for British customers only) along the lines of

              "Although we respect your privacy, be aware that, by order of the British Government we have to make your data available to them on request".

      There's nothing like having a reminder every time you use Facebook, that your own government wants to snoop on you for driving up opposition.

      --
      All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
    4. Re:British Intelligence? by AHuxley · · Score: 2

      re " "If we don't tell anyone it exists then no-one will find it, tee hee""
      The UK got access to most embassies in Europe in the 1920's-30's, Enigma, all French diplomatic communications after 1945 into the 1960's, almost all trusted export crypto used globally until the 1980's. More is now understood thanks to whistleblowers.
      It worked because nobody was smart enough to look or had the ability to openly publish Western crypto findings. No book, magazine, newspaper would really consider the story interesting. A classic version of the D-Notice https://en.wikipedia.org/wiki/... helped with publishers too.
      Now everyone in the UK can get to enjoy a digital D-Notice for talking, asking, recalling past methods or publishing findings, thinking about methods online :)
      Anti-Social Behaviour Orders for the smart people who find or look for or talk about malware, crypto, know of advanced maths or computer systems.

      --
      Domestic spying is now "Benign Information Gathering"
  4. Only if the home secretary thinks it's reasonable by serviscope_minor · · Score: 5, Informative

    Ooh it's all OK then. It'll only happen if the home secretary thinks it's "reasonable". Good job we don't have a party independent constitution which guarantees there's always a hard line nutcase as home secretary.

    The answer of "is it reasonable according to the home secretary" is always a resounding "yes", with a side order of "fuck you, proles".

    --
    SJW n. One who posts facts.
  5. Re:If you find a backdoor by rcase5 · · Score: 5, Interesting

    Is this like American law?

    No, it isn't. In the 90s, there was an effort by the Clinton Administration to implement a key escrow system whereby all encrypted transmissions would have been required to submit encryption keys to some agency, so that the government could eavesdrop on those transmissions. The IT community here in the U.S. had a shit fit, and eventually defeated that idea, even though the Clinton Administration tried to scare us into thinking that if they couldn't monitor such transmissions, all sorts of awful things might happen. Except for the attacks on September 11, 2001, nothing has happened here, and our government still had plenty of warning about those attacks even without these systems in place.

    There have been other stories more recently where large telecommunications companies have been cooperating with the U.S. Government in essentially making a copy of all transmissions over the Internet. While those companies were not required to comply (and there were a few who chose not to), they did anyway. There was a huge stink made about that as well, and as far as I know, those operations have been shut down (I'm sure someone will correct me if I'm wrong).

    As far as I know, nobody here in the U.S. is required to install back doors into their systems so that government agencies can gain access at-will. After the kerfuffle in the 90s, I seriously doubt such a measure would pass into law. In a way, this highlights the silliness of the UK undertaking such a measure in their law. If UK concerns are required to put in back doors, but nobody else in the world has the same requirement, it means the UK government is essentially spying on their own citizens. They are also increasing the likelihood that a foreign concern (government, company or individual) could break into these systems and make it easier for them to effectively spy on the UK. This would drive people to host their email and web sites (among other things) on foreign servers (likely US or Canada), and could put UK hosting providers out of business, along with other consequences.

    If I were a British subject, I would complain to my representatives, LOUDLY, that this is a really bad idea.

  6. Shortsighted law by wienerschnizzel · · Score: 5, Insightful

    So what happens if the backdoor leads to a different criminal offence - such as leaking of the medical records of millions of citizens? Will the company be allowed to disclose that the vulnerability has been introduced to comply with another law? Can the company be held liable for the consequences?

    1. Re:Shortsighted law by CanadianMacFan · · Score: 2

      It's the UK. They'll just say that a CD was left on a train and everyone will believe it.

  7. Re:If you find a backdoor by AHuxley · · Score: 2

    Re "I seriously doubt such a measure would pass into law"
    The NSA and GCHQ let a generation of users enjoy US based consumer operating systems that responded well to gov malware and keyloggers. After that any compiled export crypto is a junk layer. Some great busy work and a generation of legal distraction.
    Re "There was a huge stink made about that as well, and as far as I know, those operations have been shut down (I'm sure someone will correct me if I'm wrong)."
    The fuss made just further covered collect it all and the ability to collect per person per US designed device.
    Re "could break into these systems and make it easier for them to effectively spy on the UK"
    Hints of methods and easy network access showed up in the UK press around 2000.
    "'Clean-up' police branded corrupt" (Sunday 31 March 2002)
    http://www.theguardian.com/pol...
    Huge amounts of secure digital information was floating around for sale from courts, police to the press or anyone with cash. ie any "government, company or individual" could buy into any secure network.

    --
    Domestic spying is now "Benign Information Gathering"
  8. Re:Concerns of a US citizen by EmeraldBot · · Score: 4, Informative

    Not too long ago, Europe objected that the US wasn't adequately protecting European citizens' data when US businesses are subject to government spying. These are legitimate concerns, but Europe is doing exactly the same thing the US is. As a US citizen whose data might be processed in Europe by multinational companies, how can I trust that my data is safe? When US companies and the US government are involved, I have the recourse of the court system. But there's no such recourse for me if the EU is spying. As a US citizen, I don't want my data shared with or processed in Europe. At least if it's in the US, I have a modicum of hope that the courts can protect me from government abuses.

    UK != EU, especially when the UK's not even fully in the EU. Although reduced from what they used to be, Germany's concept of privacy far exceeds American or British standards; your data is much safer there, although ultimate privacy is an incompatibility with the advent of the internet.

    --
    "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
  9. Proof-reading... by shabble · · Score: 3, Funny

    Professor of journalism at City University Heather Brook writes at the Gaurdian

    Someone's misspelt Grauniad.

  10. Police State by nospam007 · · Score: 2

    One can only hope that they will leave the EU, the sooner, the better.

  11. Catch-22? by NetAlien · · Score: 4, Insightful

    Does this prevent an implementer from disclosing it to the agency itself? "The Investigatory Powers Bill would also make it a criminal offense, punishable with up to 12 months in prison and/or a fine, for anyone involved to reveal the existence of those backdoors, in any circumstances (Section 190(8).)"

  12. Re:Huh by Errol backfiring · · Score: 2

    Yes, only it is illegal to even discover the backdoors. This is great for security firms. Those firms are of course not notified of the backdoors, but it will be illegal to report those malicious pieces of code. Unless they are programmed by a non-government criminal, in which case it is their job to disclose them. Nice!

    --
    Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
  13. Spectre, anyone? by muecksteiner · · Score: 2

    The other day, I watched the new Bond. What has the world come to, if the plot of such a movie actually starts to sound realistic? Especially the bit about the own guys not being the good ones anymore?

  14. Re:If you find a backdoor by fustakrakich · · Score: 2

    If I were a British subject, I would complain to my representatives, LOUDLY, that this is a really bad idea.

    You are obviously outnumbered. Enjoy the ride.

    --
    “He’s not deformed, he’s just drunk!”
  15. Always assume they know... by Tomahawk · · Score: 2

    When I was studying IT Security and encryption, one of the things that came up a lot was that you should always assume the process of the encryption is known [as well as some of the text of the message]. Typically it's because the encryption process is a standard (AES, for example). Security through obscurity doesn't exist. And it's far easier to keep a key secret than an algorithm (or source code).

    So if the UK are trying to ensure that a backdoor exists in any encryption method created, then EVERYONE IS GOING TO KNOW ABOUT IT! It will be impossible to keep the existence of a backdoor secret. They may have a 12 month sentence for anyone who leaks this information, but you have to assume that it will be leaked, and you have to assume that everyone (who wants to) will know how it works.

    This, then, leads to the problem of how to implement such a backdoor in such a way that only one group can use it but everyone else can't -- simply, impossible.

    This reminds me of one of the major flaws of Enigma (that a character can't be encoded as itself) that was insisted upon by people who didn't really understand encryption - a flaw that was, in a large part, responsible for helping to break the Enigma codes.

    1. Re:Always assume they know... by AmiMoJo · · Score: 3, Insightful

      They may have a 12 month sentence for anyone who leaks this information, but you have to assume that it will be leaked, and you have to assume that everyone (who wants to) will know how it works.

      Even if it isn't leaked, chances are someone will find it. People are constantly looking for backdoors left in for debugging or by nefarious companies/governments, or for flaws that can be exploited. It's probably worse than 50/50 that the person discovering the problem will make it public rather than just selling it on the black market, or giving it to their employer (e.g. foreign security services).

      This creates a huge problem for companies that are forced to create backdoors. When discovered will they be able to patch it immediately? Maybe the reason why some companies take months to fix problems is because GCHQ/NSA won't let them fix it. Will they be compensated for the reputational damage? If it's a security focused company a backdoor could destroy them.

      Tech companies really need to move to another EU country where they will be safe from having their business destroyed overnight on the whims of a clueless Home Secretary.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  16. Re:George Orwell lacked vision by Applehu Akbar · · Score: 3, Interesting

    In a country where self defense is illegal in most circumstances, the legal theory is that any response to attacks on people, whether by criminals or terrorists, has to be a police matter. The price of such a philosophy is you have to keep granting the police more and more power. And then you find that's never enough.

  17. What's the problem? by Anonymous Coward · · Score: 4, Funny

    They demand a back door -- you make it. They ask what it is, you say you are in compliance with the law and cannot disclose any information.

    WIN!

  18. Re:Huh by Tomahawk · · Score: 3, Informative

    Only if they are in the UK. Every other country can find and tell everyone about the backdoors as they are not bound by UK law.

  19. Time to jump across the channel by DanJ_UK · · Score: 2

    Yes, I and several other British overlords are giving some serious consideration to moving to Amsterdam or Berlin, for good.

    This is after the impending EU referendum, which anyone with a brain will be voting against so that we can actually stay in Europe.

    --
    - Dan
  20. The Lavabit route by tepples · · Score: 3, Interesting

    Since you can't disclose it, what can you do?

    Does discontinuing a service entirely, as Lavabit did, constitute "disclosing it"? Or does this bill allow the government to force a private British citizen to provide a service to the public against his will?

    1. Re:The Lavabit route by AmiMoJo · · Score: 2

      Does disclosing it to your lawyer, in order to get legal advice, count?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  21. Re:George Orwell lacked vision by MullerMn · · Score: 4, Informative

    You read the bit where he stabbed a guy 4 times with a samurai sword, right? I know in Texas that sort of thing is fine, but in the UK that's not considered self defence.

    Also, that article is from 11 years ago, can you not find a more relevant example? We've had 2 (semi) different governments since then.

  22. Re:George Orwell lacked vision by Anonymous Coward · · Score: 4, Informative

    What's missing from the story is the fact that Lindsay was a drug dealer. The men entered posing as drug buyers, Lindsay chased them outside repeatedly stabbing one of them in the back with a sword he kept to protect his "business".

  23. Re:George Orwell lacked vision by Kkloe · · Score: 2

    I would like to read the judgement on that; could not find it online, but I am not from the UK, it might be blocked.

    This could be as simple as: he stabbed the robber once - OK, robber started fleeing and he stabs the robber 3 more times to make it fatal, which makes him the attacker; it is as simple as that.

  24. Re:George Orwell lacked vision by KGIII · · Score: 2

    I plead guilty to an offense where I'd defended a third party (he was hitting his girlfriend outside of a bar) and I was sued in civil court for it because I'd not stopped when the threat was concluded. Interestingly and tangentially related, I did get away with breaking a police officer's jaw. He had grabbed me from behind without identifying himself. I did spend the weekend in jail as they would not let me bail out without seeing a judge. The latter case was dismissed in criminal court, the former was one where I simply pleaded guilty and was credited with time served. In both cases, I lost in civil court and was obligated to statutory damages and medical costs.

    So, in the above, my actions were fine until I sat on the guy's chest and slapped him around a little. My actions were also fine (it was self-defense - case not even brought before a judge beyond arraignment) criminally with the police officer but I was still culpable civilly due to the act having "probably" (difference in burden of proof) not having been committed had I not already been in the process of a criminal act - namely that of slapping the guy silly while taunting him. I was a bit drunk at the time, not overly so but enough for me to not think of the consequences.

    They might have been able to pursue a criminal case with the assaulting an officer but that would have been difficult to prove so it was dismissed with the caveat that I would, indeed, be facing a civil trial and the officer would not be reprimanded for failing to follow the protocol that insists he clearly articulate that he's an officer of the law.

    It was a costly lesson in law. It may not have been costly enough as I'm still entirely uncertain of what I'd do if faced with similar circumstances in the future. Hopefully, I'd stop when the threat was no longer a threat. Perhaps not though. Poor self-control has been an issue for me, when I get excited. Heaven forbid, you put me in a room with a big red button that says, "Do Not Push."

    --
    "So long and thanks for all the fish."
  25. Re:George Orwell lacked vision by shugah · · Score: 3, Informative

    More details. Carl Lindsay was a drug dealer, the 3 men showed up to purchase some pot and pulled a gun on him. The robber / victim, Stephen Swindells received 4 wounds, all inflicted from BEHIND and all inflicted AFTER chasing him from the home.

    --
    If you aren't part of the solution, then there is good money to be made prolonging the problem
  26. Re:George Orwell lacked vision by Cederic · · Score: 2

    How is stabbing someone in the back while they're running away "self defence"?

    I'm happy to live in a country that recognises there should be limits on unjustified violence.