UK Gov't Can Demand Backdoors, Give Prison Sentences For Disclosing Them

An anonymous reader writes with some of the latest news about the draft Investigatory Powers Bill. Ars reports: "Buried in the 300 pages of the draft Investigatory Powers Bill (aka the Snooper's Charter), published on Wednesday, is something called a 'technical capability notice' (Section 189). Despite its neutral-sounding name, this gives the UK's home secretary almost unlimited power to impose 'an obligation on any relevant operators'—any obligation—subject to the requirement that 'the Secretary of State considers it is reasonable to do so.' There is also the proviso that 'it is (and remains) practicable for those relevant operators to comply with those requirements,' which probably rules out breaking end-to-end encryption, but would still allow the home secretary to demand that companies add backdoors to their software and equipment. That's bad enough, but George Danezis, an associate professor in security and privacy engineering at University College London, points out that the Snooper's Charter is actually much, much worse. The Investigatory Powers Bill would also make it a criminal offense, punishable with up to 12 months in prison and/or a fine, for anyone involved to reveal the existence of those backdoors, in any circumstances (Section 190(8).)"

Professor of journalism at City University Heather Brook writes at the Gaurdian: "When the Home Office and intelligence agencies began promoting the idea that the new investigatory powers bill was a “climbdown”, I grew suspicious. If the powerful are forced to compromise they don’t crow about it or send out press releases – or, in the case of intelligence agencies, make off-the-record briefings outlining how they failed to get what they wanted. That could mean only one thing: they had got what they wanted. So why were they trying to fool the press and the public that they had lost? Simply because they had won. I never thought I’d say it, but George Orwell lacked vision. The spies have gone further than he could have imagined, creating in secret and without democratic authorization the ultimate panopticon. Now they hope the British public will make it legitimate."

Scary stuff and nobody cares

[RobinH]

The scariest thing about living in a "democracy" (Republic) now is that the *majority* really don't care about their rights, as long as they can watch their reality TV and they have someone to publicly shame on Facebook/Twitter.

Re:Scary stuff and nobody cares

[Dog-Cow]

You are 100% right that the majority does not care. If they did, it would be simple enough to assume that all British companies are backdoored and to drive them out of business by using alternatives in other countries. Granted, those other companies might also be backdoored, but the point is to make a point to the local authorities.

Re:Scary stuff and nobody cares

[oobayly]

I have a colleague who is perfectly happy to throw away his rights - "I don't care what they do if it's anti-terror related" and "we need to get rid of all this human rights bullshit", which was in response to my mention of civil rights, namely being detained without charge and warrant-less access of private data.

The problem is that civil/human rights don't feature very high up on people's priorities because they don't need the obvious ones on a daily basis, and they don't realise how much of our daily lives is made possible because of those rights. More succinctly - people don't care about their rights until they need them.

In a way, it's very similar to how all these people are leaving their countries to join ISIL - they're blind to the freedoms they've been afforded and go off to fight the kind of regimes their parents fought to escape from.

Re:Scary stuff and nobody cares

[ArmoredDragon]

I kind of wonder if this law would impact ARM Holdings, which has potential implications for the smartphone industry.

Re:British Intelligence?

[drinkypoo]

The clause about penalising those who reveal the existence of backdoors created for use by British security service surveillance is classic upper class twat thinking... "If we don't tell anyone it exists then no-one will find it, tee hee". Problem is there is a world full of people smarter than them that will find the backdoors easily.

Your problem is that you assume that you're smarter than these people because they do things which are harmful to the citizenry. That's stupid. They're doing this shit on purpose. They have no illusions about being able to hide the back doors from malicious actors. They don't care about the fallout! They only want to stifle dissent, like any well-heeled fascist. If they make it illegal to talk about the back doors, then many people won't talk about them, and the full extent of the problem will be hidden from the masses. They aren't trying to avoid people discovering the back doors. They're trying to keep the masses of asses complacent.

They are, of course, succeeding. You're glad they took your guns away. Next you'll be happy when they ban large chef's knives.

Only if the home secratary thinks it's reasonable

[serviscope_minor]

Ooh it's all OK then. It'll only happen if the home secretary thinks it's "reasonable". Good job we don't have a party independent constitution which guarantees there's always a hard line nutcases as home secretary.

The answer of "is it reasonable according to the home secretary" is always a resounding "yes", with a side order of "fuck you, proles".

Re:If you find a backdoor

[rcase5]

Is this like American law?

No, it isn't. In the 90s, there was an effort by the Clinton Administration to implement a key escrow system whereby all encrypted transmissions would have been required to submit encryption keys to some agency, so that the government could eavesdrop on those transmissions. The IT community here in the U.S. had a shit fit, and eventually defeated that idea, even though the Clinton Administration tried to scare us into thinking that if they couldn't monitor such transmissions, all sorts of awful things might happen. Except for the attacks on September 11, 2001, nothing has happened here, and our government still had plenty of warning about those attacks even without these system in place.

There have been other stories more recently where large telecommunications companies have been cooperating with the U.S. Government in essentially making a copy of all transmissions over the Internet. While those companies were not required to comply (and there were a few who chose not to), they did anyway. There was a huge stink made about that as well, and as far as I know, those operations have been shut down (I'm sure someone will correct me if I'm wrong).

As far as I know, nobody here in the U.S. is required to install back doors into their systems so that government agencies can gain access at-will. After the kerfuffle in the 90s, I seriously doubt such a measure would pass into law. In a way, this highlights the silliness of the UK undertaking such a measure in their law. If UK concerns are required to put in back doors, but nobody else in the world has the same requirement, it means the UK government is essentially spying on their own citizens. They are also increasing the likelihood that a foreign concern (government, company or individual) could break into these systems and make it easier for them to effectively spy on the UK. This would drive people to host their email and web sites (among other things) on foreign servers (likely US or Canada), and could put UK hosting providers out of business, along with other consequences.

If I were a British subject, I would complain to my representatives, LOUDLY, that this is a really bad idea.

Re:British Intelligence?

[drinkypoo]

Tell me, "drinkypoo" when are you going to start fighting back with your guns?

There's no point to terrorism, only armed revolt, which one can't do oneself. You claim to be against gun violence, but then you ask when the individual will use it because that's what you really want. You're dead inside, so as long as something is happening, you're excited.

Shortsighted law

[wienerschnizzel]

So what happens if the backdoor leads to a different criminal offence - such as leaking of the medical records of millions of citizens? Will the company be allowed to disclose that the vulnerability has been introduced to comply with another law? Can the company be held liable for the consequences?

Re:British Intelligence?

[jeremyp]

That's not the point at all. It's not about keeping the backdoors secret but about stopping people from advertising that they exist. Companies like Apple and Google and Facebook and even the BBC would comply with the request to put back doors in but they would put a notice on the log in screen (for British customers only) along the lines of

        "Although we respect your privacy, be aware that, by order of the British Government we have to make your data available to them on request".

There's nothing like having a reminder every time you use Facebook, that your own government wants to snoop on you for driving up opposition.

Re:Concerns of a US citizen

[EmeraldBot]

Not too long ago, Europe objected that the US wasn't adequately protecting European citizens' data when US businesses are subject to government spying. These are legitimate concerns, but Europe is doing exactly the same thing the US is. As a US citizen whose data might be processed in Europe by multinational companies, how can I trust that my data is safe? When US companies and the US government are involved, I have the recourse of the court system. But there's no such recourse for me if the EU is spying. As a US citizen, I don't want my data shared with or processed in Europe. At least if it's in the US, I have a modicum of hope that the courts can protect me from government abuses.

UK != EU, especially when the UK's not even fully in the EU. Although reduced from what they used to be, Germany's concept of privacy far exceeds American or British standards; your data is much safer there, although ultimate privacy is an incompatability with the advent of the internet.

Proof-reading...

[shabble]

Professor of journalism at City University Heather Brook writes at the Gaurdian

Someone's misspelt Grauniad.

Catch-22?

[NetAlien]

Does this prevent an implementer from disclosing it to the agency itself? "The Investigatory Powers Bill would also make it a criminal offense, punishable with up to 12 months in prison and/or a fine, for anyone involved to reveal the existence of those backdoors, in any circumstances (Section 190(8).)"

Re:George Orwell lacked vision

[Applehu+Akbar]

In a country where self defense is illegal in most circumstances, the legal theory is that any response to attacks on people, whether by criminals or terrorists, has to be a police matter. The price of such a philosophy is you have to keep granting the police more and more power. And then you find that's never enough.

What's the problem?

They demand a back door -- you make it. They ask what it is, you say you are in compliance with the law and cannot disclose any information.

WIN!

Re:Huh

[Tomahawk]

Only if they are in the UK. Everyone other country can find and tell everyone about the backdoors as they are not bound by UK law.

Re:Always assume they know...

[AmiMoJo]

They may have a 12 month sentence for anyone who leaks this information, but you have to assume that it will be leaked, and you have to assume that everyone (who wants to) will know how it works.

Even if it isn't leaked, chances are someone will find it. People are constantly looking for backdoors left in for debugging or by nefarious companies/governments, or for flaws that can be exploited. It's probably worse than 50/50 that the person discovering the problem will make it public rather than just selling it on the black market, or giving it to their employer (e.g. foreign security services).

This creates a huge problem for companies that are forced to create backdoors. When discovered will they be able to patch it immediately? Maybe the reason why some companies take months to fix problems is because GCHQ/NSA won't let them fix it. Will they be compensated for the reputational damage? If it's a security focused company a backdoor could destroy them.

Tech companies really need to move to another EU country where they will be safe from having their business destroyed overnight on the whims of a clueless Home Secretary.

The Lavabit route

[tepples]

Since you can't disclose it, what can you do?

Does discontinuing a service entirely, as Lavabit did, constitute "disclosing it"? Or does this bill allow the government to force a private British citizen to provide a service to the public against his will?

Re:George Orwell lacked vision

[MullerMn]

You read the bit where he stabbed a guy 4 times with a samurai sword, right? I know in Texas that sort of thing is fine, but in the UK that's not considered self defence.

Also, that article is from 11 years ago, can you not find a more relevant example? We've had 2 (semi) different governments since then.

Re:George Orwell lacked vision

What's missing from the story is the fact that Lindsay was a drug dealer. The men entered posing as drug buyers, Lindsay chased them outside repeatedly stabbing one of them in the back with a sword he kept to protect his "business".

Re:George Orwell lacked vision

[shugah]

More details. Carl Lindsay was a drug dealer, the 3 men showed up to purchase some pot and pulled a gun on him. The robber / victim, Stephen Swindells received 4 wounds, all inflicted from BEHIND and all inflicted AFTER chasing him from the home.