UK Gov't Can Demand Backdoors, Give Prison Sentences For Disclosing Them

An anonymous reader writes with some of the latest news about the draft Investigatory Powers Bill. Ars reports: "Buried in the 300 pages of the draft Investigatory Powers Bill (aka the Snooper's Charter), published on Wednesday, is something called a 'technical capability notice' (Section 189). Despite its neutral-sounding name, this gives the UK's home secretary almost unlimited power to impose 'an obligation on any relevant operators'—any obligation—subject to the requirement that 'the Secretary of State considers it is reasonable to do so.' There is also the proviso that 'it is (and remains) practicable for those relevant operators to comply with those requirements,' which probably rules out breaking end-to-end encryption, but would still allow the home secretary to demand that companies add backdoors to their software and equipment. That's bad enough, but George Danezis, an associate professor in security and privacy engineering at University College London, points out that the Snooper's Charter is actually much, much worse. The Investigatory Powers Bill would also make it a criminal offense, punishable with up to 12 months in prison and/or a fine, for anyone involved to reveal the existence of those backdoors, in any circumstances (Section 190(8).)"

Professor of journalism at City University Heather Brook writes at the Gaurdian: "When the Home Office and intelligence agencies began promoting the idea that the new investigatory powers bill was a “climbdown”, I grew suspicious. If the powerful are forced to compromise they don’t crow about it or send out press releases – or, in the case of intelligence agencies, make off-the-record briefings outlining how they failed to get what they wanted. That could mean only one thing: they had got what they wanted. So why were they trying to fool the press and the public that they had lost? Simply because they had won. I never thought I’d say it, but George Orwell lacked vision. The spies have gone further than he could have imagined, creating in secret and without democratic authorization the ultimate panopticon. Now they hope the British public will make it legitimate."

Scary stuff and nobody cares

[RobinH]

The scariest thing about living in a "democracy" (Republic) now is that the *majority* really don't care about their rights, as long as they can watch their reality TV and they have someone to publicly shame on Facebook/Twitter.

Re:Scary stuff and nobody cares

[oobayly]

I have a colleague who is perfectly happy to throw away his rights - "I don't care what they do if it's anti-terror related" and "we need to get rid of all this human rights bullshit", which was in response to my mention of civil rights, namely being detained without charge and warrant-less access of private data.

The problem is that civil/human rights don't feature very high up on people's priorities because they don't need the obvious ones on a daily basis, and they don't realise how much of our daily lives is made possible because of those rights. More succinctly - people don't care about their rights until they need them.

In a way, it's very similar to how all these people are leaving their countries to join ISIL - they're blind to the freedoms they've been afforded and go off to fight the kind of regimes their parents fought to escape from.

Only if the home secratary thinks it's reasonable

[serviscope_minor]

Ooh it's all OK then. It'll only happen if the home secretary thinks it's "reasonable". Good job we don't have a party independent constitution which guarantees there's always a hard line nutcases as home secretary.

The answer of "is it reasonable according to the home secretary" is always a resounding "yes", with a side order of "fuck you, proles".

Re:If you find a backdoor

[rcase5]

Is this like American law?

No, it isn't. In the 90s, there was an effort by the Clinton Administration to implement a key escrow system whereby all encrypted transmissions would have been required to submit encryption keys to some agency, so that the government could eavesdrop on those transmissions. The IT community here in the U.S. had a shit fit, and eventually defeated that idea, even though the Clinton Administration tried to scare us into thinking that if they couldn't monitor such transmissions, all sorts of awful things might happen. Except for the attacks on September 11, 2001, nothing has happened here, and our government still had plenty of warning about those attacks even without these system in place.

There have been other stories more recently where large telecommunications companies have been cooperating with the U.S. Government in essentially making a copy of all transmissions over the Internet. While those companies were not required to comply (and there were a few who chose not to), they did anyway. There was a huge stink made about that as well, and as far as I know, those operations have been shut down (I'm sure someone will correct me if I'm wrong).

As far as I know, nobody here in the U.S. is required to install back doors into their systems so that government agencies can gain access at-will. After the kerfuffle in the 90s, I seriously doubt such a measure would pass into law. In a way, this highlights the silliness of the UK undertaking such a measure in their law. If UK concerns are required to put in back doors, but nobody else in the world has the same requirement, it means the UK government is essentially spying on their own citizens. They are also increasing the likelihood that a foreign concern (government, company or individual) could break into these systems and make it easier for them to effectively spy on the UK. This would drive people to host their email and web sites (among other things) on foreign servers (likely US or Canada), and could put UK hosting providers out of business, along with other consequences.

If I were a British subject, I would complain to my representatives, LOUDLY, that this is a really bad idea.

Shortsighted law

[wienerschnizzel]

So what happens if the backdoor leads to a different criminal offence - such as leaking of the medical records of millions of citizens? Will the company be allowed to disclose that the vulnerability has been introduced to comply with another law? Can the company be held liable for the consequences?