Slashdot Mirror
Encryption Backdoor Sneaks Into UK Law (theregister.co.uk)
Coisiche found a disturbing article from The Register about the U.K.'s new "Snoopers' Charter" law that has implications for tech companies around the world:
Among the many unpleasant things in the Investigatory Powers Act that was officially signed into law this week, one that has not gained as much attention is the apparent ability for the U.K. government to undermine encryption and demand surveillance backdoors... As per the final wording of the law, comms providers on the receiving end of a "technical capacity notice" will be obliged to do various things on demand for government snoops -- such as disclosing details of any system upgrades and removing "electronic protection" on encrypted communications. Thus, by "technical capability," the government really means backdoors and deliberate security weaknesses so citizens' encrypted online activities can be intercepted, deciphered and monitored... At the end of the day, will the U.K. security services be able to read your email, your messages, your posts and private tweets, and your communications if they believe you pose a threat to national security? Yes, they will.
The bill added the Secretaries of State as a required signatory to the "technical capacity" notices, which "introduces a minor choke-point and a degree of accountability." But the article argues the law ultimately anticipates the breaking of encryption, and without customer notification. "The U.K. government can certainly insist that a company not based in the U.K. carry out its orders -- that situation is specifically included in the new law -- but as to whether it can realistically impose such a requirement, well, that will come down to how far those companies are willing to push back and how much they are willing to walk away from the U.K. market."
The bill added the Secretaries of State as a required signatory to the "technical capacity" notices, which "introduces a minor choke-point and a degree of accountability." But the article argues the law ultimately anticipates the breaking of encryption, and without customer notification. "The U.K. government can certainly insist that a company not based in the U.K. carry out its orders -- that situation is specifically included in the new law -- but as to whether it can realistically impose such a requirement, well, that will come down to how far those companies are willing to push back and how much they are willing to walk away from the U.K. market."
These backdoors will be exploited by criminals. Hopefully IT companies won't comply to this madness.
sudo rm -r -f --no-preserve-root /
Well played, community. Well played.
The government wants back doors on demand, but sooner or later a government worker will see the opportunity to sell the details ...
And he then retires.
Since it only requires a magistrate to sign a warrant not a judge just assume that no warrant is needed. Everyone's data will be collected regardless of guilt.
The term used 'relevant provider' - if you dig through the definitions is only defined as 'a person who provides a postal or telecommunications service' - which is broad enough to cover basically anything from someone running a wifi hotspot on to a massive ISP.
It can also plausibly be read as software vendors - including open source ones resident in the UK (or for who it is considered reasonable to compel even though they are outside the uk).
This is UK primary legislation - it has theoretically been scrutinised by both houses of parliament.
The actual enabling secondary legislation - that specifies how all this works and lets us understand how bad it is will just go through on the nod.
will be for law abiding citizens and low grade criminals/terrorists/... The real bad boys will know how to and will use good encryption. But then I can't see that the food standards agency would be interested in real, hard, nasty people. This is why people are calling Theresa May the Pry Minister.
You can badger my comms provider all you want. They don't have access to my keys or software.
Have gnu, will travel.
if some big tech companies would leave the U.K. market because of that. But of course it wouldn't go well with the shareholders. :D
... the difference between innocent content and encrypted content that uses steganography to appear innocent?
File under 'M' for 'Manic ranting'
This will lead to "UK import grade cryptography", where the rest of the world will have security, and UK will have back doors they wanted so badly. Plus, thanks to Brexit it isn't like they are that big of a market.
Here comes UK_1DES and Dual_UK_DRBG.
It's gonna be perfectly legal for Amazon to sell you that DRM encrypted book that you cannot decrypt.
"At the end of the day, will the U.K. security services be able to read your email, your messages, your posts and private tweets, and your communications if they believe you pose a threat to national security? Yes, they will".
At the end of the day, will the U.K. security services be able to read your email, your messages, your posts and private tweets, and your communications if they feel like it? Yes, they will.
FTFY.
I am sure that there are many other solipsists out there.
You can't put a back door in something, and only have certain people able to walk through it. If there's a vulnerability in the encryption that can be used to crack it by the service provider, someone else can do the same.
If this were implemented in the UK, it would totally kill Web commerce there. Who's going to put financial details across the Internet when it's as good as sent unencrypted? And if actual encryption is permitted for that purpose, well, then it can be used for any other purpose too.
I don't know why it's so difficult to understand. If you deliberately make something insecure, then it is, by definition, insecure. If it's designed to be secure, then even the designer can't break in, because if they can, someone else could do the same.
To fight the war on terror, stop being afraid.
...we're fucked.
Strong encryption puts the tiniest grain of autonomy and economic power in the hands of the common folk. Such an egregious abomination against propriety will never be tolerated!
The two options left are to emigrate to a country that understands the dangers of compromising cryptography and personal rights, or create a country that will, through legal or extralegal means.
The opportunities to do either are dwindling with every day. The US for instance now requires thousands of dollars in fees to even have the opportunity to renounce your citizenship, and I imagine other countries will soon follow America's Shining Example(TM) and find new ways to keep their citizens from leaving while rent seeking the ones with the sense and means to.
Captcha was 'cudgels'. Likely some bloke in a bowler's hat, eh?
make UK great again!
The US and UK are now just copying China. They've seen how people will just accept it and let them do anything they want. Bunch of sheep... The only good thing I see is this will push us even more to create tougher encryption and anonymity tools. Encrypt everything, encrypt it now.
Does this law mean a UK user could get thrown in jail for using an encryption scheme for which the government has no backdoor access?
Who wants to comply this way?
1. The users password works .gov.uk domain, there's another backdoor password "admin"
2. There's a government backdoor password
3. If if's a computer located in the
I'll take my Nobel Peace Prize to go, please...
Well, that's the end of UK companies providing encryption.
Does this mean the network stack in an operating system? Can the existence of a communication service be leveraged into installing key-loggers, screen grabbers or RAM grabbers.
This might be aimed more at the "decrypt this phone" order than the "give us universal decryption" order that occurred with the San Bernardino shooter. Which is small comfort, since the manufacturer must destroy the user's privacy in either case.
Wrong question: How can they stop that foreign company from putting back-doors into the UK government? That problem has always existed but demanding they install back-doors empowers a foreign company to sell the same insecure equipment to the government. Can the UK government walk away from their own legacy systems?
No it doesn't she was the home secretary that tried to push this through, failed, got promoted as the pro-brexit leader even though she wasn't pro-brexit, and now forces through the whole thing now she has the whiphand.
Oh you mean a choke-point in the form of a jackboot on the throat of the people. Yup your right.
For the rest of the World anyway.
Let the UK implement their silly backdoor idea and just sit back and wait.
If a decade goes by without the whole thing being compromised it would impress me.
See how much it costs them to clean up that mess after someone exploits their newly implemented idea.
A master key is very convenient, but very insecure. Both digitally and in its original form, the common door lock.
Though, when I needed to bypass such things ( door locks ) I certainly appreciated it when they made my job that much easier.
Sadly the governments of the world are heading in an non-democratic direction and the masses are gobbling it up. If you want freedom, liberty, security you're not going to be able to live just anywhere. You are going to have to move. There is no other solution that'll work.
Jason Sorens realized this way back in 2001. He realized the only way that we'll ever be able to secure some level of freedom moving forward is if enough people moved to a prosperous region for the pursuit of it. His essay got a lot of people interested in the idea, and from that the Free State Project was started. Today the Free State Project has attracted 20,000 participants and about 10% have moved already. This past March the migration officially started and we're seeing lots of new movers to New Hampshire as a result.
We have a lot of people in our community here in New Hampshire who are working on technological hacks to work around many of these sorts of bad laws. ThinkPenguin, Inc which was focused on technological freedom moved to New Hampshire this past March for example. They've been working on and sponsoring a project and standard called EOMA68. EOMA68 is a modular computing standard that is designed to make it easy and less costly to design freedom-respecting computing devices like laptops, tablets, cameras, and cell phones. When users have control over their devices the government and corporations don't.
From Silk Road-like projects to BitCoins there are projects based out of New Hampshire to decentralize market places (fixes Tor/Silk Road related issues), ride sharing (ie decentralized Uber), decentralized 'policing' (non-emergency or minor emergencies thus far really via cell phone apps), to move the control of currency from the hands of government to the hands of the people (we have lots of BitCoin start-ups), per capita, Keene has more bitcoin-friendly businesses than does San Francisco, the supposed #1 place for BitCoin acceptance.
Real principled libertarians don't sacrifice freedom for the sake of security. We understand that life involves risks and that eliminating all risk is a threat to democracy. We don't believe in the use of violence, fraud, theft, or coercion to achieve political or social goals. The government should be minimal if it exists at all. There should be no boarder guards or taxes (if we can't eliminate we should at least minimize to whatever extant its currently feasible). One (board guards) depends on the later (taxes) and both depend on the use of force against peaceful people. We are not pacifists mind you. We do believe in the use of violence for self-defence to whatever extent it is necessary. We believe in the right to travel without government permission slips (drivers licenses) utilizing whatever the common mode of transport of the day is (right to travel is something that was undermined, but is in the constitution).
We the people should not be made dependent on government assistance. Rather we should say no to taxes and all social programs in all forms rather than support inefficient and unethical wealth redistribution programs. These programs depends on the use of coercion, theft, and violence to enforce. When people are not coerced into paying vehicular registration (a form of tax), sales taxes, property taxes, income taxes, drivers licenses, business licenses, self-employment taxes, employee taxes (your income is taxed more than you think- the government takes 15% from you, but the business is also forced to pay another 15% for employing you), import tariffs, and more.
The majority could stand on their own two feet without the assistance of others if only the government stopped stealing. Those that remain in poverty can be easily supported by the charity of others (at one time people donated voluntarily 10% of their income to charity). Sadly the people have been intimidated and scared into socialism that has caused more harm than good. They add "rights" that then violate other people's rights. We will end up like Cuba, Venezuela, Russia, and much of Europe if w
...why don't they mandate that nobody is allowed locks on their back doors? We want the police to be able to sneak in and check up on us in case we're criminals, peodophiles, or terrorists, don't we?
I guess the UK decided that they are generously giving their businesses to the EU. Forget about tech companies, the inability to keep their confidential secure will scare away many more
Everyone who wants encryption will always have it. Even if you were to ban general purpose computers small children could easily learn to encrypt and decrypt OTP with pencil and paper.
Those who want to communicate in secret retain that capability no matter what as they have been able to do since the beginning of civilization.
These laws are exclusively about mass surveillance. Limits to government power isn't just because people don't want to be fucked with. Fundamentally the most compelling reason limits are essential is to protect government from itself.
Ok, Microsoft, several big banks, and some comms gear makers add more back doors to their products because of the UK Buggery Division.
Some bad person uses said backdoors and siphons 100 Million quid out to Russia via the Caymans. Who pays?
1) Govt Ex Gratia payment
2) British insurance company
3) Depositors ?
4) Software company under consumer rights?
5) Shareholders (Who rely on a due process annual report - that security is sound - not rooted)
6) Do security professionals get told to shut up - and become toadies?
Suddenly the UK does not look attractive.
... is that people who adopted it don't understand really how things work. The moment one installs a backdoor into a program, that can be found and accessed by anyone. And usually the people looking for those are either working for security companies (case in which it isn't that much of a problem, provided those people's ethics are intact) or not - and it's the latter that carries some issues with it.
I can understand the concern for security, however this exposes everybody, not only people with malicious intent, and it can have effects that ripple beyond getting law enforcement new tools. It can put everybody's data at risk and this means everybody, from large corporations who are using backdoored software to individuals trying to protect their naughty (or not) private pictures.
I suppose it all boils down to stopping usage of the cloud, storing everything locally with drawer HD and/or optical medium backups, middle fingering iCloud, Dropbox, Google Drive, OneDrive and so on. Losing convenience over gaining safety and security is one way of dealing with the whole issue.
As for browsing histories and what not, I don't really think people who wish to do harm are googling incriminating stuff or accessing suspect websites, so it's all looking rather pointless. Then again, people give up their data rather easily e.g. to Google for convenience, so the issue lies with educating people. I fear though that when it will become apparent to everybody, it will be too late. People don't realise it now, in the 11th hour, albeit there are strong warnings out there - https://en.wikipedia.org/wiki/...
By always encoding small messages into very large bundles it forces them to hire more people to check manually.
That creates jobs, slows down their progress, increases errors, and fills up their storage.
They'll just get tired and go away after awhile.
Lovely poem. Think I saw that written on the wall of a public toilet. In shit. It was spelled better than you though.
I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
Today's backdoor - tomorrow's downgrade attack.