Encryption Backdoor Sneaks Into UK Law (theregister.co.uk)
Coisiche found a disturbing article from The Register about the U.K.'s new "Snoopers' Charter" law that has implications for tech companies around the world:
Among the many unpleasant things in the Investigatory Powers Act that was officially signed into law this week, one that has not gained as much attention is the apparent ability for the U.K. government to undermine encryption and demand surveillance backdoors... As per the final wording of the law, comms providers on the receiving end of a "technical capacity notice" will be obliged to do various things on demand for government snoops -- such as disclosing details of any system upgrades and removing "electronic protection" on encrypted communications. Thus, by "technical capability," the government really means backdoors and deliberate security weaknesses so citizens' encrypted online activities can be intercepted, deciphered and monitored... At the end of the day, will the U.K. security services be able to read your email, your messages, your posts and private tweets, and your communications if they believe you pose a threat to national security? Yes, they will.
The bill added the Secretaries of State as a required signatory to the "technical capacity" notices, which "introduces a minor choke-point and a degree of accountability." But the article argues the law ultimately anticipates the breaking of encryption, and without customer notification. "The U.K. government can certainly insist that a company not based in the U.K. carry out its orders -- that situation is specifically included in the new law -- but as to whether it can realistically impose such a requirement, well, that will come down to how far those companies are willing to push back and how much they are willing to walk away from the U.K. market."
These backdoors will be exploited by criminals. Hopefully IT companies won't comply with this madness.
sudo rm -r -f --no-preserve-root /
It's already here: Enter the CESG's very own MIKEY-SAKKE: http://www.theregister.co.uk/2016/02/04/gchq_voice_encryption/
UK Government-approved(TM) encryption. The backdoor isn't a backdoor, because the Gov says it isn't.
Here https://www.ncsc.gov.uk/articles/development-mikey-sakke is the take from the National Cyber Security Centre.
They can then just come knocking and ask for the keys. Already before this legislation they could imprison (indefinitely?) the one who refuses to give their keys on request.
I love Signal. The desktop/mobile platform is easy enough to get most of my friends on it, even non techies. However, I still have plenty of friends who say "I'm not a criminal, I don't need encryption" ... I have failed to convince them otherwise. Also, Signal is easier than encrypted email, just wish e2e email was easier.
Does this law mean a UK user could get thrown in jail for using an encryption scheme for which the government has no backdoor access?
Yes, section 49 of Part III of the Regulation of Investigatory Powers Act compels the operator of said encryption to hand over the keys or face prison.
That may work in a PGP-like setup but is completely useless when dealing with perfect forward secrecy like Signal uses. I don't HAVE the key for the past messages anymore, and if I deleted the messages NO ONE can decrypt them anymore.
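The distinction the comment above draws, as an added toy model (not code from the article, the commenter, or Signal): in a PGP-like scheme every message is encrypted to the recipient's long-term key, so a disclosed key unlocks the whole archive; in a forward-secret session the long-term identity key only authenticates, the session key comes from ephemeral values that are wiped, and the same disclosure recovers nothing. The DH group, the SHA-256 stream cipher and the HMAC standing in for a signature are constructed for the demo, not Signal's real primitives.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters (prime 2**127-1, generator 5): far too small for real use.
P = 2**127 - 1
G = 5

def kdf(shared: int, label: bytes) -> bytes:
    """Derive a 32-byte key from a DH shared secret."""
    return hashlib.sha256(label + shared.to_bytes(16, "big")).digest()

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher (SHA-256 keystream); demo only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)

def keygen():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

# --- PGP-like: every message is encrypted to the recipient's long-term key ---
def pgp_encrypt(recipient_pub: int, plaintext: bytes):
    r, gr = keygen()                       # per-message ephemeral on the sender side only
    return gr, stream_xor(kdf(pow(recipient_pub, r, P), b"pgp"), plaintext)

def pgp_decrypt(recipient_priv: int, envelope):
    gr, ct = envelope                      # the long-term key alone recovers any past message
    return stream_xor(kdf(pow(gr, recipient_priv, P), b"pgp"), ct)

# --- Forward-secret: fresh ephemeral keys on both sides; identity key only authenticates ---
def pfs_session(identity_priv: int, plaintext: bytes):
    """Returns only what an interceptor could have stored after the session ended."""
    a, ga = keygen()
    b, gb = keygen()
    key = kdf(pow(gb, a, P), b"pfs")       # equals kdf(pow(ga, b, P)) on the other side
    transcript = ga.to_bytes(16, "big") + gb.to_bytes(16, "big")
    auth_tag = hmac.new(identity_priv.to_bytes(16, "big"), transcript, "sha256").digest()
    ct = stream_xor(key, plaintext)
    del a, b, key                          # ephemeral secrets wiped when the session ends
    return ga, gb, auth_tag, ct

def pfs_attempt_with_disclosed_identity_key(identity_priv: int, intercepted):
    """A disclosed identity key confirms who talked, but cannot rebuild g^(a*b)."""
    ga, gb, auth_tag, ct = intercepted
    transcript = ga.to_bytes(16, "big") + gb.to_bytes(16, "big")
    expected = hmac.new(identity_priv.to_bytes(16, "big"), transcript, "sha256").digest()
    authenticated = hmac.compare_digest(auth_tag, expected)
    # Best available attempt: treat the identity key as if it were an ephemeral -> wrong key
    guess = stream_xor(kdf(pow(gb, identity_priv, P), b"pfs"), ct)
    return authenticated, guess
```

Run `pfs_attempt_with_disclosed_identity_key` on the tuple `pfs_session` returns: the authentication check passes, the recovered bytes are noise.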