Encryption Backdoor Sneaks Into UK Law (theregister.co.uk)
Coisiche found a disturbing article from The Register about the U.K.'s new "Snoopers' Charter" law that has implications for tech companies around the world:
Among the many unpleasant things in the Investigatory Powers Act that was officially signed into law this week, one that has not gained as much attention is the apparent ability for the U.K. government to undermine encryption and demand surveillance backdoors... As per the final wording of the law, comms providers on the receiving end of a "technical capacity notice" will be obliged to do various things on demand for government snoops -- such as disclosing details of any system upgrades and removing "electronic protection" on encrypted communications. Thus, by "technical capability," the government really means backdoors and deliberate security weaknesses so citizens' encrypted online activities can be intercepted, deciphered and monitored... At the end of the day, will the U.K. security services be able to read your email, your messages, your posts and private tweets, and your communications if they believe you pose a threat to national security? Yes, they will.
The bill added the Secretaries of State as a required signatory to the "technical capacity" notices, which "introduces a minor choke-point and a degree of accountability." But the article argues the law ultimately anticipates the breaking of encryption, and without customer notification. "The U.K. government can certainly insist that a company not based in the U.K. carry out its orders -- that situation is specifically included in the new law -- but as to whether it can realistically impose such a requirement, well, that will come down to how far those companies are willing to push back and how much they are willing to walk away from the U.K. market."
The government wants back doors on demand, but sooner or later a government worker will see the opportunity to sell the details ...
And he then retires.
The term used, 'relevant provider', if you dig through the definitions, is only defined as 'a person who provides a postal or telecommunications service', which is broad enough to cover basically anything from someone running a wifi hotspot on to a massive ISP.
It can also plausibly be read as software vendors, including open source ones resident in the UK (or for whom it is considered reasonable to compel even though they are outside the UK).
This is UK primary legislation - it has theoretically been scrutinised by both houses of parliament.
The actual enabling secondary legislation - that specifies how all this works and lets us understand how bad it is - will just go through on the nod.
will be for law-abiding citizens and low-grade criminals/terrorists/... The real bad boys will know how to and will use good encryption. But then I can't see that the Food Standards Agency would be interested in real, hard, nasty people. This is why people are calling Theresa May the Pry Minister.
You can badger my comms provider all you want. They don't have access to my keys or software.
Have gnu, will travel.
This will lead to "UK import grade cryptography", where the rest of the world will have security, and UK will have back doors they wanted so badly. Plus, thanks to Brexit it isn't like they are that big of a market.
Here comes UK_1DES and Dual_UK_DRBG.
You mean like Apple DRM that locks you out of your legal audio library after an OS update until you authenticate yourself again via apple.com? How about Steam DRM, Sony DRM, Microsoft DRM, Adobe DRM, Oracle DRM, IBM DRM? Fsckwit. Let's add Samsung, LG and Sony HDTVs that call home as soon as you turn them on and disable network functionality when the mothership cannot be contacted. And you're worried about a trivial DRM in text files that has been breakable for years? Dumbass.
Circumventing DRM is illegal and has been since the 90s - all hail the USA and their mighty dollar that tells lapdog countries like those in Europe what laws they have to implement.
Right. Because companies abandoned China in droves because of their evil policies.
Oh, wait. No they didn't. Every man and their dog wants to move into the massively growing and profitable market of China.
The UK is the same deal. It's a massive financial and tech hub, so companies aren't going anywhere.
Though they ARE busy trying to wreck that with the Brexit.
The population of China is roughly 1.4 billion people. The population of England is 0.053 billion. England has 4% of the population of China. Tech companies care a lot more about the marketplace of China than they do about England.
So that leaves the "massive financial and tech hub" you describe in England. How many financial companies are going to want to maintain, never mind expand, their presence in a country which is allowed to actively monitor their most secure communications? If I were CEO of a global financial company I would be very concerned about the backlash from my customers if my company were to remain in such a country.
"At the end of the day, will the U.K. security services be able to read your email, your messages, your posts and private tweets, and your communications if they believe you pose a threat to national security? Yes, they will".
At the end of the day, will the U.K. security services be able to read your email, your messages, your posts and private tweets, and your communications if they feel like it? Yes, they will.
FTFY.
I am sure that there are many other solipsists out there.
You can't put a back door in something, and only have certain people able to walk through it. If there's a vulnerability in the encryption that can be used to crack it by the service provider, someone else can do the same.
If this were implemented in the UK, it would totally kill Web commerce there. Who's going to put financial details across the Internet when it's as good as sent unencrypted? And if actual encryption is permitted for that purpose, well, then it can be used for any other purpose too.
I don't know why it's so difficult to understand. If you deliberately make something insecure, then it is, by definition, insecure. If it's designed to be secure, then even the designer can't break in, because if they can, someone else could do the same.
To fight the war on terror, stop being afraid.
You mean someone other than the people who work in the UK government, like that bunch of criminals isn't enough?
More importantly, I suspect this will quite quickly drive many large businesses out of London. Those companies rely on their secrets; the prospect of any bored intern "with their heart in the right place" being able to send their every dirty secret to the Daily Mail almost certainly will guarantee those already concerned by Brexit relocate their offices sharpish.
It's the whole UK you need to consider, not just England, you geographically-challenged clod.
But yes, AFAIK a not inconsiderable amount of the financial institutions HQ'd in London have made and are beginning to act on plans to leave the UK for (likely) Paris. The City of London (i.e. the tiny bit full of the worst of the wankers) is stuffed full of them and they're all going to bugger off, likely reducing property prices there and as any semblance of financial recovery in the UK is based on a property boom that couldn't be sustained for much longer anyway, it'll boot the UK into recession. Again. All because that plank Cameron wanted to appease the swivel-eyed loons in his party. And now the spineless fuck has swanned off.
And you think you have trouble with President-Elect Tangerine?
There is a third option.
Move to a third world country where the government doesn't have the resources to waste on this kind of shit.