Slashdot Mirror
Encryption Backdoor Sneaks Into UK Law (theregister.co.uk)
Coisiche found a disturbing article from The Register about the U.K.'s new "Snoopers' Charter" law that has implications for tech companies around the world:
Among the many unpleasant things in the Investigatory Powers Act that was officially signed into law this week, one that has not gained as much attention is the apparent ability for the U.K. government to undermine encryption and demand surveillance backdoors... As per the final wording of the law, comms providers on the receiving end of a "technical capacity notice" will be obliged to do various things on demand for government snoops -- such as disclosing details of any system upgrades and removing "electronic protection" on encrypted communications. Thus, by "technical capability," the government really means backdoors and deliberate security weaknesses so citizens' encrypted online activities can be intercepted, deciphered and monitored... At the end of the day, will the U.K. security services be able to read your email, your messages, your posts and private tweets, and your communications if they believe you pose a threat to national security? Yes, they will.
The bill added the Secretaries of State as a required signatory to the "technical capacity" notices, which "introduces a minor choke-point and a degree of accountability." But the article argues the law ultimately anticipates the breaking of encryption, and without customer notification. "The U.K. government can certainly insist that a company not based in the U.K. carry out its orders -- that situation is specifically included in the new law -- but as to whether it can realistically impose such a requirement, well, that will come down to how far those companies are willing to push back and how much they are willing to walk away from the U.K. market."
The bill added the Secretaries of State as a required signatory to the "technical capacity" notices, which "introduces a minor choke-point and a degree of accountability." But the article argues the law ultimately anticipates the breaking of encryption, and without customer notification. "The U.K. government can certainly insist that a company not based in the U.K. carry out its orders -- that situation is specifically included in the new law -- but as to whether it can realistically impose such a requirement, well, that will come down to how far those companies are willing to push back and how much they are willing to walk away from the U.K. market."
this
the challenge is to make truly decentralised versions of Internet communications technology popular and easy to use, therefore adopted widely. ...and to do this quickly, so decentral tech can be well established before governments try to make decentral and personally owned comms and encryption technology illegal.
Where are we going and why are we in a handbasket?
What will be your solution be when your comm provider blocks "illegal" encryption?
Use steganography. If they believe it's not encrypted, they'll let it go through.
Write boring code, not shiny code!
You can guarantee the industry will respond by pushing the blame onto customers as far and as fast as possible. Once you've got a security weakness in there that you *cannot legally fix* there's basically no other way for companies to respond. Sure, mandate that we all have to make a copy of our keys and leave them with the gubmint - I can guarantee they'll refuse to be held responsible when China or Russia steals ALL of them. That's your problem.
Fuck it, just take all the security off and we can laugh as the whole UK economy goes down in a fireball.
I hope these politicians are moving their finances off-shore because they won't be able to live in the world they're creating.