Slashdot Mirror


Encryption Backdoor Sneaks Into UK Law (theregister.co.uk)

Coisiche found a disturbing article from The Register about the U.K.'s new "Snoopers' Charter" law that has implications for tech companies around the world: Among the many unpleasant things in the Investigatory Powers Act that was officially signed into law this week, one that has not gained as much attention is the apparent ability for the U.K. government to undermine encryption and demand surveillance backdoors... As per the final wording of the law, comms providers on the receiving end of a "technical capacity notice" will be obliged to do various things on demand for government snoops -- such as disclosing details of any system upgrades and removing "electronic protection" on encrypted communications. Thus, by "technical capability," the government really means backdoors and deliberate security weaknesses so citizens' encrypted online activities can be intercepted, deciphered and monitored... At the end of the day, will the U.K. security services be able to read your email, your messages, your posts and private tweets, and your communications if they believe you pose a threat to national security? Yes, they will.
The bill added the Secretaries of State as a required signatory to the "technical capacity" notices, which "introduces a minor choke-point and a degree of accountability." But the article argues the law ultimately anticipates the breaking of encryption, and without customer notification. "The U.K. government can certainly insist that a company not based in the U.K. carry out its orders -- that situation is specifically included in the new law -- but as to whether it can realistically impose such a requirement, well, that will come down to how far those companies are willing to push back and how much they are willing to walk away from the U.K. market."

42 of 137 comments

  1. They never learn by volodymyrbiryuk · · Score: 5, Informative

    These backdoors will be exploited by criminals. Hopefully IT companies won't comply to this madness.

    --
    sudo rm -r -f --no-preserve-root /
    1. Re:They never learn by mSparks43 · · Score: 5, Insightful

      You mean someone other than the people who work in the UK government, like that bunch of criminals isn't enough?

      More importantly I suspect this will quite quickly drive many large businesses out of London. Those companies rely on their secrets, the prospect of any bored intern "with their heart in the right place" being able to send their every dirty secret to the Daily Mail almost certainly will guarantee those already concerned by Brexit relocate their offices sharpish.

    2. Re:They never learn by Freischutz · · Score: 2

      These backdoors will be exploited by criminals. Hopefully IT companies won't comply to this madness.

      You mean someone other than the people who work in the UK government, like that bunch of criminals isn't enough?

      More importantly I suspect this will quite quickly drive many large businesses out of London. Those companies rely on their secrets, the prospect of any bored intern "with their heart in the right place" being able to send their every dirty secret to the Daily Mail almost certainly will guarantee those already concerned by Brexit relocate their offices sharpish.

      Relax boys, it's all being done in the name of freedom.

    3. Re:They never learn by lsatenstein · · Score: 2

      These backdoors will be exploited by criminals. Hopefully IT companies won't comply to this madness.

      No more on-line banking ever more as you know it. If the government can get the decryption capability, so can the criminals.
      Not only that, I dare you to use your credit/debit card at any retailer. WOW.

      --
      Leslie Satenstein Montreal Quebec Canada
  2. Opportunity Cost + Retirement Fund by BoRegardless · · Score: 5, Insightful

    The government wants back doors on demand, but sooner or later a government worker will see the opportunity to sell the details ...

    And he then retires.

  3. For added fun. by queazocotal · · Score: 5, Insightful

    The term used 'relevant provider' - if you dig through the definitions is only defined as 'a person who provides a postal or telecommunications service' - which is broad enough to cover basically anything from someone running a wifi hotspot on to a massive ISP.
    It can also plausibly be read as software vendors - including open source ones resident in the UK (or for whom it is considered reasonable to compel even though they are outside the UK).
    This is UK primary legislation - it has theoretically been scrutinised by both houses of parliament.
    The actual enabling secondary legislation - that specifies how all this works and lets us understand how bad it is will just go through on the nod.

    1. Re:For added fun. by fustakrakich · · Score: 2

      It can also plausibly be read as software vendors - including open source ones resident in the UK (or for whom it is considered reasonable to compel even though they are outside the UK).

      Better encryption will just have to be anonymously created and maintained. But, once again, our dependence on the ISP for service makes all that moot when they engage in deep packet inspection and block and report all unauthorized protocols traveling through their wire. The only long term solution will be P2P ad hoc networking. There is no other way.

      --
      “He’s not deformed, he’s just drunk!”
    2. Re:For added fun. by queazocotal · · Score: 2

      P2P ad-hoc doesn't really work. Mesh has various spectral problems - there isn't enough free legal spectrum.
      In addition, without a central operator, everyone has the opportunity to cheat, and use more of the bandwidth for their traffic than is fair.
      This, and bottlenecking due to random distribution of nodes means it basically can't work unless the P2P/mesh is over a very short distance of a few nodes only and it then hops off to the 'proper' internet.

    3. Re:For added fun. by fustakrakich · · Score: 2

      P2P ad-hoc doesn't really work.

      So it's hopeless then? Should we just put our hands up, and say *We surrender*? I, for one, would love to know what would work. Personally I see the latency, bandwidth, jamming issue as a temporary one. Obstructions are meant to be overcome. Let's use any and all means available, and let the authoritarians weep.

      --
      “He’s not deformed, he’s just drunk!”
    4. Re:For added fun. by fustakrakich · · Score: 2

      Yeah, no doubt about it, we will have to be mobile, and maybe plant little self powered access points all over the city, in office broom closets, or in sunny spots in the street. Kinda "sprinkle" them around, keep 'em chasing after ghosts. What is really needed is to turn the majority away from authoritarian governments. That is the hard part. In the meantime, cat and mouse it is. May the best man win...

      --
      “He’s not deformed, he’s just drunk!”
  4. The only communications affected by Alain+Williams · · Score: 3, Insightful

    will be for law-abiding citizens and low grade criminals/terrorists/... The real bad boys will know how to and will use good encryption. But then I can't see that the food standards agency would be interested in real, hard, nasty people. This is why people are calling Theresa May the Pry Minister.

    1. Re:The only communications affected by Freischutz · · Score: 2

      will be for law-abiding citizens and low grade criminals/terrorists/... The real bad boys will know how to and will use good encryption. But then I can't see that the food standards agency would be interested in real, hard, nasty people. This is why people are calling Theresa May the Pry Minister.

      Oh, I think they are calling her way worse names than that.

    2. Re:The only communications affected by John+Allsup · · Score: 3, Insightful

      I wrote a letter to my MP, which was forwarded to some minister, who replied with the usual political "don't think it's right criminals and terrorists can communicate in secret" lines, saying that they do not intend to prevent people using strong cryptography (oblivious to the contradictions in what he wrote), and essentially the whole point, that end-to-end encrypted messaging can be achieved by anybody with a LAMP stack online somewhere and a couple of hours to write a few hundred lines of PHP, JavaScript and HTML (using CryptoJS). We have a government of technologically clueless idiots.

      --
      John_Chalisque
    3. Re:The only communications affected by AmiMoJo · · Score: 2

      The really bad guys don't even bother. All the recent terror attacks have one thing in common: they didn't bother much with encryption.

      That's why governments want these laws. They think they will be able to spot these attacks. They are wrong, they will be overwhelmed with data and the bad guys will quickly start encrypting, along with everyone else. The damage done to the economy will be difficult to measure, but significant.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:The only communications affected by AHuxley · · Score: 2

      They will just revert to the trusted networks of the 1950-80's. A holiday, tour, massive flow of illegal migrants, students, study trip or part of the jet set. Takes a few days or weeks for the round trip but no calls, voices or computer needed. MI6 or the CIA might get a photo of a meeting but if nothing is said and no later digital files exist...
      The security service contractors sold the UK that every interesting person, group cult, faith, political party, criminal would always talk on the phone (voice print), use a fax and have network computers, bank accounts just like in the 1980's over the next decades.
      A phone call, file, computer network would always play a key role in any activity.
      The interesting people just revert to their own face to face global networks. For that the security services need local informants. That's hard too if interesting groups are closed and never need strangers.

      --
      Domestic spying is now "Benign Information Gathering"
    5. Re:The only communications affected by AHuxley · · Score: 2

      The security services would have dedicated efforts on any trending app.
      VPN use does not pose any issues to the GCHQ. It even makes the more interesting people easier to find on any UK network :)

      --
      Domestic spying is now "Benign Information Gathering"
  5. End-to-end encryption by PPH · · Score: 4, Insightful

    You can badger my comms provider all you want. They don't have access to my keys or software.

    --
    Have gnu, will travel.
    1. Re:End-to-end encryption by fustakrakich · · Score: 2

      What will your solution be when your comm provider blocks "illegal" encryption?

      --
      “He’s not deformed, he’s just drunk!”
    2. Re:End-to-end encryption by presidenteloco · · Score: 3, Interesting

      this

      the challenge is to make truly decentralised versions of Internet communications technology popular and easy to use, therefore adopted widely. ...and to do this quickly, so decentral tech can be well established before governments try to make decentral and personally owned comms and encryption technology illegal.

      --
      Where are we going and why are we in a handbasket?
    3. Re:End-to-end encryption by currently_awake · · Score: 2

      That's alright, the provider of your OS will be compelled to "update" your machine to provide them your code keys.

    4. Re:End-to-end encryption by Pieroxy · · Score: 3, Interesting

      What will your solution be when your comm provider blocks "illegal" encryption?

      Use steganography. If they believe it's not encrypted, they'll let it go through.

    5. Re:End-to-end encryption by Anonymous Coward · · Score: 3, Informative

      They can then just come knocking and ask for the keys. Already before this legislation they could imprison (indefinitely?) the one who refuses to give their keys on request.

    6. Re:End-to-end encryption by Place+a+name+here · · Score: 2

      Pluggable transports to the rescue.

    7. Re:End-to-end encryption by johanw · · Score: 4, Informative

      That may work in a PGP-like setup but is completely useless when dealing with perfect forward secrecy like Signal uses. I don't HAVE the key for the past messages anymore, and if I deleted the messages NO ONE can decrypt them anymore.
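The forward-secrecy point in the comment above, as an added illustration that is not code from this thread, from Signal, or from any library it uses: a toy symmetric hash ratchet in which each message key is derived once and the chain key is then replaced by its one-way successor, so a party compelled to hand over its state later can only produce keys for messages from that point on. The HMAC-SHA256 key derivation, the XOR keystream standing in for a real AEAD, the fixed root keys and the sample plaintexts are all constructed for the demonstration; the static-key function alongside it shows the PGP-style contrast the comment draws.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Added illustration (not from the thread): a toy symmetric hash ratchet showing why a
# forward-secret messenger cannot hand over keys for past messages. It is NOT Signal's
# Double Ratchet, and the XOR stream below is a stand-in for a real AEAD cipher.

MESSAGES: List[bytes] = [b"meet at 9", b"bring the docs", b"running late"]  # constructed samples


def kdf(key: bytes, label: bytes) -> bytes:
    """Derive a 32-byte subkey with HMAC-SHA256. One-way: the output does not reveal `key`."""
    return hmac.new(key, label, hashlib.sha256).digest()


def keystream_xor(key: bytes, nonce: int, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || nonce || counter) blocks.
    Encryption and decryption are the same operation. Demonstration only."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce.to_bytes(8, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class RatchetSession:
    """Stores only the *current* chain key. Each message key is derived, used once, and the
    chain key is replaced by its one-way successor, so earlier keys no longer exist anywhere."""

    def __init__(self, root_key: bytes) -> None:
        self.chain_key = root_key
        self.index = 0

    def _step(self) -> Tuple[int, bytes]:
        idx, msg_key = self.index, kdf(self.chain_key, b"message")
        self.chain_key = kdf(self.chain_key, b"chain")  # the old chain key is overwritten here
        self.index += 1
        return idx, msg_key

    def encrypt(self, plaintext: bytes) -> Tuple[int, bytes]:
        idx, key = self._step()
        return idx, keystream_xor(key, idx, plaintext)

    def decrypt(self, idx: int, ciphertext: bytes) -> bytes:
        """Receiver kept in lockstep with the sender (this toy has no out-of-order handling)."""
        my_idx, key = self._step()
        assert my_idx == idx, "toy receiver expects messages in order"
        return keystream_xor(key, idx, ciphertext)


def key_from_state(chain_key: bytes, state_index: int, target_index: int) -> Optional[bytes]:
    """Everything a holder of the chain key at `state_index` can compute: message keys for
    target_index >= state_index. Earlier keys would require inverting HMAC-SHA256, hence None."""
    if target_index < state_index:
        return None
    ck = chain_key
    for _ in range(target_index - state_index):
        ck = kdf(ck, b"chain")
    return kdf(ck, b"message")


def ratchet_demo(root_key: bytes = b"\x01" * 32) -> Dict[str, object]:
    sender, receiver = RatchetSession(root_key), RatchetSession(root_key)
    transcript = [sender.encrypt(m) for m in MESSAGES]          # (index, ciphertext) as seen on the wire
    received = [receiver.decrypt(idx, ct) for idx, ct in transcript]

    # Compelled disclosure or device seizure AFTER the three messages: only the current state exists.
    seized_chain_key, seized_index = sender.chain_key, sender.index

    past: Dict[int, Optional[bytes]] = {}
    for idx, ct in transcript:
        key = key_from_state(seized_chain_key, seized_index, idx)
        past[idx] = None if key is None else keystream_xor(key, idx, ct)

    # The seized state does cover messages sent from now on: forward secrecy protects the
    # past, not the future, which is exactly the limit the comment describes.
    idx4, ct4 = sender.encrypt(b"fourth message")
    future = keystream_xor(key_from_state(seized_chain_key, seized_index, idx4), idx4, ct4)

    return {"received": received, "past_from_seized_state": past, "future_from_seized_state": future}


def static_key_demo(long_term_key: bytes = b"\x02" * 32) -> List[bytes]:
    """PGP-style contrast: one long-lived key, so whoever obtains it later reads every stored message."""
    transcript = [keystream_xor(long_term_key, i, m) for i, m in enumerate(MESSAGES)]
    return [keystream_xor(long_term_key, i, ct) for i, ct in enumerate(transcript)]


if __name__ == "__main__":
    result = ratchet_demo()
    print("receiver read:", result["received"])
    print("past messages from seized state:", result["past_from_seized_state"])  # all None
    print("future message from seized state:", result["future_from_seized_state"])
    print("static key, everything recovered:", static_key_demo())
```

Run it directly to see the two outcomes side by side: the lockstep receiver reads all three messages, the seized ratchet state yields nothing for indices 0 to 2 but does decrypt the fourth message, and the static long-term key recovers the whole transcript. Real messengers add a Diffie-Hellman ratchet on top so that even the future is re-keyed once the parties exchange fresh public values; this toy shows only the symmetric chain that makes past keys unrecoverable.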

    8. Re: End-to-end encryption by Maritz · · Score: 2

      Oh, they won't. They won't.

      I don't give a fuck either way, but in terms of making a point, you've been refuted.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  6. UK import grade cryptography by sinij · · Score: 5, Insightful

    This will lead to "UK import grade cryptography", where the rest of the world will have security, and the UK will have the back doors they wanted so badly. Plus, thanks to Brexit it isn't like they are that big of a market.

    Here comes UK_1DES and Dual_UK_DRBG.

    1. Re:UK import grade cryptography by TheGratefulNet · · Score: 2

      and China and Russia and probably all of the Islamic countries, plus let's not forget Best Korea (grin).

      there are a lot that feel it's their right to snoop on other people's comms.

      personally, I think this is a right that all people have, to comm in private and with NO one spying. period. full stop. the ends never justify this. I know I'm extreme on this but better this extreme than middle or moderate on the other way.

      I used to travel to the UK regularly. I have not been in well over 15 years and have no plans to ever visit the UK again. sad, as it was a nice place, once (at least to a visitor). now, I'd avoid going there unless 100% necessary. and so far, no travel has ever come up to be 100% necessary.

      --
      "It is now safe to switch off your computer."
    2. Re:UK import grade cryptography by Archtech · · Score: 2

      I used to travel to the UK regularly. I have not been in well over 15 years and have no plans to ever visit the UK again. sad, as it was a nice place, once (at least to a visitor). now, I'd avoid going there unless 100% necessary. and so far, no travel has ever come up to be 100% necessary.

      That's funny - in a sad way - because I live in Britain and I feel exactly the same way about going to the USA. In the 1930s my parents - both teachers of French and German - used to visit Germany regularly every summer. I'm not as brave as they were - or perhaps I have benefit of hindsight.

      --
      I am sure that there are many other solipsists out there.
    3. Re:UK import grade cryptography by product_bucket · · Score: 3, Informative

      It's already here: Enter the CESG's very own MIKEY SAKKE: http://www.theregister.co.uk/2016/02/04/gchq_voice_encryption/

      UK Government-approved(TM) encryption. The backdoor isn't a backdoor, because the Gov says it isn't.

      Here https://www.ncsc.gov.uk/articles/development-mikey-sakke is the take from the National Cyber Security Centre.

  7. Of course by 101percent · · Score: 2

    It's gonna be perfectly legal for Amazon to sell you that DRM encrypted book that you cannot decrypt.

    1. Re:Of course by Anonymous Coward · · Score: 3, Insightful

      You mean like Apple DRM that locks you out of your legal audio library after an OS update until you authenticate yourself again via apple.com? How about Steam DRM, Sony DRM, Microsoft DRM, Adobe DRM, Oracle DRM, IBM DRM? Fsckwit. Let's add Samsung, LG and Sony HDTVs that call home as soon as you turn them on and disable network functionality when the mothership cannot be contacted. And you're worried about a trivial DRM in text files that has been breakable for years? Dumbass.

      Circumventing DRM is illegal and has been since the 90s - all hail the USA and their mighty dollar that tells lapdog countries like those in Europe what laws they have to implement.

  8. Re:Could be fun by JimMcc · · Score: 5, Insightful

    Right. Because companies abandoned China in droves because of their evil policies.

    Oh, wait. No they didn't. Every man and their dog wants to move in to the massively growing and profitable market of China.

    The UK is the same deal. It's a massive financial and tech hub, so companies aren't going anywhere.

    Though they ARE busy trying to wreck that with the Brexit.

    The population of China is roughly 1.4 billion people. The population of England is 0.053 billion. England has 4% of the population of China. Tech companies care a lot more about the marketplace of China than they do about England.

    So that leaves the "massive financial and tech hub" you describe in England. How many financial companies are going to want to maintain, never mind expand, their presence in a country which is allowed to actively monitor their most secure communications? If I were CEO of a global financial company I would be very concerned about the backlash from my customers if my company were to remain in such a country.

  9. Redundant verbiage excised by Archtech · · Score: 3, Insightful

    "At the end of the day, will the U.K. security services be able to read your email, your messages, your posts and private tweets, and your communications if they believe you pose a threat to national security? Yes, they will".

    At the end of the day, will the U.K. security services be able to read your email, your messages, your posts and private tweets, and your communications if they feel like it? Yes, they will.

    FTFY.

    --
    I am sure that there are many other solipsists out there.
  10. And yet once again, they'll learn. by laughingcoyote · · Score: 4, Insightful

    You can't put a back door in something, and only have certain people able to walk through it. If there's a vulnerability in the encryption that can be used to crack it by the service provider, someone else can do the same.

    If this were implemented in the UK, it would totally kill Web commerce there. Who's going to put financial details across the Internet when it's as good as sent unencrypted? And if actual encryption is permitted for that purpose, well, then it can be used for any other purpose too.

    I don't know why it's so difficult to understand. If you deliberately make something insecure, then it is, by definition, insecure. If it's designed to be secure, then even the designer can't break in, because if they can, someone else could do the same.

    --
    To fight the war on terror, stop being afraid.
    1. Re:And yet once again, they'll learn. by Anonymous Coward · · Score: 2, Interesting

      You can guarantee the industry will respond by pushing the blame onto customers as far and as fast as possible. Once you've got a security weakness in there that you *cannot legally fix* there's basically no other way for companies to respond. Sure, mandate that we all have to make a copy of our keys and leave them with the gubmint - I can guarantee they'll refuse to be held responsible when China or Russia steals ALL of them. That's your problem.

      Fuck it, just take all the security off and we can laugh as the whole UK economy goes down in a fireball.
      I hope these politicians are moving their finances off-shore because they won't be able to live in the world they're creating.

  11. What are the implications on encryption? by serutan · · Score: 2

    Does this law mean a UK user could get thrown in jail for using an encryption scheme for which the government has no backdoor access?

    1. Re:What are the implications on encryption? by Anonymous Coward · · Score: 3, Informative

      Does this law mean a UK user could get thrown in jail for using an encryption scheme for which the government has no backdoor access?

      Yes, section 49 of Part III of the Regulation of Investigatory Powers Act compels the operator of said encryption to hand over the keys or face prison.

    2. Re:What are the implications on encryption? by HiThere · · Score: 2

      Anonymously send someone some random binary data. Prosecution win.

      --
      I think we've pushed this "anyone can grow up to be president" thing too far.
  12. Re:Could be fun by Anonymous Coward · · Score: 3, Insightful

    It's the whole UK you need to consider, not just England, you geographically-challenged clod.
    But yes, AFAIK a not inconsiderable number of the financial institutions HQ'd in London have made and are beginning to act on plans to leave the UK for (likely) Paris. The City of London (i.e. the tiny bit full of the worst of the wankers) is stuffed full of them and they're all going to bugger off, likely reducing property prices there and as any semblance of financial recovery in the UK is based on a property boom that couldn't be sustained for much longer anyway, it'll boot the UK into recession. Again. All because that plank Cameron wanted to appease the swivel-eyed loons in his party. And now the spineless fuck has swanned off.
    And you think you have trouble with President-Elect Tangerine?

  13. Re:Welcome to China by Anonymous Coward · · Score: 2, Informative

    I love Signal. The desktop/mobile platform is easy enough to get most of my friends on it, even non techies. However, I still have plenty of friends who say "I'm not a criminal, I don't need encryption" ... I have failed to convince them otherwise. Also, Signal is easier than encrypted email, just wish e2e email was easier.

  14. Re:It is getting worse everywhere. by anarcobra · · Score: 3, Insightful

    There is a third option.
    Move to a third world country where the government doesn't have the resources to waste on this kind of shit.

  15. One of the issues of this law by cosmin_c · · Score: 2

    ... is that people who adopted it don't really understand how things work. The moment one installs a backdoor into a program, that can be found and accessed by anyone. And usually the people looking for those are either working for security companies (in which case it isn't that much of a problem, provided those people's ethics are intact) or not - and it's the latter that carries some issues with it.

    I can understand the concern for security, however this exposes everybody, not only people with malicious intent, and it can have effects that ripple beyond getting law enforcement new tools. It can put everybody's data at risk and this means everybody, from large corporations who are using backdoored software to individuals trying to protect their naughty (or not) private pictures.

    I suppose it all boils down to stopping usage of the cloud, storing everything locally with drawer HD and/or optical medium backups, middle fingering iCloud, Dropbox, Google Drive, OneDrive and so on. Losing convenience over gaining safety and security is one way of dealing with the whole issue.

    As for browsing histories and what not, I don't really think people who wish to do harm are googling incriminating stuff or accessing suspect websites, so it's all looking rather pointless. Then again, people give up their data rather easily e.g. to Google for convenience, so the issue lies with educating people. I fear though that when it will become apparent to everybody, it will be too late. People don't realise it now, in the 11th hour, albeit there are strong warnings out there - https://en.wikipedia.org/wiki/...