Encryption Backdoor Sneaks Into UK Law

Coisiche found a disturbing article from The Register about the U.K.'s new "Snoopers' Charter" law that has implications for tech companies around the world: Among the many unpleasant things in the Investigatory Powers Act that was officially signed into law this week, one that has not gained as much attention is the apparent ability for the U.K. government to undermine encryption and demand surveillance backdoors... As per the final wording of the law, comms providers on the receiving end of a "technical capacity notice" will be obliged to do various things on demand for government snoops -- such as disclosing details of any system upgrades and removing "electronic protection" on encrypted communications. Thus, by "technical capability," the government really means backdoors and deliberate security weaknesses so citizens' encrypted online activities can be intercepted, deciphered and monitored... At the end of the day, will the U.K. security services be able to read your email, your messages, your posts and private tweets, and your communications if they believe you pose a threat to national security? Yes, they will.
The bill added the Secretaries of State as a required signatory to the "technical capacity" notices, which "introduces a minor choke-point and a degree of accountability." But the article argues the law ultimately anticipates the breaking of encryption, and without customer notification. "The U.K. government can certainly insist that a company not based in the U.K. carry out its orders -- that situation is specifically included in the new law -- but as to whether it can realistically impose such a requirement, well, that will come down to how far those companies are willing to push back and how much they are willing to walk away from the U.K. market."

They never learn

[volodymyrbiryuk]

These backdoors will be exploited by criminals. Hopefully IT companies won't comply to this madness.

Re:They never learn

[mSparks43]

You mean someone other than the people who work in the uk government, like that bunch of criminals isnt enough?

More importantly I suspect this will quite quickly drive many large businesses out of London. Those companies rely on their secrets, the prospect of any bored intern "with their heart in the right place" being able to send their every dirty secret to the daily mail almost certainly will gaurantee those already concerned by brexit relocate their offices sharpish.

Opportunity Cost + Retirement Fund

[BoRegardless]

The government wants back doors on demand, but sooner or later a government worker will see the opportunity to sell the details ...

And he then retires.

For added fun.

[queazocotal]

The term used 'relevant provider' - if you dig through the definitions is only defined as 'a person who provides a postal or telecommunications service' - which is broad enough to cover basically anything from someone running a wifi hotspot on to a massive ISP.
It can also plausibly be read as software vendors - including open source ones resident in the UK (or for who it is considered reasonable to compel even though they are outside the uk).
This is UK primary legislation - it has theoretically been scrutinised by both houses of parliament.
The actual enabling secondary legislation - that specifies how all this works and lets us understand how bad it is will just go through on the nod.

End-to-end encryption

[PPH]

You can badger my comms provider all you want. They don't have access to my keys or software.

Re:End-to-end encryption

[johanw]

That may work in a pgp-like setup but is completely useless when dealing with perfect forward secrecy like Signal uses. I don't HAVE the key for the past messages anymore, and if I deleted the messages NOONE can decrypt them anymore.

UK import grade cryptography

[sinij]

This will lead to "UK import grade cryptography", where the rest of the world will have security, and UK will have back doors they wanted so badly. Plus, thanks to Brexit it isn't like they are that big of a market.

Here comes UK_1DES and Dual_UK_DRBG.

Re:Could be fun

[JimMcc]

Right. Because companies abandoned China in droves because of their evil policies.

Oh, wait. No their didn't. Every man and their dog wants to move in to the massively growing and profitable market of China.

The UK is the same deal. It's a massive financial and tech hub, so companies aren't going anywhere.

Though they ARE busy trying to wreck that with the Brexit.

The population of China is roughly 1.4 billion people. The population of England is 0.053 billion. England has 4% of the population of China. Tech companies care a lot more about the marketplace of China than they do about England.

So that leaves the "massive financial and tech hub" you describe in England. How many financial companies are going to want to maintain, never mind expand, their presence in a country which is allowed to actively monitor their most secure communications? If I were CEO of a global financial company I would be very concerned about the backlash from my customers if my company were to remain in such a country.

And yet once again, they'll learn.

[laughingcoyote]

You can't put a back door in something, and only have certain people able to walk through it. If there's a vulnerability in the encryption that can be used to crack it by the service provider, someone else can do the same.

If this were implemented in the UK, it would totally kill Web commerce there. Who's going to put financial details across the Internet when it's as good as sent unencrypted? And if actual encryption is permitted for that purpose, well, then it can be used for any other purpose too.

I don't know why it's so difficult to understand. If you deliberately make something insecure, then it is, by definition, insecure. If it's designed to be secure, then even the designer can't break in, because if they can, someone else could do the same.