Slashdot Mirror


UK Drafts Crypto Bill

np-complete writes "The UK Guardian has an article here giving details of the government's proposed new crypto laws. The draft bill includes provision for decryption notices to be served on companies, and also allows for a prison sentence of up to two years for tipping people off that their communications are being monitored. (Site may need free registration if their guest login doesn't work)." Gosh, perhaps the Brits and the FBI have been talking. *sigh*

71 comments

  1. Ali Baba by Anonymous Coward · · Score: 0

    cypherdaemon
    cypherdaemon

  2. Try Freedom by ZKS by Anonymous Coward · · Score: 0

    If you're interested in anonymous remailers, take a look at "Freedom" by Zero Knowledge Systems. They're based in Canada, so they're not bound by US crypto export schemes.

    Their technology is pretty complicated, but I'm beta-testing it and it seems to work fairly well. The upshot is that my internet communications are outrageously secure (but ONLY when I use Freedom, which I'm not using right now).

    It does slow down surfing etc. a bit, but it might be worth it if you're thinking about anon remailers; it even has provisions for defeating traffic analysis, and does full-fledged cookie management, so I can browse "cookified" sites without revealing my genuine identity. The system is also built to support multiple false identities per user.

    The URL is http://www.zeroknowledge.com

  3. Re:Completely Useless by Anonymous Coward · · Score: 0

    I certainly hope they *won't* be the only ones who use crypto if it's outlawed.

    I really don't understand why they hate crypto so much....they let us use envelopes on letters for crying out loud !!!

  4. Nosy buggers... by Anonymous Coward · · Score: 0

    ... they won't let you read the article without enabling cookies. Screw them.

    1. Re:Nosy buggers... by Anonymous Coward · · Score: 0

      Well that's an easy one to subvert. Just strip out your cookie file and write protect it. Opera allows you to disable cookies but this prevents access to certain sites, so use this method instead.

  5. You actually read moderators' scores? by Anonymous Coward · · Score: 0

    You're just confusing yourself unnecessarily.

  6. Problem with PGP and GPG by Anonymous Coward · · Score: 0

    The problem I have found with PGP and GPG is that not all clients support it correctly. If you send PGP messages from say mutt to an Outlook user (the corporate standard whether we like it or not) then it shows as an attachment and they can't use it properly. Aside from that GPG has no windows version. I wanted our org. to roll out PGP across the board but the interoperability issues were too much of a mountain to get over for a sales force that was only partially interested (mostly in protecting themselves from the emails where they really say what they think!) and I'd rather no PGP than force everyone to use the same client s/ware...particularly the techs on Linux/BSD/whatever etc.

    1. Re:Problem with PGP and GPG by PigleT · · Score: 1

      Erm... FWIW I thought there was a windoze version :)
      It's not as though I'd want to use it, being a (predictable) linux chap, but I understand it exists, albeit alpha-ware :)

      Mutt is also configurable - or if you have an external editor like vim/vi/emacs you can always pipe the entire document through pgp -at or the equivalent gpg command...

      Otherwise, I think there might be a learning curve getting all these windoze weenies onto FreeBSD :8]

      ~Tim
      --
      ~Tim
      --
      .|` Clouds cross the black moonlight,
      Rushing on down to the circle of the turn
  7. How about some form of Two-Key encryption? by Anonymous Coward · · Score: 0

    Would it be possible to do this:

    1) Take 2 messages. One says "Hi John! How are you? Loved the party last night." and the second one says "We can provide the plutonium for $100,000,000."

    2) Encrypt them such that decrypting the message with one private key gives message 1 and decrypting with another private key gives message 2.

    3) Decrypt the message with key 2, which ideally you keep somewhere else or encrypted a couple of times.

    4) When law enforcement comes knocking and demands that you decrypt the message, you use key 1, showing a harmless message about a party.

    1. Re:How about some form of Two-Key encryption? by jd · · Score: 2

      Certainly. Just type out a second message, that is exactly the same length as the encrypted message, then XOR the two together. The result will be a key which, when applied to the encrypted message, will generate your second message.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    2. Re:How about some form of Two-Key encryption? by rastan · · Score: 1

      You are proposing a one-time-pad. But this only works if the key (your first message) is completely random. Otherwise, it is *very* easy to break.

      --
      Understanding is a three-edged sword. --Kosh
    3. Re:How about some form of Two-Key encryption? by Stonehand · · Score: 1

      If your (true) algorithm doesn't change the byte count, you *could* claim you were using an OTP, and have the suitable key already prepared...

      --
      Only the dead have seen the end of war.
  8. Re:I Blame The Yanks by Anonymous Coward · · Score: 0

    Too late for nukes - we would have had to do that back in the '50's before M.A.D.

    There's still time for biological warfare, but that might adversely affect Canada, who are comparatively blameless.

    Besides, we all know that weapons of mass-destruction aren't the answer - they'll only increase popular support for the leadership. The real answer is an army of robots who look like Snoopy.

  9. Re:"Freedom" in the UK by Anonymous Coward · · Score: 0

    Funny, I thought the US president was the only one with real power. Tony can shout all he wants, but if his party's MPs refuse to back him, he's dead.

  10. Hogwash by Anonymous Coward · · Score: 0

    Computer files are the least of the evidence you'll leave when committing a crime. Despite that strong encryption in the form of PGP has been around for years, you will not find even one law enforcement agency that will tell you that they were not able to convict someone of a crime because that person was using encryption to protect his computer files. A lot of evidence would be required anyway, in order to get a warrant for your computer and files.

    The only reason the assorted lawmakers don't like encryption is because widespread encryption usage would prevent the NSA from reading everyone's E-Mail. That would mean no more useful leaks to US Businesses and that would simply not be acceptable.

    1. Re:Hogwash by Steve+B · · Score: 1
      Well, a few weeks back there was a story in Swedish newspapers about someone convicted for economical crimes.

      What the devil is an "economical crime"? Is that one where the crook gets his ski mask and gloves at a thrift store?
      /.

      --
      /. If the government wants us to respect the law, it should set a better example.
    2. Re:Hogwash by sita · · Score: 1

      you will not find even one law enforcement agency that will tell you that they were not able to convict someone of a crime because that person was using encryption to protect his computer files

      Well, a few weeks back there was a story in Swedish newspapers about someone convicted for economical crimes. His computer contained encrypted files that the attorneys suspected contained further incriminating evidence (from the file names etc) but as they were unable to decrypt the documents he got the computer back and could safely destroy all evidence (if that was what it was).

  11. Re:This kind of thing is already covered by US law by Anonymous Coward · · Score: 0

    There is a *huge* difference between being required to turn over your own key as part of an official criminal investigation, and being forced to turn over someone else's key. The "key" word (hehe) here is "abuse": if the government is intruding on your secrets, you might actually resist and insist on the government convincing an independent person (i.e., a judge) that this intrusion is warranted. This makes use of this procedure expensive and unpleasant enough for the government to limit cases to where it is really justified. On the other hand, will a third party worry about protecting your key? Heck no. The government could probably issue a list of a thousand keys they want from a database, for all we know, and get instant access.

    If you don't believe this, read http://www.apbonline.com/safestreets/1999/05/28/online0528_01.html.

  12. Natedawg's a muva.... by Anonymous Coward · · Score: 0

    The United Kingdom does not have the same democratic checks that the United States has.

    As a result, the United States seems to have worked out a deal with the UK to experiment with some law enforcement practices that are not yet legal here. In the meantime, US law enforcement agencies lobby heavily in Congress to gain more control over a ubiquitous communications medium that the public does not yet understand.

    The US and UK governments both know that if they can achieve gains now (while the public is ignorant as to the consequences of governmental actions) it can have unprecedented control power.

    This is not a paranoid vision.

    There have been several security related articles posted here in the past few weeks and in all of them the government scores points, and the people are way behind.

    Natedawg pushes the full court press. Quit playing with your voodoo card and code for the revolution! I'm trying to do something. Why don't you help out?

  13. Re:Big breakfast by Anonymous Coward · · Score: 0

    Too bad you all willingly gave him your guns. Bet one madman in Scotland doesn't look quite so dangerous any more.

  14. I Blame The Yanks by Anonymous Coward · · Score: 1

    This is actually a US conspiracy to take over the UK, and therefore the civilised world. France! China! Russia! Unite! Let's nuke the bastards now!

  15. The real reason the NSA exists... by Anonymous Coward · · Score: 1

    The NSA can monitor all the world's communications, it's true. But you guys don't know the REAL reason they exist. I will tell you now. It's porn, pure and simple. There are hundreds of gigabytes of porn transferred every day and the founder of the NSA must have been some visionary genius who decided to index them ALL. So all that computer and storage equipment they have, they just SAY they're monitoring mail but we all know better now. They're tracking and indexing porn.

  16. Re:Other UK privacy stuff by phil+reed · · Score: 1

    In all likelihood, the parts about "not disclosing that somebody is being monitored" would extend to Echelon as well, which would make it illegal to publish info on Echelon or similar efforts.


    ...phil

    --

    ...phil
    "For a list of the ways which technology has failed to improve our quality of life, press 3."
  17. Re:BBC sez... by ntk · · Score: 1

    HTML(ish) version at
    http://www.ntk.net/ecbill/.

    d.

  18. Re:Other UK privacy stuff by Zemran · · Score: 1

    The UK/US governments have been monitoring all telephone traffic (not just that going to Eire) for years. The listening station (the golf ball farm) at Harrogate was supposedly set up because of the cold war, yet it is still operating and guarded by military. The most ridiculous part of that place was when the locals tried to make it a listed building. They couldn't because it didn't exist.

    I don't see this new act working in court even if it does get through parliament.

    --
    I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
  19. Offence or Defence? by Crass+Spektakel · · Score: 1

    Looks like the governments of the English-speaking world finally went nuts?

    Ok, fine for me, continental Europe has in general very liberal law on encryption and this will create thousands of new jobs here.

    We could discuss the word "liberal": the German ministry of inner security called "breaking encryption an act of aggression, encryption itself an act of defense."
    This coincidentally goes along with a discussion about growing activity in spying on science and industrial secrets in Germany, namely by the USA and the UK and most times even by "official" secret services.

    You think that can't be a big problem?

    You are wrong! The known cases of stolen knowledge by the USA and the UK sum up to 30 Billion Dollars EACH YEAR. Makes some Chinese bluecopies of Uncle Sam's latest kill-o-zap look quite inexpensive :-)=

    Some interesting laws are coming in Germany this year and I expect encryption to become a MUST, not a MUST NOT in several cases.

    --
    "Life is short and in most cases it ends with death." Sir Sinclair
  20. Re:"Freedom" in the UK by madprof · · Score: 1

    Re: power wielded
    I didn't notice much power wielded by John Major in his (eventual) minority government before the 97 election. Ah well.

    Re: bill
    The bill should die. I fear it will not as MPs are not technically savvy enough to work out that it stinks.

  21. Re:not Escrow again by Ed+Avis · · Score: 1

    What you need is an encryption system that can insert random rubbish into the encrypted output. For example, if I encrypt a 100KB file, the output will be around 200KB, of which half is rubbish. The rubbish is stripped out when decrypting, but without decrypting, you can't tell what is rubbish and what isn't.

    The next stage is to have two different files, encrypted into the same output with two different keys. So I could have one 100KB file containing secret information, and a 100KB dummy file. The encrypted output contains both; but which you get depends on what key you use. To somebody who knows only one of the keys, it would appear that the output contains one file and 100KB of rubbish. There is no difference to tell what is rubbish and what might actually be encrypted data, unless you know all the keys.

    Then, when the police ask you to hand over your keys, give them the key that produces the dummy file. You can just claim that the other 100KB of encrypted data is rubbish. If your encryption software routinely pads out files with 50% rubbish, such a claim would be believable.

    --
    -- Ed Avis ed@membled.com
  22. Re:not Escrow again by Ed+Avis · · Score: 1

    But if you had two keys, one producing the real message and one a fake, then law enforcement could make you reveal both.

    The idea of rubbish is needed so that you can convincingly claim that there is no other data in the message, and no other key.

    --
    -- Ed Avis ed@membled.com
  23. Re:"Freedom" in the UK by SimonK · · Score: 1

    In the UK you are a SUBJECT of the state not a citizen



    You're confusing the issue. You could abolish the monarchy, replace it with an elected (but powerless) presidency (like Italy's), and start calling each other Citizen and yelling "civis britannicus sum" tomorrow, but unless you changed the parliamentary system as well, the PM would keep all his powers.


  24. Just say 'no'. by Oneflower · · Score: 1

    What's wrong with this scenario? (apart from the jailtime, of course):

    Cop: Give us your encryption key.

    You: No.

    Cop: Right, you're under arrest. You have the
    right to remain silent, etc. etc.

    You: Okay, I'm remaining silent.

    Now since your key is in your head (you
    *didn't* write it down did you?) the police
    are stymied.

  25. Re:Completely Useless by EnglishTim · · Score: 1

    What it means is that everybody is free to use decryption, but if the police wish to read one of your encrypted messages, they can get a warrant that will require you to hand over your key. Presumably non-compliance would put you in contempt of court and you might end up in jail.

    However, if you're using encryption to cover up something that would get you a very long jail term anyway, you might as well just destroy your key and put up with a smaller term for contempt of court.

  26. Re:Big breakfast by ralphclark · · Score: 1

    Too bad you all willingly gave him your guns. Bet one madman in Scotland doesn't look quite so dangerous any more.

    What an idiotic remark! What good would guns be against the Home Secretary or the Prime Minister?

    There were never enough guns floating around in the UK for a rebellious population to outgun the police, let alone the army. And the UK police are hardly bristling with firepower. Anyway, that's just not the way we do things here. We just hurl bricks and bottles. It's much friendlier that way.

    If you imagine that the laws allowing US citizens to bear arms are a significant factor holding your own government in check, you're probably indulging in pure fantasy. Your own police forces and National Guard are probably better armed than the rest of you are. And the US government has tanks and F-15's. I don't suppose they'd be that shy about using deadly force against you when you're shooting at them.

    I support the UK Govt's action to restrict private ownership of handguns. It might not disarm all the criminals but it sure does reduce the number of madmen armed with automatic or semi-automatic weapons.

    As a father of two small children I was deeply affected by the Dunblane massacre. I would have felt the same if the incident had taken place in your own country (though to me the mass shooting of twenty innocent infants is a thousand times worse than the shooting of twenty adolescents).

    If you are the sort of person who thinks that the right to strut around feeling self-important with a gun is worth a tragedy on the scale of Dunblane then you are a senseless and selfish shit who doesn't deserve to live. In my opinion.


    Consciousness is not what it thinks it is
    Thought exists only as an abstraction

  27. Re:Steganography by um...+Lucas · · Score: 1

    That's exactly what was implied. It takes a much larger GIF or MP3 to cloak insert a text file into rather than just encrypting the text and sending that. Say you want to send a 10KB document. You'd need to mask it within 90KB of other info. Therefore, you need higher sustained bandwidth if you do this regularly.

  28. Re:Completely Useless by theJeff · · Score: 1

    I don't think self-incrimination applies. This would seem to fall more under laws dealing with documents than with speech. They can't legally make you talk, but they can make you turn over any relevant documents (with the appropriate warrants, subpoenas etc).
    This doesn't bother me. If they have to come to me with legal authority then I can defend myself. It's when they can access/monitor anything without my knowledge or consent that I object.

  29. The Good, The Bad by AmirS · · Score: 2

    Good:
    They've realised that key escrow _will not work_ and is very, very bad for e-commerce. People need to be able to transact knowing their financial details are not available without their explicit consent.
    Requiring people to hand decryption keys over when required (by secretary of state etc.) as part of a legitimate criminal investigation is also ok, the government needs to be able to get evidence against criminals to prosecute them. We can also (just about) trust the government not to mis-use any small pieces of information they gain in this way, with the knowledge of the recipient (as opposed to being able to decrypt everything without the correspondent's knowledge, as key escrow allows).

    The Bad:
    Asking people to voluntarily hand keys in for escrow is just a bad idea, no criminals will hand in their keys, and is just a potential security hole for anyone using encryption.
    The heavy handed measures for informants and complaints etc, seems totally unjustified and way, way over the top. If I feel the government had no reason to get my decryption key from me, I expect to be able to receive fair treatment when lodging a complaint, and expect a thorough investigation. There must be checks to stop law enforcement agencies abusing their powers, as they all seem so keen to do.

  30. Re:Completely Useless by Mindwarp · · Score: 1

    Unfortunately this seems to suggest that 'innocent until proven guilty' now doesn't count for anything.

    --
    The gift of death metal does not smile on the good looking.
  31. Enough is enough by Randy+Rathbun · · Score: 1
    Ya know, the more I read about this stuff, the sadder it makes me.

    I think the thing all of us need to do is say a big F.U. and start encrypting EVERYTHING we send - not just big important messages... I mean everything. Get your friends involved. Send everything via PGP as ascii plaintext. It has a really nice advertisement at the bottom for the PGP freeware.

    This will get more and more folks to at least see it. The whole process is so stinking simple: Get it, use it. Nothing is hard about that at all!

    Let's all quit whining about government intrusion into our privacy and do something about it.



    Mister programmer
    I got my hammer
    Gonna smash my smash my radio

    1. Re:Enough is enough by PigleT · · Score: 1

      Even better still... why bother with PGP with all its commercial connotations and export problems, when you can do much the same things with GnuPG without export restriction (no IDEA or RSA)?

      (It doesn't support all the key formats of PGP but things generated in GnuPG can be imported into PGP with no problem...)

      Otherwise I agree entirely. Everyone should use ssh, gnupg/pgp-according-to-taste; I also like the idea further down this thread concerning double-encrypting things so you can say you've decrypted it and it is an encrypted file. The alternative is to get the government to back off the 1-level encrypted file as a valid format anyway...

      ~Tim, GnuPG and PGP keys on website :)

      ~Tim
      --
      ~Tim
      --
      .|` Clouds cross the black moonlight,
      Rushing on down to the circle of the turn
  32. Re:Steganography by Swamp · · Score: 1

    Problem with steganography is that you need a channel with at least an order of magnitude higher sustained bandwidth than the secure channel you want to hide.

    How about images, video or mp3s as cover for plain text? Sounds reasonable to me.

  33. Re:Tip off crime? by richw · · Score: 1

    All the ones I knew have shut down. There may be some out there but I wouldn't rely on them!

  34. Re:Escrow again by richw · · Score: 1

    I don't think they are going to enforce key escrow. As I understand it the select committee said key escrow was unworkable so it was taken out of the bill.

  35. Re:"Freedom" in the UK by richw · · Score: 1

    I've been a moderator at times and I'm in the UK. I think the moderators are selected randomly from slashdot readers with above a minimum amount of page views or something. This seems fair.

    Personally, I like the moderation system. Although it's by no means perfect it has improved slashdot and is better than any other system I've seen at other sites.

    The main problem I have is messages being moderated down for being off-topic. For instance, this message is off-topic compared to the headline article but is a reply to your post and is relevant to that. I often see these type of posts moderated down.

    BTW I notice several posts have been moderated up now :-) We're being watched!

  36. Re:"Freedom" in the UK by richw · · Score: 2

    The UK has always had a poor record with regard to individual freedom. We do not have a constitution and the Freedom of Information act about to be implemented is pretty much a joke.

    Unfortunately, probably because UK governments have historically been fairly careful about wielding their totalitarian powers, there is little concern in the UK about these issues.

    As to the quote about lecturing the US on freedom - I didn't know we had been.

  37. Big breakfast by artg · · Score: 1

    Blair spent a whole breakfast-time conference worrying about this issue?
    Wow, he must take security and personal liberty really seriously ...

  38. Explain this, please? by blahedo · · Score: 1

    Something I didn't quite get while reading the article---it made it sound as if the offence was not (e.g.) someone walking into an office and saying, ``Hey, you're being bugged'', it was someone going to the public and saying, ``Hey, my company is being bugged''. Which is even scarier, really. Particularly the fact that any sort of complaint could result in a two-year jail sentence, without a proper trial. (Of course, my ideas of what comprises a ``proper trial'' are shaped by the fact I live in the US; but I'm guessing that ``excluding the complainant from attending and issuing orders to keep secret the evidence on national security grounds'' is not exactly the usual procedure in the UK, either.)

    This really does sound like something out of a dystopian novel. Even worse than some of the stuff the US has been pulling lately. I should hope it gets resolved quickly (and correctly!)... it looks like there are at least a few MPs on the right track. Does anyone know what the approximate likelihood of this passing is? (The article seemed to indicate that it hadn't come up for a vote yet.)

    --
    ``This, too, shall pass.'' ---Eastern proverb
  39. BBC sez... by blahedo · · Score: 1

    Here's the BBC article on the bill. It also provides a link to a copy of the actual draft bill.

    --
    ``This, too, shall pass.'' ---Eastern proverb
  40. Tip off crime? by chris.bitmead · · Score: 1

    Legislation gets madder and madder.

    Surely if someone is being monitored, all I have to do is go up to them and say, you are NOT being monitored. (wink wink). No, of course you're not being monitored. (wink wink).

    Do anonymous mailers still exist BTW?

    As for requiring companies to disclose crypto stuff, I would imagine a company could defeat this by getting all their employees to generate their own private keys and take personal responsibility for keeping their own key private.

    1. Re:Tip off crime? by barleyguy · · Score: 1

      When it comes right down to it, this is a blatant violation of free speech. You are allowed to tip off your friends. Free speech does not imply that you have to be on the government's side. Guck the Fovernment. Anyhow...

      --
      --- "So THAT's what an invisible barrier looks like!" - Time Bandits
  41. Re:"Freedom" in the UK by jonathanclark · · Score: 1

    From my understanding of ITAR (the base set of regulations on munitions and cryptography products agreed to by most countries), it is always legal to import a product assuming the export is legal from the parent country (at least for cryptography products). This means if you can legally export something from the UK, then you can legally import it in the US. The problem here is that many products originate in the US and cannot be legally exported (except to Canada). So it is also illegal to import them elsewhere, because the export would have occurred through illegal, though trivial, means.

    On a totally different subject, I found out yesterday that a "crypologist" is a person who studies unknown animals, like bigfoot, lochness, etc. From this I take it "crypt" is the Latin root for the unknown, and graphy is the practices/art of something? So cryptography really means "the art of the unknown." Sounds like some kind of cult activity. :)

  42. Encryption = Guns by leereyno · · Score: 1

    Similar arguments against gun ownership are put up by the gun control crowd. It's the same exact situation. Encryption and guns are both sources of power. A democracy is supposed to be based off the idea that the people hold the power and the government derives its power from them. Attempts to limit or nullify the power of the people are sure signs that the kinds of people who would like to destroy our liberty are hard at work. I think it's fitting that encryption technology is considered a "munition" because in some ways that is exactly what it is.

    Lee

    --
    Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
  43. not Escrow again by raykt · · Score: 1

    no, as the previous reply said, escrow is unworkable. this merely makes it a criminal offence to not 'disclose the key which would make the message intelligible' to enforcement officers.

    I'm sorry officer, I can't give you the key since the message is in plain text and is a paper on superstring theory; the only way it could be intelligible to you is if you studied rather more math... ;-)

    ray

    1. Re:not Escrow again by cakes · · Score: 1

      How about encrypting twice, then you could happily decrypt it for them and make it intelligible. They would find a still encrypted message was less than useful to them. It is intelligible as an encrypted message...

    2. Re:not Escrow again by Rhys+Dyfrgi · · Score: 1

      There is already a (commercial) program out there that can do that. It actually uses two keys, so if you use one key, you get the actual message, but if you use the other key, you get the fake message. No 'rubbish' required (though padding messages is a good security measure no matter what). I believe it used elliptic curves, which is a bit out of style lately. I'm not sure what the company is called.
      ---

      --
      END OF LINE
    3. Re:not Escrow again by np-complete · · Score: 1

      In an even more devious way, you could try using one-time pads. Generate your message you want to keep private, and then generate a message the same length as this which is full of non-private (preferably believable) information. Next generate some high-quality random data (okay, it's not exactly trivial, but there are a number of ways of doing this) so that you have a file of random data the same size as your message. Now, XOR each bit of message data with the random data. This gives you your encrypted message. The random data is your key. To regain your message from the encrypted version, simply XOR with your key again. This will give you your original message, since
      K XOR (K XOR M) = (K XOR K) XOR M = 0 XOR M = M
      (where K is the key, M the message, and (K XOR M) the encrypted message.)
      Now the devious bit. XOR your encrypted message file with your "alternative" message file. This file is your dummy key. If you surrender this key, then the resulting cleartext will be your dummy message, since
      (D XOR (K XOR M)) XOR (K XOR M) = D
      (where D is the dummy message)

      Of course, this isn't very useful for transmitting information, since it's secret-key based, and requires a key as large as the file to be encrypted, but it's entertaining for its sheer deviousness :-)

      --
      Can you sum it up in a word? *No.* In a noise? *Whuuuurghhhhh!*
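
The XOR identities in np-complete's comment above, carried through in code. This is an added example, not part of the original thread; the sample messages and function names are constructed for illustration. It also checks that the real key and the derived key XOR to M XOR D.

```python
"""One-time pad: a second key that opens the same ciphertext to a different text."""
import secrets
from typing import Dict

# Constructed sample messages (not from the thread); both are 30 bytes long.
REAL = b"meet at the north gate at 0600"
DUMMY = b"lunch is moved to one o'clock."


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings; a pad must cover every byte."""
    if len(a) != len(b):
        raise ValueError("one-time pad operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(message: bytes, key: bytes) -> bytes:
    """C = K XOR M. Decryption is the same operation: K XOR C = M."""
    return xor_bytes(key, message)


def derive_dummy_key(ciphertext: bytes, dummy: bytes) -> bytes:
    """K' = D XOR C, so that K' XOR C = D (the second identity in the comment)."""
    return xor_bytes(dummy, ciphertext)


def demo() -> Dict[str, bytes]:
    """Encrypt REAL under a random pad, then derive the key that yields DUMMY."""
    # Pad the dummy with spaces if it is shorter; a longer dummy is rejected
    # by xor_bytes because the pad cannot cover it.
    dummy = DUMMY.ljust(len(REAL), b" ")
    key = secrets.token_bytes(len(REAL))      # K: uniformly random pad
    ciphertext = otp_encrypt(REAL, key)       # C = K XOR M
    fake_key = derive_dummy_key(ciphertext, dummy)
    return {
        "ciphertext": ciphertext,
        "with_real_key": xor_bytes(key, ciphertext),        # -> M
        "with_dummy_key": xor_bytes(fake_key, ciphertext),  # -> D
        # K XOR K' = K XOR D XOR K XOR M = M XOR D: the two keys differ by
        # exactly the XOR of the two plaintexts.
        "key_difference": xor_bytes(key, fake_key),
        "message_difference": xor_bytes(REAL, dummy),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>18}: {value!r}")
```

Because K is uniformly random, K' = D XOR K XOR M is uniformly random as well, so the ciphertext alone cannot show which key came first. A one-time pad ciphertext without a MAC or a commitment to the key is consistent with every plaintext of the same length.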
  44. This kind of thing is already covered by US law by Valdrax · · Score: 1

    Notifying someone of a wiretap on them can be considered interfering in an official investigation. That's already established, I believe.

    The other part about making people decrypt stuff is only logical. We currently can issue court orders to make people turn over all relevant documents to an investigation. What's the point if we can't force them to decrypt it?

    "What, turn over all the incriminating data on our company? Sure.. I hope the statute of limitations doesn't run out before you break the 2048-bit encryption on everything."

    Come on. It's not like they're forcing everyone to make them able to break it at any time with or without a court order like with key escrow. This is simply a necessary part of investigating a company or person who encrypts all their data. If you didn't have this, encryption would be a get out of jail free card since you could bury any and all evidence against yourself.

    --
    If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
  45. Escrow again by jpc · · Score: 1

    The article strongly implies that somehow they are going to enforce key escrow. If everyone in your company uses PGP then clearly you will know if your encryption key has been given up, because they will have to ask you for it.

    Hopefully this bill will die soon.

  46. Could such a bill be established in the U.S.?... by Sun+Tzu · · Score: 2

    ...Or, would the self-incrimination exception prevent it, assuming the three branches of government are not all corrupt? Does anyone know of any precedents similar to this sort of intrusion of privacy in America?

  47. "Freedom" in the UK by Jay+Maynard · · Score: 1
    Somehow, I have little trouble believing this in the UK. Some provisions, like the one about tipping others off their communications may be monitored, are too totalitarian to believe. The US is taking some unreasonable provisions in the crypto area...but if this bill were introduced in the US, it'd be shouted down immediately.


    "Any country with an Official Secrets Act has no business lecturing the US on freedom." -- Tom Clancy
    --
    Disinfect the GNU General Public Virus!
    1. Re:"Freedom" in the UK by Simon+Tatham · · Score: 2
      This is consistent. The US allows freedom for its own citizens to use strong encryption but does its (feeble and ineffectual) best to disallow export of that technology to the UK. The UK happily allows me to export my encryption software to the US (except that they can't use it, but never mind, the RSA patent will run out soon...) but might start getting antsy about me using it here.

      Both sides want the US to do better than the UK. From my own country, I question the sanity of this...

      (Incidentally, I find it interesting that the only post scored above 1 when I read this item was one asking whether the same thing could happen in the US. I wonder if the moderators have any interest in the UK at all? Should a thread about UK news possibly be moderated by UK people?)

    2. Re:"Freedom" in the UK by apathetik · · Score: 1

      It's an elective dictatorship in the UK. The prime minister has more powers than any other head of government in the West.

      In the UK you are a SUBJECT of the state not a citizen

    3. Re:"Freedom" in the UK by adam+nealis · · Score: 1

      > In the UK you are a SUBJECT of the state not a citizen

      That's right - we don't have rights, only duties.

    4. Re:"Freedom" in the UK by np-complete · · Score: 1

      Hardly surprising at all... this comes at the insistence of the man who wants to lock up people with severe personality disorders without a proper trial even if they haven't committed a crime. Still, at least we don't have a death penalty... yet.

      --
      Can you sum it up in a word? *No.* In a noise? *Whuuuurghhhhh!*
  48. Steganography by jovlinger · · Score: 2

    is where it's at. "My my," says one spook to the other. "Those companies we're monitoring for leaking sensitive information to the Fijis sure do send each other a lot of landscape pictures". The other spook agrees "But there's nothing wrong with that..."

    Problem with steganography is that you need a channel with at least an order of magnitude higher sustained bandwidth than the secure channel you want to hide.

  49. Completely Useless by Raving+Lunatic · · Score: 1

    ...without mandatory, key-escrow compliance, that is. The only effect this will have is that people will use unbreakable encryption. The odd thing about the whole article was that it seemed to suggest that a "decryption order" would mean that the target data would automagically be decrypted... What the hell?

    Encryption control is all or nothing. And certainly, key escrow means useless encryption. One thing - I'm getting f'n sick and tired of hearing about "pedophiles" and "terrorists". If encryption is banned, outright, they will be the only suckers who still use it!

    1. Re:Completely Useless by Raving+Lunatic · · Score: 1

      Yah see here's where the self-incrimination difference between the UK and the States kicks in. Even so, what can a judge really do, if you say that your key was on a floppy that you destroyed when the pigs walked in (I use floppies like this myself, for certain circumstances, on a box with no swap)?? How can you be held in contempt, if you swear you don't know the key, and can prove you don't have it? The only solution for governments is to ban crypto, outright, and privacy too, while they're at it...

      And also, what about secure, offshore storage? The market for it is certainly going to increase, if this kind of legislative crap keeps up.

    2. Re:Completely Useless by Raving+Lunatic · · Score: 1

      ...and yesterday, when my girlfriend opened her mailbox, she was alarmed to notice that the envelope containing her VISA statement had been opened. As crypto-preventable crime against "law-abiding citizens" (whoever the hell they are) increases, we'll see this sort of legislation get thrown out, by public demand. N.B., the asswipe that opened the VISA statement was probably the postman!

    3. Re:Completely Useless by Stonehand · · Score: 1

      If they really want to, the security services can probably steam open your envelope quite stealthily, and then reseal and send it back on its somewhat-delayed way...

      (Strong) crypto isn't *nearly* as easy for 'em.

      --
      Only the dead have seen the end of war.
  50. Other UK privacy stuff by np-complete · · Score: 1

    This is made even more worrying given that in the last fortnight, details have emerged showing that the UK Ministry of Defence monitored all phone calls and email communications passing from Ireland into or through the UK secretly. The Irish were, understandably, slightly irked at this. On top of that there's the joint UKUSA Echelon system which monitors communications throughout the UK, Europe, and Africa. The EU are, funnily enough, annoyed at this as well. If they gain the ability to serve decryption orders, then the thought police would have a ridiculously scary amount of power.

    --
    Can you sum it up in a word? *No.* In a noise? *Whuuuurghhhhh!*
    1. Re:Other UK privacy stuff by np-complete · · Score: 1

      The main listening station is at Menwith Hill; this is what I was referring to by ECHELON, the existence of which was confirmed recently by a European Commission Report entitled "Assessing the Technologies of Political Control" (though it was initially revealed in an article in the New Statesman in the 80's). Interestingly, Mark Thomas (lefty type comic on C4) has set up a website advertising balloon tours over the site during the summer, with all the required paraphernalia such as parabolic microphones and such...

      --
      Can you sum it up in a word? *No.* In a noise? *Whuuuurghhhhh!*
  51. More On Echelon by rube · · Score: 1

    For those interested, here is a link about the ECHELON Surveillance system that is used by the US, UK, Canada, Australia, & New Zealand (before some Kiwis blew the lid off it).

    http://fly.hiwaay.net/~pspoole/echelon.html