Just To Be Safe, UK Government To Confiscate Cryptographic Keys
from the trust-us,-well-keep-it-secure dept
As new UK regulations come into force, businesses may be compelled to hand over cryptographic keys to the police force. The explanation, surprisingly enough, is that the government needs the keys in order to effectively combat pedophiles, terrorists, and any other public menace that a politician can dream up. Defenders of the actions say there is a difference between handing over the keys and being required to decrypt private data, but it's not clear why the key can't be handed over after the police suspect illicit communication. Besides, a centralized collection of cryptographic keys would be quite the mother lode for cyber-criminals to attack. Even if they're impenetrable from the outside, they'll be hard to protect from an internal attack (e.g. a spy). Should the regulations be executed, the big loser could be the UK, as companies keep important information and keys outside of its borders. As hard as it is to imagine, it seems a regulation designed to keep people safer from predators might actually heighten their risk.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Subscribe: RSS
View by: Time | Thread
wow
wow
wow
This is fucking terrible.
WHO THE FUCK THOUGHT THIS UP, THIS IS THE WORST IDEA I HAVE EVER HEARD.
DUR DUR DUR UD RU.
Jesus fuckign christ on a cracker.
[ link to this | view in chronology ]
Version: PGP Desktop 9.0.6 (Build 6060)
qANQR1DDDQQJAwIOdpcZlLBRJ2DSWQE/hp3MzzU1KGi+94MU9vUVM2mKifsATh01
HvnvCNfHhiDgX3n92C1TJN83C U3v5V+e021QCZqsQaeXacqnJ/wRKmpLaiC41Bbo
lgxG3K2c9VIwzsDx7e2B
=hKZB
-----END PGP MESSAGE-----
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Faulted reasoning
Firstly it an admission that GCHQ/MI5 etc lack the computer capabilities and/or resources to crack everyday crypotgraphy. That means that PGP etc really is pretty good.
Secondly it is, on the face of it quite sensible. It places the responsibility for data with the data owner. Many companies simply can't manage their internal security (hell some can't even manage basic website security) so they place their keys in escrow. The law is designed to pave the way for forcing the accused to get those keys back not tie up police time and resources chasing rainbows.
The requirement is not an a priori arrangement as many people will assume. You don't have to hand over keys for all and any encrypted data you have. It is a measure to be used when a crime is under investigation not an open door to give the police unfettered access to company and private data.
But, it falls down on two points.
It creates a crime of not handing over the keys. There are many legitimate reasons to not have keys. Any good security policy rotates keys on a weekly or daily basis for non retained info. And why would you keep old keys, especially if you are up to no good? Thus it makes no distinction between well intentioned good security policy and suspicious behaviour.
It's based on the investigators assumption. There is no distinction between random noise and encrypted data. If the police come across a block of noise from a random wipe how are they to identify it? They ask the user for the key, and of course there is none, but then a criminal would say that wouldn't they. Thus, again, there is no technical way to differentiate between illegal and legal activity. One is therefore guilty of a crime (refusing to hand over non-existant keys) purely on the basis of an arbitary accusation.
In summary it has the usual effect of making those who are truly criminal but well informed safer (they will rotate and destroy keys for nefarious reasons) while exposing the innocent to greater chance of injustice and abuse.
Now I'll tell you, I know a few good cops. They hate this crap. They are overwhelmed, lacking in expertise and resources and completely befuddled by the technicalities and the laws. Most (all normal police but a few uber geek detectives) want to abandon what they see as a huge waste of time chasing technological evidence and go back to old fashioned methods of psychology and human investigation. That's how you catch criminals.
Which is why this law was obviously not created by the needs of criminal investigation. It is an admission by government that they powerless against criminals who use sophisticated methods and an attempt to change the burden of proof. They need to acknowledge that they have lost this battle and shift resources back into manpower where it can be effective (observation, infiltration, case building).
[ link to this | view in chronology ]
Re: Faulted reasoning
[ link to this | view in chronology ]
Citizens of the UK
[ link to this | view in chronology ]
Re: Citizens of the UK
[ link to this | view in chronology ]
[ link to this | view in chronology ]
This Doesn't Seem Plausible
However, I don't understand why governments go to such lengths to punish the law abiding while those breaking the laws will just continue to ignore the new rules as well. Idiots!
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Why do you think AOL paid billions for Skype?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Stupid and stupid
Also stupid, however, is number 14. Hey dipshit...they never had guns. The laws preventing your average everyday citizen and/or criminal from getting guns came early...before guns were really common. Thus...NO ONE got guns, and they still don't have them. Criminals or "good guys" alike.
This obviously won't work in the US because we all already have guns, so only the law abiding citizens would be likely to give them up. Which would be kinda dumb. In fact, its almost the same thing as the crypt keys.
[ link to this | view in chronology ]
Re: Stupid and stupid
[ link to this | view in chronology ]
[ link to this | view in chronology ]
(='.'=)This is Bunny. Copy and paste bunny
(")_(")into your signature to help him gain world domination. :D
._...|..____________________, ,
....../ `---___________----_____|] = = = D
...../_==o;;;;;;;;_______.:/
.....), ---.(_(__) /
....// (..) ), ----"
...//___//
..//___//
.//___//
................ __
...........__.(__)..__
..........(__)l.....l(__)
..........l.=.ll..=.ll.=.l.__
..........l... .ll.....ll....l(__)
..........l.=.ll==ll.=.ll.=.l
..........l....ll.....ll....ll....l
__.......l. =.ll==ll.=.ll.=.l
l]...)....l......................l
l....|....l......................l
(......_. /......................l
................................l
...............................l
..... ........................./
..._......................./
...l.....................l
[ link to this | view in chronology ]
(='.'=)This is Bunny. Copy and paste bunny
(")_(")into your signature to help him gain world domination. :D
._...|..____________________, ,
....../ `---___________----_____|] = = = D
...../_==o;;;;;;;;_______.:/
.....), ---.(_(__) /
....// (..) ), ----"
...//___//
..//___//
.//___//
................ __
...........__.(__)..__
..........(__)l.....l(__)
..........l.=.ll..=.ll.=.l.__
..........l... .ll.....ll....l(__)
..........l.=.ll==ll.=.ll.=.l
..........l....ll.....ll....ll....l
__.......l. =.ll==ll.=.ll.=.l
l]...)....l......................l
l....|....l......................l
(......_. /......................l
................................l
...............................l
..... ........................./
..._......................./
...l.....................l
[ link to this | view in chronology ]