UK's Snooper's Charter Includes Mandatory Backdoors For Encryption
from the crypto-wars-move-overseas dept
Remember earlier this week when we mocked the silly reports claiming that the UK government had "backed down" on its demands for a Snooper's Charter. As we noted at the time, it did not appear they were backing down at all, but pulling out a bogus publicity campaign where they decided to "ditch" some absolutely crazy ideas that never really would have been included in the first place, but still leaving in plenty of terrible ideas.And, now we know that includes mandatory backdoors into encryption -- a stupid and dangerous policy that will directly put UK citizens at risk. While, thankfully, those pushing for crypto backdoors in the US have realized that it's a politically untenable idea, the UK's new "Investigatory Powers Bill" has gone in the other direction, and will mandate encryption backdoors and ban any encryption offerings where there is no backdoor for law enforcement.
Companies such as Apple, Google and others will no longer be able to offer encryption so advanced that even they cannot decipher it when asked to, the Daily Telegraph can disclose.UK Prime Minister David Cameron and Home Secretary Theresa May will undoubtedly make a big show of this over the next few months, claiming that they need this to keep the public safe, but that's a load of hogwash. Backdooring encryption does the opposite. It puts everyone at serious risk. It's a technically dangerous solution by technically clueless people. If there are backdoors in encryption you are opening up a massive attack vector for those with malicious intent -- and that doesn't even get into the question of authorities abusing such powers. This has been explained over and over again, and it appears that Cameron's government simply decided to ignore all the technical experts and go with a "but they have to!" approach.
Measures in the Investigatory Powers Bill will place in law a requirement on tech firms and service providers to be able to provide unencrypted communications to the police or spy agencies if requested through a warrant.
If you recognize the long history of governments using surveillance powers for nefarious reasons this should worry you. But even if you 100% trust the government, this should worry you, because what they're asking for, on a technological basis, is to make your information significantly less safe and much more open to hackers and online criminals.
A Home Office spokesman said: “The Government is clear we need to find a way to work with industry as technology develops to ensure that, with clear oversight and a robust legal framework, the police and intelligence agencies can access the content of communications of terrorists and criminals in order to resolve police investigations and prevent criminal acts. “That means ensuring that companies themselves can access the content of communications on their networks when presented with a warrant, as many of them already do for their own business purposes, for example to target advertising. These companies’ reputations rest on their ability to protect their users’ data.”This belief that law enforcement needs this information to do its job is hogwash. For all of history prior to this, people have had methods of communicating entirely in secret, and since the dawn of civilization it was still possible to track down criminals and conspirators through traditional detective work. This belief that the content of these communications is absolutely necessary would seem to suggest that UK law enforcement is currently terrible at doing its job. I'd like to believe that's not true.
The big tech companies may now face a pretty big fight in the UK. Over the last few years, they've increasingly ramped up their efforts to provide more real privacy solutions that can actually protect your information. The UK wants to send things back to the stone age, and that's dangerous. Hopefully, companies like Apple -- which has made a big show of pushing non-backdoored-encryption -- take a stand here and refuse to give in. And, other tech companies that haven't been quite as vocal, including Google, Facebook, Microsoft and Twitter need to speak out against this, potentially to the point of threatening to pull out of the UK if the government doesn't adjust its policy. Without such a strong threat, it seems unlikely the UK government will recognize just how much danger they're putting the public in with this proposal.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: backdoors, david cameron, encryption, going dark, snooper's charter, theresa may, uk
Companies: apple, facebook, google
Reader Comments
Subscribe: RSS
View by: Time | Thread
Pick ONE
I can only assume that the person who said this either didn't give the quote in person, or has the most amazing poker face in history. Forcing companies to be able to hand over private data, warrant or not, does not enhance the reputation of a company for protecting their users' data, it eliminates it. The UK government's actions here are directly undermining the reputations of the various companies, simply so they can sate their voyeuristic fetishes.
Hopefully companies like Apple -- who have made a big show of pushing non-backdoored-encryption take a stand here and refuse to give in. And, other tech companies who haven't been quite as vocal, including Google, Facebook, Microsoft and Twitter need to speak out against this, potentially to the point of threatening to pull out of the UK if the government doesn't adjust its policy. Without such a strong threat, it seems unlikely the UK government will recognize just how much danger they're putting the public in with this proposal.
It's not just that they should, but rather they have no other choice. If they give in here, if they pick the choice of the coward and stay silent, or issue the ultimatum and don't follow through, that's it, they've lost. And not just in the UK, if they allow mandated broken encryption in the UK, every government is going to be demanding the same ability, and the companies will have no choice but to comply. They either stand their ground here, refuse to give in, or cave entirely, everywhere.
The UK government has issued it's challenge, now to see how many companies are willing to call their bluff and stand firm, and how many will fold when pressured, showing all their previous protests to be nothing but empty words.
[ link to this | view in thread ]
[ link to this | view in thread ]
Turing is turning over in his grave.
[ link to this | view in thread ]
Re:
Neeeever.
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
However, were that not the case that would just make this move even more idiotic. UK-based companies would be forced to break the encryption on their products, while companies based in other countries wouldn't, giving a huge boost to those non-UK companies.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
sorry... I actually had something to say
If our governments actually care about our safety, they would start requiring encryption, funding improved encryption, and taking action to fine those that do not use secure encryption methods. If our safety really mattered, we would start to have security standards required before someone connects to the Internet. Our anti-educated legislators need to understand that, if our software has weaknesses that allow them to access our information, then those weaknesses are also usable by those that would do us harm.
[ link to this | view in thread ]
What about open source?
Do to local laws, it's illegal to use this code in the UK. Please call your MP.
[ link to this | view in thread ]
Re: Pick ONE
[ link to this | view in thread ]
Re: What about open source?
That is unless enough people use it so that the security services are swamped in their efforts to compromise machines, it will only mark people as being of special interest.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
RIP UK tech sector
[ link to this | view in thread ]
BTW - a typo in sentence:
[ link to this | view in thread ]
Re: What about open source?
[ link to this | view in thread ]
Re: sorry... I actually had something to say
our information, then those weaknesses are also usable by
those that would do us harm.
Even further: These weaknesses will not only used by criminals to do harm to people, these weaknesses will also be used by adversaries against government agencies and critical infrastructure
[ link to this | view in thread ]
Umm Safes?
It ought to work out the same way as backdoors for digital will in the end. After all regardless of what the technologically clueless seem to think if electricity is added, things don't become magical and void of principles of logic.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: What about open source?
Hey! I do use en_GB.UTF-8, but that doesn't mean I'm in the UK, It just means, I want a correct spell checker ;).
[ link to this | view in thread ]
Re: Umm Safes?
https://hackaday.com/2015/09/21/this-is-what-a-real-bomb-looks-like/
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Umm Safes?
...and what happens when that combination is leaked and every "bad guy" in the world can access it without getting up off their seat?
"things don't become magical and void of principles of logic."
Indeed not. logic would dictate a massive number of difference between accessing the contents of a physical safe and accessing data held on a device somewhere on the internet (or contained in communications between those devices). See if you can think of a few.
[ link to this | view in thread ]
Foreign Phones
In addition, aren't "pirate" services likely to spring up all around the UK? "Roam with us -- we can't decrypt your phone". Be interesting too to see what foreign embassies have to say about this -- are they to be unencrypted too?
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re: Umm Safes?
[ link to this | view in thread ]
We need this!
It might not be the support we are hoping for but I am willing to take any support no matter how stupid the reason (almost).
I hope the big guns will stand firm and the government of the UK will learn a lesson not easily forgotten by neither the UK gov or any other. That message might be: "You may take our freedom, but you will never take our sweet tech", but the result will hopefully be the same.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re:
Obviously.
[ link to this | view in thread ]
Dear UK Government
Thanks for making our job easy.
Sincerely,
The NSA
Dear UK,
Thanks for leaving us a way in.
Sincerely,
All Hackers
Nihao UK,
You honor us by giving us free access to your computers.
Sincerely,
China
Dear UK,
What good is a wall if someone left the door open?
Fuck you,
UK Citizens
[ link to this | view in thread ]
[ link to this | view in thread ]
Read the proposal if you can, but this snippet might help
I won't interpret it, other more qualified than I am can do that
If you want to read the whole thing (it takes while) then go there
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/473770/Draft_Investig atory_Powers_Bill.pdf
189 Maintenance of technical capability
(1) The Secretary of State may make regulations imposing specified obligations on relevant operators, or relevant operators of a specified description.
(2) In this section “relevant operator” means any person who provides, or is proposing to provide
(a) public postal services, or
(b) telecommunications services.
(3) Regulations under this section may impose an obligation on any relevant operators only if the Secretary of State considers it is reasonable to do so for the purpose of securing
(a) that it is (and remains) practicable to impose requirements on those relevant operators to provide assistance in relation to relevant 30 authorisations (see subsection (9)), and
(b) that it is (and remains) practicable for those relevant operators to comply with those requirements.
(4) The obligations that may be imposed by regulations under this section include,
among other things
(a) obligations to provide facilities or services of a specified description;
(b) obligations relating to apparatus owned or operated by a relevant
operator;
(c) obligations relating to the removal of electronic protection applied by a
relevant operator to any communications or data;
(d) obligations relating to the security of any postal or telecommunications services provided by a relevant operator;
(e) obligations relating to the handling or disclosure of any material or data.
(5) Before making any regulations under this section, the Secretary of State must consult the following persons—
(a) the Technical Advisory Board,
(b) persons appearing to the Secretary of State to be likely to be subject to the obligations specified in the regulations,
(c) persons representing persons falling within paragraph (b), and
(d) persons with statutory functions in relation to persons falling within that paragraph.
(6) The Secretary of State may give any person, or any person of a specified description, on whom obligations are imposed under this section a notice (a “technical capability notice”) requiring the person to take all the steps specified
in the notice for the purpose of complying with those obligations.
(7) The only steps that may be specified in a technical capability notice given to a person are steps which the Secretary of State considers to be necessary for securing that the person has the practical capability of providing any assistance
which the person may be required to provide in relation to any relevant authorisation.
(8) An obligation specified in regulations under this section may be imposed on, and a technical capability notice given to, persons outside the United Kingdom (and may require things to be done, or not to be done, outside the United Kingdom).
(9) In this section “relevant authorisation” means
(a) any warrant issued under Part 2, 5 or 6, or
(b) any authorisation or notice given under Part 3.
(10) Sections 190 and 191 contain further provision about technical capability notices.
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re: sorry... I actually had something to say
I look forward in breathless anticipation to all the !@#$storm of lawsuits and regulatory failure this policy will cause to be tossed out, beginning as soon as the first backdoor is discovered by the bad guys. The gov't has given these companies a golden "get out of jail card" for any hacks against them leaking PII & etc.
Popcorn time! That it's Perfidious Albion that'll be the showcase example of how to fail their citizenry is just gravy for me. Whoopee! Watch carefully world. We're about to be treated to a master class show on how and why not to let your masters do this sort of !@#$.
Too bad for the British Joe Sixpack, but this is what happens when you elect idiots. Try harder next time. Guy Faulks must be giggling with glee looking on.
[ link to this | view in thread ]
Doublethink as standard
[ link to this | view in thread ]
[ link to this | view in thread ]
NSA and GCHQ already have access to communications. Nowadays everybody is a terrorist or a criminal. To prevent crimes? Is this Minority Report?
[ link to this | view in thread ]
Perfect candidate for ISDS?
I mean, both the legal backdooring of encryption and corp sovereignty provisions are basically inevitable at this point, so if life is giving lemons, time to start making fruit drinks?
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Apple can easily fix this
[ link to this | view in thread ]
Re: Re: What about open source?
[ link to this | view in thread ]
If I were Apple...
1) Countries with a right to privacy and personal security.
2) Totalitarian regimes with no right to privacy or personal security.
The UK can select which version arrives with iPhones there. They can count on simple region blocking by Apple's servers to prevent UK iPhones from getting the secure version.
But it will be up to the UK to prevent other means, VPNs etc., from being used to download the secure firmware. And it will be up to their government to explain to their people why they're explicitly getting the China/Saudi Arabia/North Korea version.
The EULA for the secure version will have the usual "I Agree" button. The totalitarian version will require you to click on "I Obey."
[ link to this | view in thread ]
Re: Re:
He'd be owed royalties.
[ link to this | view in thread ]
Re: We need this!
Google gives away Android for free, so there's no financial hit to them if they refuse to break the encryption. The individual phone vendors (LG, Samsung, etc) will have to do their own hacks to be able to sell into the UK market. Parts of Android are GPL licensed, and any changes to those parts will need to be openly released - and any weaknesses will be found.
Good luck, UK. I think your phones are going to get a whole lot less secure than most people thought.
[ link to this | view in thread ]
Re: Pick ONE
> now to see how many companies are willing to
> call their bluff and stand firm
I foresee a huge black market springing up for American sourced iPhones, however this shakes out.
If Apple stands firm and stops selling in the UK, people will be buying iPhones over here and sneaking them into Britain to sell at high profit.
If they don't stand firm and start making "UK-specific" iPhones with broken encryption, the same thing will happen-- the demand for non-broken American iPhones will skyrocket.
[ link to this | view in thread ]
Re:
> applies to UK companies.
Even if it applies to all companies doing business in the UK, it doesn't even really address the problem.
The "bad guys" who are savvy enough to conduct major terrorist operations are also savvy enough to use 3rd-party encryption software that's already on the market and is every bit as strong as the built-in OS encryption, and no UK law can stop that.
The only people who are left vulnerable with a backdoored encryption system are the ones who *aren't* criminals, and who now have to worry about being affected by data breaches and Orwellian government surveillance.
[ link to this | view in thread ]
Re: What's next - mandatory CCT cameras in every room of your house
A much cheaper and easier way (not to mention saving scarce IPv4 addresses) is to have blimps overhead with cameras pointing down at houses. Now one camera serves multiple households; think of the long term savings!
Of course roofs obscure the view, so they would all have to be removed, but ... TERRORISTS!
[ link to this | view in thread ]
Re: Re:
> to put CCTV cameras inside council houses
What's a council house?
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re: Read the proposal if you can, but this snippet might help
> section may be imposed on, and a technical capability
> notice given to, persons outside the United Kingdom (and
> may require things to be done, or not to be done, outside
> the United Kingdom).
Good luck with that. If I'm a telecom company in the U.S. and the UK tries to impose one of these "obligations" on me, they're gonna get the big middle finger.
[ link to this | view in thread ]
Re: Re: Re:
That's right! It IS very different - it's even WORSE! Instead of putting cameras in people's homes, they'll ship them off to "camps" where they can be brainwa, err, HELPED in complete privacy.
[ link to this | view in thread ]
Re: Re: Pick ONE
"Cave" suggests that it isn't what Zuckerberg actually wants.
"Rejoice" would be a better word.
[ link to this | view in thread ]
Re:
That's what the Chief of Police in Houston, Texas proposed. It seems that those types are the same all over the world.
[ link to this | view in thread ]
Re: Pick ONE
[ link to this | view in thread ]
Re: Re: Re: Re:
(As opposed to "You've caused endless problems in your government-supplied housing. If you want continued government-supplied housing, this is what you get. Take it or leave it.")
"Camps." "Brainwashing." That's quite the hyperbole there.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: RIP UK tech sector
[ link to this | view in thread ]
Re: What's next - mandatory CCT cameras in every room of your house
[ link to this | view in thread ]
Re: Re: Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Read the proposal if you can, but this snippet might help
Well, you're not "a telecom company". AT&T would jump at the chance to cooperate.
[ link to this | view in thread ]
Re: Re: Read the proposal if you can, but this snippet might help
[ link to this | view in thread ]
Re: If I were Apple...
[ link to this | view in thread ]
How does this stuff get through without a public vote?
I am so gob-smacked I have no words. There will be no way to do this without making everybody totally open as the mechanism for activating the backdoor __will__ make it into the public domain, either by leaking or re-engineering, and then it'll be all over the net and then any encryption on your devices will be useless. This is so absurd.
[ link to this | view in thread ]
A complicated solution
...And then drop the parameters of the socket to the open source community, and see how fast they can come up with a robust free-for-EVERYbody encryption plug.
Block this, mofos.
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Tubbed and buttered.
Does it say no UK encryption software packages without backdoors or no encrypted data in the UK without backdoors?
Because the former case just requires people to seek out foreign encryption kits. The latter...well that's going to collapse in spectacular house-of-cards fashion.
[ link to this | view in thread ]
Re: Tubbed and buttered.
Which actually might propel the socket solution, so that a fourth party can make (and be responsible for) the crypto. Apple and Google would be able to say "It's out of our hands."
[ link to this | view in thread ]
fUcK
[ link to this | view in thread ]
Re: Re: Umm Safes?
[ link to this | view in thread ]
Re: Cameron
Are you unaware of the recently held election where he was re-elected with a majority (aka carte blanche in parliamentary terms)? He's just getting started (again).
Obviously, democracy is either far too nuanced a process for today's electorates (blame public education or TV?) or else hopelessly rigged in favor of those contesting in them (cf. the US' FEC). I might suggest they try burning down parliament with said contestants inside, but that didn't work out well at all for Guy Faulks when he tried it. Aside, I've often wondered why Brits are even allowed to celebrate Guy Faulks Day, but they're British; says it all.
Just enjoy the show and thank your lucky stars you're not a Brit, or if you are, accept my heart felt sympathy. Sucks to be them.
[ link to this | view in thread ]
Re: Re: Re: Read the proposal if you can, but this snippet might help
[ link to this | view in thread ]
I would also note that strictly speaking the "safe space" in question would not be online but on the person's own phone. That would be no different from an uncrackable safe a person had in their house. What the government would in effect be doing would be compelling the companies which make safes to give them access to a master combination which they could use to open every safe in the UK.
Needless to say such a combination would be a safecracker's dream!
[ link to this | view in thread ]
ISPs only
I'm considering running a script that visits 20 random websites each day…
[ link to this | view in thread ]
Re: Re: Re: Umm Safes?
[ link to this | view in thread ]
Re: Re: Re:
Here's a hint for overseas readers: if something appears in the Express, Mail or Sun (among others) and it's relating to favourite right-wing topics such as immigration, the EU or council benefits, it will either be an outright lie or greatly exaggerated. There's often a grain of truth somewhere, but if you find that grain and look at the original source, it usually doesn't say what those rags claim they say.
No source is perfect or unbiased, unfortunately, but if you read something from the above sources your first reaction shouldn't be outrage at their claims. You should be considering how it differs from the truth.
[ link to this | view in thread ]
Re:
More cautious people, including the criminal sector, will flash a secure build and still be encrypted.
So who's being protected by this, and who's being put at substantial risk?
[ link to this | view in thread ]
Re: Re:
Are there any phones made by the UK branches of global countries? Almost certainly not.
Are there any modern smart phones built that can't have their firmware/software flashed? Maybe, but not mass market.
[ link to this | view in thread ]
why not ban terrorism? it is faster!
only the "terrorist- crypto- math"
[ link to this | view in thread ]
I still prefer installing crypto that only good guys can use.
[ link to this | view in thread ]
Re: Re: Re: Read the proposal if you can, but this snippet might help
> Clara on Doctor Who. Then I might consider it...
What?!? Clara the Impossibly Cute?
She needs to stay forever. It's the horrible new Doctor that needs to go.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Read the proposal if you can, but this snippet might help
[ link to this | view in thread ]
Re: I still prefer installing crypto that only good guys can use.
[ link to this | view in thread ]
Re: Re: Re: Read the proposal if you can, but this snippet might help
Your wish has been granted, I suppose?
http://www.radiotimes.com/news/2015-11-04/peter-capaldi-warns-that-claras-doctor-who-exit-wi ll-be-a-long--and-painful--goodbye
[ link to this | view in thread ]