UK's Snooper's Charter Includes Mandatory Backdoors For Encryption

from the crypto-wars-move-overseas dept

Remember earlier this week when we mocked the silly reports claiming that the UK government had "backed down" on its demands for a Snooper's Charter. As we noted at the time, it did not appear they were backing down at all, but pulling out a bogus publicity campaign where they decided to "ditch" some absolutely crazy ideas that never really would have been included in the first place, but still leaving in plenty of terrible ideas.

And, now we know that includes mandatory backdoors into encryption -- a stupid and dangerous policy that will directly put UK citizens at risk. While, thankfully, those pushing for crypto backdoors in the US have realized that it's a politically untenable idea, the UK's new "Investigatory Powers Bill" has gone in the other direction, and will mandate encryption backdoors and ban any encryption offerings where there is no backdoor for law enforcement.
Companies such as Apple, Google and others will no longer be able to offer encryption so advanced that even they cannot decipher it when asked to, the Daily Telegraph can disclose.

Measures in the Investigatory Powers Bill will place in law a requirement on tech firms and service providers to be able to provide unencrypted communications to the police or spy agencies if requested through a warrant.
UK Prime Minister David Cameron and Home Secretary Theresa May will undoubtedly make a big show of this over the next few months, claiming that they need this to keep the public safe, but that's a load of hogwash. Backdooring encryption does the opposite. It puts everyone at serious risk. It's a technically dangerous solution by technically clueless people. If there are backdoors in encryption you are opening up a massive attack vector for those with malicious intent -- and that doesn't even get into the question of authorities abusing such powers. This has been explained over and over again, and it appears that Cameron's government simply decided to ignore all the technical experts and go with a "but they have to!" approach.

If you recognize the long history of governments using surveillance powers for nefarious reasons this should worry you. But even if you 100% trust the government, this should worry you, because what they're asking for, on a technological basis, is to make your information significantly less safe and much more open to hackers and online criminals.
A Home Office spokesman said: “The Government is clear we need to find a way to work with industry as technology develops to ensure that, with clear oversight and a robust legal framework, the police and intelligence agencies can access the content of communications of terrorists and criminals in order to resolve police investigations and prevent criminal acts. “That means ensuring that companies themselves can access the content of communications on their networks when presented with a warrant, as many of them already do for their own business purposes, for example to target advertising. These companies’ reputations rest on their ability to protect their users’ data.”
This belief that law enforcement needs this information to do its job is hogwash. For all of history prior to this, people have had methods of communicating entirely in secret, and since the dawn of civilization it was still possible to track down criminals and conspirators through traditional detective work. This belief that the content of these communications is absolutely necessary would seem to suggest that UK law enforcement is currently terrible at doing its job. I'd like to believe that's not true.

The big tech companies may now face a pretty big fight in the UK. Over the last few years, they've increasingly ramped up their efforts to provide more real privacy solutions that can actually protect your information. The UK wants to send things back to the stone age, and that's dangerous. Hopefully, companies like Apple -- which has made a big show of pushing non-backdoored-encryption -- take a stand here and refuse to give in. And, other tech companies that haven't been quite as vocal, including Google, Facebook, Microsoft and Twitter need to speak out against this, potentially to the point of threatening to pull out of the UK if the government doesn't adjust its policy. Without such a strong threat, it seems unlikely the UK government will recognize just how much danger they're putting the public in with this proposal.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: backdoors, david cameron, encryption, going dark, snooper's charter, theresa may, uk
Companies: apple, facebook, google


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    That One Guy (profile), 4 Nov 2015 @ 5:09am

    Pick ONE

    “That means ensuring that companies themselves can access the content of communications on their networks when presented with a warrant, as many of them already do for their own business purposes, for example to target advertising. These companies’ reputations rest on their ability to protect their users’ data.

    I can only assume that the person who said this either didn't give the quote in person, or has the most amazing poker face in history. Forcing companies to be able to hand over private data, warrant or not, does not enhance the reputation of a company for protecting their users' data, it eliminates it. The UK government's actions here are directly undermining the reputations of the various companies, simply so they can sate their voyeuristic fetishes.

    Hopefully companies like Apple -- who have made a big show of pushing non-backdoored-encryption take a stand here and refuse to give in. And, other tech companies who haven't been quite as vocal, including Google, Facebook, Microsoft and Twitter need to speak out against this, potentially to the point of threatening to pull out of the UK if the government doesn't adjust its policy. Without such a strong threat, it seems unlikely the UK government will recognize just how much danger they're putting the public in with this proposal.

    It's not just that they should, but rather they have no other choice. If they give in here, if they pick the choice of the coward and stay silent, or issue the ultimatum and don't follow through, that's it, they've lost. And not just in the UK, if they allow mandated broken encryption in the UK, every government is going to be demanding the same ability, and the companies will have no choice but to comply. They either stand their ground here, refuse to give in, or cave entirely, everywhere.

    The UK government has issued it's challenge, now to see how many companies are willing to call their bluff and stand firm, and how many will fold when pressured, showing all their previous protests to be nothing but empty words.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 4 Nov 2015 @ 7:30am

      Re: Pick ONE

      Apple and Google and others might. Facebook, run by sociopath Mark Zuckerberg, will cave because this provides them with perfect cover to sell even more user data than they already do. (When asked what's going on, they can simply shrug and say "we can't protect it any better".)

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 4 Nov 2015 @ 11:13am

        Re: Re: Pick ONE

        Facebook, run by sociopath Mark Zuckerberg, will cave...

        "Cave" suggests that it isn't what Zuckerberg actually wants.
        "Rejoice" would be a better word.

        link to this | view in chronology ]

    • icon
      btr1701 (profile), 4 Nov 2015 @ 9:40am

      Re: Pick ONE

      > The UK government has issued it's challenge,
      > now to see how many companies are willing to
      > call their bluff and stand firm

      I foresee a huge black market springing up for American sourced iPhones, however this shakes out.

      If Apple stands firm and stops selling in the UK, people will be buying iPhones over here and sneaking them into Britain to sell at high profit.

      If they don't stand firm and start making "UK-specific" iPhones with broken encryption, the same thing will happen-- the demand for non-broken American iPhones will skyrocket.

      link to this | view in chronology ]

    • icon
      Ninja (profile), 4 Nov 2015 @ 11:28am

      Re: Pick ONE

      PArt of me would love to see this come into law and see the UK citizens AND the government (indirectly via money loss) being utterly screwed by it. Nothing against the British themselves but it would be a powerful example on how to shoot your own feet.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 4 Nov 2015 @ 6:44am

    What I've been reading has been saying that this only applies to UK companies.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 4 Nov 2015 @ 6:51am

      Re:

      Because the UK would never say 'If you do business here you are considered a UK company.'.

      Neeeever.

      link to this | view in chronology ]

    • icon
      That One Guy (profile), 4 Nov 2015 @ 7:08am

      Re:

      Unlikely, as the other AC notes they'll almost certainly take the stance that any company that does business in the UK is a 'UK company' with regards to having to comply. It's possible they might try and force UK companies to comply at first, and then assuming that works, they'll then turn their sights on non-UK companies, but I'm guessing they'll try and force broken encryption on all companies from the get-go.

      However, were that not the case that would just make this move even more idiotic. UK-based companies would be forced to break the encryption on their products, while companies based in other countries wouldn't, giving a huge boost to those non-UK companies.

      link to this | view in chronology ]

    • icon
      PaulT (profile), 4 Nov 2015 @ 7:41am

      Re:

      Well, there's your first problem - define "UK company". Most of the examples being talked about are US-based companies that happen to have UK local offices, and many companies that service the UK don't have one at all. Do you block companies without a local presence from doing business, or do you place any company that does so at a great disadvantage with those who aren't subject to such a law?

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 4 Nov 2015 @ 8:43am

        Re: Re:

        You demand compliance with local regulations as a part of doing business in the country, grandstand on the global stage for a few weeks that 'x' company is a horrible devil getting a free ride on their economy, bring the corporation up on fines, technicalities and potentially lawsuits through a local biased court system, and after about a year or two of getting nowhere, walk back on the entire thing as people simply not understand the world they live in.

        Obviously.

        link to this | view in chronology ]

    • icon
      btr1701 (profile), 4 Nov 2015 @ 9:45am

      Re:

      > What I've been reading has been saying that this only
      > applies to UK companies.

      Even if it applies to all companies doing business in the UK, it doesn't even really address the problem.

      The "bad guys" who are savvy enough to conduct major terrorist operations are also savvy enough to use 3rd-party encryption software that's already on the market and is every bit as strong as the built-in OS encryption, and no UK law can stop that.

      The only people who are left vulnerable with a backdoored encryption system are the ones who *aren't* criminals, and who now have to worry about being affected by data breaches and Orwellian government surveillance.

      link to this | view in chronology ]

    • icon
      Ninja (profile), 4 Nov 2015 @ 11:31am

      Re:

      Hopefully if it passes the non-UK companies will halt operations immediately in the UK. That would be a beautiful start for the demise of this idiocy if it actually passes. The rest would be major damage to the finances as a whole once ill-intended ones inevitably find the doors and proceed to abuse them.

      link to this | view in chronology ]

      • identicon
        Dingledore the Flabberghaster, 5 Nov 2015 @ 2:53am

        Re: Re:

        Are there any phones made in the UK? Almost certainly not.

        Are there any phones made by the UK branches of global countries? Almost certainly not.

        Are there any modern smart phones built that can't have their firmware/software flashed? Maybe, but not mass market.

        link to this | view in chronology ]

    • identicon
      Dingledore the Flabberghaster, 5 Nov 2015 @ 2:47am

      Re:

      Presuming they get UK specific builds put onto the phones, your average consumer will end up with a device that won't be secure.

      More cautious people, including the criminal sector, will flash a secure build and still be encrypted.

      So who's being protected by this, and who's being put at substantial risk?

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 4 Nov 2015 @ 6:45am

    Turing is turning over in his grave.

    The UK wants to be a logic-free, mathematics-free zone.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 4 Nov 2015 @ 6:58am

    Because terrorists.

    link to this | view in chronology ]

  • icon
    SMobius (profile), 4 Nov 2015 @ 7:07am

    All this must be doing wonders the sales/downloads of personal VPN encryption tools. I don't have much worth spying on but I have started using more secure methods as a direct result of their policies. I wonder how many others are doing the same.

    link to this | view in chronology ]

    • identicon
      mcinsand, 4 Nov 2015 @ 7:15am

      Re:

      link to this | view in chronology ]

      • identicon
        mcinsand, 4 Nov 2015 @ 7:21am

        sorry... I actually had something to say

        As for what might be 'worth spying on,' I think the bullies are trying to convince us that, if we're doing nothing wrong, then we have no concerns (think of the scene where the controlled Minister of Magic in Harry Potter is saying the same). However, it's not the particular activity that is worth spying on, but that you might be communicating any activity at all. Let's say that the 'geniuses' have mandatory backdoors put in. Only a fool will think that those backdoors will remain secure. It's a matter of time that others crack the locks to begin collecting data on the average people. Such data could sadly be misused to plan something bad.

        If our governments actually care about our safety, they would start requiring encryption, funding improved encryption, and taking action to fine those that do not use secure encryption methods. If our safety really mattered, we would start to have security standards required before someone connects to the Internet. Our anti-educated legislators need to understand that, if our software has weaknesses that allow them to access our information, then those weaknesses are also usable by those that would do us harm.

        link to this | view in chronology ]

        • icon
          Seegras (profile), 4 Nov 2015 @ 7:38am

          Re: sorry... I actually had something to say

          if our software has weaknesses that allow them to access
          our information, then those weaknesses are also usable by
          those that would do us harm.


          Even further: These weaknesses will not only used by criminals to do harm to people, these weaknesses will also be used by adversaries against government agencies and critical infrastructure

          link to this | view in chronology ]

          • icon
            tqk (profile), 4 Nov 2015 @ 9:05am

            Re: Re: sorry... I actually had something to say

            These weaknesses will not only used by criminals to do harm to people, these weaknesses will also be used by adversaries against government agencies and critical infrastructure

            I look forward in breathless anticipation to all the !@#$storm of lawsuits and regulatory failure this policy will cause to be tossed out, beginning as soon as the first backdoor is discovered by the bad guys. The gov't has given these companies a golden "get out of jail card" for any hacks against them leaking PII & etc.

            Popcorn time! That it's Perfidious Albion that'll be the showcase example of how to fail their citizenry is just gravy for me. Whoopee! Watch carefully world. We're about to be treated to a master class show on how and why not to let your masters do this sort of !@#$.

            Too bad for the British Joe Sixpack, but this is what happens when you elect idiots. Try harder next time. Guy Faulks must be giggling with glee looking on.

            link to this | view in chronology ]

  • identicon
    Anonymous Coward, 4 Nov 2015 @ 7:17am

    What's next - mandatory CCT cameras in every room of your house

    link to this | view in chronology ]

    • icon
      That One Guy (profile), 4 Nov 2015 @ 7:20am

      Re:

      Of course, after all, only criminal terrorists try and hide their most personal moments from Big Br- the benevolent government that knows best.

      link to this | view in chronology ]

    • icon
      Valis (profile), 4 Nov 2015 @ 7:35am

      Re:

      There was a suggestion made by the UK gov. not long ago to put CCTV cameras inside council houses with microphones and speakers so that officials could "educate" parents on raising their kids. This is not a joke.

      link to this | view in chronology ]

      • icon
        PaulT (profile), 4 Nov 2015 @ 7:44am

        Re: Re:

        A lot of clueless fools in the government do tend to make ridiculous suggestions. Fortunately, there's enough sane people to stop them. So far, anyway. Mostly.

        link to this | view in chronology ]

      • icon
        Roger Strong (profile), 4 Nov 2015 @ 9:01am

        Re: Re:

        Not a joke; merely untrue. A wildly inaccurate story by the Daily Express that got endlessly repeated on conspiracy theory web sites.

        link to this | view in chronology ]

        • icon
          JoeCool (profile), 4 Nov 2015 @ 10:46am

          Re: Re: Re:

          Apparently, in very extreme cases families may be moved from their (often state funded) homes to 'core residential units' for 24 hour support and supervision, but this is very different from the Express report of the government planning to put "20,000 problem families under 24-hour CCTV supervision"


          That's right! It IS very different - it's even WORSE! Instead of putting cameras in people's homes, they'll ship them off to "camps" where they can be brainwa, err, HELPED in complete privacy.

          link to this | view in chronology ]

          • icon
            Roger Strong (profile), 4 Nov 2015 @ 11:28am

            Re: Re: Re: Re:

            Do you have a link showing that it's mandatory?

            (As opposed to "You've caused endless problems in your government-supplied housing. If you want continued government-supplied housing, this is what you get. Take it or leave it.")

            "Camps." "Brainwashing." That's quite the hyperbole there.

            link to this | view in chronology ]

            • icon
              JoeCool (profile), 4 Nov 2015 @ 11:37am

              Re: Re: Re: Re: Re:

              The quote comes from the link you provided. As to "camps" and "brainwashing", yeah, that's a bit of hyperbole, but read what you will into "moved from their (often state funded) homes to 'core residential units' for 24 hour support and supervision," but remember this is the UK we're talking about with its recent (and not so recent) moves that would make Orwell roll over in his grave.

              link to this | view in chronology ]

        • icon
          PaulT (profile), 5 Nov 2015 @ 1:03am

          Re: Re: Re:

          Ah, there's your problem.

          Here's a hint for overseas readers: if something appears in the Express, Mail or Sun (among others) and it's relating to favourite right-wing topics such as immigration, the EU or council benefits, it will either be an outright lie or greatly exaggerated. There's often a grain of truth somewhere, but if you find that grain and look at the original source, it usually doesn't say what those rags claim they say.

          No source is perfect or unbiased, unfortunately, but if you read something from the above sources your first reaction shouldn't be outrage at their claims. You should be considering how it differs from the truth.

          link to this | view in chronology ]

      • icon
        OldMugwump (profile), 4 Nov 2015 @ 9:29am

        Re: Re:

        George Orwell suggested the same thing 70 years ago.

        He'd be owed royalties.

        link to this | view in chronology ]

      • icon
        btr1701 (profile), 4 Nov 2015 @ 9:49am

        Re: Re:

        > There was a suggestion made by the UK gov. not long ago
        > to put CCTV cameras inside council houses

        What's a council house?

        link to this | view in chronology ]

    • identicon
      Suomynona, 4 Nov 2015 @ 9:47am

      Re: What's next - mandatory CCT cameras in every room of your house

      Of course not -- that would be much too expensive!

      A much cheaper and easier way (not to mention saving scarce IPv4 addresses) is to have blimps overhead with cameras pointing down at houses. Now one camera serves multiple households; think of the long term savings!

      Of course roofs obscure the view, so they would all have to be removed, but ... TERRORISTS!

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 4 Nov 2015 @ 11:18am

      Re:

      What's next - mandatory CCT cameras in every room of your house

      That's what the Chief of Police in Houston, Texas proposed. It seems that those types are the same all over the world.

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 4 Nov 2015 @ 11:36am

      Re: What's next - mandatory CCT cameras in every room of your house

      Why bother when you already have built in webcams, smart tv's, or if your into the Xbox one, a Kinect?

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 4 Nov 2015 @ 7:24am

    What about open source?

    Are openssl, gnupg, et al going to have to create a special compilation flag -D BRAIN_DEAD_UK_BACKDOORS and tell everyone that it's illegal to compile their code in the UK without defining it? Or will they just put code in the configure program that checks for a UK locale and exits saying something like

    Do to local laws, it's illegal to use this code in the UK. Please call your MP.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 4 Nov 2015 @ 7:34am

      Re: What about open source?

      Use of strong cryptography is only liable to offer protection from this government if a significant portion of the population use it. Failing that, it just identifies machines to be compromised.
      That is unless enough people use it so that the security services are swamped in their efforts to compromise machines, it will only mark people as being of special interest.

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 4 Nov 2015 @ 7:38am

      Re: What about open source?

      Luckily most open source software is hosted on US servers like GitHub so it seems safe for now.

      link to this | view in chronology ]

      • identicon
        David, 4 Nov 2015 @ 9:25am

        Re: Re: What about open source?

        And can easily be forked onto other Git repo's should the US do something stupid as well.

        link to this | view in chronology ]

    • icon
      Seegras (profile), 4 Nov 2015 @ 7:41am

      Re: What about open source?

      Or will they just put code in the configure program that checks for a UK locale ...

      Hey! I do use en_GB.UTF-8, but that doesn't mean I'm in the UK, It just means, I want a correct spell checker ;).

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 4 Nov 2015 @ 7:35am

    RIP UK tech sector

    Seriously, what are they thinking?

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 4 Nov 2015 @ 11:34am

      Re: RIP UK tech sector

      That the word "citizen" needs to be rolled back to "subject".

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 4 Nov 2015 @ 7:36am

    The UK is becoming an increasingly scary place. They are already prosecuting people at a prodigious rate for not giving up their passwords. Now, already armed with the power to compel passwords, they also want to break encryption.

    BTW - a typo in sentence:
    If you recognize the long history of governments using surveillance powers for nefarious reasons this should worry yo.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 4 Nov 2015 @ 7:40am

    Umm Safes?

    Shouldn't they start with the older methods of securing data and require a government "good guy only" standard combination be required to every combination lock and a similar government "good guy only" master key for all key locks. There are some really smart locksmiths I'm sure they can do it.

    It ought to work out the same way as backdoors for digital will in the end. After all regardless of what the technologically clueless seem to think if electricity is added, things don't become magical and void of principles of logic.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 4 Nov 2015 @ 7:43am

      Re: Umm Safes?

      Luckily, uncrackable safes don't come along very often.

      https://hackaday.com/2015/09/21/this-is-what-a-real-bomb-looks-like/

      link to this | view in chronology ]

    • icon
      PaulT (profile), 4 Nov 2015 @ 7:47am

      Re: Umm Safes?

      "Shouldn't they start with the older methods of securing data and require a government "good guy only" standard combination be required to every combination lock and a similar government "good guy only" master key for all key locks."

      ...and what happens when that combination is leaked and every "bad guy" in the world can access it without getting up off their seat?

      "things don't become magical and void of principles of logic."

      Indeed not. logic would dictate a massive number of difference between accessing the contents of a physical safe and accessing data held on a device somewhere on the internet (or contained in communications between those devices). See if you can think of a few.

      link to this | view in chronology ]

      • identicon
        beech, 4 Nov 2015 @ 8:13am

        Re: Re: Umm Safes?

        Woosh?

        link to this | view in chronology ]

      • identicon
        Anonymous Coward, 4 Nov 2015 @ 4:16pm

        Re: Re: Umm Safes?

        Just an tongue in cheek analogy to illustrate the astounding stupidity of it, geared way down for those who can't comprehend if electricity is involved.

        link to this | view in chronology ]

  • identicon
    Adam, 4 Nov 2015 @ 8:03am

    Foreign Phones

    What about folks who travel to the UK with an encrypted phone? Will they be denied roaming service by UK providers? Will it become impossible to use the Wi-Fi system in your hotel if you're from away? Tourism might take a serious knock -- I, for one, wouldn't go to England because I have an iPhone and would want to use it.

    In addition, aren't "pirate" services likely to spring up all around the UK? "Roam with us -- we can't decrypt your phone". Be interesting too to see what foreign embassies have to say about this -- are they to be unencrypted too?

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 4 Nov 2015 @ 8:22am

    We need this!

    Not for catching terrorists or any of that other bollocks, but we need an example. Regular Joe and Jill may be ignorant of what the government are trying to do, but if Apple stand firm and withholds their iDevices and iServices from the UK market, there is going to be a lot of screaming.
    It might not be the support we are hoping for but I am willing to take any support no matter how stupid the reason (almost).
    I hope the big guns will stand firm and the government of the UK will learn a lesson not easily forgotten by neither the UK gov or any other. That message might be: "You may take our freedom, but you will never take our sweet tech", but the result will hopefully be the same.

    link to this | view in chronology ]

    • identicon
      David, 4 Nov 2015 @ 9:32am

      Re: We need this!

      Forget Apple, what about Google?

      Google gives away Android for free, so there's no financial hit to them if they refuse to break the encryption. The individual phone vendors (LG, Samsung, etc) will have to do their own hacks to be able to sell into the UK market. Parts of Android are GPL licensed, and any changes to those parts will need to be openly released - and any weaknesses will be found.

      Good luck, UK. I think your phones are going to get a whole lot less secure than most people thought.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 4 Nov 2015 @ 8:37am

    I wonder how long it will be till someone's laptop gets stolen that has the backdoor information in plain text for easy access.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 4 Nov 2015 @ 8:45am

    Dear UK Government

    Dear UK,
    Thanks for making our job easy.
    Sincerely,
    The NSA


    Dear UK,
    Thanks for leaving us a way in.
    Sincerely,
    All Hackers


    Nihao UK,
    You honor us by giving us free access to your computers.
    Sincerely,
    China


    Dear UK,
    What good is a wall if someone left the door open?
    Fuck you,
    UK Citizens

    link to this | view in chronology ]

  • icon
    shadygravy (profile), 4 Nov 2015 @ 8:51am

    Expect there will be a very long exceptions list: Every Bank and Financial service firm. Every government department. Every police organization. Teachers (because - you know protect the kids). The inclusion list will be much shorter - everyone who files an income tax.

    link to this | view in chronology ]

  • identicon
    Seamus, 4 Nov 2015 @ 8:57am

    Read the proposal if you can, but this snippet might help

    This * I think * is the relevant part of the Bill that is being interpreted as mandating back door access to encrypted data.

    I won't interpret it, other more qualified than I am can do that

    If you want to read the whole thing (it takes while) then go there

    https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/473770/Draft_Investig atory_Powers_Bill.pdf




    189 Maintenance of technical capability

    (1) The Secretary of State may make regulations imposing specified obligations on relevant operators, or relevant operators of a specified description.

    (2) In this section “relevant operator” means any person who provides, or is proposing to provide
    (a) public postal services, or
    (b) telecommunications services.

    (3) Regulations under this section may impose an obligation on any relevant operators only if the Secretary of State considers it is reasonable to do so for the purpose of securing
    (a) that it is (and remains) practicable to impose requirements on those relevant operators to provide assistance in relation to relevant 30 authorisations (see subsection (9)), and
    (b) that it is (and remains) practicable for those relevant operators to comply with those requirements.

    (4) The obligations that may be imposed by regulations under this section include,
    among other things
    (a) obligations to provide facilities or services of a specified description;
    (b) obligations relating to apparatus owned or operated by a relevant
    operator;
    (c) obligations relating to the removal of electronic protection applied by a
    relevant operator to any communications or data;
    (d) obligations relating to the security of any postal or telecommunications services provided by a relevant operator;
    (e) obligations relating to the handling or disclosure of any material or data.

    (5) Before making any regulations under this section, the Secretary of State must consult the following persons—
    (a) the Technical Advisory Board,
    (b) persons appearing to the Secretary of State to be likely to be subject to the obligations specified in the regulations,
    (c) persons representing persons falling within paragraph (b), and
    (d) persons with statutory functions in relation to persons falling within that paragraph.

    (6) The Secretary of State may give any person, or any person of a specified description, on whom obligations are imposed under this section a notice (a “technical capability notice”) requiring the person to take all the steps specified
    in the notice for the purpose of complying with those obligations.

    (7) The only steps that may be specified in a technical capability notice given to a person are steps which the Secretary of State considers to be necessary for securing that the person has the practical capability of providing any assistance
    which the person may be required to provide in relation to any relevant authorisation.

    (8) An obligation specified in regulations under this section may be imposed on, and a technical capability notice given to, persons outside the United Kingdom (and may require things to be done, or not to be done, outside the United Kingdom).

    (9) In this section “relevant authorisation” means
    (a) any warrant issued under Part 2, 5 or 6, or
    (b) any authorisation or notice given under Part 3.

    (10) Sections 190 and 191 contain further provision about technical capability notices.

    link to this | view in chronology ]

    • icon
      btr1701 (profile), 4 Nov 2015 @ 10:12am

      Re: Read the proposal if you can, but this snippet might help

      > (8) An obligation specified in regulations under this
      > section may be imposed on, and a technical capability
      > notice given to, persons outside the United Kingdom (and
      > may require things to be done, or not to be done, outside
      > the United Kingdom).

      Good luck with that. If I'm a telecom company in the U.S. and the UK tries to impose one of these "obligations" on me, they're gonna get the big middle finger.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 4 Nov 2015 @ 11:42am

        Re: Re: Read the proposal if you can, but this snippet might help

        Good luck with that. If I'm a telecom company in the U.S. and the UK tries to impose one of these "obligations" on me, they're gonna get the big middle finger.

        Well, you're not "a telecom company". AT&T would jump at the chance to cooperate.

        link to this | view in chronology ]

      • identicon
        Anonymous Coward, 4 Nov 2015 @ 11:42am

        Re: Re: Read the proposal if you can, but this snippet might help

        Damn straight. Well, unless they offered to force the BBC to kill off Clara on Doctor Who. Then I might consider it...

        link to this | view in chronology ]

    • icon
      nasch (profile), 5 Nov 2015 @ 4:03pm

      Re: Read the proposal if you can, but this snippet might help

      Is it just me, or does that never get around to actually defining what obligations can actually be imposed? It's just a list of vague categories. Maybe that part is specified later. Or maybe it's intentionally that vague so almost anything can be included.

      link to this | view in chronology ]

  • identicon
    Harry Tuttle, 4 Nov 2015 @ 9:06am

    Doublethink as standard

    Doubleplus good if you ask me! Weakness is strength, remember! Especially when it comes to crypto.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 4 Nov 2015 @ 9:11am

    Stop doing business with UK.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 4 Nov 2015 @ 9:13am

    "with clear oversight and a robust legal framework, the police and intelligence agencies can access the content of communications of terrorists and criminals in order to resolve police investigations and prevent criminal acts."

    NSA and GCHQ already have access to communications. Nowadays everybody is a terrorist or a criminal. To prevent crimes? Is this Minority Report?

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 4 Nov 2015 @ 9:19am

    Perfect candidate for ISDS?

    Wouldn't this type of action by GB be a poster child for a "good" application of an investor-state dispute settlement/corporate sovereignty case?

    I mean, both the legal backdooring of encryption and corp sovereignty provisions are basically inevitable at this point, so if life is giving lemons, time to start making fruit drinks?

    link to this | view in chronology ]

  • icon
    Almost Anonymous (profile), 4 Nov 2015 @ 9:24am

    Apple can easily fix this

    "No iPhones for the UK." Cameron will cave.

    link to this | view in chronology ]

  • icon
    Roger Strong (profile), 4 Nov 2015 @ 9:26am

    If I were Apple...

    I'd release two versions of the iPhone firmware. I'd make it explicit what the two versions are about:

    1) Countries with a right to privacy and personal security.

    2) Totalitarian regimes with no right to privacy or personal security.

    The UK can select which version arrives with iPhones there. They can count on simple region blocking by Apple's servers to prevent UK iPhones from getting the secure version.

    But it will be up to the UK to prevent other means, VPNs etc., from being used to download the secure firmware. And it will be up to their government to explain to their people why they're explicitly getting the China/Saudi Arabia/North Korea version.

    The EULA for the secure version will have the usual "I Agree" button. The totalitarian version will require you to click on "I Obey."

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 4 Nov 2015 @ 11:53am

      Re: If I were Apple...

      They could offer the iTotalitarian version in only one finish: black & yellow "caution" stripes. Hell, give it square corners.

      link to this | view in chronology ]

  • identicon
    Mr P, 4 Nov 2015 @ 12:13pm

    How does this stuff get through without a public vote?

    See title. Can somebody help me understand how this can happen?
    I am so gob-smacked I have no words. There will be no way to do this without making everybody totally open as the mechanism for activating the backdoor __will__ make it into the public domain, either by leaking or re-engineering, and then it'll be all over the net and then any encryption on your devices will be useless. This is so absurd.

    link to this | view in chronology ]

  • icon
    Uriel-238 (profile), 4 Nov 2015 @ 12:22pm

    A complicated solution

    Would be to box the encryption process into an add-on socket, to ease the process of regionizing the OS. That way, Apple / Google could insert clean encryption or government-approved encryption with ease.

    ...And then drop the parameters of the socket to the open source community, and see how fast they can come up with a robust free-for-EVERYbody encryption plug.

    Block this, mofos.

    link to this | view in chronology ]

  • identicon
    AJ, 4 Nov 2015 @ 12:29pm

    You have to know that some idiot from the office of bureaucratic bureaucracies will send the key to the "back door" *gigidy* in plain txt in an email that will be forwarded to the department of distributions, who will make sure everyone on the planet is CC'd into the original email chain. Then, in an effort to confirm their stupidity, the Gov will then pretend it never happened and leave the key exactly as it is and not change it. Warm up your microwave's people, your going to need a bunch of popcorn for this one...

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 4 Nov 2015 @ 1:10pm

    Cameron is appearing to turn into quite the dictator! i wonder what he and his government will do when there are serious breeches in bank security and customers sue the gTory government for forcing security measures to be so lapse that hackers can get into servers and pilfer bank accounts and passwords. it wont be the banks fault if forced to leave a backdoor available for government. if it can get in you can bet anyone else who wants to will. then what will happen when people are killed because terrorists got info they needed from lapse security on web sites or mail servers? the man is a fucking menace to the citizens of the UK and his government needs replacing!

    link to this | view in chronology ]

    • icon
      Uriel-238 (profile), 4 Nov 2015 @ 1:26pm

      Tubbed and buttered.

      I expect that Banks and businesses will knowingly break the law, or just move their data offshore.

      Does it say no UK encryption software packages without backdoors or no encrypted data in the UK without backdoors?

      Because the former case just requires people to seek out foreign encryption kits. The latter...well that's going to collapse in spectacular house-of-cards fashion.

      link to this | view in chronology ]

      • icon
        Uriel-238 (profile), 4 Nov 2015 @ 1:30pm

        Re: Tubbed and buttered.

        Yeah, it looks like they want the ability to take your data to the crypto company and ask them to crack it (which means the burden is on them to facilitate it) and then, I suppose fine a company who made the crypto if they can't crack it.

        Which actually might propel the socket solution, so that a fourth party can make (and be responsible for) the crypto. Apple and Google would be able to say "It's out of our hands."

        link to this | view in chronology ]

    • icon
      tqk (profile), 4 Nov 2015 @ 4:24pm

      Re: Cameron

      the man is a fucking menace to the citizens of the UK and his government needs replacing!

      Are you unaware of the recently held election where he was re-elected with a majority (aka carte blanche in parliamentary terms)? He's just getting started (again).

      Obviously, democracy is either far too nuanced a process for today's electorates (blame public education or TV?) or else hopelessly rigged in favor of those contesting in them (cf. the US' FEC). I might suggest they try burning down parliament with said contestants inside, but that didn't work out well at all for Guy Faulks when he tried it. Aside, I've often wondered why Brits are even allowed to celebrate Guy Faulks Day, but they're British; says it all.

      Just enjoy the show and thank your lucky stars you're not a Brit, or if you are, accept my heart felt sympathy. Sucks to be them.

      link to this | view in chronology ]

  • icon
    Rapnel (profile), 4 Nov 2015 @ 4:06pm

    The United Kingdom? More like the Tyrannical Isles of Plight.

    fUcK

    link to this | view in chronology ]

  • identicon
    Stephen, 4 Nov 2015 @ 7:03pm

    I see David Cameron is trying the age-old tactic of instilling fear and terror into the populace. The Telegraph's article noted:
    David Cameron, the Prime Minister, pleaded with the public and MPs to back his raft of new surveillance measures. He said terrorists, paedophiles and criminals must not be allowed a “safe space” online.
    So in order to catch a handful of nasties he is demanding the the rights of EVERYbody be downgraded.

    I would also note that strictly speaking the "safe space" in question would not be online but on the person's own phone. That would be no different from an uncrackable safe a person had in their house. What the government would in effect be doing would be compelling the companies which make safes to give them access to a master combination which they could use to open every safe in the UK.

    Needless to say such a combination would be a safecracker's dream!

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 4 Nov 2015 @ 10:52pm

    ISPs only

    So far as I can tell right now, the bill only applies to ISPs, so actual end-to-end encryption is still legal.

    I'm considering running a script that visits 20 random websites each day…

    link to this | view in chronology ]

  • identicon
    Genius, 5 Nov 2015 @ 6:16am

    why not ban terrorism? it is faster!

    UK is not banning math,
    only the "terrorist- crypto- math"

    link to this | view in chronology ]

    • icon
      Uriel-238 (profile), 5 Nov 2015 @ 11:00am

      I still prefer installing crypto that only good guys can use.

      And while we're at it, we should make bullets that only kill bad people.

      link to this | view in chronology ]

      • icon
        That One Guy (profile), 5 Nov 2015 @ 10:36pm

        Re: I still prefer installing crypto that only good guys can use.

        The US already has the latter, as evidenced by the fact that every single person shot and/or killed by the police is determined by the 'investigation' of the incident to have been a criminal. Since only criminals are ever killed by police, clearly the police have magic 'bad people only' bullets, so no need to wish for them, they're already here.

        link to this | view in chronology ]

  • identicon
    Anonymous Coward, 5 Nov 2015 @ 1:34pm

    the unicorn paradox

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.