United Kingdom Encryption Government Privacy Security

UK Gov't Can Demand Backdoors, Give Prison Sentences For Disclosing Them (arstechnica.co.uk) 187

An anonymous reader writes with some of the latest news about the draft Investigatory Powers Bill. Ars reports: "Buried in the 300 pages of the draft Investigatory Powers Bill (aka the Snooper's Charter), published on Wednesday, is something called a 'technical capability notice' (Section 189). Despite its neutral-sounding name, this gives the UK's home secretary almost unlimited power to impose 'an obligation on any relevant operators'—any obligation—subject to the requirement that 'the Secretary of State considers it is reasonable to do so.' There is also the proviso that 'it is (and remains) practicable for those relevant operators to comply with those requirements,' which probably rules out breaking end-to-end encryption, but would still allow the home secretary to demand that companies add backdoors to their software and equipment. That's bad enough, but George Danezis, an associate professor in security and privacy engineering at University College London, points out that the Snooper's Charter is actually much, much worse. The Investigatory Powers Bill would also make it a criminal offense, punishable with up to 12 months in prison and/or a fine, for anyone involved to reveal the existence of those backdoors, in any circumstances (Section 190(8).)"

Professor of journalism at City University Heather Brook writes at the Gaurdian: "When the Home Office and intelligence agencies began promoting the idea that the new investigatory powers bill was a “climbdown”, I grew suspicious. If the powerful are forced to compromise they don’t crow about it or send out press releases – or, in the case of intelligence agencies, make off-the-record briefings outlining how they failed to get what they wanted. That could mean only one thing: they had got what they wanted. So why were they trying to fool the press and the public that they had lost? Simply because they had won. I never thought I’d say it, but George Orwell lacked vision. The spies have gone further than he could have imagined, creating in secret and without democratic authorization the ultimate panopticon. Now they hope the British public will make it legitimate."
This discussion has been archived. No new comments can be posted.

  • by RobinH ( 124750 ) on Tuesday November 10, 2015 @05:51AM (#50899519) Homepage
    The scariest thing about living in a "democracy" (Republic) now is that the *majority* really don't care about their rights, as long as they can watch their reality TV and they have someone to publicly shame on Facebook/Twitter.
    • by Dog-Cow ( 21281 ) on Tuesday November 10, 2015 @05:55AM (#50899539)

      You are 100% right that the majority does not care. If they did, it would be simple enough to assume that all British companies are backdoored and to drive them out of business by using alternatives in other countries. Granted, those other companies might also be backdoored, but the point is to make a point to the local authorities.

      • by ArmoredDragon ( 3450605 ) on Tuesday November 10, 2015 @09:30AM (#50900411)

        I kind of wonder if this law would impact ARM Holdings, which has potential implications for the smartphone industry.

        • by AmiMoJo ( 196126 )

          It could completely destroy them, or at least force them to leave the UK.

          Say the Home Secretary, not really understanding these things, granted a request from MI5 to put a backdoor in the next version of the ARM ABI. If ARM comply it will probably be apparent to all the manufacturers who licence the design. Even if they somehow hide it, eventually it will be discovered and billions of devices will be exploitable with little prospect of a software fix. It could easily sink ARM.

          So either ARM screws themselves

        • by shugah ( 881805 )
          Box.com would also likely be affected. If I recall, one of the primary reasons for locating in the UK was to cloud storage outside the reach of the USA Patriot Act.
    • by Anonymous Coward

      > The scariest thing about living in a "democracy" (Republic) now is that the *majority* really don't care about their rights, as long as they can watch their reality TV

      As a non-US and non-UK citizen, my country's history was heavily inspired by fights for Freedom like the US Independence and the famous French Storming of the Bastille.

      Those were sad moments to make real the conquest of Freedoms which have a better taste when not tainted by blood. Notwithstanding that, they are of utmost importance and pe

    • What I find amazing is that you think this is something new.

      It is as old as democracy itself. As long as they aren't being bothered people won't bother doing something.

      oblig: http://xkcd.com/1601/

      pretty much sums it up.

      • It isn't new, it's been available to the police and government since the first iteration of the Regulation of Investigatory Powers Act in 2000.

    • by umghhh ( 965931 )
      That is why we outsource these difficult mostly boring but for a society vital tasks to people that care i.e. politicians. It is a win/win.
    • by oobayly ( 1056050 ) on Tuesday November 10, 2015 @07:55AM (#50899859)

      I have a colleague who is perfectly happy to throw away his rights - "I don't care what they do if it's anti-terror related" and "we need to get rid of all this human rights bullshit", which was in response to my mention of civil rights, namely being detained without charge and warrant-less access of private data.

      The problem is that civil/human rights don't feature very high up on people's priorities because they don't need the obvious ones on a daily basis, and they don't realise how much of our daily lives is made possible because of those rights. More succinctly - people don't care about their rights until they need them.

      In a way, it's very similar to how all these people are leaving their countries to join ISIL - they're blind to the freedoms they've been afforded and go off to fight the kind of regimes their parents fought to escape from.

      • by havana9 ( 101033 )
        Quite a lot of Italians in the last century agreed with these ideas: they even made a party [wikipedia.org]. Unfortunately the people who fought in WWII are fewer and fewer, so the memory of what authoritarian states are is fading away.
  • Since you can't disclose it, what can you do? I guess your only option is to take a vacation in Russia. Perhaps someone there will talk to you and not do something insane like try to arrest you! They might understand your frustration and try to cheer you up by giving you a few presents.

    Is this like American law? If a Malaysian finds a back door in an Indian software program used by the Chinese and gives it to the Malaysian version of the NSA, will the Brits nab him when he passes through some airport in

    • by rcase5 ( 3781471 ) on Tuesday November 10, 2015 @06:41AM (#50899673)

      Is this like American law?

      No, it isn't. In the 90s, there was an effort by the Clinton Administration to implement a key escrow system whereby all encrypted transmissions would have been required to submit encryption keys to some agency, so that the government could eavesdrop on those transmissions. The IT community here in the U.S. had a shit fit, and eventually defeated that idea, even though the Clinton Administration tried to scare us into thinking that if they couldn't monitor such transmissions, all sorts of awful things might happen. Except for the attacks on September 11, 2001, nothing has happened here, and our government still had plenty of warning about those attacks even without these systems in place.

      There have been other stories more recently where large telecommunications companies have been cooperating with the U.S. Government in essentially making a copy of all transmissions over the Internet. While those companies were not required to comply (and there were a few who chose not to), they did anyway. There was a huge stink made about that as well, and as far as I know, those operations have been shut down (I'm sure someone will correct me if I'm wrong).

      As far as I know, nobody here in the U.S. is required to install back doors into their systems so that government agencies can gain access at-will. After the kerfuffle in the 90s, I seriously doubt such a measure would pass into law. In a way, this highlights the silliness of the UK undertaking such a measure in their law. If UK concerns are required to put in back doors, but nobody else in the world has the same requirement, it means the UK government is essentially spying on their own citizens. They are also increasing the likelihood that a foreign concern (government, company or individual) could break into these systems and make it easier for them to effectively spy on the UK. This would drive people to host their email and web sites (among other things) on foreign servers (likely US or Canada), and could put UK hosting providers out of business, along with other consequences.

      If I were a British subject, I would complain to my representatives, LOUDLY, that this is a really bad idea.

      • by AHuxley ( 892839 )
        Re "I seriously doubt such a measure would pass into law"
        The NSA and GCHQ let a generation of users enjoy US based consumer operating systems that responded well to gov malware and keyloggers. After that any compiled export crypto is a junk layer. Some great busy work and a generation of legal distraction.
        Re "There was a huge stink made about that as well, and as far as I know, those operations have been shut down (I'm sure someone will correct me if I'm wrong)."
        The fuss made just further covered colle
      • If I were a British subject, I would complain to my representatives, LOUDLY, that this is a really bad idea.

        You are obviously outnumbered. Enjoy the ride.

      • While those companies were not required to comply (and there were a few who chose not to), they did anyway.

        Who told you that they were not required to comply? They lied to you [wikipedia.org].

        There was a huge stink made about that as well, and as far as I know, those operations have been shut down

        Who told you that these operations have been shut down? Guess what they did?

    • The Lavabit route (Score:4, Interesting)

      by tepples ( 727027 ) <tepples@gmai3.14159l.com minus pi> on Tuesday November 10, 2015 @09:30AM (#50900421) Homepage Journal

      Since you can't disclose it, what can you do?

      Does discontinuing a service entirely, as Lavabit did [wikipedia.org], constitute "disclosing it"? Or does this bill allow the government to force a private British citizen to provide a service to the public against his will?

  • by Coisiche ( 2000870 ) on Tuesday November 10, 2015 @06:27AM (#50899635)

    The clause about penalising those who reveal the existence of backdoors created for use by British security service surveillance is classic upper class twat thinking... "If we don't tell anyone it exists then no-one will find it, tee hee". Problem is there is a world full of people smarter than them that will find the backdoors easily.

    • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Tuesday November 10, 2015 @06:39AM (#50899661) Homepage Journal

      The clause about penalising those who reveal the existence of backdoors created for use by British security service surveillance is classic upper class twat thinking... "If we don't tell anyone it exists then no-one will find it, tee hee". Problem is there is a world full of people smarter than them that will find the backdoors easily.

      Your problem is that you assume that you're smarter than these people because they do things which are harmful to the citizenry. That's stupid. They're doing this shit on purpose. They have no illusions about being able to hide the back doors from malicious actors. They don't care about the fallout! They only want to stifle dissent, like any well-heeled fascist. If they make it illegal to talk about the back doors, then many people won't talk about them, and the full extent of the problem will be hidden from the masses. They aren't trying to avoid people discovering the back doors. They're trying to keep the masses of asses complacent.

      They are, of course, succeeding. You're glad they took your guns away. Next you'll be happy when they ban large chef's knives.

      • by Anonymous Coward

        "You're glad they took your guns away."
        You got that right.

      • "Next you'll be happy when they ban large chef's knives."

        The UK already has knife control. In fact, it is technically illegal to carry around any object, such as a flashlight or a cricket bat, that could be used as a weapon depending on the situation at a given time.

        • by Cederic ( 9623 )

          Joyfully it's also legal to carry around a rifle while you have a large knife on your belt.

          It's all down to circumstances.

    • by jeremyp ( 130771 ) on Tuesday November 10, 2015 @07:05AM (#50899731) Homepage Journal

      That's not the point at all. It's not about keeping the backdoors secret but about stopping people from advertising that they exist. Companies like Apple and Google and Facebook and even the BBC would comply with the request to put back doors in but they would put a notice on the log in screen (for British customers only) along the lines of

              "Although we respect your privacy, be aware that, by order of the British Government we have to make your data available to them on request".

      There's nothing like having a reminder every time you use Facebook, that your own government wants to snoop on you for driving up opposition.

      • Because legal ramifications stopped Edward Snowden, right?

        Nevermind the fact that in today's world, everyone everywhere is constantly looking at things for bugs, vulnerabilities, exploits, and once you're discovered, the game is up. You either have to patch the backdoor, rendering it useless, or anyone will be able to use it. You can't make it "just for us 'good' guys." (And of course, that's leaving aside the fact that it's highly problematic to be granting unchecked spying powers to domestic agencies,
      • by AmiMoJo ( 196126 )

        How would a multinational company even comply with this? Most of Google's services are not developed by Google's UK staff, or managed by them. If they tried to insert a backdoor it's likely that staff in the US would notice pretty quickly and kick up a fuss. UK law can't silence them.

        For example, Android OS updates and security fixes are managed by Google in the US. If the UK arm suddenly requested that they take that function over, but with no explanation as to why, it would be suspicious to say the least.

        • You develop versions for each country you sell in, which the local subsidiaries. Might create a whole market for "offshore electronics..."

          We are in trouble if these government overreaches are not stopped. Don't have much hope personally though.

    • by AHuxley ( 892839 )
      re " "If we don't tell anyone it exists then no-one will find it, tee hee""
      The UK got access to most embassies in Europe in the 1920's-30's, Enigma, all French diplomatic communications after 1945 into the 1960's, almost all trusted export crypto used globally until the 1980's. More is now understood thanks to whistleblowers.
      It worked because nobody was smart enough to look or had the ability to openly publish Western crypto findings. No book, magazine, newspaper would really consider the story interest
  • So they will be enforcing "security by obscurity" ?
    • Yes, only it is illegal to even discover the backdoors. This is great for security firms. Those firms are of course not notified of the backdoors, but it will be illegal to report those malicious pieces of code. Unless they are programmed by a non-government criminal, in which case it is their job to disclose them. Nice!
      • Re:Huh (Score:4, Informative)

        by Tomahawk ( 1343 ) on Tuesday November 10, 2015 @08:23AM (#50899971) Homepage

        Only if they are in the UK. Every other country can find and tell everyone about the backdoors as they are not bound by UK law.

        • I wonder: If someone from outside the UK found and reported a backdoor used by the UK government, could a UK security firm repeat this report in any way (since it has now been disclosed)? Or would that get them in trouble too? Either way, could they tell colleagues outside of the UK "hey, want to see something interesting, look over there" (i.e. not saying where/what the backdoor is but pointing their colleagues in the right direction) without getting in trouble?

          • Yes: although there have been attempts to prevent publication in the UK of facts 'revealed' in another country, the government has usually ended up taking the pragmatic approach and back down - if it is out overseas, then it is OK to publish in the UK -- but often only after quite some delay.

        • by pla ( 258480 )
          Only if they are in the UK. Every other country can find and tell everyone about the backdoors as they are not bound by UK law.

          Yet another reason to run Antivir or Kaspersky or ESET.

          It strikes me as sublimely ironic that the realities of the current international political landscape make it far, far safer for most of us to run software from a country with a government antagonistic to my own - Sure, it no doubt still contains malware friendly to Germany or Russia or Slovakia, but those governments ha
  • by serviscope_minor ( 664417 ) on Tuesday November 10, 2015 @06:39AM (#50899665) Journal

    Ooh it's all OK then. It'll only happen if the home secretary thinks it's "reasonable". Good job we don't have a party independent constitution which guarantees there's always a hard line nutcase as home secretary.

    The answer of "is it reasonable according to the home secretary" is always a resounding "yes", with a side order of "fuck you, proles".

  • Shortsighted law (Score:5, Insightful)

    by wienerschnizzel ( 1409447 ) on Tuesday November 10, 2015 @06:56AM (#50899719)

    So what happens if the backdoor leads to a different criminal offence - such as leaking of the medical records of millions of citizens? Will the company be allowed to disclose that the vulnerability has been introduced to comply with another law? Can the company be held liable for the consequences?

  • by shabble ( 90296 ) <metnysr_slashdot@shabble.co.uk> on Tuesday November 10, 2015 @07:20AM (#50899773)

    Professor of journalism at City University Heather Brook writes at the Gaurdian

    Someone's misspelt Grauniad [urbandictionary.com].

  • by nospam007 ( 722110 ) * on Tuesday November 10, 2015 @07:31AM (#50899803)

    One can only hope that they will leave the EU, the sooner, the better.

    • Re: (Score:1, Flamebait)

      by Tomahawk ( 1343 )

      Well, if they stay in the EU, and the EU decide to come up with a completely different set of conflicting laws, they may be obliged to change their laws to match that of the EU.
      By leaving the EU, any protection the EU can give to its citizens goes away. And the EU are very big on personal privacy.

      By leaving the EU, UK citizens would likely be worse off.

      Unfortunately for them, they probably don't think that way - saving the pound* is probably more important to most of them. *sigh*

      * Many will say that the poun

      • by AmiMoJo ( 196126 )

        Yeah, sorry Europe, we know we are being tawts but we need to stay in because the ECHR is the only thing that stops us descending into an East Germany style paranoia fuelled police state.

  • Catch-22? (Score:4, Insightful)

    by NetAlien ( 2855345 ) on Tuesday November 10, 2015 @07:32AM (#50899807)
    Does this prevent an implementer from disclosing it to the agency itself? "The Investigatory Powers Bill would also make it a criminal offense, punishable with up to 12 months in prison and/or a fine, for anyone involved to reveal the existence of those backdoors, in any circumstances (Section 190(8).)"
  • by account_deleted ( 4530225 ) on Tuesday November 10, 2015 @07:55AM (#50899857)
    Comment removed based on user account deletion
  • They did that when they voted for these people. Five more years... Enjoy

  • by Tomahawk ( 1343 ) on Tuesday November 10, 2015 @08:03AM (#50899883) Homepage

    When I was studying IT Security and encryption, one of the things that came up a lot was that you should always assume the process of the encryption is known [as well as some of the text of the message]. Typically it's because the encryption process is a standard (AES, for example). Security through obscurity doesn't exist. And it's far easier to keep a key secret than an algorithm (or source code).

    So if the UK are trying to ensure that a backdoor exists in any encryption method created, then EVERYONE IS GOING TO KNOW ABOUT IT! It will be impossible to keep the existence of a backdoor secret. They may have a 12 month sentence for anyone who leaks this information, but you have to assume that it will be leaked, and you have to assume that everyone (who wants to) will know how it works.

    This, then, leads to the problem of how to implement such a backdoor in such a way that only one group can use it but everyone else can't -- simply, impossible.

    This reminds me of one of the major flaws of Enigma (that a character can't be encoded as itself) that was insisted upon by people who didn't really understand encryption - a flaw that was, in a large part, responsible for helping to break the Enigma codes.
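
The Enigma property mentioned in the comment above (no letter ever enciphers to itself) lets an analyst rule out positions for a guessed plaintext word. This is an added example, not part of the original comment: the one-rotor `toy_enigma` machine, the sample message and all function names are constructed for illustration. The wiring strings are the commonly published rotor I and reflector B tables, but any rotor permutation combined with a letter-pairing reflector behaves the same way.

```python
from __future__ import annotations

import string

ALPHABET = string.ascii_uppercase
# Wiring tables as commonly published for Enigma rotor I and reflector B.
# The reflector pairs letters (A<->Y, B<->R, ...), so it has no fixed point.
ROTOR = "EKMFLGDQVZNTOWYHXUSPAIBRCJ"
REFLECTOR = "YRUHQSLDPXNGOKMIEBFZCWVJAT"


def letters_only(text: str) -> str:
    """Upper-case the text and drop everything that is not A-Z."""
    return "".join(c for c in text.upper() if c in ALPHABET)


def toy_enigma(text: str, start: int = 0) -> str:
    """Simplified one-rotor machine (assumption: no plugboard, one rotor).

    Each letter goes rotor -> reflector -> rotor backwards, and the rotor
    steps before every letter. Because the signal is reflected, the mapping
    at every step is its own inverse and never maps a letter to itself.
    """
    out = []
    for step, ch in enumerate(letters_only(text), start=start + 1):
        k = step % 26  # current rotor offset
        i = (ALPHABET.index(ROTOR[(ALPHABET.index(ch) + k) % 26]) - k) % 26
        i = ALPHABET.index(REFLECTOR[i])
        i = (ROTOR.index(ALPHABET[(i + k) % 26]) - k) % 26
        out.append(ALPHABET[i])
    return "".join(out)


def crib_offsets(ciphertext: str, crib: str) -> list[int]:
    """Return every offset where the crib could sit under the ciphertext.

    An offset is impossible as soon as one crib letter lines up with the
    same ciphertext letter, since the machine cannot produce that.
    """
    ct, guess = letters_only(ciphertext), letters_only(crib)
    survivors = []
    for offset in range(len(ct) - len(guess) + 1):
        window = ct[offset:offset + len(guess)]
        if all(c != p for c, p in zip(window, guess)):
            survivors.append(offset)
    return survivors


def summarise(plaintext: str, crib: str) -> dict:
    """Encrypt a message, then show how far the crib test narrows the search."""
    ct = toy_enigma(plaintext)
    return {
        "ciphertext": ct,
        "alignments": len(ct) - len(letters_only(crib)) + 1,
        "candidates": crib_offsets(ct, crib),
        "true_offset": letters_only(plaintext).find(letters_only(crib)),
    }


if __name__ == "__main__":
    # Constructed sample message and guessed word.
    result = summarise("WEATHER REPORT FOR THE CHANNEL IS CALM", "REPORT")
    print(result["ciphertext"])
    print("alignments tried :", result["alignments"])
    print("still possible   :", result["candidates"])
    print("true position    :", result["true_offset"])
```

The true position always survives the filter, while every alignment with a single letter clash is discarded without knowing anything about the key.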

    • by AmiMoJo ( 196126 ) on Tuesday November 10, 2015 @08:44AM (#50900081) Homepage Journal

      They may have a 12 month sentence for anyone who leaks this information, but you have to assume that it will be leaked, and you have to assume that everyone (who wants to) will know how it works.

      Even if it isn't leaked, chances are someone will find it. People are constantly looking for backdoors left in for debugging or by nefarious companies/governments, or for flaws that can be exploited. It's probably worse than 50/50 that the person discovering the problem will make it public rather than just selling it on the black market, or giving it to their employer (e.g. foreign security services).

      This creates a huge problem for companies that are forced to create backdoors. When discovered will they be able to patch it immediately? Maybe the reason why some companies take months to fix problems is because GCHQ/NSA won't let them fix it. Will they be compensated for the reputational damage? If it's a security focused company a backdoor could destroy them.

      Tech companies really need to move to another EU country where they will be safe from having their business destroyed overnight on the whims of a clueless Home Secretary.

    • I don't think they have any backdoors in the encryption itself in mind. They're thinking about particular implementations. Suppose, for instance, you make an encryption program. They will either force you to give them the source code so they can compile a backdoor version themselves or 'ask' you to put a backdoor in it. The backdoor will most likely be some key escrow. Unless it's made transparent in the first place, it's hard to detect this from the outside in an executable without extensive reverse engine

  • by Anonymous Coward on Tuesday November 10, 2015 @08:21AM (#50899961)

    They demand a back door -- you make it. They ask what it is, you say you are in compliance with the law and cannot disclose any information.

    WIN!

  • by DanJ_UK ( 980165 ) * on Tuesday November 10, 2015 @09:19AM (#50900321) Homepage
    Yes, I and, several other British overlords are taking some serious consideration to moving to Amsterdam or Berlin, for good.

    This is after the impending EU referendum which, anyone with a brain will be voting against so that we can actually stay in Europe.
    • Yes, I and, several other British overlords are taking some serious consideration to moving to Amsterdam or Berlin, for good.

      Berlin? Isn't that the city famous in this age primarily for that wall that only came down just recently? History, it's not just for boring schoolkids with any more

      • by DanJ_UK ( 980165 ) *
        Berlin, isn't that one of the most culturally diverse and liberal cities in the whole of Europe now? Have you ever travelled out of the US?

        I'm not sure what the relevance of your comment was, nor what the intention of it was but if you haven't been to Berlin, you should go, it's fantastic.
  • ... of the backdoor can easily be done off the record, so there is no paper trail identifying one specific individual, ensuring that nobody goes to jail, or who specifically to issue a fine to. You can't even necessarily fine the company, because as far as anyone may know, the back door's existence was discovered by somebody outside of the company, and could have even been announced to incriminate them, unless you also make it illegal for companies to make software that might get reverse engineered by som

  • I once wanted to go to Australia, NZ and Scotland. No more. Every time I think they can't slide further into the abyss they do. Heck I don't even want to go to Canada any more.

  • "We have not been instructed by HM Government to put any back doors in our software."

  • What we need are Google, Apple, Facebook, Twitter and other companies in the communication business cease all operations in Great Britain when this (or similar legislation) passes.

    Let the people of the UK deal with the government when Apple, Google, Facebook, Twitter, etc. stop doing business with them because of this law. If suddenly the people of England couldn't buy a smart phone, update their status, or tweet their latest selfie because of the government, they would take to the streets and they would ha

    • by gweihir ( 88907 )

      Ultimately, that is the only option. Conversely, any product that is still available in the UK after this law passes has to be regarded as compromised.

  • We set up a public database where companies can register the fact that they are not creating any backdoors. This registration has to be renewed each year. This registration is not illegal - it simply informs the public that the government has not made any special demands, which is perfectly lawful.

    Of course, if the government does make any special demands, the company cannot register the lack of backdoors anymore, and the registration will automatically be removed from the database. From that point we know

  • If they cannot get mobile phones, network equipment, computer OSes, etc., they may notice how utterly stupid they have become. Then, maybe not.
