
Encryption Backdoor Sneaks Into UK Law (theregister.co.uk) 137

Coisiche found a disturbing article from The Register about the U.K.'s new "Snoopers' Charter" law that has implications for tech companies around the world: Among the many unpleasant things in the Investigatory Powers Act that was officially signed into law this week, one that has not gained as much attention is the apparent ability for the U.K. government to undermine encryption and demand surveillance backdoors... As per the final wording of the law, comms providers on the receiving end of a "technical capacity notice" will be obliged to do various things on demand for government snoops -- such as disclosing details of any system upgrades and removing "electronic protection" on encrypted communications. Thus, by "technical capability," the government really means backdoors and deliberate security weaknesses so citizens' encrypted online activities can be intercepted, deciphered and monitored... At the end of the day, will the U.K. security services be able to read your email, your messages, your posts and private tweets, and your communications if they believe you pose a threat to national security? Yes, they will.
The bill added the Secretaries of State as a required signatory to the "technical capacity" notices, which "introduces a minor choke-point and a degree of accountability." But the article argues the law ultimately anticipates the breaking of encryption, and without customer notification. "The U.K. government can certainly insist that a company not based in the U.K. carry out its orders -- that situation is specifically included in the new law -- but as to whether it can realistically impose such a requirement, well, that will come down to how far those companies are willing to push back and how much they are willing to walk away from the U.K. market."
  • They never learn (Score:5, Informative)

    by volodymyrbiryuk ( 4780959 ) on Saturday December 03, 2016 @11:45AM (#53415277)
    These backdoors will be exploited by criminals. Hopefully IT companies won't comply to this madness.
    • by mSparks43 ( 757109 ) on Saturday December 03, 2016 @02:05PM (#53415929) Homepage Journal

      You mean someone other than the people who work in the UK government, like that bunch of criminals isn't enough?

      More importantly I suspect this will quite quickly drive many large businesses out of London. Those companies rely on their secrets, the prospect of any bored intern "with their heart in the right place" being able to send their every dirty secret to the Daily Mail almost certainly will guarantee those already concerned by Brexit relocate their offices sharpish.

      • These backdoors will be exploited by criminals. Hopefully IT companies won't comply to this madness.

        You mean someone other than the people who work in the UK government, like that bunch of criminals isn't enough?

        More importantly I suspect this will quite quickly drive many large businesses out of London. Those companies rely on their secrets, the prospect of any bored intern "with their heart in the right place" being able to send their every dirty secret to the Daily Mail almost certainly will guarantee those already concerned by Brexit relocate their offices sharpish.

        Relax boys, it's all being done in the name of freedom.

    • by rtb61 ( 674572 )

      So exactly how does one force a back door into FOSS software, ban it?

      • by AHuxley ( 892839 )
        The telco access, the court document that first allowed your ISP to log you. That would be the national record of interest to anyone looking.
        The UK has a long history of court and police data walking.
        "Journalists caught on tape in police bugging" ( 21 September 2002)
        https://www.theguardian.com/uk... [theguardian.com]
        Beyond that if you're of interest to the GCHQ or NSA, expect some device or OS (hardware or software) on your network to be altered to log any password used or entered.
        Any new hardware bought online might b
    • These backdoors will be exploited by criminals. Hopefully IT companies won't comply to this madness.

      No more on-line banking ever more as you know it. If the government can get the decryption capability, so can the criminals.
      Not only that, dare you to use your credit/debit card at any retailer. WOW,

  • by BoRegardless ( 721219 ) on Saturday December 03, 2016 @11:52AM (#53415323)

    The government wants back doors on demand, but sooner or later a government worker will see the opportunity to sell the details ...

    And he then retires.

    • by Dunbal ( 464142 ) *
      In prison. Although the damage will still be done.
      • by johanw ( 1001493 )

        In prison? Only if he isn't smart enough to be outside the UK when he releases the documents. He could keep Snowden company for example.

        • by Dunbal ( 464142 ) *
          If he was smart, he wouldn't break the law in the first place. Criminals think they won't get caught.
    • Does this not make the government an accessory before the fact. An inciter of said crime.
      • And?

        Crown immunity, mate.

        One of the reasons that some people want Britain to leave Europe, and one of the reasons that some people want to leave Britain for Europe.

    • The government wants back doors on demand, but sooner or later a government worker will see the opportunity to sell the details ...

      And he then retires.

      Is it not possible that the government employee was already paid off by insuring this potential security breach gets into law?

      I am a security freak. Being a retired senior (65+) I get free banking in Canada. I have two bank accounts and I use one for holding an amount to cover credit card purchases, and of course my credit card fallback goes against that bank account.

      This new law allows every institution's encryption security to be handed over to the government along with test cases. So much for pri

  • For added fun. (Score:5, Insightful)

    by queazocotal ( 915608 ) on Saturday December 03, 2016 @11:54AM (#53415339)

    The term used 'relevant provider' - if you dig through the definitions is only defined as 'a person who provides a postal or telecommunications service' - which is broad enough to cover basically anything from someone running a wifi hotspot on to a massive ISP.
    It can also plausibly be read as software vendors - including open source ones resident in the UK (or for who it is considered reasonable to compel even though they are outside the uk).
    This is UK primary legislation - it has theoretically been scrutinised by both houses of parliament.
    The actual enabling secondary legislation - that specifies how all this works and lets us understand how bad it is will just go through on the nod.

    • It can also plausibly be read as software vendors - including open source ones resident in the UK (or for who it is considered reasonable to compel even though they are outside the uk).

      Better encryption will just have to be anonymously created and maintained. But, once again, our dependence on the ISP for service makes all that moot when they engage in deep packet inspection and block and report all unauthorized protocols traveling through their wire. The only long term solution will be P2P ad hoc networkin

      • P2P ad-hoc doesn't really work. Mesh has various spectral problems - there isn't enough free legal spectrum.
        In addition, without a central operator, everyone has the opportunity to cheat, and use more of the bandwidth for their traffic than is fair.
        This, and bottlenecking due to random distribution of nodes means it basically can't work unless the P2P/mesh is over a very short distance of a few nodes only and it then hops off to the 'proper' internet.

        • P2P ad-hoc doesn't really work.

          So it's hopeless then? Should we just put our hands up, and say *We surrender*? I, for one, would love to know what would work. Personally I see the latency, bandwidth, jamming issue as a temporary one. Obstructions are meant to be overcome. Let's use any and all means available, and let the authoritarians weep.

          • In principle, something that can transmit text messages is doable.
            If you want a 'internet' that looks like the current one without centralised bodies, you need links between nodes that are many thousands of times faster than the desired peak per-user bandwidth.
            This is for the obvious reason that you'll need thousands of hops in order to get to the next state, never mind the next country.
            If those nodes all want to use the internet, then the amount of bandwidth you get per node is (simplistically) (1/number o

  • by Alain Williams ( 2972 ) <addw@phcomp.co.uk> on Saturday December 03, 2016 @11:56AM (#53415347) Homepage

    will be for law abiding citizens and low grade criminals/terrorists/... The real bad boys will know how to and will use good encryption. But then I can't see that the food standards agency [independent.co.uk] would be interested in real, hard, nasty people. This is why people are calling Theresa May the Pry Minister.

    • will be for law abiding citizens and low grade criminals/terrorists/... The real bad boys will know how to and will use good encryption. But then I can't see that the food standards agency [independent.co.uk] would be interested in real, hard, nasty people. This is why people are calling Theresa May the Pry Minister.

      Oh, I think they are calling her way worse names than that.

    • I wrote a letter to my MP, which was forwarded to some minister, who replied with the usual political "don't think it's right criminals and terrorists can communicate in secret" lines, saying that they do not intend to prevent people using strong cryptography (oblivious to the contradictions in what he wrote), and essentially the whole point, that end-to-end encrypted messaging can be achieved by anybody with a LAMP stack online somewhere and a couple of hours to write a few hundred lines of PHP, JavaScript and HTML (using cryptojs). We have a government of technologically clueless idiots.

    • by AmiMoJo ( 196126 )

      The really bad guys don't even bother. All the recent terror attacks have one thing in common: they didn't bother much with encryption.

      That's why governments want these laws. They think they will be able to spot these attacks. They are wrong, they will be overwhelmed with data and the bad guys will quickly start encrypting, along with everyone else. The damage done to the economy will be difficult to measure, but significant.

      • by Maritz ( 1829006 )

        That's why governments want these laws. They think they will be able to spot these attacks.

        No. They want the laws because it enshrines them in power and gives them blackmail opportunities. The 'terrorism' bit is a convenient excuse and nothing more. They do not want to stop terrorist attacks at all.

    • by johanw ( 1001493 )

      Everyone could download Signal, and if that would be blocked switch to a VPN or to Silence, which uses SMS encryption.

      • by AHuxley ( 892839 )
        The security services would have dedicated efforts on any trending app.
        VPN use does not pose any issues to the GCHQ. It even makes the more interesting people more easy to find on any UK network :)
        • by Maritz ( 1829006 )
          Yeah the GCHQ are godlike entities who can factor any large prime you care to mention. Spastic.
    • by AHuxley ( 892839 )
      They will just revert to the trusted networks of the 1950-80's. A holiday, tour, massive flow of illegal migrants, students, study trip or part of the jet set. Takes a few days or weeks for the round trip but no calls, voices or computer needed. MI6 or the CIA might get a photo of a meeting but if nothing is said and no later digital files exist...
      The security service contractors sold the UK that every interesting person, group cult, faith, political party, criminal would always talk on the phone (voic
    • by Maritz ( 1829006 )

      Bear in mind, the cunts who are doing all this (Tories) are about 15 percentage points ahead in the polls.

      Yeah, the British actually are that stupid.

  • by PPH ( 736903 ) on Saturday December 03, 2016 @11:59AM (#53415361)

    You can badger my comms provider all you want. They don't have access to my keys or software.

    • by Anonymous Coward
      Maybe everybody in the UK will be required to run a Bundestrojaner type setup that will snarf all their keys on demand. Protected with Trusted Computing, naturally. All you need is some creative interpretation of "relevant provider" so that the end user is a relevant provider of the E2E crypto.
    • by Anonymous Coward

      So long as the end of your end-to-end encryption doesn't end in the UK from a "service provider". We have crept back towards a centralised model for everything from email and spreadsheets to code hosting. Next step is to put the internet back into the hands of the users with decentralised tech... Funny thing is hard transformative change only tends to come about in situations like this, that that's the upshot :)

      • by presidenteloco ( 659168 ) on Saturday December 03, 2016 @12:30PM (#53415475)

        this

        the challenge is to make truly decentralised versions of Internet communications technology popular and easy to use, therefore adopted widely. ...and to do this quickly, so decentral tech can be well established before governments try to make decentral and personally owned comms and encryption technology illegal.

    • What will your solution be when your comm provider blocks "illegal" encryption?

      • by Pieroxy ( 222434 ) on Saturday December 03, 2016 @12:48PM (#53415553) Homepage

        What will your solution be when your comm provider blocks "illegal" encryption?

        Use steganography. If they believe it's not encrypted, they'll let it go through.

        • Security through obscurity, yeah, I guess that could work. Might not do much against traffic analysis though. I still would rather see some form of independence from the ISP where we can broadcast and receive without anybody knowing where the signal is going. You know, radio...

          All trends indicate a general move towards authoritarianism the world wide. Only technology can protect us from majority opinion in that direction.

          • by fnj ( 64210 )

            No, you miss the point utterly. Steganography HIDES the data so the bastards won't know it is there. You still encrypt the data, though.

            • by lgw ( 121541 )

              No, he's right. Steganography attempts to hide, but it doesn't do it well. TOR has been trying for years to sneak traffic through the great firewall, but it's a losing battle, and China has mostly won at this point. There always seems to be a statistical difference between hidden data and the normal data you're trying to hide in.

              • The Chinese system (and now the UK's) does not overly concern itself with ensuring every possible route through the Great Firewall is blocked--after all, geniuses gonna be ingenious. It merely suffices that the overwhelming majority cannot do this easily, and the technically adept live in fear of the consequences of their clearly pre-meditated actions. The censorship, and the chilling effect, is in the general drag; no need to close down every last loophole.
                If John Allsup is right above, all that is require

                • by lgw ( 121541 )

                  If you look at the math of it, it's not clear that steganography can actually work securely; rather, it can increase the difficulty of detecting your signal.

                  The lower the proportional bandwidth of your hidden signal to the carrier, the more work it will take someone to spot that. But if you're in a totalitarian state, and so you have to be right every time and the state only has to get lucky once, then it's not so reassuring.

                  Plus, you have to have a believable reason for the carrier. You have to hide your

            • Steganography HIDES the data so the bastards won't know it is there.

              That's kinda what "security through obscurity" is, like hiding the key (to the first door) under the doormat.

          • by Pieroxy ( 222434 )

            Steganography and "security through obscurity" aren't the same thing at all...

      • Pluggable transports [torproject.org] to the rescue.
    • That's alright, the provider of your OS will be compelled to "update" your machine to provide them your code keys.
    • Re: (Score:3, Informative)

      by Anonymous Coward

      They can then just come knocking and ask for the keys. Already before this legislation they could imprison (indefinitely?) the one who refuses to give their keys on request.

      • by PPH ( 736903 )

        They can then just come knocking and ask for the keys.

        At least I'll know exactly when that particular communications channel becomes insecure.

      • by johanw ( 1001493 ) on Saturday December 03, 2016 @05:13PM (#53416713)

        That may work in a PGP-like setup but is completely useless when dealing with perfect forward secrecy like Signal uses. I don't HAVE the key for the past messages anymore, and if I deleted the messages NO ONE can decrypt them anymore.
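
The contrast drawn in the comment above, as an added example that is not part of the original thread or of Signal's code: a static key handed over later opens every past message, while a one-way key chain whose old keys were deleted does not. The chain shown is only the symmetric half of a ratchet, and `seal`/`unseal` are a hypothetical toy encrypt-then-MAC construction standing in for a real AEAD.

```python
import hashlib
import hmac
import os
from typing import List, Optional


def kdf(key: bytes, label: bytes) -> bytes:
    """One-way step: knowing the output does not reveal `key`."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, length: int) -> bytes:
    blocks = (kdf(enc_key, i.to_bytes(4, "big")) for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC (stand-in for a real AEAD, illustration only)."""
    enc_key, mac_key = kdf(key, b"enc"), kdf(key, b"mac")
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, len(plaintext))))
    return body + kdf(mac_key, body)


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if `key` is not the key that sealed `blob`."""
    body, tag = blob[:-32], blob[-32:]
    enc_key, mac_key = kdf(key, b"enc"), kdf(key, b"mac")
    if not hmac.compare_digest(tag, kdf(mac_key, body)):
        return None
    return bytes(c ^ s for c, s in zip(body, _keystream(enc_key, len(body))))


class Ratchet:
    """Symmetric key chain: each message key is used once, then the chain moves on."""

    def __init__(self, chain_key: bytes):
        self.chain_key = chain_key

    def next_message_key(self) -> bytes:
        message_key = kdf(self.chain_key, b"\x01")
        # Overwrite the chain key; the previous value is gone for good.
        self.chain_key = kdf(self.chain_key, b"\x02")
        return message_key


def try_keys(keys: List[bytes], blob: bytes) -> Optional[bytes]:
    """What a party holding `keys` can recover from a stored ciphertext."""
    for key in keys:
        plaintext = unseal(key, blob)
        if plaintext is not None:
            return plaintext
    return None


def demo() -> dict:
    messages = [b"msg one", b"msg two", b"msg three"]  # constructed sample data

    # PGP-like setup: one long-lived key protects every message.
    static_key = os.urandom(32)
    static_ct = [seal(static_key, m) for m in messages]

    # Ratcheted setup: both ends start from a shared secret and step in lockstep.
    shared = os.urandom(32)
    sender, receiver = Ratchet(shared), Ratchet(shared)
    del shared
    ratchet_ct = [seal(sender.next_message_key(), m) for m in messages]
    received = [unseal(receiver.next_message_key(), c) for c in ratchet_ct]

    # A key demand arrives now. All the receiver still holds is the current
    # chain key; whoever gets it can also derive every *later* key from it.
    seized = receiver.chain_key
    probe = Ratchet(seized)
    derivable = [seized] + [probe.next_message_key() for _ in range(8)]

    future_ct = seal(sender.next_message_key(), b"sent after seizure")
    return {
        "received": received,
        "static_past": [try_keys([static_key], c) for c in static_ct],
        "ratchet_past": [try_keys(derivable, c) for c in ratchet_ct],
        # The bare chain protects the past only; it does not heal afterwards.
        "ratchet_future": try_keys(derivable, future_ct),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Past ciphertexts stay sealed only because the old chain keys and message keys were actually erased; keeping decrypted copies of the messages themselves defeats the property regardless of the key schedule.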

    • by Anonymous Coward

      Then you go to jail for not using approved encryption. Even if all you do is send your grocery list to your wife.

    • by AHuxley ( 892839 )
      The use of working encryption will be something the GCHQ will find as all other messages resolve to plain text thanks to UK and US vendor cooperation.
      Junk US and UK encryption will be on most of the normal OS devices and systems.
      Most of the IM services are logged or the surrounding OS is full of trapdoors and backdoors.
      They will then look at the surrounding software and hardware to see what could log input. Remote code update for your UK telco approved phone.
      If it's really bespoke some extra gov hardwar
  • if some big tech companies would leave the U.K. market because of that. But of course it wouldn't go well with the shareholders. :D

    • by AHuxley ( 892839 )
      Every device in the UK would have a trap door or back door for the security services. Anyone interesting would register a few cheap junk UK devices and give them to family, boring friends and have them be interesting all day, everyday :) Recharge the batteries every night and be ready for a few road trips next day.
      Any mic that got activated would get hours of being in an empty parked car, a university lecture or work gossip every day, repetitive music or video game soundtracks. Fun for all the new transl
  • ... the difference between innocent content and encrypted content that uses steganography to appear innocent?
    • by AHuxley ( 892839 )
      Any US or UK brand will help so any tame OS, telco brand encryption will revert to plain text.
      If it does not revert as expected someone has found, been given or feels the need to use real crypto and it's time to access their computer, device and capture keystrokes.
      If that fails, get a logger into the keyboard or telco device as hardware or an upgrade.
      Any new device ordered online and being delivered is open to security service upgrades during shipment.
  • by sinij ( 911942 ) on Saturday December 03, 2016 @12:18PM (#53415435)
    This will lead to "UK import grade cryptography", where the rest of the world will have security, and UK will have back doors they wanted so badly. Plus, thanks to Brexit it isn't like they are that big of a market.

    Here comes UK_1DES and Dual_UK_DRBG.
    • and China and Russia and probably all of the Islamic countries, plus let's not forget Best Korea (grin).

      there are a lot that feel its their right to snoop on other people's comms.

      personally, I think this is a right that all people have, to comm in private and with NO one spying. period. full stop. ends never justifies this. I know I'm extreme on this but better this extreme than middle or moderate on the other way.

      I used to travel to the UK regularly. I have not been in well over 15 years and have no pl

      • I used to travel to the UK regularly. I have not been in well over 15 years and have no plans to ever visit the UK again. sad, as it was a nice place, once (at least to a visitor). now, I'd avoid going there unless 100% necessary. and so far, no travel has ever come up to be 100% necessary.

        That's funny - in a sad way - because I live in Britain and I feel exactly the same way about going to the USA. In the 1930s my parents - both teachers of French and German - used to visit Germany regularly every summer. I'm not as brave as they were - or perhaps I have benefit of hindsight.

        • by Anonymous Coward

          The two options left are to emigrate to a country that understands the dangers of compromising cryptography and personal rights, or create a country that will, through legal or extralegal means.

          The opportunities to do either are dwindling with every day. The US for instance now requires thousands of dollars in fees to even have the opportunity to renounce your citizenship, and I imagine other countries will soon follow America's Shining Example(TM) and find new ways to keep their citizens from leaving while

          • by fnj ( 64210 )

            But it is very very difficult to win permanent residence in Switzerland - let alone citizenship. And the cost of living is exceedingly high.

          • by anarcobra ( 1551067 ) on Saturday December 03, 2016 @06:27PM (#53416969)
            There is a third option.
            Move to a third world country where the government doesn't have the resources to waste on this kind of shit.
            • by Rakarra ( 112805 )

              There is a third option.
              Move to a third world country where the government doesn't have the resources to waste on this kind of shit.

              The problem is third world countries tend to be stomping grounds for the 1st and 2nd world countries.

    • Re: (Score:3, Informative)

      It's already here: Enter the CESG's very own MIKEY SAKKE: http://www.theregister.co.uk/2016/02/04/gchq_voice_encryption/ [theregister.co.uk]

      UK Government-approved(TM) encryption. The backdoor isn't a backdoor, because the Gov says it isn't.

      Here https://www.ncsc.gov.uk/articles/development-mikey-sakke [ncsc.gov.uk] is the take from the National Cyber Security Centre.

  • by 101percent ( 589072 ) on Saturday December 03, 2016 @12:33PM (#53415497)
    It's gonna be perfectly legal for Amazon to sell you that DRM encrypted book that you cannot decrypt.
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      You mean like Apple DRM that locks you out of your legal audio library after an OS update until you authenticate yourself again via apple.com? How about Steam DRM, Sony DRM, Microsoft DRM, Adobe DRM, Oracle DRM, IBM DRM? Fsckwit. Let's add Samsung, LG and Sony HDTVs that call home as soon as you turn them on and disable network functionality when the mothership cannot be contacted. And you're worried about a trivial DRM in text files that has been breakable for years? Dumbass.

      Circumventing DRM is illegal an

  • by Archtech ( 159117 ) on Saturday December 03, 2016 @12:59PM (#53415585)

    "At the end of the day, will the U.K. security services be able to read your email, your messages, your posts and private tweets, and your communications if they believe you pose a threat to national security? Yes, they will".

    At the end of the day, will the U.K. security services be able to read your email, your messages, your posts and private tweets, and your communications if they feel like it? Yes, they will.

    FTFY.

    • by fnj ( 64210 )

      Dear UK jackboots: eojhbfgyuhiojopdopfwdfdiodhidoidfuoisdfpoiifdfoddnvdj

      Maybe that means "fuck you, come and get me fuckers".

  • by laughingcoyote ( 762272 ) <barghesthowl.excite@com> on Saturday December 03, 2016 @01:05PM (#53415639) Journal

    You can't put a back door in something, and only have certain people able to walk through it. If there's a vulnerability in the encryption that can be used to crack it by the service provider, someone else can do the same.

    If this were implemented in the UK, it would totally kill Web commerce there. Who's going to put financial details across the Internet when it's as good as sent unencrypted? And if actual encryption is permitted for that purpose, well, then it can be used for any other purpose too.

    I don't know why it's so difficult to understand. If you deliberately make something insecure, then it is, by definition, insecure. If it's designed to be secure, then even the designer can't break in, because if they can, someone else could do the same.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      You can guarantee the industry will respond by pushing the blame onto customers as far and as fast as possible. Once you've got a security weakness in there that you *cannot legally fix* there's basically no other way for companies to respond. Sure, mandate that we all have to make a copy of our keys and leave them with the gubmint - I can guarantee they'll refuse to be held responsible when China or Russia steals ALL of them. That's your problem.

      Fuck it, just take all the security off and we can laugh as t

  • The US and UK are now just copying China. They've seen how people will just accept it and let them do anything they want. Bunch of sheep... The only good thing I see is this will push us even more to create tougher encryption and anonymity tools. Encrypt everything, encrypt it now.
    • Re: (Score:2, Informative)

      by Anonymous Coward

      I love Signal. The desktop/mobile platform is easy enough to get most of my friends on it, even non techies. However, I still have plenty of friends who say "I'm not a criminal, I don't need encryption" ... I have failed to convince them otherwise. Also, Signal is easier than encrypted email, just wish e2e email was easier.

  • Does this law mean a UK user could get thrown in jail for using an encryption scheme for which the government has no backdoor access?

    • Re: (Score:3, Informative)

      by Anonymous Coward

      Does this law mean a UK user could get thrown in jail for using an encryption scheme for which the government has no backdoor access?

      Yes, section 49 of part III of the Regulation of Investigatory Powers act [theregister.co.uk] compels the operator of said encryption to hand over the keys or face prison.

    • by HiThere ( 15173 )

      Anonymously send someone some random binary data. Prosecution win.

    • by AHuxley ( 892839 )
      From a big brand, telco, US OS, consumer product or service who wants to sell in the UK everything will have to revert to plain text, voice or other useful data as sold.
      If the app is secure, the junk OS that it works on will capture what is needed.
      The best tool the security services have is tending apps that are offered as free, secure and have huge amounts of global users built on junk crypto.
      It's hard work to sell against free and to get other users using bespoke working secure solutions.
      Any for sale e
  • Who wants to comply this way?

    1. The user's password works
    2. There's a government backdoor password
    3. If it's a computer located in the .gov.uk domain, there's another backdoor password "admin"

    I'll take my Nobel Peace Prize to go, please...

  • For the rest of the World anyway.

    Let the UK implement their silly backdoor idea and just sit back and wait.

    If a decade goes by without the whole thing being compromised it would impress me.

    See how much it costs them to clean up that mess after someone exploits their newly implemented idea.

    A master key is very convenient, but very insecure. Both digitally and in its original form, the common door lock.

    Though, when I needed to bypass such things ( door locks ) I certainly appreciated it when they made my job

  • Sadly the governments of the world are heading in a non-democratic direction and the masses are gobbling it up. If you want freedom, liberty, security you're not going to be able to live just anywhere. You are going to have to move. There is no other solution that'll work.

    Jason Sorens realized this way back in 2001. He realized the only way that we'll ever be able to secure some level of freedom moving forward is if enough people moved to a prosperous region for the pursuit of it. His essay got a lot of pe

  • ...why don't they mandate that nobody is allowed locks on their back doors? We want the police to be able to sneak in and check up on us in case we're criminals, paedophiles, or terrorists, don't we?
  • by cosmin_c ( 3381765 ) on Sunday December 04, 2016 @01:48AM (#53418515)

    ... is that people who adopted it don't understand really how things work. The moment one installs a backdoor into a program, that can be found and accessed by anyone. And usually the people looking for those are either working for security companies (case in which it isn't that much of a problem, provided those people's ethics are intact) or not - and it's the latter that carries some issues with it.

    I can understand the concern for security, however this exposes everybody, not only people with malicious intent, and it can have effects that ripple beyond getting law enforcement new tools. It can put everybody's data at risk and this means everybody, from large corporations who are using backdoored software to individuals trying to protect their naughty (or not) private pictures.

    I suppose it all boils down to stopping usage of the cloud, storing everything locally with drawer HD and/or optical medium backups, middle fingering iCloud, Dropbox, Google Drive, OneDrive and so on. Losing convenience over gaining safety and security is one way of dealing with the whole issue.

    As for browsing histories and what not, I don't really think people who wish to do harm are googling incriminating stuff or accessing suspect websites, so it's all looking rather pointless. Then again, people give up their data rather easily e.g. to Google for convenience, so the issue lies with educating people. I fear though that when it will become apparent to everybody, it will be too late. People don't realise it now, in the 11th hour, albeit there are strong warnings out there - https://en.wikipedia.org/wiki/... [wikipedia.org]

  • By always encoding small messages into very large bundles it forces them to hire more people to check manually.
    That creates jobs, slows down their progress, increases errors, and fills up their storage.

    They'll just get tired and go away after awhile.