Encryption Backdoor Sneaks Into UK Law (theregister.co.uk) 137
Coisiche found a disturbing article from The Register about the U.K.'s new "Snoopers' Charter" law that has implications for tech companies around the world:
Among the many unpleasant things in the Investigatory Powers Act that was officially signed into law this week, one that has not gained as much attention is the apparent ability for the U.K. government to undermine encryption and demand surveillance backdoors... As per the final wording of the law, comms providers on the receiving end of a "technical capacity notice" will be obliged to do various things on demand for government snoops -- such as disclosing details of any system upgrades and removing "electronic protection" on encrypted communications. Thus, by "technical capability," the government really means backdoors and deliberate security weaknesses so citizens' encrypted online activities can be intercepted, deciphered and monitored... At the end of the day, will the U.K. security services be able to read your email, your messages, your posts and private tweets, and your communications if they believe you pose a threat to national security? Yes, they will.
The bill added the Secretaries of State as a required signatory to the "technical capacity" notices, which "introduces a minor choke-point and a degree of accountability." But the article argues the law ultimately anticipates the breaking of encryption, and without customer notification. "The U.K. government can certainly insist that a company not based in the U.K. carry out its orders -- that situation is specifically included in the new law -- but as to whether it can realistically impose such a requirement, well, that will come down to how far those companies are willing to push back and how much they are willing to walk away from the U.K. market."
The bill added the Secretaries of State as a required signatory to the "technical capacity" notices, which "introduces a minor choke-point and a degree of accountability." But the article argues the law ultimately anticipates the breaking of encryption, and without customer notification. "The U.K. government can certainly insist that a company not based in the U.K. carry out its orders -- that situation is specifically included in the new law -- but as to whether it can realistically impose such a requirement, well, that will come down to how far those companies are willing to push back and how much they are willing to walk away from the U.K. market."
They never learn (Score:5, Informative)
Re:They never learn (Score:5, Insightful)
You mean someone other than the people who work in the uk government, like that bunch of criminals isnt enough?
More importantly I suspect this will quite quickly drive many large businesses out of London. Those companies rely on their secrets, the prospect of any bored intern "with their heart in the right place" being able to send their every dirty secret to the daily mail almost certainly will gaurantee those already concerned by brexit relocate their offices sharpish.
Re: (Score:2)
These backdoors will be exploited by criminals. Hopefully IT companies won't comply to this madness.
You mean someone other than the people who work in the uk government, like that bunch of criminals isnt enough?
More importantly I suspect this will quite quickly drive many large businesses out of London. Those companies rely on their secrets, the prospect of any bored intern "with their heart in the right place" being able to send their every dirty secret to the daily mail almost certainly will gaurantee those already concerned by brexit relocate their offices sharpish.
Relax boys, it's all being done in the name of freedom.
Re: (Score:2)
not sure if I should mod you Funny, Insightful or Troll... =)
Re: (Score:2)
So exactly how does one force a back door into FOSS software, ban it?
Re: (Score:2)
The UK has a long history of court and police data walking.
"Journalists caught on tape in police bugging" ( 21 September 2002)
https://www.theguardian.com/uk... [theguardian.com]
Beyond that if your of interest to the GCHQ or NSA, expect some device or OS (hardware or software) on your network to be altered to log any password used or entered.
Any new hardware bought online might b
Re: (Score:3)
These backdoors will be exploited by criminals. Hopefully IT companies won't comply to this madness.
No more on-line banking ever more as you know it. If the government can get the decryption capability, so can the criminals.
Not only that, dare you to use your credit/debit card at any retailer. WOW,
Opportunity Cost + Retirement Fund (Score:5, Insightful)
The government wants back doors on demand, but sooner or later a government worker will see the opportunity to sell the details ...
And he then retires.
Re: (Score:2)
Re: (Score:2)
In prison? Only if he isn't smart enough to be outside the UK when he releases the documents. He could keep Snowden company for example.
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Crown immunity, mate.
One of the reasons that some people want Britain to leave Europe. and on e of the reasons that some people want to leave Britain for Europe.
Re: (Score:2)
The government wants back doors on demand, but sooner or later a government worker will see the opportunity to sell the details ...
And he then retires.
Is it not possible that the government employee was already paid off by insuring this potential security breach gets into law?
I am a security freak. Being a retired senior (65+) I get free banking in Canada. I have two bank accounts and I use one for holding an amount to cover credit card purchases, and of course my credit card fallback goes against that bank account.
This new law allows every institution's encryption security to be handed over the the government along with test cases. So much for pri
For added fun. (Score:5, Insightful)
The term used 'relevant provider' - if you dig through the definitions is only defined as 'a person who provides a postal or telecommunications service' - which is broad enough to cover basically anything from someone running a wifi hotspot on to a massive ISP.
It can also plausibly be read as software vendors - including open source ones resident in the UK (or for who it is considered reasonable to compel even though they are outside the uk).
This is UK primary legislation - it has theoretically been scrutinised by both houses of parliament.
The actual enabling secondary legislation - that specifies how all this works and lets us understand how bad it is will just go through on the nod.
Re: (Score:2)
It can also plausibly be read as software vendors - including open source ones resident in the UK (or for who it is considered reasonable to compel even though they are outside the uk).
Better encryption will just have to be anonymously created and maintained. But, once again, our dependence on the ISP for service makes all that moot when they engage in deep packet inspection and block and report all unauthorized protocols traveling through their wire. The only long term solution will be P2P ad hoc networkin
Re: (Score:3)
P2P ad-hoc doesn't really work. Mesh has various spectral problems - there isn't enough free legal spectrum.
In addition, without a central operator, everyone has the opportunity to cheat, and use more of the bandwidth for their traffic than is fair.
This, and bottlenecking due to random distribution of nodes means it basically can't work unless the P2P/mesh is over a very short distance of a few nodes only and it then hops off to the 'proper' internet.
Re: (Score:2)
P2P ad-hoc doesn't really work.
So it's hopeless then? Should we just put our hands up, and say *We surrender*? I, for one, would love to know what would work. Personally I see the latency, bandwidth, jamming issue as a temporary one. Obstructions are meant to be overcome. Let's use any and all means available, and let the authoritarians weep.
Re: (Score:2)
In principle, something that can transmit text messages is doable.
If you want a 'internet' that looks like the current one without centralised bodies, you need links between nodes that are many thousands of times faster than the desired peak per-user bandwidth.
This is for the obvious reason that you'll need thousands of hops in order to get to the next state, never mind the next country.
If those nodes all want to use the internet, then the amount of bandwidth you get per node is (simplistically) (1/number o
Re: (Score:2)
Yeah, no doubt about it, we will have to be mobile, and maybe plant little self powered access points all over the city, in office broom closets, or in sunny spots in the street. Kinda "sprinkle" them around, keep 'em chasing after ghosts. What is really needed is to turn the majority away from authoritarian governments. That is the hard part. In the meantime, cat and mouse it is. May the best man win...
Re: (Score:2)
That only works if at least one of the candidates is "the right thing".
Re: For added fun. (Score:1)
Then it's over. The Internet is a lost cause. So what? Are you so attached to a mere communication network? Did it mean that much to you? Is your life over now?
The only communications affected (Score:4, Insightful)
will be for law abiding citizens and low grade criminals/terrorists/... The real bad boys will know how to and will use good encryption. But then I can't see that the food standards agency [independent.co.uk] would be interested in real, hard, nasty people. This is why people are calling Theresa May the Pry Minister.
Re: (Score:2)
will be for law abiding citizens and low grade criminals/terrorists/... The real bad boys will know how to and will use good encryption. But then I can't see that the food standards agency [independent.co.uk] would be interested in real, hard, nasty people. This is why people are calling Theresa May the Pry Minister.
Oh, I think they are calling her way worse names than that.
Re:The only communications affected (Score:4, Insightful)
I wrote a letter to my MP, which was forwarded to some minister, who replied with the usual political "don't think it's right criminals and terrorists can communicate in secret" lines, saying that they do not intend to prevent people using strong cryptography (oblivious to the contradictions in what he wrote), and essentially the whole point, that end-to-end encrypted messaging can be achieved by anybody with a LAMP stack online somewhere and a couple of hours to write a few hundred lines of PHP, Javascript and HTML (using croptojs). We have a government of technologically clueless idiots.
Re: (Score:3)
The really bad guys don't even bother. All the recent terror attacks have one thing in common: they didn't bother much with encryption.
That's why governments want these laws. They think they will be able to spot these attacks. They are wrong, they will be overwhelmed with data and the bad guys will quickly start encrypting, along with everyone else. The damage done to the economy will be difficult to measure, but significant.
Re: (Score:2)
That's why governments want these laws. They think they will be able to spot these attacks.
No. They want the laws because it enshrines them in power and gives them blackmail opportunities. The 'terrorism' bit is a convenient excuse and nothing more. They do not want to stop terrorist attacks at all.
Re: (Score:2)
Everyone could download Signal, and if that would be blocked switch a VPN or to Silence which uses sms encryption.
Re: (Score:3)
VPN use does not pose any issues to the GCHQ. It even makes the more interesting people more easy to find on any UK network
Re: (Score:2)
Re: (Score:3)
The security service contractors sold the UK that every interesting person, group cult, faith, political party, criminal would always talk on the phone (voic
Re: (Score:2)
Bear in mind, the cunts who are doing all this (Tories) are about 15 percentage points ahead in the polls.
Yeah, the British actually are that stupid.
End-to-end encryption (Score:5, Insightful)
You can badger my comms provider all you want. They don't have access to my keys or software.
Re: (Score:1)
Re: (Score:1)
So long as the end of your end-to-end encryption doesn't end in the UK from a "service provider". We have crept back towards a centralised model for everything from email and spreadsheets to code hosting. Next step is to put the internet back into the hands of the users with decentralised tech... Funny thing is hard transformative change only tends to come about in situations like this, that that's the upshot :)
Re:End-to-end encryption (Score:4, Interesting)
this
the challenge is to make truly decentralised versions of Internet communications technology popular and easy to use, therefore adopted widely. ...and to do this quickly, so decentral tech can be well established before governments try to make decentral and personally owned comms and encryption technology illegal.
Re: (Score:2)
What will be your solution be when your comm provider blocks "illegal" encryption?
Re:End-to-end encryption (Score:4, Interesting)
What will be your solution be when your comm provider blocks "illegal" encryption?
Use steganography. If they believe it's not encrypted, they'll let it go through.
Re: (Score:1)
Security through obscurity, yeah, I guess that could work. Might not do much against traffic analysis though. I still would rather see some form of independence from the ISP where we can broadcast and receive without anybody knowing where the signal is going. You know, radio...
All trends indicate a general move towards authoritarianism the world wide. Only technology can protect us from majority opinion in that direction.
Re: (Score:2)
No, you miss the point utterly. Steganography HIDES the data so the bastards won't know it is there. You still encrypt the data, though.
Re: (Score:2)
No, he's right. Steganography attempts to hide, but it doesn't do it well. TOR has been trying for years to sneak traffic through the great firewall, but it's a losing battle, and China has mostly won at this point. There always seems to be a statistical difference between hidden data and the normal data you're trying to hide in.
Re: (Score:2)
The Chinese system (and now the UK's) does not overly concern itself with ensuring every possible route through the Great Firewall is blocked--after all, geniuses gonna be ingenious. It merely suffices that the overwhelming majority cannot do this easily, and the technically adept live in fear of the consequences of their clearly pre-meditated actions. The censorship, and the chilling effect, is in the general drag; no need to close down every last loophole.
If John Allsup is right above, all that is require
Re: (Score:2)
If you look at the math of it, it's not clean that steganography can actually work securely; rather, it can increase the difficulty of detecting your signal.
The lower the proportional bandwidth of your hidden signal to the carrier, the more work it will take someone to spot that. But if you're in a totalitarian state, and so you have to be right every time and the state only has to get lucky once, then it's not so reassuring.
Plus, you have to have a believable reason for the carrier. You have to hide your
Re: (Score:1)
Steganography HIDES the data so the bastards won't know it is there.
That's kinda what "security through obscurity" is, like hiding the key (to the first door) under the doormat.
Re: (Score:2)
Steganography and "security through obscurity" aren't the same thing at all...
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
Patrick Volkerding and Linus Thorvalds probably won't cooperate.
Re: (Score:3)
Oh, they won't. They won't.
I don't give a fuck either way, but in terms of making a point, you've been refuted.
Re: (Score:3, Informative)
They can then just come knocking and ask for the keys. Already before this legislation they could imprison (indefinitely?) the one who refuses to give their keys on request.
Re: (Score:2)
They can then just come knocking and ask for the keys.
At least I'll know exactly when that particular communications channel becomes insecure.
Re:End-to-end encryption (Score:5, Informative)
That may work in a pgp-like setup but is completely useless when dealing with perfect forward secrecy like Signal uses. I don't HAVE the key for the past messages anymore, and if I deleted the messages NOONE can decrypt them anymore.
Re: (Score:1)
Then you go to jail for not using approved encryption. Even if all you do is send your grocery list to your wife.
Re: (Score:2)
Junk US and UK encryption will be on most of the normal OS devices and systems.
Most of the IM services are logged or the surrounding OS is full of trapdoors and backdoors.
They will then look at the surrounding software and hardware to see what could log input. Remote code update for your UK telco approved phone.
If its really bespoke some extra gov hardwar
Re: (Score:2)
Re: (Score:2)
From Germany
https://netzpolitik.org/2016/p... [netzpolitik.org]
Re "Keyboard logging before encryption? lol."
The UK's Code of practice for the use of equipment interference by the security and intelligence agencies can be found at
https://www.gov.uk/government/... [www.gov.uk]
Recall Bullrun, Edgehill https://en.wikipedia.org/wiki/... [wikipedia.org]
Revealed: how US and UK spy agencies defeat internet privacy and security (6 September 2013)
https://www.theguardian.com/wo... [theguardian.com]
Could be fun (Score:2)
if some big tech companies would leave the U.K. market because of that. But of course it wouldn't go well with the shareholders. :D
Re:Could be fun (Score:5, Insightful)
Right. Because companies abandoned China in droves because of their evil policies.
Oh, wait. No their didn't. Every man and their dog wants to move in to the massively growing and profitable market of China.
The UK is the same deal. It's a massive financial and tech hub, so companies aren't going anywhere.
Though they ARE busy trying to wreck that with the Brexit.
The population of China is roughly 1.4 billion people. The population of England is 0.053 billion. England has 4% of the population of China. Tech companies care a lot more about the marketplace of China than they do about England.
So that leaves the "massive financial and tech hub" you describe in England. How many financial companies are going to want to maintain, never mind expand, their presence in a country which is allowed to actively monitor their most secure communications? If I were CEO of a global financial company I would be very concerned about the backlash from my customers if my company were to remain in such a country.
Re: (Score:3, Insightful)
It's the whole UK you need to consider, not just England, you geographically-challenged clod.
But yes, AFAIK a not inconsiderable amount of the financial institutions HQ'd in London have made and are beginning to act on plans to leave the UK for (likely) Paris. The City of London (i.e. the tiny bit full of the worst of the wankers) is stuffed full of them and they're all going to bugger off, likely reducing property prices there and as any semblance of financial recovery in the UK is based on a property boo
Re: (Score:2)
The GDP of China is 9.2 trillion USD. The GDP of the UK is 2.7 trillion USD. It's not all about warm bodies, you know...
Re: (Score:2)
So that leaves the "massive financial and tech hub" you describe in England. How many financial companies are going to want to maintain, never mind expand, their presence in a country which is allowed to actively monitor their most secure communications? If I were CEO of a global financial company I would be very concerned about the backlash from my customers if my company were to remain in such a country.
Not really a problem after Brexit. ;-)
Re: (Score:2)
Most of them won't, but the ones doing the largest business are quite likely to, and are quite likely to want to reduce their exposure at somebody else's cost.
Re: (Score:2)
I know it's not going to happen. It was just wishful thinking.
Apple should be leaving, but you know they are not going to. They will fold and then the lawmakers in the US sees that and they will have to give in at home as well.
Re: (Score:2)
Any mic that got activated would get hours of been in an empty parked car, a university lecture or work gossip every day, repetitive music or video game soundtracks. Fun for all the new transl
Re: (Score:2)
How will they know.... (Score:2)
Re: (Score:2)
If it does not revert as expected someone has found, been give or feels the need to use real crypto and its time to access their computer, device and capture keystrokes.
If that fails, get a logger into the keyboard or telco device as hardware or an upgrade.
Any new device ordered online and been delivered is open to security service upgrades during shipment.
UK import grade cryptography (Score:5, Insightful)
Here comes UK_1DES and Dual_UK_DRBG.
Re: (Score:3)
and china and russia and probably all of the islamic countries, plus lets not forget Best Korea (grin).
there are a lot that feel its their right to snoop on other people's comms.
personally, I think this is a right that all people have, to comm in private and with NO one spying. period. full stop. ends never justifies this. I know I'm extreme on this but better this extreme than middle or moderate on the other way.
I used to travel to the UK regularly. I have not been in well over 15 years and have no pl
Re: (Score:3)
I used to travel to the UK regularly. I have not been in well over 15 years and have no plans to ever visit the UK again. sad, as it was a nice place, once (at least to a visitor). now, I'd avoid going there unless 100% necessary. and so far, no travel has ever come up to be 100% necessary.
That's funny - in a sad way - because I live in Britain and I feel exactly the same way about going to the USA. In the 1930s my parents - both teachers of French and German - used to visit Germany regularly every summer. I'm not as brave as they were - or perhaps I have benefit of hindsight.
It is getting worse everywhere. (Score:1)
The two options left are to emigrate to a country that understands the dangers of compromising cryptography and personal rights, or create a country that will, through legal or extralegal means.
The opportunities to do either are dwindling with every day. The US for instance now requires thousands of dollars in fees to even have the opportunity to renounce your citizenship, and I imagine other countries will soon follow America's Shining Example(TM) and find new ways to keep their citizens from leaving while
Re: (Score:2)
But it is very very difficult to win permanent residence in Switzerland - let alone citizenship. And the cost of living is exceedingly high.
Re:It is getting worse everywhere. (Score:4, Insightful)
Move to a third world country where the government doesn't have the resources to waste on this kind of shit.
Re: (Score:2)
There is a third option.
Move to a third world country where the government doesn't have the resources to waste on this kind of shit.
The problem is third world countries tend to be stomping grounds for the 1st and 2nd world countries.
Re: (Score:3, Informative)
It's already here: Enter the CESG's very own MIKEY SAKKE: http://www.theregister.co.uk/2016/02/04/gchq_voice_encryption/ [theregister.co.uk]
UK Government-approved(TM) encryption. The backdoor isn't a backdoor, because the Gov says it isn't.
Here https://www.ncsc.gov.uk/articles/development-mikey-sakke [ncsc.gov.uk] is the take from the National Cyber Security Centre.
Of course (Score:3)
Re: (Score:3, Insightful)
You mean like Apple DRM that locks you out of your legal audio library after an OS update until you authenticate yourself again via apple.com? How about Steam DRM, Sony DRM, Microsoft DRM, Adobe DRM, Oracle DRM, IBM DRM? Fsckwit. Let's add Samsung, LG and Sony HDTVs that call home as soon as you turn them on and disable network functionality when the mothership cannot be contacted. And you're worried about a trivial DRM in text files that has been breakable for years? Dumbass.
Circumventing DRM is illegal an
Re: (Score:2)
Redundant verbiage excised (Score:4, Insightful)
"At the end of the day, will the U.K. security services be able to read your email, your messages, your posts and private tweets, and your communications if they believe you pose a threat to national security? Yes, they will".
At the end of the day, will the U.K. security services be able to read your email, your messages, your posts and private tweets, and your communications if they feel like it? Yes, they will.
FTFY.
Re: (Score:2)
Dear UK jackboots: eojhbfgyuhiojopdopfwdfdiodhidoidfuoisdfpoiifdfoddnvdj
Maybe that means "fuck you, come and get me fuckers".
And yet once again, they'll learn. (Score:5, Insightful)
You can't put a back door in something, and only have certain people able to walk through it. If there's a vulnerability in the encryption that can be used to crack it by the service provider, someone else can do the same.
If this were implemented in the UK, it would totally kill Web commerce there. Who's going to put financial details across the Internet when it's as good as sent unencrypted? And if actual encryption is permitted for that purpose, well, then it can be used for any other purpose too.
I don't know why it's so difficult to understand. If you deliberately make something insecure, then it is, by definition, insecure. If it's designed to be secure, then even the designer can't break in, because if they can, someone else could do the same.
Re: (Score:2, Interesting)
You can guarantee the industry will respond by pushing the blame onto customers as far and as fast as possible. Once you've got a security weakness in there that you *cannot legally fix* there's basically no other way for companies to respond. Sure, mandate that we all have to make a copy of our keys and leave them with the gubmint - I can guarantee they'll refuse to be held responsible when China or Russia steals ALL of them. That's your problem.
Fuck it, just take all the security off and we can laugh as t
Welcome to China (Score:1)
Re: (Score:2, Informative)
I love Signal. The desktop/mobile platform is easy enough to get most of my friends on it, even non techies. However, I still have plenty of friends who say "I'm not a criminal, I don't need encryption" ... I have failed to convince them otherwise. Also, Signal is easier than encrypted email, just wish e2e email was easier.
What are the implications on encryption? (Score:3)
Does this law mean a UK user could get thrown in jail for using an encryption scheme for which the government has no backdoor access?
Re: (Score:3, Informative)
Does this law mean a UK user could get thrown in jail for using an encryption scheme for which the government has no backdoor access?
Yes, section 49 of part III of the Regulation of Investigatory Powers act [theregister.co.uk] compels the operator of said encryption to hand over the keys or face prison.
Re: (Score:3)
Anonymously send someone some random binary data. Prosecution win.
Re: (Score:2)
I don't think doing it in public, where others are known to be able to access it, counts. But that's the general idea.
Re: (Score:2)
If the app is secure, the junk OS that it works on will capture what is needed.
The best tool the security services have is tending apps that are offered as free, secure and have huge amounts of global users built on junk crypto.
Its hard work to sell against free and to get other users using bespoke working secure solutions.
Any for sale e
Who wants to comply this way? (Score:2)
Who wants to comply this way?
1. The users password works .gov.uk domain, there's another backdoor password "admin"
2. There's a government backdoor password
3. If if's a computer located in the
I'll take my Nobel Peace Prize to go, please...
Learning Opportunity (Score:2)
For the rest of the World anyway.
Let the UK implement their silly backdoor idea and just sit back and wait.
If a decade goes by without the whole thing being compromised it would impress me.
See how much it costs them to clean up that mess after someone exploits their newly implemented idea.
A master key is very convenient, but very insecure. Both digitally and in its original form, the common door lock.
Though, when I needed to bypass such things ( door locks ) I certainly appreciated it when they made my job
I migrated for freedom and it's the only fix (Score:1)
Sadly the governments of the world are heading in an non-democratic direction and the masses are gobbling it up. If you want freedom, liberty, security you're not going to be able to live just anywhere. You are going to have to move. There is no other solution that'll work.
Jason Sorens realized this way back in 2001. He realized the only way that we'll ever be able to secure some level of freedom moving forward is if enough people moved to a prosperous region for the pursuit of it. His essay got a lot of pe
While they're at it... (Score:1)
One of the issues of this law (Score:3)
... is that people who adopted it don't understand really how things work. The moment one installs a backdoor into a program, that can be found and accessed by anyone. And usually the people looking for those are either working for security companies (case in which it isn't that much of a problem, provided those people's ethics are intact) or not - and it's the latter that carries some issues with it.
I can understand the concern for security, however this exposes everybody, not only people with malicious intent, and it can have effects that ripple beyond getting law enforcement new tools. It can put everybody's data at risk and this means everybody, from large corporations who are using backdoored software to individuals trying to protect their naughty (or not) private pictures.
I suppose it all boils down to stopping usage of the cloud, storing everything locally with drawer HD and/or optical medium backups, middle fingering iCloud, Dropbox, Google Drive, OneDrive and so on. Losing convenience over gaining safety and security is one way of dealing with the whole issue.
As for browsing histories and what not, I don't really think people who wish to do harm are googling incriminating stuff or accessing suspect websites, so it's all looking rather pointless. Then again, people give up their data rather easily e.g. to Google for convenience, so the issue lies with educating people. I fear though that when it will become apparent to everybody, it will be too late. People don't realise it now, in the 11th hour, albeit there are strong warnings out there - https://en.wikipedia.org/wiki/... [wikipedia.org]
The Solution Is Cost (Score:2)
By always encoding small messages into very large bundles it forces them to hire more people to check manually.
That creates jobs, slows down their progress, increases errors, and fills up their storage.
They'll just get tired and go away after awhile.
Re: (Score:2)