Kieren McCarthy at The Register has an interesting article discussing the inclusion of encryption backdoors in the recently passed Investigatory Powers Act, also knows as the Snooper's Charter.
Among the many unpleasant things in the Investigatory Powers Act that was officially signed into law this week, one that has not gained as much attention is the apparent ability for the UK government to undermine encryption and demand surveillance backdoors.
As the bill was passing through Parliament, several organizations noted their alarm at section 217 which obliged ISPs, telcos and other communications providers to let the government know in advance of any new products and services being deployed and allow the government to demand "technical" changes to software and systems.
[...] As per the final wording of the law, comms providers on the receiving end of a "technical capacity notice" will be obliged to do various things on demand for government snoops – such as disclosing details of any system upgrades and removing "electronic protection" on encrypted communications.
Thus, by "technical capability," the government really means backdoors and deliberate security weaknesses so citizens' encrypted online activities can be intercepted, deciphered and monitored.
[...] In effect, the UK government has written into law a version of the much-derided Burr-Feinstein Bill proposed in the US, which would have undermined encryption in America. A backlash derailed that draft law.
[...] To be fair, there were some fears that Blighty's law would effectively kill off the UK software industry as well as undermine Brits' privacy, and expose them to surveillance and hacking by criminals exploiting these mandatory backdoors. This mild panic did bring about some changes to the UK's Investigatory Powers Bill before it was passed.
The question is: were the changes sufficient?
(Score: 5, Insightful) by bob_super on Monday December 05 2016, @07:34PM
After the Five Eyes, after Brexit, here comes "You really can't trust our products' security, we mean it".
Competitors to UK companies would like applaud, but they need to rush out to buy a rake for the windfall money.
In the meantime, The Bad Guys will keep using freely and widely available encryption tools.
(Score: 3, Interesting) by dyingtolive on Monday December 05 2016, @07:49PM
From what I recall, most of the bad guys haven't really been using encryption anyway.
Don't blame me, I voted for moose wang!
(Score: 2) by Zz9zZ on Monday December 05 2016, @08:07PM
Those are the ones you hear about... though you're correct, there are methods people can use to communicate that are quite secure, but those are like humanoid one-time pads.
~Tilting at windmills~
(Score: 1) by anubi on Tuesday December 06 2016, @04:47AM
Hell, under government supervision, we may just as well ROT13 it.... because under the rules as mandated by government, if backdoors are mandated, anyone interested in snooping will have the ability to do so anyway.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 3, Interesting) by Kilo110 on Monday December 05 2016, @07:39PM
It was bound to happen eventually. The bigger question is what will happen next?
(Score: 5, Insightful) by Azuma Hazuki on Monday December 05 2016, @07:55PM
Abuse, corruption, political prisoners, McCarthyism 2.0, Stasi 2.0, you name it. What the hell do you THINK this kind of technology is going to lead to in the hands of people who would pass a bill like this? I really hope some enterprising freedom-loving types are working on portable EMP generators as we speak...
I am "that girl" your mother warned you about...
(Score: 2) by Zz9zZ on Monday December 05 2016, @08:29PM
Hehe, we sent OURSELVES back to the dark age. Yes on purpose! "Ok grandkids just one more time... the ball really got started rolling with a thing we called Zuckerbook..."
~Tilting at windmills~
(Score: 1) by Type44Q on Monday December 05 2016, @09:07PM
Guillotines would be far more appropriate.
(Score: 2) by Phoenix666 on Tuesday December 06 2016, @05:58AM
You are right.
EMP generators would be good. More Wikileaks-style revelations would be good, too. Every kind of system or approach we can think of that takes levers of control out of the hands of People Who Are Up To No Good should be pursued. Home-brew additive manufacturing, distributed energy generation, alternatives to centralized communications networks (mesh networks?), and the like are examples. There are significant hurdles to be overcome. There's no denying that. If we don't do anything, though, and coast along waiting for somebody else to do the heavy lifting, then the outcome you foretold is what will come to pass.
Washington DC delenda est.
(Score: 2) by turgid on Monday December 05 2016, @08:15PM
How are they going to stop people writing their own encryption code?
I'm hardly a genius, but even with my mediocre mathematical and programming skills, I could probably throw something together that would be at least a minor inconvenience to "them." It would be nothing like professional quality but it might slow them down by a few hours, assuming someone noticed and wanted to look.
I'm sure there are millions of other people like me who have a bit of an education and access to programming tools.
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
(Score: -1, Troll) by Anonymous Coward on Monday December 05 2016, @08:31PM
Dude that's a great idea bro! What's your github? I want to download your code.
(Score: 2) by turgid on Monday December 05 2016, @08:53PM
I don't think any of my home-made code is good enough to put on github :-)
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
(Score: 0) by Anonymous Coward on Monday December 05 2016, @10:19PM
github contains good code? All of it?
(Score: 3, Interesting) by art guerrilla on Monday December 05 2016, @08:33PM
as alluded to above, if you have a decent one time pad to encrypt with, not going to get in unless /until someone squeals...
obviously not convenient, but we can't *always* have our cake and eat it, too...
(Score: 4, Insightful) by Unixnut on Monday December 05 2016, @08:55PM
That is what they want. Back when free encryption was in its infancy, and they could hack to their hearts content, everything was good. The problem is the open source movement, which resulted in a push for better and better software, including better encryption, being available to general public.
I suspect we are reaching a point where the main intelligence agencies have trouble breaking encryption, hence this new push to allow deliberate weakness and "side-channel" attacks, rather than attacking the encryption itself.
I am not sure how this law will work with existing open source software (unless it becomes illegal to download a copy of veracrypt, or crypt-dm for that matter). What I think it will affect are "appliances" like your phone, and proprietary software. The government can prevent the sale of devices not deemed compatible.
If this law forces people to make their own weak encryption algos, then it is a win for them, we are back to the 90s with the 56-bit key length DES equivalent which they can break into to their hearts content.
(Score: 2) by bob_super on Monday December 05 2016, @10:35PM
Someone needs to write a dumbed-down generator of random 2048-bit primes.
You don't need much of an algorithm to be safe with a huge key, shared out-of-band.
(Score: 0) by Anonymous Coward on Monday December 05 2016, @10:27PM
Yes, home-made encryption. But with the continuation of government onslaught, how long do you think home-made will keep working? People can be made afraid to do certain things and over time, the government will win. All your data (private and public) will be kept in Tel-Aviv forever. If there is no one fighting for freedom, that is.
(Score: 2, Insightful) by Anonymous Coward on Monday December 05 2016, @10:32PM
How are they going to stop people writing their own encryption code?
I'm hardly a genius, but even with my mediocre mathematical and programming skills, I could probably throw something together that would be at least a minor inconvenience to "them." It would be nothing like professional quality but it might slow them down by a few hours, assuming someone noticed and wanted to look.
I'm sure there are millions of other people like me who have a bit of an education and access to programming tools.
They don't need to.
1) Writing good encryption code is *hard*, even if you know the math behind it. See all the security problems that have been found through professional products throughout the years, including TrueCrypt. They are usually fixed, but that they exist is proof enough.
2) How many people do you know who have the knowledge, interest, and the resources (including time) to do this?
3) The harder you make it to install encryption, the fewer people will do so. Compare the default-encrypted of iPhones (millions of people have them, only a handful of "terrorists", huge false-positive rate), to a home brew solution (a couple of dozen people have them, a handful of "terrorists", a much less bad false-positive rate, and more resources can be spent to crack each individual machine).
4) The mere fact it is illegal will reduce usage. Consider how trivial it is to pick a lock (with a bump key it takes merely seconds). Yet, how many people have locks, and how few locks actually get picked?
(Score: 1, Insightful) by Anonymous Coward on Tuesday December 06 2016, @06:45AM
Or better yet, it’s UK, “give us your keys or wait in this nice prison we have here.”
(Score: 2) by Kromagv0 on Tuesday December 06 2016, @04:08PM
To be fair the problems with TrueCrypt aren't with the encryption but with all the other stuff attached to it. That said creating a good encryption algorithm is hard even for experts. For example looking the AES finalists, 256 bit versions only, Serpent, Twofish, and Mars were thought to have the highest security margin with Rijndael viewed as begin adequate. Turns out that Serpent's S-Boxes aren't as good [iacr.org] as initially believe. For Twofish there is a chosen plaintext attack that breaks it, However AES seems to be having problems as there are 2 attacks that break it although one is a related key attack.
T-Shirts and bumper stickers [zazzle.com] to offend someone
(Score: 1) by EETech1 on Wednesday December 07 2016, @01:25AM
The best part is it's not a standard, so whatever they decipher it to, they have no way of proving it.
Just like a one time pad can mean anything, so can an incorrectly decrypted homegrown cypher.
(Unless you post it to GitHub)
(Score: 3, Insightful) by EETech1 on Monday December 05 2016, @09:24PM
I'll bet that if Apple, Google etc. just said "nope, sorry we're not making a custom cracked version for you" and refused sell the latest new shiny to them, that there would soon be changes to that law.
Sorry. No Google products for you.
Oops, no more iAnythings either.
We have a few nice flip phones that you can Facebook on through the government access portal though.
And there's GhcqMail installed on there too.
The revolt would be quick.
(Score: 3, Interesting) by turgid on Monday December 05 2016, @09:29PM
The revolt would be quick.
Especially when terrorists and paedophiles crack the weaker government-sanctioned systems...
Or would it? Would anyone care? They're too busy watching Strictly Come Dancing, Big Brother, X-Factor and reading the Daily Mail, Express, Sun...
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
(Score: 2, Insightful) by pTamok on Monday December 05 2016, @10:52PM
The law will only really affect providers of services who are trying to sell secure data storage, or incorporate secure data into their product.
Most Terms & Conditions for provision of services will already have a 'law enforcement' exception, and what this new law does is make it clear that if the service provider can provide law enforcement with decrypted data, they will (or be forced to), using whatever methods are available to them (which may include loading a zero-day malware keylogger on your PC to grab passwords). Or, you could simply be arrested and required to hand over your decryption keys, and jailed if you do not.
This will not affect most businesses, as even financial and healthcare systems, with their concentration on data privacy, will have law enforcement exceptions.
However, if you want to store sensitive data in the UK that you don't want to (potentially) share with the law enforcement agencies (like the police, HMRC and other organisations), then now is the time to realise that is no longer possible (even if it was in the past).
If you trust the British authorities not to abuse access to your data - you are happy.
If you do not trust the British authorities, and do not wish them to have access to your data - time to find a country whose authorities you do trust in preference to the UK ones. Without being funny, that might turn out to be a rather short list of other choices.
(Score: 0) by Anonymous Coward on Tuesday December 06 2016, @01:02AM
it will probably not be used for this but theres a flip side to the coin: being able to force a service provider to install more secure gear. just saying ...