
Re: UK gov says new Home Sec will have powers to ban end-to-end encryption



On 17/07/16 02:42, Zenaan Harkness wrote:
On Sat, Jul 16, 2016 at 06:02:57PM +0100, Peter Fairbrother wrote:
On 16/07/16 09:28, Georgi Guninski wrote:
Hope this is not a duplicate, the personal drivels were quite
noisy.

http://www.theregister.co.uk/2016/07/14/gov_says_new_home_sec_iwilli_have_powers_to_ban_endtoend_encryption/

UK gov says new Home Sec will have powers to ban end-to-end encryption

Very sound, nice and democratic...

First part:

Things said in the Lords (or Commons), even by Government spokesmen, have
approximately zero legal significance. To a very close approximation.
Practically speaking, indistinguishable from zero.

What the Courts look at is the wording of the Act.

Which in this case is pretty bad, but not a power to ban end-to-end
encryption.

In fact, it doesn't affect most in-use forms of end-to-end encryption at
all.

Second part:

"Relevant operators" are persons who provide "any service that consists in
the provision of access to, and of facilities for making use of, any
telecommunication system (whether or not one provided by the person
providing the service) [... including] any case where a service consists in
or includes facilitating the creation, management or storage of
communications transmitted, or that may be transmitted, by means of such a
system."

That would include many commercial sites who use SSL/TLS. If you put a
"contact me" link on your web pages, you are a "relevant operator". Gimme
your SSL keys!

I'm not sure how you can say the first part above, in the face of
quoting and saying what you do in the second part.

That's what the Bill actually says, if you read it carefully. Like RIPA, it
is opaque beyond the point of obscurity, and it takes a lot of reading.

You quoted the relevant part, thank you. That part does not take much
reading to see how bad it truly is, even though the rest (unquoted) of
the bill may be massively opaque.

Actually, just finding that in the Bill wasn't easy - and it isn't a single part, it's taken from at least five different places in the Bill. If it seems clear, then I did a good job putting them together.

Thing is, while the Bill isn't good, it doesn't have anything at all to do with banning end-to-end encryption. Or banning any sort of encryption.

It can require "relevant operators" to maintain some backdoors, most obviously in mobile link encryption and some VPNs and other encrypted links which are operated by "relevant operators".

Less obviously, it can be applied to some websites and the like.

But there is no power to ban encryption anywhere in the Bill.

If you as a private person apply the encryption yourself, there is no power in the Bill to make you backdoor it (though there have been powers in RIPA to enforce demands for keys in some circumstances since 2001), and there is no power to prevent you from using encryption.

Good points? Only encryption which has been applied by a "relevant
operator" is affected -

So something is good, or potentially good - let's find out what:

at least until the Home Secretary makes regulations
otherwise (which under the Bill she can do).

In other words, the bill doesn't automatically affect the status quo of
existing websites (website certificates?) because, well who knows,
that's the current interpretation but tomorrow's interpretation can just
as well be "hand over your keys bitch, or you're going to jail" even if
you are Facebook or Google (though the "going to jail" bit, if it were
possible, would be a good outcome for Facebook for example ... alas, I
dream)!

And the determination of who has to hand over keys (i.e. who is a
"relevant operator") is nothing more than whatever the Home Secretary
(currently female it seems)

Yep, we have a brand new female Home Secretary. The old one is now Prime Minister ...

(and she's madder than Mad Maggy Thatcher ever was 8-(

says! Perhaps next week is her bad week of
the month and your free speech website (nicely TLSed with personally
issued and in person verified certificate provider keys etc) happens to
have a discussion which pushes her (the Home Secretary's) trigger word
buttons.

And you say this is GOOD?!

WTF? Am I misunderstanding something here?

I was not clear - while the HS can extend the notices to e.g. include other forms of encryption not applied by "relevant operators", she cannot serve notices on, or force any other obligation on, anyone except "relevant operators".

If you are a private citizen and you aren't providing a service, she can't prevent you from doing any encryption you like, nor can she make you backdoor it.

PGP is okay, and there's not a thing in the Bill which says she can do anything to ban it.

Neither can she stop people using SSL/TLS, or except in the case of some UK-based servers, mandate backdoors in it.

She could in theory serve a notice on Google, Apple or Facebook - but in practice, none of these would actually be obligated to obey it.


Sounds as good as North America's endless extra-judicial drone killings
(that's murder, and despotic, in case it's not otherwise obvious to
you).

Bad points? It doesn't do anything at all against the clued-up terrorist or
criminal. It decreases security for legitimate actors and businesses.

You say that as though there are good points, see above.


BTW, things said in the Lords (or Commons), even by Government spokesmen,
have approximately zero legal significance. What the Courts look at is the
wording of the Act.

Thanks for quoting the relevant part of the act, and letting us know
that the definitions for "relevant operator"s will be handed down extra-
judicially by the Home Secretary.

err, no - that one is defined in the Bill, she can't change the meaning of "relevant operator".

She can change some of the things she requires "relevant operators" to do - but if you aren't a "relevant operator" she can't require you to do anything.

How very, democratic we might as well call it..

hmmm


-- Peter Fairbrother