News Unlimited: Analysis: RIP bill no match for technology
Owen Blacker
owen.blacker at pres.co.uk
Tue, 27 Jun 2000 18:38:49 +0100
http://www.guardianunlimited.co.uk/netprivacy/article/0,2763,337139,00.html
<BQ>
Analysis: RIP bill no match for technology

Wily web users will easily be able to circumvent the government's
controversial internet surveillance bill, writes Mark Tran

Tuesday June 27, 2000

The government's contentious internet surveillance bill, already under
threat from the House of Lords, could be rendered unenforceable by
simple security mechanisms that already exist.

The regulation of investigatory powers (RIP) bill has angered industry
and civil rights groups because of its implications for personal and
corporate privacy.

But one problem which has so far been overlooked is the practicalities
of its implementation. An investigation by Network News, a weekly
publication on internet issues, has highlighted two technical
loopholes which could render the bill unenforceable: users' ability to
hide their passwords; and the difficulty of tracing "keys" used to
encrypt information.

The bill allows security services such as MI5 to monitor a user's
internet patterns (although initially they won't be able to look at the
contents of websites and email). If security services suspect criminal
activity, they can request a government warrant to intercept and
decode internet content.

The first technical hurdle facing the faces is the problem of
"steganographic file systems", which safeguard access to data on a
computer's hard drive. Users can select an infinite number of
passwords. One password is needed to get past the first layer, another
to get past the second layer and so on. Although the RIP bill obliges
users to reveal their passwords if requested, this system means there
is no way of knowing if a user has in fact revealed every password.

The technology to implement steganographic file systems already exists
for Unix operating systems. Although it is not yet up and running for
the more popular Windows operating system, it would be easily
adaptable.

The second difficulty concerns the transmission of data from one user
to another. The Deffie-Hellman [sic] key exchange system, which has
been around for 20 years, enables users to conceal these
transmissions, thereby preventing the authorities from seeing which
sites are being visited and which messages sent.

The system creates a secret "key" - a pin number not known even by the
user - which scrambles the message while it is being sent over a
secure connection. After transmission, the key is destroyed
automatically. The system is inexpensive to install, virtually
undetectable - and legal.

"One of the effects of the bill is to give an incentive to people to
deploy such technology," said Nicholas Bohm, a member of the
e-commerce working group of the Law Society. He said that the
government was becoming worried at the furore over the Home Office
proposals.

He predicts that the government will try to salvage the RIP bill by
getting rid of the more contentious aspects. "But if the Home Office
digs its feet in, it is possible there will be a revolt in the Lords,
who will throw it out."

Caspar Bowden, research director for the Foundation for Information
Policy, believes the outcry over RIP makes it more difficult for the
government to "steamroll" this legislation through. He said that a
situation which "allows you to be snooped on is not conducive for a
business-to-business environment or individuals".

The Home Office says it is confident that the bill takes account of
emerging technologies. A spokesman said the main task of RIP was to
update legislation dating back to 1985, and said security services
would rarely demand encryption keys from internet users. "Nine times
out of 10 we would ask for the plain text printout," the official
said.

But civil rights groups maintain that the bill represents an assault
on personal freedom - and businesses are angry at the potential loss
of commerce if dot.com companies shun the UK because of concerns about
confidentiality. Unease over the bill has reached such a pitch that
more than 48 pages of amendments have been proposed to block the home
secretary's proposals in the Lords.
</BQ>
Links from the article (may have wrapped):
http://www.guardianunlimited.co.uk/theissues/article/0,6512,334007,00.html
The RIP bill: the issue explained
http://www.guardianunlimited.co.uk/freespeech/0,2759,212402,00.html
Free speech on the net: special report
http://www.parliament.the-stationery-office.co.uk/pa/ld199900/ldbills/061/2000061.htm
the regulation of investigatory powers bill
http://www.vnunet.com/
Network News
http://www.fipr.org/
Foundation for Information Policy Research
-----
Owen Blacker
Senior Internet Developer and InfoSec Consultant, pres.co
DSS: 0x7e3c8eab | 2f45 c60d 6a0a 0007 193d d994 cd36 e021 7e3c 8eab
RSA: 0x38fee6c3 | 7c41 e69c 5b8a 484d 22af 1859 f4c9 307b