Silicon.com: Snooping Bill gets security seal of disapproval

Owen Blacker ukcrypto at maillist.ox.ac.uk
Fri, 22 Sep 2000 10:53:28 +0100


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> -----Original Message-----
> From: WebMaster@silicon.com [mailto:WebMaster@silicon.com]
> Sent: Thursday, September 21, 2000 10:08 AM
> To: owen.blacker@pres.co.uk
> Subject: Silicon.com: Snooping Bill gets security seal of
> disapproval  
> 
> 
> HEADLINE: Snooping Bill gets security seal of disapproval
> PUBLISHED: 1:22am on Tuesday 12th September 2000
> CHANNEL: Ebusiness security
> AUTHOR: Bob Walder
> SERVICE: http://www.silicon.com
> 
> TEXT OF STORY FOLLOWS:
> 
> If you thought the acronym RIP meant Rest In Peace then you 
> have another thing coming.
> 
> You'll be doing anything but resting in peace once the new 
> Regulation of Investigatory Powers Bill comes into effect 
> later this year.
> 
> And if you thought the phrase "innocent until proven guilty" 
> was a given in the British judicial system, then think again. 
> Once the aforementioned Bill is passed a whole raft of civil 
> liberties that we have taken for granted until now could 
> simply disappear. Because once the RIP Bill makes it onto the 
> statute books the basic idea is that all internet 
> communications that pass through the UK can be copied 
> automatically, and sent in full, to the spooks at MI5.
> 
> The idea is that government agencies -- with a suitable 
> warrant, of course -- should be able to tap into any internet 
> communication travelling to or from any particular user. In 
> fact, they will be able to access all your emails, follow 
> your online purchases, and even check out which websites you 
> are browsing in real time.
> 
> How is this to be achieved? Well the onus seems to be falling 
> on ISPs to install some form of black box monitoring system 
> within their networks that will allow traffic passing across 
> networks to be copied to a third party. Large companies may 
> also be forced to install such devices and, predictably, 
> neither they nor the ISPs are falling over themselves to 
> support such measures given that there will be significant 
> costs involved, in addition to the privacy issues.
> 
> The Home Office is quick to point out that police powers to 
> intercept communications under the new Bill will actually be 
> restricted more than at present and these powers will only be 
> used in defence of national security or on suspicion of 
> serious crime such as narcotics smuggling or terrorism. A 
> nice sentiment, but will those of us who know just how easy 
> it is to tap into internet communications at the best of 
> times really sleep easy knowing that the spooks have a 
> ready-made wire tap in every ISP in the country?
> 
> Still, not to worry, we can always encrypt all our data -- 
> that will put a spanner in their works, eh? Not really, since 
> the powers relating to encryption are even more Draconian 
> than those relating to interception and it is these powers 
> that are likely to have the most profound effect on ecommerce 
> in the UK.
> 
> The new Bill allows the Home Office and its representatives 
> to demand encryption keys be handed over to the authorities, 
> with penalties for failure to comply including two years in jail.
> 
> Note that this applies even to those organisations holding 
> keys for third parties. So if you are a key escrow agency or 
> are simply holding a copy of a key for a business partner you 
> can be forced to give it up. And you are not allowed to tell 
> the person who owns the key that you have been asked to hand 
> it over, meaning the person in question will continue to use 
> the key even though it is no longer secure. If you do tip 
> someone off, the penalty here can be up to five years in jail.
> 
> Nor is it any defence to say that you no longer possess the 
> key. The burden of proof has now shifted to the victim 
> (sorry, I mean alleged perpetrator) to convince the 
> authorities the key is no longer, or indeed ever was, in 
> their possession. This smacks of "guilty until you can prove 
> you are innocent", and flies in the face of everything we 
> have come to hold dear about our wonderful democracy and its 
> legal system.
> 
> After the latest reading in the House of Lords, this reverse 
> burden of proof has been toned down and the Home Office has 
> been quick to point out that they are not trying to send 
> people to jail for forgetting their passwords or losing keys.
> 
> But if the legislation is there, there is always the scope 
> for it to be misused, and the ramifications for businesses 
> wanting to conduct commerce on the internet are serious.
> 
> Under one RIP provision, company directors will be held 
> legally responsible for company data and the control of their 
> business's encryption keys. Directors would be subject to 
> fines or imprisonment if keys were lost.
> 
> How effective these measures will be against money 
> launderers, child pornographers and drug traffickers is 
> anybody's guess. But my guess is that the effect on such 
> lowlifes will be minimal, to say the least.
> 
> However, the effect on legitimate business-to-business (B2B) 
> communication in particular could be far-reaching and 
> potentially very damaging. The UK government's stated desire 
> to make Britain -- and I quote from the Department of Trade 
> and Industry document entitled 'Promoting Electronic 
> Commerce' -- "the best environment for electronic business by 
> 2002" certainly cannot be helped by such legislation.
> 
> The only way the government will achieve this is to abandon 
> this crippled Bill and start again from scratch -- this time 
> listening to industry experts who actually know what they are 
> talking about.
> 
> Otherwise, it could well be a case of UK ecommerce RIP.
> 
> 
> STORY ENDS
> 
> For more information on silicon.com go to http://www.silicon.com.
> 
> silicon.com - the who, what, when, where and why of ebusiness
> 

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0
Comment: Due to RIP, pls check for revocation before using this key!

iQA/AwUBOcssOFVeQSYAA2h0EQJ7pgCfbHf8xrzrk7QSQRisVU6dAYhUjsEAnRKq
KHoO+NE7/rcOB/tkLYE6tGDq
=BWkE
-----END PGP SIGNATURE-----
