Investigatory Powers Act - Government mandated backdoors

Roland Perry lists at internetpolicyagency.com
Fri Dec 2 11:07:06 GMT 2016


In article <20161201161134.Horde.mgH5fJInnXW5Fx1GRWN_Kj1 at mail.vbbc.biz>,
Paul Brown <pol at geekstuff.tv> writes
>
>I assume the list has seen http://www.theregister.co.uk/2016/11/30/investigatory_powers_act_backdoors/ ?
>
>Mandatory notification to HMG of system architecture changes/patches
>which might impair the ability of the security services to snoop and
>decrypt customer data.

I'll post word-for-word two paras A and B, which I sent to another list
six months ago and are still completely applicable:

A)      "It merely says that when a new service emerges it must be
        notified to the authorities so that it can be assessed as to
        whether it should be added (after the normal due process) to the
        list of services for which the service provider has already
        received warrants."

While it appears at first glance to be instructing CSPs to ask for
permission to introduce new services, there is no power for the Home
Office to refuse such permission, and all they require is notification
of what the new service is (for example starting a 5G mobile network in
addition to your existing 2,3,4G one).

And as for new (or existing) services needing a backdoor, that's not
what the Act is asking for.

B)      "Because a backdoor implies a 'key' being given to a third party
        such as law enforcement to do its own decryption, whereas the Bill
        just asks for CSPs to use their existing key to the front door
        to produce the plain text, if they are able to."

In other words it's only the encryption applied internally by the CSP
(or by someone acting on behalf of the CSP) which is involved. The
classic (and now somewhat aged) example is 2G's A5/1.

>Other than making the UK a place the EU probably won't allow data to
>be processed post brexit (or even pre-brexit),

It's actually no-change from the RIPA scheme we've had for the last 16
years.

>what are the views in this forum of the practicability of this,

If it's not practical, it can't be forced on the CSP under the wide
ranging provisions in the Act for proportionality, the activities of the
enhanced Technical Advisory Board, and so on.

>and the probable impact to the UK as a whole - especially given the
>hugely broad definition of "Communication Service Provider"

The measure is only expected to cover CSPs with more than 10,000
customers.
-- 
Roland Perry
