Investigatory Powers Act - Government mandated backdoors
zenadsl6186 at zen.co.uk
Fri Dec 2 13:30:07 GMT 2016
On 02/12/16 11:07, Roland Perry wrote:
> In article <20161201161134.Horde.mgH5fJInnXW5Fx1GRWN_Kj1 at mail.vbbc.biz>,
> Paul Brown <pol at geekstuff.tv> writes
>> I assume the list has seen http://www.theregister.co.uk/2016/11/30/inv
>> estigatory_powers_act_backdoors/ ?
>> Mandatory notification to HMG of system architecture changes/patches
>> which might impair the ability of the security services to snoop and
>> decrypt customer data.
> I'll post word-for-word two paras A and B, which I sent to another list
> six months ago and are still completely applicable:
> A) "It merely says that when a new service emerges it must be
> notified to the authorities so that it can be assessed as to
> whether it should be added (after the normal due process) to the
> list of services for which the service provider has already
> received warrants."
> While it appears at first glance to be instructing CSPs to ask for
> permission to introduce new services, there is no power for the Home
> Office to refuse such permission, and all they require is notification
> of what the new service is (for example starting a 5G mobile network in
> addition to your existing 2,3,4G one).
> And as for new (or existing) services needing a backdoor, that's not
> what Act is asking for.
> B) "Because a backdoor implies a 'key' being given to a third party
> such law enforcement to do its own decryption, whereas the Bill
> just asks for CSPs to use their existing key to the front door
> to produce the plain text, if they are able to."
The Bill also permits the SoS to require "relevant operators" to
maintain or perhaps generate the ability to produce the plain text.
Probably the most important example is Forward Secrecy in eg TLS suites.
In order to maintain the ability to produce the plain text, relevant
operators can effectively be required to modify their systems to retain
the keys used rather than discarding them.
Some may consider that a required backdoor, but as the relevant operator
keeps the keys, and they are not available to Plod etc without a
warrant, I don't know whether it really counts. Maybe 1/2 a required
Of course there is a small problem for the SoS and/or Plod here - if an
effect of the modification to the system, eg removing the deletion of
keys, makes any of the content available to a person other than the
sender or recipient then it would be interception, and unlawful.
> In other words it's only the encryption applied internally by the CSP
> (or by someone acting on behalf of the CSP) which is involved. The
> classic (and now somewhat aged) example is 2G's A5/1.
Yep. Eg, crypto software writers are pretty much unaffected.
>> and the probably impact to the UK as a whole - especially given the
>> hugely broad definition of "Commmunication Service Provider"
> The measure is only expected to cover CSPs with more than 10,000
The term CSP or "Commmunication Service Provider" does not appear
anywhere in the Bill. Apparently they have gone all trendy, and are
"telecommunications operators" now.
"Expected to" - yeah, that sounds about typical.
-- Peter Fairbrother
More information about the ukcrypto