Investigatory Powers Act - Government mandated backdoors
Peter Fairbrother
zenadsl6186 at zen.co.uk
Fri Dec 2 13:30:07 GMT 2016
On 02/12/16 11:07, Roland Perry wrote:
> In article <20161201161134.Horde.mgH5fJInnXW5Fx1GRWN_Kj1 at mail.vbbc.biz>,
> Paul Brown <pol at geekstuff.tv> writes
>>
>> I assume the list has seen
>> http://www.theregister.co.uk/2016/11/30/investigatory_powers_act_backdoors/ ?
>>
>> Mandatory notification to HMG of system architecture changes/patches
>> which might impair the ability of the security services to snoop and
>> decrypt customer data.
>
> I'll post word-for-word two paras A and B, which I sent to another list
> six months ago and are still completely applicable:
>
> A) "It merely says that when a new service emerges it must be
> notified to the authorities so that it can be assessed as to
> whether it should be added (after the normal due process) to the
> list of services for which the service provider has already
> received warrants."
>
> While it appears at first glance to be instructing CSPs to ask for
> permission to introduce new services, there is no power for the Home
> Office to refuse such permission, and all they require is notification
> of what the new service is (for example starting a 5G mobile network in
> addition to your existing 2,3,4G one).

Yep.

> And as for new (or existing) services needing a backdoor, that's not
> what the Act is asking for.
>
> B) "Because a backdoor implies a 'key' being given to a third party
> such as law enforcement to do its own decryption, whereas the Bill
> just asks for CSPs to use their existing key to the front door
> to produce the plain text, if they are able to."

The Bill also permits the SoS to require "relevant operators" to
maintain or perhaps generate the ability to produce the plain text.

Probably the most important example is Forward Secrecy in eg TLS suites.
In order to maintain the ability to produce the plain text, relevant
operators can effectively be required to modify their systems to retain
the keys used rather than discarding them.

Some may consider that a required backdoor, but as the relevant operator
keeps the keys, and they are not available to Plod etc without a
warrant, I don't know whether it really counts. Maybe 1/2 a required
backdoor.

Of course there is a small problem for the SoS and/or Plod here - if an
effect of the modification to the system, eg removing the deletion of
keys, makes any of the content available to a person other than the
sender or recipient then it would be interception, and unlawful.

> In other words it's only the encryption applied internally by the CSP
> (or by someone acting on behalf of the CSP) which is involved. The
> classic (and now somewhat aged) example is 2G's A5/1.

Yep. Eg, crypto software writers are pretty much unaffected.

[..]

>> and the probable impact to the UK as a whole - especially given the
>> hugely broad definition of "Communication Service Provider"
>
> The measure is only expected to cover CSPs with more than 10,000
> customers

The term CSP or "Communication Service Provider" does not appear
anywhere in the Bill. Apparently they have gone all trendy, and are
"telecommunications operators" now.

"Expected to" - yeah, that sounds about typical.

-- Peter Fairbrother