Investigatory Powers Act - Government mandated backdoors
zenadsl6186 at zen.co.uk
Fri Dec 2 11:03:41 GMT 2016
On 01/12/16 16:11, Paul Brown wrote:
> I assume the list has seen
Yes - more than a bit sensationalist, what with "backdoors" being
The Bill stinks, but let's get the reasons it stinks right please!
> Mandatory notification to HMG of system architecture changes/patches
> which might impair the ability of the security services to snoop and
> decrypt customer data.
yes - though there are limitations.
Sesction 6 (1) For the purposes of this Act, a person has lawful
authority to carry out an interception if, and only if—
(a) the interception is carried out in accordance with—
(i) a targeted interception warrant or mutual assistance warrant
under Chapter 1 of Part 2, or
(ii) a bulk interception warrant under Chapter 1 of Part 6,
Behaviour which amounts to interception would not be lawful even if
mandated under a Section 254 Technical capability notice (or under an
even-more-creepy section 253  National security notice).
So while requiring _notification_ of changes/patches would be lawful,
any order to _modify_ those changes/patches which had the effect of
making content available would not be lawful.
 which afaict exists primarily so treeesa can say "We have National
Security letters too".
> Other than making the UK a place the EU probably won't allow data to be
> processed post brexit (or even pre-brexit), what are the views in this
> forum of the practicability of this, and the probably impact to the UK
> as a whole - especially given the hugely broad definition of
> "Commmunication Service Provider"
(I think you mean "relevant operator")
The lack of clarity is probably at least as much of a problem as the
breadth of the definition.
Subsection 262 (10) “Telecommunications operator” means a person who—
(a) offers or provides a telecommunications service to persons in the
United Kingdom, [...]
Subsection 262 (11) “Telecommunications service” means any service that
consists in the provision of access to, *and* of facilities for making
use of, any telecommunication system [..].
So to be a "relevant operator" you have to both provide access to a
telecomms system, and to provide facilities for making use of that system.
Which would include ISPs, no doubt. But would it include Apple,
Facebook, Twitter etc? Do they provide facilities for making use of a
system, and also provide access to that system?
This is not clear, but the system involved cannot be the internet itself.
It could be Twitter's own systems, as Twitter provide access to them,
but do they provide facilities for making use of their systems? I guess
they actually do right now, but do they have to?
Subsection 262 (13) “Telecommunication system” means a system [..] that
exists [..] for the purpose of facilitating the transmission of
A typical website, perhaps with shopping facilities? Is the purpose of
that to get shopping orders, or to facilitate the transmission of
communication of shopping orders?
An everyday website, just giving information about eg woodworking.
Doesn't that exist to facilitate the transmission of
information, and isn't that a communication.
"Transmission of communications" - so perhaps cloud backup storage
service providers are out, as they exist to store data, not to make
communications. Or perhaps not, they do send data from user to store and
store to user.
Subsection 262 (12) For the purposes of subsection (11), the cases in
which a service is to be taken to consist in the provision of access to,
and of facilities for making use of, a telecommunication system include
any case where a service consists in or includes facilitating the
creation, management or storage of communications transmitted, or that
may be transmitted, by means of such a system.
Where do you draw the line? This is all very unclear. Either that, or
they mean to include *everybody*..
-- Peter Fairbrother
More information about the ukcrypto