Investigatory Powers Act - Government mandated backdoors
Peter Fairbrother
zenadsl6186 at zen.co.uk
Fri Dec 2 11:03:41 GMT 2016
On 01/12/16 16:11, Paul Brown wrote:
>
> I assume the list has seen
> http://www.theregister.co.uk/2016/11/30/investigatory_powers_act_backdoors/
> ?
Yes - more than a bit sensationalist, what with "backdoors" being
required everywhere.
The Bill stinks, but let's get the reasons it stinks right please!
> Mandatory notification to HMG of system architecture changes/patches
> which might impair the ability of the security services to snoop and
> decrypt customer data.
Yes - though there are limitations.
Section 6 (1) For the purposes of this Act, a person has lawful
authority to carry out an interception if, and only if—
(a) the interception is carried out in accordance with—
(i) a targeted interception warrant or mutual assistance warrant
under Chapter 1 of Part 2, or
(ii) a bulk interception warrant under Chapter 1 of Part 6,
Behaviour which amounts to interception would not be lawful even if
mandated under a Section 254 Technical capability notice (or under an
even-more-creepy section 253 [1] National security notice).
So while requiring _notification_ of changes/patches would be lawful,
any order to _modify_ those changes/patches which had the effect of
making content available would not be lawful.
[1] which afaict exists primarily so treeesa can say "We have National
Security letters too".
>
> Other than making the UK a place the EU probably won't allow data to be
> processed post brexit (or even pre-brexit), what are the views in this
> forum of the practicability of this, and the probable impact to the UK
> as a whole - especially given the hugely broad definition of
> "Communication Service Provider"
(I think you mean "relevant operator")
The lack of clarity is probably at least as much of a problem as the
breadth of the definition.
Subsection 262 (10) “Telecommunications operator” means a person who—
(a) offers or provides a telecommunications service to persons in the
United Kingdom, [...]
Subsection 262 (11) “Telecommunications service” means any service that
consists in the provision of access to, *and* of facilities for making
use of, any telecommunication system [..].
So to be a "relevant operator" you have to both provide access to a
telecomms system, and to provide facilities for making use of that system.
Which would include ISPs, no doubt. But would it include Apple,
Facebook, Twitter etc? Do they provide facilities for making use of a
system, and also provide access to that system?
This is not clear, but the system involved cannot be the internet itself.
It could be Twitter's own systems, as Twitter provide access to them,
but do they provide facilities for making use of their systems? I guess
they actually do right now, but do they have to?
Subsection 262 (13) “Telecommunication system” means a system [..] that
exists [..] for the purpose of facilitating the transmission of
communications [..].
A typical website, perhaps with shopping facilities? Is the purpose of
that to get shopping orders, or to facilitate the transmission of
communication of shopping orders?
An everyday website, just giving information about eg woodworking.
Doesn't that exist to facilitate the transmission of
information, and isn't that a communication?
"Transmission of communications" - so perhaps cloud backup storage
service providers are out, as they exist to store data, not to make
communications. Or perhaps not, they do send data from user to store and
store to user.
Subsection 262 (12) For the purposes of subsection (11), the cases in
which a service is to be taken to consist in the provision of access to,
and of facilities for making use of, a telecommunication system include
any case where a service consists in or includes facilitating the
creation, management or storage of communications transmitted, or that
may be transmitted, by means of such a system.
Where do you draw the line? This is all very unclear. Either that, or
they mean to include *everybody*..
-- Peter Fairbrother