Councils and police will continue to pass around sensitive data obtained using spying powers in the clear, after the government rejected calls to impose encryption. The proposal was made in response to a Home Office consultation on the Regulation of Investigatory Powers Act (RIPA), which allows hundreds of public bodies to …
If they are already passing around the data as .XLS workbooks, how the fuck does it become "not feasible" to encrypt that data, when even Excel has half-decent encryption options these days?
Mind you, if they did use password-based encryption I give pretty short odds on the chances of said password being included in plain text alongside the attachment.
The gubbmint tentacle where I work has banned sending encrypted emails in favour of - you guessed it - "password protected" ZIP files sent through the mail on a CD ROM. The reason? Encrypting emails is "too difficult" and "cannot guarantee security".
Idiots idiots idiots.
My flabber is ghasted
""It would be impractical to require all material obtained through the use of RIPA to be encrypted," it said."
Fucking retards the lot of them. Someone please LART these twats.
Apologies to the sensitive for my course language, but really, how long has PGP been around?
Quality - *just* what I needed.
Quality - I am sitting here laughing my head off..
A month ago I set up a system for email abroad (read: not in the UK or EU) that is managed under various bank and privacy laws. In other words, it requires anyone in the UK who wants to backdoor someone's privacy to be serious about it, because the casual "I think his dog is a terrorist" warrant issue won't work via international process. Typical clients are UK solicitors and private bankers.
There's more. The laws of the nation where it is hosted also imposes a duty of care of the information obtained via a warrant. Initially, only the investigating judge is allowed to see data so made accessible, and only when he or she deems the accusation proven and there is a case will the specific information be made available - to a small team with similar duties of care. The penalties for breaking that care are brutal - it is a criminal offence, so there is less enthusiasm to lose unencrypted CDs in the post or leave documents on the train (it's harder anyway because both actually work in that country).
So, in summary, hosting your email and data abroad will not help criminals because the right processes still exist. But it will stop the casual insider criminal from spilling your secrets or going on a fishing expedition because they don't like you. That's privacy done right.
In case someone thinks "but that means I'll be in violation of RIPA": no, YOU can be obliged to secretly provide data on your customer if you are a solicitor. But then you know. However, if you're a small office who has outsourced email and file hosting you will have no idea if data about your customer is leaking via your provider because making you aware is a criminal offence. All you will know is that YOU will take eventually the hit for someone screwing up and making that data public as you still have that duty of care - don't expect anyone in government or law enforcement to own up if they can get away with it..
Oh, and if you're a criminal planning to join - you have to pay by invoice. No credit cards, thanks.
Thank you, and goodnight.
Anon because El Reg knows who I am anyway :-)
Only a slight paraphrase...
To child: "Have you tidied your room?"
Child: "Yes, mum."
To world: "We do not believe it is proper for parents to preside over tidying when they would then have to inspect and judge the effectiveness of that tidying. But we are convinced that a better tidying regime is required, including the development of specific advice for children, and are working with others to develop it....
...It would be impractical to require all rooms in the house to be tidied. However, it is perfectly reasonable for members of the family to want reassurance that all appropriate steps are taken to protect the furniture. All family members have in place a variety of measures, including physical measures, the naughty step, and grounding, to ensure that a basic level of hygiene is maintained."
The other child: "Muuuuum, there's a dead body in Kevin's room...!"
Mine's under the body, could you just lift him up a bit so I can get at it?
So, if they can't be bothered to guarantee the integrity of the records they have, how can they prosecute using them?
To compare, if I were a computer forensics bod (I'm not, so correct me if I'm wrong), my understanding is that, in order to show viable evidence in a criminal prosecution, I would need to show that the chain of evidence, from the data source to the media shown in court, is all tamper-evident, i.e. no-one's changed it in any way.
So surely a case relying on this material could be blown wide open by the simple statement "Prove that your evidence has not been tampered with. Please explain what data security measures you have in place." Even the original data source becomes susceptible to tampering, so any sense of legal non-repudiation is destroyed.
(PS. Yes, I know that tamper-evident is not the same as 'cannot be read', but this gives me real doubts about a good chain of evidence via write-once media etc for this. Encryption ought to be a legal minimum.)
Crypto + RIPA == FAIL
Right, so let's get this straight...
Government fucktards can lock us up for keeping our private data private with proper encryption and refusing to give the key but they can't be locked up for disseminating private data because they can't be arsed to encrypt it?
I'd wish the entire cabinets' personal data was publically disseminated to show them why we don't want our perfectly innocent personal lives open to scrutiny but in the current culture of zero accountability the only people who'd benefit would be headline writers.
So their promises to store your seized keys....
...in a properly secured way were all lies then. If they can't secure the simple stuff then what happens if really sensitive passwords to things like web site, bank accounts and encryption keys are taken by the LEAs?
Clearly these people are far too important to have to take care of other people's data!
Sack the lot of them!
Simple solution -- stop collecting the data until you can secure it.
If it isn't feasible to encrypt the data then it isn't feasible to collect and distribute it, end of story.
So, fucktards, kindly stop passing information about your bosses* around unencrypted.
*Since we pay for the useless pieces of excrement we own them, not the other way around.
Citizens data does not matter
But they did get mightily upset when the Telegraph published some of their data ....
Retards = Wolf in sheep's clothing.
They don't give a Flying F#@k about all of us...
"continue to pass around sensitive data"
That should read, "continue to pass around OUR sensitive data"
Meanwhile they will make bloody sure THEIR sensitive data (like expenses) never leaks and if it does, there will be strong laws in place to burn anyone who dares to leak their data.
One law for the powerful, another for the peasants ... as usual. They really don't give a Flying F#@k about all of us.
Plus how many sub-contracted companies are going to be freely accessing our data.
“Such data were accessed by authorities using RIPA powers 504,073 times last year. “
Yeah and thats just the start of the nightmare. How many of the 504073 spying moves are by local councils yet even more shocking is that the arrogant self centered control freaks in government have now secretly give literally Police State powers to the local councils to allow them to enter our homes without the police! (even the police are angry about it!), so now the councils are free to be their own police force, to enter our homes and are allowed by the new law changes to take our property for minor offenses like council tax.
So what the hell happens if you live in a flat where a previous tenant has failed to pay their council tax! ... I've been in that situation and had the loud and angry council debt collection bailiffs waking me up, just so I could prove to them I'm not who they are after. Thankfully I got through to them. Now imagine poorly trained arrogant local council thugs with the power of some kind of Police State SS being able to enter our homes and take our property as and when they choose and by taking it they personally profit from it because councils will sub-contract this work out. Its utterly jaw dropping they have so quietly sneaked this law past us all. i.e...
So now they refuse to protect our data. Almost every move of this government keeps showing the bloody minded control freaks in power don't care about us at all. We are just the peasants that our ever more powerful masters are free to keep spying on and bullying around however they bloody well choose, with utter contempt for protecting us.
I don't see how we can suffer at least another 6 months of this government, they need to be thrown out now. They keep showing they are too dangerous to trust at all with our privacy, freedom, liberty and even democracy.
If it is not encrypted, then all reasonable steps have not been taken! Encryption is not hard. Any moron can do it! And I should know, I am one of those encrypting moron.
"in order to show viable evidence in a criminal prosecution I would need to show that the chain of evidence, from the data source to the media shown in court, is all tamper-evident, i.e. no-one's changed it in any way"
A reasonable definition although there are a few other requirements as well. However, a few weeks ago, el Reg carried an item that the Geheime StaatsPolizei (sorry; Metropolitan Police force) are trying to get this revoked to make it easier to secure a conviction - presumably on the basis that "you own a computer = you are a terrorist"
If you encrypt the data or uses hashes then it becomes difficult to add a couple of extra phone numbers/addresses to the investigation to help your mate on another case.
I wonder what tinpot institution qualified these arseholes to make such judgements. Especially considering that Central Gov has shown itself to be incapable of securing its own dirty washing over the years.
why am i not surprised
oh, and by the way, you're not allowed to look at ANY of our information...at any time.
I support this product and/or service.
It makes so wonderfully clear that the government likes words as long as they don't have to understand what they mean. Too bad their reassurances sound vacuous enough to obviate the need to fund outer space exploration. Carry on government.
Information wants to be free...
"The almost invariable practice is to sent data, unencrypted, as CSV or XLS files. From [communications provider] to [public body], and then on to everyone else."
... and then onto a USB stick, and then on for a little train ride...
I like this consistency. If the gov believes they have the right to snoop on every byte of data transferred over the 'net, then it is only fair that the rest of the world should get glimpse as well... that's applied Freedom of Information.
I wonder what dictionary they're using.
Practical: "... physical security measures, security procedures, staff vetting and training ..."
@Simple solution -- stop collecting the data until you can secure it.
I'm sure that is the only solution that never occurred to them.
Things could be worse. In the USA the NSA remains unapologetic for all the things they never admitted to. However, the outsiders who used to be insiders have turned public discourse into a futile search for a spell checker. I have to go to El Reg for a board to read. I believe the current President's surname to be 'Obama', but I haven't seen it spelled that way in months. Unfortunately this indicates that the people who think bad spelling would fool the NSA probably didn't understand what they were supporting before. Sometimes it is better to hear 'Tough Shit' than to hold your breath until they come to their senses.
- Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
- Analysis Oh no, Joe: WinPhone users already griping over 8.1 mega-update
- Leaked pics show EMBIGGENED iPhone 6 screen
- Opportunity selfie: Martian winds have given the spunky ol' rover a spring cleaning
- OK, we get the message, Microsoft: Windows Defender splats 1000s of WinXP, Server 2k3 PCs