Oh UK.gov. Say you're not for weakened encryption – Google and Facebook

Facebook, Google, Microsoft, Twitter and Yahoo have called on the UK government to explicitly state it does not intend to weaken encryption in the forthcoming Investigatory Powers Bill, in a jointly submitted statement published today. The statement was one of 120 pieces of written evidence which have been submitted to the …

  1. td0s

    Banks

    I wonder where the banks stand on this? They have masses to lose with the weakening of encryption, who would want to send their card details over a plain text connection? I would think they also have more clout with our tory overlords.

    1. Anonymous Coward

      Re: Banks

      card payments are small amounts

      Weakening CHAPS would be a lot of fun

      1. Warm Braw

        Re: Banks

        >Weakening CHAPS would be a lot of fun

        They don't need to. There are enough "for the detection and prevention of crime" exemptions in relation to the privacy of financial transactions already to permit the routine monitoring of payments.

        1. Anonymous Coward

          Re: Banks

          But these exemptions don't give ISIS access to your money like compulsory weak encryption will.

      2. Graham Marsden
    2. Naselus

      Re: Banks

      The banks don't give a shit. Their remote banking encryption is already laughable by modern standards, and the main emphasis of their reaction to the internet has been using it to push as much responsibility as possible onto the user rather than themselves. You have barely any protection from internet banking fraud; the bank can and will claim that the end user is responsible for any breach (due either to being 'lax with passwords' or failing to secure their own computer to the standard necessary).

    3. NoneSuch Silver badge

      Move your businesses from the UK into a country with proper privacy laws. Simples.

      1. Chris Parsons

        Downvoted for being so unimaginative as to say 'simples'.

    4. Dan 55 Silver badge

      Re: Banks

      They only dropped MD5 when mainstream browsers dropped it, so as another poster said above, they don't give a shit.

    5. Captain DaFt

      Re: Banks (Caution: Post may contain traces of cynicism)

      "I wonder where the banks stand on this?"

      They're overjoyed. Now instead of spending potential bonus money on improving security, they just sit back and watch everyone else's security brought down to their level.

  2. Anonymous Coward

    If you've trusted the likes of Facebook, Google, Microsoft, Twitter or Yahoo with your communications then you're already hosed.

  3. Will Godfrey Silver badge
    Unhappy

    All together

    They would not listen,

    They're not listening still.

    Perhaps they never will.

    1. Anonymous Coward

      Re: All together

      we're not listening, be grateful that "we hear what you're saying", PLEBS.

  4. Anonymous Coward

    One crime one warrant

    Theresa May signs off on warrant to obtain Microsoft emails for purpose of terrorism investigation X.

    Judge signs off on it, yes X is valid.

    Microsoft compelled to comply.

    X is kept secret, so GCHQ/Agency demands EVERYTHING, on pinky swear promise to filter it for X without saying what X is.

    A privacy inspector with 1 full time employee asks them once a year if they did anything naughty with that data.

    They swear they've been nice.

    Each year their huge data center gets bigger and bigger with no explanation as to why.

    *******

    The judge has no way of ensuring X.

    Microsoft has no way of ensuring X, because it's compelled to hand over everything covered regardless of jurisdiction, (FFS Microsoft hold Parliament's emails, every fucking country will have access to every UK email, political, passwords, trade secrets when they do the same).

    X is kept secret so no data is ever deleted because no test of "relevant to X" is ever made.

    The Data inspector is a joke. He's a man in an office given the mushroom treatment. Theresa May reveals a massive extra-legal database and he never knew about it?!

    *****

    The only way this could ever work is THE NORMAL LEGAL WAY. Judge issues a warrant for a specific criminal investigation about specific targets. Microsoft is told to hand over SPECIFIC data as per the warrant targets. It is told X under court order. Microsoft bound to keep target secret if judge demands. But only for a short time during investigation. By default target is told and gets opportunity to challenge the warrant.

    You want to spy on Merkel? On the EU? So you phrase a law that is to provide cover for this under guise of bulk data set filtering. In the process you create a domestic STASI that is easily turned against the UK.

    Parliament rejected this with very very good reason, and it was right to do so.

    1. paulc

      Re: One crime one warrant

      "Theresa May signs off on warrant to obtain Microsoft emails for purpose of terrorism investigation X."

      the real problem is that she doesn't even read them... if she were to actually read every one that lands on her desk and asked questions, she'd be tied up completely... she just signs them en masse, probably with a rubber stamp...

      https://www.privacyinternational.org/node/665

      |In 2014, the home secretary authorised 2,345 interception warrants. As pointed out by her Conservative colleague David Davis MP: "If she is having to sign off 10 warrants a day, she can't possibly do it with the proper scrutiny needed."|

      it's actually worse, that 10 a day assumes she isn't taking holidays or other absences...

      1. Blofeld's Cat
        Big Brother

        Re: One crime one warrant

        " ... In 2014, the home secretary authorised 2,345 interception warrants. ... "

        Perhaps a more enlightening statistic would be how many she refused to authorise. My guess is it wouldn't be a very large number - possibly even zero.

        1. P. Lee

          Re: One crime one warrant

          >Perhaps a more enlightening statistic would be how many she refused to authorise.

          "Perhaps a more enlightening statistic would be how many she read"

          FTFY

          Ten warrants for every working day? This is why we want judges not the home secretary approving these things. The implementation of law is the work of the judiciary, not the legislature. That helps make sure it's non-political.

      2. tom dial Silver badge

        Re: One crime one warrant

        Fewer than 2,500 intercept warrants in the UK for a year amounts to around 1 for each 20,000 adults. That may actually not be unreasonable provided the number of people targeted in each warrant is sensible, the duration of the warrant is not too long, and there are legal constraints on use of the collected data. I suspect those are generally true in the UK, which seems to have a decent government overall.

        While it is not sensible to think the Home Secretary spends much personal time examining the warrants for appropriateness or legal compliance, that does not imply that the office does not have employees who do so as part of their jobs, as both legal and political matters.

        On the other hand, in the US, with a population roughly five times that of the UK, 2014 saw a total of 3,554 intercept warrants (1,279 federal and 2,275 state or local), for an average of about 1 per 65,000 adults. The average duration appears to have been about 33 days each. It is not clear that these numbers are exactly comparable to those quoted for the UK, and they are for content interceptions only and do not include orders for delivery of metadata.

      3. Anonymous Coward

        Re: One crime one warrant

        "In 2014, the home secretary authorised 2,345 interception warrants"

        Take a look at these warrants, e.g. GPW/1160 is authorization to backdoor anti-virus software.

        You might think we're talking 2345 targets (or perhaps less than 10000), actually we're talking about 2345 *bulk data feeds*.

        Bulk data obtained by warrant is fishing. They found this magic way to bypass the judiciary, simply scream "terrorist" and demand a bulk data set for some "filtering" that only they can do. He grants it, they go fishing for their full/real agenda (which is often political).

        So now we have these Stasi f*kers with a massive database and no control mechanism threatening the UK.

        And Mr David Stasi & Mrs Theresa Stasi want to legalize the bulk data set principle in law, trying to move the judiciary officially into a more vague toothless watchdog role.

    2. Doctor Syntax Silver badge

      Re: One crime one warrant

      "The only way this could ever work is THE NORMAL LEGAL WAY"

      Agreed but let me extend this. There needs to be a feedback mechanism to ensure the whole procedure isn't being used for fishing expeditions.

      The requester is obliged to report all warrants to the regulator along with the results. The regulator compares the percentages of results from different requesters. Anyone who has anomalous results gets investigated and the judges are kept aware of the various requesters' results. And spot checks are made to ensure the requester's returns are correct.

      As there's a risk of regulatory capture between requesters & judges the judges could be given feedback to compare their percentages of successful warrants with their brother judges.

      Finally the statistics are summarised in the regulator's annual report.

    3. Naselus

      Re: One crime one warrant

      "Microsoft compelled to comply."

      Or to lock the whole thing in an endless loop of appeals, as they have been doing to the US gov. MS should really publicize that more, tbh; it's costing them hundreds of thousands of dollars a day in fines and would earn them a lot of good will compared to the Win 10 snoopathon.

  5. Pen-y-gors

    Report publication?

    Why will they wait until 11th Feb to release a report that was probably written before the enquiry started?

  6. Mike Bell

    Doughnuts

    "we believe the best way for countries to promote the security and privacy interests of their citizens, while also respecting the sovereignty of other nations, is to ensure that surveillance is targeted, lawful, proportionate, necessary, jurisdictionally bounded, and transparent."

    Why do I have a vision of Homer Simpson in my mind's eye? He - and most Tory ministers - will be thinking about doughnuts half way through that sentence.

  7. Anonymous Coward

    Amsterdamned!

    Seeing the Netherlands just did the exact opposite of the UK Tory farce I think I will move there.

    http://www.computerweekly.com/news/4500269857/Security-experts-support-Dutch-stance-on-encryption

    1. Anonymous Coward

      Re: Amsterdamned!

      We wrote about this on 4 January - http://www.theregister.co.uk/2016/01/04/dutch_government_says_no_to_backdoors/

  8. MikeeMiracle

    Wrong debate

    The government does not want to weaken encryption for all the obvious security reasons already provided.

    They want a back door to get access to the encrypted information which is a quite different request.

    They are also clueless about technology and believe that the only reason a back door cannot be provided is because the tech industry has not tried to produce such a system as opposed to it not being technically possible to do.

    1. Doctor Syntax Silver badge

      Re: Wrong debate

      Apart from using deliberately weak encryption there are at least a couple of ways such a back door could be provided, both of which, of course, are simply disasters waiting to happen as far as legitimate users are concerned and easily bypassed by the intended targets.

      One is for the application to lodge the key with the network operator or directly with the govt. The other is for the govt to issue a public key to the application so that all messages would be encrypted twice, once with the user's key & once with the govt's key and the two versions combined in the message format so the govt can decrypt intercepts without approaching the network operator. The immediate issue, of course, is which govt? Probably the 5 Eyes would get together on that. The big problem, of course, is that the escrow key store would be a major target for hackers and a single private key would sooner or later be leaked, effectively decrypting all messages.

      The result of introducing such an arrangement would be a rash of 3rd party applications offering end-to-end encryption, either generally available or through the dark net.

      What part of "it won't work" do governments not understand?

    2. WatAWorld

      Re: Wrong debate

      Asking for a back door is by definition asking for encryption to be weakened.

      You can't create an encryption system where there are extra backdoor keys that are distributed to the NSA, GCHQ, CSEC, and their counterparts in Australia, New Zealand, Russia, China, Germany, France, Congo, Nigeria, Myanmar, etc. without weakening security.

      1. tom dial Silver badge

        Re: Wrong debate

        "Asking for a back door is by definition asking for encryption to be weakened."

        No, it is not necessarily doing that. Key escrow does not weaken encryption in the sense that it is more vulnerable to cryptanalysis. It weakens the security of encrypted messages by sharing keys with a third party, requiring that the communicants trust that the escrow agent will keep the keys safe from exploitation by those from whom the messages are to be kept secret. That is a quite different matter.

        An upstanding, trusting citizen might have no particular problem trusting the government to do that. Criminals surely would object for obvious reasons. The great majority of those living under democratic regimes probably will object, if asked, on the general principle that while the agents of the government usually do not misbehave, they have been known to do so, and also that the key escrow with any third party increases the probability that criminals will obtain and use them for ill.
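
Added example, not part of any comment in this thread: a sketch of the two-recipient message format discussed above, showing that the cipher is unchanged but one escrow private key opens every user's traffic. It wraps a per-message key twice (a common variant of encrypting the body twice); the toy 127-bit group, the SHA-256 stream cipher and all names are assumptions for illustration and are not secure.

```python
import hashlib, hmac, secrets

# Toy group for illustration only (assumption): a 127-bit prime is far too
# small for real use; a real design would use X25519 or RSA-OAEP.
P, G = 2**127 - 1, 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def _stream(key, data):
    # SHA-256 in counter mode as a stand-in stream cipher (XOR is its own inverse).
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def wrap(content_key, recipient_pub):
    # ElGamal-style key wrap: fresh ephemeral key for each recipient slot.
    eph_priv, eph_pub = keypair()
    kek = hashlib.sha256(pow(recipient_pub, eph_priv, P).to_bytes(16, "big")).digest()
    return eph_pub, _stream(kek, content_key)

def unwrap(slot, priv):
    eph_pub, blob = slot
    kek = hashlib.sha256(pow(eph_pub, priv, P).to_bytes(16, "big")).digest()
    return _stream(kek, blob)

def encrypt(plaintext, user_pub, escrow_pub):
    # One random content key per message, wrapped once for the user and once for escrow.
    ck = secrets.token_bytes(32)
    body = _stream(ck + b"enc", plaintext)
    tag = hmac.new(ck + b"mac", body, hashlib.sha256).digest()
    return {"body": body, "tag": tag,
            "user": wrap(ck, user_pub), "escrow": wrap(ck, escrow_pub)}

def decrypt(msg, slot, priv):
    # Returns None when the private key does not match the chosen slot.
    ck = unwrap(msg[slot], priv)
    expect = hmac.new(ck + b"mac", msg["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, msg["tag"]):
        return None
    return _stream(ck + b"enc", msg["body"])

def demo():
    # Constructed sample users and messages.
    alice_priv, alice_pub = keypair()
    bob_priv, bob_pub = keypair()
    escrow_priv, escrow_pub = keypair()
    to_alice = encrypt(b"constructed message for alice", alice_pub, escrow_pub)
    to_bob = encrypt(b"constructed message for bob", bob_pub, escrow_pub)
    return {
        "alice_own": decrypt(to_alice, "user", alice_priv),
        "alice_on_bob": decrypt(to_bob, "user", alice_priv),
        "escrow_all": [decrypt(m, "escrow", escrow_priv) for m in (to_alice, to_bob)],
    }
```

A user's key opens only that user's messages, while the escrow key opens all of them, which is why the escrow key store becomes the single point of failure.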

  9. Yet Another Anonymous coward Silver badge

    No need to weaken encryption

    Just have a single national shared password.

    If there are any concerns about security it could be changed regularly.

    1. Naselus

      Re: No need to weaken encryption

      Make sure that it has at least 8 characters, a capital letter, and a number. And then put it up on sticky notes on every TV and monitor in the land. It's the ultimate security move.

      1. WatAWorld

        Re: No need to weaken encryption

        And just to make sure nobody forgets that week's national password, stickers could be mailed out to be stuck on the bottom of everyone's keyboard.

      2. allthecoolshortnamesweretaken

        Re: National password

        Please, don't give them ideas... I would be prepared to bet* that some of the people in charge would actually go for this...

        *provided that you are the punter and I am the bookie

  10. Anonymous Coward

    off topic

    Bit off topic but these debates always remind me of someone I worked with a few years ago. He wanted some building work done at home. He got three similar quotes from some local builders and didn't quite know how to choose between them. Luckily his wife was a receptionist at the local county court. So she went into work and looked up the three builders on the court's computers. Two of them had CCJs (county court judgements) against them, so that cleared up the choice nicely.

    Imagine your neighbour is a low level civil servant with access to your family's complete browsing history. Of course if this worries you, then you are probably a terrorist.

    1. WatAWorld

      Re: off topic

      It would certainly make finding partners for kinky sex a lot easier for those lucky enough to be civil servants.

      Also having ready access to your teenage daughter's sext messages would reduce the time spent hunting for amateur porn sites.

      Plus no need to strike for higher wages when you can simply choose investments based on the internal mails of company directors.

  11. Anonymous Coward

    it does not intend to weaken encryption

    no comment

  12. Scott Broukell
    Coat

    Fine by me - I never use encryption at the weekends.

  13. WatAWorld

    Chekism is where we're headed.

    from Wikipedia: "Chekism (from Cheka, the first Soviet secret police organization) is a term to describe the situation in the Soviet Union and contemporary Russia, where the secret political police control everything in society."

    If we are not already there, Chekism is where we're headed.

    Our secret police (GCHQ) will have so much on so many Britons there will be no pool of future politicians who could defy them.

    Look already at how the NSA and GCHQ have done universal internal spying against the wishes of and formal testimony made to the lawmakers of the USA and UK, and look at how there have been no repercussions for those who either broke the law by spying internally or broke the law by perjuring themselves.

    It is only a matter of time before our secret police exert the same supreme control on our industry that they do on our government.

  14. WatAWorld

    You guys can rage on about "Tory Ministers" but remember it was Labour

    You guys can rage on about "Tory Ministers" but remember it was "Labour" who set the precedents with the RIP Act.

    Labour or Tory, Democrat or Republican, they all act the same, probably because they're all acting on 'orders' from their secret police overlords. (Maybe not 'orders', but 'recommendations they dare not question'.)

    1. P. Lee

      Re: You guys can rage on about "Tory Ministers" but remember it was Labour

      > they all act the same, probably because they're all acting on 'orders' from their secret police overlords.

      Your post was all going so well until then. :)

      There doesn't need to be a secret overlord when there are common values and interests: cover up my wrong-doing, make myself look better by having dirt on other people's wrong-doing.

      When people serve Self, the worship always looks the same, whether it's politicians, the police, CEOs, middle-management, the chap down the pub or me.

  15. Anonymous Coward

    Wrong debate

    So let's see ... Google, Facebook, Apple and other global corporates with fundamentally commercial motivations, who collect bulk data in spades and are, in practice, beyond any practical governance or oversight, want to retain a monopoly on gathering ever increasing quantities of data about all of us?

  16. scrubber
    Megaphone

    The Soup Dragons were ahead of their time..

    Don't be afraid of your freedom!

  17. PapaD

    Business opportunity

    So, time to set up/buy shares in VPN offering companies?

  18. Tez B

    Ruinous hysteria: Tory policy

    We all have a great deal to lose if the prevailing, ludicrous UK government ideology wins out. The Dutch (as has often in the past been true over many contentious social issues) so far seem to be taking a more measured, rational and realistic stance.

    This is not simply a matter of human rights and privacy (crucially important though these matters undoubtedly are). What Cameron & co propose will, effectively, break the internet. Without uncrackable and hole-free encryption most of what we currently expect from the net -- including virtually all financial and commercial transactions -- will cease to be secure.

    You might imagine that a Tory regime would protect and even prioritise the needs of business users but evidently our current rulers are too blinkered and short-sighted to notice that they are shooting themselves (and all their corporate cronies) in the feet...
