Leaked: The UK's secret blueprint with telcos for mass spying on internet, phones – and backdoors

The UK government has secretly drawn up more details of its new bulk surveillance powers – awarding itself the ability to monitor Brits' live communications, and insert encryption backdoors by the backdoor. In its draft technical capability notices paper [PDF], all communications companies – including phone networks and ISPs …

  1. streaky

    Heh

    "as well as effectively make unbreakable encryption illegal"

    Not convinced it does this, but let's pretend it does - it's a technology war they'll lose, so they're welcome to go proverbially nuts.

    1. Anonymous Coward
      Anonymous Coward

      Re: Heh

      It does not restrict the use of encryption. What it effectively prohibits is the provision of encryption by carriers. So customers just have to get their encryption from somewhere else.

      This has been the position in New Zealand, for example, for some time. As a tool for nobbling local companies competing in the data security space, it'll probably work a treat. As a way of stopping the use of strong encryption, not so much.

    2. Thought About IT

      Re: Heh

      I'm not sure that they haven't already lost the technology war. See this short video about Signal at theintercept.com.

      1. Anonymous Coward
        Anonymous Coward

        Re: Heh

        Signal, developed by Whisper Systems, is literally based in the US.

        If you truly need privacy in your communications, relying on the product of any US based company is not a bright idea.

        1. Thought About IT

          Re: Heh

          Maybe, but if being based in the US is your criterion for not trusting encryption, iPhones and Android are not safe, so we may as well not even try. theintercept.com came about as a result of Glenn Greenwald publishing Edward Snowden's revelations, so they are very strong on encryption and I'm inclined to trust their recommendation of Signal.

          1. Anonymous Coward
            Anonymous Coward

            Yes but was it Snowden

            Yes, but was it Snowden that recommended Signal (wants god access)?

            1. Thought About IT

              Re: Yes but was it Snowden

              Yes, it was Snowden's recommendation: https://whispersystems.org/

              1. Anonymous Coward
                Anonymous Coward

                Re: Yes but was it Snowden

                Yeah, I'd need to know more about the reasoning behind his recommendation, and how resistant he feels they'd be to pressure.

    3. Oh Homer
      Big Brother

      "not be allowed to introduce true end-to-end encryption"

      Sorry, totalitarian rulers, but unless you plan on using technical measures to physically block access to foreign (as in beyond your jurisdictional powers) VPN privacy services, what you plan to "allow" is of no consequence.

      Although I fully expect that such services will in fact eventually end up being deemed "illegal", in principle, even if it's beyond their power to actually stop us using them.

    4. gareth-coffey

      Re: Heh

      So by that statement, the encrypted backdoors the Gov plan to deploy should also use encryption that is breakable.

      I wonder how many of these backdoors will be exploited on day zero, and who will be responsible for the cleanup ... shift the blame to telcos? Probably

      1. Anonymous Coward
        Anonymous Coward

        Re: Heh

        I quite like the idea of outlawing encryption. It'll make DRM illegal too, won't it?

        Or have I misunderstood...

  2. Tom Chiverton 1

    Are you willing to go to jail for owning a compiler, or running Linux? That's where this will end up...

    1. Steve Davies 3 Silver badge

      Going to Jail?

      They'd better build a wall around the country then. Anyone who owns an Android is running the Linux kernel, and as for Apple... HMG can go sing before they give up their encryption or put backdoors in their iDevices. The FBI and NSA have already hit that brick wall.

      1. tom dial Silver badge

        Re: Going to Jail?

        The draft does not seem to say this - it seems aimed at communication carriers. On the other hand, is there anything to prevent another order, or perhaps a new law, requiring devices sold in the UK with manufacturer provided encryption be decryptable by the manufacturer, much the same as this order appears to require carriers to be able to decrypt communications encrypted by or for them?

        1. Anonymous Coward
          Anonymous Coward

          Re: Going to Jail?

          Seems like a cunning plan to put local ISPs out of business. They will flee to overseas providers as private data gets hoovered, bank transactions get hijacked and everyone is massively defrauded. The entire UK internet user base will be transformed into low-hanging fruit if this shit ever passes.

          Unless of course the HMG thought all this through carefully, just like the NSA and CIA did. Good luck with that.

      2. Anonymous Coward
        Anonymous Coward

        @Steve Davies 3 - Re: Going to Jail?

        I'm sorry, Steve, but I have to get you down from your high horse because Android poses no problem to mass surveillance lovers. On my beautiful shiny Samsung Galaxy S6 an application I want to shut down (because I don't use it) will always be restarted, and the button to disable it is greyed out. More than that, I disabled notifications from this application and now it sends me notifications to alert me that it can't send me notifications. My wife's LG pesters her to download and install Evernote and there's no way to tell it to shove off. This is to prove that you have absolutely no control over Android; somebody else has, so it can't protect you like Linux would do. Linux trusts and obeys you while Android does not, even though it runs a Linux kernel.

        1. tiggity Silver badge

          Re: @Steve Davies 3 - Going to Jail?

          Android rooting is your friend

          1. Anonymous Coward
            Anonymous Coward

            Re: @Steve Davies 3 - Going to Jail?

            Not using Android or iOS at all is a much smarter move.

            Trusting a rooted Android is just as stupid as trusting any mainstream OS.

            Except you have slightly more control, but a leaky bucket is still leaky.

          2. Conall O

            Re: @Steve Davies 3 - Going to Jail?

            Can confirm.

          3. Neil Alexander

            Re: @Steve Davies 3 - Going to Jail?

            "Android rooting is your friend"

            Deliberately circumventing platform security is not your "friend" and certainly shouldn't be the expectation that users have to get the functionality they want.

            Send a message with your money, people. Don't buy crap phones.

        2. Anonymous Coward
          Anonymous Coward

          Re: @Steve Davies 3 - Going to Jail?

          Maybe you should consider a technically competent choice of phone over the big brand loyalty.

          I have an OP3...never get nagged for anything and can easily disable their "Oxygen" layer.

          1. Anonymous Coward
            Anonymous Coward

            Re: @Steve Davies 3 - Going to Jail?

            "Maybe you should consider a technically competent choice of phone over the big brand loyalty."

            100% agree, your problem is not with Android, but with LG and Samsung. My Nexus doesn't do anything like this, runs the latest Android version and gets monthly security updates. Android isn't one thing, it's thousands of things; don't assume they are all the same.

    2. Anonymous Coward
      Anonymous Coward

      Most if not all Linuxes already have compromises. It ain't as easy as just installing Linux.

    3. TheSkunkyMonk

      Then God help those with PIC programmers.

  3. Dr Stephen Jones

    Encryption is not made "illegal"

    Ineffective, maybe, since the sender can't guarantee the security of their communication.

    Making encryption "illegal" would mean plod knocking on your door if you actually use it. Or sell it.

    This proposal is bad enough. There is no need for hyperbole.

    1. diodesign (Written by Reg staff) Silver badge

      Re: Encryption is not made "illegal"

      By illegal we mean it outlaws the implementation of truly secure encryption. You, as an individual, using it may not be in trouble, but you, an app developer, will be if your product doesn't obey a technical capability notice served on it (that's a backdoor with a fancy name).

      C.

      1. Anonymous Coward
        Anonymous Coward

        Re: Encryption is not made "illegal"

        you, an app developer, will be if your product doesn't obey a technical capability notice

        And if the app was developed in (say) Canada but downloaded and used in the UK, who does the TCN get served on?

        1. Anonymous Coward
          Anonymous Coward

          Re: Encryption is not made "illegal"

          The ISP from what I got from the document which means they will block them, leaving it in the best interest of app designers to put the back door in.

        2. This post has been deleted by its author

        3. Anonymous Coward
          Anonymous Coward

          Re: Encryption is not made "illegal"

          "And if the app was developed in (say) Canada but downloaded and used in the UK, who does the TCN get served on?"

          Everyone.

      2. streaky

        Re: Encryption is not made "illegal"

        outlaws the implementation of truly secure encryption

        That's the end of the economic system as we know it. Quantum key distribution is out, VPNs are out, SSH is out. This will never happen.

        what I got from the document which means they will block them

        They can block my outbound SSH if they're willing to pay my wages until I'm 70, or they can do one. I'm happy to take this to court. If they're not blocking SSH then the law is moot.

      3. Rob D.

        Re: Encryption is not made "illegal"

        > but you, an app developer, will be [in trouble]

        Is that correct? From the PDF, "A technical capability notice imposes obligations on a telecommunications operator or postal operator in order to" implies that this could not be applied to an app developer per se, although it could be applied to an app delivered by a telco or postal operator.

        There may be more to read in the full act et al, but I didn't see anything applying to individuals. Although that could be the next logical step.

        Regardless of the scope though, this proposal does appear to place an obligation on telcos etc to undermine the fundamental security of the communication systems they provide in a manner that can eventually be subverted by ne'er-do-wells. I did particularly like the obligation to design for the hacking of any supplied equipment, "1. To provide and maintain the capability for interference with equipment to be carried out, for the purpose of obtaining communications, equipment data or any other information ..."

        1. Dan 55 Silver badge

          Re: Encryption is not made "illegal"

          "14. To consider the obligations and requirements imposed by any technical capability notice when designing or developing new telecommunications services or telecommunication systems."

          That there looks like banning e2e encryption and building in realtime monitoring.

          1. Dr Stephen Jones

            Re: Encryption is not made "illegal"

            If my Auntie had balls she'd be my Uncle.

            "Looks like" doesn't cut it. Encryption has not been banned in the UK. The UK has reserved the right to punch a hole in it whenever it wants to, and it will probably be unsuccessful.

            This is a disturbing development, but not a surprising one.

            1. Dan 55 Silver badge

              Re: Encryption is not made "illegal"

              If you're a developer in the UK making something that can be considered a telecoms app or service, you need to avoid e2e encryption and build in real-time monitoring; otherwise, if you are told to give up data on someone, you won't be able to respond in 24 hours with the data they ask for and therefore you will have broken the law.

              They even tell you to consider this law when designing your app or service.

              But no, there's no "we ban e2e encryption" clause. Why would there need to be if you end up in a whole heap of trouble anyway?

        2. Anonymous Coward
          Anonymous Coward

          Re: Encryption is not made "illegal"

          "To provide and maintain the capability for interference with equipment"

          Another reason NOT to use the ISP-supplied router.

      4. Adam 52 Silver badge

        Re: Encryption is not made "illegal"

        "you, an app developer, will be"

        It's vague, but the legislation reads very much as if app developers aren't included because they don't provide end points. The same wording was used in previous legislation that never covered apps. However an enterprising policeman might argue that Skype, for example, is a communication provider.

        1. Dan 55 Silver badge

          Re: Encryption is not made "illegal"

          He doesn't need to argue, Skype etc... already are covered:

          A telecommunication service is defined at Clause 223(13) as ‘a system that exists for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electromagnetic energy’.

          Privacy International

          1. Anonymous Coward
            Anonymous Coward

            Re: Encryption is not made "illegal"

            And thus anything "over the top" can be argued not to be a "telecommunication service".

            VPN - that runs "over the top" of TCP/IP. PGP messages can't transmit themselves.

            1. Synonymous Howard

              Re: Encryption is not made "illegal"

              TCP runs over the top of IP ... IP (typically in the U.K.) runs over the top of MPLS etc ... so where the line gets drawn will be up to judges.

              1. Blacklight

                Re: Encryption is not made "illegal"

                Again, it's the over the top services that will be the "fun".

                MPLS/BGP/TCP et al can be inspected, as it's a known protocol. If the packets going up/down said wires turn out to contain encrypted stuff, that's WAY beyond the OpCo's wires, and the telcos will simply go "meh" as it's not in their domain to control, unless they start doing DPI and are ordered to block anything they can't decode.

                In which case we'll see digital steganography of another kind. Stuff will look like/be valid traffic, and just be nonsense, with anything relevant buried in some way that'll be harder to spot.

          2. Anonymous Coward
            Anonymous Coward

            Re: Encryption is not made "illegal"

            If you even slightly care about privacy, you won't be using Skype.

          3. thondwe

            Re: Encryption is not made "illegal"

            That's a horrible piece of English. Could argue this only covers electrical and electronic hardware? Skype is facilitated by using a system based on these, but could just as well use Naval Flags or the CLACKS to transmit, but does not actually directly "facilitate the transmission of communications by any means involving the use of electrical or electromagnetic energy".

            Several hundred million in legal fees later...

          4. Anonymous Coward
            Anonymous Coward

            Re: Encryption is not made "illegal"

            A telecommunication service is defined at Clause 223(13) as ‘a system that exists for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electromagnetic energy’.

            Interesting. Returning to pneumatic tube technology may be worthwhile after all. As long as it's pumped by hand.

            1. jake Silver badge

              Re: Encryption is not made "illegal"

              Not pneumatic tube. Carrier pigeon. It's been in the wild for over a quarter century. I've seen it in action, and it works nicely for small messages. See: RFC 1149

            2. Anonymous Coward
              Paris Hilton

              Re: Encryption is not made "illegal"

              Fnar, fnar! He said 'pumped by hand'. Paris, obviously....

          5. Anonymous Coward
            Anonymous Coward

            Re: Encryption is not made "illegal"

            "telecommunication service is defined at Clause 223(13) as ‘a system that exists for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electromagnetic energy’."

            So the Post Office is not a telecommunications provider but someone using smoke signals is?

            1. Truckle The Uncivil

              Re: Encryption is not made "illegal"

              The Post Office uses electrical power. In lighting if nothing else. It all depends on how broadly it is interpreted.

          6. Robert Grant

            Re: Encryption is not made "illegal"

            Get the Clacks towers up and running, people.

        2. P. Lee

          Re: Encryption is not made "illegal"

          Hence Skype is "Cloud", not p2p anymore. MS has too much to lose if leaned upon.

          So no large telecoms provider can provide e2e encryption. That means you have to do your own. I'm not sure that changes much, if you are at all interested in privacy.

          In short, you probably shouldn't trust anyone with a significant amount of money to lose from non-compliance. It doesn't matter how much encryption your application does if the OS taps the microphone.
