Wednesday, 20 January 2016

Forget the technology

I am not sure I dumbed it down enough on the last post, so here goes.

The government have said they are not requiring "weakening the security of internet services", good.

The security of internet services is such that it is possible for two people to communicate where it is impossible (in any practical sense) for a third party to see that communication (without one of the people telling them).

This is privacy, and it is important, as it saves us from criminals where that third party is a criminal.

But, the government have said they want "access the content of communications of terrorists and criminals".

But as we said, the security of internet services now can (and often does) mean it is impossible for a third party (even if that third party is the police) to access the content of communications.

There is a way to make it possible, obviously, and that is called "weakening the security of the internet".

Do you see the contradiction now?

The exact technicalities do not change that fundamental contradiction.


  1. Put it in practical terms for them maybe.

    Show them a TSA lock.

    Tell them how good the lock is, that it allows the TSA, the police, anyone really, to check bags whilst making them secure.

    Then tell them any idiot with a credit card - any baggage handler who feels he's underpaid and wants a new iWhatsit, any drug smuggler in Bangkok, anyone at all - can get that key.

    Ask them if they feel safe using the lock now.

  2. > they want "access the content of communications of terrorists and criminals" [but] they are not requiring "weakening the security of internet services"

    Is there a contradiction here?

    I may *want* something, but there may be limits (legal, policy (such as not wanting to weaken Internet security), inherent / physical / mathematical) to what I can actually get: I may have to accept that I cannot have what I want.

    1. Fair point, well, a pedantic one. There is an issue if they cannot have what they want, as that means worse laws, IMHO.

    2. Well, there does seem to be a contradiction, simply by virtue of them trying to pass a new law.

      (1) They don't want to weaken the security of the internet. i.e. they will leave the technical side alone and allow technology companies to build systems as secure as possible, including end-to-end encryption.

      (2) They say they need new laws to allow access to the communications of terrorists. Existing laws allow them to demand that service providers hand over any data they have access to, so it seems no new law is required. The only reason I can see for needing new legislation is to force service providers to decrypt more data than they currently can. This means weakening the protocols, which goes against what they already said in (1).

    3. > Existing laws allow them to demand that service providers hand over any data they have access to, so it seems no new law is required

      Two quick points about changes to permit more access to "the communications of terrorists" which are changes to the position today:

      - existing laws may permit them to demand data, but the duty of a provider to actually hand it over is more limited, short of being served with a court order. One of the changes is to bring a wider range of data within the "duty to provide".

      - existing laws are more limited in terms of what providers can be required to retain, for subsequent disclosure. One of the changes is to broaden this.

    4. And, the scope of who may be served (i.e. who is a communications provider) has been massively widened.

  3. > a pedantic one

    Thank you!

    > There is an issue if they cannot have what they want, as that means worse laws, IMHO

    I think that quite a lot of laws are compromises, when the promulgator's desired policy position conflicts with the wishes of others — see, for example, the network and information security directive, where the original requirement was to impose security obligations on all providers of information society services, and it has now been watered down and watered down and watered down.

    A problem, to my mind, is where the law could be read in a way as to demand things which are impossible, rather than the promulgator accepting that their policy cannot be achieved, and so drafting legislation within the parameters of what is possible. If the HO's position here is only to require providers to provide interception product free of their own encryption (whether that involves capturing encrypted then removing, or just capturing in the clear in the first place), don't include any wording which could indicate an obligation to remove third party encryption.