Wednesday, 27 April 2016

Good question from @LordStras on #IPBill today - shame about the answer!

Lord Strasburger asked at 15:20 today:

My Lords, paragraph 217 of the Investigatory Powers Bill gives the government almost unlimited powers to force, in secret, companies to, I quote: "remove electronic protection" from their products. Could the minister tell the house how the government intends to use this power in the increasingly frequent case where a company has designed the security of its products so that even the company itself is incapable of unlocking the equipment or decrypting the data. Will Apple, and others, be require to redesign their products so that they can break in to them, or will they be required to stop selling them in the UK?

Lord Keen seems to totally miss the point, and ends up, after several questions, stating: There is no question of encryption keys being weakened. There is no question of encryption keys being made available in response to a warrant. The encryption key would remain wholly in the possession of the provider of the service. The warrant will ask that they apply the encryption key in order to provide the decrypt. So there is no weakening of any encryption in these circumstances.

I am sorry, but (a) why can they not answer a straight question, and (b) do they really not understand?

A company can make their communications system, like Apple with iMessage, so that Apple do not have the keys to decrypt the communications. So that the key does not "remain wholly in the possession of the provider of the service" and so that it is not reasonably practicable for them to decrypt the messages.

The question is whether paragraph 217 could be used to force a company to redesign such a system so that they do have access to keys. The problem is that if they do this they are weakening the encryption system. They are not following best practice. They are making the communications more vulnerable to attack.

Think about it for a second - any step that changes from "government cannot see message" to "government can see message" (even under strict rules) has to be a step to weaken the encryption in some way. One more person being able to see the message means it has weaker encryption.

Lord West goes on to repeat the stupidity of saying that there can be no place for terrorists and pedophiles to communicate - as if he wants to outlaw multiplications. As I have pointed out so many times, anyone, with no more than pen and paper and dice, can send secret communications without a "service provider" providing the encryption, and without a way for GCHQ or NSA to crack the encryption. That is a fact of life and mathematics and no amount of legislation or speeches in the Lords can change that. Get a clue Lord West, please.

7 comments:

  1. Could always email him at his parliamentary address and ask him to clarify his answer?

    ReplyDelete
  2. > There is no question of encryption keys being made available in response to a warrant. The encryption key would remain wholly in the possession of the provider of the service.

    That makes sense — the power to compel a provider to hand over keys exists already in s49 RIPA, which is not being modified by the bill, so this power need not replicate it.

    ReplyDelete
  3. I like to think that when I don't know anything on an issue, I don't open my mouth but instead research things.

    Over and over we see this ignorant morons talk about things they have no knowledge of. I've long been convinced that to become a politician you have to master the art of knowing nothing while thinking you know everything.

    ReplyDelete
  4. On a tangent, I'm sorely tempted to email every MP and Lord out there and tell then I will be able to easily prevent them from seeing what I'm up to if the IP Bill is logged.

    If nothing else, telling them they're a bunch of fools who have no knowledge of the technology and that technical circles laugh at them will be cathartic.

    ReplyDelete
  5. It's quite scary that these idiots are involved in running our country, when they actually don't have much of a clue.

    ReplyDelete
  6. Not only do they have no clue, they have "no mates". Why doesn't parliament employ competent specialists to advise them on such matters before they make utter fools of themselves? Someone that the government, MPs and Lords could ask about anything technical, who in turn could relay questions to other top specialists quickly as needed.

    ReplyDelete
  7. What they asking cannot viably happen, it would require all sorts of software vendors to change their ethos and make major technical changes to how enceyption works, the uk is just a small bit player in a large global market, even if this came law the uk gov would simply be ignored.

    ReplyDelete