Wednesday, 27 April 2016
Good question from @LordStras on #IPBill today - shame about the answer!
My Lords, paragraph 217 of the Investigatory Powers Bill gives the government almost unlimited powers to force, in secret, companies to, I quote: "remove electronic protection" from their products. Could the minister tell the house how the government intends to use this power in the increasingly frequent case where a company has designed the security of its products so that even the company itself is incapable of unlocking the equipment or decrypting the data. Will Apple, and others, be require to redesign their products so that they can break in to them, or will they be required to stop selling them in the UK?
Lord Keen seems to totally miss the point, and ends up, after several questions, stating: There is no question of encryption keys being weakened. There is no question of encryption keys being made available in response to a warrant. The encryption key would remain wholly in the possession of the provider of the service. The warrant will ask that they apply the encryption key in order to provide the decrypt. So there is no weakening of any encryption in these circumstances.
I am sorry, but (a) why can they not answer a straight question, and (b) do they really not understand?
A company can make their communications system, like Apple with iMessage, so that Apple do not have the keys to decrypt the communications. So that the key does not "remain wholly in the possession of the provider of the service" and so that it is not reasonably practicable for them to decrypt the messages.
The question is whether paragraph 217 could be used to force a company to redesign such a system so that they do have access to keys. The problem is that if they do this they are weakening the encryption system. They are not following best practice. They are making the communications more vulnerable to attack.
Think about it for a second - any step that changes from "government cannot see message" to "government can see message" (even under strict rules) has to be a step to weaken the encryption in some way. One more person being able to see the message means it has weaker encryption.
Lord West goes on to repeat the stupidity of saying that there can be no place for terrorists and pedophiles to communicate - as if he wants to outlaw multiplications. As I have pointed out so many times, anyone, with no more than pen and paper and dice, can send secret communications without a "service provider" providing the encryption, and without a way for GCHQ or NSA to crack the encryption. That is a fact of life and mathematics and no amount of legislation or speeches in the Lords can change that. Get a clue Lord West, please.