Thursday, 14 July 2016
Will anyone buy a UK crypto solution ever again?
There was a long debate on the matter last night, and Earl Howe seems to miss the point.
Assuming that technical capability orders will be allowed that provide for a capability to remove protection from communications, it basically means that UK companies can be (secretly) banned from making encryption systems that are actually secure (where nobody but the parties communicating can ever see the communication).
So let's ask...
Would you buy this dodgy crypto product?
Would the UK government, e.g. the Home Office, buy encryption solutions from a company in a country where they know that country's government can secretly force the supplier to have included some sort of "back door"? (Whatever you call it, a means for third-party access to the communications.)
I'd actually like to see that question asked in the Lords ^^^
I think the answer would be no, and the same would be true for anyone wanting to buy some encryption solution...
Indeed, I have to wonder if the UK government would buy encryption solutions from UK providers after this, as they know that UK providers are basically not allowed to make a solution that is truly secure any more. The UK will have to buy crypto solutions from some other country!!!
On whom do you serve a technical capability order for open source code?
This is a biggie. The idea is to stop UK companies making secure solutions. Well, the idea is to stop anyone, even those not in the UK, but there is no jurisdiction to do that. But what if the supplier is not just "not in the UK" but "not an entity" at all?
Open source comes from a collection of people contributing to source code that can be seen. Even if you tried to order one contributor to dumb down the solution, that could not be done in secret: their change can be seen and removed by the "community".
Why do we need this?
The government want no safe place for a terrorist to communicate. That means there is no safe place for anyone to communicate as any system will not know if the user is a terrorist or not. That is what they want, and have clearly stated that.
But this law will simply mean UK providers cannot provide a safe place, for anyone, to communicate. It does not mean there are no safe places.
There are many ways to communicate secretly, including apps and solutions from non-UK providers and open source solutions. Heck! Even pen, paper and dice.
So a person that wants to communicate secretly can do so with very little effort.
The people affected by this are the users that just want the convenience of using a product or service securely. Such products and services will not be allowed to exist, at least from UK suppliers. So those users suffer, as does the whole UK crypto industry.
The criminals do not suffer at all!