Thursday, 14 July 2016

Will anyone buy a UK crypto solution ever again?

The Investigatory Powers Bill is progressing through the Lords, and facing some stupid issues still.

There was a long debate on the matter last night, and Earl Howe seems to miss the point.

Assuming that technical capability orders will be allowed that provide for a capability to remove protection from communications, it basically means that UK companies can be (secretly) banned from making encryption systems that are actually secure (i.e. where nobody but the parties communicating can ever see the communication).

So let's ask...

Would you buy this dodgy crypto product?

Would the UK government, e.g. the Home Office, buy encryption solutions from a company in a country where they know that country's government can secretly force the supplier to include some sort of "back door"? (Whatever you call it, a means for third-party access to the communications.)

I'd actually like to see that question asked in the Lords ^^^

I think the answer would be no, and the same would be true for anyone wanting to buy some encryption solution...

Indeed, I have to wonder if the UK government would buy encryption solutions from UK providers after this, as they know that UK providers are basically not allowed to make a solution that is truly secure any more. The UK will have to buy crypto solutions from some other country!!!

On whom do you serve a technical capability order for open source code?

This is a biggie. The idea is to stop UK companies making secure solutions. Well, the idea is to stop anyone, even those not in the UK, but there is no jurisdiction to do that. But what if the supplier is not just "not in the UK", but "not an entity" at all?

Open source comes from a collection of people contributing to source code that anyone can see. Even if you tried to order one contributor to dumb down the solution, that could not be done in secret: their change can be seen, and removed, by the "community".

Why do we need this?

The government want no safe place for a terrorist to communicate. That means there is no safe place for anyone to communicate, as no system can know whether or not a user is a terrorist. That is what they want, and they have clearly stated that.

But this law will simply mean UK providers cannot provide a safe place, for anyone, to communicate. It does not mean there are no safe places.

There are many ways to communicate secretly, including apps and solutions from non-UK providers and open source solutions. Heck! Even pen, paper and dice.

So a person that wants to communicate secretly can do so with very little effort.

The people affected by this are the users that just want the convenience of using a product or service securely. Such products and services will not be allowed to exist, at least from UK suppliers. So those users suffer, as does the whole UK crypto industry.

The criminals do not suffer at all!


  1. This reminds me of the control they're also trying to get in place that porn websites validate the age of the user.

    It's completely pointless.

    There are more porn websites outside the UK than inside, and the chance of a child stumbling across a UK one is much less than a non-UK one!

    All it does is disadvantage UK porn makers ... a legal industry!

    It will drive porn out of the UK, closing UK businesses and reducing employment...

    Now I think of it maybe that's the point? Not to protect the children but to drive that "sinful" porn business out of the UK!

    1. Or, if one were feeling cynical, a precursor to blocking content from outside the UK "because it doesn't adhere to UK 'think of the children' regulations".

  2. Do you know that the union flag is upside down?

    1. Did you know the country is somewhat in distress? Of course I did!!!!

    2. You can't say whether or not it's upside down without knowing where the flag pole is. Provided the pole is to the right of that flag, it's fine.

  3. At "Official" classification, the govt approved encryption products (remote access) are generally provided by US companies, e.g. Cisco and Microsoft.... So we're all set there.

    Interesting side thought, does the IP bill require snooping on traffic transiting a private (non-internet) network?

    What if AAISP start providing a PRIVATE UK network to UK citizens for peer-to-peer communications, along with an international gateway to the internet (e.g. the private network gateways to the internet outside of the UK)?

    1. I think the IP bill can pretty much do what it likes, but I'll be reviewing when it comes into law to see what can be done.

  4. These politicians are unbelievable. Is there a way to get through to them and educate them?

  5. What this means is that we will have to go back to dialup connections for our credit card transactions.