Friday, 5 May 2017

Is end to end encryption banned?

The register has reported on the horrifying technical capabilities that the government is introducing now we have the Investigatory Powers Act (here).

One of the key points is: That includes encrypted content – which means that UK organizations will not be allowed to introduce true end-to-end encryption of their users' data but will be legally required to introduce a backdoor to their systems so the authorities can read any and all communications.

My first comment, as always, is that this targets non-criminals - the normal users of communications, and makes us all more vulnerable to criminals by introducing exploitable back doors. The criminals wishing to communicate can do so - encryption is not made illegal as such, just that encryption applied by, or on behalf of, the telco has to be breakable. It will not even be suspicious to use encryption as even MPs do this, and so do many web sites you visit - the telco will not be able to see the content of https sessions, for example.

So criminals are in the clear - just in case any criminals were worried about this...

However, it does not necessarily mean end to end encryption is banned. For a start, it is only going to be practically enforceable against UK companies. But even then, as long as the encryption is applied by (or on behalf) of someone that is not a communications provider, that should be fine. End to end encryption is applied by, on on behalf of, the end users, not the telco.

This may mean that is someone makes an end to end encrypted communications app, they may have to be a separate company that does the app itself, and manages keys, to the company that passes the data or manages end point addressing. I don't believe that just making a device or writing an app puts you under this crazy regime. I am sure someone will say if I have that wrong.

So it should mean FireBrick IPsec tunnels are fine.

The complication would come where we "manage" the FireBrick for a customers, and that may have to change at some point. However, we normally don't actually manage any IPsec for people, we advise on how to set up keys and configure things but don't have access to those keys ourselves as an ISP.

The fact that encryption will still be legal, and practical, and usable by criminals, just shows how bloody stupid this all is, and what a waste of public money it is (money we could be spending on the NHS).


5 comments:

  1. I don't get this at all if it only applies to "communications providers" unless the definition of "communication providers" changes?

    I'm not aware of any UK "communication provider" who supplies IP-layer encryption to consumers?

    Is this not really just about monitoring the L2TP/whatever tunnels ISPs use? Presumably some peering is done via said tunnels at LINX and non-UK companies - or even at AMS-IX where UK law doesn't apply. Access to the tunnel at source (in the UK) would seem to be the intent here?

    I suspect (as is sadly now normal) El Reg has gone for a clickbait article rather than a more nuanced article as in days of old :)

    When VPNs on mobile networks get blocked is the time to worry. Mobile networks in the UK are the "canary in the coalmine" as bad stuff invariably happens there first.

    What happens after May "gets her mandate" and we're away from the ECJ is another matter. I doubt it'll be good given a recent YouGov poll was asking this in Tory areas of the UK last week:

    https://wingsoverscotland.com/wp-content/uploads/2017/04/ygf.jpg

    and this :

    https://wingsoverscotland.com/wp-content/uploads/2017/04/IMG_9099.jpg

    Scary that polls are being commissioned to ask this. Scarier still that the MSM don't call them out on it anymore.....

    ReplyDelete
  2. Would mean the isp can't use https for their portals...

    ReplyDelete
  3. The open rights group have the paper up here:

    https://www.openrightsgroup.org/ourwork/reports/home-office-consultation:-investigatory-powers-(technical-capability)-regulations-2017

    I don't think in this case El Reg have oversold it that much.

    ReplyDelete
  4. Presumably it stops an ISP like AA from running all their backhaul traffic over IPSec. This means that instead of having to snoop individual ISPs, UK.gov only need to bother with BT, TT etc.

    ReplyDelete
    Replies
    1. Not really, if we did IPSec ppp (as some ISPs do) then not applied by BT so BT do not have to remove it. Also for data retention they are not allowed to ask BT to snoop AAISP traffic (but they might ask BT anyway). Issue is the Orr providers like WhatsApp getting an order.

      Delete