On 21/11/16 15:02, Cannon wrote:
> 1. I wonder what effects this will have on encryption.
> Since encryption cannot be "decrypted on demand" if it is good encryption, this means that likely true encryption will be banned in UK?
If you get served an order, you probably can't use forward secrecy. That's about all that has changed in respect to encryption. There are other changes, mainly to required communications data retention regimes for ISPs, which are far more invasive in civil liberty terms.

Mechanisms to require decryption have been in place for years, since 2000 with RIPA, and some before. FSVO "much" they don't actually get used much, but they are there. This part of the new Act only takes away the ability to say "I can't do it, I don't have the means (the key)", and only on some people (communications service providers), and only after they have been served an order to keep the "means of decryption".

An order under the new Act is only an order to, effectively, keep records of keys used - a requirement to disclose them or use them to decrypt ciphertext takes a warrant which is much harder to get. (Though those warrants are not as hard to get as they should be, or used to be - the Act changes that too, in a way which I personally believe is much more sinister in terms of the quantity of surveillance than anything the Act does in the new orders.)

Note, it only applies to those who have been served an order to keep keys used - and an order can only be served on communications service providers; it cannot be served on private individuals or most [1] internet sites.

You can, partly, still use FS - supposing you used Diffie-Hellman, you would have to keep a record of your key-establishing secrets, rather than discarding them. Which mostly nullifies the point of using FS: however not totally - the other party, if they haven't been served an order, could discard their key-establishing secrets.

Oh, and if Bob is not a "communications service provider", or is one but hasn't been served an order, or is outside the UK, then that part of the Act has no effect on Bob or Alice at all. :)

The Home Office are shooting themselves (or rather us, the UK) in the foot a bit here. Very minor gain, lots of bad.

[1] But not all websites are exempt. If a site allows communications between individual visitors (rather than just between visitors and the site) then it can be served an order. Or at least that's what the Home Office said, though I don't entirely agree that that is what the actual effect [2] of the Act will be. So most social media sites can be served an order to keep keys used, or eg if they don't use FS but do use SSL/TLS they would have to keep their private keys if served an order.

[2] eg it is unlikely, but perhaps a little uncertain, that cloud providers, or something like Apple iCloud, could be served an order.
> 2. And what are the details on allowing hacking, does this mean that spooks can lawfully bulk hack anyone/everything?
Almost anyone, in theory at least - but not everyone.
> And for those who say "this does not affect me, I do not live in UK", yes this does affect everyone. A lot of your internet traffic gets routed all over the world including UK before reaching destination.
Yes.
> Any data captured by UK on you can be shared with your government without probable cause or suspicion of crime. This is done through intel sharing agreements within spy alliances such as FVEY.
Yes. Though I don't see how a boycott would change this, international traffic would still get routed through LINX.
> For security concerns I propose we boycott all and any technology, products, services, or businesses based in UK that comply with "the law" and have anything to do with technology or communications out of security concerns.
Any of those based in the UK will in practice have to comply with any orders served on them. Though some might float canaries. I don't think a boycott would achieve much.
> What government is doing here is fragmenting society and industry by making the "legal white economy" incompetent, weak, and insecure through excessive intervention and laws that are not compatible with modern times.
Agreed.
> While any company that wants to succeed and keep their data and operations secure will have to resort to the free market system "black economy" since government made rules are incompatible with modern era of technology. Then the free market will thrive as the "white economy" based businesses will rightfully suffer as a result of compliance.
Perhaps - though it probably won't happen in the UK :(

-- 
Peter Fairbrother
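As an added illustration of the forward-secrecy point in the reply above (example code, not part of the thread): with ephemeral Diffie-Hellman, a recorded transcript plus one side's retained key-establishing secret is enough to re-derive the session key, since g^(ab) = (g^a)^b, regardless of whether the other side discarded theirs. The group parameters and the stream cipher are constructed for the demo only; they are not parameters to deploy.

```python
import hashlib
import secrets

# Constructed demo parameters: a prime modulus and generator for classic
# (finite-field) Diffie-Hellman. Not a vetted group; real deployments use an
# RFC 3526 / RFC 7919 group or an elliptic-curve exchange such as X25519.
P = 2**255 - 19
G = 2


def dh_keypair():
    """Fresh ephemeral 'key-establishing secret' and its public value."""
    x = secrets.randbelow(P - 2) + 2
    return x, pow(G, x, P)


def session_key(own_secret, peer_public):
    """Shared secret g^(ab) mod p, hashed into a 32-byte session key."""
    shared = pow(peer_public, own_secret, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def keystream_xor(key, data):
    """Demo stream cipher (not for real use): XOR with SHA-256(key || counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def run_session(bob_keeps_secret):
    """One Alice->Bob message. Returns what an interceptor recorded on the
    wire, plus whatever Bob still holds afterwards (his secret, or None)."""
    a_secret, a_public = dh_keypair()
    b_secret, b_public = dh_keypair()
    key = session_key(a_secret, b_public)
    assert key == session_key(b_secret, a_public)   # both sides agree
    ciphertext = keystream_xor(key, b"meet at noon")
    del a_secret, key        # Alice discards her secret and the session key
    transcript = {"a_pub": a_public, "b_pub": b_public, "ct": ciphertext}
    return transcript, (b_secret if bob_keeps_secret else None)


def recover_plaintext(transcript, retained_secret):
    """What the recorded transcript plus Bob's retained secret yields later."""
    if retained_secret is None:
        return None          # nothing to re-derive the key from: FS holds
    key = session_key(retained_secret, transcript["a_pub"])
    return keystream_xor(key, transcript["ct"])
```

Run `run_session(True)` for a Bob under an order to keep keys used, and `run_session(False)` for one who discarded his ephemeral secret as normal; only the first transcript can be opened later.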