UK gov says new Home Sec will have powers to ban end-to-end encryption

Zenaan Harkness zen at freedbms.net
Sun Jul 17 04:37:47 PDT 2016


On Sun, Jul 17, 2016 at 09:28:49AM +0100, Peter Fairbrother wrote:
> On 17/07/16 02:42, Zenaan Harkness wrote:
> >On Sat, Jul 16, 2016 at 06:02:57PM +0100, Peter Fairbrother wrote:
> >>On 16/07/16 09:28, Georgi Guninski wrote:
> >>>Hope this is not duplicate, the personal drivels were quite
> >>>noisy.
> >>>
> >>>http://www.theregister.co.uk/2016/07/14/gov_says_new_home_sec_iwilli_have_powers_to_ban_endtoend_encryption/
> >>>
> >>>>UK gov says new Home Sec will have powers to ban end-to-end encryption
> >>>
> >>>Very sound, nice and democratic...
> >
> >First part:
> >
> >>Things said in the Lords (or Commons), even by Government spokesmen, have
> >>approximately zero legal significance. To a very close approximation.
> >>Practically speaking, indistinguishable from zero.
> >>
> >>What the Courts look at is the wording of the Act.
> >>
> >>Which in this case is pretty bad, but not a power to ban end-to-end
> >>encryption.
> >>
> >>In fact, it doesn't affect most in-use forms of end-to-end encryption at
> >>all.
> >
> >Second part:
> >
> >>"Relevant operators" are persons who provide "any service that consists in
> >>the provision of access to, and of facilities for making use of, any
> >>telecommunication system (whether or not one provided by the person
> >>providing the service) [... including] any case where a service consists in
> >>or includes facilitating the creation, management or storage of
> >>communications  transmitted, or that may be transmitted, by means of such a
> >>system."
> >>
> >>That would include many commercial sites who use SSL/TLS. If you put a
> >>"contact me" link on your web pages, you are a "relevant operator". Gimme
> >>your SSL keys!
> >
> >I'm not sure how you can say the first part above, in the face of
> >quoting and saying what you do in the second part.
> >
> >>That's what the Bill actually says, if you read it carefully. Like RIPA, it
> >>is opaque beyond the point of obscurity, and it takes a lot of reading.
> >
> >You quoted the relevant part, thank you. That part does not take much
> >reading to see how bad it truly is, even though the rest (unquoted) of
> >the bill may be massively opaque.
> 
> Actually, just finding that in the Bill wasn't easy - and it isn't a single
> part, it's taken from at least five different places in the Bill. If it
> seems clear, then I did a good job putting them together.

Jolly good show ole chap! Jolly good show...

Listen up everyone, we have a humble servent of thee who doth provide
copious work products for thy glory and satisfaction. Please, do think
of the humble!



Here we go round the mulberry bush, the muleberyy bush, da mulled bree
bush, here we go ... ahem, ok, ok, I'll stop there.

Here we go again - now watch closely, I'll only do this once; it's a
magic trick see, so if I do it twice, it spoils the fun. Now:



First part:

> Thing is, while the Bill isn't good, it doesn't have anything at all to do
> with banning end-to-end encryption. Or banning any sort of encryption.


Second part:

> It can require "relevant operators" to maintain some backdoors, most
> obviously in mobile link encryption and some VPNs and other encrypted links
> which are operated by "relevant operators".
>
> Less obviously, it can be applied to some websites and the like.


Third part, which is really the first part repeated, for kicks:

> But there is no power to ban encryption anywhere in the Bill.


TADAAA!!!


And the winner is - no one! This is sad. The bill is sad. Your
interpretation is self contradictory. Your quotes are clear. The clarity
iluciferdated is appreciated. You contra conclusions are a weird kinda
magic trick.

But hey, feel free to keep saying black is white - at least I'm enjoying
it :D



> If you as a private person apply the encryption yourself, there is no power
> in the Bill to make you backdoor it (though there have been powers in RIPA
> to enforce demands for keys in some circumstances since 2001), and there is
> no power to prevent you from using encryption.

OK, I'll help out here - read this paragraph just above again, then
without blinking (I'm serious now) read the following paragraph three
times:

> >>"Relevant operators" are persons who provide "any service that consists in
> >>the provision of access to, and of facilities for making use of, any
> >>telecommunication system (whether or not one provided by the person
> >>providing the service) [... including] any case where a service consists in
> >>or includes facilitating the creation, management or storage of
> >>communications  transmitted, or that may be transmitted, by means of such a
> >>system."

I'm getting lazy, so I'm going to trust you to point out to us, in
simple terms, your own contradiction, e.g. how a commieputer program
running on my phone, and talking to Juan or Applebaum's phone which is
likewise running the same program, how this program for example could be
considered to be encompassed by "any service", with me, running that
program as the "relevant operator" of my telemaphone, which service so
operated consists of provision (to me the operator, likewise to Juan or
Appelbaum at the other end as mentioned) of "access to" or at the very
least "facilitates for making use of" a certain "telecommuniscations
system" provided by my ISP/Telco (and likewise by/for Juan or Applebaum
at the other end as previously mentions), and further which program
manages the latency of, facilitates the creation of the connection, and
optionally stores for the operator the data thereby transmitted, or that
may be transmitted next time I operate this sytsem, my means -of- the
system.

Again, I'll leave it to you to point out such an example for the benefit
of our loyal, deserving and patronising readers.



> >>Good points? Only encryption which has been applied by a  "relevant
> >>operator" is affected -
> >
> >So something is good, or potentially good - let's find out what:
> >
> >>at least until the Home Secretary makes regulations
> >>otherwise (which under the Bill she can do).
> >
> >In other words, the bill doesn't automatically affect the status quo of
> >existing websites (website certificates?) because, well who knows,
> >that's the current interpretation but tomorrow's interpretation can just
> >as well be "hand over your keys bitch, or you're going to jail" even if
> >you are Facebook or Google (though the "going to jail" bit, if it were
> >possible, would be a good outcome for Facebook for example ... alas, I
> >dream)!
> >
> >And the determination of who has to hand over keys (i.e. who is a
> >"relevant operator") is nothing more than whatever the Home Secretary
> >(currently female it seems)
> 
> Yep, we have a brand new female Home Secretary. The old one is now Prime
> Minister ...
> 
> (and she's madder than Mad Maggy Thatcher ever was 8-(
> 
> says! Perhaps next week is her bad week of
> >the month and your free speech website (nicely TLSed with personally
> >issued and in person verified certificate provider keys etc) happens to
> >have a discussion which pushes her (the Home Secretary's) trigger word
> >buttons.
> >
> >And you say this is GOOD?!
> >
> >WTF? Am I misunderstanding something here?
> 
> I was not clear - while the HS can extend the notices to eg include other
> forms of encryption

(I'll assume those particular forms of encryption are those particular
forms of encryption not covered by the Act of course, since as you so
magnanimously pointed out, the Act does not ban any end to end
encryption.)


> not applied by "relevant operators", she cannot serve
> notices on, or force any other obligation on, anyone except "relevant
> operators".

Ahh ok, so so long as I am not added to her unilaterally designated and
completely hidden (for national security purposes of course) "no fly"
list, whoops sorry, I mean "may not end to end encrypt" list, i.e. as
long as I am not designated as a terrorist, whoops sorry again, I mean
"relevant operator",

which I am not entitled to know about,

and for which, if I were so designated, either individually or as a
class, say "those humans who have subscribed to cypherpunks list, made a
phone call to Iraq or Syria, made any donation to Greenpeace (those
bloody terrorists), or used the Tor Browser Bundle, attended a Communist
Party event, participated in an Occupy protest, or have any family
member who protested against Vietnam war, Falklands war, Afganistan war,
the cold war or any other way,

then I should be ok to keep using end to end encryption?


> If you are a private citizen and you aren't providing a service,

Which for example if I am running Linphone in a VM on CyanogenMod on my
mobile handset, I could never be "considered to be providing or
operating or managing and potentially providing access to" any
"telecommunications service" to myself, with or without "conference
room" audio facility to connect a few Libyans in a conference call, or
...

Can you see the picture?


> she can't prevent you from doing any encryption you like,
> nor can she make you backdoor it.

As long as ALL of the above conditions are met, and ALL of the
conditions we have not yet thought of are met, by me, then I should be
A-OK, she'll be right mate, just end to end encrypt right on brother...

right?


> PGP is okay,

Woah! Awesome. Thanks Peter for your legal interpretation of that Act
and its exemption for PGP!

Come on guys, now swap out libtorcrypt.so and plug in libgpgcrypt.so
instead - Peter tells us that'll be A-OK and we'll all get a free ticket
for facilitating our end to end voice, text, chat and video calls to any
and all, right around the world!


Jump on the Free Train - We live in a dee-mock-crass see?

Sing it brother, we are SAVED! Sing it from the hill tops!


> and there's not a thing in the Bill which says she can do
> anything to ban it.

Phew! Pete, brother, you really had me going there for a while I really
thought we were all fucked..


> Neither can she stop people using SSL/TLS, or except in the case of some
> UK-based servers, mandate backdoors in it.

Ahh ok, so as long as Juan or Applebaum don't run their phone directory
and voice service daemon on their mobile handset, in the geographic
territory called UK, only THEN are we all ok.

Shit, I dunno WHAT to believe. Peter, you make it so confusing?


> She could in theory serve a notice on Google, Apple or Facebook - but in
> practice, none of these would actually be obligated to obey it.

Because they could never be classified by her as relevant operators -
only terrorist would ever be so classified.



   Ladies, and, Gentlemen!

   We have conclusion!



> >Sounds as good as North America's endless extra-judicial drone killings
> >(that's murder, and despotic, in case it's not otherwise obvious to
> >you).
> >
> >>Bad points? It doesn't do anything at all against the clued-up terrorist or
> >>criminal. It decreases security for legitimate actors and businesses.
> >
> >You say that as though there are good points, see above.
> >
> >
> >>BTW, things said in the Lords (or Commons), even by Government spokesmen,
> >>have approximately zero legal significance. What the Courts look at is the
> >>wording of the Act.
> >
> >Thanks for quoting the relevant part of the act, and letting us know
> >that the definitions for "relevant operator"s will be handed down extra-
> >judicially by the Home Secretary.
> 
> err, no - that one is defined in the Bill, she can't change the meaning of
> "relevant operator".
> 
> She can change some of the things she requires "relevant operators" to do -
> but if you aren't a "relevant operator" she can't require you to do
> anything.

Wellllll ... Peter ... you certainly cleared all that up. The bill only
applies to relevant operators, which could never be Facebook or Google,
probably could never be end user operators, unless possibly their bodies
are physically located in the UK, but it's likely the new Act would
apply to terrorist, but we're not sure, we do no it will likely harm
Facebook and Google, but it doesn't apply to them because no court would
ever uphold that they are relevant operators.


Peter, we mere humans are eternally grateful. Please, do come again...



More information about the cypherpunks mailing list