Britain and Apple Fucking Your Privacy

Peter Fairbrother peter at m-o-o-t.org
Mon Nov 21 11:08:25 PST 2016 

On 21/11/16 15:02, Cannon wrote:
> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
>
> 1. I wonder what effects this will have on encryption.
>
> Since encryption cannot be "decrypted on demand" if it is good
encryption, this means that likely true encryption will be banned in UK?


If you get served an order, you probably can't use forward secrecy.

That's about all that has changed in respect to encryption.

There are other changes, mainly to required communications data 
retention regimes for ISP's, which are far more invasive in civil 
liberty terms.

Mechanisms to require decryption have been in place for years, since 
2000 with RIPA, and some before. FSVO "much" they don't actually get 
used much, but they are there.

This part of the new Act only takes away the ability to say "I can't do 
it, I don't have the means (the key)", and only on some people 
(communications service providers), and only after they have been served 
an order to keep the "means of decryption".



An order under the new Act is only an order to, effectively, keep 
records of keys used - a requirement to disclose them or use them to 
decrypt ciphertext takes a warrant which is much harder to get.

(though those warrants are not as hard-to-get as they should be, or used 
to be - the Act changes that too, in a way which I personally believe is 
much more sinister in terms of the quantity of surveillance than 
anything the Act does in the new orders).

Note, it only applies to those who have been served an order to keep
keys used - and an order can only be served on communications service
providers, it cannot be served on private individuals or most [1] 
internet sites.

You can, partly, still use FS - supposing you used Diffie-Helman, you
would have to keep a record of your key-establishing secrets, rather 
than discarding them.

Which mostly nullifies the point of using FS: however not totally - the
other party, if they haven't been served an order, could discard their
key-establishing secrets.



Oh, and if Bob is not a "communications service provider", or is one but 
hasn't been served an order, or is outside the UK, then that part of the 
Act has no effect on Bob or Alice at all.  :)

The Home Office are shooting themselves (or rather us, the UK) in the 
foot a bit here. Very minor gain, lots of bad.



[1] but not all websites are exempt. If a site allows communications 
between individual visitors (rather than just between visitors and the 
site) then it can be served an order.

Or at least that's what the Home Office said, though I don't entirely 
agree that that is what the actual effect [2] of the Act will be.

So most social media sites can be served an order to keep keys used, or 
eg if they use don't use FS but do use SSL/TLS they would have to keep 
their private keys if served an order.

[2] eg it is unlikely, but perhaps a little uncertain, that cloud 
providers, or something like Apple iCloud, could be served an order.


> 2. And what are the details on allowing hacking, does this mean that
> spooks can lawfully bulk hack anyone/everything?

Almost anyone, in theory at least - but not everyone.

>
> And for those whom say "this does not affect me, I do not live in
> UK", yes this does affect everyone. Alot of your internet traffic
> gets routed all over the world including UK before reaching
> destination.

Yes.

> Any data captured by UK on you can be shared with your
> government without probable cause or suspicion of crime. This is done
> through intel sharing agreements within spy alliances such as FVEY.

Yes. Though I don't see how a boycott would change this, international 
traffic would still get routed through LINX.

> For security concerns I propose we boycott all and any technology,
> products, services, or businesses based in UK that complies with "the
> law" and has anything to do with technology or communications out of
> security concerns.

Any of those based in the UK will in practice have to comply with any 
orders served on them. Though some might float canaries. I don't think a 
boycott would achieve much.

> What government is doing here is fragmenting society and industry by
> making the "legal white economy" incompetent, weak, and insecure
> through excessive intervention and laws that are not compatible with
> modern times.

Agreed.

> While any company that wants to succeed and keep their
> data and operations secure will have to resort to the free market
> system "black economy" since government made rules are incompatible
> with modern era of technology. Then the free market will thrive as
> the "white economy" based businesses will rightfully suffer as a
> result of compliance.

Perhaps - though it probably won't happen in the UK :(

-- Peter Fairbrother

More information about the cypherpunks mailing list