Follow Slashdot blog updates by subscribing to our blog RSS feed

 


Forgot your password?
Close
typodupeerror
×
Encryption Security

UK Drafts Crypto Bill 71

Posted by Hemos from the joining-the-us-in-idiocy dept.
np-complete writes "The UK Guardian has an article here giving details of the governments proposed new crypto laws. The draft bill includes provision for decryption notices to be served on companies, and also allows for a prison sentence of up to two years for tipping people off that their comunications are being monitored. (Site may need free registration if their guest login doesn't work). " Gosh, perhaps the Brits and the FBI have been talking. *sigh*
This discussion has been archived. No new comments can be posted.

UK Draft Crypto Bill More

UK Draft Crypto Bill

Comments Filter:

  • I Blame The Yanks (Score:1)

    by Anonymous Coward
    This is actually a US conspiracy to take over the UK, and therefore the civilised world. France! China! Russia! Unite! Let's nuke the bastards now!

  • The real reason the NSA exists... (Score:1)

    by Anonymous Coward
    The NSA can monitor all the world's communications, it's true. But you guys don't know the REAL reason they exist. I will tell you now. It's porn, pure and simple. There are hundreds of gigabytes of porn transferred every day and the founder of the NSA must have been some visionary genius who decided to index them ALL. So all that computer and storage equipment they have, they just SAY they're monitoring mail but we all know better now. They're tracking and indexing porn.
  • In all likelyhood, the parts about "not disclosing that somebody is being monitored" would extend to Echelon as well, which would make it illegal to publish info on Echelon or similar efforts.


    ...phil
  • HTML(ish) version at
    http://www.ntk.net/ecbill/ [ntk.net].

    d.
  • Certainly. Just type out a second message, that is exactly the same length as the encrypted message, then XOR the two together. The result will be a key which, when applied to the encrypted message, will generate your second message.
  • The UK/US governments have been monitoring all telephone traffic (not just that going to Eire) for years. The listening station (the golf ball farm) at Harrogate was supposedly set up because of the cold war, yet it is still operating and guarded by military. The most ridiculous part of that place was when the locals tried to make it a listed building. They couldn't because it didn't exist.

    I don't see this new act working in court even it does get through parliment.
  • Looks like the goverments of the english-speaking world finally went nuts.?

    Ok, fine for me, continental europa has in general very liberal law on encryption and this will create thousands of new jobs here.

    We could discuss the word "liberal": the german ministry of inner security called "breaking encryption an act of aggression, encryption itself an act of defense."
    This coincidently wents along with an discussion about growing activity in spying science- and industrial secrets in germany, namely by the USA and the UK and most times even by "official" secret services.

    You think that can`t be a big problem?

    You are wrong! The known cases of stolen knowledge by the USA and the UK sum up to 30 Billion Dollars EACH YEAR. Makes some chinease bluecopies of uncle sam`s latest kill-o-zap look quite inexpensive :-)=

    Some interesting laws are coming in germany this year and I expect encryption to become a MUST, not a MUST NOT in several cases.
  • Re: power wieleded
    I didn't notice much power welided by John Major in his (eventual) minority government before the 97 election. Ah well.

    Re: bill
    The bill should die. I fear it will not as MPs are not technically savvy enough to work out that it stinks.
  • What you need is an encryption system that can insert random rubbish into the encrypted output. For example, if I encrypt a 100KB file, the output will be around 200KB, of which half is rubbish. The rubbish is stripped out when decrypting, but without decrypting, you can't tell what is rubbish and what isn't.

    The next stage is to have two different files, encrypted into the same output with two different keys. So I could have one 100KB file containing secret information, and a 100KB dummy file. The encrypted output contains both; but which you get depends on what key you use. To somebody who knows only one of the keys, it would appear that the output contains one file and 100KB of rubbish. There is no difference to tell what is rubbish and what might actually be encrypted data, unless you know all the keys.

    Then, when the police ask you to hand over your keys, give them the key that produces the dummy file. You can just claim that the other 100KB of encrypted data is rubbish. If your encryption software routinely pads out files with 50% rubbish, such a claim would be believable.
  • But if you had two keys, one producing the real message and one a fake, then law enforcement could make you reveal both.

    The idea of rubbish is needed so that you can convincingly claim that there is no other data in the message, and no other key.

  • In the UK you are a SUBJECT of the state not a citizen



    You're confusing the issue. You could abolish the monarchy, replace it with an elected (but powerless) presidency (like Italy's), and start calling each other Citizen and yelling "civis britannicus sum" tomorrow, but unless you changed the parliamentary system as well, the PM would keep all his powers.


  • What's wrong with this scenario? (apart from the jailtime, of course):

    Cop: Give us your encryption key.

    You: No.

    Cop: Right, you're under arrest. You have the
    right to remain silent, etc. etc.

    You: Okay, I'm remaining silent.

    Now since your key is in your head (you
    *didn't* write it down did you?) the police
    are stymied.

  • What it means is that everybody is free to use decryption, but if the police wish to read one of your encrypted messages, they can get a warrant that will require you to hand over your key. Presumably non-compliance would put you in contempt of court and you might end up in jail.

    However, if you're using encryption to cover up something that would get you a very long jail term anyway, you might as well just destroy your key and put up with a smaller term for contempt of court.
  • Too bad you all willingly gave him your guns. Bet one madman in Scotland doesn't look quite so dangerous any more.

    What an idiotic remark! What good would guns be against the Home Secretary or the Prime Minister?

    There were never enough guns floating around in the UK for a rebellious population to outgun the police, let alone the army. And the UK police are hardly bristling with firepower. Anyway, that's just not the way we do things here. We just hurl bricks and bottles. It's much friendlier that way.

    If you imagine that the laws allowing US citizens to bear arms are a significant factor holding your own government in check, you're probably indulging in pure fantasy. Your own police forces and National Guard are probably better armed than the rest of you are. And the US government has tanks and F-15's. I don't suppose they'd be that shy about using deadly force against you when you're shooting at them.

    I support the UK Govt's action to restrict private ownership of handguns. It might not disarm all the criminals but it sure does reduce the number of madmen armed with automatic or semi-automatic weapons.

    As a father of two small children I was deeply affected by the Dunblane massacre. I would have felt the same if the incident had taken place in your own country (though to me the mass shooting of twenty innocent infants is a thousand times worse than the shooting of twenty adolescents).

    If you are the sort of person who thinks that the right to strut around feeling self-important with a gun is worth a tragedy on the scale of Dunblane then you are a senseless and selfish shit who doesn't deserve to live. In my opinion.


    Consciousness is not what it thinks it is
    Thought exists only as an abstraction
  • That's exactly what was implied. It takes a much larger GIF or MP3 to cloak insert a text file into rather than just encrypting the text and sending that. Say you want to send a 10KB document. You'd need to mask it within 90KB of other info. Therefore, you need higher sustained bandwidth if you do this regularly.
  • I don't think self-incrimination applies. This would seem to fall more under laws dealing with documents than with speech. They can't legally make you talk, but they can make you turn over any relevant documents (with the appropriate warrants, subpoenas etc).
    This doesn't bother me. If they have to come to me with legal authority then I can defend myself. It's when they can access/monitor anything without my knowledge or consent that I object.
  • Good:
    They've realised that key escrow _will not work_ and is very, very bad for e-commerce. People need to be able to transact knowing their financial details are not available without their explicit consent.
    Requiring people to hand decryption keys over when required (by secretary of state etc.) as part of a legitimate criminal investigation is also ok, the government needs to be able to get evidence against criminals to prosecute them. We can also (just about) trust the government not to mis-use any small pieces of information they gain in this way, with the knowledge of the recipient (as opposed to being able to decrypt everything without the correspondent's knowledge, as key escrow allows).

    The Bad:
    Asking people to voluntarily hand keys in for escrow is just a bad idea, no criminals will hand in their keys, and is just a potential security hole for anyone using encryption.
    The heavy handed measures for informants and complaints etc, seems totally unjustified and way, way over the top. If I feel the government had no reason to get my decryption key from me, I expect to be able to recieve fair treatment when lodging a complaint, and expect a thorough investigation. There must be checks to stop law enforcement agencies abusing their powers, as they all seem so keen to do.
  • Unfortunately this seems to suggest that 'innocent until proven guilty' now doesn't count for anything.
  • Ya know, the more I read about this stuff, the sadder it makes me.

    I think the thing all of us need to do is say a big F.U. and start encrypting EVERYTHING we send - not just big important messages... I mean everything. Get your friends involved. Send everything via PGP as ascii plaintext. It has a really nice advertisement at the bottom for the PGP freeware.

    This will get more and more folks to at least see it. The whole process is so stinking simple: Get it, use it. Nothing is hard about that at all!

    Let's all quit whining about government intrusion into our privacy and do something about it.



    Mister programmer
    I got my hammer
    Gonna smash my smash my radio

  • Problem with steganography is that you need a channel with at least an order of magnitude higher sustained bandwith than the secure channel you want to hide.

    How about images, video or mp3s as cover for plain text? Sounds reasonable to me.
  • All the ones I knew have shut down. There may be some out there but I wouldn't rely on them!
  • I don't think they are going to enforce key escrow. As I understand it the select committee said key escrow was unworkable so it was taken out of the bill.
  • I've been a moderator at times and I'm in the UK. I think the moderators are selected randomly from slashdot readers with above a minimum amount of page views or something. This seems fair.

    Personally, I like the moderation system. Although it's by no means perfect it has improved slashdot and is better than any other system I've seen at other sites.

    The main problem I have is messages being moderated down for being off-topic. For instance, this message is off-topic compared to the headline article but is reply to your post and is relevant to that. I often see these type of posts moderated down.

    BTW I notice several posts have been moderated up now :-) We're being watched!
  • The UK has always had a poor record with regard to individual freedom. We do not have a constitution and the Freedom of Information act about to implemented is pretty much a joke.

    Unfortunatley, probably because UK governments have historically been fairly careful about wielding their totalitarian powers, there is little concern in the UK about these issues.

    As to the quote about lecturing the US on freedom - I didn't know we had been.

  • Blair spent a whole breakfast-time conference worrying about this issue ?
    Wow, he must take security and personal liberty really seriously ...

  • Something I didn't quite get while reading the article---it made it sound as if the offence was not (e.g.) someone walking into an office and saying, ``Hey, you're being bugged'', it was someone going to the public and saying, ``Hey, my company is being bugged''. Which is even scarier, really. Particularly the fact that any sort of complaint could result in a two-year jail sentence, without a proper trial. (Of course, my ideas of what comprises a ``proper trial'' are shaped by the fact I live in the US; but I'm guessing that ``excluding the complainant from attending and issuing orders to keep secret the evidence on national security grounds'' is not exactly the usual procedure in the UK, either.)

    This really does sound like something out of a dystopian novel. Even worse than some of the stuff the US has been pulling lately. I should hope it gets resolved quickly (and correctly!)... it looks like there are at least a few MPs on the right track. Does anyone know what the approximate likelihood of this passing is? (The article seemed to indicate that it hadn't come up for a vote yet.)

  • Here's the BBC article [bbc.co.uk] on the bill. It also provides a link to a copy of the actual draft bill [dti.gov.uk].

  • Legislation gets madder and madder.

    Surely if someone is being monitored, all I have to do is go up to them and say, you are NOT being monitored. (wink wink). No, of course you're not being monitored. (wink wink).

    Do anonymous mailers still exist BTW?

    As for requiring companies to disclose crypto stuff, I would imagine a company could defeat this by getting all their employees to generate their own private keys and take personal responsibility for keeping their own key private.
  • Even better still... why bother with PGP with all its commercial connotations and export problems, when you can do much the same things with GnuPG [gnupg.org] without export restriction (no IDEA or RSA)?

    (It doesn't support all the key formats of PGP but things generated in GnuPG can be imported into PGP with no problem...)

    Otherwise I agree entirely. Everyone should use ssh, gnupg/pgp-according-to-taste; I also like the idea further down this thread concerning double-encrypting things so you can say you've decrypted it and it is an encrypted file. The alternative is to get the government to back off the 1-level encrypted file as a valid format anyway...

    ~Tim, GnuPG and PGP keys on website [custard.org] :)

    ~Tim
    --
  • Erm... FWIW I thought there was a windoze version :)
    It's not as though I'd want to use it, being a (predictable) linux chap, but I understand it exists, albeit alpha-ware :)

    Mutt is also configureable - or if you have an external editor like vim/vi/emacs you can always pipe the entire document through pgp -at or the equivalent gpg command...

    Otherwise, I think there might be a learning curve getting all these windoze weenies onto FreeBSD :8]

    ~Tim
    --
  • From my understanding of ITAR (the base set of regulations on munitions and cryptography products agreed to by most countries), it is always legal to import a product assuming the export is legal from the parent country (at least for cryptography products). This means if you can legally export something from the UK, then you can legally import it in the US. The problem here is that many products originate in the US and cannot be legally exported (except to Canada). So it is also illegal to import them elsewhere, because the export would have occured through illegal, though trival, means.

    On a totally different subject, I found out yesterday that a "crypologist" is a person who studies unknown animals, like bigfoot, lochness, etc. From this I take it "crypt" is the latin root for the unkown, and graphy is the practices/art of something? So cryptography really means "the art of the unkown." Sound like a some kind of cult activity. :)

  • Similar arguments against gun ownership are put up by the gun control crowd. Its the same exact situation. Encryption and guns are both sources of power. A democracy is supposed to be based off the idea that the people hold the power and the government derives its power from them. Attempts to limit or nullify the power of the people are sure signs that the kinds of people who would like to destroy our liberty are hard at work. I think its fitting that encryption technology is considered a "munition" because in some ways that is exactly what it is.

    Lee
  • no, as the previous reply said, escrow is unworkable. this merely makes it a criminal offence to not 'disclose the key which would make the message intelligable' to enforcement officers.

    I'm sorry officer, I cant give you the key since the message is in plain text and is a paper on superstring theory; the only way it could be intelligable to you is you studied rather more math... ;-)

    ray
  • Notifying someone of a wiretap on them can be considered interfering in an official investigation. That's already established, I believe.

    The other part about making people decrypt stuff is only logical. We currently can issue court orders to make people tun over all relevant documents to an investigation. What's the point if we can't force them to decrypt it?

    "What, turn over all the incriminating data on our company? Sure.. I hope the statue of limitations doesn't run out before you break the 2048-bit encryption on everything."

    Come on. It's not like they're forcing everyone to make them able to break it at any time with or without a court order like with key escrow. This is simply a necessary part of investigating a company or person who encrypts all their data. If you didn't have this, encryption would be a get out of jail free card since you could bury any and all evidence against yourself.
  • The article strongly implies that somehow they are going to enforce key escrow. If everyone in your company uses PGP then clearly you will know if your encryption key has been given up, because they will have to ask you for it.

    Hopefully this bill will die soon.
  • ...Or, would the self-incrimination exception prevent it, assuming the three branches of government are not all corrupt? Does anyone know of any precedents similar to this sort of intrusion of privacy in America?
  • Well, a few weeks back there was a story in Swedish newspapers about someone convicted for economical crimes.

    What the devil is an "economical crime"? Is that one where the crook gets his ski mask and gloves at a thrift store?
    /.

  • You are proposing a one-time-pad. But this only works if the key (your first message) is completely random. Otherwise, it is *very* easy to break.
  • How about encrypting twice, then all you could happily decrypt it for them and make it intelligable. They would find a still encrypted message was less than useful to them. It is intelligable as an encrypted message...
  • Somehow, I have little trouble believing this in the UK. Some provisions, like the one about tipping others off their communications may be monitored, are too totalitarian to believe. The US is taking some unreasonable provisions in the crypto area...but if this bill were introduced in the US, it'd be shouted down immediately.


    "Any country with an Official Secrets Act has no business lecturing the US on freedom." -- Tom Clancy
    --

  • is where it's at. "My my," says one spook to the other. "Those companies we're monitoritng for leaking sensitive information to the Fijis sure do send each other a lot of landscape pictures". The other spook agrees "But there's nothing wrong with that..."

    Problem with steganography is that you need a channel with at least an order of magnitude higher sustained bandwith than the secure channel you want to hide.
  • When it comes right down to it, this is a blatant violation of free speech. You are allowed to tip off your friends. Free speech does not imply that you have to be on the government's side. Guck the Fovernment. Anyhow...
  • There is already a (commercial) program out there that can do that. It actually uses two keys, so if you use one key, you get the actual message, but if you use the other key, you get the fake message. No 'rubbish' required (though padding messages is a good security measure no matter what). I believe it used elliptic curves, which is a bit out of style lately. I'm not sure what the company is called.
    ---
  • This is consistent. The US allows freedom for its own citizens to use strong encryption but does its (feeble and ineffectual) best to disallow export of that technology to the UK. The UK happily allows me to export my encryption software to the US (except that they can't use it, but never mind, the RSA patent will run out soon...) but might start getting antsy about me using it here.

    Both sides want the US to do better than the UK. From my own country, I question the sanity of this...

    (Incidentally, I find it interesting that the only post scored above 1 when I read this item was one asking whether the same thing could happen in the US. I wonder if the moderators have any interest in the UK at all? Should a thread about UK news possibly be moderated by UK people?)

  • ...without mandatory, key-escrow compliance, that is. The only effect this will have is that people will use unbreakable encryption. The odd thing about the whole article was that it seemed to suggest that a "decryption order" would mean that the target data would automagically be decrypted... What the hell?

    Encryption control is all or nothing. And certainly, key escrow means useless encryption. One thing - I'm getting f'n sick and tired of hearing about "pedophiles" and "terrorists". If encryption is banned, outright, they will be the only suckers who still use it!
  • Yah see here's where the self-incrimination difference between the UK and the States kicks in. Even so, what can a judge really do, if you say that your key was on a floppy that you destroyed when the pigs walked in (I use floppies like this myself, for certain circumstances, on a box with no swap)?? How can you be held in contempt, if you swear you don't know the key, and can prove you don't have it? The only solution for governments is to ban crypto, outright, and privacy too, while they're at it...

    And also, what about secure, offshore storage? The market for it is certainly going to increase, if this kind of legislative crap keeps up.
  • ...and yesterday, when my girlfriend opened her mailbox, she was alarmed to notice that the envelope containing her VISA statement had been opened. As crypto-preventable crime against "law-abiding citizens" (whoever the hell they are) increases, we'll see this sort of legislation get thrown out, by public demand. N.B., the asswipe that opened the VISA statement was probably the postman!
  • It's an elective dictatorship in the UK. The prime minister has more powers than any other head of government in the West.

    In the UK you are a SUBJECT of the state not a citizen

  • > In the UK you are a SUBJECT of the state not a citizen

    That's right - we don't have rights, only duties.
  • If they really want to, the security services can probably steam open your envelope quite stealthily, and then reseal and send it back on its somewhat-delayed way...

    (Strong) crypto isn't *nearly* as easy for 'em.
  • If your (true) algorithm doesn't change the byte count, you *could* claim you were using an OTP, and have the suitable key already prepared...
  • you will not find even one law enforcement agency that will tell you that they were not able to convict someone of a crime because that person was using encryption to protect his computer files

    Well, a few weeks back there was a story in Swedish newspapers about someone convicted for economical crimes. His computer contained encrypted files that the attorneys suspected contained further incriminating evidence (from the file names etc) but as they were unable to decrypt the documents he got the computer back and could safely destroy all evidence (if that was what it was).
  • This is made even more worrying given that in the last fortnight, details have emerged showing that the UK Ministry of Defence monitored all phone calls and email communications passing from Ireland into or through the UK secretly. The Irish were, understandably, slightly irked at this. On top of that there's the joint UKUSA Echelon system which monitors communications throughout the UK, Europe, and Africa. The EU are, funnily enough, annoyed at this as well. If they gain the ability to serve decryption orders, then the thought police would have a ridiculously scary amount of power.
  • The main listening station is at Menwith hill; this is what I was referring to by ECHELON, the existence of which was confirmed recently by a European Commission Report entitled "Assessing the Technologies of Political Control" (though it was initially revealed in an article in the New Statesman in the 80's). Interestingly, Mark Thomas (lefty type comic on C4) has set up a website [menwithhill.co.uk] advertising balloon tours over the site during the summer, with all the required paraphenalia such as parabolic microphones and such...
  • In an even more devious way, you could try using one-time pads. Generate your message you want to keep private, and then generate a message the same length as this which is full of non-private (preferably believable) information. Next generate some high-quality random data (okay, it's not exactly trivial, but there are a number of ways of doing this) so thatyou have a file of random data the same size as your message. Now, XOR each bit of message data with the random data. This gives you your encrypted message. The random data is your key. To regain your message from the encrypted version, simply XOR with your key again. This will give you your original message, since
    K XOR (K XOR M) = (K XOR K) XOR M = f XOR M = M
    (where K is the key, M the message, and (K XOR M) the encrypted message.)
    Now the devious bit. XOR your encrypted message file with your "alternative" message file. This file is your dummy key. If you surrender this key, then the resulting cleartext will be your dummy message, since
    (D XOR (K XOR M)) XOR (K XOR M) = D
    (where D is the dummy message)

    Of course, this isn't very useful for transmitting information, since it's secret-key based, and requires a key as large as the file to be encrypted, but it's entertaining for it's sheer deviousness :-)
  • Hardly surprising at all... this comes at the insistence of the man who wants to lock up people with severe personality disorders without a proper trial even if they haven't committed a crime. Still, at least we don't have a death penalty... yet.
  • For those interested, here is a link about the ECHELON Surveillance system that is used by the US, UK, Canada, Australia, & New Zealand(before some Kiwis blew the lid off it).

    http://fly.hiwaay.net/~pspoole/echelon.html

Slashdot Top Deals

"Experience has proved that some people indeed know everything." -- Russell Baker

Close