UK surveillance powers bill could force startups to bake in backdoors (techcrunch.com)
280 points by benevol on March 11, 2016 | 150 comments


"I am leaving it as I found it. Take over. It's yours." Ellis Wyatt

If you feel you're being compelled to act immorally, remember non-compliance — whatever the immediate consequences to yourself — is the only acceptable course of action. When we decide to spend our days building powerful tools, we enter into an implicit agreement not to let them fall into the wrong hands. If the government comes knocking, BURN IT DOWN. Make good on your debt to humanity.


> remember non-compliance — whatever the immediate consequences to yourself — is the only acceptable course of action

Seriously, can we get away from these fine-sounding (but otherwise utterly useless) slogans and clarion calls? There has to be a better response than a scorched-earth policy.

I'm a software developer based in the UK currently working on an app which will probably be affected by this bill. Apart from destroying the product and/or risking jail-time, are there any sensible options? Can I incorporate somewhere else in the EU and run everything from overseas? What if I am not a UK company but a DE company and everything happens from there?

I realise it's early days, but I'd hope HN could come up with some informed suggestions.


I think the only viable option would be to leave the UK. Not just you physically, all bank accounts and insurances too. When you have set up the company somewhere else (maybe Netherlands, Germany or Sweden) you would have to renegotiate all contracts with all your clients, have new lawyers, new accountants, etc...

I can not think of any way other than leaving, that will not compromise either your product, your customers or your integrity.

This is 'scorched earth' if you will, without 'fine-sounding, useless slogans'. Consider this: If this crap becomes law, you certainly won't be alone when leaving. And when a critical amount of developers and entrepreneurs leave the UK permanently, the economy will suffer... greatly I think. And that, sad as it may sound, might be the only argument politicians would consider, when it comes to signing this bill.


> And that, sad as it may sound, might be the only argument politicians would consider, when it comes to signing this bill.

Sorry to be this guy, but you do realize you're talking about the UK, right??

If you have paid attention to anything that comes out of UK politicians and is actually implemented in law, you would have a hard time believing that UK citizens' disobedience, no matter how loud, will change ANYTHING AT ALL!

Sadly, they're doomed and I cannot find a friend who left years ago and never looked back.


> Sadly, they're doomed and I cannot find a friend who left years ago and never looked back.

Is your double negative the right way round there? That means your British emigrant friends are looking to [move back to?] the UK.

I'm British, and recently left. I've met about 6-7 British people in my new country (I haven't been seeking them) and none have any intention of returning. Of course, they visit family and so on, but at present there's no reason not to.


Where did you go, out of interest?

I'm in the UK and weighing up options.


Denmark.

I wasn't particularly looking to move here, though it was a country I'd thought about. Then someone forwarded a job advert to me, and I ended up with an offer I couldn't refuse :-)

Anywhere in the EU is easy to move to, and easy to move away from if you don't like it. The big differences are probably the ease of getting a job, speaking the language (or not needing to) and meeting local people.


I feel Scotland would do well to start hinting that tech startups may want to start there, given the likelihood of a successful referendum to leave the UK when it happens.


As someone who lives in Scotland, that would be utterly fantastic.


I'd suggest that everyone come join the party in the U.S., but then I realize that we have equally stupid politicians trying to run everything, too.

I get the sense that reincorporating in Bermuda, Gibraltar, or one of the Channel islands might help in some way, but I can't quite figure out just where in my brain that idea came from. Maybe it was one of those foil hat ideas that I had to discard because it only worked for Commonwealth citizens.

It would take a careful reading of the law to discover the most appropriate loophole. In the U.S., that often takes the form of having no meaningful penalty or enforcement for breaking a law. So, basically, companies just ignore it. But UK law works differently, so I can't say for certain whether that means a judge could invent an appropriate penalty or not.


No. My response will be one of two things:

1) Shut the company down, lay off 50 employees, leave 100 clients without revenue, damage the UK economy to the tune of £300M/yr.

2) Go public, go to jail, and (1) will then happen anyway.

So frankly throwing the towel in looks like the only sane course of action, unless you have a magic wand to affect government policy.


I wonder if you can set up the company as an international entity or something like this, and have yourself as employee?


Or better still, set up a foreign company, the sole shareholder of which is a trust of which you are a non-executive beneficiary. Then make yourself a contractor to said company with an explicit contractual requirement that you must affirm that you have not been compelled (legally or otherwise) to author anything (code or otherwise) that may materially affect said company.

The govt will still probably try to find a way around it but at least you've made it very difficult for them.


The govt wouldn't give a squat about what contractual agreements you have made; they can still compel you. By your logic I can make the same deal with an explicit contractual requirement that I cannot be detained by the police and then go on a murder spree and say sorry I got a contract that says you can't arrest me...


It would make a difference. Circumventing this law will be possible even if it means setting up a company in a different country.

>The govt wouldn't give a squat about what contractual agreements

Setting yourself up in that manner would mean more challenges and making it difficult for the UK govt to win in court.


As long as any entity related to the company has a UK address they'll get pinched; the only way to "circumvent" the law is not to have any business in the UK.

>Setting yourself up in that manner would mean if it needed to be taken to court, it would be difficult for the UK govt to win.

I don't think you understand how the legal system in the UK works, or anywhere else for that matter. You can't have contractual agreements that go against the law as it would constitute an illegal contract.

If you have a clause in the contract that requires you to either break the law outright or not to comply with it, it will not be enforceable and will be considered void.


Not necessarily, what would happen in this case is that once you are compelled your contract to work on the code is terminated. Nothing illegal about such a contract.


You can't proclaim that you were compelled and if your employer finds out it's an illegal dismissal.


You effectively are your employer (via a contract for services rather than employment per se). So by them giving you the notice they are also informing your employer.

You then get to fire yourself; it is definitely a burn it to the ground strategy, but this type of strategy has happened before and no doubt will happen again even if infrequently.


> Setting yourself up in that manner would mean more challenges and making it difficult for the UK govt to win in court.

But would it, really? This fails the same logical test as the warrant canary - it sounds comforting, but is absolutely useless in the real world.

You still have the same choices - you can follow the request, or ignore it. You can tell the world, or keep it secret.

In every scenario I can think of, this idea of "affirming you have not been compelled" provides absolutely no protection.

Are you able to provide an example that demonstrates how this off-shore/contractor setup would protect you from the UK equivalent of a NSL with a non-disclosure clause?


If you physically move to Germany, perhaps, but it appears you would need to discontinue all operations in this country. Nobody employed here, no bank accounts, etc.

Another person posted a somewhat insightful excerpt from the draft which covers this situation:

https://news.ycombinator.com/item?id=11265963


Suppose you work for a company in DE and UK gov try to compel you, just have someone outside the country revert changes.

Also, isn't the government bound by the Computer Misuse Act (and its European and other foreign equivalents)? That would make the coercion an illegal act.

Dare say there would be amendments intra UK but we'd need pan-European changes to be able to lawfully compel someone to access a [foreign] computer without authority.


Well since this is only a proposed law, writing to your MP would be a good start.


I agree, but it's likely to change nothing. I'm not being defeatist per se, but I went through all this with the RIP Act in 2000 and it was futile, even though the Conservatives went through some posturing in defence of civil liberties. But now they are introducing worse legislation and Labour can hardly say "this is unprecedented" or whatever, since they were so gung-ho about it fifteen years ago. I wrote many letters and got no decent responses, just boiler-plate reiterations of why it was "necessary."


Well from the theme of this thread an open letter in the Times signed by a large proportion of the CTOs of Silicon Roundabout saying "we'll go to jail or leave the country if this goes into effect" will probably at least get some face time with a minister over this.


I met my MP over it, he told me to "talk to the hand". He's a Tory boy, never worked, doesn't care.

I also met a friendly Lord over it last year who already opposed it loudly, and ensuingly had his political career murdered for his trouble.


Funny you mention the Lords ... I wrote a position paper for the Conservative front-bench spokesman for Trade and Industry about the RIP Act 2000. Worked better than letter-writing and meeting my MP. All this because I happened to play cricket with him occasionally.


The threat of a scorched earth policy needs to be strong enough for governments to either not consider these types of actions or suffer the consequences. I can understand it not being practical for the people involved though, and I sympathize.


Make a Societas Europaea instead of Limited company (https://www.gov.uk/government/publications/european-companie...).

Only thing is it's a bit more expensive than a typical Ltd.


Can't you get a digital citizenship in Estonia and perhaps transfer your company there?

Frankly it seems like a very good solution if the problem is laws in the UK. This program was launched specifically to attract entrepreneurs and offer them the means to launch tech businesses from anywhere in the world in Estonia.


You need to leave the UK. No amount of corporate charter red tape or offshore server hosting will let you get away with developing a secure product if Theresa May doesn't want you to.


> but I'd hope HN could come up with some informed suggestions.

That is an informed suggestion, informed by the reality that participation in the political process does not work, at all.


> Can I incorporate somewhere else in the EU

In case you want "Europe, but without EU law and surveillance", there is Switzerland.


The thing is, the actual probability of being asked to comply with this for a small company is fairly small: it's aimed at Facebook and Apple. And perhaps privacy-orientated services like Lavabit. Your best option is to retain a really good ECHR lawyer, because that's where the fight is going to be.


> being asked to comply with this for a small company is fairly small

This may be true for now, but I have seen far too many laws being used in other contexts than what they were intended for.

For now it may be used in cases of 'terrorism'. In three years your products will get compromised because the state wants to catch a drug dealer. In 8 years, they also want to catch regular burglars, and in 10 years these laws may be used against you, because you forgot to mention a $100 bill on your tax declaration...


Oh wait, you're serious. Let me laugh harder.

There is money to be made. When it comes down to making money by putting in backdoors or shutting it down and making none, the backdoor will be put in every time.


At least in the short term.

When London fails to become the "Fintech capital of the world" like it wants to be, because any fintech moving there has to maim its own security and every potential customer knows it.

When UK companies are continually hacked and ripped off because the bad guys KNOW there's backdoors in every one of them, all they have to do is find them.

When the UK economy has taken enough of a beating. Then they might change their minds. Maybe.


Wanted: ninja, rockstar backdoor programmer! Benefits: train your backdoor coding replacement overseas and get 6 month severance!


"the only acceptable course of action".

In your opinion, perhaps, but my gut is that most people would comply rather than spend several years in an 8x10 cell.

https://twitter.com/nixgeek/status/708267763089989632

I'd be interested to see how the numbers turn out on that!


I think quite a few people would not mind being a martyr.

The problem is that the most likely reality is that you will go to jail, your business will be shut down, you will never find another job again, your whole family will be added on all the government shit lists and nobody except your friends will know what happened.

There is a star system to martyrdom too. For 1 Snowden, there are probably thousands jailed and forgotten.


Martyrs more often than not seek out situations to sacrifice themselves under rather than people who make the "right" call when pressed.

No right minded person in the world would rather go to jail than comply with this, the few that would really have an existential dilemma about this issue would most likely opt out to preemptively avoiding it than be the ones who sit at their desk with a gun in their hand and a bulletproof vest.


That's right: what's the point of becoming a symbol that no one knows about? It's not like you are given a soap box or a time-slot from your 8x10.


Or you could just move your project to a different country and give the control to some anonymous corporation that can't be traced to you.


The government actions are immoral. When an entrepreneur has raised capital from investors, his personal reputation is on the line to be a good shepherd for their investment. Shutting down their company destroys the entrepreneur's personal investment and betrays their ability to keep their investors' investment safe. This all comes back to the immorality of the government's actions in this area.


This times a million. It is better to pay the price for doing the right thing than to turn against your morals because of your comfort. And if enough people and companies do the same, things will change.

Evil prevails because good men do nothing. And this generation seem to be the masters at doing nothing.

A truly gutsy CEO would say screw you to an oppressive law or government. They'd be willing to die in prison for their beliefs, and shut the whole company down in the process. Take the story to media and watch the government's stupidity get them publicly humiliated by the press and social media.

Things like this will only stop if they become political suicide for any party or politician that tries to implement them.


I wonder if most of the politicians in the UK actually understand what they're doing here? Some research has shown that in order to recognize brilliance, you basically have to be brilliant yourself:

http://www.livescience.com/18706-people-smart-democracy.html

In another story on Hacker News today, I find the following: "She offers a sample math problem from the test: You go to the store and there's a sale. Buy one, get the second half off. So if you buy two, how much do you pay? "High school-credentialed adults, they can't do this task — on average," says Carr."

http://wamc.org/post/americas-high-school-graduates-look-oth...

Clearly, the majority of the voters in a democracy aren't very intelligent. This probably means that most of the politicians in a democracy, such as the UK, aren't very intelligent either.


This subject has received significant attention because as hard as it is to accept, it is all true. There has been a deliberate "Brave New World" effort to control the masses of democracies, under the assumption that leaving people to their own devices will ultimately result in chaos and destruction by someone else manipulating them (case in point: the Republican Party fiasco regarding Donald Trump)

If you are willing to see how your life and role as a passive consumer has been designed, watch the BBC documentary "Century of the Self," read Edward Bernays' "Crystallizing Public Opinion," and "Propaganda," and for an extra dose of depression, Noam Chomsky's "Profit Over People."

Sorry.


I haven't seen any of those yet, but I get the sneaking suspicion that they would all be preaching to the choir.

But I reached my current world view by extensive wearing of foil hats and painstaking calibration of handcrafted bullshit detectors, so it would be nice to see the analyses of those more reputable than my usual sources (by many orders of magnitude), just in case they would ever be useful in an appeal to authority.

For instance, I could tell my spouse something for years, such as "chia seeds are a better source of omega-3s than flaxseed, because the chia seed coat is digestible, whereas the flax seed coat has to be cracked mechanically, which allows the oils inside to become rancid due to oxidation between milling and ingestion." And this is dismissed and forgotten, until Dr. Mehmet Oz features chia seeds on his television show. Afterward, I'm still the only one actually eating the chia seeds, but at least I get less flak for it when I do.

The Cassandra Phenomenon: it's horribly demoralizing.

It's even worse with my homespun political analysis.


Don't create start-ups based in the UK.

Register overseas (if possible). This is going to harm the UK economy a lot more than they think.

Founders will think twice and will only add to risk and burdens when you are already competing in an international, competitive, start-up space.

Remove the offending country from the equation by relinquishing legal responsibilities. I know a few founders who have talked about doing this so I hope the UK reverses this or never becomes a prolific start-up space (which would be a shame).

I hope avoidance becomes common practice, the UK is not the only country that incentivises start-ups. Others do and thankfully don't have draconian laws such as this.


It should be easier with Stripe's Atlas: https://stripe.com/atlas


If this gets approved and you're based in the UK, that's it. If you're based somewhere else are you safe or should you refuse to create accounts for people from the UK?


Let's have a show of hands of founders/folks with technical control, shall we? I for one will risk prison rather than put several hundred million consumers at risk, and will publish any such technical capability letter we receive.


They've already demonstrated with RIPA that they are perfectly willing to convict and sentence in these sorts of situations. Failure to disclose encryption passphrases can (and does) result in jail times of up to 2 years, or in cases which are deemed to have national security implications, 5 years. [1-3]

Talk on HN is comparatively cheap, and I suspect most people would reconsider their position when facing down the very real prospect of serving 5 years in HM Prison Belmarsh.

[1] https://en.wikipedia.org/wiki/Key_disclosure_law#United_King...

[2] http://arstechnica.com/tech-policy/2007/10/uk-can-now-demand...

[3] https://www.schneier.com/blog/archives/2007/10/uk_police_can...


I think you underestimate quite how much of a principled idiot I am.


Would you please hop on a ferry to Oostende first?

Principled idiots are of more use to mankind when they're on the loose.


I'd take the odds on this. The number of people charged with failing to comply with a s. 49 notice is low (much lower than the number issued with them and who don't comply). The number of people successfully charged is lower still. Some of the cases of successful convictions were also where people had admitted to having the key; your odds probably improve if you don't do this.

My understanding of s49 is that to convict you, the government has to prove that you had the ability to decrypt at _any time in the past_. If they do that, you can make a defence by showing that you _no longer do_. In other words, if the government shows you ever had the ability to decrypt, the burden of proof changes to you to show you no longer do. Pretty ridiculous.

It does mean that if you can make it patently obvious that you can't decrypt something, you have a good defence. One option therefore is to place control of decryption in the hands of not yourself, but a trusted agent outside the UK (or both, with both required to decrypt).

There may also be grounds for appeal in the ECourtHR, as there is precedent that the 'right to a fair trial' in the EConventionHR includes the right to remain silent, etc.
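The "both required to decrypt" arrangement mentioned in the comment above is split knowledge of a key. As an added example (not part of the original comment), this sketch splits a random key into XOR shares so that no single holder can rebuild it; the function names and the check-value label are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # 256-bit data-encryption key (constructed for the demo)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _check_value(key: bytes) -> str:
    # Fingerprint used only to detect a wrong or missing share on recombination.
    # Storing it beside a share is acceptable only for a full-entropy random key;
    # for a password-derived key it would enable offline guessing.
    return hashlib.sha256(b"key-check-v1" + key).hexdigest()


def split_key(key: bytes, holders: int = 2):
    """Split `key` into `holders` shares; every share is needed to rebuild it.

    Each share on its own is uniformly random, so a single holder learns
    nothing about the key and cannot decrypt alone.
    """
    if holders < 2:
        raise ValueError("need at least two holders")
    if not key:
        raise ValueError("empty key")
    shares = [secrets.token_bytes(len(key)) for _ in range(holders - 1)]
    last = key
    for share in shares:
        last = _xor(last, share)
    shares.append(last)  # XOR of all shares equals the key
    return shares, _check_value(key)


def combine_shares(shares, check: str) -> bytes:
    """Rebuild the key from all shares, refusing a partial or altered set."""
    if len(shares) < 2 or len({len(s) for s in shares}) != 1:
        raise ValueError("need every share, all of equal length")
    key = bytes(len(shares[0]))
    for share in shares:
        key = _xor(key, share)
    if not hmac.compare_digest(_check_value(key), check):
        raise ValueError("shares do not reconstruct the original key")
    return key


if __name__ == "__main__":
    key = secrets.token_bytes(KEY_LEN)
    (local_share, remote_share), check = split_key(key)
    # local_share stays with the operator; remote_share goes to the other party.
    assert combine_shares([local_share, remote_share], check) == key
    print("key rebuilt only with both shares present")
```

After splitting, the original key must be erased from the machine that generated it, otherwise that machine still holds the ability to decrypt on its own.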


This is why I've been saying from day one that a Y Combinator focus on UK was the wrong move, because I expected the authoritarian mentality to only increase there over the next few years. The focus should've been on Germany, which at least has a strong Constitution (UK has none) and judges tend to be pro-privacy (although I imagine some data-mining/advertising startups would hate that).

Perhaps even more importantly, it's the people that care deeply about privacy there, too, and would protest obvious authoritarian moves by the government, while in the UK they seem to care almost as little about it as the Americans do.



A single counter example proves very little.

Yes the German Government has been caught doing some nefarious stuff but if you compare the totality of what the UK government has been doing against what the German government has been doing, I'll take the German government every single time.

I say that as a UK citizen, also this is one of the areas where the EU has actually been really useful and I have a feeling we might leave in the referendum.


Germany has a strong constitution, yes, and an even stronger constitutional court... but: Take a look at Poland and see how fast things can change.

It is frightening how fast a government can eviscerate the very foundations of democracy. This is even more appalling when you look at the fastest growing political power in Germany: The rightists from the AFD. I have no doubt that, what is happening right now in Poland can happen in Germany too, given enough time.


Piggybacking a bit here: would a startup based in the UK (as in, devs and managers live in the UK), but incorporated in the US (maybe through the new Stripe service), be held to this?


It's mostly irrelevant. The government can probably harass the executives and relevant employees and basically strong-arm them into cooperation.

As long as you need to live in the UK, you're at their mercy.

If only there was a bigger power that looked a bit more after people's privacy and could stop local governments from doing this...


Yes.

"7.14 Section 217(8) provides that obligations may be imposed on, and technical capability notices given to, CSPs located outside the UK and may require things to be done or not done outside the UK. Where a notice is to be given to a person outside the UK, the notice may (in addition to electronic or other means of service) be given to the CSP:

-- By delivering it to the person’s principal office within the UK or, if the person does not have an office in the UK, to any place in the UK where the person carries on business or conducts activities; or

-- At an address in the UK specified by the person."

https://www.gov.uk/government/uploads/system/uploads/attachm... -- page 59


IANAL. International laws probably vary, but by having employees in a country, you may be subject to its laws.

For example, I am part owner of a Canadian company that sells an online service. If we hire US employees (developers), then we must collect sales tax and pay income tax for sales originating within the governing municipality.

Obviously, I am talking about US tax law, and your question is of a different nature, so the best thing to do is to contact a lawyer who has expertise in that area. I only offer my experience as evidence that the location of employees can impact the legal responsibilities of a foreign business.


The key issue, I think, is not what law-theoretically does and does not theoretically oblige you to comply with a jurisdiction, but the assets and people which are within reaching distance of the applicable government. Whether a service is accessible from the UK is irrelevant so long as you have no assets, no employees in the UK. Conversely, if you have assets or employees in the UK, you can expect them to be under threat of seizure or coercion, respectively.

I also don't think it's a safe assumption in any jurisdiction nowadays that the person who gets served with a notice will be an executive. It seems quite plausible to me that a front-line engineer could get served with a notice, and not even be allowed to tell an executive. Thus, even if your employees in the UK don't appear to have been coerced, this appearance could be deceiving.

There may be some limited countermeasures to this sort of thing, like regular audits of system configurations, etc. performed by a different group of people, and who will thus cry murder if they find any anomalies. This should work because the second group of people will not be the target of a notice, and thus not bound by its secrecy provisions. Possibly this group could do their auditing remotely, from outside the UK. Of course the in-UK group could, under coercion, rootkit the system to hide these changes, probably by being told to install government-issued software. Hmm...


Yes. You'd get leaned on personally, see Matrix-Churchill.


What if you operate in UK and have an office there? So from the privacy conscious user perspective one would need to check that a company operating the specific website doesn't have anything to do with the UK, it's not very practical and makes GCHQ kinda happy.


It becomes interesting when a company operates in the UK, but does all its software development elsewhere. UK law can't compel foreign software developers not to talk about what they've been asked to do, so I don't really believe the law will be successful in keeping such monitoring secret.

Even more interesting is how this would work regarding open-source software. You can't keep such a backdoor secret in GPL'ed software and comply with the license, but a UK company couldn't release changes they'd made to comply with the law either. So if you suddenly see UK companies move away from GPL'ed software for no obvious reason, that may be a clue.


Whilst you can't compel foreign software developers not to talk about what they've been asked to do, there are probably a couple of ways this remains possible:

(a) Disclosure would likely result in liability for the executive officers and/or Company Directors, which might be contempt of court, or something more serious;

(b) Software developers working for Apple (an example) are likely under strict Non-Disclosure Agreements as part of their employment contracts, so the company served with such a request will likely make it clear to those responsible for technical implementation that it's covered by NDA.

Even in the case of (b) if a developer quits rather than implement the functionality, in many jurisdictions, the employer would have grounds to pursue a gag order.


That's still only a civil matter in the US.

If I quit a job at Apple over this, Apple might have to sue me for appearances' sake, but my GoFundMe account would be quite fattened by the experience.


I wonder how people in the UK will respond if, for example, Google, Apple, Facebook and Microsoft all decide to no longer provide their internet services in the UK. How long would this bill last?

Also, it's quite concerning that four US based companies could influence a country's policies so much.


I am a non-UK citizen living in the UK. People will not respond. The government and business can literally do anything here regarding sharing of private data with whomever they choose and barring a few "miscreants trying to stir up trouble", the general population will bend over, twice if you say please. Mustn't grumble!


Most folks in the UK support this bill, support the UK leaving the EU, support the scrapping of all human rights legislation.

It's a pretty regressive, insular country, ruled by fear.


Nitpick: many in England say they're in favour of leaving the EU, etc.

Polls show NI/Wales/Scotland quite strongly opposed to such silliness.


> "It's a pretty regressive, insular country, ruled by fear."

I don't think it's quite like that, I think the media here has played a toxic role in our society. Many people still believe the BBC is an impartial news source, that alone speaks volumes. There's a tabloid-led mentality that is pervasive, and debates of any substance are limited by that.


IBM managed to convince Pakistan and India not to go to war!!


Uhh ... some source on that please? I couldn't find anything related


Not sure why he credits only IBM but several large IT companies including IBM, Microsoft, HP, Dell and many others pressured the Indian government not to launch punitive strikes against Pakistan after the Mumbai attacks.

There was a very big fear that if India and Pakistan will go to war the global IT business would suffer greatly because of just how much of the global IT has been outsourced to India.


Any references for this please.


Can you elaborate on how that happened and when?


The list of "equipment interference agencies" includes "Her Majesty’s Revenue and Customs" (HMRC). For those of you not in the UK, that's the people responsible for collecting tax.

Why would the tax department ever be allowed to do something like this directly? They seem incapable of fairly collecting the taxes of the country, what business do they have acting as an "equipment interference agency"?


They have an investigatory arm of their own and have been known to go after corporate data, particularly email, as part of looking into what they believe may be tax fraud.

One could reasonably question why this isn't a department or division of another agency, perhaps NCA, but I think it's a fair statement that forensic accounting and investigation is a somewhat specialised skill.


And also the Competition and Markets Authority, who will be able to obtain a warrant to hack corporate servers in order to investigate 'serious crimes' as defined by the Enterprise Act.


You wouldn't know from reading the TC article (which is almost criminally poor), but yes, this is very, very bad.

Read the actual proposal instead, it's written in natural language and perfectly readable: https://www.gov.uk/government/uploads/system/uploads/attachm... -- Chapter 7, begins at page 57.


All these new US & UK laws literally scream "Snowden is a traitor!".

Who wants to live in such a society?


Would I want to? Hell no.

Unfortunately the sands are shifting under me and since we are about two steps back from full idiocracy I can't see it changing.

We have an electorate that is willfully, almost gleefully, uninformed, ruled over by politicians who are venal and rarely if ever held to account.

The whole system is bullshit from council to ministers.

The interesting question for me is more "has it always been this bad and we didn't know or are things actually worse now", I'm leaning towards the former as if you look at the history of government (in this country and most countries tbh) it's a litany of abuse after abuse.


I think it's safe to say that if this passes, UK security companies will no longer exist for all intents and purposes. I'm not saying they'll immediately go out of business, but I can't imagine anyone in their right mind trusting any UK business again, especially companies outside the UK. I'm not simply talking about companies whose main line of business is security, but essentially every technology company that even has an SSL'd website. Considering the wide variety of global competition, how could a serious CTO allow his company to do business with any UK company knowing he's exposing his own company to risks that could shut it down? No one in their right mind would do that.

The same can be said if the FBI wins the Apple case. I cannot see how this will not destroy at the very least the country's technology infrastructure. I'm not sure about the UK, but certainly in the US such actions would lead to a recession or worse considering that technology is pretty much the only sector to have recovered since the on-going recession. I suspect similar consequences for any country whose economy relies so heavily on technology, however.


People who can enter a back door:

  1. people with a key
  2. people with the skill to open the door (burglar)

It's strange the UK thinks number 2 will never happen.


#3. People who receive the key from #1 (in the future).

This may be next year's elected official, or the official elected in 10 years, or the spy who will work in the office 7 years and 2 months from now. Can you guarantee the intentions and actions of every single future government employee and official? This, in my opinion, is the biggest threat!


You can't even guarantee the intentions and actions of the government in its entirety, good governments have historically been succeeded by bad ones in roughly the same way that rain eventually follows sunshine and the other way around. To assume infinite stability of government is a major mistake.


The second occurrence is not only inevitable, it refutes the notion of a door in the first place, which is supposed to be fully opened at some stage for long periods, not temporarily opened in-case-of-emergency, or half-shut just-in-case.


No, they do think and know (2) will happen, and are probably hoping it does, as they realise that when it happens they can use it as an argument as to why they need MORE surveillance powers and MORE backdoors because "the bad guys" are STILL getting through, so more surveillance powers will be needed to keep you safe from the evil without, and to help you keep your British values good and strong.


Playing Devil's Advocate, couldn't the company require something signed with their private key to open the back door?

Apple (for example) would already be in serious trouble if someone got their private keys; they use them to sign OS updates, for example. If they could generate a device-specific signed cookie to say "open up", what harm would that do?
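The device-specific signed "open up" cookie proposed in this comment, sketched as an added example that is not part of the thread and not Apple's or any vendor's actual mechanism. The token layout, device IDs, timestamps and function names are all hypothetical; it shows which misuse the signature bounds and which it does not.

```javascript
// Added illustration: a vendor-signed, device-specific unlock token.
// Token layout, device IDs and all names here are hypothetical.
const nodeCrypto = require('crypto');

// Vendor signing key pair. A real device would hold only the public half.
const vendor = nodeCrypto.generateKeyPairSync('ed25519');

// Fixed field order so signer and verifier hash identical bytes.
function encodeClaims(claims) {
  return Buffer.from(JSON.stringify({
    deviceId: claims.deviceId,
    notAfter: claims.notAfter,
    nonce: claims.nonce,
  }), 'utf8');
}

// Vendor side. Anyone holding privateKey can run this for ANY deviceId.
function mintUnlockToken(privateKey, deviceId, notAfter) {
  const claims = {
    deviceId,
    notAfter,
    nonce: nodeCrypto.randomBytes(16).toString('hex'),
  };
  const sig = nodeCrypto.sign(null, encodeClaims(claims), privateKey);
  return { claims, sig: sig.toString('base64') };
}

// Device side. Returns 'accept' or the reason for rejection.
function checkUnlockToken(publicKey, myDeviceId, now, seenNonces, token) {
  let valid = false;
  try {
    if (!token || typeof token.sig !== 'string' || typeof token.claims !== 'object') {
      return 'malformed';
    }
    valid = nodeCrypto.verify(null, encodeClaims(token.claims), publicKey,
      Buffer.from(token.sig, 'base64'));
  } catch (err) {
    return 'malformed';
  }
  if (!valid) return 'bad-signature';          // claims were altered or key is wrong
  if (token.claims.deviceId !== myDeviceId) return 'wrong-device';
  if (typeof token.claims.notAfter !== 'number' || now > token.claims.notAfter) {
    return 'expired';
  }
  if (seenNonces.has(token.claims.nonce)) return 'replayed';
  seenNonces.add(token.claims.nonce);
  return 'accept';
}

function demo() {
  const now = 1457700000;                      // constructed timestamp, in seconds
  const pub = vendor.publicKey;
  const seen = new Set();                      // device A's record of used nonces
  const token = mintUnlockToken(vendor.privateKey, 'DEVICE-A', now + 3600);
  const results = {};

  // The signature does bound these cases:
  results.otherDevice = checkUnlockToken(pub, 'DEVICE-B', now, new Set(), token); // 'wrong-device'
  results.first = checkUnlockToken(pub, 'DEVICE-A', now, seen, token);            // 'accept'
  results.replay = checkUnlockToken(pub, 'DEVICE-A', now, seen, token);           // 'replayed'
  results.expired = checkUnlockToken(pub, 'DEVICE-A', now + 7200, new Set(), token); // 'expired'
  const retargeted = {
    claims: Object.assign({}, token.claims, { deviceId: 'DEVICE-B' }),
    sig: token.sig,
  };
  results.retargeted = checkUnlockToken(pub, 'DEVICE-B', now, new Set(), retargeted); // 'bad-signature'

  // The signature does not bound this case: a copy of the signing key
  // (leaked, compelled or handed on) mints a token for any device.
  const copiedKey = nodeCrypto.createPrivateKey(
    vendor.privateKey.export({ format: 'pem', type: 'pkcs8' }));
  const rogue = mintUnlockToken(copiedKey, 'DEVICE-B', now + 3600);
  results.copiedKey = checkUnlockToken(pub, 'DEVICE-B', now, new Set(), rogue);   // 'accept'
  return results;
}

console.log(demo());
```

Device binding, expiry and replay checks limit what a single issued token can do; the last case shows that the whole scheme still reduces to who holds the signing key.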


These things also have a habit of growing arms and legs - so another issue is the number of people with the key. I can almost guarantee that at some point the number of people with the key will grow (police forces, councils...)

Yet another issue is oversight of those with the key (who watches the watchers)


They know it'll happen. The terrible part is, they don't care. It's a risk they're willing to take to acquire the power they're after.


...and yet we all still have door locks?

I don't think your analogy is going to help convince people that the policy is bad.


And people with a key could take your data and sell it.


As a UK-based founder (of a service with more than 10,000 users, which I guess could be targeted): what real steps could I take to make it technically impossible to comply with an order like this?

I would sooner leave the UK than sell out on our users and be forced to keep quiet and carry on.


Use your imagination.

The key tool in the box, I think, is to give people orders that you expressly state can't be later revoked. You can use this to construct something like the human equivalent of an HSM. (An HSM, after all, is something that you give orders that in general can't later be superseded, namely about how to control access to cryptographic keys, thus allowing you to reason strongly about the security it provides.)

These people will need to be outside the UK, and be people you trust doubly: firstly to secure whatever cryptographic materials you escrow with them, and secondly because they can by virtue of that escrow hold your company hostage.

Some possibilities include setting things up so they have to review all source code changes (making it impossible for you to sneak anything by them); and some manner of non-duress verification protocol. One possibility off the top of my head for such a protocol is to declare that a failure to state a certain password in any conversation constitutes a duress indication. Obviously for this to work all such conversations must be secure. The idea is that when you're the subject of a notice and are asking them to backdoor things with the government breathing down your neck (possibly literally), the person on the other end starts acting oddly mutinous, but you appear to be doing everything you can to get them to comply. So long as the government can't prove you've done anything to be unhelpful - can't prove the existence of the non-duress password - it seems like it would be hard to find a case to prosecute you.


It doesn't sound like you can. Once you've created a secure system you can't be forced to open, the government will simply tell you to add a backdoor and not allow you to talk about it.


Am I mistaken or is the UK moving more towards authoritarianism every time its politics hit the news? Disgusting.


It's moving towards a kind of Daily Mail fantasy land, in which there are peedos and brown-skinned terrorists everywhere, simultaneously wanting to live their lives taking advantage of the country, and also destroy it.

I see my tax bill going down, knowing that the few hundred quid extra I have per year (which is basically lost in the financial noise for me - meaningless) means that somewhere someone who really needed that money or the service it paid for is now being fucked over. I don't even know who; Cameron and chums (I go sailing sometimes with a chap who used to share a house with Dave Cameron; apparently he was a self-entitled tosser then as well) are fucking poor people over on my behalf, presumably thinking that this is what I want. Or maybe they don't even think it's what I want; maybe they're on some bizarre Randian kick, living in the Westminster bubble in which poor people simply don't deserve any help, and this is some kind of moral crusade from their messed-up Westminster bubble. The benefit to me; zero. The cost to the people at the bottom; devastating.

I see our "leaders" acting as absolute cowards; these are the people who should be inspiring us, but instead they rush to surrender our freedoms as fast as they can. Again, presumably because the Daily Mail tells them that this is what we want. The other lot aren't any better. Remember when Harman wanted to introduce compulsory ID cards? She had a long record of voting in favour of more government power and fewer civil liberties. Intellectual and moral cowards, the lot of them.


This is what I struggle with. Are they evil, blind, or both? The Conservatives are firmly in power now. Labour, the Lib Dems and even UKIP have been neutered. Corbyn is not going to lead Labour to victory in 2020.

You would think that they could relax. They no longer need to pander to the tabloids. If they liked, they could dismantle the media and rebuild it in their image. They could build a gigantic statue of Theresa May. They could go to war. The potential for evil doings is endless.

Instead they spend their time fucking over disabled people. I mean... why? What's in it for them?


While there has been a lot of bad news in this area, and a lot of nonsensical lawmaking, there has also been a lot of internet hysteria over very little.

We have problems. It's not a police state (yet) any more than the US or other western nations.


It's definitely the direction it is heading.


One of the most worrying things is how the Tories are changing the game to try and make sure they remain in power.

Changing boundaries in a way that disproportionately benefits themselves.

Changing voter registration / deregistration to make non-Tory voters more likely to become deregistered.

Lowering short money when they rely on it the least.

Changing the way donations from unions work to drastically lower Labour's funds.

So we can probably expect a Tory gov for a long time. Not that Blair's Labour were much better...


> "So we can probably expect a Tory gov for a long time. Not that Blair's Labour were much better..."

I beg to differ. I was no fan of Blair, but the current Tory government is absolutely blatant in its disregard for public service. Here's the latest example, from earlier today...

http://www.mirror.co.uk/news/uk-news/iain-duncan-smith-claim...

"Heartless Iain Duncan Smith today claimed people thanked him for taking their benefits away.

He was accused of "losing the plot" after making a string of increasingly bizarre claims about his department's cruel benefit sanctions regime.

The Tory Work and Pensions secretary said 75% of people who have had their benefits stopped under his department's cruel sanctions regime said it helped them "focus and get on."

A spokesperson for the Department for Work and Pensions (DWP) was not immediately able to back up Mr Duncan Smith's claim.

But the sister of ex-soldier David Clapson, who died starving and penniless after having his benefits stopped said: "I don't think my brother said it had helped him get on.""

P.S. I know the Mirror isn't the best news source, but in this case the evidence is pretty clear.


You are not mistaken.


Would you accept a bill to force TSA locks on all houses?


This is a slightly different situation since it's within the realm of possibility for companies to implement security measures which make it difficult (or impossible) for interception of data by LEO.

That isn't really true in the case of houses so there's no need to legislate for "TSA locks" (master key system). Obtaining a warrant is still required but once you have authority, you can bash in the door, drill the lock, etc.


> This is a slightly different situation since it's within the realm of possibility for companies to implement security measures which make it difficult (or impossible) for interception of data by LEO.

I don't understand why people imagine this to be a novel situation. LEOs can't get documents if the suspect always destroys them immediately after reading them. If you keep your secrets in a box in a hole in the middle of the desert, a warrant isn't going to find it or even prove it exists.

That has never been an excuse to ban paper shredders or track everyone's movements 24/7 in case they ever went to a secret place to do a secret thing.


That's not different from what has always happened with telephone companies in many countries, maybe worldwide. And nobody was ever shocked about it!


What stops rich evil people from buying or incorporating a small town (with its own police force) just to get access to these powers nationwide?


I was wondering how I might be affected as a non-UK app user? It sounds like any company which has employees in the UK could be compelled to install a backdoor if this legislation becomes law. I'm not sure how this would play out but I'm hoping that if this becomes law it isn't essentially a law forcing a backdoor into all the apps that I use on a daily basis. My guess is that the companies would release geo-targeted versions of their backdoored apps for UK users downloading them from the various app stores and non-UK users would still be downloading the non-backdoored versions. But maybe not?


So simply if someone hacks into that startup company they can use all those backdoors to spy on what the government employees do with their phones.

People need to think of the consequences of getting what you want.


I believe that whilst a CSP (small IT company with >10K users) cannot directly publish details about a warrant, they are able to publish things like "We have responded to 2 warrants in the first quarter".

7.21 in the notes pdf about section 115 in the Bill

"This includes provision for CSPs to be able to publish information in relation to the number of warrants they have given effect to. In order to ensure that this does not reveal sensitive information that could undermine the ability of the security and intelligence and law enforcement agencies to do their job, further information on the way in which this information can be published is set out in regulations. The regulations make clear that statistical information can be published on the number of warrants that a CSP has given effect to within a specified range rather than the exact number. "

So a company can both disclose the number of warrants and is authorized to disclose information about warrants in general and not particular ones.

For example, a company would be allowed to publish how much warrants have cost them and taxpayers.


Meanwhile in the UK: "Fingerprints and DNA of at least 45 terrorist suspects must be destroyed after police forces failed to complete paperwork which would have allowed them to be stored indefinitely in anti-terror databases, a watchdog has disclosed. The error means potentially vital forensic evidence will be lost at a time when Britain is in a high state of terror alert. "

http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/1...


Better wording of a back door is downgraded security. For an institution whose sole purpose is to engender security, they do the opposite. It's like saying they have better, more expensive guns than the rest of us.

Which collectively if you think about it, and round up all the PCs in each home, and all the security that goes into them, it's (collectively) the most militarized group of computers there is, and they obviously don't feel outgunned.


> For an institution whose sole purpose is to engender security, they do the opposite.

Well the security they engender is mostly physical security i.e. not getting blown up by terrorists while the security they want to breach is information security. I could see why some people would not mind trading privacy for reducing the chance of getting blown up, all else being unconsidered.


> Well the security they engender is mostly physical security i.e. not getting blown up by terrorists while the security they want to breach is information security.

This is exactly my point. They use the terrorist strawman to frame their agenda; which is to hack all the internets without anyone batting an eyelid.

Information technology is but one facet of reality, and a reflection. It is not the whole thing. It's for this reason it is more suitable to get to the core of why anyone would want to commit an act such as blowing oneself up in the first place.

It's like going all guns blazing on the symptoms of flu. Unless a cure is invented it will haunt us and we only have symptomatic relief.

I can understand the motivations for going after anyone doing something technically interesting with a computer (actually a rare thing unless you are supremely skilled and have chosen a life of learning systems and divulging technical manuals). Also see: homebrew crypto


The problem is that some privacy is essential for democracy to function: you can't have the secret police going around bugging political parties and feeding information to their preferred candidates. Breaching encryption is like Watergate but without all the tedious need to physically break into a hotel.


> Breaching encryption is like Watergate but without all the tedious need to physically break into a hotel.

I don't agree. When I'm in a hotel room, I'm supposed to enjoy some privacy. If this bill passes, you will know a priori that electronic communication is under judiciary control. As I said before, it will be the same as it has always been with telephone.

Really, absolutely-private remote communication didn't even exist before the advent of computers. And now it looks like it's a fundamental human right and no discussion is possible. I don't think that such a bill should be forced on UK (or any other) people, but fighting criminality is at least as important, and I'm not shocked that compromises are being proposed and discussed.


Remote communication other than by courier didn't exist at all prior to the 19th century and the telegraph. That's why it was left out of the construction of the 4th Amendment.

You can make an argument for crimefighting, but then you have to stay within the judicial boundaries: limited access, requiring a warrant, limited use, requirement for basis for suspicion. The crimefighting process is there to produce evidence which is then presented to a court in public.

The problem with the IP bill is that it comes from the military intelligence point of view instead. The process produces intelligence which is then classified and is illegal for the public to see. There are warrants to be issued under the IP bill: it is a criminal offence for the people on whom the warrant is served "to disclose to any person, without reasonable excuse, the existence or contents of the warrant." This provision does not come with a time limit. You can be ordered to hack activists or opposition parties or human rights lawyers and not allowed to whistleblow, ever.

There are some extraordinary little subclauses like 154.(9):

"Any conduct which is carried out in accordance with a bulk equipment interference warrant is lawful for all purposes"


You make a sensible point against this particular bill.

I just can't understand why any resemblance of a limitation of the privacy over electronic communication is greeted with such outrage. I do understand that encryption can be either controllable XOR secure. But my point is that secure encryption has never been a right: actually, the discussion has just started, due to the recent spread of its usage.

Again, telephone and (thanks for reminding) courier have always been controllable, thus not secure. Deciding whether a non-controllable medium of remote communication should exist, and who may use it, is a social and political question (like, for example, cloning: it is technically possible, but drastically controlled by laws). I understand it's quite natural for us HN-ers to stand on one side, but the world is bigger than HN.


> the discussion has just started

I'm afraid it's been going on for decades: https://www.epic.org/crypto/clipper/

And that's partly why the mistrust exists. Law enforcement agencies are not given the benefit of the doubt on this because of previous abuses. There's a history here which is too long to #include every time the subject comes up.

> Deciding whether a non-controllable medium of remote communication should exist, and who may use it, is a social and political question

"Controllable" is a word shift from "secret", and that's what the US 1st Amendment guarantees: the existence of non-controllable means of remote communication. After all, one of the founding heroes of the US was a "terrorist" who brought messages to the other members of his anti-government cell.

The UK situation is much worse, and a full discussion would have to involve the abuses of the last generation of antiterrorist police and military action in Northern Ireland.


Not only that, privacy is integral to physical security. If you have no privacy then attackers know exactly when and where you're vulnerable to physical attack.


I suspect that there will be a massive drive from early adopters, such as HN readers, to shift toward FOSS and decentralised services, where such laws wouldn't apply (I'd have thought), in order to avoid state intrusion on their private affairs.

Others would then follow, and although a lucrative industry might suffer, in the long run we may all be better off.


After reading this article, news about this scares me. What happens when we leave a government's power unchecked? There have been too many times throughout history where unchecked power can lead to disastrous consequences. We need our voices to be heard, not silenced by the government.


One option could be to introduce third-party, user-driven end-to-end encryption on the data. This would mean you can say "Man, I am happy to cooperate but I have nothing in my control".


I think TechCrunch is panicking, given that this is for CSPs, i.e. ISPs or telcos, to facilitate tapping (as already happens).

It looks likely that 95% of the startups in the UK won't be covered.


No - because the definition of CSP is vague enough to include any professional provider of online content and/or services.

So it's more likely that 100% of UK startups (with at least 10,000 users) will be covered.

This doesn't mean that startups have to build in backdoors now. But it does mean that if someone from the Ministry of Something or Other or MI5/6 or the Police turns up and demands a backdoor and/or access to records, the startup has to comply.

I have no idea where this leaves Apple, providers of VPNs, or startups trying to provide secure communications.

At a guess it means they'll probably try to stay outside of UK jurisdiction. And I won't be even slightly surprised if banning VPNs is the next step.

It's obvious this is going to collide head-on with the Apple vs FBI case in the US. But this time we won't be able to follow it, because the legislation includes a press and reporting gag.

The UK's Home Office is notorious for being stuffed full of authoritarian paranoiacs, and they're always doing stupid shit like this. You can't even blame the current gov because it was the same story with the previous crowd - although the authoritarian paranoiacs in power now seem to be trying to take things to the next few levels.


The definition of CSC is key and I suspect will need to be defined in law. Quietly lobbying a few Lords or sympathetic MPs to amend the bill would be better; praying Apple's very weak case against the FBI in aid won't help.


How will this impact operating systems like Ubuntu? Will they be forced to put a back door into anything that connects to the internet?


It mandates providing capability for interception, interference, and acquisition.

I wonder if we're going to see companies making increased efforts to make as much customer information completely unavailable to themselves to make these warrants not worth applying for? Unfortunately most businesses cannot operate in this manner fully, obviously.


> “Small companies (with under 10,000 users) will not be obligated to provide a permanent technical capability, although they may be obligated to give effect to a warrant.”

I can imagine someone getting creative and redefining what they call a user… though I can imagine this devolving into if you have under x page views… and then x time spent on site… how much bandwidth over the wire… etc.

Such a joke, I hope everyone is enjoying their view of the circus lol


Please, I urge you to put backdoors in all your startup apps.

Sincerely, Russia & China


People are missing the point a lot here. I have good reason to believe that this is being pushed and supported by those seeking punitive enforcement of copyright laws. Combine this with recent internet tracking laws and you have a serious problem


I think there was this idea that crypto nerds could just ignore politics and seek liberty via technological solutions and live in their own little make believe geek data haven wonderland. Wrong.


Little by little, month by month, our privacy is going out the window.

It's similar to how they are making smoking less and less popular by making new laws, increasing prices, and raising the legal smoking age.


Admit it, we live in a fu* up world.


Lie to the machines!

Under the spreading chestnut tree, I sold you and you sold me.

Be Vigilant. Be Pure. Behave.


>UK Does something evil

No way!


I'm creating my own startup at the moment. I haven't got a front door, let alone a back door...


I looked through the draft bill a few months ago and I couldn't find the "we will force you to put backdoors in your software" anywhere in the bill.

Most of it seems like bureaucrats trying to get access to information after they have obtained warrants. It all seems a lot more boring and a lot less cloak and dagger if you actually dredge through the bill here:

https://www.gov.uk/government/uploads/system/uploads/attachm...

The document mentions encryption four times and backdoors no times. One of those times is to say that the bill does not change anything about encryption that isn't already in law under this bill, RIPA: https://en.wikipedia.org/wiki/Regulation_of_Investigatory_Po...

Really actually more scared of RIPA (which is already law) than this:

"In October 2014, it was revealed that RIPA had been used by UK police forces to obtain information about journalists' sources in at least two cases. These related to the so-called Plebgate inquiry and the prosecution of Chris Huhne for perversion of the course of justice."

It's amazing to me that the first two cases are absolute abuses of power; I thought we were still being told that these laws were to stop terrorists and paedophiles, not find out journalists' sources...


Section 189(4)(c) of the Draft Investigatory Powers Bill places "obligations relating to the removal of electronic protection applied by a relevant operator to any communications or data".

A relevant operator includes telecommunications services, defined in s193(11) as "any service that consists in the provision of access to, and of facilities for making use of, any telecommunication system (whether or not one provided by the person providing the service)"

This has been slightly changed, now that the IP bill is no longer a draft: http://www.publications.parliament.uk/pa/bills/cbill/2015-20...

The above draft is now re-written as:

s217(4)(c): "obligations relating to the removal by a relevant operator of electronic protection applied by or on behalf of that operator to any communications or data".

There's an appeals process, but the gist is that they're not outright banning backdoors. But if they come knocking, you better find a way to remove any protection that's there. Which is rather chilling.


If the government goes to a judge and gets a court order to access information this is what I consider reasonable and in fact a good thing!

It seems to suggest that technical feasibility and cost need to be taken into account as well. If it's technically impossible due to SpiderOak-style end-to-end encryption or, for example, the new iPhones (6+6s) having some very advanced encryption features, I'm not certain that there is a requirement to insert a backdoor.

If the security services were monitoring a person who was genuinely planning to kill people and they asked you to put in a limited back door?

Most services, remember, do not have encrypted backend systems and it'll probably always be this way.

Mass surveillance is the complete opposite of this and is a totally unreasonable intrusion.


Except if you put in the back door it's not limited to that one person planning to kill people. It would be for everyone, in which case it is potentially mass surveillance.

Not to mention that the "someone planning to kill a bunch of people" scenario never actually happens. Typically these tools are used when prosecuting regular people for regular crimes, or looking for information after an attack has already happened (San Bernardino). Nobody has yet been able to point to a case of consequence where this type of surveillance was ever used for someone actively planning an attack.


I like that you pointed out it never prevents the attack, always worth remembering. Does finding connections from an attack work either?


I guess it depends on what you mean by a "backdoor"; being able to remove any CSP added encryption upon request and being forced to explicitly add easily enabled monitoring tools (only if above a certain size or if the CSP is considered likely to be served warrants) is a backdoor by quite a few people's definition.


See the provisions for technical capability notices. I covered the draft version here: https://www.devever.net/~hl/investigatorypowers



