Here is another Must Read: You’re a Criminal in a Mass Surveillance World – How to Not Get Caught »
Author: HAX
The Eye of Sauron Is the Modern Surveillance State
Recommended read from Slate: The Eye of Sauron Is the Modern Surveillance State – Tolkien, not Orwell, understood today’s spying best »
UK to escalate the war on encryption
The announced UK Investigatory Powers Bill is said to “force some of the world’s biggest internet companies including Google, Apple and Facebook to hand over encrypted messages from terror suspects”. (The Telegraph »)
To be fair, it should be pointed out that this specific part of the bill is said to be limited to “suspects under investigation”. So it’s not about blanket mass surveillance. But I’m sure that is being covered in other parts of the same bill, said to…
…“address ongoing capability gaps” that are hindering the ability of the security services to fight terrorism and other serious crime. (…)
A Home Office spokesman said the bill was a “landmark piece of legislation to cover the whole investigatory powers landscape in modern communications”.
I guess it’s going to be pretty bad. But back to the encryption issue. Ars Technica points out that…
In the face of these demands, some companies might decide to re-design their systems such that it would be impossible for them to break the encryption even if required to do so by law. This facility is already available from companies offering peer-to-peer encryption. If the UK government goes ahead with this plan, we are likely to see this approach being adopted by more communications providers and messaging apps, which would undermine the effectiveness of the proposed law.
So, the effect of far-reaching legislation might actually be that it will be harder for authorities to obtain the information they want. Even in legitimate cases.
In the UK, you can be put in prison if you don’t surrender your encryption key to the authorities. But that isn’t much use when it comes to covert surveillance, is it?
With P2P encryption you can legislate as much as you want. It will not work.
This leaves the UK government with one option: to demand that all P2P encryption – somehow – be corrupted by back doors.
That would be a terrible idea. And if at all possible, it would only work with big, commonly used communication apps and systems. I cannot see how anything other than traditional and time-consuming code breaking could be used against open source encryption software in P2P communications.
The only option left for the UK government might be to make such encryption illegal. And trust me, this is an option that will be taken under consideration…
The war on encryption is now entering the madcap phase.
/ HAX
• The Telegraph: Google and Whatsapp will be forced to hand messages to MI5 »
• Ars Technica: New UK law would give government access to encrypted Internet messaging apps »
• Ars Technica: The new war on encryption is based on a lie »
Queen’s Speech and Big Brother
The BBC sums up the Queen’s Speech from today’s opening of the British Parliament. Here is what to expect when it comes to Big Brother-related bills…
Extremism Bill
This includes measures to tackle broadcasting of extremist material. The government wants to strengthen watchdog Ofcom so that it can take action against channels that transmit extremist content. The legislation will also propose the introduction of banning orders for extremist organisations who use hate speech in public places, but whose activities fall short of proscription. A new power to allow police and local authorities to close down premises used to support extremism will also feature. And employers will be able to check whether an individual is an extremist and bar them from working with children.
Investigatory Powers Bill
“New legislation will modernise the law on communications data,” the speech said. An Investigatory Powers Bill will revive plans to give intelligence agencies new tools to target communications data – branded a “snooper’s charter” by critics. The government says it will equip the police intelligence agencies with the tools to keep people safe.
…and what is not in the Queen’s Speech?
Although it appears in the Queen’s Speech, there is no legislation, either in full or draft form, on a British Bill of Rights. Instead, ministers will consult on the pros of replacing the Human Rights Act with a new legal framework of rights and responsibilities.
Read more at BBC – Queen’s Speech 2015: Bill-by-bill »
Is the NSA to shut down bulk surveillance programs? Maybe not.
The NSA bulk surveillance program is hanging by a thread, as the controversial Patriot Act expires and as the US Senate did not manage to adopt a replacement bill (the USA Freedom Act) before its week-long recess.
The Associated Press reports…
“In a chaotic scene during the wee hours of Saturday, Senate Republicans blocked a bill known as the USA Freedom Act, which would have ended the NSA’s bulk collection but preserved its ability to search the records held by the phone companies on a case-by-case basis. The bill was backed by President Barack Obama, House Republicans and the nation’s top law enforcement and intelligence officials.”
There will be an emergency session scheduled for Sunday, May 31st.
This is a cliffhanger. But even if the replacement bill is adopted, bulk mass surveillance will not end. It will only change form.
The USA Freedom Act requires telecoms metadata to be kept by the phone companies. This is the same model as in the EU Data Retention Directive. Even though this directive has been invalidated by the European Court of Justice for breaching human rights, it is already implemented in most EU member states.
In many EU countries authorities use data retention on a massive scale and in a rather indiscriminate way. In some countries there are even attempts to give the police direct online access to metadata held by the telecoms.
So even if the Freedom Act is adopted, it will not be the end of bulk collection of telecoms data in the US. It will not be as bad as the Patriot Act, but still it will be pretty bad.
However, it will be interesting to see what happens if the Freedom Act is not adopted before the Patriot Act expires. In that case the NSA might have to shut down parts of their operation. At least for some time. (For all the public is allowed to know…)
• NSA is getting ready to shut down bulk surveillance programs in response to failed Senate vote »
• NSA winds down once-secret phone-records collection program »
/ HAX
No shit, Sherlock…
Washington Times: FBI admits no major cases cracked with Patriot Act snooping powers »
“The new war on encryption is based on a lie”
Glyn Moody at Ars Technica: We do not need to weaken security for all in order to deal with a few criminals »
Mixed US messages on cyber security
In South Korea US Secretary of State John Kerry gave a speech on cyber security and international law earlier this week. Some quotes…
“As I’ve mentioned, the basic rules of international law apply in cyberspace. Acts of aggression are not permissible.”
“First, no country should conduct or knowingly support online activity that intentionally damages or impedes the use of another country’s critical infrastructure. Second, no country should seek either to prevent emergency teams from responding to a cybersecurity incident, or allow its own teams to cause harm. Third, no country should conduct or support cyber-enabled theft of intellectual property, trade secrets, or other confidential business information for commercial gain. Fourth, every country should mitigate malicious cyber activity emanating from its soil, and they should do so in a transparent, accountable and cooperative way. And fifth, every country should do what it can to help states that are victimized by a cyberattack.”
The obvious question is: Does that include the NSA?
Is the alleged NSA attack on the SWIFT bank transfer system a “malicious cyber activity”?
What about all the mischief documented in the NSA’s own PowerPoint presentations, revealed to the world by Edward Snowden? Does that count as “malicious cyber activity”?
Might the British GCHQ’s attack on Belgacom and the EU institutions be considered a “malicious cyber activity”?
The Swedish government (Sweden’s FRA is a very close partner of the NSA and GCHQ) has proposed that the Swedish military should be allowed to conduct “active” surveillance, i.e. cyber attacks. (The Snowden files have revealed that the Swedish FRA is already involved in such activities, in cooperation with GCHQ. So this is just about adjusting the law to what is actually going on.) Would that count as “malicious cyber activity”?
When John Kerry calls for international rules — would they apply to all countries?
Probably not.
/ HAX
Link: Kerry: Internet ‘Needs Rules to Be Able to Flourish and Work Properly’ »
Pirate Bay domains seized by Swedish court
Today a Swedish district court decided that Pirate Bay founder Fredrik Neij can no longer control the domains piratebay.se and thepiratebay.se – as they have been used for “illegal activities”.
However – the court does not give the government control over the domains. They stay with the top-level domain administrator, the Punkt.se foundation.
On the one hand, it is strange that domain names can be seized. It is as if a street address were seized because of illegal activities carried out there.
On the other hand, it is interesting that the court does not accept the prosecutor’s demand for the domain names to be handed over to the Swedish government. This still gives top-level domain administrators some leverage – and indicates that they are not liable for how a domain is used.
But the most important lesson to be learned from today’s verdict is that we need to build a decentralised system for domain names, where they cannot be seized or taken down.
/ HAX
Read more: Key Pirate Bay Domains Must Be Seized, Court Rules »
Free speech vs. copyright
In the Garcia vs. Google case, the US Ninth Circuit Court of Appeals states “The appeal teaches a simple lesson—a weak copyright claim cannot justify censorship in the guise of authorship.”
Read more:
Finally! Victory for Free Speech in Garcia v. Google »
Court: Actor Can’t Force Removal of Innocence of Muslims Trailer »