This will be my first blog where I am going to a) plead ignorance; b) ask for your input, and c) actually listen to someone else’s opinion (potentially).
I have just spent all day today going over parts of The Investigatory Powers Bill (IPB), the Regulation of Investigatory Powers Act (RIPA) of 2000, as well as listening to Theresa May’s statement on Parliamentlive.tv, all in an effort to find SOME evidence that it could “…allow Government to ban end-to-end encryption, technology powering iMessage and WhatsApp”.
OK, so that’s just according to The Independent, but The Guardian has their; “Investigatory powers bill: snooper’s charter to remain firmly in place”, The Telegraph has their; “Internet firms to be banned from offering unbreakable encryption under new laws” and so on.
All I could find in the IPB was this;
189 – Maintenance of technical capability
(4) The obligations that may be imposed by regulations under this section include, among other things—
(c) obligations relating to the removal of electronic protection applied by a relevant operator to any communications or data;
(e) obligations relating to the handling or disclosure of any material or data.
…as well as a reference to encryption as it related to RIPA, which states;
21 – Lawful acquisition and disclosure of communications data.
(4) In this Chapter “communications data” means any of the following—
(b) any information which includes none of the contents of a communication (apart from any information falling within paragraph (a)) and is about the use made by any person—
So, first my ignorance; I do not speak Governmental legalese, so I have no idea if the vagueness of this is just a way of saying ‘we can do anything we want’, or it’s an established-by-precedent way of saying ‘this is all we can do’.
I have also not read the whole thing; it’s 300 pages long and makes the PCI DSS look like the last Harry Potter book.
Which brings me to the second part; your input. There will be those who have read not only the IPB, but the RIPA, the Communications Data Bill of 2012, as well as the Data Retention and Investigatory Powers Act of 2014. You also are likely to fall [mostly] into one of only two categories; for, and against.
I would love to hear reasoned thoughts from both, or at least point me to an unbiased Cliff Note version of each!
Finally, listening to someone else’s opinion; anyone who has been nice / bored enough to read my blogs over the last 2.5 years will not have read even one where I was in any way unsure of my opinion / stance. Even when it comes to security (what’s the font for sarcasm?).
In this case, I am 100% on the fence (mostly because of 1. above), but partially because any talk of ‘investigatory powers’ or ‘interception of communications’ will have a significant impact on privacy, and the implementation of my real interest; Identity Management.
While my thoughts on privacy itself are public record, the impact these Governmental powers will have on putting true Identity Management into effect is far from clear to me. There will be no secure mobile payments, no Internet of Things, and no hiding from your wife if there is something in the middle capable of ‘reading’ my communications. Not because I don’t trust the Government, but because anything THEY have access to will eventually be available to the bad guys.
We work within established rules of decency, they don’t (the bad guys that is).
Basically, please help, all comments / thoughts welcomed.