Slashdot Log In
UK Building Eavesdropping Infrastructure
Posted by
timothy
on Sat Apr 29, 2000 10:26 PM
from the nothing-sacred-anymore-unless-known dept.
from the nothing-sacred-anymore-unless-known dept.
This Sunday Times story about a new office under MI5 scheduled to open later this year with the innocuous name of "Government Technical Assistance Centre" to oversee the content of e-mail sent by and to Britons ought to give pause to anyone interested in online privacy. Though governments will always be several steps behind determined privacy seekers, this bodes ill for anyone who'd prefer to keep the contents of their e-mail even nominally secret. "The security service and the police will still need Home Office
permission to search for e-mails and internet traffic, but they
can apply for general warrants that would enable them to
intercept communications for a company or an organisation," says the article. How comforting.
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
Re:Forcing Handover of PGP keys (Score:2)
Not only can they force you to hand over a key, but it is an offence under the bill to tell anyone that you have handed over the key - so you legally required to keep using your old key! Worse if you are not the key issuer - they just get it off your company / key provider, and no-one tells you.
"But, Sir, I've lost the key." NT problems have meant, for example, that I have had to change PGP keys twice in the past 12 months. Oh dear, under the current proposal, the burden of proof that you do not have access to the key is on you, not them.
So, I send an email with some {kiddie porn, spoof drugs information, death threats etc} to you, using the public key of a key pair I generated just to get you into trouble. I then bin the keys and the spooks raid you and demand the private key. You must prove (logically impossible that it it) that you do not possess the key.
Or, an ex-employer of yours is involved in something dodgy (after you have left, of course.) You hand back your corporate laptop, having deleted your private key. 12 months later, you are required to produce that key!
Them: "Where is the backup?"
Us: "Oh, I think I used that disk to try out a new Linux distro - its been reformatted."
Them: "Prove it!"
This bill is scarey. Fortunately, it is not yet law. Mind you, it isn't ?UCITA?, so it is only the government cracking your computers, not every Corp who wrote any piece of software you use.
Last rant: the ISPs are being made to pay for installing their ends of this system. They reckon it is going to cost between $75k and $250k per year for them to snoop for the Govt. They are not happy.
Re:The Police State Race (Score:2)
it seems the U.K. will probably win [a race to see who becomes a police state first]
Our government is doing its best to make the UK the best place in the world to host e-commerce (or so they tell me). Has anyone seen any evidence of this ?
So far I've seen the IR35 tax changes making freelance contractors extinct, or driving us abroad. We have Jack Straw's bill to make us surrender passwords, for the strong crypto they don't want us to have anyway. Now we have a tax on ISPs to not only spy on us, but to make us pay for doing so !
Feel like complaining ? Take a look at http://www.stand.org.uk/ [stand.org.uk] and join in
Legal Clarifications (Score:4)
First, in the UK as well as the countries that more or less inherited their constitutional structures from it, the doctrine of crown immunity means that it is not, in general, possible to sue the executive government. There is legislation specifically allowing many sorts of legal action against governments in all the relevant jurisdictions however I would be very surprised if the UK Government has passed legislation permitting the intelligence services to be sued - this would be very out of character in the home of the Official Secrets Act and oversight-free intelligence organisations.
Second, even assuming that the UK Government may be sued for the actions of the Security Service (commonly referred to as MI5), they would have to have done something illegal, and the illegality would have to be proven. Given that the Security Service can get warrants to read people's email, the whole process would presumably be above board. Even assuming the action was illegal (ie the proper permissions had not been sought) given the high level of secrecy surrounding Security Service operations, one probably have the greatest of difficulty proving anything useful.
Third, you can forget about going to court and complaining that the legislation is unconstitutional or otherwise beyond the power of parliament - this is a concept foreign to the UK constitutional arrangement. The parliament has power to pass any law. The only check on this might be an appeal to the European Court of Human Rights. If you are not from a Council of Europe country I don't think you have standing before that court and, even then, the court does not have a record of intervening in areas of "National Security".
On the issue of the right of the British Government to listen to the communications of non-Brits outside Britain, the British government has always maintained that the Royal Prerogative of the Security of the Realm (or national security - the name changes) permits it to operate overseas intelligence services. This right is also claimed by other countries. While it doesn't legalise under the local law anything that the SIS may do outside Britain, it does mean that the electronic spying done by GCHQ and this new outfit from within the UK is unassailable under UK law and, since it occurs in Britain, not covered by anyone else's law.
Re:My real concern is (Score:2)
Far more "fun" if this gets used against government ministers, senior civil servents, police offices, etc...
Re:Brits, and encrypted email (Score:2)
if the email is encrypted the enforcement agencies can demand the key, and if you don supply it you are liable to a two year prison sentance ( this is the proposed RIP bill not yet an act of parliament)
Kinda-sorta OT: Is there an intro to PGP stuff? (Score:2)
I know next to nothing about encrypting e-mail, but am beginning to think that it might be wise to at least know how to do it and to have a PGP key so if someone wants to send me something private, they can do so (and if nothing else, I'd be s00p3r-d00p3r 31337, or something).
Is there, like, a "PGP for Dummies" page out there, which would explain the system in such a way that a newcower can understand it?
Thanks, and sorry for the WOB. And I was just kidding about the "1337" stuff.
Steve
========
Stephen C. VanDahm
Re:Actually, it'll be pretty easy (so to speak)... (Score:2)
Re:Hmm, what about for non-British persons? (Score:2)
Just a thought
Waitadoggone minute here. (Score:2)
other stories has spoken of nuclear landmines, genetically selective antipersonnel weapons, and has the inimitable John Ungoed Thomas for a reporter.
Oi, Britons!
Could we have some confirmation, please?
time to (Score:2)
Re:Sendmail upgrade? ssh? (Score:2)
In a word, yes.
It's not something you'd want to set up both directions if you don't own both servers, though.
ssh can use a combination of RSA keys and
HOWEVER, it's only secure if you tightly control both ends, which is not the case with, say, your ISP.
--
Curious (Score:2)
-----------------------
How'd Mozilla get involved here? (Score:2)
Mike Roberto (roberto@soul.apk.net [mailto]) -GAIM: MicroBerto
Hmm, what about for non-British persons? (Score:2)
Email will be encrypted, like web transactions (Score:2)
Within a few years, most email will be PGP encyrpted. Companies will definitely use it and most individuals will as well.
The real question is will governments have the ability to routinely crack 1024 & 2048 bit PGP messages. If they can decrypt any message in real time, then this becomes a real issue. Otherwise, communication will still be secure.
Re:Hmm, what about for non-British persons? (Score:2)
But there is under American law, and guess where I am sitting.
and that MI6's remit is to investigate foreign nationals
And that is an act of war.
Re:Hmm, what about for non-British persons? (OT) (Score:2)
It figures that a cop wouldn't know the law... (Score:4)
>> while in the U.S. all I would have to do is invoke my fifth amendment
>> right against self-incrimination.
>
> It wouldn't do you any good. The Fifth applies to the state's compelling
> you to testify against your self. It says precisely nothing against
> your case. There is no
> Fifth Amendment right to refuse to comply with a search warrant.
You cannot order up a search warrant in the U.S. to force a person to decrypt his own encrypted messages or data files. That doesn't fall under the rubric of a search warrant. Now, you could be ordered by a Court to produce the plaintext as part of testimony, under the threat of contempt of Court, *BUT*--and *here's the important part*, if the contents of the encrypted files would be self-incriminating, you don't have to decrypt them. Just say the magic words "On the advice of counsel I decline to answer, invoking my rights under the Fifth Amendment to the U.S. Constitution" and they can't make you decrypt the messages or data. But, the real kicker is, a defendant doesn't have to testify at his own trial. So, unless there were some other compelling reason for a defendant to testify, he wouldn't even have to utter those words (which a jury wouldn't like very much). Now, the prosecutor could in theory ask the judge to order decryption of the materials as part of the discovery process, but again the magic words come into play. If a police officer, however, executed a search warrant and seized my computer files, and told me to decrypt them, I'd say, "Fuck off porkmeister, and by the way I want an attorney so the questioning ends until I'm provided with one. And by the way, my drives are encrypted with 256-bit Blowfish *and* Triple-DES, and my RAM and swap partition are wiped with 32 pass extended character rotation on shutdown, so good luck." That is, they would be encrypted to that extent if I were a computer cracker, drug trafficker, arms dealer, etc. etc. As it is, the only encryption I use regularly is PGP, since I like to set a good example and to keep my conversations private, and a Windows program called Scramdisk which I use to keep my little sister and other users of my computer from accidentally tripping over my collection of bestiality pr0n.
>> suppodedly only with warrant, but you and I both know the reality
>
> No I don't know the reality that you're talking about. Of course,
> I'm just a ticket-writing donut-chomping cop, so I'd have no
> idea what law-enforcement officers would do.
That would be the reality--I wish it were an alternate one, but it isn't--in which some law enforcement types get an "us-vs.-them" attitude about suspects, forgetting for the time being that such suspects are in fact innocent until proven guilty and still enjoy the protections afforded by a Constitution which our ancestors fought for. Not all cops are like that, but quite a few are. I have first-hand experience with police officers who are willing to engage in extortion and violate the rights of suspects. I won't re-hash the particular charges since they can be found in a prior posting, but suffice it to say that the arresting officer attempted to extort a confession by threatening to say that I was violent and un-cooperative unless I told him what he wanted to hear, resulting in a very high bail. Naturally, he said, if I told him what he wanted to hear then he'd say I was cooperative and the magistrate would set a low bail, but if not, he'd say I was violent an un-cooperative. He then lied to the magistrate when I refused to confess, resulting in excess bail--which in itself is a violation of Constitutional rights to a reasonable bail. I checked the statutes in my state, and that qualifies as extortion, a worse felony than the one I was arrested for. The case against me was eventually dismissed, BTW.
This isn't even that far off-topic, since the essence of our fears when broad surveillance initiatives like this new UK legislation is that these surveillance powers will be abused. If it were all about catching terrorists and kiddy porn traffickers and people like that, there wouldn't be much uproar. The problem is that the potential to abuse this system is inherent. Corrupt or misguided LEA officers could use such broad powers to open Hoover-esque files on citizens who aren't doing anything really illegal, but who go against the grain of society in moral or (ir)religious ways. LEA could intercept e-mail and read it for fun, or worse agents could surveil against people they personally don't like or knew in some other capacity. Government agencies could monitor dissidents or people who have libertarian values, just waiting for someone to make a small slip like mentioning pot use to give them an excuse to pounce or discredit. Agencies also have a tendency to hold grudges--in the US the IRS, for example, has been shown to repeatedly audit and harass people it doesn't like, like whistleblowers and people who have beaten them in tax court. The potential for abuse is limitless, and that's why such systems are inherently bad--not because of the system itself, but because of the people who use and abuse it.
Just one quick quote: "The mushrooming of surveillance has been explained by the sense of panic
and crisis felt throughout the government during this period of extremely
vocal dissent, large demonstrations, political and campus violence, and
what at the time seemed the inauguration of a period of wide- spread
anarchy. While officials... suggested that these crises justified the
surveillance, they failed to recognize that the rights guaranteed by the
constitution are constant and unbending to the temper of the times..."--Senate Subcommittee on Constitutional Rights, 1973
Re:Legal Clarifications (Score:2)
Re:Hmm, what about for non-British persons? (OT) (Score:2)
Well if the person above was filing a lawsuit obviously they would not think it's frivolous, and think it would help in some way or another. I'm not quite sure what logic your using there. "Hey don't do that because you think you should do that, and I don't think you should, but I'm going to question it by asking you if you think you should do that." What?
"Why must all problems be solved with a lawsuit?"
Mainly because the NSA, MI5 and several other orgs reading my mail do not reply to the polite letters I've sent them asking them to respect my privacy. Oddly enough the French have replied and noted they put me on the "Do not violate his/her privacy list". So I guess not all problems must be solved with a lawsuit.
Seriously though:
Regarding the PGP solution I think that is somewhat dangerous. Granted it's something I would do in the very short term, however that does not address the real problem. Addressing the root cause is much more important. Saying "Britain (or any other country, company, person, or machine for that matter) can look at my encrypted e-mail all the want for all that I care." just seems far too passive a response. Years later after they've taken it farther than e-mail and demand your key and it's an established and accepted practice to read e-mail you'll be in a bad position. Like saying "Sure you have a search warrant for my home, but you can't look in my safe!" In fact, in the US, if they have a search warrant for your home and your safe is in it you have to turn over the key in a timely manner or they can break into it legally. If they can not break in it and you do not turn over the key or "lost it" your criminally responsible. As you said picking a fight is not a good response, but picking one when it's too late is bad too.
Re:Hmm, what about for non-British persons? (Score:2)
Re:Hmm, what about for non-British persons? (OT) (Score:4)
This is a typical American response. Why must all problems be solved with a lawsuit? Look at how much we bitch and moan about frivolous lawsuits, and even not so frivolous ones like the DeCSS, Napster, and Microsoft suits. How come the first idea for action has to be a lawsuit? Would a lawsuit even help in this case? Could it prevent the British government from doing anything (especially since it doesn't appear that anyone has an concrete evidence of exactly what they're doing).
A better solution than figuring out someone to put some sort of blame on in an effort to make a little side cash is to encrypt your e-mail using PGP or GPG or some such utility. Britain (or any other country, company, person, or machine for that matter) can look at my encrypted e-mail all the want for all that I care.
Picking a fight is never the best way to solve anything. The best defense is a tactic which renders the opponent's offense useless, not one that fights back.
NOTE: I am an American
Re:Kinda-sorta OT: Is there an intro to PGP stuff? (Score:2)
Freedom exiles, anybody? (Score:2)
I take your point about emigration: many countries are currently going crazy on this issue.
However, maybe it will become like tax: a reason to move to one country over another. Since highly skilled IT people seems to be more mobile than others (except, perhaps, in the UK wher a study showed that 80% of the population lived within 5 miles of their birthplace) that could give a competitive advantage to such countries. Assuming, of course, that you belive in the "new e-conomy" and think that the stupid governments will not manage to shut the internet down completely.
So like we have tax exiles in Spain and other sunny places, could we have "Freedom Exiles" in the future?
If so, where would you go?
Don't be so sure.... (Score:2)
Re:But Wait! (Score:2)
The government passes laws and enforces them for a reason, you know. There must be a benefactor that the government believes itself to assist, or there would be no motivation to invade privacy. No government would legislate in a vaccuum. Or put even more plainly, there is a market for invasions of privacy; since the governments have a monopoly, only the most prized industries can afford to purchase it (that includes you,
The portions of, at least American, law that are focused on the protection of civil liberties for individuals are slowly being dwarfed by the body of law that is intended to protect businesses.
When was the last time the government became interested in the content of an email or website that pertained to the conduct of a business? Were they interested because they decided it would be a good way to spend time, or because they were compelled to by economic and political forces? Now try to remember a time any government cared about a website's or email's content that did not pertain to the conduct of a business.
...
Think of a single instance? I can't.
These invasions of privacy will be only carried out in cases of National Security. This sounds grave and dire enough so most people will think it justified, as I'm sure you agree. The point we disagree upon is when such a justification will be invoked. For some reason it sounds as if you think anyone and everyone is capable of arousing suspicion. I think that your paranoia is still too broad and mis-focused.
Suspicion will not be randomly meted out and privacy invasions be taken lightly, as it is not in the national interest (read: corporate interest). A scared consumer is a timid consumer is a tightwad consumer. Instead, it will be invoked when a corporation's public or private interests are threatened, likely because there will be laws against such things in due time. This way the privacy invasions will sound justified to a world of consumers.
Which sounds justified: "We had to intercept their communications because their continued collaboration would have brought an end to our burgeoning economy!" or "Thanks to our multi-billion dollar eavesdropping unit, we've collared a unit of 1337 21-st century vandals who intended to plaster underpasses with 'Hack the world' bumper stickers."
The first would be far more profitable and in Society's Best Interest than eavesdropping on arbitrary citizens.
I'm sorry to threaten your obviously firm beliefs, but you're atacking a consumerist tarbaby. No government cares about your email to HairyBear66990@aol.com... unless you're conspiring to overthrow the economy. Such economic terrorists are more dangerous, easier to target and more valuable than petty miscreants, vandals, dissenters whose impact on consumers are minimal and short-lived, or bombers, whose attacks are unlikely to be intercepted if they are communicated at all.
Re:where is the nominal privacy? (Score:3)
Because encryption doesn't work like that.
Any public-key cryptosystem is going to have roughly the same amount of complexity in the user interface regardless of how few or how many bits you use. So you may as well go with more bits.
Any "normal" cryptography has a huge problem: how to securely transmit the key! And you still run into user interface issues.
What we should be focusing on is making the user interface to strong crypto easier to use, rather than trying to make the crypto weaker. You brought up the passphrase issue. Perhaps the passphrase could be stored in RAM for the duration of your E-mail session at your option? (You'd have to do some work to get it to not be swapped out to disk, but that's easy enough to solve.)
People who really didn't care too much could have the passphrase stored on disk. This would solve the problem of unencrypted data on the network, but you're hosed if your computer gets seized by MI5 or the FBI. Of course, if all you have is E-mail from Mom with her recipe for chocolate chip cookies... but if you're seriously worried about that kind of thing, you DO want to type the passphrase in every time.
It's basically a tradeoff of security vs. convenience. The user interface should provide for all three options, and this is fairly simple programming.
---
Forcing Handover of PGP keys (Score:2)
Under new powers due to come into force this summer, police will be able to require individuals and companies to hand over computer "keys", special codes that unlock scrambled messages.
Is there a new Brittish law on this? Whats the penalty for not handing a PGP key over?
This sort of crap would not fly in the US or Canada. Imagine getting a visit from the authorities stealing your computer and when they can't find your PGP key from some old e-mail you sent (you deleted it) they imprison you because you are no longer able to decode an old e-mail that was completely innocous.
Major potential for abuse! If I was a Brittish voter I'd be on the phone now. Does anyone know the details of this new law here?
Re:Hmm, what about for non-British persons? (Score:2)
TORONTO (CP) - Up until the last minutes of her life, a Canadian woman maintained her innocence before she was executed by Vietnamese officials for smuggling drugs. Nguyen Thi Hiep, who would have turned 44 Thursday, who was convicted in 1997 along with her then 71-year-old mother, was shot by a firing squad early Monday. When Nguyen was marched in front of the firing squad, she was "gagged and blindfolded . . . continuing to maintain her innocence right up to the end,"Reynald Doiron, a Foreign Affairs spokesman, said Wednesday.
"She refused to sign a statement of guilt."
Up to the day of her execution, Toronto police were investigating whether Nguyen, who became a Canadian citizen in 1982, was being used as an unsuspecting mule by an organized drug ring...
So, again, be careful if you want to live until you are old and then die.
Re:The Police State Race (Score:4)
If you believe that a police state isn't a stable form of government, then ask yourself this: how did the Soviet Union and other Eastern Bloc governments remain in power for more than 60 years without being overthrown through popular revolution? Remember: the people most likely to rebel are those who remember what it was like before the police state came into being.
What killed the Soviet Union and other Eastern Bloc countries was economic competition from the outside. But that wouldn't exist in a world police state. Nor would references to other, better systems, except in the hands of a few: remember that a police state has to control information in order to control people. The way to make that happen is for the state to control the education systems and the means of information dissemination. Hence, controls on the communications infrastructure.
It should be obvious that you can't build a police state in a single generation, because the contrast would be too great. You have to build it a little at a time, slowly enough that people won't notice. A right removed here, a privilege revoked there, a restriction put somewhere else. Rebellion can only happen if the people believe that what they have isn't good, but whether or not they believe that is largely determined by what they can contrast their current condition against. That's why the "ruling class" has to remain untouchable and mysterious: the populace has to believe that there's no way for them to get from where they are to where the ruling class is, otherwise they'll yearn for it and become dissatisfied with their own conditions.
Also, one needn't formally try, convict, etc., a "criminal". One need only make something happen to them. A car accident, a heart attack, etc. A police state has no need for leniency, as long as the fact that the troublemaker died can't be traced back to the source. Obviously this works best when it's not obvious that the person in question was making trouble to begin with.
Lastly, a dumb populace is an easily managed populace. So a police state will be on a sharp lookout for those with above-average intelligence, so that they can deal with the issue, either by relocating them such that they have no more communiction with the rest of the population (this can be explained away by the government by saying that the person is going to a special school or something) or by arranging for an "accident" to happen to them.
Oh, well. I'm just rambling now. But it seems obvious to me that there are lots of ways that a police state can maintain itself indefinitely.
--
Silly Britons! (Score:2)
Re:time to (Score:2)
To clarify my previous post. The relevan section of the bill [parliament.uk] seems to be (my emphasis:
The fine is unlimited.
IANAL so somebody else will have to comment on the details.
Re:Sendmail upgrade? (Score:2)
This could be done, with procmail.
I'm not sure that it's a good idea, but it could be done.
Let me rephrase that; I'm sure it's *NOT* a good idea.
Just as there is a place for envelopes in this world, so is there a place for postcards. And even skywriting.
--
The answer to your problems (Score:2)
Or, you could use my other gibberish generator that can produce reams of this:
[mT0UYP8T(5KUb0Rn0Ng0-};+l3r73Gr"{$WUUp*]&U3hfe
Send that as plaintext, they'll think its encrypted and waste many hours trying to decode it.
Software to automatically alert on compromized key (Score:2)
The bill [parliament.uk] has an explicit defence where "the tipping-off occurred entirely as a result of software designed to give an automatic warning that a key had been compromised".
Does such software exist? Or could we write it, and how would it work?
It sounds like a nifty idea.
Re:Don't be so sure.... (Score:2)
I'm sufficiently paranoid that I think it's possible that the reason the DoJ stopped harassing Phil Zimmerman is that the NSA finally cracked RSA, or perhaps IDEA, and therefore, there was no reason to prosecute him or stop the free flow of PGP across borders.
In such a scenario, the NSA would want people to use PGP, believing it was truly secure, and they could still decrypt the messages.
It'll be twenty years before we find out if this has actually happened...
---
Re:Legal Clarifications (Score:2)
Re:Sendmail upgrade? (Score:2)
How much processor time? A lot, but presumably it could be sped up with a hardware SSL card, just like web servers do.
However, adopting it as a universal standard wouldn't cause any problems for spammers, because if most used it, they'd still also use "in the clear" protocol.
Why?
Because not everyone would use it, not everyone COULD use it, and because it is indeed expensive in terms of processor or buying that card.
--
Steganography (Score:2)
Re:Echelon (Score:2)
Experience has shown that government doesn't give up its power; it expands its power. Causes that may seem good or justifiable at first turn ugly once future politicians modify them. That's why someone should be worried.
Re:Echelon (Score:4)
But I did not speak out,
Because I was not a Jew.
Then they came for the Communists,
And I did not speak out,
Because I was not a Communist.
Then they came for the trade-unionists,
And I did not speak out,
Because I was not a trade-unionist.
Then they came for the Catholics,
And I did not speak out,
Because I was not a Catholic.
Then they came for me,
And there was no one left to speak out for me."
- Pastor Niemller (Anti-Nazi Resistance Movement)
Or how about just:
"We must all hang together, or assuredly we shall all hang separately."
- Ben Franklin
Actually, it'll be pretty easy (so to speak)... (Score:4)
In reality, the system could be set up to begin the filtering process at the level of large ISPs--easy enough in Britain since there are fewer ISPs than in the States. Also, it's been shown amply that, despite the U.S.'s prudishness and stupidity about sex and progressive social issues, we do have far more privacy protections in place than Britain and many other EU nations. For example, in Britain they can legally force you to decrypt data, while in the U.S. all I would have to do is invoke my fifth amendment right against self-incrimination. In the same vein, while the U.S. wiretapping legislation CALEA is forcing ISPs to install the capability for law enforcement to conduct digital surveillance of selected customers (supposedly only with warrant, but you and I both know the reality), I can see the UK pushing through a measure to force large ISPs to install government servers which would have all e-mail traffic pass through them practically transparently while simultaneously using the NSA's advanced context-based semantic filtering capabilities to forward copies of those selected e-mails to government computers for further analysis. Since the UK is the US's closest ally, seeing as Echelon was originally a US-UK joint operation into which the Aussies and Canadians were brought, you can bet that British Intelligence has the same advanced filtering technology that the NSA does. The key here is that, the UK intelligence services can get away with doing this openly, and might even get to force ISPs to install their monitoring equipment for them, but in the US no one would even think of openly proposing that all e-mails be subject to such snooping.
Lastly, if someone can find the older story I mentioned above, please give the link. I don't know why I can't find it, but I know it's there...
Re:How'd Mozilla get involved here? (Score:2)
Echelon (Score:2)
First off, YOU (yes, YOU) are not interesting enough for them to watch you. Sure, they could, but why would they? Did you e-mail this guy [mailto] something the secret service didn't like? Do you have a small catchet of U-238 that you keep under your bed "for emergencies"? Arms dealer (no, supercomputers don't count)? Okay then, why are you worried?
Your system administrator should be feared much more than any "global eavesdropping network" - he can read your e-mail, see what pr0n sites you've been looking at, hell.. he can even let the president know what you think of him (using your own e-mail addy, how nice!). Why the hell do you care - as long as they aren't spying on domestic stuff I'm not worried. Let the boys have their toys.
Now, *clickity-click* what was your username?
The point is not (Score:2)
Equipment was added to allow the feds to (with proper warrants) eavesdrop. It's simply to make it easier for them to eavesdrop when they have a legal right to.
Re:Legal Clarifications (Score:2)
Re:Sendmail upgrade? (Score:5)
RFC 2246 [ietf.org] defines (and has for well over a year now) the protocol, and the latest commercial releases of sendmail [sendmail.com] implement it.
So does the Sun Internet Mail Server [sun.com]
Finally, Weitse Venema's postfix MTA [postfix.org] has a freely-available TLS patch [tu-cottbus.de] that implements SMTP encryption for those of us who don't want to pay for it.
There's even an RPM available.
Postfix, BTW, which used to be called vmailer, is the IBM Alphaworks [ibm.com] free MTA project that was covered here in
As, indeed, was this entire portion of this thread.
--
Bits of laws, bits of crypto, bits of thoughts (Score:3)
The RIP Bill is certainly one of the most controversial bills I've noticed in my time. For those who can be bothered reading them:
Stand.org.uk [stand.org.uk]
Bills before Parliament currently [parliament.uk]
What is scary to notice is this particular set of bills, all called to the Houses of Commons (and Lords) by Mr Jack Straw (the man who seems to be getting the blame for the RIP bill):
The [T] bill grants full powers to the police, without warrant, without "Innocent Until Proven Guilty" if they suspect you of terrorism. Terrorism now can include environmental and anti-capitalist demonstrations.
The [CaT] bill makes owning software which removes copy-protection illegal (I have no idea what this would mean to anyone with a copy of the source for DeCSS, which could be seen as a form of copy-protection).
[RIP] bill has enough people ranting about it to be ridiculous. Some people think that the government can't afford to enforce this bill (estimates of tens of millions for a year), and that the bill won't be passed. That said, the bill is already at the stage where it needs a lawyer to write a formal document to get changes made to it. I guess we'll know the truth around 4th October (unless the date has changed) which is when the bill is to come into action.
Given that list of bills that are being changed, and the changes that have come to light, it seems as though the UK government is heading towards a semi-police-state sort of arrangement? Check out this site for their latest ideas on censorship:
School Internet Access [indexoncensorship.org]
What I think has to be borne in mind is that most countries (all of them that I've come across) do not give you "Privacy" as a right. All legal systems seem to rely on the fact that the citizens will be open about certain things - namely they will give the police access to their homes when presented with a warrant. In many ways, the RIP bill is fair in asking for you to hand over your keys. However, what are not fair, or well thought through, are the consequences for not doing so.
Stand's website already mentions one major problem with the "Give us your keys or go to jail" mentality - any hard-core terrorist group would rather go to jail for 2 years for obstruction of justice than face life imprisonment because their encrypted mails had their keys given out. This applies to paedophilia (another of the crimes that the government is trying to tighten up on), where the Department of Trade and Industry provided a "brochure" on cryptography/legislation in the UK:
Encryption and Law Enforcement [cabinet-office.gov.uk]
To me, that brochure summarises the way the government believes it can (and actually manages to) control its people - for the most part, the general population in this country is willing to believe that paedophilia == bad, paedophiles use crypto, terrorists use crypto, ergo: crypto == bad and we must do everything in our power to make sure that the Finally, I see two or three ways around these problems (which seem to be caused by men-in-suits who have no idea about what they are legislating):
Well, that's my four-quid's worth.
-- Maz
Re:time to (Score:3)
And this is meant to be a Labour government! Can't someone organise some sort of effective demonstration against this bill? stand.org.uk don't seem to be doing much about it - I'm sure the Blair government would like to see all the techies/dotcom wizards waving placards saying "byebye Britain's e-future! we're all off to america/scandinavia! (p.s. thanks for educating us!)"
If they're not worried about the brain drain on this country (e.g. computer consultants leaving after E14, contractors etc pissed at IR35 ...) then maybe this would make them sit up and think!
Sendmail upgrade? (Score:5)
It is too difficult and time consuming to gather public keys from all your associates esp. people who don't know about PGP etc..
Even when you have the public key it is too much hassle to type in your passphrae for routine email making encrypted mail stand out all the more.
But the truth is we don't need to have passphrase protected emails all the time. Only when we are leery of government search warrants do we need to protect the content at the source/destination. Insteed what is necessery is a encapsulation of the email as it travels the internet. This way it can't be picked up by packet sniffers and it will be impossible to ferret out the real encrypted email.
To this end I suggest a addition to sendmail. Every time it delivers a message to the recieving computer a one time key (diffie-hellman) is generated so the message text is unreadable as it travels the internet.
Before we couldn't do this but now with the loosining of laws this is possible...not perfect but better than the status quo