From:   "Brian Toller", [EMAIL PROTECTED]

The following is culled from the Computer Buyer website and may be of
interest as this bill has been mentioned before on the list. The interesting
part is at the end as it appears reasonably easy to avoid the snoops if you
really need to.


 "Inept" RIP Bill Passed

27 July - DN Wire -- The controversial Regulation of Investigatory Powers
(RIP) Bill has been passed by Parliament, despite being described as
"technically inept" in a new report.
The Bill, which gives the police extensive powers to install "black box"
interception devices on the networks of Internet service providers (ISPs)
and demand keys to encrypted data, has received fierce criticism from
opposition parties and independent watchdog organisations. Although several
important amendments were made to the Bill by the House of Lords last week,
including the allocation of £20m to cover black box installation costs and
the formation of a statutory advisory committee to oversee its
implementation, concerns persist over the Bill's wording.

The breadth of powers conferred by the legislation raises questions about its
compatibility with the European Convention on Human Rights, and RIP will
make Britain the only G8 country with government access to keys (GAK)
powers.

After the Lords debate, Casper Bowden, director of the Foundation for
Information Policy Research (FIPR), said, "it's zombie legislation. Although
clinically dead with macabre wounds, it still lumbers on menacing both
individual privacy and commercial confidence."

Now his fears have been confirmed in a report by two security experts, Ian
Brown and Brian Gladman. The report states that "the envisaged powers for
interception and for seizure of encryption keys are technically inept," and
details four "trivially easy" methods for circumventing the Bill's e-mail
snooping methods.

Although the Bill has been passed by Parliament, it still requires Royal
Assent before it enters the statute book. Unless the Queen has been keeping
her active interest in IT very well hidden, RIP should be in force before
the summer recess.


How to avoid being RIPped off...

None of the methods suggested in the report require particular technical
expertise.

The first is to connect to the Internet with a smaller ISP - since the
government intends to install the black boxes at a small number of large
ISPs, those using smaller providers are less at risk. The cost of installing
the interception devices at every ISP in the country will almost certainly
be prohibitive.

The second approach is to use an e-mail server located outside the UK. Since
the machines themselves will be located outside this jurisdiction,
enforcement agencies will be unable to access data stored on them. As for
traffic between e-mail client and server, Brown and Gladman recommend using
the Diffie-Hellman technique, which generates unique keys for the session
that are destroyed after use.

Thirdly, permanent Internet connections such as ADSL enable e-mail to be
delivered directly to the user's PC, without the need for a separate e-mail
server. As ADSL falls in price and becomes more popular (BT, take note),
black box devices will become increasingly redundant. Currently BT
subscribers will not be able to use this loophole for technical reasons.

The final method takes advantage of IPv6, a new Internet Protocol currently
being introduced. In addition to providing a vastly increased number of IP
addresses, all data sent using IPv6 is automatically encrypted. As before,
this will circumvent interception devices and render several of the Bill's
provisions worthless.

Joel Harrison


Brian T
--
I wouldn't call going to ADSL or IPv6 "trivially easy" solutions, myself.
IPv6 isn't even a commercial proposition at the moment and you have
to build the installation file yourself using the software from the
Microsoft development website.  ADSL for home use won't be available
until the end of this month and it is available only in limited areas
and costs L40 a month.  (Plus BTopenworld still uses an email server
at the moment anyway).  Going to a smaller ISP is no guarantee because
it may be a big ISP next week.  Using a mail server outside the UK
is the easiest and surest method.

Steve.


Cybershooters website: http://www.cybershooters.org

List admin: [EMAIL PROTECTED]