In the UK, running a blog over HTTPS is an act of terrorism, says Scotland Yard
In a bizarre case, Scotland Yard is accusing a person for six separate acts of preparing terrorism. Those six acts include researching encryption, developing an “encrypted version” of his blog, and instructing others how to use encryption.
This is one of those cases where you do a double take. As reported by Ars Technica, UK’s Scotland Yard is charging a Cardiff person with preparing for terrorism – but the list of charges shows activities we associate with very ordinary precautionary privacy measures. “Developing an encrypted version of a blog” can be read as, and probably means, publishing it over HTTPS – such as this blog and many others, simply because it’s considered best practice.
He was also charged with having a flash drive in a cufflink with a bootable operating system, presumably Tails. Using open and free operating systems with the capacity for general-purpose encryption is now an act of terrorism?
UPDATE: Scotland Yard describes the case here in much more detail. The two charges discussed here are items 3 and 5:
Count 3: Preparation for terrorism. Between 31 December 2015 and 22 September 2016 [name redacted], with the intention of assisting another or others to commit acts of terrorism, engaged in conduct in preparation for giving effect to his intention namely, by researching an encryption programme, developing an encrypted version of his blog site and publishing the instructions around the use of programme on his blog site. Contrary to section 5 Terrorism Act 2006.
Count 5: On or before 22 September 2016 [name redacted] had in his possession an article namely one Universal Serial Bus (USB) cufflink that had an operating system loaded on to it for a purpose connected with the commission, preparation or instigation of terrorism, contrary to section 57 Terrorism Act 2000.
While this adds significant nuance to the Ars article above, the primary point still stands as to count three: the criminal act was researching encryption, developing an encrypted version of a blog site (which describes publishing over HTTPS and a few other things), and teaching encryption. The intent of this criminal act was to aid and assist terrorism, but the criminal act was still researching, deploying, and teaching cryptography. This is a hugely important nuance – quoting a comment from user Withabeard on Reddit:
He hasn’t been charged for helping terrorists.
He has been charged for having an encrypted blog. The reason authorities have chosen to charge him, is because that blog may contain material that helps terrorists. The distinction is small, but it has a massive impact on how we apply laws in the UK.
Helping other people conduce killing of other humans is already illegal in the UK, so that is what he should be charged with if there is evidence he did it.
But he has literally been charged with “instruction or training in the use of encryption programmes”.
It shouldn’t matter what the encryption was going to be used for, no-one should ever be charged with doing that.
(end of update insertion)
Three things are noteworthy in this bizarre case, in terms of predictions coming true.
The first is that four years ago, I predicted that the UK won’t just jail you for encryption, but for carrying astronomical noise, too. It’s already a crime to not give up keys to an encrypted document in the UK (effectively making encryption illegal), but it’s worse than that – it’s a five-years-in-prison offense to not give up the keys to something that appears encrypted to law enforcement, but may not actually be. In other words, carrying astronomical noise is a jailable offense, because it is indistinguishable from something encrypted, unless you can pull the documents the police claim are hidden in the radio noise from a magic hat. This case takes the UK significantly closer to such a reality, with charging a person for terrorism (!) merely for following privacy best practices.
The second observation is that in the cat-and-mouse game between surveillance and encryption, there will come a point where authorities start mistaking a right to attempt breaking into somebody’s privacy with a right to succeed with breaking into somebody’s privacy. Such a right has never existed, of course: even if law enforcement gets a search warrant for a house, including a right to attempt breaking a safe, there is never a right to succeed breaking into a safe, or a right to magically find what they think is there.
The third observation is the bizarre charge of “researching encryption” and “instructing others in how to use encryption”. According to Scotland Yard, learning and teaching mathematics is apparently terrorism. This would affect lots of efforts – for example, EFF’s HTTPS Everywhere and Linux Foundation’s Let’s Encrypt. Possibly even all the Linux repositories, as they contain lots of encryption and instruct others in setting it up.
This is a case that needs to be closely watched and Scotland Yard needs more than a slap on the wrist here.
Privacy remains your own responsibility.
UPDATE II: People who are pointing out that Scotland Yard is strictly legally in the right are most likely correct, but that’s missing the point. See the followup post: Scotland Yard, Terrorism, and Encryption: How wording of charges contain hidden layers designed to shape public opinion.
Comments are closed.
52 Comments
As I type this each letter on my keyboard is converted from a letter e.g. capital M which on the ASCII code chart is 77 then it needs to be converted to its binary number equivalent 01001101 which a computer can process.
Uh… There is no conversion of anything here. You press the ‘M’ key on your keyboard and the computer sees 01001101. That is it.
No. Assuming a regular PC keyboard, an M would be generated by a scancode combination of 0x2a+0x32 or 0x36+0x32 or 0x2a+0x36+0x32 or a previous receipt of 0x3a followed by 0x32.
In Windows, this gets converted into 0x0102 with VK parameter 0x4d. Or there are other types of WM messages that the thread can explicitly listen for. This is then typically converted into U+004d. This in turn may often be converted to an ANSI-based code table as 0x4d, or (unlikely) 0xd4.
But are you sure you meant M? Perhaps you meant М, which is U+041c or 0x8c in CP866. Or did you mean м, which is U+043c or 0xac.
My point is: that is not “it”. It’s more complicated. And it’s all about the context.
This article is deeply hyperbolic. He’s not being charged with using/teaching encryption, he’s being charged with “conduct in preparation for giving effect to his intention to commit acts terrorism or assisting another to commit such acts”. The specific things he did, in the process of assisting others to commit acts of terrorism, involved the use of encryption, but it does not follow that all uses of encryption are therefore illegal. Likewise, just because “developing an encrypted version of his blog” could describe simply using HTTPS, does not mean that using HTTPS is now illegal, because the criminal act is “conduct in preparation for giving effect to his intention to commit acts terrorism or assisting another to commit such acts”.
And further: he’s not being charged with “instruction or training in the use of encryption programmes”; he’s been charged with instruction or training in the use of encryption programmes knowing that the training would be used for the commission of terrorist acts — the latter part is what makes it a crime.
Perhaps you should get your legal advice from lawyers, not Reddit.
I think you’re missing something. all these charges stem from one single assertion on the part of the Met – that he’s a member of Isis. Maybe they have evidence for this, maybe they don’t. But once the police have made this assertion, which for all we know could be completely baseless, all these other perfectly harmless activities get pulled onto the charge list as acts aiding and abetting the terrorist organization that, we are assured, he is part of. It’s a positive feedback effect that magnifies the power of weak or nonexistent evidence. The law IS the problem, not this man’s alleged transgression of it
If the Met can’t prove a connection to ISIS then their whole case collapses. Membership in a proscribed organization is pretty much impossible to prosecute absent evidence of what the individual did in the organization.
So why pile on all the other charges? They’re not being honest here. Between Chilcot and Ferguson, no intelligent person ought to trust intelligence agencies or law enforcement further than they can throw them
For the same reason the US “Justice” Department piles on charges: To get the poor slob to plead guilty, or kill himself.
Also favoured as a jury will see a whole lot of offences as an indication of probable guilt, throw enough mud and eventually some will stick.
It’s a standard procedure for any attacker: Saturate your opponents defenses in the hope that something will break.
When you provide an encrytion service,there is no way you can garuntee someone wont use it for terrorism.
The same could be said of underwear, and knives, guns, and even the shirts terrorists wore.
That’s the whole point of terrorism, do crap to scare people that can’t really be stopped. If you stop encryption because “it could be used for terrorism” you are caving in to their wishes. Stop being such a coward.
That is my point. (Lawmakers) cant (shouldn’t)blindly attack tools because they “might be used in terrorism” since that would mean forcing everyone to consider taking responsibility into their hands for the maluse they may not even get to see- that would be ridiculous
Fighting this is the wrong approach. We have to let the law run the course to the far end of the reductio ad absurdum. One day, very soon too, it will down on someone that ‘a horrible mistake’ has been made. In the grand tradition of politicised institutions there will be absolutely no one in officialdom to blame, only the people who found themselves involved, through no fault of their own and without their consent, will be held accountable.
By then it will be too late.
Clickbait article… the author of the blog is suspected to be a member of ISIS
So charge for that then, and not for researching/deploying/teaching encryption.
They did. It’s the first thing on the list.
If using HTTPS is considered illegal encryption, then any eating utensil should be considered an unlicensed lethal weapon. Did they also charge him for owning a fork?
The point is that the article is plain wrong. HTTPS isn’t illegal. Your comment on a fork is instructive. If I go out and buy a fork (or a knife, or learn about encryption) with the intent of carrying out a terrorist act, then I’d fall under this legislation. It wouldn’t follow though that forks (or knives or encryption) are illegal.
Your myopia and obsession with defending your owners is astounding.
Where do you people come from? Because I promise if it’s not a government factory already, it will be soon.
The fact is that HTTPS IS illegal in this case. That is their entire assertion. The point is that it should never be illegal ever. Which frankly I think you already know. You’re just scared and kneeling in advance, or you’re a totalitarian wannabe.
“HTTPS IS illegal” [citation needed]
So charge him with terrorism and not this shit. They are going to set a nasty precedence with this case and it will kill internet innovation and entrepreneurs throughout the UK if any of these encryption charges stick.
Just imagine for a moment that Google sees a conviction here as too much risk to continue business in the UK and opts to leave. They would take 11 billion pounds out of the economy with them as they go. Its a stupid law and they need to find another way of handling this that won’t cause massive destruction to the rest of the internet community throughout the UK.
Saw this coming. UK does not value people’s security or privacy.