Respected UK tech elder statesman and journalist Rupert Goodwins blasts the UK government's plan to impose secret gag-orders on researchers who discover government-inserted security flaws in widely used products, with prison sentences of up to a year for blowing the whistle or even mentioning the gag orders in a court of law.
These gag-orders short-circuit the normal -- and vital -- process of independent security research, which involves continuous auditing and assessment of digital tools, followed by a staged disclosure of critical flaws -- first to the vendor, then users, then the public.
Under the Snooper's Charter proposal, security researchers undertaking this important work could find themselves on the receiving end of threats of prison sentences. Who would want to be a security researcher in that environment? And if Britain's security research establishment is traded off for infinite, unaccountable, secret powers for the nation's spies, how will British individuals, institutions and companies secure themselves?
Let’s look at that in a world where the Snooper's Charter has become law. I find the backdoor and tell a colleague. She doesn’t answer my e-mail, but I get a knock at the door—turns out that GCHQ was behind the attack. I am now banned forever from mentioning to anyone what I found—or that I found anything. The backdoor is later exploited by the bad guys and my client is hit. Why didn’t you find it, they ask? I can only shrug. Soon, my consultancy is in disarray. If I’m sued for incompetence, I cannot defend myself. I can write no papers, warn no people.
There are various other bad scenarios, but the basics remain the same: as a security researcher, I could at any time stand on an invisible landmine, placed by the same people who’ve denied me the use of a metal detector. I'm essentially forbidden from digging into any backdoor, to find out who was behind the attack: it could be gangsters, or it could be someone who can and will throw me in jail.
The Snooper’s Charter would devastate computer security research in the UK
[Rupert Goodwins/Ars Technica]
(Image: Mines warning sign, Matthias Kabel, CC-BY-SA)