We haven’t heard much lately about the Investigatory Powers Bill – dubbed the “Snooper’s Charter” by its opponents – and to be fair there’s been quite a lot on. We’ve had Brexit and its fallout, the Rio Olympics, Internet of Things botnets running wild, and now President-elect Trump all jostling for column inches as 2016 continues to be the year of too much news.
Very quietly on Halloween, when most of us were looking in a different direction, the Investigatory Powers Bill passed its third reading in the House of Lords, moving it one step closer to becoming law. If all goes smoothly it will be written into UK law by the end of the year.
Now the bill has been granted royal assent, turning it into an Act of Parliament, in a move which many see as legitimising state surveillance powers at the expense of citizens’ privacy.
The UK has just legalized the most extreme surveillance in the history of western democracy. It goes farther than many autocracies. https://t.co/yvmv8CoHrj
— Edward Snowden (@Snowden) November 17, 2016
As we covered in our previous post on the Investigatory Powers Bill (and this one on its close cousin the Draft Communications Data Bill) there’s been considerable backlash from security organisations, communications companies and members of the public who feel the powers contained within the bill could amount to privacy violations, potentially leaving data exposed to abuse and unwarranted mass collection and surveillance.
It’s perhaps no surprise that the Lords’ reading of the bill moved through the House so quietly. Apart from being lost in the noise of the various media storms intersecting over Autumn 2016, it’s likely preferable for the government to try and get this bill passed with the minimum opposition from the media.
What’s it for and what will it do?
The bill is intended primarily as a counter-terrorism measure. It requires communications providers to store communications data and gives investigating organisations the power to examine communications history, including lists of websites visited, provided they hold a warrant from the courts to do so.
While no-one’s looking to argue a case against preventing terrorism, the bill proposes increased surveillance powers, extending to:
- “Equipment Interference” *cough-Hacking-cough* – Security agencies will be officially and explicitly permitted to hack computers and other devices for the first time. As we’ve seen in the US investigation and subsequent breaking of the encryption on the San Bernardino shooter’s iPhone, this can be useful when communications data may be pertinent to investigations. This is not confined to individual suspects’ devices – if the authorities can prove relevance to an investigation they will potentially be given permission for “bulk hacks”, including all those present at one location.
- Records – Police forces and security services will have access to “Internet Connection Records” – essentially a list of all web addresses visited by an individual – if it is proven pertinent to their investigations, meaning ISPs will be forced to retain this data for 12 months (and we know that ISPs are never targeted by hackers). This information will be stored in a “search engine” style database for easy recall and correlation by the authorities – without requiring external sign-off beforehand, only internal authorisation.
- Bulk data collection – Users who are not the subject of investigations will not be exempt from having their data scrutinised by authorities if it is swept along with data which they have a warrant to collect – potentially violating the European Convention on Human Rights.
- An end to end-to-end encryption – Messaging service providers could be required to remove end-to-end encryption on future products, meaning conversations held on fully encrypted messaging services like WhatsApp will no longer be as safe and private as they once were.
Lowered defences come as part and parcel of this. In July, Earl Howe, minister of state for defence, called in the House of Lords for steps to be taken to “develop and maintain a technical capability to remove encryption that has been applied to communications or data.”
What he’s talking about essentially boils down to installing pathways for authorities to bypass encryption – backdoors, to you and me. If backdoors to decrypt sensitive data are fitted for law enforcement agencies, how long until they are discovered and exploited by hackers? We’ve seen before, with the numerous thefts and subsequent leaks of NSA hacking tools, that methods held by surveillance agencies are vulnerable to exploitation by illicit third parties.
Put another way, imagine if the army installed a secret backdoor into their armoury to allow access to weapons stores in the event that war was suddenly declared. A criminal could wander along and discover this backdoor. Once they did they would have access to the same destructive capabilities as the army. Do we want criminals to gain access to our networks and data at their leisure?
Who’s for it and who’s against?
Back in March, a letter to the Guardian signed by more than 200 lawyers claimed the Bill falls short of international standards on surveillance and is “unfit for purpose”. At this stage, the only thing standing in the bill’s way of becoming law is Royal Assent, pending any small amendments proposed by the House of Commons being voted through by the Lords.
Security advocates have also spoken out against the act, with independent expert Graham Cluley describing the draft bill as “bonkers” on BBC Radio 5Live, claiming that it would lead to “watered-down security for all of us.”
Commissum’s Chief Operating Officer and Head of Consulting, Jay George, shares similar concerns, adding that “more time should be spent speaking to security experts to make sure the bill’s powers have sufficient scrutiny, governance and oversight.”
“If it’s possible there is a backdoor that the security services can use, that same backdoor can be used by criminals.” – Graham Cluley (5Live interview, January 2015)
On the other hand, Prime Minister Theresa May helped draft the initial bill back when she was Home Secretary. Her predecessor as Prime Minister, David Cameron, also extolled the virtues of the bill and called, rather worryingly, for a “ban on encryption”. To a certain extent, that will come to pass once the bill becomes law, as under the bill communication service providers will no longer be able to apply encryption to communications that even they cannot break.
Commissum can help your business enhance security measures in preparation for the Investigatory Powers Act. We’re experts in assisting companies pre-empt and react to changing legislation to make sure their security is able to meet evolving threats which thrive on uncertainty and change, thanks to our decades of experience doing just that. Get in touch to see how we can help you prepare for the Investigatory Powers Bill.