Letter on the Investigatory Powers Bill
The British government is in the process of reviewing and acting upon a draft bill to extend the surveillance powers of British police and intelligence agencies. Many have criticized the pervasiveness of the proposed powers, and a committee of the British Parliament is currently accepting feedback from the public. Following is the letter I submitted to the Science and Technology Committee on the Investigatory Powers Bill. I invite all of you to express your opinions on a bill that might become an example for many other European countries to follow. You have until the end of today, November 27th 2015.
Among the many chapters of the Investigatory Powers Bill, those concerning Equipment Interference, and especially Bulk Equipment Interference, are among the most concerning. In this letter I will focus on analyzing and commenting on those parts; however, that is not to be taken as tacit approval of the remaining chapters of the bill, which I am confident others will scrutinize in great depth.
Equipment Interference, despite how loosely it is defined in the draft, remains a very intrusive and powerful instrument in the hands of law enforcement and intelligence agencies. To perform Equipment Interference, the authorized agency would either install a physical hardware implant inside a selected computer or mobile device or, more likely, exploit software vulnerabilities or mount network attacks in order to remotely gain access to the selected device and install monitoring software (commonly known as “malware” or “spyware”) to covertly collect information, including documents, emails, chat messages, and voice calls, stored on and produced by the device through the user’s daily use of it. Compromising an end-user device such as a mobile phone or computer grants access not only to communications in transit, as conventional passive wiretapping does, but to any information that the target has produced, sent, or received in the past, is handling in the present, or will handle in the future. It is, in fact, the most intrusive method of monitoring one can employ, and it must therefore be used with care. Granting law enforcement and intelligence agencies the definitive ability to employ these methods is not something to be done lightly, and the strictest regulation and strongest oversight have to be adopted, if it is granted at all.
At a time when computer compromise is still a very nebulous practice, little understood by policy makers, it is imperative that in legitimizing it now we not only take into consideration the immediate threats to society and the immediate investigative requirements, but also deeply analyze the potential impact, the unexpected collateral damage, and the inevitable long-term effects. The adoption of offensive technologies such as equipment interference tends to foster a market of surrounding services, prompting existing and new commercial ventures to invest in the production and sale of intrusive systems, such as highly sophisticated monitoring software as well as software vulnerabilities and exploits. Software vulnerabilities are flaws in logic or design, commonly present in computer software, that can be leveraged (through specially crafted payloads, commonly known as “exploits”) to execute malicious code locally or remotely, enabling an attacker to gain and maintain access to, and persistence on, the compromised device. While this is not always the case, vulnerabilities and exploits are a very common vehicle for performing a compromise.
While understanding the flaws of existing computer systems is an important practice that needs to be protected, disregarding the importance of improving defenses and capitalizing on the secrecy of security vulnerabilities can severely damage the overall security of our systems. Since legitimate targets use the very same technology as every other Internet and computer user, if a security hole is left unpatched it remains open for others to discover and abuse, including criminal organizations and foreign state actors. It is therefore important to remember that technology is a universal good, and if it is kept insecure for the benefit of certain intelligence or investigative powers, it will remain insecure for everybody else as well, including those same police and intelligence agencies.
Because of this, I believe it is important to limit as much as possible the widespread adoption of such offensive technologies, and to commit to the best possible extent to developing defenses and assisting software vendors in remediating the flaws in their products. While the need to adopt end-point compromise is understandable, and the tactical advantage of secretly maintaining exclusive knowledge of software vulnerabilities might seem desirable, I would recommend preventing the abuse of such vulnerabilities and, where possible, establishing a process to responsibly disclose them to the respective vendors, for the benefit not only of British citizens but of global society as a whole. This would involve the British Government reporting the security vulnerabilities it finds to companies like Apple, Google, or Microsoft so that everyone’s systems can be patched and secured against attack. A security flaw cannot be confined to a selected part of the population, however despicable and dangerous that part might be; it affects everybody, without exception.
In particular, certain passages of the Equipment Interference chapter are especially concerning. First of all, the draft suggests that the use of Equipment Interference would be limited to the investigation of serious crimes, matters of national security, and the economic interests of the United Kingdom insofar as those interests also relate to national security. I believe it would be beneficial to provide a better and narrower definition of what such crimes and matters involve. The draft does not, for example, define what could be classified as a “serious crime”, and it leaves largely to speculation how the economic interests of the UK could directly relate to immediate threats to its national security.
In defining what types of crimes and targets Equipment Interference might be used against, I invite the committee to carefully evaluate whether such definitions could be prone to unexpected interpretations. For example, the clause in Article 83(g) specifies that Equipment Interference could be used against “equipment that is being, or may be used, to test, maintain or develop capabilities relating to interference with equipment for the purpose of obtaining communications, private information or equipment data”. This definition is too loose: it specifies neither an intent nor a particular criminal behavior, and it could be construed to cover legitimate security research, which would dangerously discourage British researchers and security experts from doing their much needed work. I recommend, for example, that this point be taken out of the bill.
Since the safety of modern operating systems and network communications relies heavily on the integrity and ethical behavior of software vendors and service providers, I find Article 101 concerning. This Article would effectively coerce Internet Service Providers, hosting providers, software vendors, and others into sabotaging the integrity of automatic updates, web pages, and many other types of served content in order to serve malicious code that invisibly compromises the end-point of the customer or user. This could very likely cause a chilling effect that would damage the trust users place in their service providers, and consequently also damage legitimate businesses. Additionally, hijacking the legitimate functioning of such services might lead to unexpected collateral damage, compromising additional users who are not the intended targets of the investigation and thereby disregarding their rights and invading their private lives.
Bulk Equipment Interference
Chapter 3, Bulk Equipment Interference Warrants, besides inheriting all the fundamental problems I illustrated above, would extend the power of intelligence services to use Equipment Interference to a degree I find deeply concerning. A Bulk Equipment Interference warrant would effectively grant intelligence services a license to compromise computer systems at large, without limitation of scope, number, location, or type of activity such systems are used for.
Extraordinarily, Clause 135 specifies that “bulk equipment interference is not targeted against particular person(s), organization(s) or location(s) or against equipment that is being used for particular activities”. Since, in technical terms, actively compromising a computer system requires at the very least identifying the nature of that system, the introduction of Bulk Equipment Interference appears to be an attempt by intelligence services to obtain the ability to opportunistically compromise any system they might deem interesting. It is unclear to what end such a power is sought. No operational case has been made, and I cannot conceive of one that would justify such extreme powers.
My best guess is that the goal of the power is indeed to deploy Equipment Interference in an untargeted manner, compromising a large number of computers to establish a strategic and tactical vantage point in case access to such systems proves fruitful in future, as yet unidentified circumstances.
This could lead not only to the compromise of large numbers of personal systems belonging to innocent and unsuspecting Internet users, but also to the compromise of legitimate businesses and foreign institutions. For example, Article 136(3) specifies that a computer system is relevant for compromise under a Bulk Equipment Interference warrant “if any communications and private information are held on or by means of the system”. Under such terms, intelligence services could be legitimized in attacking and compromising foreign Internet Service Providers and software vendors, as we have in fact observed through past disclosures in the international press of GCHQ’s attacks on the Belgian telecommunications provider Belgacom, known for providing connectivity to European institutions, and on the SIM card manufacturer Gemalto. In both cases, the British GCHQ was found to have broken into unsuspecting, legitimate European technology and Internet businesses in order to obtain a tactical advantage, identify and monitor the activity of their customer base, and potentially use the obtained access as a springboard for further attacks. Besides being legally, ethically, and morally questionable, these intrusions have necessarily caused operational and financial damage to businesses that are not a threat to national security, which is plainly unacceptable.
I believe that the introduction of Bulk Equipment Interference warrants would undermine the trustworthiness of global Internet services and foster an unaccountable use of disproportionate force. Given the inherent dangers and risks involved in directly breaking into computer systems, and the immense powers and access to information it can provide, giving intelligence services a way to operate at large and unchecked would greatly destabilize the already precarious state of security of Internet-connected devices worldwide. I believe that Bulk Equipment Interference warrants should be removed from the Investigatory Powers Bill and, ideally, that the untargeted compromise of computer systems be explicitly forbidden.