Snooper’s Charter Reloaded
Why it’s patchy and exclusive
This year saw governments take sides over a new iteration of the Crypto Wars. Greatly affected by the 2011 DigiNotar attacks, which took down the Dutch CA, the Dutch government made a strong statement in favour of encryption. Fully supported by the Dutch intelligence services (AIVD & NCTV), it rightly stated that cybersecurity in both the private and public sector would need to be strengthened, not weakened, in order to improve resilience and counter-terrorism efforts. After months of heated debate, the UK decided to take a different path: that of exclusion and ambiguous limits to power.
You can find the full “Investigatory Powers Bill” here.
Please find a summary at the end of the article.
What’s new with the Bill?
The previous iteration of the law controversially introduced “equipment interference”, which gave domestic intelligence organisations the right to perform wiretapping and required software companies (among others) to cooperate when asked to provide backdoors to their products.
It goes without saying that such backdoors would spell the death of companies that rely on security as their selling point and competitive advantage. Equipment Interference has already been compared to “authorised hacking”, or in Natasha Lomas’s words ‘authorising state actors to hack into devices, networks and services’.
This has already been flagged by Privacy International (a rising UK NGO focused on privacy rights) and a coalition of other NGOs, who believe that these laws are effectively a breach of the European Convention on Human Rights (particularly when such powers are exercised on individuals outside the UK). With #Brexit looming, it is unclear whether the UK Parliament cares much about what the ECHR has to say on this matter.
“Bulk Personal Datasets” — Why the IP Bill is Patchy
A newcomer as far as international investigatory policy is concerned, “Bulk Personal Datasets” are scarily self-explanatory. The IP Bill has legalised the acquisition, storage and analysis of data regardless of whether such data is of interest to intelligence services.
Taken straight from the Bill itself, Clause 200 (1) (a) & (b) describe the scope and motive behind the collection of Bulk Personal Datasets. Parliament has detailed into law that BPDs are by definition aimed at ‘individuals (that) are not, and are unlikely to become, of interest to… intelligence.’
Of course, BPDs require warrants. Unfortunately, the Bill centralises all warrant powers at the top, which poses a host of problems.
This is only part of the legislation on BPD warrants (please read through the entire section for more information).
The “Head of the intelligence service” is given the responsibility to consider which class or specific BPD warrants infringe on protected data, health records, or sensitive personal data. But realistically, what Head of Intelligence, in their right mind, would refuse a counter-terrorism investigation warrant on the grounds that the data contains “health records”? Even if it is inscribed into law as a responsibility, the lack of accountability and the impossibility of gaining access to the data to prove anyone guilty point towards ineffective legislation.
Why the IP Bill is Exclusionary
Perhaps worse than the glaring loopholes is the strategic stance the UK government has adopted in the fight for cybersecurity. According to Brian Spector (CEO at MIRACL),
This has serious implications for technology companies who, under the proposals, would be legally bound to help UK police and security services access an individual’s device. What’s more, the current wording of the Bill means that any software made by a British company could soon be perceived to be facilitating government spying on its customer data.
In addition to the “equipment interference” clauses, another new power, the ‘Internet Connection Records’ (ICRs), obliges companies to collect and store real-time data on websites accessed by all users for a full 12 months. This data is supposed to enter a “Filter” that “matches ICRs to your mobile/phone data”.
Excluding the Private Sector
Not only do these measures restrict the private sector’s ability to secure the data and privacy of Britain’s citizens, they also exclude its participation in future resilience/response initiatives. As we have seen during the course of the US Presidential Election, politically motivated cyber attacks are only mounting in complexity and quantity. It is crucial to understand that the UK cannot act alone against APTs and other transnational threats. A national government will always have a bête noire, and some of those might be called “Cozy Bear” or “Fancy Bear”.
In any cyber crisis scenario, it is essential to source the expertise of White-Hat hackers, or even Grey-Hats who may be incentivised to help the UK government. It is also vital that UK companies (those disproportionately affected by cyber-attacks in the UK) purchase software products that are free of backdoors and zero-day vulnerabilities.
Why “Snooper’s Charter” is a problem — Summarised
No, it’s not only about the ‘legitimate public expectation of openness and transparency in today’s society’ as cited by the UK Parliament’s Intelligence and Security Committee.
- You’re turning your back on a crucial community. The private sector both has the means and is the most affected by cybersecurity flaws every day.
- The legislation is patchy at best and riddled with intentional loopholes at worst.
- More is not more. While it is commendable that Glenn Greenwald deplores the huge amount of data that the UK has access to as a source of tyranny, what is most alarming is the way in which this big data is processed. Most data is not going to be read by GCHQ’s scrupulous eyes; it is going to be fed through an automated processor. The metadata-driven method can put many innocent citizens in the “firing line”.
- Quis custodiet ipsos custodes? Who guards the guardians? If the European Convention on Human Rights seemed to guard UK citizens from extensive privacy infringements, and UK domestic law was used as a way for the UK Parliament to appeal against that protection, then a new mechanism for human rights accountability is needed in the post-Brexit UK.
This article was originally written and published by Yuji Develle on LinkedIn Pulse. You can find that here.