Security experts, civil liberty groups and technology organisations have pushed back against key sections of the recently revealed Investigatory Powers Bill in 46 separate written submissions to the government.
The proposals would enhance the snooping powers available to intelligence agencies and the government, while legitimising practices that remained firmly under wraps until the disclosures of Edward Snowden.
Now, as the bill faces increasing scrutiny, V3 has analysed the submissions sent to the Science and Technology Committee to pick out the key arguments, finding strong opposition to approaches on encryption, bulk surveillance and hacking.
The Firefox developer warned that the bill represents a “broad and dangerous” set of surveillance proposals that threaten user privacy and security on the internet.
“The open internet relies on technological and legal design decisions to ensure its continued vitality. Unfortunately, the legislation before you would undermine that framework, and represent a serious threat to open source software, online commerce, user privacy, security and trust,” the firm said.
“Keeping internet users safe does not have to cost them their privacy or the integrity of communications infrastructure. We believe the current legislation falls far short of striking the right balance.”
Snowden released the trove of NSA documents in 2013 and exposed the bulk collection of phone and internet records by law enforcement and spy agencies across the world, including the UK’s GCHQ.
The practices of bulk collection and retention “fundamentally undermine” the expectation of everyday internet users, according to Mozilla. “We are concerned that this bill would explicitly legalise these harmful practices, when it should instead rein them in,” the firm said.
Furthermore, Mozilla wants to see a “fully encrypted web”, contrary to the position of cyber spooks and governments.
“The use of encryption is growing daily, protecting more and more communications from interference and interception. The possibility that companies might be forced to weaken encryption on products would erode user trust in those products, harming the continued success of online commerce. This has a potentially huge impact on the internet,” the company said.
Big Brother Watch
Big Brother Watch (BBW), which has long campaigned against mass surveillance, maintained in its written submission that “interception should be targeted” instead of a broad sweep of every internet user.
“The draft bill proposes two forms of interception: targeted and bulk. Whilst we acknowledge that the draft bill has attempted to outline safeguards to protect the data of innocent people from being intercepted, we feel that there remains weakness in the proposed system,” the group said.
BBW criticised the ‘equipment interference’ proposals included in the bill as having “the potential to be very damaging”.
Many security experts have raised strong concerns about the risk to computer networks and the exploitation of zero-day flaws in this interference, which is effectively hacking.
“The unintended consequences which can occur during equipment interference are a very real threat. Put simply, weakening a system does not mean that only law enforcement or the intelligence agencies can exploit it. The system can be exploited by anyone who uncovers the weakness, including malicious actors, rogue states or non-government hackers,” the organisation said.
“Any approach to weaken, create backdoors or simply abandon encryption must be treated with extreme caution.”
Privacy International also criticised the bill for its stance on zero-day exploitation and hacking.
“We question whether hacking can ever be a legitimate form of state surveillance. By using zero-days offensively as part of attacks, British intelligence and police agencies are preventing potentially millions of individuals and companies from being protected,” it said.
“Such zero-day vulnerabilities could be used to target not only personal computers and phones, but other devices connected to the internet such as smartwatches, fitness bands, smart cars and more.”
The snooping proposals would force firms to retain metadata (the who, what, when and where of a communication rather than its content), yet hacking techniques take surveillance laws a step too far, according to Privacy International.
“When an agent takes control of a computer by hacking it, there are few limits on what can be done. Unlike intercept capabilities, hacking capabilities can be deployed in any number of configurations to do any number of different things,” the group said.
“The logging of keystrokes, tracking of locations, covert photography and video recording of the user and those around them enables intelligence agencies and the police to conduct real-time surveillance, while access to stored data enables analysis of a user’s movements for a lengthy period prior to the search [and] access to save documents, notes, draft messages and emails.”
Privacy International also said it believes limiting encryption could have severe implications for UK businesses.
“If implemented in its current form, the draft bill would require communications service providers to fundamentally weaken the security of their systems, which may cause them to question whether to continue doing business with and in the UK,” it said.
“Many of these [online] businesses contribute greatly to the British economy, and include the banking, financial and legal sectors, as well as the computer software, hardware, antivirus, gaming and startup industries.”
Indeed, BlackBerry was recently forced to stop trading in Pakistan after government intrusion requests into its software, showing that tech firms are willing to lose business if the legal environment is too onerous.
TechUK, which represents over 850 companies including Apple, Microsoft and Samsung, said: “The draft bill aims to reflect the government’s commitment to create a world leading, modern framework for surveillance. TechUK supports this goal.”
Yet while TechUK and the government share a common desire for updated regulation, the organisation takes issue with the finer details of the internet data collection and retention proposals. The bill would force ISPs to store data for 12 months and make it available to the government.
“Requiring the retention of [internet connection records] is a significant change for ISPs and will add additional costs to the running of these companies due to the vast amounts of data that passes through the internet on a daily basis,” the organisation said.
Indeed, it was revealed under recent committee scrutiny that retention of these internet records will cost the UK taxpayer over £17m a year.
“The security of internet connection records is particularly important, since access to such records by malicious actors can be even more dangerous than other types of communications data. This is due to the inferences about people’s activities and interests that such data can reveal and the increased opportunity of identity theft that arises from their collection,” TechUK warned.
The government’s understanding of encryption was heavily criticised by TechUK. “Although the government has been at pains to stress that it is not restricting or weakening encryption, and that all requirements in the bill regarding the ‘removal of electronic protection’ are already provided for in current legislation, further scrutiny around this is needed,” it said.
“The draft bill could be interpreted as giving the government the power to request companies to compromise their software in order to make encryption less secure in order to give an effect to a warrant.”