Some views and opinions
The widespread use of smartphones, emails and social media over the last decade has given the intelligence agencies access to private data on a scale few in the last century would have imagined possible. Orwell’s Big Brother looks clunky compared with the intelligence agencies now.
We should all be worried. Journalists now routinely deal with their sources on smartphones and laptops. Covert access has become a quick and easy way to identify a source.
If sources understand they can be identified in this way they will be reluctant to risk dismissal (or possibly prosecution) to pass on information. We will get fewer stories telling us things that government and big business does not want us to know.
But this debate isn’t really about privacy versus security. Yes, the authorities do care a little more about security than civil liberties groups, but that’s their job (and if you were the Home Secretary who has to read security briefings and take responsibility for people’s safety, you probably would too). And yes, the civil liberties groups do worry more about privacy than the spies, because that’s their job.
But journalist Kelly Fiveash of The Register speculates that the true cost could be closer to £2 billion, as current estimates do not take into account the potential costs for interception of bulk personal data and hacking into computer systems.
A consequence of this mess is that the surveillance programme has been plagued by a steady drip of embarrassing stories of massively expanding official powers at the expense of personal privacy in recent years. They range from the revelations of Edward Snowden, the former US security contractor, to the Karma Police operation, where GCHQ collected the browsing habits of every “visible user” on the internet. At least it cannot be claimed that the agency does not have a sense of humour: Karma Police is named after a Radiohead song that includes the line, “This is what you’ll get when you mess with us”.
So new legislation is certainly necessary. But the draft bill, while moving fractionally in the right direction, has serious flaws. The government has tried to bring its multitudinous powers together in a single bill. In this it has failed, with a number of important powers still lying outside the scope of the checks and oversights proposed under the draft legislation.
The excessive procedural detail, apparent multiple complex layers of authorisation, and use of linguistic trompe l’oeils such as “equipment interference” (apparently nothing to do with hacking) and “bulk interception” (nothing like mass surveillance) in this Bill could easily distract readers of the legislation from appreciating the true nature of the powers contained therein. But make no mistake, currently this Bill is about surveillance and hacking on a mass scale.
Blanket, indiscriminate interception and retention of people’s communications by any other name is still mass surveillance and it can never be proportionate. If adopted in its current form, the IP Bill will authorise the intelligence services to intercept, in bulk, all email, text and internet communications in and out of the UK; demand phone and internet companies hand over entire databases full of records about what their customers do online and on their phones; acquire databases of other personal information from other companies and government departments, and hack into whole networks and millions of smartphones consecutively, rummaging through individuals’ most private thoughts and records.
Among key clauses of the RIPA legislation, Communications Service Providers (CSPs) must maintain permanent interception capabilities that include the ability “to remove any encryption applied by the CSP” to the subject of a warrant.
The Home Office confirmed that if the bill was currently passed, the legislation would require access to any encrypted transaction if a warrant is forthcoming from police or intelligence agencies.
Although seemingly formalising existing pieces of legislation, the bill has raised questions over the legality of any system that does not provide a means to access data in the case of an interception warrant.
Graeme Stewart, managing director for LogPoint technology in the UK and Ireland, said that with UK authorities having been using encryption technology for years, the proposed legislation could put significant additional responsibilities on local government and other public organisations.
Stewart said that the need for authorities and even health bodies to retroactively implement changes to existing encryption technology to meet the bill’s requirements created significant potential technical and workload challenges on under pressure public bodies. The exact nature of these challenges would also depend on how access is granted.
“If an intelligence service or police force goes to a council for example to legally gain access to encrypted data, they may not be able to provide carte blanche access,” he said.
“The likely administrative burden on a local authority will be the last thing they need and I doubt it will be welcomed by these organisations.”
Pointing to the experience of Nordic markets where LogPoint was first set up, Stewart noted that the advanced digital economies of Denmark and Norway had led to a rapid demand for online services that have created huge amounts of data for authorities to manage.
He noted that if the UK followed Denmark’s example then the volume of its data “would shoot through the roof”, leading to additional costs and effort being required by authorities to make sure they are able to provide access to encrypted data and maintaining security.
While accepting the general public may back granting access to encrypted data in the case of a judge-approved warrant process, Stewart noted that the implications of ensuring that all encrypted information can be accessed via a warrant could create longer-term issues around public confidence in data handling.
When implementing methods of communication for information deemed as classified or highly personal, such as data communicated between a local council and health authority, Stewart said price standard is often treated as a secondary consideration to system security.
In ensuring access to these encrypted systems, he argued there was the possibility of the encryption focus switching, particularly for certain organisations, to put in secure access as efficiently and simply as possible in certain cases. Ensuring public confidence in an authority’s ability to effectively manage and protect information would likely become increasingly vital.
Citing a traditionally more suspicious British public attitude to government around failed attempts at issuing a central UK identity card system, Stewart said the potential breach of information such as medical records would likely result in a significant backlash around data use from the public.
He added that the bill also had the potential to extend technological, administrative and confidentiality burdens on authorities.
Another security expert working across the UK public sector noted that if the bill was passed, an authority would abide by a warrant and ensure access to required data, though the actual wording of the law would be important.
The expert noted that it would be possible to provide access to encrypted information in a number of ways, with use of an encryption key not always providing the quickest means to access data. One possible alternative could be in going direct to a data source as an easier option for authorities in certain cases.
“In addition, questions should be asked around the application of the law: such as, how does the UK law apply to services outside the UK? Seeing as the Internet and cloud services are global, a website in another country may use TLS encryption from your browser to the website,” noted the source.
“If the provider hasn’t given the keys to the UK, then who is liable? Would it be the overseas website or the user? As is usual, I’m not sure, full, qualified and knowledgeable thought has gone into this law.”
Outlining the bill to parliament this week, home secretary Theresa May promised the proposed legislation it would not ban encryption, while committing to introduce what she called a ‘double-lock’ process to authorise warrants of the most “intrusive investigatory powers.”
“Democratic accountability, through the secretary of state, to ensure our intelligence agencies operate in the interests of the citizens of this country, and the public reassurance of independent, judicial authorisation,” she said.
Under the bill – expected to be introduced to parliament by next spring – local authorities will be banned from accessing communications data themselves.