NEWS

UK Moves to Expand Surveillance Capabilities

On 29 January 2017 the Investigatory Powers Bill (IPB) became law in the UK. It has been described by the likes of Edward Snowden as “the most extreme surveillance in the history of western democracy.”

Digital rights organization the Open Rights Group has obtained a leaked draft document, which forms part of a closed government consultation on plans to put into practice some of the more controversial powers granted to the government under the IPB.

These plans involve expanding the government’s surveillance capabilities in two key areas.

1. Mass realtime surveillance of Internet Service Providers and telecoms customers

According to the Draft Technical Regulations, the UK government will be able to intercept the realtime internet and phone data of one out of 10,000 citizens at any given time.

This mass surveillance capability will allow the government to monitor 6,500 citizens at any given moment in realtime.

Internet Service Providers (ISPs) and telecoms companies will be required to hand over this information “in an intelligible form” within one working day. This includes encrypted content.

2. Introduction of “backdoor” access to encrypted products

ISPs will be required to introduce backdoor access to their networks so that they can remove encryption.

Based on previous comments made by senior government ministers, it is expected these provisions will also be applied to encrypted chat services such as WhatsApp, Facebook Messenger, and Apple iMessage.

This backdooring of encrypted communications, in particular, is likely to be highly contentious. Not only is such a clear violation of individuals’ privacy ethically questionable at best, but it makes users less secure: a backdoor for law enforcement is also a backdoor for criminal hackers.

The proposals also raise major practical problems.

UK Companies Only?

Will the requirement only be enforced against UK companies? If so, then surely anyone who cares about privacy will simply use non-UK products? This would make such a law entirely ineffective at catching criminals or terrorists.

What it would achieve, however, is to destroy British technology businesses whose products rely on encryption. After all, why the hell would anyone choose to use a product that is known (or at least can be assumed) to be backdoored by the UK government?

This point is particularly relevant in the context of Brexit, because the tech industry is one business sector in which Britain is currently a world leader. Forcing UK-made encrypted products to include a backdoor must inevitably damage their market position.

International Companies?

The government could attempt to persuade companies such as Google, Facebook, Amazon, Apple, and Microsoft to cooperate with its plans, but what incentive would they have to do so?

This is especially true with the likes of Apple, which has strenuously resisted efforts by its own government to compromise its encryption. Microsoft, too, has recently shown little inclination to cooperate with the US government when it comes to spying on its customers.

If these US companies are unwilling to cooperate with the US government in this area, what hope does the UK government have of talking them round?

Alternatively, the UK government could attempt to force compliance with UK laws on international companies that wish to do business in the UK. However…

  1. The UK makes up a very small percentage of the global market. The damage done to international companies’ reputations by complying with UK demands would likely not be worth the relatively modest loss of income that withdrawing from the UK market would incur.
  2. Would the UK government really be willing to risk this happening? The financial cost to the UK economy could be near catastrophic.
  3. In addition to this, how would UK voters respond to news that they could no longer buy iPhones and Windows laptops, or access their Gmail accounts? There would be chaos!

What About Open Source?

The notion of effectively banning strong end-to-end encryption becomes even more laughable when we consider open source projects, such as OpenVPN or the Signal messenger app. These are among the most robust encryption products available, and can be downloaded from international servers by anyone with an internet connection.

Many open source programs are the result of community-led development. In the case of something such as Signal, which is developed by Open Whisper Systems, the non-profit nature of such software means the UK government has zero leverage in either persuading or coercing developers to comply with its rules.

Indeed, open source software can be audited to ensure that it has not been tampered with. If even a whiff of suspicion were aroused, it could be forked into new, untampered-with versions.

Meaningful Oversight?

As laid out in the IPB itself, a warrant will be required before such surveillance can be carried out. This must be issued by a secretary of state and authorised by a special judicial commissioner.

These judicial commissioners, however, are a group of retired judges, hand-picked by the government. They will not have the technological expertise or understanding of covert surveillance necessary to make informed decisions, so will effectively rubber-stamp ministerial edicts.

Their role, therefore, will simply be to ensure that the correct procedures have been followed. Even here, ministers can delay this minimal judicial oversight for five days simply by declaring the case “urgent.”

The Consultation

In theory, the government consultation that the leaked draft document is part of is open to comment from anyone. Responses must be filed with the Home Office before 19 May.

In reality, however, the government has done its best not to alert the general public about its plans. The document was only circulated among the UK government’s Technical Advisory Board and various government agencies such as MI5 and GCHQ. The Technical Advisory Board consists of representatives from six of the UK’s major telecoms companies.

It should be noted that the UK government is under no legal obligation to consult with anyone over its plans.

Conclusion

Despite the rather clandestine nature of the consultation, the plans outlined in the leaked document merely confirm that the government plans to push ahead with objectives already clearly laid out in the Investigatory Powers Act.

The fact that these plans are morally reprehensible and wildly impractical seems to be neither here nor there. If the government does succeed, it will critically damage UK technology companies and severely weaken the security of users of encrypted products.

It also means that UK citizens will be living in a surveillance state that would make George Orwell’s Big Brother proud.

Image credit: By Azat Valeev/Shutterstock.com

Douglas Crawford: I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living.


4 responses to “UK Moves to Expand Surveillance Capabilities”

  1. Dear Douglas,

    For UK domiciled persons, does using a non-UK based VPN circumvent the IPB’s capabilities to surveil?

    Or is it possible that the UK ISPs could backdoor their customers routers and intercept pre-encrypted data? or steal encryption keys?

    Finally, do you think other five-eyes countries’ VPN operators will collaborate with the IPB?

    Thanks for all the great articles.
    Henry

    1. Hi Henry,

      – Yes. Using a non-UK VPN service (and a non-UK VPN server, just to be on the safe side) is an effective way to prevent the UK government from untargeted spying on you (it’s what I do).
      – If you run a VPN client on your computer, your outgoing data will be encrypted before it even reaches your router, and your incoming data after it passes through the router.
      – The UK will likely share all data it collects under the IPA with its FVEY partners. I’m sure the other FVEY countries would love to copy the UK and force their companies to introduce backdoors into their encryption products, but as we have seen with Apple, doing so will not be easy. As always, though, open source is the way to go…

    2. Thanks Douglas.
      For clarification…
      You said:
      “– If you run a VPN client on your computer, your outgoing data will be encrypted before it even reaches your router, and your incoming data after it passes through the router.”

      Did you mean to write that the “incoming (encrypted) data will be DECRYPTED after it passes through the router”?

      via a VPN client.

      Best wishes, Henry
