UK Government Goes Ahead With Revised Surveillance Bill

Uploaded on 2016-03-04 in NEWS-Cybersecurity News, GOVERNMENT-National, FREE TO VIEW, BUSINESS-Services-Law

Despite a trio of parliamentary committees (ISC, STC and a joint select committee) criticizing the UK government’s draft surveillance legislation, and some committee members even calling for a complete rethink, the government is rushing ahead anyway.

It has introduced a tweaked version of the IP bill to parliament, and reiterated that new legislation “needs to be in force” by 31 December this year.

The Home Office has tightened up privacy safeguards in proposed new spying laws - but police will get more power to see Internet browsing records. The Investigatory Powers Bill will force service providers to store browsing records for 12 months. It will also give legal backing to bulk collection of Internet traffic.

The Home Office was forced to revise the draft bill after concerns by three committees of MPs it did not do enough to protect privacy and was too vague.

The Investigatory Powers Bill (IP bill) has been trailed as a necessary piece of legislation to plug so-called “capability gaps” for security and law enforcement agencies, and also as an overdue update to the legal framework around the use of such powers.

While never explicitly mentioned by government, the 2013 disclosures by NSA whistleblower Edward Snowden underlie the controversial attempt to put mass surveillance techniques that had been used for years by domestic security agencies (not always legally) on a secure legal footing.

The Home Office has published the full text of the amended bill, along with a clutch of documents relating to the proposed legislation, including codes of practice for the various powers.

The move comes less than a month after the bill was savaged by the Intelligence and Security committee, for having inconsistent and inadequate privacy protections, and yet having overly broad intrusive powers. You could say Home Secretary, Theresa May, is not for turning…

The Home Office claims the revised bill and the “further explanatory material” it has published responds to “the vast majority of the recommendations” made by the trio of critical committees.

Critics of the bill are saying the opposite — that the amended version of the bill does little to address fundamental concerns with the draft bill. And indeed, even further tightens the security screw in some instances — such as by extending police access to UK citizen’s web browsing records for specific crimes, as the Guardian has noted.

Police will also be able to deploy hacking in cases involving a “threat to life” or missing persons. And police use of these powers does not require the so-called “double-lock” ministerial authorisation that other intercept warrants do require.

In terms of the changes it has made in response to committee feedback, the government is saying it has “refined technical definitions” and published additional material such as the codes of conduct in the interests of increasing clarity about how powers in the bill will be used and why they are need.

It also claims to have enhanced privacy safeguards — noting specifically that it has added additional protections for journalists and lawyers.

On the web browsing records element of the legislation, it says it will “continue to work closely with industry to develop implementation plans for retaining Internet connection records in response to recommendations from the Joint Committee and the Science and Technology Committee”.

Internet connection records (or ISCs) refers to the requirement in the legislation that ISPs retain details on the websites accessed by users for the past 12 months. Industry concerns about the cost of implementing such a massive data capture system are clearly not going away. And the government’s early cost estimate for implementing ISCs (£247 million) looks unlikely to stand still.

Introducing the revised bill in parliament today, May claimed recommendations from the committees had “provided the basis for the legislation being brought forward today”.

Amendments to the draft legislation she specifically flagged up include a shorter period of time before urgent warrants that have been authorized solely by the Home Secretary must be retroactively reviewed by a judicial commissioner; the adding in of “statutory safeguards” to prevent domestic security agencies asking overseas partners to intercept communications where they do not have a warrant; and a degree of clarification on the bill’s encryption fudge — “to put beyond doubt that companies can only be asked to remove encryption that they themselves have applied (or has been applied on their behalf by a third party), and that they will not be asked to remove encryption where it is not practicable for them to do so”.

However she also noted the government has rejected calls to eject bulk equipment interference warrants (aka mass hacking as a sanctioned state agencies investigatory technique) from the bill. “This is a key operational requirement for GCHQ,” she told parliament. “We have published a public case for the use of bulk powers which sets out why this power remains necessary.”

The now published operational case for bulk EQ, as it’s known, and also bulk interception (aka mass surveillance) states that these are “foreign-focused powers” — allowing the security and intelligence agencies to “gather overseas-related communications of terrorists, serious criminals and state based threats in parts of the world where the UK may have a limited or no physical presence”.

“Warrants for these powers must not be sought with the intention of acquiring the communications or private data of people in the UK,” it adds. (The key phrase there is of course ‘with the intention of’ — as is the case when you use a very large scoop to harvest anything in bulk you are not able to be discriminating, and so UK citizens’ data is going to end up being lifted in this dragnet…)

Another recommendation the government has rejected is the justification of “economic well-being”, linked to national security, as a purpose for which some of the powers set out in the bill can be used. “That is in line with the statutory purposes of the intelligence agencies and relevant European Directives,” said May.

Now that the full text of the bill plus detailed documents pertaining to the proposed legislation are in the public domain there’s a crowd-sourced scrutiny effort in train, with people tweeting out a series of observations that would appear to contradict government claims.

Techcrunch: http://tcrn.ch/1RjemTI
BBC: http://bbc.in/1TNUKgr

 

« Mobile And IOT Technologies Are Inside The Curve Of Human Time.
ISIS Hack The Wrong Google »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

MAY Cyber Technology

MAY Cyber Technology

MAY Cyber Technology is a Security Management solutions provider located in Turkey & Germany.

StrongKey

StrongKey

StrongKey (formerly StrongAuth) is a leader in Enterprise Key Management Infrastructure, bringing new levels of capability and data security at a price point significantly lower than other solutions.

Greenetics Solutions

Greenetics Solutions

Greenetics Solutions is a company focused on providing solutions for information security.

Aporeto

Aporeto

The Aporeto platform protects cloud applications from attack by authenticating and authorizing all communications with a cryptographically signed identity assigned to every workload.

Intuity

Intuity

The Intuity suite of services provides companies with a complete awareness of their security status and helps them in an efficient, efficient and sustainable improvement process.

Iowa Cyber Hub

Iowa Cyber Hub

Iowa Cyber Hub is a cybersecurity education partnership between Iowa State University and Des Moines Area Community College.

Billington CyberSecurity

Billington CyberSecurity

Billington CyberSecurity is a leading, independent education company with an exclusive focus on cybersecurity.

Calyptix Security

Calyptix Security

Calyptix Security helps small and medium offices secure their networks so they can raise profits, protect investments, and control technology.

In Fidem

In Fidem

In Fidem specializes in information security management, with a bold approach that views cybersecurity as a springboard to organizational transformation rather than a barrier to innovation.

Digital Boundary Group (DBG)

Digital Boundary Group (DBG)

Digital Boundary Group (DBG) is an information technology security assurance services firm providing information technology security auditing and compliance assessment services to clients worldwide.

ISECURION Technology & Consulting

ISECURION Technology & Consulting

ISECURION is an information security consulting company. We provide a unique blend of services to our customers catering to the current information security landscape.

OryxLabs

OryxLabs

OryxLabs provide advanced enterprise digital risk protection solutions. Learn more about how 24x7 continuous assessment, monitoring, and improvement can secure your network.

Strata Information Group (SIG)

Strata Information Group (SIG)

Strata Information Group (SIG) is a trusted partner in IT solutions and consulting services.

MyTurn Career LLC

MyTurn Career LLC

Looking for a rewarding career in cybersecurity? Explore a wide range of cybersecurity jobs and opportunities in this rapidly evolving field.

Thoropass

Thoropass

Thoropass (formerly Laika) helps you get and stay compliant with smart software and expert services.

Irys Technologies

Irys Technologies

Irys Technologies specialize in pioneering digital transformation solutions designed to streamline communications and enhance maintenance and operational efficiency for a variety of sectors.