UK Government Goes Ahead With Revised Surveillance Bill

Despite a trio of parliamentary committees (ISC, STC and a joint select committee) criticizing the UK government’s draft surveillance legislation, and some committee members even calling for a complete rethink, the government is rushing ahead anyway.

It has introduced a tweaked version of the IP bill to parliament, and reiterated that new legislation “needs to be in force” by 31 December this year.

The Home Office has tightened up privacy safeguards in proposed new spying laws - but police will get more power to see Internet browsing records. The Investigatory Powers Bill will force service providers to store browsing records for 12 months. It will also give legal backing to bulk collection of Internet traffic.

The Home Office was forced to revise the draft bill after concerns by three committees of MPs it did not do enough to protect privacy and was too vague.

The Investigatory Powers Bill (IP bill) has been trailed as a necessary piece of legislation to plug so-called “capability gaps” for security and law enforcement agencies, and also as an overdue update to the legal framework around the use of such powers.

While never explicitly mentioned by government, the 2013 disclosures by NSA whistleblower Edward Snowden underlie the controversial attempt to put mass surveillance techniques that had been used for years by domestic security agencies (not always legally) on a secure legal footing.

The Home Office has published the full text of the amended bill, along with a clutch of documents relating to the proposed legislation, including codes of practice for the various powers.

The move comes less than a month after the bill was savaged by the Intelligence and Security committee, for having inconsistent and inadequate privacy protections, and yet having overly broad intrusive powers. You could say Home Secretary, Theresa May, is not for turning…

The Home Office claims the revised bill and the “further explanatory material” it has published responds to “the vast majority of the recommendations” made by the trio of critical committees.

Critics of the bill are saying the opposite — that the amended version of the bill does little to address fundamental concerns with the draft bill. And indeed, even further tightens the security screw in some instances — such as by extending police access to UK citizen’s web browsing records for specific crimes, as the Guardian has noted.

Police will also be able to deploy hacking in cases involving a “threat to life” or missing persons. And police use of these powers does not require the so-called “double-lock” ministerial authorisation that other intercept warrants do require.

In terms of the changes it has made in response to committee feedback, the government is saying it has “refined technical definitions” and published additional material such as the codes of conduct in the interests of increasing clarity about how powers in the bill will be used and why they are need.

It also claims to have enhanced privacy safeguards — noting specifically that it has added additional protections for journalists and lawyers.

On the web browsing records element of the legislation, it says it will “continue to work closely with industry to develop implementation plans for retaining Internet connection records in response to recommendations from the Joint Committee and the Science and Technology Committee”.

Internet connection records (or ISCs) refers to the requirement in the legislation that ISPs retain details on the websites accessed by users for the past 12 months. Industry concerns about the cost of implementing such a massive data capture system are clearly not going away. And the government’s early cost estimate for implementing ISCs (£247 million) looks unlikely to stand still.

Introducing the revised bill in parliament today, May claimed recommendations from the committees had “provided the basis for the legislation being brought forward today”.

Amendments to the draft legislation she specifically flagged up include a shorter period of time before urgent warrants that have been authorized solely by the Home Secretary must be retroactively reviewed by a judicial commissioner; the adding in of “statutory safeguards” to prevent domestic security agencies asking overseas partners to intercept communications where they do not have a warrant; and a degree of clarification on the bill’s encryption fudge — “to put beyond doubt that companies can only be asked to remove encryption that they themselves have applied (or has been applied on their behalf by a third party), and that they will not be asked to remove encryption where it is not practicable for them to do so”.

However she also noted the government has rejected calls to eject bulk equipment interference warrants (aka mass hacking as a sanctioned state agencies investigatory technique) from the bill. “This is a key operational requirement for GCHQ,” she told parliament. “We have published a public case for the use of bulk powers which sets out why this power remains necessary.”

The now published operational case for bulk EQ, as it’s known, and also bulk interception (aka mass surveillance) states that these are “foreign-focused powers” — allowing the security and intelligence agencies to “gather overseas-related communications of terrorists, serious criminals and state based threats in parts of the world where the UK may have a limited or no physical presence”.

“Warrants for these powers must not be sought with the intention of acquiring the communications or private data of people in the UK,” it adds. (The key phrase there is of course ‘with the intention of’ — as is the case when you use a very large scoop to harvest anything in bulk you are not able to be discriminating, and so UK citizens’ data is going to end up being lifted in this dragnet…)

Another recommendation the government has rejected is the justification of “economic well-being”, linked to national security, as a purpose for which some of the powers set out in the bill can be used. “That is in line with the statutory purposes of the intelligence agencies and relevant European Directives,” said May.

Now that the full text of the bill plus detailed documents pertaining to the proposed legislation are in the public domain there’s a crowd-sourced scrutiny effort in train, with people tweeting out a series of observations that would appear to contradict government claims.

Techcrunch: http://tcrn.ch/1RjemTI
BBC: http://bbc.in/1TNUKgr

 

« Mobile And IOT Technologies Are Inside The Curve Of Human Time.
ISIS Hack The Wrong Google »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Parasoft

Parasoft

Parasoft is an independent software testing and software quality assurance tool and solution vendor.

IoT Security Foundation (IoTSF)

IoT Security Foundation (IoTSF)

IoTSF is a collaborative, non-profit organisation with a mission to raise the quality and drive pervasive security in the Internet of Things.

CERT-PY

CERT-PY

CERT-PY is the national Computer Emergency Response Team for Paraguay.

NTOP

NTOP

NTOP develop high-quality network traffic analysis and DDoS protection software used by small individuals as well by large telecom operators.

Trustlook

Trustlook

Trustlook's SECUREai engine delivers the performance and scalability needed to provide total threat protection against malware and other forms of attack.

Cybersecurity Association of Maryland (CAMI)

Cybersecurity Association of Maryland (CAMI)

CAMI’s mission is to create a global cybersecurity marketplace in Maryland and generate thousands of high-pay jobs through the cybersecurity industry.

Energia Ventures

Energia Ventures

Energia Ventures is a three-month intensive accelerator for entrepreneurs with an innovative business in the energy, smart grid, cleantech, and cybersecurity sectors.

IP Twins

IP Twins

IP Twins offer a wide range of services related to domain names and online brand protection.

Threat Status

Threat Status

Threat Status are a Threat Intelligence company. We are the developers of Trillion. A cloud based Security As A Service (SaaS) platform.

VeriClouds

VeriClouds

VeriClouds is a password verification service that helps organizations detect compromised passwords and stop account takeover attacks.

Have I Been Pwned (HIBP)

Have I Been Pwned (HIBP)

Have I Been Pwned is a free resource for anyone to quickly assess if they may have been put at risk due to an online account of theirs having been compromised or "pwned" in a data breach.

Bit Sentinel

Bit Sentinel

Bit Sentinel is an information security company. We help companies like yours discover, prioritize, and effectively remediate potential cybersecurity risks.

LockMagic

LockMagic

Lockmagic is an information asset management solution to protect, track, audit and control accesses to sensitive information inside and outside your organization.

Mediatech

Mediatech

Mediatech, specialized in managed Cybersecurity and Cloud services, a single point of contact for your company's IT and infrastructure.

Coastline Cybersecurity

Coastline Cybersecurity

Coastline Cyber is a cybersecurity consulting firm dedicated to helping organizations strengthen their security posture by reducing risks, mitigating threats, and protecting against attacks.

StackGen

StackGen

StackGen (formerly appCD) automatically generates Infrastructure from Code (IfC) based on application code with golden standards applied.