UK Government Goes Ahead With Revised Surveillance Bill

Uploaded on 2016-03-04 in NEWS-Cybersecurity News, GOVERNMENT-National, FREE TO VIEW, BUSINESS-Services-Law

Despite a trio of parliamentary committees (ISC, STC and a joint select committee) criticizing the UK government’s draft surveillance legislation, and some committee members even calling for a complete rethink, the government is rushing ahead anyway.

It has introduced a tweaked version of the IP bill to parliament, and reiterated that new legislation “needs to be in force” by 31 December this year.

The Home Office has tightened up privacy safeguards in proposed new spying laws - but police will get more power to see Internet browsing records. The Investigatory Powers Bill will force service providers to store browsing records for 12 months. It will also give legal backing to bulk collection of Internet traffic.

The Home Office was forced to revise the draft bill after concerns by three committees of MPs it did not do enough to protect privacy and was too vague.

The Investigatory Powers Bill (IP bill) has been trailed as a necessary piece of legislation to plug so-called “capability gaps” for security and law enforcement agencies, and also as an overdue update to the legal framework around the use of such powers.

While never explicitly mentioned by government, the 2013 disclosures by NSA whistleblower Edward Snowden underlie the controversial attempt to put mass surveillance techniques that had been used for years by domestic security agencies (not always legally) on a secure legal footing.

The Home Office has published the full text of the amended bill, along with a clutch of documents relating to the proposed legislation, including codes of practice for the various powers.

The move comes less than a month after the bill was savaged by the Intelligence and Security committee, for having inconsistent and inadequate privacy protections, and yet having overly broad intrusive powers. You could say Home Secretary, Theresa May, is not for turning…

The Home Office claims the revised bill and the “further explanatory material” it has published responds to “the vast majority of the recommendations” made by the trio of critical committees.

Critics of the bill are saying the opposite — that the amended version of the bill does little to address fundamental concerns with the draft bill. And indeed, even further tightens the security screw in some instances — such as by extending police access to UK citizen’s web browsing records for specific crimes, as the Guardian has noted.

Police will also be able to deploy hacking in cases involving a “threat to life” or missing persons. And police use of these powers does not require the so-called “double-lock” ministerial authorisation that other intercept warrants do require.

In terms of the changes it has made in response to committee feedback, the government is saying it has “refined technical definitions” and published additional material such as the codes of conduct in the interests of increasing clarity about how powers in the bill will be used and why they are need.

It also claims to have enhanced privacy safeguards — noting specifically that it has added additional protections for journalists and lawyers.

On the web browsing records element of the legislation, it says it will “continue to work closely with industry to develop implementation plans for retaining Internet connection records in response to recommendations from the Joint Committee and the Science and Technology Committee”.

Internet connection records (or ISCs) refers to the requirement in the legislation that ISPs retain details on the websites accessed by users for the past 12 months. Industry concerns about the cost of implementing such a massive data capture system are clearly not going away. And the government’s early cost estimate for implementing ISCs (£247 million) looks unlikely to stand still.

Introducing the revised bill in parliament today, May claimed recommendations from the committees had “provided the basis for the legislation being brought forward today”.

Amendments to the draft legislation she specifically flagged up include a shorter period of time before urgent warrants that have been authorized solely by the Home Secretary must be retroactively reviewed by a judicial commissioner; the adding in of “statutory safeguards” to prevent domestic security agencies asking overseas partners to intercept communications where they do not have a warrant; and a degree of clarification on the bill’s encryption fudge — “to put beyond doubt that companies can only be asked to remove encryption that they themselves have applied (or has been applied on their behalf by a third party), and that they will not be asked to remove encryption where it is not practicable for them to do so”.

However she also noted the government has rejected calls to eject bulk equipment interference warrants (aka mass hacking as a sanctioned state agencies investigatory technique) from the bill. “This is a key operational requirement for GCHQ,” she told parliament. “We have published a public case for the use of bulk powers which sets out why this power remains necessary.”

The now published operational case for bulk EQ, as it’s known, and also bulk interception (aka mass surveillance) states that these are “foreign-focused powers” — allowing the security and intelligence agencies to “gather overseas-related communications of terrorists, serious criminals and state based threats in parts of the world where the UK may have a limited or no physical presence”.

“Warrants for these powers must not be sought with the intention of acquiring the communications or private data of people in the UK,” it adds. (The key phrase there is of course ‘with the intention of’ — as is the case when you use a very large scoop to harvest anything in bulk you are not able to be discriminating, and so UK citizens’ data is going to end up being lifted in this dragnet…)

Another recommendation the government has rejected is the justification of “economic well-being”, linked to national security, as a purpose for which some of the powers set out in the bill can be used. “That is in line with the statutory purposes of the intelligence agencies and relevant European Directives,” said May.

Now that the full text of the bill plus detailed documents pertaining to the proposed legislation are in the public domain there’s a crowd-sourced scrutiny effort in train, with people tweeting out a series of observations that would appear to contradict government claims.

Techcrunch: http://tcrn.ch/1RjemTI
BBC: http://bbc.in/1TNUKgr

 

« Mobile And IOT Technologies Are Inside The Curve Of Human Time.
ISIS Hack The Wrong Google »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

D-RisQ

D-RisQ

D-RisQ is focussed on delivering techniques to reduce the development costs of complex systems and software whilst maximising compliance

Cybertrust Japan

Cybertrust Japan

Cybertrust Japan provides a comprehensive security certification and digital authentication service, enabling customers to build and manage highly secure IT infrastructures.

Atea

Atea

Atea is the market leader in IT infrastructure for businesses and public-sector organizations in Europe’s Nordic and Baltic regions.

Nubo Software

Nubo Software

Nubo’s Virtual Mobile Infrastructure creates a virtual corporate device on your employee smartphones and tablets. Enable unlimited mobility without leaving any data at risk.

NetSecurity

NetSecurity

NetSecurity is a Brazilian company specializing in Information Security. We provide Managed Security Services (MSS), network security solutions and other specialist services.

Zamna

Zamna

Zamna (formerly VChain Technology) is an award-winning software company building GDPR compliant identity platforms for the aviation industry.

CorkBIC International Security Accelerator

CorkBIC International Security Accelerator

CorkBIC International Security Accelerator invests in early stage disruptive companies in the security industry including, Cybersecurity, Internet of Things (IOT), Blockchain and AI.

Allthenticate

Allthenticate

Allthenticate Single Device Authentication (SDA), enables seamless authentication in both the physical and digital words while unifying management in one easy-to-use interface.

Prove Identity

Prove Identity

Prove (formerly Payfone) is a leader in mobile & digital identity authentication for the connected world.

ScorpionShield

ScorpionShield

ScorpionShield CyberSecurity is an EC-Council Accredited Training Center, and an On-Demand Service for Cybersecurity professionals.

Celcom

Celcom

Celcom is the oldest mobile telecommunications provider in Malaysia, providing solutions and services to consumers and businesses.

HarfangLab

HarfangLab

HarfangLab develops a hunting software to boost detection and neutralization of cyberattacks against companies endpoints.

Marlink

Marlink

Marlink smartly integrates hybrid, future-ready network solutions so you can benefit from the best available connectivity and IT to accelerate your digitalisation and empower your remote operations.

Board of Cyber

Board of Cyber

Board of Cyber offers Security Rating: a fast, non-intrusive, continuous, 100% automated solution to evaluate the cyber performance of an organization.

Incode

Incode

Incode is the leading provider of world-class identity solutions that is reinventing the way humans authenticate and verify their identities online.

SECTA5

SECTA5

SECTA5 is a cybersecurity company building a next-generation Continuous Threat and Exposure Management platform, leveraging the expertise of offensively trained cyber defenders.