UK Government Goes Ahead With Revised Surveillance Bill

Uploaded on 2016-03-04 in NEWS-Cybersecurity News, GOVERNMENT-National, FREE TO VIEW, BUSINESS-Services-Law

Despite a trio of parliamentary committees (ISC, STC and a joint select committee) criticizing the UK government’s draft surveillance legislation, and some committee members even calling for a complete rethink, the government is rushing ahead anyway.

It has introduced a tweaked version of the IP bill to parliament, and reiterated that new legislation “needs to be in force” by 31 December this year.

The Home Office has tightened up privacy safeguards in proposed new spying laws - but police will get more power to see Internet browsing records. The Investigatory Powers Bill will force service providers to store browsing records for 12 months. It will also give legal backing to bulk collection of Internet traffic.

The Home Office was forced to revise the draft bill after concerns by three committees of MPs it did not do enough to protect privacy and was too vague.

The Investigatory Powers Bill (IP bill) has been trailed as a necessary piece of legislation to plug so-called “capability gaps” for security and law enforcement agencies, and also as an overdue update to the legal framework around the use of such powers.

While never explicitly mentioned by government, the 2013 disclosures by NSA whistleblower Edward Snowden underlie the controversial attempt to put mass surveillance techniques that had been used for years by domestic security agencies (not always legally) on a secure legal footing.

The Home Office has published the full text of the amended bill, along with a clutch of documents relating to the proposed legislation, including codes of practice for the various powers.

The move comes less than a month after the bill was savaged by the Intelligence and Security committee, for having inconsistent and inadequate privacy protections, and yet having overly broad intrusive powers. You could say Home Secretary, Theresa May, is not for turning…

The Home Office claims the revised bill and the “further explanatory material” it has published responds to “the vast majority of the recommendations” made by the trio of critical committees.

Critics of the bill are saying the opposite — that the amended version of the bill does little to address fundamental concerns with the draft bill. And indeed, even further tightens the security screw in some instances — such as by extending police access to UK citizen’s web browsing records for specific crimes, as the Guardian has noted.

Police will also be able to deploy hacking in cases involving a “threat to life” or missing persons. And police use of these powers does not require the so-called “double-lock” ministerial authorisation that other intercept warrants do require.

In terms of the changes it has made in response to committee feedback, the government is saying it has “refined technical definitions” and published additional material such as the codes of conduct in the interests of increasing clarity about how powers in the bill will be used and why they are need.

It also claims to have enhanced privacy safeguards — noting specifically that it has added additional protections for journalists and lawyers.

On the web browsing records element of the legislation, it says it will “continue to work closely with industry to develop implementation plans for retaining Internet connection records in response to recommendations from the Joint Committee and the Science and Technology Committee”.

Internet connection records (or ISCs) refers to the requirement in the legislation that ISPs retain details on the websites accessed by users for the past 12 months. Industry concerns about the cost of implementing such a massive data capture system are clearly not going away. And the government’s early cost estimate for implementing ISCs (£247 million) looks unlikely to stand still.

Introducing the revised bill in parliament today, May claimed recommendations from the committees had “provided the basis for the legislation being brought forward today”.

Amendments to the draft legislation she specifically flagged up include a shorter period of time before urgent warrants that have been authorized solely by the Home Secretary must be retroactively reviewed by a judicial commissioner; the adding in of “statutory safeguards” to prevent domestic security agencies asking overseas partners to intercept communications where they do not have a warrant; and a degree of clarification on the bill’s encryption fudge — “to put beyond doubt that companies can only be asked to remove encryption that they themselves have applied (or has been applied on their behalf by a third party), and that they will not be asked to remove encryption where it is not practicable for them to do so”.

However she also noted the government has rejected calls to eject bulk equipment interference warrants (aka mass hacking as a sanctioned state agencies investigatory technique) from the bill. “This is a key operational requirement for GCHQ,” she told parliament. “We have published a public case for the use of bulk powers which sets out why this power remains necessary.”

The now published operational case for bulk EQ, as it’s known, and also bulk interception (aka mass surveillance) states that these are “foreign-focused powers” — allowing the security and intelligence agencies to “gather overseas-related communications of terrorists, serious criminals and state based threats in parts of the world where the UK may have a limited or no physical presence”.

“Warrants for these powers must not be sought with the intention of acquiring the communications or private data of people in the UK,” it adds. (The key phrase there is of course ‘with the intention of’ — as is the case when you use a very large scoop to harvest anything in bulk you are not able to be discriminating, and so UK citizens’ data is going to end up being lifted in this dragnet…)

Another recommendation the government has rejected is the justification of “economic well-being”, linked to national security, as a purpose for which some of the powers set out in the bill can be used. “That is in line with the statutory purposes of the intelligence agencies and relevant European Directives,” said May.

Now that the full text of the bill plus detailed documents pertaining to the proposed legislation are in the public domain there’s a crowd-sourced scrutiny effort in train, with people tweeting out a series of observations that would appear to contradict government claims.

Techcrunch: http://tcrn.ch/1RjemTI
BBC: http://bbc.in/1TNUKgr

 

« Mobile And IOT Technologies Are Inside The Curve Of Human Time.
ISIS Hack The Wrong Google »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Aurec

Aurec

Aurec provides specialist recruitment and contracting services including ICT professionals.

Securosis

Securosis

Securosis is an information security research and advisory firm dedicated to improving the practice of information security.

Okta

Okta

Okta is an enterprise-grade identity management service, built from the ground up in the cloud to address the challenges of a cloud-mobile-interconnected world.

Sentia

Sentia

Sentia is an IT and infrastructure firm, with focus on Outsourcing, IT operation and management, Hosting, Co-location, Network, and IT security.

4iQ

4iQ

4iQ fuses surface, social, deep and dark web sources to research and assess risks to people, infrastructure, intellectual property and reputation.

Attack Research

Attack Research

We go far beyond standard tools and scripted tests. Find out if your network or technology can stand real-world and dedicated attackers.

Ecubel

Ecubel

Ecubel is the market leader in Belgium in buying and selling used IT harware guaranteed by a certified data erasure.

TryHackMe

TryHackMe

TryHackMe is an online platform that teaches cyber security through short, gamified real-world labs. We have content for both complete beginners and seasoned hackers.

Security & Intelligence Division (SID) - Singapore

Security & Intelligence Division (SID) - Singapore

Security & Intelligence Division (SID) protects Singapore from external threats and safeguards its interests in areas related to terrorism, cyber security, other transnational threats, and geopolitics

HCS

HCS

HCS is an IT Company and Telecoms provider with an experienced team who are dedicated to ensuring our clients business systems are protected.

The Purple Guys

The Purple Guys

The Purple Guys offer Trouble-Free IT Support to businesses across the Central and Southern US. Safe and Secure, Rapid Response, Friendly Support that’s our Purple Promise.

Data Computer Services

Data Computer Services

Data Computer Services provides professional tailored IT Support and IT Services for businesses throughout Edinburgh and the Lothians.

Ivolv Cybersecurity

Ivolv Cybersecurity

Ivolv is here to assist your organization in building effective protection and resilience against cyber attacks.

AKIPS

AKIPS

AKIPS develops the world's most scalable network and infrastructure monitoring software, delivered as a turn-key software appliance.

Securily

Securily

Securily offers the ultimate solution for small to medium-sized businesses, blending cutting-edge AI with expert human insight to deliver the world’s easiest and most effective pentesting experience.

Vantyr

Vantyr

Vantyr's core mission is to safeguard the business-led adoption of SaaS applications by automating the lifecycle management and security of non-human identities.