UK Surveillance Powers Bill Could Force Startups To Build In Backdoors

 

While the Apple vs FBI court battle has drawn all eyes to the question of what should be considered ‘reasonable assistance’ for companies to provide law enforcement agencies, over in the UK the government is attempting to enshrine in law surveillance capabilities that would enable state agencies to compel even very small startups to build insecurities into their systems in order to be able to hack users on demand.

And the kicker is there would be no chance for companies compelled to do this to go public with the request, as Apple has done in the FBI instance, or even for them to be upfront with their users that they are being forced to compromise their privacy. The proposed legislation would require non-disclosure of any such state-enforced actions that companies are compelled to take.

“Any person to whom a technical capability notice is given, or any person employed or engaged for the purposes of that person’s business, is under a duty not to disclose the existence and contents of that notice to any person,” a Code of Practice on the proposed investigatory power notes.

The draft legislation is currently before parliament so is not yet law. However it is the government’s intention to drive the Investigatory Powers bill through parliament and onto the statute books by the end of this year, when other data retention powers are due to be sunsetted, leaving only a very short time frame for parliamentarians to scrutinize what is a highly complex and technical piece of legislation that extends to more than 250 pages, with a substantial clutch of attendant documents — including multiple highly detailed Codes of Practice for the various powers set out in the bill.

It is the worst form of a backdoor. It is a secret power to force companies to build all manner of backdoors to all sorts of systems to intrude directly onto a product or service that you are using or have bought.

In a draft Code of Practice on Equipment Interference (EQ), published earlier this month at the same time as the full bill, a section dryly entitled Maintenance of a technical capability notes that communication service providers (CSPs) may be required to “provide a technical capability to give effect to interception, equipment interference, bulk acquisition warrants or communications data acquisition authorisations”.

To be clear, CSPs means any Internet or phone company. So technology startups fall squarely into this bucket.

“The purpose of maintaining a technical capability is to ensure that, when a warrant is served, companies can give effect to it securely and quickly,” the EQ Code of Practice adds. “Small companies (with under 10,000 users) will not be obligated to provide a permanent technical capability, although they may be obligated to give effect to a warrant.”

So, in plain English, the provision provides for sweeping state powers to co-opt all but the tiniest of startups and technology platforms as surveillance entities, and does so with a power to compel them to pre-bake weaknesses into their systems on-demand.

Surely, then, the very definition of a ‘backdoor’, despite earlier government claims the legislation is not asking for backdoors (or demanding encryption keys). Of course state agencies would not need to ask for encryption keys if the law requires companies to have already perforated their security systems in order to afford the same agencies access to customer data on demand and in secret.

“Hacking powers have been broadened,” says Eric King, deputy director of humans rights group Privacy International, discussing the version of the bill now before parliament. “ICRs [Internet Connection Records, aka web browsing records on all users that ISPs would be forced to retain for a year] have been broadened.

“Issues around how they can force companies to hack have been explicitly confirmed now. But only now, robbing previous committees from being able to consider them and robbing companies and NGOs from being able to respond in a timely manner to those sorts of concerns.”

An earlier version of the bill was looked at by three government committees, all of which expressed substantial concerns, including the Security and Intelligence Committee slamming the draft bill for lacking clarity and for failing to enshrine privacy protections or provide adequately targeted surveillance measures.

King says the overwhelmingly majority of the changes the government has made to the draft legislation in response to the committee reports are “cosmetic”.

“In some circumstances, when undertaking a clarification, they’ve actually expanded the authority in the bill, so this seems to have been an exercise in ‘keep vague’, at an early stage, have a whole host of academics, NGOs, companies raise concerns about that lack of clarity, but keep it vague so that only at the very last minute, i.e. now, will they actually clarify those 200-odd issues. But they clarify each and every one of them in a way that confirms the worst fears of the lack of clarity expressed earlier,” he tells TechCrunch.

On EQ (aka state-compelled hacking of devices/systems), King says the sheer scale of the proposals are staggering, noting that the bill now affords domestic law enforcement, as well as security agencies, access to hugely intrusive capabilities to hack into systems.

“They built in systems that would force companies who have more than 10,000 users — which for a startup ten years ago used to be a hard thing, now you can quite quickly collect 10,000 users no problem — so it’s a very low threshold. They can serve a permanent notice to require you to bake into your product a technical capability that would allow you to then hack any one of your customers,” he says.

“And when law enforcement then later come along and say we want you to hack this customer, they’ve already forced the company to build the system to do that. So this essentially gets around the problem that’s being faced in the US with Apple and the FBI, where Apple built the security in and now the FBI are saying we want you to undo that.

“Here Britain’s taking a different approach, they’re saying, right from this point onwards we’re going to start ordering companies to build in this capability to hack your systems so that we never have to have this problem. But unlike in the US where Apple are able to openly discuss this, in all of the circumstances in the UK these companies would be gagged from talking about it. They’d be prohibited from going to the press, from informing their users, from having an open court hearing where the press could report.”

It’s a semantic game that’s being played here, about what constitutes weakening, what constitutes back-dooring, that the government is still playing hard and fast on in the hope that, essentially, a big lie sticks.

“It is the worst form of a backdoor,” adds King. “It is a secret power to force companies to build all manner of backdoors to all sorts of systems to intrude directly onto a product or service that you are using or have bought. And it would tie the companies into being complicit into actively attacking their users.

“So rather than a backdoor that’s provided that then governments exclusively use, this is roping in the companies and deputizing them and even paying for their staff, there’s powers in the Code to remunerate businesses who have to hire new staff or build new technologies to ensure that they can hack their customers.”

King also asserts that older and much criticized encryption/decryption powers in extant UK legislation (the Regulation of Investigatory Powers Act 2000) have not been adjusted, changed or integrated into the new bill, despite government claims the IP bill would seek to gather all investigatory powers into one place to provide for a clear and transparent framework for the operation of state investigatory capabilities.

“The powers will continue to stand alone outside of this bill and all of the issues dealing with encryption that we’re talking about are new powers, new capabilities, new ways to force companies to undermine, weaken, backdoor their architecture, their systems, including the removal of encryption systems,” he adds.

“It’s a semantic game that’s being played here, about what constitutes weakening, what constitutes back-dooring, that the government is still playing hard and fast on in the hope that, essentially, a big lie sticks.”

TechCrunch has contacted the UK Home Office asking for clarification on the Investigatory Powers bill’s position vis-a-vis state-mandated backdoors. The department had not responded at the time of publication. We will update this story with any response.

TechCrunch: http://tcrn.ch/1ouEa7D

« CIOs Fear Fines From New EU Data Laws
27% Of Known Malware First Appeared In 2015 »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Information Security Group (ISG) - Royal Holloway

Information Security Group (ISG) - Royal Holloway

The Information Security Group, Royal Holloway, University of London, is an Academic Centres of Excellence in Cyber Security Research.

Clifford Chance

Clifford Chance

Clifford Chance are one of the world's pre-eminent law firms with resources across five continents. Practice areas include Cyber Security & Information Protection

MobileIron

MobileIron

MobileIron provides EMM capabilities to IT organizations that need to secure mobile devices, applications and content.

Telefonica Tech

Telefonica Tech

Telefónica Cyber Security Tech is focused on the prevention, detection and appropriate response to security incidents aimed at protecting your digital services.

Cryptomathic

Cryptomathic

Cryptomathic is an expert on commercial crypto - we develop, deliver and support the most secure and efficient off-the-shelf and customised solutions.

International Telecommunication Union (ITU)

International Telecommunication Union (ITU)

ITU is the United Nations specialized agency for information and communication technologies – ICTs. Areas of activity include cybersecurity.

Cyberkov

Cyberkov

Cyberkov services include Pentesting, Vulnerability Assessments, Digital Forensics, Incident Response, Source Code Analysis and Security Training.

Pareteum

Pareteum

Pareteum is a leading Global provider of mobile networking software and services. Our mission is to provide a single solution to the problem of fully enabling and securing the Mobile Cloud.

archTIS

archTIS

archTIS specialises in the design and development of products, solutions and services for secure information sharing and collaboration.

Netragard

Netragard

Netragard has an established reputation for providing high-quality offensive and defensive security services.

ValueMentor

ValueMentor

ValueMentor is a leading cyber security service provider in the Middle East. We enable clients to reduce risk by taking a strategic approach to cybersecurity.

Help AG

Help AG

Help AG provides leading enterprise businesses and governments across the Middle East with strategic consultancy combined with tailored information security solutions and services.

Sentrium Security

Sentrium Security

Sentrium is committed to helping organisations protect their technology, information and people. Our range of bespoke services provide solutions to tackle a broad range of cyber security challenges.

Corsearch

Corsearch

Combining AI-powered technology and decades of industry expertise, Corsearch is revolutionizing how companies establish and protect their brands.

Auxilion

Auxilion

Auxilion is an award-winning provider of consulting and IT support services, technologies and consulting for public and private organisations in the UK and Ireland.

3DOT Solutions

3DOT Solutions

3DOT Solutions is an established UK cybersecurity consultancy focused on delivering end-to-end cyber security solutions for private and public sector customers.