UK Surveillance Powers Bill Could Force Startups To Build In Backdoors

 

While the Apple vs FBI court battle has drawn all eyes to the question of what should be considered ‘reasonable assistance’ for companies to provide law enforcement agencies, over in the UK the government is attempting to enshrine in law surveillance capabilities that would enable state agencies to compel even very small startups to build insecurities into their systems in order to be able to hack users on demand.

And the kicker is there would be no chance for companies compelled to do this to go public with the request, as Apple has done in the FBI instance, or even for them to be upfront with their users that they are being forced to compromise their privacy. The proposed legislation would require non-disclosure of any such state-enforced actions that companies are compelled to take.

“Any person to whom a technical capability notice is given, or any person employed or engaged for the purposes of that person’s business, is under a duty not to disclose the existence and contents of that notice to any person,” a Code of Practice on the proposed investigatory power notes.

The draft legislation is currently before parliament so is not yet law. However it is the government’s intention to drive the Investigatory Powers bill through parliament and onto the statute books by the end of this year, when other data retention powers are due to be sunsetted, leaving only a very short time frame for parliamentarians to scrutinize what is a highly complex and technical piece of legislation that extends to more than 250 pages, with a substantial clutch of attendant documents — including multiple highly detailed Codes of Practice for the various powers set out in the bill.

It is the worst form of a backdoor. It is a secret power to force companies to build all manner of backdoors to all sorts of systems to intrude directly onto a product or service that you are using or have bought.

In a draft Code of Practice on Equipment Interference (EQ), published earlier this month at the same time as the full bill, a section dryly entitled Maintenance of a technical capability notes that communication service providers (CSPs) may be required to “provide a technical capability to give effect to interception, equipment interference, bulk acquisition warrants or communications data acquisition authorisations”.

To be clear, CSPs means any Internet or phone company. So technology startups fall squarely into this bucket.

“The purpose of maintaining a technical capability is to ensure that, when a warrant is served, companies can give effect to it securely and quickly,” the EQ Code of Practice adds. “Small companies (with under 10,000 users) will not be obligated to provide a permanent technical capability, although they may be obligated to give effect to a warrant.”

So, in plain English, the provision provides for sweeping state powers to co-opt all but the tiniest of startups and technology platforms as surveillance entities, and does so with a power to compel them to pre-bake weaknesses into their systems on-demand.

Surely, then, the very definition of a ‘backdoor’, despite earlier government claims the legislation is not asking for backdoors (or demanding encryption keys). Of course state agencies would not need to ask for encryption keys if the law requires companies to have already perforated their security systems in order to afford the same agencies access to customer data on demand and in secret.

“Hacking powers have been broadened,” says Eric King, deputy director of humans rights group Privacy International, discussing the version of the bill now before parliament. “ICRs [Internet Connection Records, aka web browsing records on all users that ISPs would be forced to retain for a year] have been broadened.

“Issues around how they can force companies to hack have been explicitly confirmed now. But only now, robbing previous committees from being able to consider them and robbing companies and NGOs from being able to respond in a timely manner to those sorts of concerns.”

An earlier version of the bill was looked at by three government committees, all of which expressed substantial concerns, including the Security and Intelligence Committee slamming the draft bill for lacking clarity and for failing to enshrine privacy protections or provide adequately targeted surveillance measures.

King says the overwhelmingly majority of the changes the government has made to the draft legislation in response to the committee reports are “cosmetic”.

“In some circumstances, when undertaking a clarification, they’ve actually expanded the authority in the bill, so this seems to have been an exercise in ‘keep vague’, at an early stage, have a whole host of academics, NGOs, companies raise concerns about that lack of clarity, but keep it vague so that only at the very last minute, i.e. now, will they actually clarify those 200-odd issues. But they clarify each and every one of them in a way that confirms the worst fears of the lack of clarity expressed earlier,” he tells TechCrunch.

On EQ (aka state-compelled hacking of devices/systems), King says the sheer scale of the proposals are staggering, noting that the bill now affords domestic law enforcement, as well as security agencies, access to hugely intrusive capabilities to hack into systems.

“They built in systems that would force companies who have more than 10,000 users — which for a startup ten years ago used to be a hard thing, now you can quite quickly collect 10,000 users no problem — so it’s a very low threshold. They can serve a permanent notice to require you to bake into your product a technical capability that would allow you to then hack any one of your customers,” he says.

“And when law enforcement then later come along and say we want you to hack this customer, they’ve already forced the company to build the system to do that. So this essentially gets around the problem that’s being faced in the US with Apple and the FBI, where Apple built the security in and now the FBI are saying we want you to undo that.

“Here Britain’s taking a different approach, they’re saying, right from this point onwards we’re going to start ordering companies to build in this capability to hack your systems so that we never have to have this problem. But unlike in the US where Apple are able to openly discuss this, in all of the circumstances in the UK these companies would be gagged from talking about it. They’d be prohibited from going to the press, from informing their users, from having an open court hearing where the press could report.”

It’s a semantic game that’s being played here, about what constitutes weakening, what constitutes back-dooring, that the government is still playing hard and fast on in the hope that, essentially, a big lie sticks.

“It is the worst form of a backdoor,” adds King. “It is a secret power to force companies to build all manner of backdoors to all sorts of systems to intrude directly onto a product or service that you are using or have bought. And it would tie the companies into being complicit into actively attacking their users.

“So rather than a backdoor that’s provided that then governments exclusively use, this is roping in the companies and deputizing them and even paying for their staff, there’s powers in the Code to remunerate businesses who have to hire new staff or build new technologies to ensure that they can hack their customers.”

King also asserts that older and much criticized encryption/decryption powers in extant UK legislation (the Regulation of Investigatory Powers Act 2000) have not been adjusted, changed or integrated into the new bill, despite government claims the IP bill would seek to gather all investigatory powers into one place to provide for a clear and transparent framework for the operation of state investigatory capabilities.

“The powers will continue to stand alone outside of this bill and all of the issues dealing with encryption that we’re talking about are new powers, new capabilities, new ways to force companies to undermine, weaken, backdoor their architecture, their systems, including the removal of encryption systems,” he adds.

“It’s a semantic game that’s being played here, about what constitutes weakening, what constitutes back-dooring, that the government is still playing hard and fast on in the hope that, essentially, a big lie sticks.”

TechCrunch has contacted the UK Home Office asking for clarification on the Investigatory Powers bill’s position vis-a-vis state-mandated backdoors. The department had not responded at the time of publication. We will update this story with any response.

TechCrunch: http://tcrn.ch/1ouEa7D

« CIOs Fear Fines From New EU Data Laws
27% Of Known Malware First Appeared In 2015 »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Global Knowledge Training

Global Knowledge Training

Global Knowledge is a worldwide leader in IT and business training, featuring Cisco, Microsoft, VMware, IBM, security, cloud computing, and project management.

Virgil Security

Virgil Security

Virgil Security provides easy-to-deploy and easy-to-use cryptographic software and services for use by developers and end-users.

Me Learning

Me Learning

Me Learning provides engaging, informative and clearly explained learning materials for complex and challenging professional environments in areas including GDPR and Information Governance.

mPrest

mPrest

mPrest is a global provider of mission-critical monitoring and control solutions for the defense, security, utility and Industrial Internet of Things (IoT) sectors.

Redborder

Redborder

Redborder is an Open Source network visibility, data analytics, and cybersecurity Big Data solution that is scalable up to the needs of enterprise networks and service providers.

Telelogos

Telelogos

Telelogos is a European provider of Enterprise Mobility Management software, Digital Signage software and Data Transfer and Synchronization software.

Blancco Technology Group

Blancco Technology Group

Blancco Technology Group is a leading global provider of mobile device diagnostics and secure data erasure solutions.

SevenShift

SevenShift

SevenShift is a security consulting firm with a wealth of experience in the worlds of Cybersecurity and Internet of Things (IoT).

Netlawgic Legal Services

Netlawgic Legal Services

Netlawgic is exclusively focused on delivering cyber law solutions to the industry. We provide our clients with specialized attention and problem solving in all aspects of cyber law.

Acceptto

Acceptto

Acceptto offers the first unified and continuous authentication identity access platform with No-Password.

Dynics

Dynics

The Dynics ICS-Defender is an Industrial Control System Security Appliance for OT or OT/IT convergent environments.

Josef Ressel Centre for Intelligent & Secure Industrial Automation

Josef Ressel Centre for Intelligent & Secure Industrial Automation

The Josef Ressel Centre for Intelligent and Secure Industrial Automation investigates the fundamentals of digital assistants for industrial machines that enable intelligent and secure operation.

Judy Security

Judy Security

Judy (formerly AaDya Security) provides smart, simple, effective, all-in-one cybersecurity for SMBs. Get the 24/7 protection and support you deserve, at a price you can afford.

Robust Intelligence

Robust Intelligence

Robust Intelligence enables enterprises to secure their AI transformation with an automated solution to protect against security and safety threats.

GoCloud Systems

GoCloud Systems

GoCloud is an IT consulting firm. We provide IT strategy and cloud adoption services to the New Zealand Government, Non-Profit Organisations and private industry.

PriorityZero

PriorityZero

PriorityZero is a European company focused on remote security assessments and consulting services that operates on a global scale.