UK Surveillance Powers Bill Could Force Startups To Build In Backdoors

Uploaded on 2016-04-06 in NEWS-Cybersecurity News, GOVERNMENT-National, FREE TO VIEW, BUSINESS-Services-Law

 

While the Apple vs FBI court battle has drawn all eyes to the question of what should be considered ‘reasonable assistance’ for companies to provide law enforcement agencies, over in the UK the government is attempting to enshrine in law surveillance capabilities that would enable state agencies to compel even very small startups to build insecurities into their systems in order to be able to hack users on demand.

And the kicker is there would be no chance for companies compelled to do this to go public with the request, as Apple has done in the FBI instance, or even for them to be upfront with their users that they are being forced to compromise their privacy. The proposed legislation would require non-disclosure of any such state-enforced actions that companies are compelled to take.

“Any person to whom a technical capability notice is given, or any person employed or engaged for the purposes of that person’s business, is under a duty not to disclose the existence and contents of that notice to any person,” a Code of Practice on the proposed investigatory power notes.

The draft legislation is currently before parliament so is not yet law. However it is the government’s intention to drive the Investigatory Powers bill through parliament and onto the statute books by the end of this year, when other data retention powers are due to be sunsetted, leaving only a very short time frame for parliamentarians to scrutinize what is a highly complex and technical piece of legislation that extends to more than 250 pages, with a substantial clutch of attendant documents — including multiple highly detailed Codes of Practice for the various powers set out in the bill.

It is the worst form of a backdoor. It is a secret power to force companies to build all manner of backdoors to all sorts of systems to intrude directly onto a product or service that you are using or have bought.

In a draft Code of Practice on Equipment Interference (EQ), published earlier this month at the same time as the full bill, a section dryly entitled Maintenance of a technical capability notes that communication service providers (CSPs) may be required to “provide a technical capability to give effect to interception, equipment interference, bulk acquisition warrants or communications data acquisition authorisations”.

To be clear, CSPs means any Internet or phone company. So technology startups fall squarely into this bucket.

“The purpose of maintaining a technical capability is to ensure that, when a warrant is served, companies can give effect to it securely and quickly,” the EQ Code of Practice adds. “Small companies (with under 10,000 users) will not be obligated to provide a permanent technical capability, although they may be obligated to give effect to a warrant.”

So, in plain English, the provision provides for sweeping state powers to co-opt all but the tiniest of startups and technology platforms as surveillance entities, and does so with a power to compel them to pre-bake weaknesses into their systems on-demand.

Surely, then, the very definition of a ‘backdoor’, despite earlier government claims the legislation is not asking for backdoors (or demanding encryption keys). Of course state agencies would not need to ask for encryption keys if the law requires companies to have already perforated their security systems in order to afford the same agencies access to customer data on demand and in secret.

“Hacking powers have been broadened,” says Eric King, deputy director of humans rights group Privacy International, discussing the version of the bill now before parliament. “ICRs [Internet Connection Records, aka web browsing records on all users that ISPs would be forced to retain for a year] have been broadened.

“Issues around how they can force companies to hack have been explicitly confirmed now. But only now, robbing previous committees from being able to consider them and robbing companies and NGOs from being able to respond in a timely manner to those sorts of concerns.”

An earlier version of the bill was looked at by three government committees, all of which expressed substantial concerns, including the Security and Intelligence Committee slamming the draft bill for lacking clarity and for failing to enshrine privacy protections or provide adequately targeted surveillance measures.

King says the overwhelmingly majority of the changes the government has made to the draft legislation in response to the committee reports are “cosmetic”.

“In some circumstances, when undertaking a clarification, they’ve actually expanded the authority in the bill, so this seems to have been an exercise in ‘keep vague’, at an early stage, have a whole host of academics, NGOs, companies raise concerns about that lack of clarity, but keep it vague so that only at the very last minute, i.e. now, will they actually clarify those 200-odd issues. But they clarify each and every one of them in a way that confirms the worst fears of the lack of clarity expressed earlier,” he tells TechCrunch.

On EQ (aka state-compelled hacking of devices/systems), King says the sheer scale of the proposals are staggering, noting that the bill now affords domestic law enforcement, as well as security agencies, access to hugely intrusive capabilities to hack into systems.

“They built in systems that would force companies who have more than 10,000 users — which for a startup ten years ago used to be a hard thing, now you can quite quickly collect 10,000 users no problem — so it’s a very low threshold. They can serve a permanent notice to require you to bake into your product a technical capability that would allow you to then hack any one of your customers,” he says.

“And when law enforcement then later come along and say we want you to hack this customer, they’ve already forced the company to build the system to do that. So this essentially gets around the problem that’s being faced in the US with Apple and the FBI, where Apple built the security in and now the FBI are saying we want you to undo that.

“Here Britain’s taking a different approach, they’re saying, right from this point onwards we’re going to start ordering companies to build in this capability to hack your systems so that we never have to have this problem. But unlike in the US where Apple are able to openly discuss this, in all of the circumstances in the UK these companies would be gagged from talking about it. They’d be prohibited from going to the press, from informing their users, from having an open court hearing where the press could report.”

It’s a semantic game that’s being played here, about what constitutes weakening, what constitutes back-dooring, that the government is still playing hard and fast on in the hope that, essentially, a big lie sticks.

“It is the worst form of a backdoor,” adds King. “It is a secret power to force companies to build all manner of backdoors to all sorts of systems to intrude directly onto a product or service that you are using or have bought. And it would tie the companies into being complicit into actively attacking their users.

“So rather than a backdoor that’s provided that then governments exclusively use, this is roping in the companies and deputizing them and even paying for their staff, there’s powers in the Code to remunerate businesses who have to hire new staff or build new technologies to ensure that they can hack their customers.”

King also asserts that older and much criticized encryption/decryption powers in extant UK legislation (the Regulation of Investigatory Powers Act 2000) have not been adjusted, changed or integrated into the new bill, despite government claims the IP bill would seek to gather all investigatory powers into one place to provide for a clear and transparent framework for the operation of state investigatory capabilities.

“The powers will continue to stand alone outside of this bill and all of the issues dealing with encryption that we’re talking about are new powers, new capabilities, new ways to force companies to undermine, weaken, backdoor their architecture, their systems, including the removal of encryption systems,” he adds.

“It’s a semantic game that’s being played here, about what constitutes weakening, what constitutes back-dooring, that the government is still playing hard and fast on in the hope that, essentially, a big lie sticks.”

TechCrunch has contacted the UK Home Office asking for clarification on the Investigatory Powers bill’s position vis-a-vis state-mandated backdoors. The department had not responded at the time of publication. We will update this story with any response.

TechCrunch: http://tcrn.ch/1ouEa7D

« CIOs Fear Fines From New EU Data Laws
27% Of Known Malware First Appeared In 2015 »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Marsh

Marsh

Marsh is a global leader in insurance broking and risk management and has been a leader in combatting cyber threats since their emergence.

IBackup

IBackup

IBackup is a Web Based Online Backup service provider.

AppSec Labs

AppSec Labs

AppSec Labs specialise in application security. Our mission is to raise awareness in the software development world to the importance of integrating software security across the development lifecycle.

DCIT

DCIT

DCIT is a specialist in providing comprehensive consulting and auditing services in the field of information technology, PROVYS development software and security system AuditSquare.

SGCyberSecurity

SGCyberSecurity

SGCyberSecurity is Singapore's No.1 Cyber Security portal. From this platform, you will be able to find useful articles, resources and connect with the security companies for your business needs.

NSO Group

NSO Group

NSO Group develops technology that enables government intelligence and law enforcement agencies to prevent and investigate terrorism and crime.

DataCloak

DataCloak

DataCloak is an innovation company that focus on providing enterprise data-in-motion security solutions based on zero-trust security technology.

CoverWallet

CoverWallet

CoverWallet combines deep analytics, thoughtful design and state of the art technology to help small businesses with all their insurance needs including Cyber Liability.

spriteCloud

spriteCloud

spriteCloud is an independent software testing, test automation and cybersecurity services provider.

Visible Statement

Visible Statement

Visible Statement is a computer-based delivery system designed to insure the retention and recall of your most important security training messages.

Whistic

Whistic

Whistic is a cloud-based platform that uses a unique approach to address the challenges of third-party risk management.

Nassec

Nassec

Nassec is a Cyber Security firm dedicated to providing the best vulnerability management solutions. We offer tailor-made cyber security solutions based upon your requirements and nature of business.

Lavabit

Lavabit

Lavabit's Dark Internet Mail Environment is a secure, open-source, secure end-to-end communications platform for asynchronous messaging across the internet.

Allot

Allot

Allot are a global provider of leading innovative network intelligence and security solutions for Service Providers and Enterprises worldwide.

Hexagon

Hexagon

Hexagon is a global leader in digital reality solutions. We are putting data to work to boost efficiency, productivity, quality and safety.

ZeroGPT

ZeroGPT

ZeroGPT.com stands at the forefront of AI detection tools, specializing in the precise identification of ChatGPT-generated text.