UK Surveillance Powers Bill Could Force Startups To Build In Backdoors

 

While the Apple vs FBI court battle has drawn all eyes to the question of what should be considered ‘reasonable assistance’ for companies to provide law enforcement agencies, over in the UK the government is attempting to enshrine in law surveillance capabilities that would enable state agencies to compel even very small startups to build insecurities into their systems in order to be able to hack users on demand.

And the kicker is there would be no chance for companies compelled to do this to go public with the request, as Apple has done in the FBI instance, or even for them to be upfront with their users that they are being forced to compromise their privacy. The proposed legislation would require non-disclosure of any such state-enforced actions that companies are compelled to take.

“Any person to whom a technical capability notice is given, or any person employed or engaged for the purposes of that person’s business, is under a duty not to disclose the existence and contents of that notice to any person,” a Code of Practice on the proposed investigatory power notes.

The draft legislation is currently before parliament so is not yet law. However it is the government’s intention to drive the Investigatory Powers bill through parliament and onto the statute books by the end of this year, when other data retention powers are due to be sunsetted, leaving only a very short time frame for parliamentarians to scrutinize what is a highly complex and technical piece of legislation that extends to more than 250 pages, with a substantial clutch of attendant documents — including multiple highly detailed Codes of Practice for the various powers set out in the bill.

It is the worst form of a backdoor. It is a secret power to force companies to build all manner of backdoors to all sorts of systems to intrude directly onto a product or service that you are using or have bought.

In a draft Code of Practice on Equipment Interference (EQ), published earlier this month at the same time as the full bill, a section dryly entitled Maintenance of a technical capability notes that communication service providers (CSPs) may be required to “provide a technical capability to give effect to interception, equipment interference, bulk acquisition warrants or communications data acquisition authorisations”.

To be clear, CSPs means any Internet or phone company. So technology startups fall squarely into this bucket.

“The purpose of maintaining a technical capability is to ensure that, when a warrant is served, companies can give effect to it securely and quickly,” the EQ Code of Practice adds. “Small companies (with under 10,000 users) will not be obligated to provide a permanent technical capability, although they may be obligated to give effect to a warrant.”

So, in plain English, the provision provides for sweeping state powers to co-opt all but the tiniest of startups and technology platforms as surveillance entities, and does so with a power to compel them to pre-bake weaknesses into their systems on-demand.

Surely, then, the very definition of a ‘backdoor’, despite earlier government claims the legislation is not asking for backdoors (or demanding encryption keys). Of course state agencies would not need to ask for encryption keys if the law requires companies to have already perforated their security systems in order to afford the same agencies access to customer data on demand and in secret.

“Hacking powers have been broadened,” says Eric King, deputy director of humans rights group Privacy International, discussing the version of the bill now before parliament. “ICRs [Internet Connection Records, aka web browsing records on all users that ISPs would be forced to retain for a year] have been broadened.

“Issues around how they can force companies to hack have been explicitly confirmed now. But only now, robbing previous committees from being able to consider them and robbing companies and NGOs from being able to respond in a timely manner to those sorts of concerns.”

An earlier version of the bill was looked at by three government committees, all of which expressed substantial concerns, including the Security and Intelligence Committee slamming the draft bill for lacking clarity and for failing to enshrine privacy protections or provide adequately targeted surveillance measures.

King says the overwhelmingly majority of the changes the government has made to the draft legislation in response to the committee reports are “cosmetic”.

“In some circumstances, when undertaking a clarification, they’ve actually expanded the authority in the bill, so this seems to have been an exercise in ‘keep vague’, at an early stage, have a whole host of academics, NGOs, companies raise concerns about that lack of clarity, but keep it vague so that only at the very last minute, i.e. now, will they actually clarify those 200-odd issues. But they clarify each and every one of them in a way that confirms the worst fears of the lack of clarity expressed earlier,” he tells TechCrunch.

On EQ (aka state-compelled hacking of devices/systems), King says the sheer scale of the proposals are staggering, noting that the bill now affords domestic law enforcement, as well as security agencies, access to hugely intrusive capabilities to hack into systems.

“They built in systems that would force companies who have more than 10,000 users — which for a startup ten years ago used to be a hard thing, now you can quite quickly collect 10,000 users no problem — so it’s a very low threshold. They can serve a permanent notice to require you to bake into your product a technical capability that would allow you to then hack any one of your customers,” he says.

“And when law enforcement then later come along and say we want you to hack this customer, they’ve already forced the company to build the system to do that. So this essentially gets around the problem that’s being faced in the US with Apple and the FBI, where Apple built the security in and now the FBI are saying we want you to undo that.

“Here Britain’s taking a different approach, they’re saying, right from this point onwards we’re going to start ordering companies to build in this capability to hack your systems so that we never have to have this problem. But unlike in the US where Apple are able to openly discuss this, in all of the circumstances in the UK these companies would be gagged from talking about it. They’d be prohibited from going to the press, from informing their users, from having an open court hearing where the press could report.”

It’s a semantic game that’s being played here, about what constitutes weakening, what constitutes back-dooring, that the government is still playing hard and fast on in the hope that, essentially, a big lie sticks.

“It is the worst form of a backdoor,” adds King. “It is a secret power to force companies to build all manner of backdoors to all sorts of systems to intrude directly onto a product or service that you are using or have bought. And it would tie the companies into being complicit into actively attacking their users.

“So rather than a backdoor that’s provided that then governments exclusively use, this is roping in the companies and deputizing them and even paying for their staff, there’s powers in the Code to remunerate businesses who have to hire new staff or build new technologies to ensure that they can hack their customers.”

King also asserts that older and much criticized encryption/decryption powers in extant UK legislation (the Regulation of Investigatory Powers Act 2000) have not been adjusted, changed or integrated into the new bill, despite government claims the IP bill would seek to gather all investigatory powers into one place to provide for a clear and transparent framework for the operation of state investigatory capabilities.

“The powers will continue to stand alone outside of this bill and all of the issues dealing with encryption that we’re talking about are new powers, new capabilities, new ways to force companies to undermine, weaken, backdoor their architecture, their systems, including the removal of encryption systems,” he adds.

“It’s a semantic game that’s being played here, about what constitutes weakening, what constitutes back-dooring, that the government is still playing hard and fast on in the hope that, essentially, a big lie sticks.”

TechCrunch has contacted the UK Home Office asking for clarification on the Investigatory Powers bill’s position vis-a-vis state-mandated backdoors. The department had not responded at the time of publication. We will update this story with any response.

TechCrunch: http://tcrn.ch/1ouEa7D

« CIOs Fear Fines From New EU Data Laws
27% Of Known Malware First Appeared In 2015 »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Link11 GmbH

Link11 GmbH

Link11 provides DDoS protection solutions to protect websites and complete server infrastructures from DDoS attacks.

Towergate Insurance

Towergate Insurance

Towergate Insurance is a leading UK specialist insurance broker. Business products include Cyber Liability Insurance.

7 Elements

7 Elements

7 Elements is an independent IT security testing company providing expertise in technical information assurance through security testing, incident response and consultancy.

SEPPmail

SEPPmail

SEPPmail is a patented e-mail encryption solution to secure your electronic communication.

Digital Innovation Hub Slovenia (DIH)

Digital Innovation Hub Slovenia (DIH)

DIH Slovenia is a central hub providing services to grow digital competencies in areas including robotics, IoT, cyberphysical systems and cybersecurity.

Ten Eleven Ventures

Ten Eleven Ventures

Ten Eleven is a specialized venture capital firm exclusively dedicated to helping cybersecurity companies thrive.

Quintillion Consulting

Quintillion Consulting

Quintillion Consulting is a strategic risk based consulting firm. We help companies safeguard the core business and IT capabilities that deliver competitive advantage.

AlJammaz Technologies

AlJammaz Technologies

AlJammaz Technologies is the leading Technology Value-Added Distributor, which distributes advanced technology products, solutions and services in area including networking and cybersecurity.

Periculus

Periculus

Periculus makes managing digital risk simple. Its integrated platform offers access to purchase cyber insurance and cyber security solutions uniquely tailored to fit the needs of every business.

Encova Insurance

Encova Insurance

Encova’s cyber liability coverage protects you and your customers in case of a security breach in your company's data.

Synoptek

Synoptek

Synoptek is a global systems integrator and managed IT services provider (MSP). We offer comprehensive IT management and consultancy services to organizations worldwide.

DC Two

DC Two

DC Two are a locally operated and supported Australian data centre, offering a suite of vertically integrated services covering every part of the data centre and cloud technology stack.

Red Helix

Red Helix

Red Helix (formerly Phoenix Datacom) is a market leader in network performance and cyber security.

Frontier Technology Inc. (FTI)

Frontier Technology Inc. (FTI)

Frontier Technology Inc provides the technology and deep data expertise to drive the best defense and intelligence solutions.

Metrics that Matter (MTM)

Metrics that Matter (MTM)

Metrics that Matter redefines how organizations approach cybersecurity by offering unprecedented insight into the value of their assets to criminals and tailored action plans to protect.

INT3L

INT3L

The INT3L group (formerly Defentek) is a provider of national security and intelligence solutions, systems and services.