Many security commentators reacted strongly to UK Prime Minister David Cameron’s stated desire to ensure that there could be “no safe place” on the internet for terrorists and criminals.
Mandatory back doors, front doors, skeleton keys or whatever you choose to call the more intrusive forms of lawful intercept could never be made 100% secure, resulting in the law-abiding public being put at risk. And open source encryption tools freely available on the internet make it trivial to bypass all but the most draconian controls.
With no sign of the UK Government retreating from the rhetoric, the recently published draft Investigatory Powers Bill was awaited with interest. In the run-up, The Telegraph published apocalyptic predictions of its impact, tweeted to his million-and-a-half followers by Edward Snowden.
— Edward Snowden (@Snowden) November 2, 2015
Having spent just a few hours studying the draft Bill my conclusion is that whilst there are areas of concern, it bears little resemblance to many of the more alarmist predictions.
There is no wholesale onslaught on encryption, it includes the very welcome introduction of judicial oversight, and it rationalises a whole rag-tag collection of dated legislation. There’s no way that David Cameron can claim that it achieves his stated objective, but don’t tell him I said that!
Press coverage since publication has focussed almost exclusively on Part 4 of the draft Bill, covering Retention of Communications Data. This, in particular, seems to be what has attracted the appellation of “snooper’s charter”.
It does indeed allow for the collection of Internet Connection Records (ICRs) by Communication Service Providers (CSPs), but these are strictly limited to the IP addresses or domain names of the endpoints of a communication. So if I browse to bbc.co.uk, that would be recorded, but not whether I was looking for programme listings, the news or the weather.
Specifically, anything following the slash after the domain name, as well as all content, cookies and browser or webpage metadata, is excluded. In the case of an https connection these would in any case be invisible to the CSP, which sees only the IP addresses and the domain name (from the DNS lookup and the opening of the TLS handshake).
If a youth on his way to radicalisation visits a known terrorist website, this could be picked up. And it would be picked up equally if he were to visit a porn site. But if his new-found hero chooses to hang out amongst boring bloggers at bloggingsite.com/incendiarypreacher, this will ring no alarm bells at all.
The draft Bill provides the power to require CSPs to retain data, but a warrant with judicial oversight is required before that data can be handed over, or for a CSP to assist in targeted interception.
Warrants are required for other forms of bulk data collection and also for the examination of data so collected.
Retention of ICRs is limited to 12 months, after which they must be irretrievably destroyed. Furthermore, procedural and technical controls must be applied to limit access to ICRs to the extent and number of staff strictly necessary.
Special protections are provided for certain professions such as journalists, whose need to protect their sources is recognised.
I’m not saying (as Home Secretary Theresa May has tried to assert) that this is no more intrusive than an itemised phone bill. The number of websites I visit in a day far exceeds the number of phone calls I make, and it’s possible that inferences could rightly or wrongly be drawn from the pattern.
Amongst the Guide to Powers and Safeguards (which precedes the formal draft Bill itself) examples are given of how ICRs would be “invaluable to law enforcement”. Some of these seem hardly credible. One example suggests that it might be useful to know that an individual had used mapping services.
Many of us use mapping services all the time, and there would be no indication in the ICRs whether a subject was familiarising himself with the layout of 10 Downing St for nefarious ends, or the geography of his forthcoming holiday destination for his own personal enjoyment.
It seems to me that the case for collecting ICRs has not been convincingly clinched. If there is indeed a case (and the spooks are famously reluctant to discuss anything about their methods), then it could be made more palatable by reducing the retention time to six, or even just three months. I suspect that the events on the path of a disillusioned youth’s journey into radicalisation are often swift and ephemeral, and that it may often take much less than a year to turn the corner.
The costs to an ISP of storing 12 months’ communications data may not be insignificant, and the implication is that these costs must be borne by the ISP. No doubt they would have to be passed on to users. There is at least a requirement for “feasibility and any other impact” (presumably including cost) to be considered.
But would it not be better to require the authorities to pay CSPs for access as and when they used it? At least this would encourage them to look closely at the need, rather than simply requesting data just because they could.
One concern with this part of the draft Bill is that there is no tight definition of a CSP. It obviously includes ISPs, but does it extend to VPN providers, or to Skype, Facebook, messaging apps and email services, all of which provide communications services? If so, few of these might wish to operate from the UK.
The draft Bill recognises the limitations of its jurisdiction. Extra-territorial entities are required to “have regard to” its requirements but cannot be compelled to comply.
So much for Retention of Data, but why I really wanted to examine the draft Bill was to see what it said about encryption, and how this matched up to some of the predictions. What I found was - wait for it - almost nothing!
Reassuringly, the Guide to Powers and Safeguards clearly states that there will be no additional requirements in relation to encryption beyond those in the existing RIPA legislation, which it defines as requiring CSPs “to maintain permanent interception capabilities, including maintaining the ability to remove any encryption applied by the CSP”.
So if you access a website with https or use a VPN, then the encryption is not applied by the CSP, and there is nothing in the draft Bill to say you shouldn’t do so and no requirement for the CSP to attempt to crack the encryption with a man-in-the-middle or any other kind of attack. The qualifier “applied by the CSP” is the one to watch: encryption a provider terminates on its own servers (a webmail or messaging service it runs itself, for instance) is encryption the provider applies, and so falls squarely within that wording.
Once again the imprecise definition of a CSP does introduce some uncertainty. CSPs (and I presume not necessarily just ISPs) are only required to “maintain” their interception capability, including the ability to remove encryption they themselves apply. Lawyers might differ but to my mind this doesn’t include developing any new capability. But it’s unclear whether a developer would be obliged to build in such a capability in creating a new service or a new app. If so, this would make the UK an unattractive place for anyone to offer secure communications services.
When it comes to encryption it would seem that those with technical input to the draft Bill were a little less clueless about the subject than some of our politicians appear to be. If they really thought they had some smart guys in GCHQ who could effectively uninvent encryption if they tried hard enough, I would have suggested they first of all apply their minds to uninventing nuclear weapons.
But the smart way to defeat encryption is not to crack it but to bypass it, and this seems to be an objective of Part 5 of the draft Bill.
“Equipment Interference” is one of the spookier sections, covering a range of covert operations such as hacking into a subject’s computer, allowing access to messages and data before encryption or after decryption. It would be naive to think that this has not been going on all along, but it’s reassuring that it now becomes subject to proper regulation and judicial oversight.
Earlier this year it was alleged that GCHQ was implicated in a massive theft of SIM card authentication keys from Dutch firm Gemalto. If true, this is simply not the sort of thing you expect from the nation that invented cricket!
The legal basis would probably have been the Intelligence Services Act 1994. This provides for a warrant to be issued by the Secretary of State authorising the Security Services to perform actions that would otherwise be illegal. As such it’s incredibly broad. There is at least some hope that a warrant under the draft Bill for an action similar to the Gemalto breach would come under the critical eye of a cricket-loving judge!
Parts 6 and 7 of the draft Bill cover bulk warrants for interception, data acquisition, equipment interference and personal data. These too are spooky but they are undoubtedly nothing new. Whatever your view of them, it’s got to be an improvement if they are brought out of the shadows, properly codified and made subject to judicial review.
In conclusion, it seems to me that in some form at least, this draft Bill needs to become law. The area is currently governed by a jumble of legislation, no longer fit for purpose in the connected world we live in. Let the politicians and activists fight it out over Data Retention - we need the rest.
In a sense, perhaps it does mean after all that there is no safe place for criminals and terrorists. This is not because we will be able to read all their secret communications but because, as has always been the case, they have to ensure that their operational security (OpSec) is perfect.
Intelligence gathering is not meant to be easy. It’s only easy in the sort of state where your every friend and colleague might be an informer, and then it’s always corrupt and unreliable. In a democracy, the spooks have to work hard for their intelligence. They can’t expect it on a plate delivered by a skeleton key.
The UK government has always claimed that the oversight of its security services is second to none in the world. I believe this draft Bill is an opportunity to ensure that really is the case and remains so.
Do you agree with Philip Le Riche’s assessment of the draft bill? Leave a comment below sharing your opinion.