IP Bill gets approval from terror laws watchdog

David Anderson QC

David Anderson QC, the UK's anti-terror law watchdog, has given approval to the Investigatory Powers Bill (IPB) in a report titled ‘The Bulk Powers Review’.

In Anderson's 192-page report, he examines in detail a series of cases where GCHQ used bulk snooping on people's email, phone and internet use to save lives, and succeeded.

For this reason, the controversial law, which would see intelligence agencies given permission to monitor people's online activities, was approved by Anderson, who said there was a “proven operational case” for MI5, MI6 and GCHQ to continue their bulk collection of data.

Prime Minister Theresa May, who sparked the plans for the legislation in her time as Home Secretary, said the report “demonstrates how the bulk powers are of crucial importance.”

Commenting on the effects of the law, Kevin Bocek, chief security strategist at Venafi told SCMagazineUK.com: “The encryption debate has rumbled on for years and is now drawing to a crescendo that could result in the foundations of online trust being irreconcilably damaged. Our online world is predicated on a system of crypto-keys and digital certificates, which has formed the bedrock of secure communications for 20 years and the UK government is introducing the Snooper's Charter in order to force companies to break encryption and provide the contents of those encrypted communications.”

Bocek explains: “We have already seen examples of government overreach; whistleblower Edward Snowden lifted the veil on the NSA's activities (using a stolen key no less), and more recently the UK government was found to be spying on millions of its citizens. The fact is that governments are already over-stepping and gaining data on citizens, many of whom have committed no crime or infringement, without their knowledge or consent. And we don't know how far governments will reach. Will they demand real-time access to monitor transactions from banks? Or access to transport tracking systems?”

The report goes into details of how, in the wake of the Paris attacks last November, the spy agency MI5 was sifting through the emails and phone calls of 1,600 different targets to spot “further attack planning” across Europe.

The report also describes a terrorist cell which was primed to attack Britain last year. The attack was disrupted at the 11th hour after MI5 acquired intelligence, following the interception of emails and phone records by GCHQ, which allowed police to stop the plot “in the final hours before the planned attack”.

In another case study the report tells how during the Afghan campaign a 50-strong team at GCHQ mounted a massive operation to help the SAS rescue Western hostages held by the Taliban.

The spy agency sifted through a mass of communications data to find details of the armed group which held the hostages and then hacked their phones and emails “to gain insight into the group's intent”.

The report explained, “This work enabled GCHQ to locate the group, monitor it and establish the group's links with known terrorist networks.”

Brian Spector, CEO at MIRACL, told SC: “This kind of bulk data collection will weaken the very products and standards that we all use to protect ourselves. The same vulnerabilities used by intelligence agencies to spy on global citizens can also be used by criminals to steal your passwords. We either enable spying – by either governments or hackers – or we defend against it.

“Given that most people now place all their personal data online, the IP Bill would grant enormous surveillance capabilities to the government. If the legislation proceeds, it could undermine trust in the Internet as a whole, from service providers, to device manufacturers, to the apps we use as part of our everyday lives. But it also has serious implications for tech companies who, under the proposals, would be legally bound to help UK police and security services access an individual's device. In addition, any software made by a British company could soon be perceived to be facilitating government spying on its customer's data. This could make it much harder for British technology and information security companies to compete globally.”

Anderson's report comes after a debate about the IP Bill in the House of Lords.

During the committee stage of this House of Lords debate, the government highlighted the fact that the bill would allow it to ask companies to break their own end-to-end encryption.

Earl Howe, a minister for defence and the government's deputy leader within the House of Lords, reaffirmed to his fellow lords that the government must maintain the right to access private communications data, whether it's encrypted or not.

He spoke in response to several proposed amendments to the IP Bill which would limit the government's ability to remove encryption, the issue at the heart of the debate.

He told the upper chamber, “I have to say that they are irresponsible proposals, which would remove the Government's ability to give a technical capability notice to telecommunications operators requiring them to remove encryption from the communications of criminals, terrorists and foreign spies.”

The House of Lords debate followed the IP Bill being approved by most MPs in the UK House of Commons in June, in a vote of 444 to 69 in favour. Most Labour MPs who had appeared to be against the bill voted in favour of it. The Scottish National Party (SNP) voted against it on privacy and civil rights grounds.

Javvad Malik, security advocate at AlienVault told SC, “The IP Bill discussion is often framed as an ‘us’ vs ‘them’ argument. But as we discuss in our report ‘Privacy, the Feds, and Governments Surveillance’ it appears that many agree on the intent (62 percent of security professionals supported governments being able to legally intercept communications relating to suspected terrorism and 41 percent would support the interception of those related to criminal activity).

“The areas of contention stem around the ‘how’ with many citing proposed bills underestimate the impact certain aspects could have to technology deployments, leaving the general public more exposed than before. The second aspect is the lack of confidence that governments have the ability to adhere to the accountability controls put in place to ensure the powers are only used appropriately.

“Impact to the business is an interesting area worth exploring. Encryption being the largest source of controversy, particularly where the service provider doesn't have the key. The scope of the bill is vague and can be interpreted to cover any business that operates a public or private network. ISPs / telecoms providers will face the brunt of the bill and will have to field warrants, install new equipment, update technical capabilities, and provide search capabilities.

“Similarly, cloud service providers will fall under the same umbrella. This includes social media platforms like Twitter or Facebook. In fact, any online business – even ones that aren't explicitly telecoms providers – can be treated as such and required to comply with data intercept requests. For example, online commerce websites which also provide a facility for customers to communicate with each other, e.g. eBay, can be treated as a telecoms provider. As the bill comes into force and we start seeing implementations of it, or challenges are made in court, we'll begin to see and understand the full impact of it.”

Leo Taddeo, chief security officer at Cryptzone told SC: “The government's power to conduct bulk interference of computers and smart phones over large geographic areas should raise concerns for cyber-security professionals. Since it's hard to predict how a system will behave under the stress of the interference, there may be unforeseen degradation of critical security features. This highlights the need for private sector companies to work closely with government security agencies to ensure no unintended security vulnerabilities are created by these programs.”