It is viewed by some as the most extreme surveillance programme of any developed Western nation, yet the Investigatory Powers (IP) Act passed into law in November 2016. The Act sets out plans for internet providers to keep complete records of every website their customers visit.
It also gives surveillance agencies the ability to force companies to help hack into phones. This is in addition to powers that will apparently allow the government to bypass encryption.
Experts agree the Act will have huge implications for data security, and it has therefore met strong opposition. Perhaps the biggest concern is around bulk powers allowing public authorities to access large quantities of data for specified purposes.
So deep is the concern that in December last year, the European Court of Justice ruled the UK government's “general and indiscriminate retention” of emails illegal. In addition, human rights group Liberty has launched a crowd-funded legal campaign against the Act.
However, on the other side of the debate, the government says the IP Act provides much needed transparency into surveillance services and is required to cope with the increasingly complex nature of terrorism.
Martin Hoskins, leader of the Grant Thornton privacy practice, served as a specialist adviser to the joint committee on the draft Bill. He says the IP Act will provide law enforcement with better tools to investigate crimes.
Hoskins says it's wrong to say the Act gives surveillance agencies "new” powers to hack into phones. “These powers have existed – and have been used – for many years. What the Act does is make the surveillance agencies more accountable to the commissioners, who have greater powers to audit what they are doing. This provides a greater level of public reassurance over the actions of surveillance agencies.”
Therefore, he says, the IP Act makes what the surveillance agencies do more transparent. “Let's not be naive and think the British surveillance agencies are the only ones doing this stuff,” he tells SC Media UK.
“Every surveillance agency does this – or tries to do it – even the French and the Germans. The difference, though, is that the Brits are more open about it because they are confident they can adequately control what their surveillance agencies can do.”
But many experts think the risks of the IP Act outweigh the benefits. Tirath Bansal, founder of MyOrb and the pro-privacy campaign #Stop2084 calls the Act an “Orwellian surveillance regime”, adding: “It means the state can access your data from your smart home and smart car, and anywhere else where we use technology. Trust and safety will no longer be possible for business owners and their customers.”
Under the Act, providers have to retain large amounts of data for 12 months. This requirement will have the biggest impact on everyone in the UK, according to John Shaw, VP product management at Sophos. He points out that this includes browsing history as well as communications such as voice calls or data transfer from one business application to another.
The intention is to protect citizens from criminals, but these large amounts of sensitive information will also provide an attractive target for hackers. Shaw says: “They could find out who you bank with, who your suppliers are, and who your employees are. Armed with that data, we know criminals can cause a lot of damage.”
In fact, even some members of the surveillance community disagree with the IP Act's approach. Among these is former NSA technical director William Binney, who is quoted as saying this type of mass surveillance programme is misguided because by collecting too much information, the agencies are unable to spot potential attacks. He and others instead advocate targeted information collecting to perform the surveillance required to catch criminals.
Taking this into account, Loz Kaye, co-founder of Open Intelligence Think Tank says the Investigatory Powers Act “throws up real challenges” for UK businesses. He explains: “Most directly, ISPs and communications providers face potentially disruptive new obligations. This is not just a question of storage of data and its protection, but also staffing, training and increased liabilities.”
Although the large ISPs will be able to absorb costs, Kaye points out it creates an uncertain picture for smaller providers.
Another major issue is the apparent powers that will allow the government to bypass encryption. Section 217 obliges communications providers to let the government know in advance of new products and services and the state is also able to ask for changes to software and systems. Some experts say this could include the creation of a backdoor into systems.
Whether surveillance agencies will go as far as to ask for a backdoor is not clear within the Bill itself, Shaw says. “last year, the prime minister said the government would not ask for backdoors; now it doesn't say either way. It is clear they can ask the communications service provider to decrypt when asked to. Some people think they will ask for a backdoor, but I think that's paranoid.”
But Hoskins says the encryption debate, and whether the surveillance agencies will demand backdoors, is “pretty futile”. “Whether people like it or not, there is such a thing as the lawful interception of communications, and this is an incredibly good investigative tool,” he says.
Even so, many experts think the IP Act will stifle innovation among security companies. “Essentially, it says that if you are going to produce a product or service that goes against the Investigatory Powers Act you must inform the government,” says Jamal Elmellas, chief technology officer at Auriga Consulting. “So if you are a vendor developing a new encryption product, you have to notify them. Why would I bother making an innovative security product if I have to hand over the details to the government?”
The nature of the government's ‘technical capability notice' enabling it to influence products and services is “quite vague”, according to Mark O'Halloran, partner, head of commercial services at Coffin Mew Solicitors.
But it also comes with a ‘secrecy notice' attached – so firms cannot let the request be known. “The concern of the capability notice is it could direct how the product is developed and therefore reduce security,” he warns.
Meanwhile, adding to the risks, according to Kevin Bocek, chief cyber-security strategist at Venafi, forcing legitimate companies into surveillance programmes creates blueprints for new attacks. “Take Stuxnet, for example: The US government exploited the blind trust of Windows to accept digital certificates. Soon cyber-criminals began creating malware authorised with stolen digital certificates. Today, the malicious use of certificates is commonplace.”
Because weakened security goes against the very nature of technology firms, many point to the chance of a ‘test case' where a vendor might refuse a government agency request.
Several experts cite the example of the Apple case last year in the US, which saw the technology firm refuse to unlock its iPhone device for the FBI due to the security weaknesses that would arise as a result. Apple showed that large software and hardware vendors can say “no”, says Elmellas. “But in the UK, the commissioner will ask firms to give access to encryption keys, or will say the company can't operate in this country,” he warns.
Even so, this approach could anger global vendors, he says. “For example, what would happen if [Israeli firm] Check Point was asked to either build a backdoor or release their data in transit so it can be read? You will get organisations saying, ‘your legislation covers the UK – and my customers are from Denmark', for example. Why would they let the UK look at Danish people's data?”
Another major concern is the range of public bodies that have rights under the IP Act, including the NHS, Department for Work and Pensions and even the Food Standards Agency.
O'Halloran predicts this information could be used to investigate citizens who are fraudulently claiming benefits, rather than the more major crimes outlined in the Act.
In the more distant future, says Elmellas, bulk data collection could even see algorithms used to discern from someone's browsing history that they are likely to commit a crime.
For now, it is down to businesses and citizens to ensure they are secure. David Emm, principal security researcher, Kaspersky Lab, advises: “If you are sending data anywhere, you need to to encrypt it yourself. You need to take responsibility in much the same way as if you outsource to the cloud, taking sensitive data and encrypting it.”
Businesses should also ensure they are using a VPN when connecting to unsecured Wi-Fi such as when working from a coffee shop, says Shaw. For example: “When a user is in a café in the UK on an open wireless connection, should they be a little more concerned that the government can see what they are doing? People should make sure they are making use of a VPN and ensuring what they are doing is not readable to a third party.”
Two-factor authentication is important to make it harder for hackers to access customer data, says Shaw, although he concedes: “These are things that companies should be doing anyway.”With the risk growing bigger all the time, the need for security will apply to the government too. Elmellas says: “Wherever they manage this from, the government will have to ensure they maintain their in-depth vetting process and incredibly robust security, including their equipment and security architecture which is open to today's very capable hackers.”