Andrew Hewson, principal consultant at MTI Technology, asks if national security justifies new surveillance powers proposed by the Investigatory Powers Bill
The level of private data shared for intelligence purposes was universally exposed when Edward Snowden decided to reveal the extent of the US governments global surveillance programs in 2013.
Now, the Investigatory Powers Bill and continuous requests by the US government for access to the private data of companies, some in foreign countries, has brought the topic back into the limelight.
Statements from the Dutch government and more recently, the French government, appeared to kill off any discussions on built-in encryption weaknesses. This seemed to be a victory for data sovereignty, providing a snapshot of the sentiment in continental Europe to privacy. The UK, however, is still pushing ahead with plans to sanction the Investigatory Powers Bill currently under debate that could enforce companies to decrypt messages, when presented with a warrant.
The premise behind the Investigatory Powers Bill
This new draft bill signifies a digital shift in the surveillance powers of the UK government, by consolidating of a number of older acts into one.
The bill will require Internet service and communications providers to hold details of websites visited and time of the visits, for up to a year. The specific website viewed will not be disclosed however, unless there is a warrant.
Forcing these companies to retain this data, something that is not in practice in any other EU or Commonwealth country, will bring into question the security of this retained bulk of data. Some Internet service providers do not always encrypt the customer data they hold, making them vulnerable to external breaches – something that emerged from the recent TalkTalk hacking. This legislation could be putting these communication service providers at greater risk of breaches and data leaks.
The principle of end-to-end encryption as it stands means that no external parties, even the companies who operate WhatsApp and iMessage, have access to private messages. The change will force companies to provide unencrypted messages to law enforcement upon receiving a warrant.
In essence, this means that the encryption will have to be accessible by likes of Apple and Facebook, so that they are able to provide the messages when they are requested by law enforcement agencies. This expectation on companies to provide access to unencrypted messages will force them to utilise encryption methods that can un-scrambled.
The business issue is that communication services can no longer truly guarantee privacy in its services and its customers can never fully trust them. The security problem is that if the encryption is capable of being accessed by Apple and Facebook, it can also be accessed by more nefarious organisations such as terrorists and hackers. Once the encryption is weakened and can be deciphered, it is also readable to other outside entities.
Government directed hacking
The bill also legitimises certain instances of hackings that were prescribed in older legislations. Once a warrant presented and signed by a judge for ‘equipment interference’, companies will be forced to help law enforcement agencies to hack devices and more specifically, hack the accounts of their own customers.
The trust between customer and vendor will suffer the most if this becomes the law. Some businesses have already taken steps to remove themselves from the impact of this bill. Eris Industries and Ind.ie are just two companies who have chosen to move abroad before the bill has even passed through parliamentary debates.
Bringing surveillance into the 21st century
Commentators have reported that the likes of ISIS and other terrorist organisations utilise platforms such as WhatsApp and Telegram to communicate and coordinate. This highlights how far digital technologies have come in the last 10 years. As a result, government and legislators need to take the advancement of technology into consideration, when putting together bills aimed at combating terrorism and crime.
Targeted surveillance is the proposed answer, but at the cost of the targeted individual’s privacy. Under this legislation, thousands of such infringements may occur.
UK requesting foreign data and Safe Harbour 2.0
The Investigatory Powers Bill also proposes rights for the UK government to request data held outside of its geography. This would put the communication companies in a difficult position, stuck between the laws of two countries that contradict each other.
This is also reminiscent of discussions that arose following Safe Harbour, which discussed the legality of sharing private data to foreign nations. The renegotiated EU-US data sharing agreement, due to unveiled in February, also brings into question access to private citizen data for security purposes. The ongoing court case between the US federal government and Microsoft also brings to attention issues around private data. The federal government requested data from Microsoft stored in its datacentre in Ireland. It rightfully refused to hand the data over and the case is currently in the appeals court.
By conceding to the US government, Microsoft will surrender the private data of its customers, located in a foreign country. This precedent could enforce the sharing of data from countries like China – something the US would probably view as a matter of national security.
How much do you know about privacy? Try our quiz!