Security and Privacy Experts Slam ‘Snooper’s Charter II’

The draft Investigatory Powers Bill has finally been announced by home secretary Theresa May, requiring telcos to store web records for 12 months, authorizing bulk collection of UK data, and appearing to sign the death warrant for end-to-end encryption services in the country.

The long awaited sequel to the ‘Snooper’s Charter’—voted down by coalition partners the Lib Dems last time around—is already set to be hugely controversial.

It articulates for the first time in law the powers for bulk collection of personal data by the state first revealed in secret documents made public by NSA whistleblower Edward Snowden.

The draft bill also authorizes publicly for the first time police and intelligence agencies to hack into and bug phones and computers.

It requires ISPs and the like to retain the browsing history of UK users for 12 months, although just the website and not the specific pages. For the latter, police and intelligence officers would need a warrant.

And it seems to suggest an effective ban on end-to-end encryption, by clarifying the law as per the Regulation of Investigatory Powers Act (RIPA) in the following paragraph:

“RIPA requires CSPs to provide communications data when served with a notice, to assist in giving effect to interception warrants, and to maintain permanent interception capabilities, including maintaining the ability to remove any encryption applied by the CSP to whom the notice relates.”

May argued that the bill would provide “world leading oversight” of the powers of state snoopers.

Specifically, it gives a panel of seven judicial commissioners the power of veto over ministerial authorization of intercept warrants in a so-called “double lock,” although exemptions are allowed in “urgent cases” of up to five days.

Police would also not be able to access a journalist’s sources without a warrant from a judge.

As for foreign internet service providers, they would be required to assist in bypassing end-to-end encryption and enabling access to specific data requests, but not in the collection of bulk communications data.

The bill unsurprisingly has privacy activists concerned.

Liberty director Shami Chakrabarti described it in a statement as a “breath-taking attack on the internet security of every man, woman and child in our country.”

"We must now look to parliament to step in where ministers have failed and strike a better balance between privacy and surveillance," she added.

Trend Micro cybersecurity consultant, Bharat Mistry, argued that forcing ISPs to retain more data would raise issues of who’s going to pay for it, and expose them to a greater threat of cyber attacks.

“Capturing and storing this additional data is only going to increase the management and operational challenges of protecting it. Ultimately, CSPs will be forced to re-visit their data protection strategy and consider a tiered ‘one size fits all’ model that will be cost prohibitive and increases risk,” he added.

“Consider a CSP potentially capturing data about surfing habits [of] everyone—this will undoubtedly draw the attention of advanced threat actors such as nation states and hacktivists with strong political agendas; ISIS for example.”

Browsing data could also be used by hackers looking to extort money from individuals, as per the Ashley Madison breach.

Nigel Hawthorn of Skyhigh Networks argued that a de facto ban on end-to-end encryption will break data protection laws and “decrease security on the internet.”

“There’s a complete misunderstanding of how end-to-end encryption works. It’s wrong to assume that forcing technology companies to break their own security is going to please the average man on the street, and this is not even technically possible in many instances,” he added.

“It’s not the first time the government has been wholly ignorant of technology, and despite the inevitable backlash from technology experts, politicians continue to announce these ill-thought-out unworkable proposals.”

The bill’s proposals on encryption would actually give criminals the upper hand, Hawthorn claimed.

“You can’t just uninvent encryption, so if this government stops innocent people using unbreakable encryption via legitimate businesses, the only people left using it will be the criminals.”

Antony Walker, deputy CEO of trade body techUK, struck a more guarded note, arguing that the draft requires “very careful scrutiny.”

“The importance of the task ahead of the Joint Parliamentary Scrutiny Committee cannot be overstated,” he added.

A round-up of the main arguments against banning end-to-end encryption are neatly summarized by F-Secure here.

What’s Hot on Infosecurity Magazine?