UK taxpayers should foot £2bn or more to adopt Snoopers' Charter, says Inquiry

Parliamentary committee says bill would otherwise undermine the tech sector


The first Parliamentary report into the UK's draft Investigatory Powers Bill, commonly referred to as the "Snoopers' Charter", says it has great potential to damage the nation's technology sector and the public should therefore pick up the tab for the £2bn (US$2.85bn) or so it will require to implement the data-harvesting legislation.

That's the gist of the report into the Bill, issued today by the UK's Science and Technology Select Committee.

The report argues that complying with the Bill will cost businesses so much that they will be disadvantaged when competing with foreign rivals. The report also worries about the reputational costs associated with the Bill's provisions for state hacking and mandatory decryption.

Focusing on the technological aspects of the Snoopers' Charter, the inquiry assessed it only in terms of its feasibility and cost, rather than whether its legal powers were proportionate to the threats they were intended to address. That second assessment is being made by the Joint Committee on the Draft Investigatory Powers Bill, which is likely to publish its report within the next fortnight.

Nicola Blackwood MP, the committee's chair, stressed the bill's poor definitions of matters like decryption-on-demand (the removal of electronic protection) and the state's legalised hacking abilities (equipment interference). The committee's greatest worry, however, regarded "the feasibility of collecting and storing Internet Connection Records (ICRs), including concerns about ensuring security for the records from hackers."

"The Bill was intended to provide clarity to the industry, but the current draft contains very broad and ambiguous definitions of ICRs," wrote Blackwood, echoing the sentiments of the submissions her committee had received from almost every party except from the Home Office itself.

Does anyone here know what an 'Internet Connection Record' might be?

Those providing witness statements to the Science and Technology Committee's inquiry, as well as to the Joint Committee providing pre-legislative scrutiny of the draft legislation as a whole, were near-unanimous in criticising ICRs.

Some ISPs simply confessed ignorance as to what the Home Office could possibly mean by the term, while other witnesses gave more robust denials regarding whether ICRs even existed. No witnesses believed they currently possessed the capacity to collect ICRs, and many echoed The Register's analysis that £2bn was a far closer estimate of the implementation costs than £250m.

The report declared that “the Government must work with industry to improve estimates of all of the compliance costs associated with the measures in the draft Bill.”

Blackwood noted that there are "widespread doubts over the definition, not to mention the definability, of a number of the terms used in the draft Bill”, and the report specifically highlighted that there are "questions as to how collecting and storing ICRs is technically possible, and whether Data Retention Notices to retain all user ICRs are 'necessary and proportionate'."

When such concerns were first raised, UK home secretary Theresa May dismissed them before Parliament by claiming that: “If someone has visited a social media website, an internet connection record will only show that they accessed that site, not the particular pages they looked at, who they communicated with, or what they said. It is simply the modern equivalent of an itemised phone bill.”


This has been disputed, however. As legal expert Graham Smith told The Register: “We didn't read books over the telephone, but as an entirely accidental by-product of communications technology, our reading habits are now trackable.”

Smith was further cited by the report as “pointing out that the draft Bill itself uses the term 'internet connection record' only in clause 47 and that this differs from the way in which 'relevant communications data' are defined in clause 71 (which details the powers to require retention of certain data).”

The report stated that Smith “described how the scope of 'relevant communications data' depended on thirteen interlinked definitions, and concluded that 'the clause 71 power looks as if it may cover a wider range of communications data than is achieved by adding 'Internet Connection Records' to the current list of retainable communications data.'”

All of which the committee found important, as any assessment of the feasibility of collecting and storing ICRs “depends on what they actually are.” The committee chair advocated that Government "urgently review the legislation so that the obligations on the industry are clear and proportionate."

Craptography, or: “Gov, your backdoor stinks!”

For many onlookers one of the most concerning clauses of the bill is 189(4)(c), as it provides the government with the ability to impose “obligations relating to the removal of electronic protection applied by a relevant operator to any communications or data.”

The Government's line on the matter is that it has no desire to “ban or limit cryptography”, and indeed this was trotted out recently in its response to a January petition on cryptography. How service providers were expected to fulfil their obligation under 189(4)(c) while transmitting end-to-end encrypted communications was left unexplained.

The committee noted: “Apple and other communications companies have expressed concerns about whether the draft Bill might require them to adopt weaker standards of encryption. Apple have also reportedly stated that the draft Investigatory Powers Bill could be a catalyst for other countries to enact similar measures, leading to significant numbers of contradictory country-specific laws.”

As former MP for Cambridge, Dr Julian Huppert, noted, it is “unclear what would happen if a court were to be asked to take action against an operator who was unable to comply with this power because of the fundamental nature of their product: Any decentralised communications system is likely to render this clause impossible to comply with.”


The Home Office told the committee that communications service providers would be expected to serve up plaintext data when ordered to do so. The report understood that this “would not apply to content that is encrypted end-to-end before being passed to the communications provider for transmission: 'What has to be removed is the electronic protection that the service-provider itself has put on the message. It is not removing encryption; it is removing electronic protection.'”

The report concluded that the Government “should clarify and state clearly in the Codes of Practice that it will not be seeking unencrypted content in such cases, in line with the way existing legislation is currently applied.”

Blackwood herself concurred: “Encryption is important in providing the secure services on the internet we all rely on, from credit card transactions and commerce to legal or medical communications. It is essential that the integrity and security of legitimate online transactions is maintained if we are to trust in, and benefit from, the opportunities of an increasingly digital economy.”

She asserted that: “The Government needs to do more to allay unfounded concerns that encryption will no longer be possible.”

Hack, or “Interfere with the Equipment of” the Planet!

The report also considers "equipment interference" - hacking - and notes that it “encompasses a wide range of activity from remote access to computers to downloading covertly the contents of a mobile phone during a search.” Such interference has been consistently defended as necessary in an environment increasingly featuring the widespread use of cryptography.

In his submission, the University of Cambridge's Ross Anderson acknowledged that the “right way to get around encryption is targeted equipment interference, and that is hack the laptop, the phone, the car, the Barbie doll or whatever of the gang boss you are going after, so that you get access to the microphones, to the cameras, and to the stored data. The wrong way to do it is bulk equipment interference.”

The report cited Big Brother Watch, which noted that “weakening a system does not mean that only law enforcement or the intelligence agencies can exploit it—'The system can be exploited by anyone who uncovers the weakness, including malicious actors, rogue states, or non-Government hackers'.”


Alarmingly, clause 99 of the Snoopers' Charter would oblige domestic communication service providers to assist the Government in its hacking activities, while clause 102 would make it a criminal offence for “any person employed for the purposes of the business of the relevant telecommunications provider” to disclose “any steps taken in pursuance” of this assistance.

According to industry witnesses, committing this offence would be unavoidable for companies that open source their code, since they are unable to conceal from the public anything that has been tampered with. The committee reported that it believed “the industry case regarding public fear about 'equipment interference' is well founded.”

As such, the committee recommended that the new Investigatory Powers Commissioner should report to the public on the extent to which these measures are used for security reasons, and should also “carefully monitor public reaction to this power.”

Blackwood said: “It is vital we get the balance right between protecting our security and the health of our economy. We need our security services to be able to do their job and prevent terrorism, but as legislators we need to be careful not to inadvertently disadvantage the UK’s rapidly growing Tech sector.” ®
