UK's new Snoopers' Charter just passed an encryption backdoor law by the backdoor

How far will it go? You'll have to ask the Home Secretary


Among the many unpleasant things in the Investigatory Powers Act that was officially signed into law this week, one that has not gained as much attention is the apparent ability for the UK government to undermine encryption and demand surveillance backdoors.

As the bill was passing through Parliament, several organizations noted their alarm at section 217 which obliges ISPs, telcos and other communications providers to let the government know in advance of any new products and services being deployed and allow the government to demand "technical" changes to software and systems.

This was the proposed wording in the Code of Practice accompanying the legislation:

CSPs subject to a technical capacity notice must notify the Government of new products and services in advance of their launch, in order to allow consideration of whether it is necessary and proportionate to require the CSP to provide a technical capability on the new service.

As per the final wording of the law, comms providers on the receiving end of a "technical capacity notice" will be obliged to do various things on demand for government snoops – such as disclosing details of any system upgrades and removing "electronic protection" on encrypted communications.

Bye bye, encryption ... Wording from the latest version of the law

Thus, by "technical capability," the government really means backdoors and deliberate security weaknesses so citizens' encrypted online activities can be intercepted, deciphered and monitored.

In effect, the UK government has written into law a version of the much-derided Burr-Feinstein Bill proposed in the US, which would have undermined encryption in America. A backlash derailed that draft law.

No such backlash happened in the UK over the Investigatory Powers Bill, though, and so here we are. Web browser histories logged by ISPs 24/7, and the looming possibility of crippled cryptography. There may be not much point using a VPN to conceal your web activities if it can be blown open by a technical capability notice.

To be fair, there were some fears that Blighty's law would effectively kill off the UK software industry as well as undermine Brits' privacy, and expose them to surveillance and hacking by criminals exploiting these mandatory backdoors. This mild panic did bring about some changes to the UK's Investigatory Powers Bill before it was passed.

The question is: were the changes sufficient?

The "anti-encryption" part of what is now UK law has moved from section 217 to sections 254-256 [PDF] and contains some additional safeguards. But those safeguards, as they often are, are largely a judgement call by a Secretary of State.

The wording is slightly improved in that by introducing any one of the Secretaries of State as a required signatory to any "technical capability notices", it introduces a minor choke-point and a degree of accountability. Rather than the security services or police being able to force any communications provider to tell them their new product plans and oblige technical changes, the issue will have to bubble up to the desk of a Cabinet minister, probably the Home Secretary.

Consultation

Once on his or her desk, one of the Secretaries of State will have to "consider that the conduct required by the notice is proportionate to what is sought to be achieved by that conduct."

He or she will also have to consult the "Technical Advisory Board" – which was created in response to another unpopular piece of technical legislation, RIPA – and people that are "likely to be subject to any obligations specified in the regulations."

Any notice that the secretary then decides to push forward will have to be approved by a "Judicial Commissioner" – a judge appointed by the Prime Minister in that role – who will take into account the same factors as the secretary but, critically, also have to consider "the same principles as would be applied by a court on an application for judicial review."

If the commissioner refuses to approve the decision, he or she must provide a written reason for doing so. But that decision can then be overridden by the new Investigatory Powers Commissioner.

The Investigatory Powers Commissioner has been created specifically for this legislation and will be appointed by the Prime Minister. That in itself was an issue subject to some debate with a select committee of MPs arguing that the commissioner should be appointed by the Lord Chief Justice rather than the Prime Minister. In the end, the government won out.

Some further improvements come in the form of more precise wording. Any notice would have to specify what sort of obligation will be applied to a communications provider. Most noteworthy in this context is section 254 (5)(c):

The obligations that may be specified in regulations under this section include, among other things ... obligations relating to the removal by a relevant operator of electronic protection applied by or on behalf of that operator to any communications or data.

Other obligations are clearly intended to allow for government tapping of internet communications and after-the-fact provision of stored data from ISPs.

Consideration

There is also a list of things a Secretary of State must consider before posting a relevant notice, including:

  • likely benefits of the notice
  • number of users
  • technical feasibility of complying
  • cost of complying, and
  • "any other effect of the notice on the person"

In short, what the law's passage through Parliament has done to the UK government's ability to force tech companies and telcos to introduce backdoors into their technologies is make it slower and a little tougher.

Does it prevent the UK government from breaking encryption? It absolutely does not. In fact, it foresees it.

Does it mean that customers will be made aware that their communications and traffic are compromised by a backdoor? No, it does not. All of the checks and balances are safely contained within the upper levels of government and the judiciary.

Based on what both the UK and US government have done in the past with all-encompassing orders that are time-based rather than product-based, and considering the fact there is nothing that says it has to be done on a case-by-case basis, it's a safe bet that the government will approve one-size-fits-all "technical capability" notices for specific companies.

Where will the balance between protecting consumers and providing access to law enforcement and security services lie? We will likely never know in any useful detail since no one is under any obligation to make that reasoning or argument available outside the small group of individuals that take the decision.

Nuts of it

Most critically, if a Cabinet minister decides she wants a backdoor to be introduced into some software, is there anything that can stop him or her? The answer to that is almost certainly no, except she can be slowed down and would likely make some concessions to move ahead.

If the Home Secretary and the Prime Minister both want a backdoor into some service is there anything that can stop them? Again, no, but a brave Investigatory Powers Commissioner could delay it for a few years.

And in the broader picture, will the UK government be able to force the likes of Twitter or Facebook or Google or Apple to introduce backdoors and/or hand over user data? And the answer to that is: let's wait and see.

The UK government can certainly insist that a company not based in the UK carry out its orders – that situation is specifically included in the new law – but as to whether it can realistically impose such a requirement, well, that will come down to how far those companies are willing to push back and how much they are willing to walk away from the UK market.

At the end of the day, will the UK security services be able to read your email, your messages, your posts and private tweets, and your communications if they believe you pose a threat to national security? Yes, they will.

Will they do it for less than that? You'll have to ask probably the Home Secretary. ®


Other stories you might like

  • Demand for PC and smartphone chips drops 'like a rock' says CEO of China’s top chipmaker
    Markets outside China are doing better, but at home vendors have huge component stockpiles

    Demand for chips needed to make smartphones and PCs has dropped "like a rock" – but mostly in China, according to Zhao Haijun, the CEO of China's largest chipmaker Semiconductor Manufacturing International Corporation (SMIC).

    Speaking on the company's Q1 2022 earnings call last Friday, Zhao said smartphone makers currently have five months inventory to hand, so are working through that stockpile before ordering new product. Sales of PCs, consumer electronics and appliances are also in trouble, the CEO said, leaving some markets oversupplied with product for now. But unmet demand remains for silicon used for Wi-Fi 6, power conversion, green energy products, and analog-to-digital conversion.

    Zhao partly attributed sales slumps to the Ukraine war which has made the Russian market off limits to many vendors and effectively taken Ukraine's 44 million citizens out of the global market for non-essential purchases.

    Continue reading
  • Colocation consolidation: Analysts look at what's driving the feeding frenzy
    Sometimes a half-sized shipping container at the base of a cell tower is all you need

    Analysis Colocation facilities aren't just a place to drop a couple of servers anymore. Many are quickly becoming full-fledged infrastructure-as-a-service providers as they embrace new consumption-based models and place a stronger emphasis on networking and edge connectivity.

    But supporting the growing menagerie of value-added services takes a substantial footprint and an even larger customer base, a dynamic that's driven a wave of consolidation throughout the industry, analysts from Forrester Research and Gartner told The Register.

    "You can only provide those value-added services if you're big enough," Forrester research director Glenn O'Donnell said.

    Continue reading
  • D-Wave deploys first US-based Advantage quantum system
    For those that want to keep their data in the homeland

    Quantum computing outfit D-Wave Systems has announced availability of an Advantage quantum computer accessible via the cloud but physically located in the US, a key move for selling quantum services to American customers.

    D-Wave reported that the newly deployed system is the first of its Advantage line of quantum computers available via its Leap quantum cloud service that is physically located in the US, rather than operating out of D-Wave’s facilities in British Columbia.

    The new system is based at the University of Southern California, as part of the USC-Lockheed Martin Quantum Computing Center hosted at USC’s Information Sciences Institute, a factor that may encourage US organizations interested in evaluating quantum computing that are likely to want the assurance of accessing facilities based in the same country.

    Continue reading
  • Bosses using AI to hire candidates risk discriminating against disabled applicants
    US publishes technical guide to help organizations avoid violating Americans with Disabilities Act

    The Biden administration and Department of Justice have warned employers using AI software for recruitment purposes to take extra steps to support disabled job applicants or they risk violating the Americans with Disabilities Act (ADA).

    Under the ADA, employers must provide adequate accommodations to all qualified disabled job seekers so they can fairly take part in the application process. But the increasing rollout of machine learning algorithms by companies in their hiring processes opens new possibilities that can disadvantage candidates with disabilities. 

    The Equal Employment Opportunity Commission (EEOC) and the DoJ published a new document this week, providing technical guidance to ensure companies don't violate ADA when using AI technology for recruitment purposes.

    Continue reading
  • How ICE became a $2.8b domestic surveillance agency
    Your US tax dollars at work

    The US Immigration and Customs Enforcement (ICE) agency has spent about $2.8 billion over the past 14 years on a massive surveillance "dragnet" that uses big data and facial-recognition technology to secretly spy on most Americans, according to a report from Georgetown Law's Center on Privacy and Technology.

    The research took two years and included "hundreds" of Freedom of Information Act requests, along with reviews of ICE's contracting and procurement records. It details how ICE surveillance spending jumped from about $71 million annually in 2008 to about $388 million per year as of 2021. The network it has purchased with this $2.8 billion means that "ICE now operates as a domestic surveillance agency" and its methods cross "legal and ethical lines," the report concludes.

    ICE did not respond to The Register's request for comment.

    Continue reading
  • Fully automated AI networks less than 5 years away, reckons Juniper CEO
    You robot kids, get off my LAN

    AI will completely automate the network within five years, Juniper CEO Rami Rahim boasted during the company’s Global Summit this week.

    “I truly believe that just as there is this need today for a self-driving automobile, the future is around a self-driving network where humans literally have to do nothing,” he said. “It's probably weird for people to hear the CEO of a networking company say that… but that's exactly what we should be wishing for.”

    Rahim believes AI-driven automation is the latest phase in computer networking’s evolution, which began with the rise of TCP/IP and the internet, was accelerated by faster and more efficient silicon, and then made manageable by advances in software.

    Continue reading
  • Pictured: Sagittarius A*, the supermassive black hole at the center of the Milky Way
    We speak to scientists involved in historic first snap – and no, this isn't the M87*

    Astronomers have captured a clear image of the gigantic supermassive black hole at the center of our galaxy for the first time.

    Sagittarius A*, or Sgr A* for short, is 27,000 light-years from Earth. Scientists knew for a while there was a mysterious object in the constellation of Sagittarius emitting strong radio waves, though it wasn't really discovered until the 1970s. Although astronomers managed to characterize some of the object's properties, experts weren't quite sure what exactly they were looking at.

    Years later, in 2020, the Nobel Prize in physics was awarded to a pair of scientists, who mathematically proved the object must be a supermassive black hole. Now, their work has been experimentally verified in the form of the first-ever snap of Sgr A*, captured by more than 300 researchers working across 80 institutions in the Event Horizon Telescope Collaboration. 

    Continue reading
  • Shopping for malware: $260 gets you a password stealer. $90 for a crypto-miner...
    We take a look at low, low subscription prices – not that we want to give anyone any ideas

    A Tor-hidden website dubbed the Eternity Project is offering a toolkit of malware, including ransomware, worms, and – coming soon – distributed denial-of-service programs, at low prices.

    According to researchers at cyber-intelligence outfit Cyble, the Eternity site's operators also have a channel on Telegram, where they provide videos detailing features and functions of the Windows malware. Once bought, it's up to the buyer how victims' computers are infected; we'll leave that to your imagination.

    The Telegram channel has about 500 subscribers, Team Cyble documented this week. Once someone decides to purchase of one or more of Eternity's malware components, they have the option to customize the final binary executable for whatever crimes they want to commit.

    Continue reading

Biting the hand that feeds IT © 1998–2022