The publication of the draft investigatory powers bill on Wednesday was a golden opportunity for the UK government to draft legislation that would provide security and privacy for the law-abiding citizens of the UK, and then by influence, for the world as a whole. That, however, is not what we have been handed.
What is on the table is a proposal for greater access to greater levels of data with nothing more substantial than a process of judicial review.
Digesting these proposals will take time, but at first glance this is a blueprint for the agencies and police to weaken the security and privacy of the masses in the name of national security. Much like previous attempts to resolve this challenging issue we find ourselves with proposals that appear to work, but once a light is shone on them, reveal problems that cannot be easily resolved or swept under the carpet.
The privacy-challenging proposals are broad reaching; access to encrypted data, the ability to hack devices and systems and a 12 month retention of Internet activity.
First the UK government has issued a demand to companies to hand over customers’ data in a readable format on issue of a warrant. No matter how often they say this is not an attack on encryption, it is.
Currently Apple is arguing this very point in the U.S. courts. Having been ordered by a court to hand over data from a customer’s iPhone they have explained that for 90% of their devices it “would be impossible” for them to adhere to the request. Why? Because the devices prevent access to data without the passcode, which only the device owner knows. This isn’t Apple being obstructive; this is about them providing a secure service to their customers. A service that restricts anyone other than the individual knowing the intimate details of their lives.
What is curious about the proposal in the draft Bill is that currently in the UK if you are arrested on suspicion of illegal activity you are required to hand over your device passcode or face the possibility of time in prison, a sensible approach. Yet these proposals will circumvent the individual by insisting on access from the company, undermining not only the relationship between citizen and state but the relationship between consumer and business.
Let’s not forget any weakening of encryption makes us all vulnerable as does the proposal to put equipment interference, otherwise known as hacking, on a legal footing. This previously secret technique used by the intelligence agencies, requires full scrutiny before being signed into law as it will legalize breaching the security of, not just individual devices but the machines and systems of companies and organizations.
We must not assume that this technique will only be used on terrorist or pedophile networks. Documents revealed by Edward Snowden showed that between 2009 and 2011 it was used as a method of middle man attack to infiltrate the systems of Belgacom, a European telecoms company providing a phone network in Belgium. The outcome of the sustained attack on this company revealed that the hack had gone to the core of the company’s infrastructure and enabled access to personal data of innocent individuals. The opportunity for collateral intrusion from equipment interference must be acknowledged as real and profound.
When you imagine what can be done to a treasure trove of data either through weakened encryption or a hacking attack it makes you seriously question the logic of another intrusive recommendation, that of requiring companies to retain all our Internet connection records for a year.
These records are not as bland as an itemized telephone bill, they list every Website you go to. They may be presented as mundane but can in reality reveal a great deal about you. This is why law enforcement find them so useful and why the Australian government refused to include the retention of such data in their recent surveillance law.
Imagine if the recent Talk Talk hacking scandal, which exposed a lack of encryption for 4 million people’s personally identifiable data had included Internet connection records. The mind boggles at the value of such a honeypot of information.
If these proposals persist, the UK will be the only democratic country in the world required to keep tabs on what its citizens do online.
With such plans for intrusive techniques to be deployed on British citizens you would have thought the government would have found a way to reassure us by promising full judicial authorization. But no, what has been proposed is nothing more than a tweak to the status quo; political sign-off with a politically appointed judge nodding approval.
In a world where technology will be sewn into the fabric of everything we do, and our lives will be defined by big data, the government has presented a surveillance law that exposes us all to cyber threats, leaves the judges as a review board and redefines the role of Secretary of State as little more than a signature machine for the technology age.