MENU

Reason.com

Free Minds & Free Markets

You Don’t Have to Be British to Be Extremely Worried About U.K.’s New Surveillance Law

Nestled deep in the Investigatory Powers Bill is the authority to mandate encryption "back doors."

encryption keyWebking / Dreamstime.comQueen Elizabeth gave her assent to the British Investigatory Powers Bill on Tuesday, the last step needed before the massive surveillance authorization bill becomes law in 2017. A new, deeper analysis of the final law by tech experts suggests there's more to fear than simply government access to citizens' browser history. This law may ultimately put everybody's data privacy and security at risk.

To refresh everybody's memory, the Investigatory Powers Bill—nicknamed by critics the "Snooper's Charter"—formally legally increases the power of the British government to engage in online surveillance, provides rules to allow for the bulk collection of citizen metadata, and the authority to hack into devices remotely. The law requires Internet Service Providers to store information about users' browser history for a year and hand over this information to government officials when provided a warrant. Essentially the law formalizes some secretive surveillance methods already being used by government that were exposed by Edward Snowden, but it also provides for some judicial oversight.

While the law is being sold as a way to keep the United Kingdom "safe" and to fight terrorism, the reality is that a whole host of government agencies who have nothing to do with national defense will also have access to this information. These are agencies that investigate fraud and deal with taxation and licensing issues. It is abundantly clear to anybody familiar with the law that it is designed and intended to be used to investigate domestic crime, not just terrorism.

But there's more. Privacy advocates and tech companies had been fighting with the British government over the crafting of the law, particularly about the inclusion of mandates for encryption "back doors" so that government officials would not be stymied in their surveillance efforts.

While the new law doesn't officially mandate encryption back doors, U.K.-based tech media site The Register scoured the 300-page law and discovered buried deep within something just as bad. Government leaders will be able to give a company what they're calling a "technical capability notice" that can impose obligations and changes upon the products (software, apps, whatever) that may demand "removal by a relevant operator of electronic protection applied by or on behalf of that operator to any communications or data."

That is to say: The law doesn't mandate encryption back doors outright, but it gives the government the authority to demand that specific companies remove the encryption protecting data. That means the British government expects that all of these companies will have the capacity to break their own encryption on the demand. So in reality, the law does mandate encryption bypasses and back doors for communication tools, but it's allowing the companies to maintain control over the "keys."

If this sounds familiar to Americans, this line of the law has the same impact as the widely mocked terrible legislation proposed by Sens. Diane Feinstein (D-Calif.) and Richard Burr (R-N.C.) in the spring. In response to Apple's refusal to help the FBI decrypt the iPhone that was in the possession of one of the San Bernardino terrorists, the senators crafted the technologically illiterate "Compliance with Court Orders Act of 2016." Like the text of the British law, it doesn't order tech companies to create back doors for the government to bypass encryption, but it does require that the tech companies themselves bypass their own encryption when given a court order to do so.

What's the big deal? There is a simple truth that everybody who works within the tech industry or writes about technology understands that many government officials are either choosing to ignore or unwilling to accept: When a company creates encryption methods that have built-in bypass methods, there is no guarantee it will stay in the hands of the company or that only the "right people" will gain access. Accidents happen. Espionage happens. We saw an example of it earlier in the year when an internal security bypass used for testing operating systems at Microsoft accidentally got out into the hands of hackers. The hackers, who apparently had no malicious intent, used it try to demonstrate to government officials and the FBI the flaws in demanding that software and tech devices have encryption that can be bypassed.

For everybody else who isn't a citizen of the United Kingdom, they will have to worry that the security of their own tech devices and communication tools will be deliberately compromised by tech companies with encryption back doors so that they will be prepared to comply with demands for data by the British government. The law also permits sending these letters to tech companies based outside the United Kingdom but who operate within its borders. These demands affect people outside the United Kingdom in very significant ways.

Oh, and one other important detail: The company that receives one of these orders cannot tell anybody they've gotten an order unless the government gives them permission. So a company could be made to compromise its own security and encryption and not warn its own customers.

Since the law is not yet in operation, it's not yet clear what will happen to tech companies who are implementing "end-to-end" encryption, designed so that the company itself cannot access the data or information being communicated through its apps or tools. The law does require the government official to consider the "technical feasibility of complying" with the demand.

Perhaps the law will serve to push more tech companies into instituting end-to-end encryption in order to be able to tell the United Kingdom that it's simply not "feasible" for them to comply with a decryption order? If so, it's appropriate, given the broad surveillance power the United Kingdom has claimed for itself, to start worrying whether the next step will be to prohibit end-to-end encryption on communication tools within the country.

Ultimately, such a law isn't going to be effective in stopping smart criminals who are insistent on secrecy. There are so many third-party encryption tools out there created outside the United Kingdom and realistically out of their control, and they're advertising the fact that they don't have back doors to bypass. That means those who are really at risk of government snooping under this system are the average joes who don't think they'll ever be a target of this law because they aren't terrorists and don't realize this law is much, much broader than what they've been told.

This is perhaps why Snowden, in response to Donald Trump's election, noted that surveillance and online privacy issues are bigger than one particular politician or government.

Photo Credit: Webking / Dreamstime.com

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  • DesigNate||

    If tech companies had any balls, they'd cease doing business in the UK altogether and tell their customers: "If you don't like being sent back to the stone age, by all means rise up against your oppressive government."

    Sadly, Brits being ridiculous hoplophobes have no means to do this.

    (This post should be considered juvenile bluster and the rantings of a mad man.)

  • BakedPenguin||

    Scott: Here you go.

  • Lee Genes||

    1984 was a how-to guide, obviously

  • Cloudbuster||

    Back in 1984, we all thought it was ridiculous that anyone would actually think that. A mere 30 years later and Britain has cameras everywhere and total electronic surveillance. The average Brit's life is as fully monitored as Winston Smith's and for equally nefarious purposes.

  • newlife3.0||

    Not me. Back in 1984 I was living way, way the hell out on a river with no road access small-time mining for gold. It was a clean, honest life. Meanwhile, the Feds--under Reagan--were implementing, supra-legally, the horrible ANILCA.

    We were under a microscope, with feds flying in and landing at our mining camps in helicopters whenever they felt like it--for no so-called violations, but because they could. The BLM immediate Napoleon-in-Charge of the Fortymile District at the time would actually make up rules on the spot: Rule # 34....(whatever he decreed at the moment...).

    I have boxes of records and proof, all of which former old-school BLM state directors told me to stash forever, 'cause it's not worth it, and "they" have more guns, money, and lawyers to wear anybody down forever. Still, we fought--against phony p$uedo greenie$, and the Feds.

    I could write a book...but...we tried.

    I'll never forgive Reagan for many things, (I voted Anderson), but allowing the abusive implementation of ANILCA, (and reneging on his promise to abolish the Education Dept. among others) is huge to me.

    I learned a lot. Including that, 1984 is real, it's just not that bad yet, (back then), but it'll get there.

  • newlife3.0||

    And that, you can't escape them. The romantic notion of going off in Alaska and living a free life was bullshit then, and it is now. Not that that was what I did, I ended up in there because of an offer to go gold mining when I had hitchhiked to Alaska, (the good 'ol days of border crossing with a backpack in the snow!! The things I got through...!), to fish and get a pocketful of money for a while, (I never have gone fishing for money after 37 years!).And try to make a living in an area--the customary use, mining, of which was the traditional use, and all you do is get helicoptered in Feds to harass and threaten you.

  • newlife3.0||

    Way too much to even scratch the surface. Even the Canadians land one morning, (at least they had the balls to land on same side of the river at that particular spot, unlike the US), pretending they thought we were in Canada. Incidentally, our Canadian neighbors, several miles downstream, were allowed to mine cleanly and unmolested by their government, and even have access!!

    No, "we all" didn't think it was ridiculous. We lived it. In the seemingly most unlikely place. I remember a friend in Fairbanks told me, back in the late 80's-early 90's, that his MO was to be as plugged in as he could to mess with 'em. But that was before the mass computer era. (Another story about coming in from the bush and discovering computers...).

    Anyway. I'm not going to reread this because I'm sure I'll delete it if I do. I lay low these days. But this notion of people being unaware of what was coming down the pipe--or pike or whatever it's called--gets on my nerves. Some of us knew.

  • kinnath||

    The Internet: RIP 2016

  • Rhywun||

    If my company did business in England - oh wait, it does - I would be looking to exit the English market right about now. Or searching for a way to break it to my customers that their data is about to be wide-open to the world.

  • ||

    Headline from 2018: "Last UK-based data centre closed down. MPs blame Brexit!"

  • DesigNate||

    That sounds about right.

  • ||

    This is a great madlib
    "You Don't Have to Be British to Be Extremely Worried About _______ "
    1) socialized dentistry
    2) walking outside with bare skin while the Day Star is in the sky
    3) bad food

  • R C Dean||

    While I suppose the UK has the authority to mandate backdoors etc. on UK-domiciled companies, and can ban software that doesn't have the backdoors from being sold or imported (over the internet - good luck!), I don't think it has any authority to order a US company to install a backdoor and hand the keys over to the UK government.

  • kinnath||

    Sounds about right.

    I imagine the market for smart phones and personal computers will shrivel up to nothing pretty quickly.

  • Caput Lupinum||

    Won't stop them from trying. It'll be interesting to see how the larger US tech companies respond to this.

  • R C Dean||

    They will either come up with UK-only crippled products (which I am sure our government will then demand be mandatory here), or knuckle under unless they believe that selling devices/software with compromised security will cost them more business around the world than the UK sales they would lose by abandoning the UK market.

  • kinnath||

    So when the UK bans smart phones that have no backdoor, does that mean they confiscate every foreign phone possessed by travelers coming through customs and immigration?

  • ||

    This sort of thing will cover cellular phones, switches and routers, security cameras, etc. It also seriously compromises VPN software. The UK is a large enough market that many companies will consider compromising their systems to continue doing business there, especially when they know some others won't, so they'll increase their market share. Others will make "UK" versions of their otherwise-unchanged software/hardware, leading to compromises of the non-UK versions.

    Meantime, actual bad guys will just use older hardware and software, or illegally bring in uncompromised stuff, meaning normal citizens are going to be the only ones spied on. This is, certainly, the end goal anyway.

  • Nunya||

    Doesn't this go to the Microsoft case being argued here in the States that data in an Ireland data center is not discoverable by US order? The reverse should hold true, but based on the idiocy that Obama, Merkel, et all have proselytizing about global hegemony, I don't see any logic coming into scope.

  • newlife3.0||

    Well, the US ordered all the banks in the world to report to it account info of any US citizens the bank does business with under FATCA, so...

    And they do. At least, those which didn't cut off US citizens. So, authority, uh-huh. You'd think. But wrongly.

  • Grand Moff Serious Man||

    Isn't having an unwritten constitution grand?

  • Libertarian||

    OT: way to bury the lede, science alert!

    Doctors eventually removed 142 screwworm larvae from her head, resorting to using "bacon therapy" – luring the parasites out with pieces of meat placed over the worms.

    http://www.sciencealert.com/th.....in-decades

  • ||

    Is there anything bacon can't fix?

  • ||

    Yes, when bacon can change the girls' nappies, then bacon will be welcome in Fortress Maximus.

  • UnCivilServant||

    ... Barbarism. Even I, hater of everything, am a bacon fan.

  • ||

    Its a fair cop.

  • bacon-magic||

    It's magic.

  • ||

    Since then, local authorities have maintained a biological control called the sterile insect technique, to prevent the screwworm from re-entering the US from South and Central America.

    Are they seriously suggesting the maintaining a buffer zone, let's just call it a border, just for shits and giggles, is a wise thing to do? Are we sure we aren't being unnecessarily xenophobic and speciesist, dening entry from these locales, which totally don't have any sort of geographical demarcation at all?

    This process involves releasing infertile male flies that have been sterilised by radiation into the wild. Female flies only mate once in their lives, and when they mate with these infertile males, no offspring result, ensuring that the screwworm is bred out of existence in infested areas.

    Wait, wait, wait..... you mean this has already been done, and the results demonstrably beneficial? You'd think with this Zika stuff, they would be just setting up hot dates b'twixt the CRISPR fixed males and the dangerous Zika femmes.

  • ||

    We tried. Apparently the rich people in and around Miami and the Keys would rather have Zika than GMO mosquitoes. I assume because they are old and not breeders themselves any more.

  • JW||

    Wait, wait, wait..... you mean this has already been done, and the results demonstrably beneficial?

    I can recall reading about this very thing in the 60's or 70's.

  • ||

    Apparently Marlon Brando bought an island and paid a bunch of money for people to do pioneering work on pesticide free insect management.

  • Christophe||

    Radiation-sterilized is probably a really old technique compared to CRISPR gene drives.

    Hence why one is widely deployed, and the other, in our ever-more precautionary-principled age, is not.

  • bacon-magic||

    Mmmmmmm bacon. *drooooooooooooools

  • ||

    I mean as long as they don't have to show government issued identification to gain access to porn and Grindr, I don't see what the big...oh wait, they do?

    Theresa May, TEAR DOWN THIS FIREWALL.

  • Nunya||

    No, the firewall is in China. Us "free people" are totally not pike those horrible communists. At all. Hate the reds because we are different and "liberal". We are to be trusted.

  • Je suis Woodchipper||

    does anyone write encryption software in the UK?

  • Scarecrow & WoodChipper Repair||

    The government ... oh wait, you said encryption.

  • esteve7||

    I work in IT, and anyone who thinks there should be an encryption backdoor simply does not know what they are talking about. They have no concept of how encryption works, and really don't know much about anything if they think a backdoor is a good idea.

    #UsefulIdiots

  • Nunya||

    What's wrong with going in the back door. Oh, you meant something different. Carry on!

  • Quincy.||

    Queen Elizabeth gave her assent to the British Investigatory Powers Bill on Tuesday, the last step needed before the massive surveillance authorization bill becomes law in 2017.

    Season 7 of the The Crown to be written by Charlie Brooker.

  • RBS||

    Wasn't this one of the subplots of the newest James Bond movie?

  • Je suis Woodchipper||

    is Theresa May now literally worse than Trumpitler?

  • UnCivilServant||

    She was always an awful political animal.

    I was sad when she was picked as PM. For a while I was deluded into thinking her term would not be as bad as I feared. Then my initial suspicions were proven correct.

  • AlmightyJB||

    I know right. The statist cheer this 1984 shit on while while they call everyone else fascist. It would be funny if they didn't have any power.

  • Fist of Etiquette||

    1 if by LAN, 2 if by C prompt.

  • ||

    SHAME! SHAME THE PUNNER!

  • Bee Tagger||

    The RedHats are coming.

  • Scarecrow & WoodChipper Repair||

    +1 size XL

  • Juvenile Bluster||

    Oh, and one other important detail: The company that receives one of these orders cannot tell anybody they've gotten an order unless the government gives them permission. So a company could be made to compromise its own security and encryption and not warn its own customers.

    What they can do, however, is what US websites have done regarding national security letters: You give regular updates in which you tell people you haven't received one... and then you give a blank update.

  • Cloudbuster||

    I've had lawyers advise that the government does not find this sort of "signaling" amusing and will count any such identification by omission practice as a violation of the order.

  • Cynical Asshole||

    Since the law is not yet in operation, it's not yet clear what will happen to tech companies who are implementing "end-to-end" encryption, designed so that the company itself cannot access the data or information being communicated through its apps or tools.

    Hopefully they'll tell the UK to go pound sand, but I highly doubt it.

    I expect most tech companies to bend over, grab their ankles, and open their back doors nice and wide...

  • gbear||

    For your own good is a persuasive argument that will eventually make a man agree to his own destruction.

  • Cloudbuster||

    "Of all tyrannies a tyranny sincerely exercised for the good of its victims may be the most oppressive. It may be
    better to live under robber barons than under omnipotent moral busybodies. The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for our own good will torment us without end for they do so with approval of their own conscience." -- C.S. Lewis, The Humanitarian Theory of Punishment

  • bacon-magic||

    Is that a Swastikey in the caption?

  • Cloudbuster||

    Use Tor. And don't use Tor hubs in the UK.

  • IRWIN ROMMEL||

    YUP !!

  • Christophe||

    Nuke GHCQ from orbit, it's the only way to be sure.

  • Alan@.4||

    If I may make so bold, I draw the following conclusion re this legislation. A giant hole might well have been blown in the insufficiently tall and broad wall that protects the rights and freedom of people from "government", which while it may claim that "we are acting for your own good", has been known to lie more than little, more than once.

  • IRWIN ROMMEL||

    "I'll respect you in the morning", "the checks in the mail", -------AND------- the BIGGEST LIE OF ALL, "I'm from the government and I'm here to help you".

  • Holger da Dane||

    I imagine the British government relies heavily on devices and software that is made outside their borders?

    Companies should just comply and sell encryptionless devices in the UK, but refuse to provide anything to the British government that they can't also sell to British citizens. The pants shitting would be extremely entertaining.

  • Holger da Dane||

    In fact write it right into their EULAs that their encryption products may not be sold to or used by British government agencies.

    Open source licenses could be modified in the same way.

  • IRWIN ROMMEL||

    Dumb bastard Brits rely on the friggin queeran thanks to their spinelessness.

  • IRWIN ROMMEL||

    Looks like an opportunity for computer security CAPITALISTS. Build it, and they will come to buy it.

  • Longtobefree||

    "removal by a relevant operator of electronic protection applied by or on behalf of that operator to any communications or data."
    So an individual who encrypts using "other" software is legal.

    Good luck with the corporate clowns growing a pair. As far as I can find with limited (but legal) skills at the web, only Barrett has refused to bow to a government. When California outlawed their fifty caliber rifles for citizens, Barrett refused to sell any more of it's merchandise to any and all California state agencies.
    If only other companies would follow suit.

GET REASON MAGAZINE

Get Reason's print or digital edition before it’s posted online