It would be hugely ironic if the Government’s plans to help it seize back control of the digital age actually pushed technology firms even further down the path of encryption.
The second version of the Investigatory Powers Bill – or Snoopers Charter, as it has been colloquially dubbed – was published by the Home Office on March 1st. This came in light of criticism of the first version – published in December – from three parliamentary joint committees: the Science and Technology Committee, the Intelligence and Security Committee, and the Joint Committee for the bill itself – which made some 86 recommendations alone.
The revised version aimed to appease demands for change, but has failed to pour water on the fears that ignited huge debate over public concerns around encryption, hacking and mass data theft.
Indeed, Dr Gus Hosein, executive director of Privacy International, said of the revised bill: “It would be shameful to even consider this change cosmetic… The continued inclusion of powers for bulk interception and bulk equipment interference – hacking by any other name – leaves the right to privacy dangerously undermined and the security of our infrastructure at risk.”
What’s so wrong with the bill?
Summarising the bill in general, NSA whistleblower Edward Snowden tweeted: 'By my read, #SnoopersCharter legitimises mass surveillance. It is the most intrusive and least accountable surveillance regime in the West.'
A key issue with the proposed bill is the requirement for service providers to keep an itemised list of users’ browsing histories in the last 12 months on file for access by the police and authorities. This has drawn understandable concerns over whether this data would remain secure, especially in the wake of the recent TalkTalk customer data hack.
The bill would also give security services greater power to acquire bulk collections of data – NHS health records, for example – and be legalised to bug computers and phones with an approved warrant – which companies would legally have to assist them with.
The Government’s outlined take on encryption is also extremely controversial. Companies have voiced their concerns that this could give security services the power to eavesdrop on messages whenever they liked. But the revised bill clarified the Government’s encryption standpoint, making it clear that companies can only be asked to remove encryption that they themselves have applied, and only where it is 'practicable' for them to do so.
Take a positive mentality
The implications of the Snoopers Charter may sound all doom and gloom for the technology and communications industries and the British public, but there is a glimmer of light for technology companies that choose to build a positive response to the language being used.
When it comes to encryption, the vagueness of the Government’s use of the word ‘practicable’ has the potential to be extremely broad, potentially encompassing anything that fits ‘when the government has a warrant and the technology company has the power to do it’. It would therefore not be surprising if security companies took steps to make it impracticable for them to decrypt their solutions, in response to the Government’s demands.
For example, in the current Apple/San Bernardino case in the US, the steps that the FBI is asking for, such as updating the iPhone with a new version of iOS that disables brute force attack protections, are entirely practicable. The FBI has a court order and Apple can do it, but are arguing that they shouldn’t. However, Apple themselves have said they are currently working on solutions that will prevent them having to take this action with future devices, which is precisely what could turn laws like this into a positive driver for the security industry.
To protect themselves against the burden of the new legislation, UK companies may have to go a step further and ensure their products are secure, even from themselves. The only way businesses can protect their users’ data fully is by ensuring that they cannot access it, even upon request.
There are a few methods that could be taken to achieve this, such as making a device or software platform verify and reject updates that lower security standards. The goal then becomes developing security solutions that are more intelligent and resilient, and more capable of protecting businesses from outside threats and forced internal actions.
Another reading of the Investigatory Powers Bill was announced on March 15th, with a final vote on its introduction likely before the end of April.
Jonathan Parker-Bray, CEO and Founder of Pryvate