Given that most people now place all their personal data online, the proposals in the Investigatory Powers Bill – dubbed the ‘Snooper’s Charter’ – would grant enormous surveillance capabilities to the government.
If they proceed, the proposals could undermine trust in the internet as a whole, from service providers, to device manufacturers, to the apps people use as part of their everyday lives.
But it also has serious implications for technology companies who, under the proposals, would be legally bound to help UK police and security services access an individual’s device.
What’s more, the current wording of the bill means that any software made by a British company could soon be perceived to be facilitating government spying on its customers’ data.
This could have enormous repercussions by making it much harder for British technology and information security companies to compete globally.
Despite several revisions, the current wording of the IP Bill suggests that it would force technology companies to create backdoors that allow government agencies to access data, or force them to decrypt any potentially sensitive data as deemed necessary by government agencies.
The Home Office has a chequered past when it comes to exploiting loosely worded legislation. For example, it can deem any service that connects to the internet as a CSP (communications service provider).
Since all services and software connect to the internet these days, this classification can be extended to any business that offers connected services or software.
Once classified as a CSP, the Home Office can mandate, through the technical assistance clauses in the legislation, a re-write of that business’ software to include backdoors.
While this currently requires judicial approval, the burden of proof is still on the business to show that any modification of its software would be an undue burden.
The government’s unwillingness to categorically deny that it will seek backdoors creates an environment where all software and software-as-a-service offerings released by British companies will have the overhang of suspicion that they could have backdoors created to snoop on customers’ data.
This will have major negative consequences for the British software industry as a whole, because any products or services released by a British company will be viewed as untrusted and insecure.
While the UK may be following a path laid out by the USA, not all governments choose to adopt such surveillance strategies.
The Dutch government has said publicly that it will not force technology firms to share encrypted communications such as emails with its security agencies.
In a letter to the Dutch parliament, the head of the Ministry of Security and Justice, Ard van der Steur, explained the government’s reasons for endorsing strong encryption, which sound quite similar to those cited by Apple’s CEO, Tim Cook.
According to a translation of the letter, van der Steur pointed to the uses of encryption for protecting the privacy of citizens, securing confidential communications by government and businesses, and ensuring the security of internet commerce and banking against cybercrime.
British technology and information security companies are already being courted by the Dutch, Swiss and Luxembourg governments, whose declarative statements on encryption make them attractive places to re-domicile a business and ensure operational continuity.
Many British businesses will respond to this call in order to lose the overhang of offering insecure products in a globally competitive environment.
Without an explicit ‘No backdoors’ statement written into the legislation, this bill will harm British industry by making it more difficult for British business to compete globally.
It will also harm the security of its citizens, and create the kind of ‘business vs. government’ mentality that will make us all less safe.
The problem is that the IP bill wouldn’t just make it easier for the government to spy on UK citizens – it would also weaken the very products and standards that people use to protect themselves.
The government believes it can manipulate security in such a way that only it can take advantage of that subversion, but this is a fallacy. The same technologies, standards and products are used by everyone, so we either allow everyone to spy on everyone, or prevent anyone from spying on anyone.
If we insert vulnerabilities, we weaken security for everyone. The same vulnerabilities used by intelligence agencies to spy on global citizens can also be used by criminals to steal your passwords. We either enable spying – by either governments or hackers – or we defend against it.
This kind of government interference doesn’t just damage the products and technologies in question – it damages the trust in the internet entirely.
Some of the potential applications of the internet that would benefit citizens and entrepreneurs have already been stymied by unresolved trust issues. E-voting has stalled and migration to the cloud is suffering.
For the internet to continue to grow and flourish, we need to re-establish the foundation for trust. To do this, users need to believe that the systems they use online are not part of a government programme to spy and snoop on its citizens. We all own the internet, and we need to fix it together.
Sourced from Brian Spector, CEO, MIRACL
In 2013, security firm MIRACL (formerly known as Certivox) decided to pull its PrivateSky secure email product after GCHQ forced it to hand over users’ data. Rather than spend £500,000 building a backdoor into the system to mainline customer data to GCHQ, or potentially face jail for not complying with the government order, the company decided to shut down its service entirely.