The UK government is closing in on a hugely significant decision that will transform how the law perceives privacy rights. The cause of this tipping point is the internet and digital technology.
UK security services have had access to phone and internet records for many years. Not even a ruling last year by the EU’s Court of Justice to render it an illegal breach of human rights could stop them, after the government fast-tracked an emergency law through Parliament to overrule it.
Indeed, the findings of a freedom of information request earlier this year by civil liberties group Big Brother Watch revealed that British police are granted access to private phone and email records almost every two minutes.
However, the government has claimed that this is not enough to sufficiently combat terrorist threats. Prime minister David Cameron said in January, ‘In our country, do we want to allow a means of communication between people that we cannot read? My answer to that question is: no, we must not.’
This statement was widely interpreted as a plan to ban end-to-end encryption in online messaging services like Facebook, WhatsApp and iMessage, which, the government claims, allow terrorists to plot attacks without being detected.
The policy plans have sparked anger and ridicule in the technology industry – not least because, privacy reasons aside, forcing companies to build back doors into their software to allow the government to intercept messages would essentially invite hackers to discover new vulnerabilities to infiltrate.
It also overlooks the fact that even if the technology companies did comply, terrorists could very easily just run a freely available encryption program to keep their communications private.
Indeed, it has been widely reported that ISIS is operating a so-called ‘cyber caliphate’ protected by its own encryption software. The terror group has actively sought to recruit skilled hackers and computer experts who guard their online communications from Western security services.
Nonetheless, the government has pressed ahead with its mission to introduce electronic surveillance by drafting these plans into the Investigatory Powers Bill – dubbed the ‘snooper’s charter’ – which was laid before Parliament at the beginning of November. Home secretary Theresa May will study a committee report on the draft proposals before placing a final bill before Parliament.
With public opinion seemingly split between acceptance that online surveillance is an inevitable consequence of the digital age and outrage at the loss of privacy, the government has pulled out all the stops in attempting to persuade British citizens that the bill is a necessary means of ensuring national security.
In September, MI5 even granted the first-ever live interview by a sitting MI5 boss, when Andrew Parker told the BBC that internet companies have ‘an ethical responsibility’ to alert security agencies to potential threats.
In a speech in October, Parker used a speech to reiterate the need for surveillance powers to be brought in line with modern technology, and dismissed accusations of mass surveillance.
He said MI5 needed the tools to infiltrate online communications between terrorists, but assured that will not mean ‘browsing at will through the lives of innocent people’. He added, ‘We use these tools within a framework of strict safeguards and rigorous oversight, but without them we would not be able to keep the country safe.’
The internet is now often referred to as the ‘fifth domain’, after land, sea, air and space, but is the only one not to be regulated in a way that gives government agencies the control they need to provide order and protection.
Paul Stokes, COO of Wynyard Group, which sells crime-fighting software to governments, is in favour of online surveillance, but says the right governance and processes must be in place to ensure that the relevant authorities use the data for the purpose of protecting citizens.
‘Helping law enforcement agencies analyse digital content such as encrypted data more easily means they can be even more responsive in tackling offenders, stopping trafficking and protecting children from exploitation,’ he says. ‘Fortunately, law enforcement agencies have always had an enormous range of tools in their arsenal, and they will continue to invest in new technologies in order to stay ahead of tech-savvy criminals.
‘This will inevitably include paying to develop counter-encryption capability, which is another burden on resources that could be better used to catch real criminals.’
However, the general consensus among technology businesses seems to fall on the other side of the fence. Greg Aligiannis, senior director of security at Echoworx, for example, believes that the government’s plans are a step too far. ‘It would be the most aggressive and unethical data-gathering attempt in UK history,’ he says.
‘It would also jeopardise the security of the systems that have been keeping cybercriminals at bay for years. Government agencies are not above the law, and should be able to obtain a search warrant should they have reasonable grounds to breach that privacy.’
Nigel Hawthorn, European spokesperson at Skyhigh Networks, adds, ‘If David Cameron asked you to shout out your credit card number and PIN each day in the nearest market square, would you?
‘His attempt to circumvent encryption would mean that all of our data, our financial transactions and our privacy would potentially be lost. In a time of data loss from the organisations we trust, and political and financial hacking, encryption is a key defence.’
If the government were able to go through with its plans to force companies to allow defence agencies to access communications, how exactly would it do it?
One solution could be to use split keys – for example, if the Ministry of Justice (MoJ) has one half of the key and MI5 has the other half. This would double the complexity but ensure that a single rogue agent couldn’t get more than they were allowed to.
If this new technology uses rolling keys, where they change on a regular basis, it would allow the MoJ to give access for only limited time frames but significantly increase complexity. And, if the technology is unique per person/session, it could allow incredible granularity without sacrificing security to others who aren’t related to the person in question, which again increases complexity and cost.
Whatever the approach, the affected system would be less secure as a result, according to Jeremiah Grossman, founder of WhiteHat Security.
‘I believe that the UK government will lose this battle,’ he says. ‘No company that wants to be trusted should bow to this demand and build a back door, as doors can be walked through by more than one person.
‘Encryption back doors mandated by governments will result in our IT systems being way more complicated, less secure and more expensive, with business outside our borders weakening the nation’s economy, and force a choice between security and privacy.’
The UK government would be wise to know that the notorious FREAK SSL vulnerability was available to hackers simply because the US government had demanded a lower form of encryption.
Back doors cannot be created and then not be vulnerable to exploitation from other parties, which is why the US government recently scrapped plans to force tech companies to build them in.
‘We just need UK politicians to realise the same thing or we risk becoming a laughing stock,’ says Hawthorn.
Meanwhile, if the UK government does ban encryption technologies, it sends the message to all other governments throughout the world that snooping is OK but law-abiding citizens do not have the right to personal privacy.
‘If you’re a business or an ordinary citizen that stays on the right side of the law, you must not feel as though your government is watching you, treating you like a criminal without due cause,’ says Aligiannis. ‘Any form of information sharing between a government and an organisation must be subject to judicial oversight.
‘History has shown that back doors are more of a liability than a deterrent to cybercrime. It’s akin to producing a master key and then hoping that no one finds it.’
So, many businesses are against the Investigatory Powers Bill, but where exactly do they stand in this spiralling balance between privacy and security? And do they have a responsibility to protect the privacy of their customers from the government?
For companies involved in the cloud industry, in particular, security of customer data is essential if they are to win – and more importantly, retain – customers. Without that trust in place, customers won’t commit their data to the cloud company and they won’t be able to provide services that people will pay for.
Looking at US versus European data protection laws, there is more emphasis on public disclosure in the US – and there is overlap on the issue of privacy with this mindset.
‘This is in my mind a better approach, as you rely on the market to reward success and punish failure,’ says Philippe Courtot, CEO of Qualys. ‘Companies do have to balance the needs of the vast majority of customers against the potential for bad actors or security risks on the same service.
Florian Bienvenu, VP EMEA at Good Technology, adds, ‘Organisations must fully accept the duty of care they take on when handling people’s private information. If people do not feel that their information is well protected from government or criminal intrusion, they could take their custom elsewhere.’