Many critics have moral judgements against the Investigatory Powers Bill, but experts argue it isn’t even technically feasible. Nicole Kobie explains their concerns.

There are many issues surrounding the so-called Snoopers’ Charter, but one that experts are trying to answer is whether it’s even possible. The latest version is the Investigatory Powers (IP) Bill, which is currently working its way through parliamentary committees as a draft. A vote is due in 2016. Key aspects include provisions to collect communications metadata, such as who you email and when, but not the content of the message; the ability for police to hack computers and bug phones; and provisions to potentially insert backdoors into encrypted messaging systems.

In last month’s issue of PC Pro, we examined the plans behind the draft bill and criticisms of it. This month, we consider the technical challenges, from the security and network issues to costs and jargon.

But there’s a catch: although the bill runs to 299 pages, the technical details are vague, making a consideration of the practical feasibility difficult. “When you’re trying to get a proper technical analysis of the bill, at the moment it’s very hard to do that,” Andrew Kernahan, public affairs manager at the ISP Association (ISPA), told PC Pro. “I think the industry has been quite clear, and ISPs have been quite clear, that we need more information to be able to do this, because the internet is not so straightforward.”

There’s good reason for fuzziness on some details, as the government is hoping to future-proof the law. “It’s been explained to us that this is a once-in-a-generation attempt to pass a new law that works,” said Kernahan. “While we welcome that, unfortunately, passing technical legislation like that doesn’t quite work. So it’s hard to get real technical analysis of the proposals until more information is forthcoming from the government.”

The parliamentary Science and Technology Committee has been calling in experts to give their thoughts on the technical aspects of the draft bill. Here’s what they’ve said so far, and what it means for the feasibility of the Snoopers’ Charter.

Legal jargon

Much of the confusion is due to jargon. Antony Walker, deputy CEO of industry body TechUK, told the committee: “Often language used in the course of a technological discussion changes when it is used in a more legal context.” Walker mentioned certain phrases such as “communications service”, “internet connection records” (ICR) and “equipment interference” – the latter a euphemism for hacking – saying that how such terms are interpreted in a practical way has “technical implications”. He added: “The industry view is that we could certainly benefit from perhaps examples or clearer suggestions as to what is and is not included.”

Mark Hughes, head of security at BT, pointed out that his company must know if the law applies only to public networks or also to the private networks it supplies to companies, while Walker noted that equipment definitions must be clarified to reveal whether they include Internet of Things gadgets, smart toys or even connected cars. “In theory, the manufacturer of the products could be subject to a warrant to enable interference with those devices,” he noted, adding that all of this affects whether or not the plans are technically feasible.

Logging web pages

One of the more controversial aspects of the IP Bill is ICR and messaging data, which Adrian Kennard, head of ISP Andrews & Arnold, noted in a written submission makes a fundamental mistake about how the internet works.

He argued such data should be logged at browser or server level, saying it makes no sense to log web-page visits at the network level. “This is because, like any ‘over the top’ service, the browser and computer breaks down what it is doing into packets of data, and sends these over the internet… the ISP sees just the packets in between,” he said.

“It is a bit like saying that the postal service has to log letters sent, but they are thwarted by the fact that every sender puts the letter through a shredder first and each shredded bit of each letter is being delivered, mixed in with every other letter, to a destination where it is glued back together,” he added.

Technical costs

The money available also affects the technical feasibility of the project. The government has set aside £174 million to pay for data collection, but ISPs argue that’s insufficient. “You can do most things if you put enough time and effort into it, and if you buy the best kit and put a lot of resources into it,” said Kernahan. “But that’s not necessarily what the bill is going to allow in terms of the sort of money that they have available.”

That view was echoed by Mark Hughes, who told the committee that BT would “incur significant cost if you implement the intent and assumptions behind the internet connection records part of this bill”. He added that the cost would either have to be paid by government or passed on to customers.

End of encryption

The IP Bill doesn’t outright ban encryption, but it does provide a means for authorities to require communications companies to collect users’ data. For an encrypted system, that could mean creating backdoors. Companies wouldn’t be able to tell users they were under such an order. “What is not completely transparent is what happens where a third party has implemented end-to-end encryption themselves and it would not be technically feasible for the service provider to remove that encryption,” Walker said.

The requirement that companies keep quiet about these backdoor orders is especially challenging for open-source companies, with Walker pointing to Firefox-maker Mozilla. “The very nature of its business, which is based on inputs from the open-source community, means that a lot of its code has to be out in the open,” he said. “Therefore, meeting any of the equipment interference requirements would be something it could not conceal from the people who provide the open-source software. A company like that would face very real, specific problems.”

BT’s Hughes pointed out that future encryption systems, notably Transport Layer Security 1.3, “will have a big impact on the ability of internet connection records to be useful”, as it will encrypt transactions earlier in the process, making it harder to see what people are up to online.

Security concerns

ICR and other message metadata collection requirements mean ISPs, in particular, will be building large databases of sensitive information. Keeping that safe will be difficult if not impossible – just ask TalkTalk, which was hacked last year. “It’s never going to be completely foolproof in terms of security… and there’s potentially more risk with more data that’s made available,” Kernahan said. “The example that was given at the evidence session last week was the NSA themselves – which is probably one of the most secure organisations in the world – had this known data leakage.”

Walker also raised the spectre of authorities hacking devices, especially at a bulk level. “That is regarded by a lot of people across the industry as opening up the potential for the maintenance, or addition, of vulnerabilities in networks or services that should in reality be patched,” he said.

While that may leave an email client with a flaw that could be used by criminals, as well as spies, it could have even more dramatic repercussions on future devices such as connected cars. “In a much more connected world, with many more connected devices on which we all rely for our security and safety, we have to think carefully about taking that additional step.”
