What The U.K. Surveillance Powers Review Says On Encryption And Hacking

An independent review of U.K. surveillance powers conducted by QC David Anderson published its findings this week. Among its recommendations the report calls for judges to sign off interception warrants, and for a new law to govern surveillance powers — replacing the problematic patchwork of outdated and amended legislation that currently exists with stricter and more coherent oversight.

The report also supports continued use of “bulk data collection” (aka mass surveillance) by U.K. intelligence agencies — so long as “strict additional safeguards” oversee its usage and minimize privacy impacts.

Anderson writes:

…if the acceptable use of vast state powers is to be guaranteed, it cannot simply be by reference to the probity of its servants, the ingenuity of its enemies or current technical limitations on what it can do. Firm limits must also be written into law: not merely safeguards, but red lines that may not be crossed.

He also weighs in on encryption, although his recommendations here are rather more murky. In essence, he is taking the view that more widespread use of strong encryption ultimately sanctions mass surveillance — and even hacking activities by state agencies — as necessary workarounds to get at information that’s otherwise locked out of reach.

The 300-page+ report was commissioned by U.K. Prime Minister David Cameron last year in the wake of NSA whistleblower Edward Snowden’s revelations. Since then Cameron has stepped up his rhetoric in support of state surveillance powers, making hawkish pronouncements arguing for expanded capabilities — to the point where, earlier this year, he appeared to be calling for an effective ban on strong encryption.

“Are we going to allow a means of communication between people which even in extremis, with a signed warrant from the Home Secretary personally, that we cannot read? No we must not. The first duty of any government is to keep our country and our people safe,” said Cameron back in January.

Anderson’s review backs Cameron’s notion that encryption should not be an ultimate barrier to security agencies  — arguing that the power to “intercept a particular communication” or “track a particular individual” “needs to exist”, although he also qualifies this by saying such a power might only be usable “where skill or trickery can provide a way around the obstacle”.

What that means in practice appears to be a suggestion that surveillance capabilities should allow enough intrusiveness that strongly encrypted data can be got at — or its intelligence inferred — by other “ingenious or intrusive” means. Not by enforced backdoors, but by what amounts to a patchwork of investigatory workarounds.

Government-sanctioned hacking/malware is one mooted option, along with the triangulation offered by data retention powers plus data-mining of bulk datasets — which, presumably, expands the likelihood that encrypted comms can be caught in a less secure form somewhere in the digital haystack. All these ‘tricksy circumventions’ are offered up as an alternative to legislating to deliberately and systematically perforate encryption — i.e. by mandating backdoors be built into encrypted services.

Anderson writes (emphasis mine):

…There may be all sorts of reasons – not least, secure encryption – why it is not physically possible to intercept a particular communication, or track a particular individual. But the power to do so needs to exist, even if it is only usable in cases where skill or trickery can provide a way around the obstacle. Were it to be otherwise, entire channels of communication could be reduced to lawless spaces in which freedom is enjoyed only by the strong, and evil of all kinds can flourish.

This does not mean that state access to communications should be made easy. Few now contend for a master key to all communications held by the state, for a requirement to hold data locally in unencrypted form, or for a guaranteed facility to insert back doors into any telecommunications system. Such tools threaten the integrity of our communications and of the internet itself. Far preferable, on any view, is a law-based system in which encryption keys are handed over (by service providers or by the users themselves) only after properly authorised requests.

But in an imperfect world, in which many communications threatening to the UK are conducted over services whose providers do not or cannot comply with such requests, there is a compelling public interest in being able to penetrate any channel of communication, however partially or sporadically. Paedophiles should not be able to operate on the dark net with guaranteed impunity, and terrorists should not be able to render themselves undetectable simply by selecting an app on which their communications history will never be known even to the provider. Hence the argument for permitting ingenious or intrusive techniques (such as bulk data analysis or CNE [computer network exploitation]) which may go some way towards enabling otherwise insuperable obstacles to be circumvented. Hence, also, the argument for requiring certain data to be retained so that they can be used in piecing together a crime after the event.

He notes elsewhere in the report that U.K. Agencies “do not look to legislation to give themselves a permanent trump card” to unlock encryption, adding: “Neither they nor anyone else has made a case to me for encryption to be placed under effective Government control, as in practice it was before the advent of public key encryption in the 1990s.”

Instead, the push from U.K. security agencies appears to be for a multitude of workarounds to get at encrypted intel — including gaining access to domestic and foreign companies’ own user datasets via “cooperation, enforced by law if needed, from companies abroad as well as in the U.K., which are able to provide readable interception product”.

“The Agencies seek to address impeded access to communications through their own cryptographic work,” the report adds. “They will also need to develop new methods of accessing data, for example through increased use of CNE [aka hacking]. They therefore want the capabilities and an appropriate legal framework within which this work can be carried out.”

Elsewhere in the report Anderson notes that the use of hacking by U.K. security agencies has not been clearly defined in national law — pointing out that this activity was only “recently acknowledged” by government, when it published the Draft Equipment Interference Code in February. Indeed, civil liberties organizations have accused the U.K. government of making ‘under the radar’ legislative changes to try to retroactively legalize state agency hacking activities.

Unsurprisingly Anderson recommends that hacking powers be clearly defined within a new oversight framework for state surveillance capabilities. He also touches on concerns there may be a need for “exceptional safeguards” in order for some types of hacking to be used legally — without specifying exactly which methods could warrant theses extra checks and balances.

[Hacking] presents a dizzying array of possibilities to the security and intelligence agencies.

“There are significant concerns regarding the use of these methods at all,” he writes. “In particular in relation to encryption, some are of the view that these methods are dangerous for the safety and security of the users of the internet. Moreover, CNE presents a dizzying array of possibilities to the security and intelligence agencies, and while some methods of CNE may be appropriate, many are of the view that there are others which are so intrusive that they would require exceptional safeguards for their use to be legal.”

While the intelligence and security agencies are the only U.K. public bodies currently afforded hacking (and mass surveillance) powers for investigatory purposes, the review notes that the U.K.’s National Crime Agency wants additional powers to be considered for domestic police forces — including “the possible future use by law enforcement of CNE”. So, to be clear, U.K. police forces are pushing to be allowed to use hacking to investigate criminal activity.

Anderson is specifically not supporting such an expansion of police powers, but he does suggest that invasive digital investigation techniques are likely to spread to other government agencies in future.

“There are still investigatory powers that only the security and intelligence agencies deploy: notably, bulk data collection and CNE. I have not suggested that this should change. But as technology develops, bulk data analysis (notably by private companies) becomes a standard feature of everyday life and digital investigation techniques become more widespread, the trend may prove to be towards convergence rather than the reverse,” he writes.

The report also touches on enforced decryption as a workaround method for thwarting secure encryption. Anderson says it was required 76 times in 2013-14, with two convictions over this period for failure to comply. But he notes the security agencies’ primary concern with this resort for circumventing encryption is the target may choose to opt for a smaller prison sentence for refusing to hand over their encryption keys than a more serious conviction for criminality based on whatever data they have encrypted. Hence the push for security agencies to have something else up their sleeve to workaround encryption.

Anderson’s report is not binding, so it remains to be seen how many of his recommendations will be adopted by the government as it drafts the new Investigatory Powers Bill, announced in the Queen’s Speech last month. The draft bill is due to be published this fall.

After the report’s publication this week, the government said it will “carefully consider” Anderson’s recommendations. However Home Secretary Theresa May has already signaled she may reject his proposal to strip ministers’ power to sign off interception warrants and hand that over to judges. That suggests the government is preparing to expand state surveillance capabilities without bracketing additional powers within the strict red lines Anderson believes are necessary in order to achieve an acceptable balance between state security and individual liberty — pushing the U.K. further out of step with countries such as the U.S. where politicians are now legislating to place limits on domestic spying powers.