Costs And Risks Of UK’s Draft Surveillance Powers Probed

A U.K. parliamentary committee tasked with scrutinizing the new surveillance powers contained in the draft Investigatory Powers Bill has heard several contradictory views on the proposed legislation.

The latest evidence session heard by the committee included questions on the costs of implementing the web browsing data retention requirement of the bill, and questions about the legal requirements it might place on companies when end-to-end encryption is being used to secure data. Concerns over provisions to sanction state hacking en masse were also aired.

The amount of time the government has afforded for scrutiny of what is very complex and technical legislation has already been criticized — with committee members themselves complaining there is not enough time for them to do a proper job.

The committee is expected to file its report by February 11, with the government aiming to get a final bill through parliament and onto the statute books before the end of next year.

Questions over costs

On the cost point, Mark Hughes, president of BT Security, suggested that the requirement for ISPs to capture and retain a log of the websites visited by their users would cost BT alone tens of millions of pounds to implement.

A government impact assessment document accompanying the draft bill has suggested this aspect of the proposed legislation would cost £174 million to implement. However, Hughes cast doubt on that figure, saying a “large part” of it would be needed just for BT to comply, and BT is only one of hundreds of U.K. ISPs that may also be subject to the requirement. (The committee also heard conflicting views on which U.K. ISPs would in fact be required to log users’ website visits.)

“It would cost us a large part of that figure to be able to implement, looking over a period,” said Hughes. “When one looks at the internet connection records part of the Bill, the bandwidth appetite in our country is increasing very rapidly, so, clearly, assumptions have to be put in that take account of the fact that bandwidth will increase. Indeed, in the consultation some of that has been taken into account, but the core key technical aspect of the internet connection records part of this is the extent to which the sampling or 100% collection goes on within the networks for them then to be able to comply. Technically, there are many different options, depending upon what you come up with, so there is a definite range of possible costs.”

Antony Walker, deputy CEO of digital tech trade association techUK, who was also giving evidence, also expressed scepticism about the cost estimate. “Given the uncertainty about the extent of the powers and the implications of potentially a much broader range of communication service providers, at this stage it is quite difficult to determine whether or not that is an accurate figure. I have met very few people across business who currently would regard it as a properly robust figure,” he said.

BT’s Hughes was asked whether the industry is “relaxed” about the current wording of the bill, which has been criticized as opaque and open to interpretation. The question drew something of a slap-down from the witness.

“On a subject like this we are not relaxed about any area of it, frankly, because it is an incredibly serious matter,” he rebuked the committee.

Conflicting views on encryption

Asked by the committee whether there was anything in the draft bill that could threaten the integrity of encryption, Walker said the language of the bill remains a cause for concern here — saying it is more “open to interpretation” than the organisation would like.

“The language around encryption remains a little opaque,” he told the committee. “And responses from the Home Office when questioned on the implications of some of those powers remain unclear.”

Walker flagged up a specific concern around end-to-end encryption, noting that it’s not clear what a third party provider would be legally required to do if they have implemented a form of encryption they cannot themselves decrypt.

“The powers are such that the security services could request that telecom service providers remove any encryption used by them to provide information in the clear. What is not completely transparent is what happens where a third party has implemented end-to-end encryption themselves and it would not be technically feasible for the service provider to remove that encryption. There is still some uncertainty and concern across the industry about the implications for encryption,” he said.

As it stands, Walker said industry is relying on comments made by the Home Secretary and other senior government ministers in order to interpret the bill. “They have been very clear about how they interpret the Bill, and to some extent we are relying on that interpretation,” he added.

But he reiterated that tech companies are still grappling with possible implications of the bill, given how vague definitions are, and the fact the draft bill was only published last month.

“I must stress that many companies are themselves still trying to work through the implications of the Bill and to understand it, so there are different views at this stage,” he said, answering a question about technical feasibility. “If we look at what is technically and reasonably practical in the various definitions of the Bill, we believe it means that when companies are providing services where there is end-to-end encryption instigated by a third party and not by themselves, it safeguards them from having to modify or change what they are doing, but it is open to interpretation.”

Walker said further reassurances are required that the bill would not require companies providing end-to-end encryption to modify their business practices.


Later in his evidence session, Hughes also touched on this, noting: “We should not do anything to undermine the fact that security and privacy are a continuum of the same thing. It is important, and encryption has a significant role to play in that.”

Also giving evidence to the committee, Richard Alcock, director of the Home Office’s oversight program for state use of communications data, suggested that senior civil servants interpret the encryption requirements differently from the senior government ministers who have offered reassurances about ‘not banning encryption’.

Asked specifically whether companies that have deployed end-to-end encryption would be exempt from having to provide decrypted data when served with a government request, he said his understanding is in fact that the opposite is true.

“In the context of interception, section 12 of RIPA [existing legislation, the Regulation of Investigatory Powers Act] mandates that there is an expectation that information is provided in the clear, effectively, by those on whom a notice is served. It may be the case that a service provider has certain encryption arrangements, but when you are putting someone on interception cover you want to be able to understand the content. There is an expectation — a clear mandation, in fact — that data will be provided to law enforcement in the clear, as has been the case. This Bill does exactly the same as section 12 of RIPA.”

Another civil servant giving evidence to the committee, Professor Bernard Silverman, chief scientific adviser to the Home Office, was asked directly whether a reference in the bill requiring the “removal of electronic protection” is a route to compromising encryption.

“My understanding of the Bill is that what has to be removed is the electronic protection that the service provider itself has put on the message. It is not removing encryption; it is removing electronic protection. I do not know whether Richard [Alcock] wants to go into more detail on that, but the short answer is that there is no threat to encryption as such.”

However in response Alcock merely reiterated his view about the bill mandating clear data be served up in response to a government warrant.

“It goes back to my previous point about provision of data in the clear. Companies may have all manner of different encryption equipment, which Government support. At the same time, when a notice is served to provide intercept data, the expectation is that those data will be provided in intelligible form — in the clear,” he reiterated.

At this point another witness, Dr Bob Nowill, chairman of Cyber Security Challenge, pointed out that providing data in the clear may not always be possible — i.e. if it has been end-to-end encrypted and a service provider does not hold the encryption keys.

“The ISP or CSP could unwrap whatever they have put on, but if the underlying data stream is encrypted by something proprietary and unknown and is originating and terminating overseas, you would probably have the devil of a job digging into it,” he pointed out.

To this Alcock suggested the route to obtaining ‘clear data’ is about “forging constructive working relationships with the comms service providers” — whatever that means. It might, for example, mean the state leaning on Internet companies to backdoor their services to workaround end-to-end encryption.

“All comms service providers are different. All systems are different. We need to work out pragmatic ways in which we can satisfy requests from the UK Government,” he said. “The expectation is that, when served with a notice, providers would provide us with data in the clear. That would involve working with the particular provider of the day to work out how best that could be achieved.”
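The distinction the witnesses circle around above, between protection the provider applied itself and protection applied end-to-end by the users, comes down to who holds the key. The following is an added illustration written for this page; it is not code from the committee evidence, from BT, or from any other named company. It models a provider that terminates a transport layer (its own key, so it can strip that layer) and carries an inner end-to-end layer whose key it never received. The `Provider` class, the key names and the cipher are assumptions: the cipher is a deliberately simple encrypt-then-MAC construction built only from the standard library (an HMAC-SHA256 counter-mode keystream plus an HMAC tag), chosen so the example runs offline, not as a recommendation for production use.

```python
"""Added illustration (not from the article): whether a provider can hand data
over 'in the clear' depends entirely on whether it holds the relevant key.

Two layers are modelled:
  * a transport layer the provider itself applied (its key, so it can remove it);
  * an end-to-end layer applied by the users with a key the provider never had.

The cipher below is an assumption for illustration: encrypt-then-MAC using an
HMAC-SHA256 counter-mode keystream and an HMAC tag. Do not reuse it in production.
"""
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block i = HMAC-SHA256(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag under `key`, then decrypt. Raises ValueError for the wrong key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key: tag does not verify")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Provider:
    """A hypothetical CSP: terminates its own transport layer, holds no end-to-end keys."""

    def __init__(self):
        self.transport_key = os.urandom(32)  # like a TLS session key, provider-side
        self.storage_key = os.urandom(32)    # provider-managed encryption at rest

    def remove_own_protection(self, wire: bytes) -> bytes:
        """Strip the layer the provider itself put on (its key, so it can)."""
        return unseal(self.transport_key, wire)

    def respond_to_notice(self, wire: bytes) -> dict:
        """Try every key the provider holds against what is left after its own layer."""
        payload = self.remove_own_protection(wire)
        for name, key in (("transport", self.transport_key), ("storage", self.storage_key)):
            try:
                return {"in_the_clear": True, "data": unseal(key, payload), "via": name}
            except ValueError:
                continue
        # Nothing the provider holds opens the inner layer: ciphertext is all it has.
        return {"in_the_clear": False, "data": payload, "via": None}


def e2ee_scenario(message: bytes) -> dict:
    """Users encrypt under a key only they share; the provider merely carries it."""
    provider = Provider()
    user_key = os.urandom(32)  # agreed between the two users; never sent to the provider
    wire = seal(provider.transport_key, seal(user_key, message))
    result = provider.respond_to_notice(wire)
    # The recipient, who does hold the key, reads the inner layer the provider forwards.
    result["recipient_reads"] = unseal(user_key, provider.remove_own_protection(wire))
    return result


def provider_managed_scenario(message: bytes) -> dict:
    """The provider applied the only inner encryption itself, so it can decrypt."""
    provider = Provider()
    wire = seal(provider.transport_key, seal(provider.storage_key, message))
    return provider.respond_to_notice(wire)


if __name__ == "__main__":
    msg = b"constructed sample message"  # constructed input for the demonstration
    print("end-to-end:", e2ee_scenario(msg)["in_the_clear"])
    print("provider-managed:", provider_managed_scenario(msg)["in_the_clear"])
```

Running the block prints `False` for the end-to-end case and `True` for the provider-managed case: in the first, the provider can remove exactly the protection it added and is left holding ciphertext it cannot open, which is the situation Nowill describes; in the second, the provider applied the inner layer itself and can produce the message in the clear.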

Fears over mass hacking

The committee also asked for views on provisions in the proposed legislation to sanction equipment interference — aka state hacking powers.

Walker expressed particular concern about the bill’s provision for mass hacking, dubbing this sweeping power “one of the areas of the Bill that is most problematic for many technology companies”.

“That is regarded by a lot of people across the industry as opening up the potential for the maintenance, or addition, of vulnerabilities in networks or services that should in reality be patched, because they present vulnerabilities for the individual and the service, and for the company in terms of liabilities and so on,” he said.

“You really have to think forward to the world in five or 10 years’ time, to the sheer range and diversity of equipment that potentially could be interfered with and the consequences of that. For example, if a vulnerability is found in a system that means you can automatically stop an autonomous or a semi-autonomous vehicle, and that vulnerability is exploited by somebody else for malicious purposes, there is a serious risk to life for the people involved. In a much more connected world, with many more connected devices on which we all rely for our security and safety, we have to think carefully about taking that additional step.”

Walker also noted that some companies believe mass hacking powers could have “significant reputational impacts on their business” — by undermining the security and credibility of their services.

“We are aware of some companies that said that makes them question where the right jurisdiction might be for them,” he added, implying the proposed law could lead to an exodus of such companies from the U.K.

Another specific concern flagged by Walker regarding this provision relates to companies built on open source business models. He suggested there are “significant problems” for such companies when it comes to meeting state hacking requirements, given that they do not conceal their source code and therefore could not conceal state hacking activities from the open source community.

“Potentially there are significant problems for companies based fundamentally on an open source business model. I think you have had evidence from Mozilla in that regard, which I think is quite instructive. The very nature of its business, which is based on inputs from the open source community, means that a lot of its code has to be out in the open. Therefore, meeting any of the equipment interference requirements would be something it could not conceal from the people who provide the open source software. A company like that would face very real specific problems.”