Notes on Scrambling for Safety 2016 – Equipment Interference Session
7 January 2016
The second session is on “Equipment Interference”, Hacking or “Computer Network Exploitation”. There is little mention of this in previous legislation, and as a result there was much confusion about oversight according to Eric King, who chairs the session. This changes earlier this year with the publication of the code of practice, since it allows us to talk about these issues publicly, and now these powers are also in the bill.
Caroline Wilson Palow, from Privacy International, starts with the state of the law on equipment interference. The publication of the code of practice was the first time this power was unveiled. Three major laws are relevant: the computer misuse acts makes it illegal for most people to hack, but some exceptions were foreseen for investigations for example; the intelligence services claim they were authorized to hack under the intelligence services act, which authorizes them to interfere with either property or telecommunications equipment — there are domestic provisions, but also allows them to violate the law abroad; finally, the police act allows them to interfere with property and telco. This was the landscape, and earlier this year the code of practice confirms that they services and policy can interfere with equipment. Domestically this requires some warrant, but abroad it is very broad as long as computers are outside the UK. Interestingly the equipment has to be overseas. The IPBill has targetted equipment interference, to replace the relevant sections from the intelligence services and policy acts. However those warrants can be broad to cover a lot of equipment, including “thematic warrants”, that are not in fact all that different from more bulk warrants, simply by specifying location or activity to justify hacking into a lot of equipment. Then there is Bulk Equipment Interference, that seems to be targeted overseas. That covers hacking any equipment as long as the information sought was overseas, including possibly equipment in the UK.
Malcolm Hutty from LINX is next. LINX is an internet exchange point, where many internet network operators connect to each other to exchange data (and interconnect on the cheap to make the internet work) — there are 600+ network operators there from the UK and abroad. They carry 3 TBit a second. Linx represents its members, but it does not have a collective view about proportionality, but it will inform the debate on the technical matters. Equipment interference relates, however, to their core business — in fact a critical infrastructure, and a lot of their work goes into securing it. As a result they do have a perspective as to what it takes to secure critical infrastructure. So while they work with parts of the government when it comes to secure their infrastructure, other parts of governments seems to be going around poking holes in it. There might be some legitimate uses of equipment interference, such as when looking at seized evidence. Similarly, if some of the data is stored in a cloud, it might be fine to use a client to access it. Modifying the data opens up issues of integrity of evidence. However, going further opens up questions: exploiting a software vulnerability to break to security provisions of a coud providers is new territory. How to know how much damage this will cause? Using such capabilities, and assume that only good guys will use such vulnerabilities, while assuming the bad guys will not is magical thinking. Once those techniques are applied against infrastructure, there is a question of how to assess the necessity and proportionality of equipment interference. It is hard enough for the operators themselves to assess what the critical inputs to critical systems are — if you were to hack into them it is difficult to know the extent of the damage. It is very difficult for an intelligence officer to assess the impact of using a vulnerability, without knowing all details of how systems are used. And the impact ranges from the minor to the absolutely catastrophic. Thus this part of the bill needs to be reviewed not only for the balance of security and privacy, but also to avoid harm to the security of the UK.
Antony Walker, from TechUK represents the internet service providers in the UK. This sector is important and growing, and all these companies depend on securing the trust of their customers to stay in business. Thus the questions of equipment interference has a direct relevance on how those companies can sell themselves and be trusted around the world. This has a serious economic impact. A number of things raise serious concerns or need improvements. The UK government has to be congratulated for presenting a bill with these issues to have this debate. One of the ambition was a clear bill, and as the bill stands this bill is quite imprecise in its definitions and the definitions of powers; the powers are vague, while the safeguards are narrowly defined. As a result companies are struggling to understand: for example the language around encryption; as well as equipment interference. Secondly, this is a unique opportunity to influence this global issue. Thus the more this bill introduces extra-territoriality the more difficult it will be to play nicely with others around the work, whose cooperation is needed to secure cyber space. Targeted interference might be necessary; however, compulsion to assist is very different, and also provisions on bulk interference are a real problem. There is a risk that those provisions will increase the number of vulnerabilities, instead of fixing them. So when it comes to bulk interference we need to pay attention to proportionality, and this will affect more than phone, and things like the internet of things.
Kier Starmer MP is next, from Labour. The IPBill is going to be a major legal and legislative issue in the next 12 months. The review of surveillance legislation since RIPA is well overdue. RIPA was about phones and landlines, Facebook did not exist back then. Just as powers are extended, from the Labour party point of view, the safeguards have to be subject to the same scrutiny. Kier is in charge of this policy at Labour, he worked for Liberty and represented high-profile cases, and worked as director of public prosecutions. For example a plot to bring down planes across the Atlantic, and there was a need to get data in real-time, and prosecute. Comms data is used routinely for more day-to-day cases, including serious exploitation cases. Some initial thoughts on the bill: it is a draft that needs to be discussed. It is in that part of the process that earlier bills were stopped. It is a long bill and the devil is in the details. The second challenge is oversight: there is a “double lock” but this is not full judicial oversight, and he thinks that judges could be doing this job of oversight. Another aspects that needs scrutiny is the retention or data. Overall this bill is necessary, but it is important to get it right.
Finally, Chris Farrimond from the National Crime Agency. He was at SFS about 16 years ago. He points out that the role of the police is to protect the public, and the principle of policing by consent is still important. In the past policing was about local matters, whereas now they are about national and international operations. So explaining to the public the relevance of police actions to them is harder. There are however processes through which intrusive powers are overseen: everything action has an audit train, an applicant that has to make a case, explain the proportionality of the request. So there is an accountable authorizing officer. The IPBill is mostly about updating legislation, since older laws are not keeping up to date with new technologies. While the techniques are not brand new powers, he sees them as an updating — maybe with the discussion about ICRs. The powers of equipment interference, for example follows the existing powers about interfering with premises. However, powers of equipment interference are much more specific. The codes of practice are going to be very import, since they are really the up-to-date dos and donts, and the police has to comply with them.