Euro Security Watch with Mathew J. Schwartz

Britain's New Mass Surveillance Law Presages Crypto Fight
Parliament Passes 'Snooper's Charter' Pilloried by Privacy Rights Groups

Britain has enacted a new mass surveillance law that continues to draw criticism from privacy advocates. The Investigatory Powers Act 2016 was passed by Parliament and signed into law by the Queen this week.

The home secretary, Amber Rudd, hailed the IP Act using typical political bravado, lauding it as "world-leading legislation" providing "unprecedented transparency and substantial privacy protection" while allowing police and intelligence services to better battle terrorists.

But the new law enshrines the government's right to "bulk data collection" despite the EU's high court ruling that such untargeted collection violates human rights. And the inventor of the world wide web, Tim Berners-Lee, has slammed the new law, calling it a "security nightmare."

"This Snooper's Charter has no place in a modern democracy - it undermines our fundamental rights online," he tells the BBC. "The bulk collection of everyone's internet browsing data is disproportionate, creates a security nightmare for the ISPs who must store the data - and rides roughshod over our right to privacy. Meanwhile, the bulk hacking powers in the bill risk making the internet less safe for everyone."

Many privacy rights groups, which have been fighting the bill every step of the way, also remain concerned. Jim Killock, executive director of the Open Rights Group, has branded the IP Act as "one of the most extreme surveillance laws ever passed in a democracy," noting that it gives "police and intelligence agencies ... unprecedented powers to [monitor] our private communications and internet activity, whether or not we are suspected of a crime."

Numerous privacy experts predict that the bill will now be used by authoritarian regimes to justify their own domestic surveillance regimes.

Petition Seeks Overturn

A Parliament petition calling for the law to be repealed now has more than 140,000 signatures, which will require Parliament to consider debating the measure.

The Home Office has already responded to the petition, claiming that the new law was subject to "unprecedented scrutiny prior to and during its passage" and that more than 1,700 amendments to the bill were proposed and debated this year.

"The Investigatory Powers Act dramatically increases transparency around the use of investigatory powers," it claims. "It protects both privacy and security and underwent unprecedented scrutiny before becoming law."

If At First You Don't Succeed

This wasn't the first attempt by the government to push through the controversial law, which has been branded the Snooper's Charter by critics because of its focus on giving the government greater surveillance powers (see UK Debates Rebooted "Snooper's Charter").

The bill was first proposed by former Home Secretary Theresa May, who's now the country's prime minister. Critics say its passage may have been aided by Parliament's focus on Brexit.

The government says some provisions contained in the new law will need to be extensively tested and won't take effect for some time. But other parts of the law will take effect almost immediately. For example, before Dec. 31, when the current Data Retention and Investigatory Powers Act 2014 expires, ISPs and mobile phone services will be required to retain for 12 months the internet browsing, voice call, email, text, internet gaming and mobile phone usage records for every subscriber.

Backdoors Subvert Security

The new law also gives the government the power to require companies that do business in Britain to weaken their crypto on demand. That led many technology giants - including Apple, Facebook, Google, Microsoft, Twitter and Yahoo - to warn Parliament earlier this year that the bill stood to undermine personal security.

In particular, technical capability notices, as defined under clause 217 of the bill, can be imposed on any telecommunications operator, requiring them - in the bill's language - to remove any "electronic protections" on encrypted communications. The government can also legally prevent the organization from publicly discussing that it's been served with such a notice.

But strong crypto - meaning any strong encryption scheme with no backdoors - is essential for helping individuals, organizations and governments defend themselves against everyone from corrupt law enforcement agents and cybercriminals to foreign powers and bored teenagers.

"What a lot of politicians and lawmakers fail to understand is that if the U.K. government has a backdoor into encryption software, so does every other government on the planet," Dublin-based cybersecurity expert Brian Honan tells me. "So that means the Chinese, the Iranians, the North Koreans can get to that data. And they may not have the same qualms or structures in place to make sure that only authorized people get those keys or those keys are only used under certain conditions."

Thus, while the British government trumpets that its new surveillance law will help to better battle criminality and terrorism, if the government uses the law to weaken crypto by demanding backdoors, then it stands to make us all less safe.



About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.



