Friday 15 January 2016

Snoopers’ Charter. Is Big Sister Watching You?

Another surveillance Bill is to go before Parliament, but will it actually make us more secure, or is it just an invasion of our privacy? Nicole Kobie investigates

It’s back. The government is trying yet again to pass a Snoopers’ Charter, this time under the guise of the Investigatory Powers (IP) Bill. If passed, it will give various authorities – from police and spies to HMRC – the ability to see the websites we visit, who we message online, and even hack our PCs.


“This new Bill is very different in form from the last ‘Snoopers’ Charter’, though in some ways it has some of the same effects,” said Paul Bernal, law lecturer at the University of East Anglia. “It’s much more comprehensive than the old Communications Data Bill. Things like the sections on ‘equipment interference’ (the euphemism for hacking) and ‘bulk powers’ – which they try very hard but not entirely successfully to differentiate from ‘mass surveillance’ – are essentially new, and only really in place because the government was forced into putting them in by the various legal actions taken against it.”

The UK needs laws to manage surveillance and interception, but whether this is the right one remains to be seen – and as a draft, it could face many changes before it’s laid before Parliament in 2016. Here, we’ll talk through the history of the Bill, what’s in it, what it means for you, whether it can keep us safe from terror attacks and serious crime and what you can do to help the UK set aside the idea of a Snoopers’ Charter for a robust, modern law that respects privacy while helping ensure security.

Long history


None of this is new. Regardless of who’s been in power, the government has been trying to pass a law covering digital surveillance since 2008. Back then, to help with investigations, telephone operators were already keeping phone and text message data for a year – not the contents of your SMS, but who you sent it to and when. Introduced by Labour, the Communications Data Bill 2008 looked to extend that to include email and other digital message metadata. This was to be stored for two years in a massive, searchable database.

Jacqui Smith, then the Home Secretary, said that without searchable access to such data, police and security services would have to consider a “massive expansion of surveillance”, according to a BBC report that year. At the time, the plans – particularly the database – were roundly criticised as ‘Orwellian’.

Labour didn’t manage to pass that Bill before the election in 2010, which brought in the coalition government. In 2012 there was a new draft Communications Data Bill requiring such metadata to be held for a year by internet and phone companies, though not in a large database. That Bill was blocked by the Liberal Democrats, with then Deputy Prime Minister Nick Clegg withdrawing his support in 2013.

After the Conservative Party took power in the last election, Home Secretary Theresa May pledged to try again. Her take is the new Investigatory Powers Bill.

What's in the Bill?


As a draft, much could be set to change before the Bill becomes law – if it becomes law – with committees already debating aspects of the document before the final version of the Bill is put before parliament next year. Here are the key points of the draft as it stands:

• Phone and internet companies would be required to store messaging data as well as the top-level domain of websites you visit for a year, in order to offer access to police and security services.

• It allows (for the first time) bulk collection of personal communications data.

• It allows authorities to hack computers and phones, alongside powers to bug them, and forces companies to help security services to break into their own systems.

• Communications of MPs can be intercepted, but only with the PM’s knowledge, while tapping journalists and other sensitive professions requires special permission.

• New oversight will create an investigatory powers commissioner and require judicial approval for some interceptions.

That’s the short version. The Bill runs to 297 pages of legal terminology – it’s not fun reading – but as with any potential law, the devil is in the detail and critics have been carefully unpicking the draft document to try to understand what the government is hoping to achieve.

Data collection


One of the most controversial aspects of the Bill is the requirement of communications service providers (CSPs) – such as ISPs, mobile operators and the like – to keep records of users’ browsing history, called “internet connection records”, for one year. That includes the top-level domain visited, such as www.bbc.co.uk, but not the individual pages visited.

The government has compared the internet connection records to phone call logs, saying they merely track what site you connected to, and not what you read or posted while there. “If someone has visited a social media website, an internet connection record will only show that they accessed that site, not the particular pages they looked at, who they communicated with, or what they said,” May told Parliament when the Bill was introduced.

That argument didn’t convince Paul Bernal. “Our browsing history really should remain private unless there’s a very good and specific reason to collect it,” he said. “The risks here are huge and not properly admitted: this is nothing like the ‘itemised phone bill’ mentioned by Theresa May at all, but a record of pretty much our entire online life.”

“Keeping a record of the websites that everyone has visited is an unprecedented step,” agreed Jim Killock, executive director of the Open Rights Group (ORG). “It doesn’t happen in the US or any EU or Commonwealth country and we don’t think it should happen in the UK. We would like to see these proposals dropped.”

The data collected isn’t limited to browsing records, but also includes messaging data. That doesn’t include the content of the message – that would qualify as ‘interception’, which we’ll get to later – but who you sent it to, when you sent it, where you sent it and how you sent it. For example, if you sent a friend a text, Facebook private message or email, your ISP or mobile company would know the date, location, and identity of who you sent it to, but not what the message actually said.

Of course, URLs reveal much about the content of a site, even if authorities don’t know what specific page you read. And, as many have noted, this will all be held by ISPs such as TalkTalk, which recently leaked the private information of tens of thousands of customers after being targeted by teenage hackers.

There are some controls on who can access such data. Only public authorities approved by parliament can see it, but that includes not only the police, security services and HMRC, but also the Departments of Health, Transport and Work and Pensions – as well as the Food Standards Agency (FSA) and the Gambling Commission.

Why might food investigators want access? The FSA told the online magazine Motherboard that “these powers were requested following the establishment of the National Food Crime Unit in response to the horsemeat incident in 2013”, saying that comms data is necessary to “identify offenders and their criminal activity”.

Local authorities can only access messaging data with magistrates’ approval, and are banned from seeing browsing records. Police, meanwhile, will not be widely allowed to access such data; they’ll have to seek permission from a senior police officer. If the person being targeted is a journalist’s source, authorities need judicial authorisation first – however, such oversight is already being criticised as too weak, which we’ll explore later.

Broken encryption


Before the draft Bill was released, there was speculation that encryption would be banned, spurred by comments from the Prime Minister that terrorists would not be given a “safe space” to hide online. Confusion reigned, as David Cameron’s office subsequently said the PM wasn’t calling for a ban on encryption. It’s nigh on impossible to ban encryption – it keeps online banking safe, after all – a point made by many after Cameron’s comments.

Despite the rampant speculation, there’s little reference to encryption in the actual IP Bill draft, and there is no outright ban. That doesn’t mean encryption isn’t at risk, however. The Bill keeps an existing legal tool to give companies a “technical capability notice”, which could require them to find ways to give security services access. And that means breaking encryption, noted Jim Killock: “Communications providers may also be compelled to compromise software – that is, weaken encryption – to comply with demands for interception.”

That means there would be no blanket ban on encryption in the UK, but that the government could order holes to be poked in it – and companies under such orders can’t tell users that they are under such technical requirements, under threat of two years in prison.

Government hacking


It’s no surprise that police and security services can tap phones, but if this Bill passes, they will also be legally allowed to hack computers and mobiles. “The Bill sets out the security agencies’ powers to break into our laptops and mobile phones, including worrying new powers for non-targeted ‘mass hacking’,” explained Killock. “It also gives the police hacking powers.”

The IP Bill euphemistically calls the practice “equipment interference”, and suggests that if authorities can’t get at your data in other ways – such as if you use VPNs and your own strong encryption – then they’ll simply hack your devices.

However, hacking is subject to the same tough rules as tapping phones, which the Bill refers to as interception. Both will be allowed only for serious crimes or national security, and will need the permission of the Secretary of State, as well as a judicial commissioner – a set-up the government refers to as ‘double lock’ oversight.

Oversight


For the first time, the so-called Snoopers’ Charter includes oversight, meaning there’s a higher power above GCHQ and the Home Secretary. In this case, that will be the investigatory powers commissioner, who will monitor surveillance and interception use and publicly report on it, as well as a panel of several judges who will approve some activities, including hacking and interception.

For example, the security services will be able to view your browsing history without a warrant, but they won’t be able to tap your phone or hack your computer without getting approval from the Home Secretary and a panel of judges. That ‘double lock’ means the Home Secretary can’t approve the most invasive activities with only her own signature, but must also convince others to give judicial approval. The only time the Home Secretary won’t need approval is in extremely time-sensitive cases, which the Bill currently defines as those needing action within five days – decide for yourself if judges can’t be expected to give approval during a single working week.

While the first steps toward oversight were generally welcomed, the details still need work, suggested Killock. “The Home Secretary claimed that the Bill will introduce judicial authorisation to some surveillance warrants, which would mean sign off by a Secretary of State and a Judicial Commissioner,” he said. “However, in reality, the Judicial Commissioner would only be signing off on the process, not on whether surveillance is justified. This in effect would be a rubber stamp, not authorisation. Judicial authorisation needs to be much more rigorous.”

What's the good news?


While you may not be a fan of police having hacking powers or spies collecting data in bulk, the simple fact is this has long been happening, which we know thanks in part to Edward Snowden’s leaks. The IP Bill would bring that activity into the open, and is being seen by some as an admission that such activities have been taking place and (perhaps optimistically) as a sign that GCHQ and the government are willing to be a bit more open about it.

“The government can no longer be as secretive as it used to be – and that is in general a good thing, but it does mean that they’re trying to set in stone powers that many people think they shouldn’t have,” said Bernal.

Indeed, Privacy International pointed out that the Bill includes “multiple bombshells” about government activity. “Did anyone know that the police were hacking? No,” said executive director Gus Hosein. “They also confirmed the suspicions of Privacy International, revealing that MI5 collects, retains and mines a database of phone records of everyone in the country, and has done so for the past decade.

“These intrusive powers were long shrouded behind the opaque ‘we can neither confirm nor deny’,” he added.

On the flip side, by legalising such surveillance, it also means the government isn’t reining in such activities, which many people had hoped would happen following the debate about digital spying sparked by Snowden. “The Bill endorses the bulk collection of communications data by the intelligence agencies as revealed by Edward Snowden,” said Killock.

“It does not limit or restrain the practices exposed by Edward Snowden. Judges and oversight need to guarantee that GCHQ are using their technical powers for targeted surveillance and that intercepted data should not be stored and analysed beyond what is necessary to capture specific targeted material, rather than using them in a blanket fashion for fishing expeditions.”

Perhaps the best aspect of the IP Bill is that it’s in draft form, opening up genuine debate over the serious issues of surveillance and security. “This Bill gives us the opportunity to demand that powers are granted by democratic consent, and not taken in secret, only when necessary in a modern democratic society under the rule of law,” said Hosein. “We can now have a national conversation about what kind of world we want to live in, which surely is one governed by fair laws and democratic deliberation, and not one of secret powers that is the reserve of despots.”

Whether the IP Bill passes or not, we’re all potentially under surveillance. That’s not paranoia: if our own government doesn’t spy on us, it’s safe to say the US or another nation may instead. After all, these laws apply only to snooping by police and security services in the UK, not internationally.

It’s safe to assume any capabilities entrenched in law here are also being used against foreigners, and the same is being done to us by other nations. We also have to believe the authorities aren’t installing these laws only to ignore them, or to follow the letter of them but not the spirit, and work round them to get the data they want.

F-Secure analyst Sean Sullivan said new laws should help keep authorities in check, for a time at least. “Military-minded people seem to like following ‘the rules’, based on my research,” he said. “Problems of unwarranted surveillance occur when politicians push law enforcement and intelligence agencies to bend and stretch the law. A terrorist action can push politicians to act out of fear, while military-minded people act with an undue amount of concern towards some sort of absolute security.”

Can this Bill stop terror attacks?


In 2013, a pair of extremists murdered Lee Rigby on a Woolwich street. Within days, Home Secretary Theresa May was citing the horrific crime as a reason to push through the Communications Data Bill.

The same happened after the shootings and bombings that hit Paris in November, with calls to speed up the process of the IP Bill. In the days after the attacks, Lord Carlile – who formerly reviewed terror laws for the government – said that “extraordinary times” mean the Bill should be expedited, “so that rather than becoming law by the end of 2016, which is the plan, it should become law as soon as possible”.

That view was echoed by London Mayor Boris Johnson, the Sun newspaper and other journalists, and even Cameron initially signalled he may agree, telling Radio 4’s Today programme that “we should look at the timetable”. Critics disagreed, with the ORG saying “it is vital that it is scrutinised and debated properly”.

The pattern is noticeable: terror attacks and other extreme crimes lead to a tightening of laws, especially around surveillance and security. Indeed, Lord Carlile said after the Rigby murder that the crime should “haunt” then Liberal Democrat leader Nick Clegg, as he blocked the passage of the Communications Data Bill, and made similar comments after the Charlie Hebdo shootings in Paris at the beginning of 2015.

While it’s perhaps an understandable reaction to want to take every protective precaution in the wake of such terrible outrages, are the authorities right to do so? Bernal doesn’t think so. “I don’t think any of this Bill could have any impact on attacks like those that have just happened in France. The perpetrators of that attack – or at least a significant number of them – were already known to the authorities, and existing powers would have allowed those perpetrators to be under surveillance anyway. The same has been true of all recent attacks, from the murder of Lee Rigby and the Boston bombings to the Sydney siege and the Charlie Hebdo shootings. The kind of mass powers and collection of internet history of everyone is nothing to do with this kind of thing at all.”

Indeed, while officials told the New York Times the Paris attackers used encrypted communications, they offered no evidence, and a phone discovered at the scene of one of the crimes suggested the killers were simply texting each other to coordinate the attacks. As Bernal noted, the shooters and bombers were already known to authorities, so targeted interceptions could have been used – which are already allowed for under existing law.

On top of all that, France not only tightened its surveillance after the Charlie Hebdo attacks, but the NSA’s ‘215 Program’, which collects communications data en masse across Europe and the Middle East, is designed to “detect a Mumbai/Paris style attack,” according to Stewart Baker, a former NSA official, quoted in Slate.

In fact, all the data being collected may be making security services’ jobs harder. “The amount of metadata which is now being generated by internet technologies is scaling far beyond what any one particular agency can possibly analyse proactively,” said F-Secure’s Sullivan. “Politicians and the people who they serve need to begin realising that it’s more important to react to a crisis (whether it’s natural or human-made) than to waste resources in a futile effort to prevent one. An effective response will do more to dispel fear and thus negate the motivation of would-be attackers.”

While mass surveillance may not have prevented the Rigby murder or the Paris attacks, IS does use encrypted messaging apps, as do other terror organisations and more generic criminals. In the spotlight since the Paris attacks has been the secretive messaging app Telegram, which was used by IS to issue an announcement claiming the attacks as its work. The app’s owners have since shut down dozens of ‘channels’ that were apparently used by IS to release its messages.

“The good of encryption far, far outweighs the bad,” Sullivan said. “And criminals and terrorists don’t even rely on it.”

He added: “Criminals do not trust the latest generation of tech. Old feature phones are still very popular on underground auction sites. The Paris attackers reportedly had a criminal history which involved drug dealing. And, from what has been reported, they used ‘dumb’ phones and SMS (ie, plain text), burner phones and operational security in order to carry out attacks which were planned face to face.”

Staying private


If you don’t trust the powers that be not to snoop, you can take privacy into your own hands. However, remember that under the IP Bill the government could require any company to place backdoors in their services or software to make data extraction possible, and that the government is giving security services and police the power to hack computers, either of which would undermine the tools we’re about to discuss.

To protect your browsing, you could turn to a virtual private network. “A commercial VPN service is a useful option if you want to avoid having your web-browsing history stored by your local ISP,” said Sullivan. “Using an alternative DNS provider may also limit the amount of data that can be collected.”

However, that comes with a warning. “More than ISPs might be classified as Communications Service Providers (CSPs),” Sullivan noted. “The Bill, as currently written, has a very broad definition of ‘communications’ and, as such, almost any service could potentially be considered a CSP. Reportedly, Theresa May recently declined to answer whether VPNs are considered CSPs. I don’t think they have decided yet.”

That would mean metadata flowing via VPNs would have to be recorded. However, Sullivan said we will know if that’s the case. “It won’t be a secret – the act requires the Government to send a retention notice to the CSP, at which point the VPN service would be free to label itself as a CSP. They wouldn’t be able to inform anybody being tracked by the Government – but generalised transparency reports would provide an idea.”

You can also encrypt your own data (see below). If you use an encrypted messaging service, the government could force the provider to insert a backdoor, but Sullivan said that’s unlikely as it’s not normally necessary. “The majority of internet services are not completely encrypted from end-to-end, and even those that are can still provide valuable metadata about who chatted with whom,” he explained. “It’s possible to force companies to log metadata without injecting ‘backdoors’ into the technology.” That means using an encrypted service will protect the content of your messages, but still reveal who you were speaking to.

What can you do?


Aside from taking technical measures to protect your own communications from the government – be that GCHQ or food investigators – the fact that this Bill is a draft means there’s time to rein it in and strengthen the oversight, or whatever other changes you think it needs.

The deadline for submissions to the committee passed in November, but you can still contact your MP to express your opinion, or support groups such as ORG or Privacy International, which will hopefully be asked to present evidence at the various committee meetings.

Most MPs aren’t tech experts, but if you’re reading Computer Shopper, you clearly are, so give them the benefit of your technical savvy and help make sure we end up with a surveillance law that doesn’t leave us open to TalkTalk-style hacks or interfere with our right to privacy, while still giving GCHQ and the police the powers they need to fight terrorists and serious crime.

Otherwise, after years of battling, we may finally end up with a Snoopers’ Charter, rather than a modern law that finds the balance between privacy and security.


Broadband costs


The government has budgeted £175 million to help ISPs pay to hold internet connection records for a year, but that’s apparently not enough.

Matthew Hare, head of ISP Gigaclear, told a parliamentary committee examining the Investigatory Powers Bill that he’s concerned about the amount of data ISPs would have to collect and how much that would cost. “The indiscriminate collection of mass data across effectively every user of the internet in this country will have a massive cost,” he said.

James Blessing, the chair of the Internet Services Providers’ Association, said customers will end up having to pay for that with price rises. “Even if the hardware costs are met up front, which is the established method for cost recovery, the ongoing costs of storing and looking after that data – the cost of powering servers with hard discs spinning – will still have to come out of individual end-user customer price rises,” he said. “They will not be massive, but they will still be price rises.”

Encrypting your data


The IP Bill is essentially about communications, but if you want to start with your own PC, you can encrypt your entire hard drive using Microsoft’s BitLocker, if that works with your PC, or you can opt for alternatives such as AESCrypt or DiskCryptor. If you want to encrypt USB sticks or other external drives, BitLocker to Go will handle that for you.

If you want to ensure you’re always on the HTTPS version of a site if there is one, you can install the HTTPS Everywhere extension from the Electronic Frontier Foundation for Firefox and Chrome. If you want to protect everything you send, install a VPN.

Cloud storage systems such as Dropbox are encrypted, but the company holds the key, so it can be unlocked if required by law. If you want a stronger level of encryption, simply upload your files in encrypted folders, such as setting up a TrueCrypt folder inside Dropbox.

Email is normally encrypted in transit, but that is not the same as end-to-end encryption. In Outlook, you can use digital certificates to encrypt messages, requiring the sender and recipient to exchange digitally signed messages. Step-by-step instructions are at tinyurl.com/337outlook.

The most common way of encrypting data through the entire email process is PGP, which lets you create a public and private key. Email clients such as Thunderbird and Postbox let you encrypt easily, but you can also do it with your webmail of choice via the browser plugin Mailvelope.