Witnesses: Professor Bill Buchanan, Erka Koivunen, Cyber Security Advisor, F-Secure and Eric King, Deputy Director, Privacy International.
Yesterday, F-Secure’s cyber security adviser Erka Koivunen was called to the British Parliament to give expert witness testimony to the Joint Committee scrutinising the draft Investigatory Powers Bill (also known as the Snoopers’ Charter).
Erka’s testimony follows F-Secure’s bid back in October to warn the government that its plans to implicate technology companies in its bid to collect data on people’s digital lives was technically flawed and potentially harmful to British business. You can watch his testimony here — it begins at timestamp 15:13:50 or 58:45 on a mobile device.
The draft Bill was introduced in early November, the Joint Committee has spent the last month or so listening to witness testimonies and receiving written evidence. We can expect the Committee to give its report in early next year after which the Bill would proceed to the Parliament sessions.
The Bill proposed by the Home Office aims to overhaul the powers law enforcement and intelligence agencies have to collect data within the UK. However, given the fact that most of the activities have been taking place already, the biggest changes appear to be how the government would define specific terms to its advantage.
We, and many other expert witnesses, have voiced our concerns over the ambiguity of the terms and lack of clarity as to which type of companies the requirements would fall to.
The text refers to telecommunications service operators as ‘Communications Service Providers’ (CSP), apparently in an effort to expand the scope from traditional operators to the likes of Skype, Facebook and Apple. Regardless of where in the world they operate from. The loosely defined providers are expected to collect and store data of their users’ internet usage – the so-called Internet Connection Records (ICR). In some government comments, these have been likened to an itemised telephone bill. Sounds harmless, doesn’t it?
There are also passages about interception and something that has been referred to as ‘Equipment Interference’. These are conducted in a targeted fashion but also in bulk or in a subject-matter fashion.
Nice, but what do these terms mean, exactly?
Interception is something that a layman would call eavesdropping.
This is where somebody else’s communication is being monitored, copied and stored without the consent of the communicating parties. According to the Bill, that someone can be an individual, a group of people exhibiting similar trait or basically everyone. The eavesdropper may snoop in on the content of the communication or may be limited to the so-called metadata. Eavesdropping can be considered to be a passive activity although the preparatory act of equipping the communications systems for eavesdropping and the data extraction are anything but passive.
Equipment Interference is a euphemism that covers everything from ‘police malware’ to be planted on a suspect’s computer and ranging all the way to introduction of backdoors to software products or outright breaking in to other people’s computers and networks. These actions are active by nature, and highly covert. The law enforcement and intelligence officials will not discuss anything about what, how or when. But here they are, asking for parliament’s blessing.
Even the obvious-sounding term appears to be laden with hidden meanings. In the evidence given to the Committee, it has become clear that the proposed Internet Connection Record is not a thing. This type of ‘itemized’ data is not being collected at the moment and the operators see no value in collecting such material. Rather the contrary! Collecting and storing session logs from all internet traffic and all users generates huge amounts of data that must at the same time be kept secure and accessible. Not an easy task!
To accompany Erka Koivunen’s appearance, F-Secure has also submitted written evidence which provides more detail for the Committee to consider.
Here are F-Secure’s main concerns:
Lack of clarity
o There is a great level of ambiguity in the Bill’s scope and applicability to not only F-Secure but technology and cyber security industry as a whole
o The Bill can be interpreted in a fashion that it forbids the use of strong cryptography, most notably the use of end-to-end encryption.
Extremely broad mandate
o The Bill introduces a variety of bulk collection methods and even the so-called targeted methods appear overly broad
o Our own evidence suggests that LE hasn’t exhausted even the existing avenues to acquire information via targeted requests.
One mustn’t break the technological foundations of our information society in an effort to defend our safety
o By deliberately weakening cryptography and breaking the cyber security protections, one does harm to businesses and to ordinary citizens by exposing them to criminal activity online.
o By constantly lowering the barrier to engage in active network attacks one only encourages other nations and non-state actors to follow suit.
Democracy requires transparency, freedom of speech requires privacy and we should expect that authorities give much consideration to proportionality. What is commendable about the Bill, however, is that what we believe to be the first time, the mandate of law enforcement and intelligence services to operate in cyberspace is being discussed in the Parliament. While we have strong reservation towards the Bill, we applaud British government’s courage to bring the difficult topic for the public debate and subject it to democratic process. We hope this is not the end but rather a fresh start.
What's easier than typing, clicking or even swiping left? For most of us, speaking. Until we can get actual USB ports in our brain, our mouths may be the quickest way to make our our desires known to our devices. And as it Internet of Things develops, we're going to be doing more and more talking to machines, including our thermostat, light bulbs and possibly even our drones. Fans of Siri and the Amazon Echo are already familiar with the benefits of a conversational interface. But, as with any new technology that gains widespread adoption, privacy and security concerns are inevitable. We spoke to F-Secure's Cyber Gandalf Andy Patel about what users of voice-activated technology should know as they make the leap into this newer realm of connectivity that has long been imagined by science fiction visionaries from Philip K. Dick to Star Trek's Gene Roddenberry. So are these voice-activated devices listening all the time? Yes. In order for a device to react to a voice command without the user pressing a button to activate the feature, the device must listen all the time. How could this be used against us? If a device streams voice data to a server for processing, a few privacy and security implications arise. If the data is being streamed in an insecure way, it can be intercepted by a third party. If the speech data is stored insecurely, it can become compromised in the case of a data breach. It can also potentially sold to a third party. Speech is processed into text. That text might be stored, it might be associated with its source, and it could also be leaked. When the speech processing service returns data to the device that requested the processing, it could also be intercepted. Are the any real privacy concerns for owners of voice-activated devices? Some companies outsource their speech recognition services and cannot properly account for the processes and collection methods used by those companies. Along those lines, just last year, Samsung TV voice recognition made the news for recording owners' chatter. Voice command systems can also be maliciously hijacked. Last year, a group of French researchers demoed a method for remotely controlling Siri from a distance, using sounds that triggered Siri’s voice control, but that couldn’t be recognized by a human. So what will voice-activated technology look like in five or ten years? Big names are interested in voice control because they attach it to AI and machine learning systems -- which are, in turn, fed by the Big Data they’ve collected -- for an interactive experience. The end goal would be a scenario where you could ask your computer to perform arbitrary tasks in the same manner as on Star Trek.
We used to search holiday magazines to find the hotel that offered the biggest pool and then triple check that the hotel has air conditioning. If we were really picky, we wouldn’t look twice at a hotel that didn’t offer cable TV. Now we see the perfect summer holiday in a different light. We can’t possibly leave our smartphones, tablets and laptops behind. A survey by Energy Company E.ON revealed that the most important feature hotels must have to even be considered is free Wi-Fi. Why do we find it so difficult to disconnect ourselves from the digital world? Even when we’re sitting in the beautiful sunshine, sipping on cocktails and splashing in the sea? Partly our digital dependence is practical, of course. The web helps us navigate around our holiday destinations finding the best attractions, the coolest bars and most remote beauty spots. But if we’re honest, many of us would admit that we’re so digitally connected because we don’t want to miss anything happening on Facebook, Instagram, Snapchat, Twitter and all the other social apps filling our electronic wonders. We continue to check in, trying to make our friends jealous by posting the latest update about our perfect holiday. Now that we’ve settled that an internet connection is a top holiday priority, why don’t we just use our phone network? Simple: we’ve all heard the horror story of someone getting crazy high bill after spending just a few days in Spain. So, we’re constantly on the search for a local bar or café that offers free Wi-Fi. It’s a fantastic feeling to be wiser than our internet provider – they can’t spring us with unheard-of charges. But connecting to public Wi-Fi comes with its own risks, and, I would argue, scarier ones than an unexpected post-holiday bill. For example, take a look at this infographic. It shows the personal data that can be intercepted and the risks you face to your privacy when you connect to public Wi-Fi without using a VPN. If the thought alone of anyone being able to snoop on what you do online isn’t enough to want to run away from ever connecting to public Wi-Fi again, then think about the bigger risks. The worst case scenario here is you could become a victim of stalking, receive threats, or have your identity stolen. This might sound farfetched, but with what information you reveal on public Wi-Fi, is it worth the risk? If you use a VPN like Freedome while on public Wi-Fi, all your internet traffic will be encrypted. This means instead of your internet traffic connecting directly to the websites from your device, revealing exactly what you’re doing online to the Wi-Fi provider, the VPN will garble your internet traffic and keep what you’re doing online anonymous. You internet privacy and safety is our biggest concern here, and Freedome will definitely provide that security. But here’s a little extra to boost your internet love and consumption when on holiday abroad: When in another country, you might not be able to stream your favorite content from back home. But with Freedome VPN, you can be “virtually” back in your home country, accessing all your favorite content as if you never left.
Every time you go online, your personal privacy is at risk – it’s as simple as that. Whether you’re creating an account on a website, shopping, or just browsing, information like your email, IP address and browsing history are potential targets for interested parties. All too often, that information is sold on or sometimes even stolen without you even knowing it. And the threats to our online privacy and security are evolving. Fast. As F-Secure’s Online Protection Service Lead, Christine Bejerasco’s job is to make life online safer and more secure. “We’re basically online defenders. And when your job is to create solutions that help protect people, the criminals and attackers you’re protecting them against always step up their game. So it’s like an arms race. They come up with new ways of attacking users and our job is to outsmart them and defend our users,” Christine says. Sounds pretty dramatic, right? Well that’s because it is. While it used to be that the biggest threat to your online privacy was spam and viruses, the risks of today and tomorrow are potentially way more serious. “Right now we’re in the middle of different waves of ransomware. That’s basically malware that turns people’s files into formats they can’t use. We’ve already seen cases of companies and individual people having their systems and files hijacked for ransom. It’s serious stuff and in many cases very sad. If your online assets aren’t protected right now you should kind of feel like you’re going to bed at night with your front door not only unlocked but wide open.” Christine and her team of 11 online security superheroes (eight full-time members and three super-talented interns) are on the case in Helsinki. Here’s more on Christine and her work in her own words: Where are you from? The Philippines Where do you live and work? I live in Espoo and work at F-Secure in Ruoholahti, Helsinki. Describe your job in 160 characters or less? Online guardian who strives to give F-Secure users a worry-free online experience. One word that best describes your work? Engaging How long is a typical work day for you? There is no typical workday. It ranges from 6 – 13 hours, depending on what’s happening. What sparked your interest in online security? At the start it was just a job. As a computer science graduate, I was just looking for a job where I could do something related to my field. And then when I joined a software security company in the Philippines, I was introduced to this world of online threats and it’s really hard to leave all the excitement behind. So I’ve stayed in the industry ever since. Craziest story you’ve ever heard about online protection breach? Ashley Madison. Some people thought it was just a funny story, but it had pretty serious consequences for some of the people on that list. Does it frustrate you that so many people don’t care about protecting their online privacy? Yeah, it definitely does. But you grow to understand that people don’t value things until they lose it. It’s like insurance. You don’t think about it until something bad happens and then you care. What’s your greatest work achievement? Shaping the online protection service in the Labs from its starting stages to where we are today. What’s your idea of happiness? Road trips and a bottle of really good beer. Which (non-work-related) talent would you most like to have? Hmmm… tough. Maybe, stock-market prediction skills? What are your favorite apps? Things Stumbleupon What blogs do you like? Security blogs (F-Secure Security blog of course and others – too many to list.) Self-Help Blogs (Zen Habits, Marc and Angel, etc.) Who do you admire most? I admire quite a few people for different reasons. Warren Buffett for his intensity, simplicity and generosity. Mikko Hyppönen for his idealism and undying dedication to the online security fight. And Mother Theresa for embodying the true meaning of how being alive is like being in school for your soul. Do you ever, ever go online without protection? Not with systems associated to me personally, or with someone else. But of course, when we are analyzing online threats, then yes. See how to take control of your online privacy – watch the film and hear more from Christine. See how Freedome VPN will keep you protected and get it now.