Witnesses: Professor Bill Buchanan, Erka Koivunen, Cyber Security Advisor, F-Secure and Eric King, Deputy Director, Privacy International.
Yesterday, F-Secure’s cyber security adviser Erka Koivunen was called to the British Parliament to give expert witness testimony to the Joint Committee scrutinising the draft Investigatory Powers Bill (also known as the Snoopers’ Charter).
Erka’s testimony follows F-Secure’s bid back in October to warn the government that its plans to implicate technology companies in its bid to collect data on people’s digital lives was technically flawed and potentially harmful to British business. You can watch his testimony here — it begins at timestamp 15:13:50 or 58:45 on a mobile device.
The draft Bill was introduced in early November, the Joint Committee has spent the last month or so listening to witness testimonies and receiving written evidence. We can expect the Committee to give its report in early next year after which the Bill would proceed to the Parliament sessions.
The Bill proposed by the Home Office aims to overhaul the powers law enforcement and intelligence agencies have to collect data within the UK. However, given the fact that most of the activities have been taking place already, the biggest changes appear to be how the government would define specific terms to its advantage.
We, and many other expert witnesses, have voiced our concerns over the ambiguity of the terms and lack of clarity as to which type of companies the requirements would fall to.
The text refers to telecommunications service operators as ‘Communications Service Providers’ (CSP), apparently in an effort to expand the scope from traditional operators to the likes of Skype, Facebook and Apple. Regardless of where in the world they operate from. The loosely defined providers are expected to collect and store data of their users’ internet usage – the so-called Internet Connection Records (ICR). In some government comments, these have been likened to an itemised telephone bill. Sounds harmless, doesn’t it?
There are also passages about interception and something that has been referred to as ‘Equipment Interference’. These are conducted in a targeted fashion but also in bulk or in a subject-matter fashion.
Nice, but what do these terms mean, exactly?
Interception is something that a layman would call eavesdropping.
This is where somebody else’s communication is being monitored, copied and stored without the consent of the communicating parties. According to the Bill, that someone can be an individual, a group of people exhibiting similar trait or basically everyone. The eavesdropper may snoop in on the content of the communication or may be limited to the so-called metadata. Eavesdropping can be considered to be a passive activity although the preparatory act of equipping the communications systems for eavesdropping and the data extraction are anything but passive.
Equipment Interference is a euphemism that covers everything from ‘police malware’ to be planted on a suspect’s computer and ranging all the way to introduction of backdoors to software products or outright breaking in to other people’s computers and networks. These actions are active by nature, and highly covert. The law enforcement and intelligence officials will not discuss anything about what, how or when. But here they are, asking for parliament’s blessing.
Even the obvious-sounding term appears to be laden with hidden meanings. In the evidence given to the Committee, it has become clear that the proposed Internet Connection Record is not a thing. This type of ‘itemized’ data is not being collected at the moment and the operators see no value in collecting such material. Rather the contrary! Collecting and storing session logs from all internet traffic and all users generates huge amounts of data that must at the same time be kept secure and accessible. Not an easy task!
To accompany Erka Koivunen’s appearance, F-Secure has also submitted written evidence which provides more detail for the Committee to consider.
Here are F-Secure’s main concerns:
Lack of clarity
o There is a great level of ambiguity in the Bill’s scope and applicability to not only F-Secure but technology and cyber security industry as a whole
o The Bill can be interpreted in a fashion that it forbids the use of strong cryptography, most notably the use of end-to-end encryption.
Extremely broad mandate
o The Bill introduces a variety of bulk collection methods and even the so-called targeted methods appear overly broad
o Our own evidence suggests that LE hasn’t exhausted even the existing avenues to acquire information via targeted requests.
One mustn’t break the technological foundations of our information society in an effort to defend our safety
o By deliberately weakening cryptography and breaking the cyber security protections, one does harm to businesses and to ordinary citizens by exposing them to criminal activity online.
o By constantly lowering the barrier to engage in active network attacks one only encourages other nations and non-state actors to follow suit.
Democracy requires transparency, freedom of speech requires privacy and we should expect that authorities give much consideration to proportionality. What is commendable about the Bill, however, is that what we believe to be the first time, the mandate of law enforcement and intelligence services to operate in cyberspace is being discussed in the Parliament. While we have strong reservation towards the Bill, we applaud British government’s courage to bring the difficult topic for the public debate and subject it to democratic process. We hope this is not the end but rather a fresh start.
In 1853 a strange new invention appeared in the English cityscape, and caused a small wave of moral outrage among Victorians. This perceived threat to social order was not a new drug, political movement or saucy romance novel, but the seemingly harmless letter box. One reason was the shocking development of women now being able to post letters without consent from their husbands or fathers, and the other one was that sending anonymous letters would now be even easier. Maybe Victorians weren’t very thick-skinned, and were worried about unsigned letters calling people zounderkites and rantallions skyrocketing. Who knows? History now tells us that these attempts to control this early form of long-distance communication were ridiculous. And yet, a modern version of this debate is happening even today: there are those who want to make encrypted, anonymous communication available for everyone, and those who wish to restrict it. No new technology comes without drawbacks, and encryption is no exception. However, just as with the Victorian letter box, the pros greatly outweigh the cons. But why do people want to be anonymous online? Those who oppose encryption and other methods which advance online anonymity often throw around the tired argument “If you don’t have anything to hide, you have no need to be anonymous”. Not only does this statement show an astounding lack of perspective, it is also blatantly false. According to CBS there is a rising increase in desire for online anonymity, and there are many perfectly valid and legitimate reason to cover your tracks online. A lot of us just don’t feel comfortable with their Internet Service Provider, employer or even government having access to their surfing information. We all have a right to privacy, but technology is increasing the size of our digital footprint to the point when we can never know who is monitoring what we do online. Legislation, like the aptly nicknamed Snoopers Charter have the potential to give governments and ISP’s blanket rights to monitor web traffic of normal users in the name of security. This means the responsibility to protect our individual privacy rests increasingly in our own hands, and VPN services like our own Freedome go a long way in making that happen. For many people, it’s about control. We share aspects of our lives and personality on social media and other websites, but the choice of what we share should be ours to make. This control is taken away by advertisers and tracking companies, who collect information about us from different websites and piece them together to form elaborate dossiers which contain way more information about us than most would be comfortable sharing, like your medical information or what kind of porn you watch. For many, part of being anonymous online is blocking this kind of intrusive tracking, and it’s hard to find fault in that. The most serious group of people wanting anonymity are those for whom it is not so much a matter of principle but a matter of life and death. We are talking about activists, journalists and opposition supporters who operate under oppressive regimes or in places where criminals seek out and silence those who speak against them. It’s easy for those who support intrusive privacy legislation to forget that the governments who enact them will invariably have ulterior motives to “catching terrorists” or “protecting national security”: they give governments the power to control what we say. Open and free communication is the greatest tool the masses have to keep those in power accountable for their actions, and there is nothing open or free about the kind of mass surveillance which is happening more and more, legally and otherwise. What are your reasons to be anonymous online? This is not a black & white subject, and we’d be glad to hear your thoughts via the Freedome twitter channel @FreedomeVPN.
Today is World Press Freedom Day – a day created by UNESCO in recognition of the importance of free speech, as well as the important role journalists play in using this right to help inform citizens about what’s going on with the world around them. This year’s main event is being held in Helsinki, Finland, and co-hosted by the Finnish government. There was lots happening at Finlandia Hall – the event’s “ground zero”. And because Finland is home to F-Secure’s headquarters, we were there in full force to express our support for the journalists who, according to Reporters without Borders, put their privacy, freedom, and even their lives on the line to keep us all informed. Mikko Hypponen, F-Secure’s Chief Research Officer, delivered a keynote address ahead of a discussion called “Protecting your rights: Surveillance Overreach, Data Protection, and Online Censorship”. “But right now, over the last couple of years, the biggest changes in this field have not been with online crime. They’ve been with governments entering the online, cyber attack business,” Hypponen told the audience. [youtube https://www.youtube.com/watch?v=l4InPx7xraI?start=754] After his speech, Mikko shared some additional thoughts on Apple vs. the FBI, and World Press Freedom Day. [youtube=https://www.youtube.com/watch?v=BBINozrQGlc&w=420&h=315] Sean Sullivan was also there, along with one of F-Secure Labs’ forensic analysts to help journalists check their devices, and provide security tips on how they can protect their data. “Without privacy, we can’t have free press. And without a free press, we cannot have democracy. And without democracy, we cannot have freedom,” Mikko told the audience. And that’s not just rhetoric – it’s something we’re backing up. Any journalist interested in using encryption to protect themselves against unwanted surveillance can get in touch with us before May 15 to get a free, 3-device, 12-month subscription for F-Secure's Freedome VPN, which lets users encrypt their communications, block tracking attempts and malicious websites, and change their virtual location. All journalists need to do is send a confirmation of their valid press credentials (for example, an image) by direct message to our Twitter feed (@FSecure) before May 15. Edited to add: We also caught a panel discussion about digital threats to journalists with F-Secure Cyber Security Advisor Erka Koivunen, Tanzanian journalist and newspaper editor Dennis Msacky, and University professor, writer and journalist Hanna Nikkanen. [youtube=https://www.youtube.com/watch?v=WYifFDj2UaI&w=420&h=315]
Collision is coming to a close today, and what a week it’s been. F-Secure’s Chief Research Officer Mikko Hyppönen was there earlier in the week, and gave a compelling talk on the evolution of cyber crime. He also gave a quick post-talk interview, so check out this Quickfire article to learn who Mikko thinks deserves a slap in the face. F-Secure also ran a basic Wi-Fi experiment at Collision*, similar to ones conducted in 2014 and 2015. While the experiment conducted at Collision had a smaller scope than our previous investigations, it does prove that people are still pretty promiscuous when it comes to connecting to public Wi-Fi hotspots without the proper protection, such as a VPN. In the first two days of Collision, we observed nearly one hundred people connecting to a phony Wi-Fi hotspot. And none of them were encrypting their traffic. Connecting to a phony Wi-Fi hotspot can open the door to all kinds of problems. Hackers have been known to use similar setups to help them “sniff” people’s Internet traffic, allowing them to do things like read personal messages, log the websites people visit, and even steal passwords and other sensitive information. So if you make a habit of using public Wi-Fi hotspots – whether you’re at a tech conference, an airport, a café, or a hotel – you should give Freedome a try to keep you and your private data safe and secure. [Image by Erin Pettigrew | Flickr]