Witnesses at IPBill committee

Britain needs a fresh start for privacy

Witnesses: Professor Bill Buchanan, Erka Koivunen, Cyber Security Advisor, F-Secure and Eric King, Deputy Director, Privacy International.

Yesterday, F-Secure’s cyber security adviser Erka Koivunen was called to the British Parliament to give expert witness testimony to the Joint Committee scrutinising the draft Investigatory Powers Bill (also known as the Snoopers’ Charter).

Erka’s testimony follows F-Secure’s bid back in October to warn the government that its plans to implicate technology companies in its bid to collect data on people’s digital lives were technically flawed and potentially harmful to British business. You can watch his testimony here; it begins at timestamp 15:13:50 or 58:45 on a mobile device.

The draft Bill was introduced in early November, and the Joint Committee has spent the last month or so listening to witness testimonies and receiving written evidence. We can expect the Committee to give its report early next year, after which the Bill would proceed to the Parliament sessions.

The Bill proposed by the Home Office aims to overhaul the powers law enforcement and intelligence agencies have to collect data within the UK. However, given the fact that most of the activities have been taking place already, the biggest changes appear to be how the government would define specific terms to its advantage.

We, and many other expert witnesses, have voiced our concerns over the ambiguity of the terms and the lack of clarity as to which types of companies the requirements would fall on.

The text refers to telecommunications service operators as ‘Communications Service Providers’ (CSP), apparently in an effort to expand the scope from traditional operators to the likes of Skype, Facebook and Apple, regardless of where in the world they operate from. The loosely defined providers are expected to collect and store data on their users’ internet usage – the so-called Internet Connection Records (ICR). In some government comments, these have been likened to an itemised telephone bill. Sounds harmless, doesn’t it?

There are also passages about interception and something that has been referred to as ‘Equipment Interference’. These are conducted in a targeted fashion but also in bulk or in a subject-matter fashion.

Nice, but what do these terms mean, exactly?

Interception is something that a layman would call eavesdropping.

This is where somebody else’s communication is being monitored, copied and stored without the consent of the communicating parties. According to the Bill, that someone can be an individual, a group of people exhibiting a similar trait or basically everyone. The eavesdropper may snoop in on the content of the communication or may be limited to the so-called metadata. Eavesdropping can be considered to be a passive activity, although the preparatory act of equipping the communications systems for eavesdropping and the data extraction are anything but passive.

Equipment Interference is a euphemism that covers everything from ‘police malware’ planted on a suspect’s computer all the way to the introduction of backdoors into software products or outright breaking into other people’s computers and networks. These actions are active by nature, and highly covert. The law enforcement and intelligence officials will not discuss anything about what, how or when. But here they are, asking for parliament’s blessing.

Even the obvious-sounding term appears to be laden with hidden meanings. In the evidence given to the Committee, it has become clear that the proposed Internet Connection Record is not a thing. This type of ‘itemized’ data is not being collected at the moment and the operators see no value in collecting such material. Rather the contrary! Collecting and storing session logs from all internet traffic and all users generates huge amounts of data that must at the same time be kept secure and accessible. Not an easy task!

To accompany Erka Koivunen’s appearance, F-Secure has also submitted written evidence which provides more detail for the Committee to consider.

Here are F-Secure’s main concerns:

Lack of clarity
o There is a great level of ambiguity in the Bill’s scope and applicability to not only F-Secure but the technology and cyber security industry as a whole
o The Bill can be interpreted in a way that forbids the use of strong cryptography, most notably the use of end-to-end encryption.

Extremely broad mandate
o The Bill introduces a variety of bulk collection methods and even the so-called targeted methods appear overly broad
o Our own evidence suggests that law enforcement hasn’t exhausted even the existing avenues to acquire information via targeted requests.

One mustn’t break the technological foundations of our information society in an effort to defend our safety
o By deliberately weakening cryptography and breaking the cyber security protections, one does harm to businesses and to ordinary citizens by exposing them to criminal activity online.
o By constantly lowering the barrier to engage in active network attacks, one only encourages other nations and non-state actors to follow suit.

Democracy requires transparency, freedom of speech requires privacy and we should expect that authorities give much consideration to proportionality. What is commendable about the Bill, however, is that, for what we believe to be the first time, the mandate of law enforcement and intelligence services to operate in cyberspace is being discussed in the Parliament. While we have strong reservations towards the Bill, we applaud the British government’s courage to bring the difficult topic to public debate and subject it to democratic process. We hope this is not the end but rather a fresh start.
