Witnesses at IPBill committee

Britain needs a fresh start for privacy

Witnesses: Professor Bill Buchanan; Erka Koivunen, Cyber Security Advisor, F-Secure; and Eric King, Deputy Director, Privacy International.

Yesterday, F-Secure’s cyber security adviser Erka Koivunen was called to the British Parliament to give expert witness testimony to the Joint Committee scrutinising the draft Investigatory Powers Bill (also known as the Snoopers’ Charter).

Erka’s testimony follows F-Secure’s effort back in October to warn the government that its plans to implicate technology companies in its collection of data on people’s digital lives were technically flawed and potentially harmful to British business. You can watch his testimony here — it begins at timestamp 15:13:50, or 58:45 on a mobile device.

The draft Bill was introduced in early November, and the Joint Committee has spent the last month or so listening to witness testimony and receiving written evidence. We can expect the Committee to deliver its report early next year, after which the Bill would proceed to the Parliamentary sessions.

The Bill proposed by the Home Office aims to overhaul the powers law enforcement and intelligence agencies have to collect data within the UK. However, given that most of these activities have been taking place already, the biggest changes appear to be in how the government would define specific terms to its advantage.

We, and many other expert witnesses, have voiced our concerns over the ambiguity of the terms and the lack of clarity as to which types of company the requirements would apply to.

The text refers to telecommunications service operators as ‘Communications Service Providers’ (CSPs), apparently in an effort to expand the scope from traditional operators to the likes of Skype, Facebook and Apple, regardless of where in the world they operate from. These loosely defined providers are expected to collect and store data on their users’ internet usage – the so-called Internet Connection Records (ICRs). In some government comments, these have been likened to an itemised telephone bill. Sounds harmless, doesn’t it?

There are also passages about interception and something that has been referred to as ‘Equipment Interference’. These can be conducted in a targeted fashion, but also in bulk or by subject matter.

Nice, but what do these terms mean, exactly?

Interception is something that a layman would call eavesdropping.

This is where somebody else’s communication is monitored, copied and stored without the consent of the communicating parties. According to the Bill, that somebody can be an individual, a group of people exhibiting a similar trait, or basically everyone. The eavesdropper may snoop on the content of the communication or may be limited to the so-called metadata. Eavesdropping can be considered a passive activity, although the preparatory act of equipping the communications systems for eavesdropping and the subsequent data extraction are anything but passive.

Equipment Interference is a euphemism that covers everything from ‘police malware’ planted on a suspect’s computer, through the introduction of backdoors into software products, all the way to outright breaking into other people’s computers and networks. These actions are active by nature, and highly covert. The law enforcement and intelligence officials will not discuss anything about what, how or when. But here they are, asking for Parliament’s blessing.

Even this obvious-sounding term appears to be laden with hidden meanings. In the evidence given to the Committee, it has become clear that the proposed Internet Connection Record is not a thing. This type of ‘itemised’ data is not being collected at the moment, and the operators see no value in collecting such material. Rather the contrary! Collecting and storing session logs for all internet traffic and all users generates huge amounts of data that must at the same time be kept both secure and accessible. Not an easy task!

To accompany Erka Koivunen’s appearance, F-Secure has also submitted written evidence which provides more detail for the Committee to consider.

Here are F-Secure’s main concerns:

Lack of clarity
o There is a great deal of ambiguity in the Bill’s scope and its applicability, not only to F-Secure but to the technology and cyber security industry as a whole.
o The Bill can be interpreted in a fashion that forbids the use of strong cryptography, most notably the use of end-to-end encryption.

Extremely broad mandate
o The Bill introduces a variety of bulk collection methods, and even the so-called targeted methods appear overly broad.
o Our own evidence suggests that law enforcement (LE) hasn’t exhausted even the existing avenues to acquire information via targeted requests.

One mustn’t break the technological foundations of our information society in an effort to defend our safety
o By deliberately weakening cryptography and breaking cyber security protections, one does harm to businesses and to ordinary citizens by exposing them to criminal activity online.
o By constantly lowering the barrier to engaging in active network attacks, one only encourages other nations and non-state actors to follow suit.

Democracy requires transparency, freedom of speech requires privacy, and we should expect authorities to give much consideration to proportionality. What is commendable about the Bill, however, is that, for what we believe to be the first time, the mandate of law enforcement and intelligence services to operate in cyberspace is being discussed in Parliament. While we have strong reservations about the Bill, we applaud the British government’s courage in bringing this difficult topic into public debate and subjecting it to the democratic process. We hope this is not the end but rather a fresh start.

More posts from this topic

Wherever You’re Connected, You Should Be Protected

Protecting yourself on the internet used to be a lot simpler -- mostly because you weren't always on the internet. Now we can be online from when we wake up until when we go to sleep. We seamlessly shift from chatting to shopping to banking -- rarely sticking to one device or platform for too long. Most of us aren't just a Mac or PC or an Android anymore -- we're all of the above.

“I, and I think most people, have a cross-platform household – I use several different devices with different operating systems on a daily basis,” F-Secure security advisor Sean Sullivan explains.

The old paradigm of just protecting your PC or your phone can leave your devices exposed to threats. And even the best security software in the world won't protect your public Wi-Fi connection from being snooped on, possibly exposing your most private details, including passwords.

That's why we've launched F-Secure total security and privacy, which combines F-Secure SAFE and F-Secure Freedome. F-Secure SAFE is a multi-device internet security suite that protects all your devices. Freedome is a VPN that offers a simple way to encrypt your communications over public Wi-Fi and change your virtual location to access geo-blocked sites and services, while blocking malicious websites and online tracking.

You can still purchase F-Secure SAFE and Freedome separately. And there have been recent improvements to both, including:
o Silent upgrades that ensure SAFE is automatically updated
o Parental controls now available on all supported SAFE platforms
o Ability to create Freedome Wi-Fi hotspots with Android devices while VPN is turned on

“Buying separate products to protect iOS, Windows, Macs and whatever else isn’t just expensive, but it means you have to get used to different pieces of software designed to do the same thing,” Sean explains.

F-Secure total security and privacy is now available for a free trial here. If you're a current SAFE customer, you can't upgrade to total security and privacy, but you should receive a discount offer for Freedome.

“Bundling protective measures into packages to run on different devices is more economical and more user friendly, both of which are good for security.”

Cheers, Sandra

[Image by Hans Kylberg | Flickr]

September 27, 2016

What You Need to Know About the Yahoo Hack

Reports that half a billion Yahoo accounts were hacked in 2014 "by a state-sponsored actor" were confirmed today by the tech giant. This hack of "names, email addresses, telephone numbers, birth dates, encrypted passwords and, in some cases, security questions" is the largest in the company's history and one of the most consequential breaches of all time.

Our security advisor Sean Sullivan told CNN what Yahoo users need to know right now (video: https://www.youtube.com/watch?v=kO-70yKF4bE). He also gave a longer interview to Data Breach Today about the wider implications of the hack.

The most important takeaway from this attack is that you should always use an extra layer of protection -- in this case Yahoo's two-factor authentication on all your accounts -- and never reuse any important password. Even though Yahoo stored your passwords with encryption, it's still possible for criminals to get access to them, especially if they are weak.

A former Yahoo employee told Reuters that the answers to security questions were deliberately left unencrypted to help catch fake accounts more easily, because fake accounts tended to use the same answers over and over. Sean always uses nonsense answers for so-called security questions so they aren't guessable by anyone who knows him or follows him on social media. He recommends you do the same.

So what should you do now? Sean recommends you "walk, not run" to your Yahoo account to disable your security questions and change your password -- and change them on any other site where you've used them to something unique. Make sure you create non-human passwords -- not patterns like yahoo1985. Make them long and difficult to remember. If they're between 20 and 32 characters, they are nearly uncrackable, as our senior researcher Jarno Niemelä recommends. And to deal with all that complexity, use a password manager like our F-Secure KEY, which is free on one device. You can also store your nonsense answers to your security questions in there. Then turn on two-factor authentication, if you haven't already.

If you're wondering who might have carried out such a massive attack, Sean does have a hypothesis.

[Image by Christian Barmala | Flickr]

September 23, 2016

How to Create a Portable Hotspot on Android with VPN on

Many Android users (myself included) have long found it annoying that creating a working portable hotspot is not possible while using a VPN on the device that shares the connection. From the user interface to the lines of code that power the app behind it, a driving principle of designing Freedome has always been to make the kind of VPN that only makes your online experience better, without hindering it in any way.

Tethering with VPN is now possible

This is why we are extremely happy - both personally and for our users - to announce that our new Android release (out now on Google Play) makes it possible to have Freedome turned on while sharing your connection with other devices. We are also the first (as far as we know) major VPN provider to make this happen.

Instructions on setting up a portable hotspot

The new update automatically allows you to create a portable hotspot with Freedome VPN, so the instructions are fairly simple:
o Download Freedome VPN on your Android device
o Turn on the portable hotspot feature from your Android settings

Keeping it simple, as usual!

A note on privacy

It’s worth noting, for the sake of your privacy, that the tethered device’s traffic will NOT go through the VPN tunnel of the device sharing the connection. According to Freedome Product Development Director Harri Kiljander: “Android does not allow tethered devices access to the VPN tunnel. This is a deliberate choice forced by Android for security reasons. For instance, when using VPN to access your employer’s network, they might not want your friends and family there. Also, a VPN tunnel shared with others wouldn’t really be a private network anymore.”

In other words, remember to use Freedome on laptops and any other devices you connect to your own hotspots with. If you have any questions, drop us a line on Twitter. Enjoy!

September 23, 2016