Witnesses at IPBill committee

Britain needs a fresh start for privacy

Witnesses: Professor Bill Buchanan, Erka Koivunen, Cyber Security Advisor, F-Secure and Eric King, Deputy Director, Privacy International.

Yesterday, F-Secure’s cyber security adviser Erka Koivunen was called to the British Parliament to give expert witness testimony to the Joint Committee scrutinising the draft Investigatory Powers Bill (also known as the Snoopers’ Charter).

Erka’s testimony follows F-Secure’s bid back in October to warn the government that its plans to implicate technology companies in its bid to collect data on people’s digital lives was technically flawed and potentially harmful to British business. You can watch his testimony here — it begins at timestamp 15:13:50 or 58:45 on a mobile device.

The draft Bill was introduced in early November, the Joint Committee has spent the last month or so listening to witness testimonies and receiving written evidence. We can expect the Committee to give its report in early next year after which the Bill would proceed to the Parliament sessions.

The Bill proposed by the Home Office aims to overhaul the powers law enforcement and intelligence agencies have to collect data within the UK. However, given the fact that most of the activities have been taking place already, the biggest changes appear to be how the government would define specific terms to its advantage.

We, and many other expert witnesses, have voiced our concerns over the ambiguity of the terms and lack of clarity as to which type of companies the requirements would fall to.

The text refers to telecommunications service operators as ‘Communications Service Providers’ (CSP), apparently in an effort to expand the scope from traditional operators to the likes of Skype, Facebook and Apple. Regardless of where in the world they operate from. The loosely defined providers are expected to collect and store data of their users’ internet usage – the so-called Internet Connection Records (ICR). In some government comments, these have been likened to an itemised telephone bill. Sounds harmless, doesn’t it?

There are also passages about interception and something that has been referred to as ‘Equipment Interference’. These are conducted in a targeted fashion but also in bulk or in a subject-matter fashion.

Nice, but what do these terms mean, exactly?

Interception is something that a layman would call eavesdropping.

This is where somebody else’s communication is being monitored, copied and stored without the consent of the communicating parties. According to the Bill, that someone can be an individual, a group of people exhibiting similar trait or basically everyone. The eavesdropper may snoop in on the content of the communication or may be limited to the so-called metadata. Eavesdropping can be considered to be a passive activity although the preparatory act of equipping the communications systems for eavesdropping and the data extraction are anything but passive.

Equipment Interference is a euphemism that covers everything from ‘police malware’ to be planted on a suspect’s computer and ranging all the way to introduction of backdoors to software products or outright breaking in to other people’s computers and networks. These actions are active by nature, and highly covert. The law enforcement and intelligence officials will not discuss anything about what, how or when. But here they are, asking for parliament’s blessing.

Even the obvious-sounding term appears to be laden with hidden meanings. In the evidence given to the Committee, it has become clear that the proposed Internet Connection Record is not a thing. This type of ‘itemized’ data is not being collected at the moment and the operators see no value in collecting such material. Rather the contrary! Collecting and storing session logs from all internet traffic and all users generates huge amounts of data that must at the same time be kept secure and accessible. Not an easy task!

To accompany Erka Koivunen’s appearance, F-Secure has also submitted written evidence which provides more detail for the Committee to consider.

Here are F-Secure’s main concerns:

Lack of clarity
o There is a great level of ambiguity in the Bill’s scope and applicability to not only F-Secure but technology and cyber security industry as a whole
o The Bill can be interpreted in a fashion that it forbids the use of strong cryptography, most notably the use of end-to-end encryption.

Extremely broad mandate
o The Bill introduces a variety of bulk collection methods and even the so-called targeted methods appear overly broad
o Our own evidence suggests that LE hasn’t exhausted even the existing avenues to acquire information via targeted requests.

One mustn’t break the technological foundations of our information society in an effort to defend our safety
o By deliberately weakening cryptography and breaking the cyber security protections, one does harm to businesses and to ordinary citizens by exposing them to criminal activity online.
o By constantly lowering the barrier to engage in active network attacks one only encourages other nations and non-state actors to follow suit.

Democracy requires transparency, freedom of speech requires privacy and we should expect that authorities give much consideration to proportionality. What is commendable about the Bill, however, is that what we believe to be the first time, the mandate of law enforcement and intelligence services to operate in cyberspace is being discussed in the Parliament. While we have strong reservation towards the Bill, we applaud British government’s courage to bring the difficult topic for the public debate and subject it to democratic process. We hope this is not the end but rather a fresh start.

More posts from this topic

18528198069_eb3bf5e72f_o

Is your identity safe online? You might be surprised

You might know what a VPN (Virtual Private Network) is. But if you’re like many people out there, you probably don’t use one. You should though. And when you finish this blog post, you’ll know why.   A VPN is a private network established over the internet. That might sound complicated, so simply put, a VPN provides security for your device’s internet connection. The layer of security VPNs provide is how you make sure that data you send and receive is encrypted and safe from trackers, hackers and anyone else trying to intercept your data while it’s in transit.   Companies and schools use VPNs to let people connect to local networks from anywhere. And you can also use a VPN to stay anonymous whether you’re at home, at work or school, or using an untrusted public network. And as an added bonus, of course, a VPN also lets you change your virtual location, which can mean unrestricted access to a whole world of content.   So why is online anonymity so important? Who better to answer that than two real Freedome VPN users. And while we can assure you these guys are both real, in keeping with the theme of anonymity, let’s just call them “John” and “Doe”.   “Anonymity is important because I really see it as a human right. Like if I’m looking for things that are really personal, I have the right to stay private and keep that information private,” says John, a university student who’s been using Freedome VPN for three months and counting.   Doe, who is 29 and in the IT industry, has used VPNs before, but recently switched to F-Secure’s Freedome. For him, using a VPN isn’t just about protecting himself today: it’s an investment in the future.   “I’ve never had problems myself, but we know for a fact that there are organizations and people out there right now who are looking to get their hands on our information and identities for whatever reason. This is definitely going to be a bigger problem in the future, and I want to be prepared,” says Doe.   Both John and Doe say that most of their friends in the tech industry are using VPNs right now. But unfortunately, there are lots of people out there who aren’t.   “I really wish people were more aware of the fact that they’re potentially giving away parts of their identity and privacy every single time they go online without a VPN,” says Doe.   John agrees.   “If you think about how people are feeding more and more of their personal information into a wider and wider range of sites, services etc., it’s obvious that the potential risks to our privacy are also increasing,” he says.   John and Doe definitely know what they’re talking about and we couldn’t agree more. There’s never been a better time to take control of your online anonymity. So check out the Freedome VPN site for videos and more info. And don’t forget to tap or click to get yours! [Image by Blue Coat Photos | Flickr]

July 28, 2016
BY 
amazon Echo, voice-activated, internet of things

Yes, Your Voice-Activated IoT Devices Are Always Listening

What's easier than typing, clicking or even swiping left? For most of us, speaking. Until we can get actual USB ports in our brain, our mouths may be the quickest way to make our our desires known to our devices. And as it Internet of Things develops, we're going to be doing more and more talking to machines, including our thermostat, light bulbs and possibly even our drones. Fans of Siri and the Amazon Echo are already familiar with the benefits of a conversational interface. But, as with any new technology that gains widespread adoption, privacy and security concerns are inevitable. We spoke to F-Secure's Cyber Gandalf Andy Patel about what users of voice-activated technology should know as they make the leap into this newer realm of connectivity that has long been imagined by science fiction visionaries from Philip K. Dick to Star Trek's Gene Roddenberry. So are these voice-activated devices listening all the time? Yes. In order for a device to react to a voice command without the user pressing a button to activate the feature, the device must listen all the time. How could this be used against us? If a device streams voice data to a server for processing, a few privacy and security implications arise. If the data is being streamed in an insecure way, it can be intercepted by a third party. If the speech data is stored insecurely, it can become compromised in the case of a data breach. It can also potentially sold to a third party. Speech is processed into text. That text might be stored, it might be associated with its source, and it could also be leaked. When the speech processing service returns data to the device that requested the processing, it could also be intercepted. Are the any real privacy concerns for owners of voice-activated devices? Some companies outsource their speech recognition services and cannot properly account for the processes and collection methods used by those companies. Along those lines, just last year, Samsung TV voice recognition made the news for recording owners' chatter. Voice command systems can also be maliciously hijacked. Last year, a group of French researchers demoed a method for remotely controlling Siri from a distance, using sounds that triggered Siri’s voice control, but that couldn’t be recognized by a human. So what will voice-activated technology look like in five or ten years? Big names are interested in voice control because they attach it to AI and machine learning systems -- which are, in turn, fed by the Big Data they’ve collected -- for an interactive experience. The end goal would be a scenario where you could ask your computer to perform arbitrary tasks in the same manner as on Star Trek.

July 21, 2016
BY 
Traveling and using public wifi - privacy is at risk

Free Wi-Fi is a vacation must, but are we paying with our privacy?

We used to search holiday magazines to find the hotel that offered the biggest pool and then triple check that the hotel has air conditioning. If we were really picky, we wouldn’t look twice at a hotel that didn’t offer cable TV. Now we see the perfect summer holiday in a different light. We can’t possibly leave our smartphones, tablets and laptops behind. A survey by Energy Company E.ON revealed that the most important feature hotels must have to even be considered is free Wi-Fi. Why do we find it so difficult to disconnect ourselves from the digital world? Even when we’re sitting in the beautiful sunshine, sipping on cocktails and splashing in the sea? Partly our digital dependence is practical, of course. The web helps us navigate around our holiday destinations finding the best attractions, the coolest bars and most remote beauty spots. But if we’re honest, many of us would admit that we’re so digitally connected because we don’t want to miss anything happening on Facebook, Instagram, Snapchat, Twitter and all the other social apps filling our electronic wonders. We continue to check in, trying to make our friends jealous by posting the latest update about our perfect holiday. Now that we’ve settled that an internet connection is a top holiday priority, why don’t we just use our phone network? Simple: we’ve all heard the horror story of someone getting crazy high bill after spending just a few days in Spain. So, we’re constantly on the search for a local bar or café that offers free Wi-Fi. It’s a fantastic feeling to be wiser than our internet provider – they can’t spring us with unheard-of charges. But connecting to public Wi-Fi comes with its own risks, and, I would argue, scarier ones than an unexpected post-holiday bill. For example, take a look at this infographic. It shows the personal data that can be intercepted and the risks you face to your privacy when you connect to public Wi-Fi without using a VPN. If the thought alone of anyone being able to snoop on what you do online isn’t enough to want to run away from ever connecting to public Wi-Fi again, then think about the bigger risks. The worst case scenario here is you could become a victim of stalking, receive threats, or have your identity stolen. This might sound farfetched, but with what information you reveal on public Wi-Fi, is it worth the risk? If you use a VPN like Freedome while on public Wi-Fi, all your internet traffic will be encrypted. This means instead of your internet traffic connecting directly to the websites from your device, revealing exactly what you’re doing online to the Wi-Fi provider, the VPN will garble your internet traffic and keep what you’re doing online anonymous. You internet privacy and safety is our biggest concern here, and Freedome will definitely provide that security. But here’s a little extra to boost your internet love and consumption when on holiday abroad: When in another country, you might not be able to stream your favorite content from back home. But with Freedome VPN, you can be “virtually” back in your home country, accessing all your favorite content as if you never left.

July 20, 2016
BY