Not good enough.
That’s the assessment of the Parliament’s Joint Committee that has been investigating the Draft Investigatory Powers Bill, which will set the guidelines for how the UK carries out intelligence gathering in this era when terror and cyberthreats are merging.
“Sharper, clearer definitions are required in order to protect both the privacy of citizens and viability of the British tech industry,” he said after reviewing the 198-page report.
Legislators hope to pass the bill before the Data Retention and Investigatory Powers Act 2014 expires in December of this year.
A few major problems stood out for Erka.
“The committee’s case for Equipment Interference, known by some as ‘hacking,’ is persuasive and also give voice to the equally persuasive critics of the Government having the power to intrude upon communications in way that lawfully captures evidence,” he said.
“However, there appears to be little discussion about collateral damage caused by bulk equipment interference activities. We’ve seen in the Stellar Wind and Belgacom cases that equipment interference activity on non-terrorist and non-combatant organizations can be used to create stepping-stones to the intended targets, or as way to hide the intelligence traces that would point the operation back to GCHQ.”
Limiting the scope of investigations is key, along with allowing developers that ability to preserve the integrity of their products.
“We support Mozilla and the open source community in the insistence that all vulnerabilities should be identified and fixed, regardless of who put them there,” Erka said.
The committee made a strikingly straightforward case for bulk collection of data, noting that search tools can make such information relevant.
“However, the justification for such powers — ‘why would the authorities request the bulk powers if they didn’t believe them to be effective’ — is simply naïve,” Erka said.
“It has been demonstrated many times over that GCHQ and NSA have invested lots of time and resources in bulk collection. It is only natural for them to defend their investment and seek to continue their work without interruption. Doing otherwise would put past conduct under scrutiny and future activities in question.”
Privacy advocates generally agree that the bill should not become law in its current form.
“It needs more than mere tweaking, it needs to be fundamentally rethought and rebuilt,” said Lord Paul Strasburger, who was on the committee.
“Like the other two committees, [we] found the Bill to be sloppy in its wording and short on vital details,” he said.
Erka notes that the clock is ticking quickly.
“The ‘sunset clause’ now forces the UK Government to work against the clock as the old RIPA authorities will cease to exist in the near future. Talk about “going dark!'”
The threat of a complete lapse in surveillance will be wielded by proponents of a purposely vague and broad law. That should not happen, especially given the abundance of input the government has.
“The bill, as written, fails to address our concerns about the potential for abuse and lack of oversight. We applaud the committee for addressing these shortcomings—and encourage the Government not to use the rush to pass the law as an excuse to pass a flawed bill.”
Photo: GCHQ/Crown Copyright/MOD
F-Secure invites our fellows to share their expertise and insights. For more posts by Fennel, click…
April 18, 2018