UK government proposes ‘licence to hack’ because encryption is becoming hard to beat
Wed 21 Oct 2015
A report in The Times today (paywalled) says that a bill likely to be presented to the British Parliament next month would give MI5, MI6 and GCHQ a ‘dizzying’ remit to hack the devices of individuals under investigation with permission from the Home Secretary, and that the measure is being drawn up because of the increasing difficulty of intercepting encrypted data in transit.
These new powers would exclude permission for such ad hoc surveillance of MPs.
The Investigatory Powers Bill would seek to take advantage of security flaws in software to access protected device and communications technologies, although this permission does not in itself solve the government-perceived problem of zero-knowledge encryption, now a standard across mainstream consumer devices. In such cases the investigating power would still need to persuade the owner of the device to surrender the password or other means of authorisation in order to unlock the material.*
The Times spoke with digital evidence expert Peter Sommer, who said: “Increasingly, (intelligence agents) can’t read communications sent over the internet because of encryption, so their ability to get information from interception is diminishing. Hacking is different from interception because it allows hackers to take control of the device, using it for surveillance and accessing data from the source, rather than simply intercepting them, which is becoming increasingly difficult.”
In June the Rt Hon Theresa May MP responded to the report by independent reviewer of terrorism legislation David Anderson QC by emphasising that new legislation should go forward without delay in order to anticipate the sunset provision in the Data Retention and Investigatory Powers Act 2014. That act in 2014 restored the power for security services to access phone and internet records after a European court repealed, on human rights grounds, an EU directive requiring telcos to retain communications data.
May said in her speech that “it is not possible to debate the balance between privacy and security – including the rights and wrongs of intrusive powers and the oversight arrangements that govern them – without also considering the threats that we face as a country. Those threats remain considerable, and they are evolving.” She also cited the need to have access to data regarding military, industrial and state espionage, as well as the online aspect of crimes involving child sexual exploitation.
The ‘licence to hack’ included in the Investigatory Powers Bill is not hindered by association with the Communications Data Bill, also known as ‘The Snoopers’ Charter’, formerly blocked by Liberal Democrats in the previous coalition government. Additionally, the Home Secretary has confirmed that an application of the Wilson Doctrine will be provided for in the bill, whereby MPs are not automatically subject to the same ‘right to be hacked’ as anyone else.
*One does wonder whether the advance of biometric-based authentication may be hindered not only by this kind of legislation, but also by its potential to allow aggressors to coerce device access via retina, fingerprint, facial recognition or other non-complex biometric entry procedures.