A few months ago The Science and Technology Committee of the UK government released a lengthy third report of its investigation of Theresa May’s new investigatory powers bill, which the Home Secretary initially proposed in November of last year. Its overall view of the bill echoes the concerns raised when it was first revealed by May; “The draft Investigatory Powers Bill addresses issues of fundamental importance for the country’s security, but also for the burdens that will arise from it—those that will be placed on communications businesses and those on law-abiding people who may suffer a loss of privacy.”
Many MP’s have described the bill as “vague” and “confusing,” and its lack of support and approval has not been contained within the walls of Parliament. Tech companies like Apple and Google have expressed their dissent of the legislation, reflecting the general disapproval across Silicon Valley. Joining these unfavourable outlooks of the bill are the privacy advocates who are concerned about the neglecting of the civil liberties of UK citizens were the bill to be passed.
For Theresa May, the new legislation has been hit with criticism from a range of interested groups, condemning various faults with the bill, though many of those concerns can be consolidated into two key areas. The first of them being the obligation for technology companies to assist prosecutors and law enforcement agencies in the hacking of computers and other internet-capable devices. Essentially, the bill requires these companies to keep encryption keys, or at least leave loopholes to bypass encrypted devices, something that has been highly contested by Silicon Valley firms. Second is the breach of privacy the bill commits, of which privacy advocates did not hesitate to highlight. The new laws require internet service providers (ISPs) to record and list all of the websites visited and accessed by internet users in the UK, holding them for up to 12 months, during which can be accessible by the police, security services and other agencies, with a warrant.
Another possible controversiality of the bill involves the economic complexities; holding large amounts of data will require lots of taxpayers money, and so it is plausible to highlight this as a potential obstruction for George Osborne, the Chancellor of the Exchequer, who has been keen to balance the UK’s public expenses by the end of the Parliament.
Overall the bill may do somewhat of a good job of updating and modernising old laws, to keep up with the dynamic modern digital age, yet it still contains major flaws which present it from being sustainable. The breach of privacy may be upheld by legal hindrances from data protection agencies (DPAs), the demanding of companies to leave keys to their consumers’ data under doormats will be sharply opposed by giant tech companies, and the expense of deployment may provide further constraints on the bill. With all this to consider, the Home Secretary will not have an easy time getting the laws through. The struggle against tech giants and civil liberties will be tough, but hopefully, by illuminating the various flaws, the Conservative government can work to make the proper and necessary amendments needed to make the bill more satisfactory before it has any chance of success.
Keeping Keys Under Doormats
It did not take long for a reaction from the valley to hit the press after Theresa May revealed the details of the bill to fellow MP’s in parliament. The first to announce their inevitable disapproval was Apple. “We believe it would be wrong to weaken security for hundreds of millions of law-abiding customers so that it will also be weaker for the very few who pose a threat,” Apple said in a statement back in December. “In this rapidly evolving cyber-threat environment, companies should remain free to implement strong encryption to protect customers.”
Then came the rest of them; Google, Facebook, Microsoft, Twitter, Yahoo, and an army of other smaller tech companies from the valley came out, about a month later, with a statement also condemning Theresa’s proposals. “The actions the UK Government takes here could have far reaching implications-for our customers, for your own citizens, and for the future of the global technology industry,” the conglomerate declared harmoniously. With this, it is clear that sides have been drawn, and the tech companies are most definitely not on the favourable one.
The details of the bill layout how CSPs (communication service providers) in the UK, as well as overseas, will be made to assist in the hacking of devices. The bill essentially would require “CSPs to provide communications data when served with a notice, to assist in giving effect to interception warrants, and to maintain permanent interception capabilities, including maintaining the ability to remove any encryption applied by the CSP to whom the notice relates.” The reasoning for such legal duties is based on the argument for strengthening national security. In a modern world in which our lives have become even more engrained into a single ubiquitous platform, known as the internet, where all the information about us is consolidated into one place, with our emails, messages, bank statements, phone calls all revealing the details of almost every aspect of our existence, governments and security agencies want to be able to have access to such a gold mine of information to filter out the criminals and malefactors to establish greater security for all.
To be clear though, the tech companies do object to greater security, just the method to achieve it, which is the requirement that companies leave encryption keys under doormats, or at least leave loopholes to enable the infiltration of the devices of UK citizens. Leaving vulnerabilities in the software, or even hardware, of computer devices for agencies to use when prosecuting criminals is, in the current cyber landscape, rather foolish. The internet is fraught with cyber criminals, who constantly develop techniques to bypass the very security measures aimed to keep them out. The existence of the dark web acts as library for software vulnerabilities and malicious software, filled up with findings of cyber criminals and bought and utilised by other cyber criminals. Around 300 million pieces of damaging software were created last year, according to research by Verizon and Symantec, thus painting a very bleak and dangerous picture, in which nobody on the net can guarantee immunity from cyber attacks even with the most sophisticated security parameters in place.
Due to such realities, it does not seem plausible for the government to purposefully leave network infrastructures or consumers’ devices vulnerable, since it would make them exposed to an array of damaging threats. To quote America’s Information Technology Industry Council, representing the likes of Apple and Microsoft, “Weakening security with the aim of strengthening it simply does not make sense.”
In addition to the fallacious concept of weakening security to strengthen it, there is a business incentive amongst tech companies which contrasts the agenda of the UK government to establish national security in the digital age. The Snowden revelations from 3 years ago generated an explosion of criticism and concern of the secretive mass surveillance of civilians. While making people uneasy of mass surveillance, companies like Apple and Microsoft recognised the business opportunity attached to such a universal worry. The desire for greater privacy, and protection from the state, created a lucrative pathway for Silicon Valley; all they had to do was show how committed they were to consumer privacy and security, and demonstrate such commitment with their products and services. As a result, the likes of Apple and Microsoft have done just that. Microsoft has confirmed its European users that their data would be out of the reach of the NSA by containing within data centres located in Germany, and Apple utilises end-to-end encryption with messaging and video chatting to also protect its users from unwanted third parties. Other companies, like Google and the rest, have also demonstrated their ways of ensuring greater privacy, particularly Facebook, which, in the past, has been heavily criticised for its lack of concern of consumer privacy rights for a number of years.
The big tech firms, with all their might, will not tolerate the new legislation on the grounds that it would fail to provide adequate security for companies and its consumers, and the breach of privacy contradicts the business incentives needed for strong brand loyalty and reputation which translate into greater profits. These provide the basis for the valley’s arguments against, though it is also the privacy advocates and DPA’s who will also be keen to have their stance against the bill heard loud and clear.
Theresa, You Can Blame Edward
Privacy has become a highly contentious subject thanks to the Snowden revelations from a few years ago. As both sides of the debate become increasingly polarised over time since, it has become harder for governments to establish legislation to make it easier to achieve national security in the modern digital age, just as it has become equally as difficult for those with similar ideals to Snowden, as well as DPAs and other civil liberty promoters, to persevere the right to privacy.
The argument in favour of security has always been a valid one. Since the internet has become a helpful platform for criminals, terrorists and other malefactors to plan out and execute attacks and other damaging acts, prosecutors need the tools to achieve adequate security in this digital age, absent of impediments as much as possible. Encryption, for example, provides a difficult barrier to break through in order to gather the data belonging to criminal suspects. Therefore public authorities need the leeway to be able to have access to as much information needed do this very job, suggesting that encryption backdoors are necessary. Theresa May has very much emphasised this point throughout her promotion of the new laws, stating in her foreword within the bill’s official documentation: “The Government is committed to ensuring law enforcement and the security and intelligence agencies have the powers they need to keep us safe in the face of an evolving threat and an increasingly complicated communications environment.”
The bill does not permit the bulk collection of data without legal validation. One of the merits of the bill, which was lacking in previous snooping laws, is that requesting access to the data collected by ISPs requires a specialised warrant issued by the Secretary of State and granted permission to come into force by a Judicial Commissioner. This thorough process better ensures that only legitimate requests are granted, of which the Conservative government would hope put citizens at ease about their data being collected, consolidated and analysed without their consent.
Though this has failed. Privacy advocates, including the chief privacy guardian of the world Edward Snowden. In a tweet reacting to the bill, when it was initially introduced, Mr Snowden described the bill, disapprovingly, as “…the most intrusive and least accountable surveillance regime in the West”. The justification of ‘bulk powers’ will be looked at as weak, no matter how much judicial oversight is in place, particularly in the eyes of European regulators. The European Court of Justice (EUJC) as well as the Court of Human Rights, will be, undoubtedly, looking for the gaping loopholes in the bill that expose an unlawful breach of privacy and the consequential damages. The lack of certainty that the government can sufficiently protect citizens’ data from hackers and online malicious actors is not the only flaw of the new laws which has been highlighted by tech companies, but also the threat to civil liberties that DPAs and even other MPs have pointed out. Of course, many agree that security agencies should be able to get a hold of personal data and access databases in certain circumstances, but determining what these circumstances look like is what makes the justification for snooping fairly feeble.
Some may also argue that since the bill only permits the collection of just merely the website addresses which have been visited, and therefore not revealing the actual content of those websites accessed, it makes it difficult to identify the actual intentions of a user with the limited information collected. Thus, there is the possibility that perhaps prosecutors may come to misinformed conclusions, resulting in misguided arrests or prosecutions based on possibly false premises. This is particularly worrisome given the current circumstances in which even a slight clue indicating any kind of act, or at least association with, terrorism, may spark premature reactions from security agencies, which could be observed by some as scope to harassing those mistakingly affiliated with such acts, such as the Islamic community. The new bill, therefore, entertains an array of messy legal battles with civil liberties, making survival doubtful.
A Fight To the End
Just as The Cyber Solicitor had completed this article, Apple stood up against the FBI and rejected the bureaucracy’s request to provide encryption backdoors in help infiltrate the phones of one of the San Bernardino shooters. The tech giant rejected the request on the grounds that the hacking of one iPhone would put other iPhone users at risk, as all it takes is one weak link in the chain for hackers to get through and cause universal damage. This kind of scenario is exactly what Theresa May’s investigatory powers bill is designed to deal with; giving prosecutors the powers they need to investigate crimes and protect the nation. Everyone agrees with this, but it is finding a way to do that without compromising civil liberties or undermining the cybersecurity which will prove difficult. The problem with a new bill like this is its attempt to deal with unprecedented situations in a new and unfamiliar age. Furthermore, with the pace of technological development, and the agonisingly slow process of passing and amending laws, proposed legislation often fails to keep up, thus resulting in laws which quickly become out of date and become completely nugatory. The Conservative government, as part of its agenda, has committed to establishing a new ‘British Bill of Rights’ to replace the Human Rights Act, which may provide as a potential block against the new surveillance laws. But even if this is successful, the bill will still have to face the wrath of the tech giants and the civil liberty cheerleaders who oppose such propositions. So, with that, the tough tussle will go on, for a while.