UK Law and Cyber-Spying

Hello all,

The Investigatory Powers Bill in the UK have left IT security experts confused. The draft of the internet surveillance law was introduced in the House of Commons. Home Secretary Theresa May stated that it is a break from measures in the ultimately unsuccessful Communications Data Bill of 2012.

The draft law reads; “will not impose any additional requirements in relation to encryption over and above the existing obligations in RIPA [the Regulation of Investigatory Powers Act, 2000]”

Under the RIPA regulation CSPs [communications service providers] are required to provide communications data when served with a notice, to assist in giving effect to interception warrants, and to maintain permanent interception capabilities, including maintaining the ability to remove any encryption applied by the CSP to whom the notice relates.

UK’s security and intelligence agencies are now having talks with organisations that run the popular messaging software mostly based in the US such as WhatsApp and Apple’s iMessage about the best ways to tap into chats. These apps provide strong end-to-end encryption for normal folks that’s easy to install and use, unlike tough-to-crack but infuriating-to-use PGP packages. Secure end-to-end crypto systems make sure only two people involved in the chat can decrypt messages and leaves no chance for eavesdroppers.
Diffie-Hellman protocol, is one option. It allows two people to create a shared secret known only to them using prime-number maths and this data is not accessible to communication providers either. There are many other communication encryption schemes available now especially in the wake of the Edward Snowden revelations of NSA-GCHQ mass surveillance.

Mainstream software like Facebook-owned WhatsApp and Apple maybe beyond the radar of the UK authorities. Make sure whatever code you decide to use is verified and trusted to work as advertised.
Implementation flaws (such as weak keys or bugs in the programming) and slip ups by users (such as accidentally leaking private keys) are enough to break cryptographic systems.

Security agencies are really looking to have a backdoor in cryptography so they can forcibly decrypt messages and calls. However, it’s not possible to build such system securely.

images (1)
Critics charge that the UK government is trying to effectively ban secure cryptography, but ministers deny this claim. Nevertheless, the bill suggest that communications providers operating in the UK may be ordered to “provide technical assistance” and remove electronic protections, possibly under a gagging order along the lines of a US National Security Letter.

UK government tries to further establish goal of making the UK the best place in the world for e-commerce by promoting good crypto. But also wants to let GCHQ and MI5 to decrypt communications and identify suspects in terrorist plots, child abuse, and other serious crimes.

The bill reads; “Equipment interference plays an important role in mitigating the loss of intelligence that may no longer be obtained through other techniques, such as interception, as a result of sophisticated encryption.”

Home Office fact sheets to accompany the draft bill on targeted interception  and equipment interference provide further insights into Number 10’s thinking.
The proposed law is being spun as a means of ensuring the entire cyberspace can be policed in the “face of technological advances”

Privacy advocate Liberty argues that the Investigatory Powers Bill is “Far from attempting to create a more targeted and effective system, the bill places the broad mass surveillance powers revealed by Edward Snowden on a statutory footing, including mass interception, mass acquisition of communications data, mass hacking, and retention of databases on huge swatches of the population,”.

Nigel Hawthorn, European spokesperson at Skyhigh Networks, argues that the bill provides more evidence that the government is out of touch with technology.
“Any law which bans end-to-end encryption will break data protection regulations and decrease security on the internet…There’s a complete misunderstanding of how end-to-end encryption works. It’s wrong to assume that forcing technology companies to break their own security is going to please the average man on the street, and this is not even technically possible in many instances. It’s not the first time the government has been wholly ignorant of technology, and despite the inevitable backlash from technology experts, politicians continue to announce these ill-thought-out unworkable proposals.” Hawthorn said.
Hawthorn argued that encryption is more important now with the increasing number of sponsored cyber-attacks and high-profile data breaches and so on.
Greg Aligiannis, senior security director at message encryption provider Echoworx, expressed fears that citizens’ internet records collected for the cops may be snatched by hackers; just look at the attacks on ISP TalkTalk, the US government’s Office of Personnel Management (OPM), and others. He also explained that the data collected by the government will need to be securely stored to prevent hackers accessing it because governments are prone to attacks as much as any other organisation.
“If a CSP is required to capture this data and store it, there is a question around who is going to fund the infrastructure costs…CSPs are already saying that data storage repositories are growing at an unmanageable rate – so how can this quantity of data be managed and securely transferred and stored? Will the data be in one central repository or multiple, and what about backup and storage? Another challenge will be keeping audit trails of who, what, when, and where in relation to the data. Moreover, how and when will the data be purged?” Bharat Mistry, cybersecurity consultant at Trend Micro said

The draft of the  Investigatory Powers Bill: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/473770/Draft_Investigatory_Powers_Bill.pdf

xkcd_crypto_wrench_security


Source: Akati

Comments are closed.