Thursday 18 February 2016

Will the Investigatory Powers Bill enable hackers to access backdoors?

Will the Investigatory Powers Bill enable hackers to access backdoors?

Introduction and policymakers

As the Investigatory Powers Bill wends its way through parliament, questions have been asked not just about the loss of privacy it will mean to anyone connecting to the internet in the UK, there are fears that calls by the government for backdoors in encryption could be counterproductive.

While it stops short of banning end-to-end encryption, it will require tech firms to allow backdoor access to police and security services. There are fears that this could make such activities as online banking hard, if not impossible, to do safely.

The trouble with having a backdoor such as this is that if the security services can decrypt secure communication, so can others, and most likely that means hackers and other criminals.

But Jonathan Sander, vice president of Product Strategy at Lieberman Software says that the debate about backdoors in encryption suffers from both psychological and technological misunderstandings.

"Many people apply the principle that people who have nothing to hide have nothing to fear from a universal backdoor to encryption," he says. "In an era when so many politicians all over the world are being caught out with emails and tweets, you would think government might appreciate how much encryption may mean in our everyday lives."

Driven by policymakers, not spies

Memset's head of Security Thomas Owen suspects that the direction towards state-mandated backdoors and the deliberate weakening of security is being driven by policymakers, not the intelligence agencies themselves.

"Such a policy speaks of a fundamental lack of understanding of the problem and the space that they are working in," he says.

He says, if anything, a similar bill going through the Dutch parliament is "even more alarming" than the current state of the UK Intelligence Powers Bill and provides a vehicle for "sweeping, unaccountable" rights for state agencies.

"In these uncertain times, one spokesperson's comments on what a government 'does not want' to do cannot be compared to what a government 'legally can' do. When faced with the next terrorist threat or other related zeitgeist, it seems inevitable that best intentions crumble into maximum capabilities," he warns.

Nicola Fulford, head of Data Protection and Privacy at Kemp Little, told us that there are certain difficulties around encryption as far as the bill is concerned.

"Under the bill, there is a right for the government to request communication service providers (CSPs) for disclosure of certain communications data, including internet connection records which covers instant messaging applications," she says. "It is worth mentioning that communications data is distinct from contents data. Communications data is information about who sent the communication, to whom, when, how and so on – crucially, it does not contain the content of the communication."

She adds that the bill requires CSPs to assist with giving effect to any warrants for communications data, including removing any encryption applied to that data.

"So if CSPs encrypt communications data and are served with the interception warrant, they will need to have the ability to 'unlock' the contents to comply with the warrant," she says.

Parliament awakens?

MPs to the rescue?

Perhaps Parliament has finally woken up to the ramifications of the bill. Nicola Blackwood MP, chair of the Science & Technology Committee, says that getting the balance right between protecting our security and the health of our economy is "vital".

She warns that there is a lack of clarity within the draft Investigatory Powers Bill which is causing concern amongst businesses. "There are widespread doubts over the definition, not to mention the definability, of a number of the terms used in the draft bill. The government must urgently review the legislation so that the obligations on the industry are clear and proportionate," she says.

Blackwood adds that encryption is important in providing the secure services on the internet we all rely on, from credit card transactions and commerce to legal or medical communications.

"It is essential that the integrity and security of legitimate online transactions is maintained if we are to trust in, and benefit from, the opportunities of an increasingly digital economy. The government needs to do more to allay unfounded concerns that encryption will no longer be possible," she says.

If vendors selling within the UK are forced to include backdoors, this would lead to the creation of a black market or see users purchase abroad, says Nick Smalley, lead security consultant for Auriga.

"For communication encryption by third-party providers where users have no choice, they would probably look to encrypt the data separately assuming the transport mechanism does not check and prevent encrypted files," he says.

He says that history has shown that where there is a will there is normally a way around issues like this so until we know the details and the industry's response we can only speculate.

"Cost of products supporting this requirement will be greater due to the need to modify code and manage the logistics and this will probably force most end users to adopt their own personal encryption measures," says Smalley.

Putting heads together

Within the next 12 to 18 months, Smalley expects the industry and policymakers will have to put their heads together and draft a law. However, the practical applications of that law would be a "slow burn".

"Product lifecycles will prevent a quick implementation under 12 months and agreement of what to implement within the EU member states is likely to need compromise," he says. "This will take time resulting in an increase in the level of assurance required for a subject data access request which may be offset by the time taken to support the original operational imperative."

With the EU referendum around the corner, whether or not we stay in the Union could have an impact on the law itself. If the UK remains in the EU, it could be a possibility that the law would be in breach of human rights legislation as well as the General Data Protection Regulation.

Another block to the law, if enacted, would be public sector spending.

"Without significant public sector investment at a time of austerity within the rest of the public sector delivery of the digital platforms, its delivery is going to be challenging," says Des Ward, information governance director at trade association Innopsis.

"With further developments in the GDPR increasing the burden on the supply chain, and our security force being overstretched already, I can envisage that this will not be released in its current form," he says.

It would be quite amusing if the government's love of austerity stymies its love of mass surveillance.










http://ift.tt/1VrkUDm

No comments:

Post a Comment