Costs And Risks Of UK’s Draft Surveillance Powers Probed
Posted Dec 10, 2015 by Natasha Lomas (@riptari)
A U.K. parliamentary committee tasked with scrutinizing the new
surveillance powers contained in the draft Investigatory Powers Bill
has heard several contradictory views on the proposed legislation.
The latest evidence session heard by the committee included questions
on the costs of implementing the web browsing
data retention requirement of the bill, and questions about the legal
requirements it might place on companies when end-to-end encryption is
being used to secure data. Concerns over provisions to sanction state
hacking en masse were also aired.
The amount of time the government has afforded for scrutiny of what is
very complex and technical legislation has already been criticized —
with committee members themselves complaining there is not enough time
for them to do a proper job.
The committee is expected to file its report by February 11, with the
government aiming to get a final bill through parliament and onto the
statute books before the end of next year.
Questions over costs
On the cost point, Mark Hughes, president of BT Security at the ISP BT,
suggested the requirement for ISPs to capture and retain a log of
websites visited by their users would run to tens of millions of pounds
for BT alone.
A government impact assessment document accompanying the draft bill has
suggested this aspect of the proposed legislation would cost £174
million to implement. However, Hughes cast doubt on that figure,
suggesting that a “large part” of that money would be required just for
BT to implement it — and BT is just one of hundreds of U.K. ISPs that may
also be made subject to the requirement by the legislation. (The committee
also heard conflicting views on which U.K. ISPs would be required to
log users’ website visits.)
“It would cost us a large part of that figure to be able to implement,
looking over a period,” said Hughes. “When one looks at the internet
connection records part of the Bill, the bandwidth appetite in our
country is increasing very rapidly, so, clearly, assumptions have to be
put in that take account of the fact that bandwidth will increase.
Indeed, in the consultation some of that has been taken into account,
but the core key technical aspect of the internet connection records
part of this is the extent to which the sampling or 100% collection
goes on within the networks for them then to be able to comply.
Technically, there are many different options, depending upon what you
come up with, so there is a definite range of possible costs.”
Antony Walker, deputy CEO of the digital tech trade association techUK,
who was also giving evidence, expressed scepticism about the cost
estimate. “Given the uncertainty about the extent of the powers and the
implications of potentially a much broader range of communication
service providers, at this stage it is quite difficult to determine
whether or not that is an accurate figure. I have met very few people
across business who currently would regard it as a properly robust
figure,” he said.
BT’s Hughes was asked whether the industry is “relaxed” about the
current wording of the bill, which has been criticized as opaque and
open to interpretation — which resulted in something of a slap down to
the questioner.
“On a subject like this we are not relaxed about any area of it,
frankly, because it is an incredibly serious matter,” he rebuked the
committee.
Conflicting views on encryption
Asked by the committee whether there was anything in the draft bill
that could threaten the integrity of encryption, Walker said the
language of the bill remains a cause for concern here — saying it is
more “open to interpretation” than the organisation would like.
“The language around encryption remains a little opaque,” he told the
committee. “And responses from the Home Office when questioned on the
implications of some of those powers remain unclear.”
Walker flagged up a specific concern around end-to-end encryption,
noting that it’s not clear what a third party provider would be legally
required to do if they have implemented a form of encryption they
cannot themselves decrypt.
“The powers are such that the security services could request that
telecom service providers remove any encryption used by them to provide
information in the clear. What is not completely transparent is what
happens where a third party has implemented end-to-end encryption
themselves and it would not be technically feasible for the service
provider to remove that encryption. There is still some uncertainty and
concern across the industry about the implications for encryption,” he
said.
As it stands, Walker said industry is relying on comments made by the
Home Secretary and other senior government ministers in order
to interpret the bill. “They have been very clear about how they
interpret the Bill, and to some extent we are relying on that
interpretation,” he added.
But he reiterated that tech companies are still grappling with possible
implications of the bill, given how vague definitions are, and the fact
the draft bill was only published last month.
“I must stress that many companies are themselves still trying to work
through the implications of the Bill and to understand it, so there are
different views at this stage,” he said, answering a question about
technical feasibility. “If we look at what is technically and
reasonably practical in the various definitions of the Bill, we believe
it means that when companies are providing services where there is
end-to-end encryption instigated by a third party and not by
themselves, it safeguards them from having to modify or change what
they are doing, but it is open to interpretation.”
Walker said further reassurances are required that the bill would not
require companies providing end-to-end encryption to modify their
business practices.
Later in his evidence session, Hughes also touched on this, noting: “We
should not do anything to undermine the fact that security and privacy
are a continuum of the same thing. It is important, and encryption has
a significant role to play in that.”
Also giving evidence to the committee, Richard Alcock, director of the
Home Office’s oversight program for state use of communications data,
suggested senior civil servants have a different interpretation of the
encryption requirements from the reassuring statements made by senior
government ministers about ‘not banning encryption’.
Asked specifically to confirm that companies which have deployed end-to-end
encryption will not be required to provide decrypted data
when served with a government request, he said it is in fact his
understanding that the opposite is true (emphasis mine).
“In the context of interception, section 12 of RIPA [existing
legislation, the Regulation of Investigatory Powers Act] mandates that
there is an expectation that information is provided in the clear,
effectively, by those on whom a notice is served. It may be the case
that a service provider has certain encryption arrangements, but when
you are putting someone on interception cover you want to be able to
understand the content. There is an expectation — a clear mandation, in
fact — that data will be provided to law enforcement in the clear, as
has been the case. This Bill does exactly the same as section 12 of
RIPA.”
Another civil servant giving evidence to the committee, Professor
Bernard Silverman, chief scientific adviser to the Home Office, was
asked directly whether a reference in the bill requiring the “removal
of electronic protection” is a route to compromising encryption.
“My understanding of the Bill is that what has to be removed is the
electronic protection that the service provider itself has put on the
message. It is not removing encryption; it is removing electronic
protection. I do not know whether Richard [Alcock] wants to go into
more detail on that, but the short answer is that there is no threat to
encryption as such.”
However in response Alcock merely reiterated his view about the bill
mandating clear data be served up in response to a government warrant.
“It goes back to my previous point about provision of data in the
clear. Companies may have all manner of different encryption equipment,
which Government support. At the same time, when a notice is served to
provide intercept data, the expectation is that those data will be
provided in intelligible form — in the clear,” he reiterated.
At this point another witness, Dr Bob Nowill, chairman of Cyber
Security Challenge, pointed out that providing data in the clear may
not always be possible — i.e. if it has been end-to-end encrypted and a
service provider does not hold the encryption keys.
“The ISP or CSP could unwrap whatever they have put on, but if the
underlying data stream is encrypted by something proprietary and
unknown and is originating and terminating overseas, you would probably
have the devil of a job digging into it,” he pointed out.
To this Alcock suggested the route to obtaining ‘clear data’ is about
“forging constructive working relationships with the comms service
providers” — whatever that means. It might, for example, mean the state
leaning on Internet companies to backdoor their services to work around
end-to-end encryption.
“All comms service providers are different. All systems are different.
We need to work out pragmatic ways in which we can satisfy requests
from the UK Government,” he said. “The expectation is that, when served
with a notice, providers would provide us with data in the clear. That
would involve working with the particular provider of the day to work
out how best that could be achieved.”
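The distinction Silverman and Nowill draw above, between the “electronic protection that the service provider itself has put on the message” and end-to-end encryption whose keys the provider never held, is easy to demonstrate in code. The following is an added example, not code from the article or from any of the witnesses’ organisations. It models two layers: a transport layer the provider applies with its own key, and an optional inner layer the two endpoints apply with a key the provider never sees. Stripping the provider layer yields plaintext only in the first case. The cipher here is a constructed stand-in (HMAC-SHA256 in counter mode with encrypt-then-MAC, standard library only), chosen so the example runs offline; the keys, message and function names are all assumptions of the example.

```python
"""
Model of the "removal of electronic protection" question.

A provider can remove the protection it applied itself; an end-to-end
layer whose key it never held stays ciphertext after that removal.
Toy authenticated stream cipher built from HMAC-SHA256 (stdlib only);
constructed for illustration, not a production cipher.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from one master key."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC-SHA256(enc_key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then strip the keystream. Raises on tampering."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def provider_transmit(provider_key: bytes, payload: bytes) -> bytes:
    """The provider wraps whatever the client hands it in its own layer."""
    return encrypt(provider_key, payload)


def provider_remove_own_protection(provider_key: bytes, wire: bytes) -> bytes:
    """All the provider can do unaided when served a notice: unwrap its layer."""
    return decrypt(provider_key, wire)


def scenario(end_to_end: bool) -> dict:
    """What the provider recovers, with and without an end-to-end layer."""
    message = b"constructed sample message"          # constructed input
    provider_key = secrets.token_bytes(32)           # held by the provider
    user_key = secrets.token_bytes(32)               # agreed by the endpoints only
    payload = encrypt(user_key, message) if end_to_end else message
    wire = provider_transmit(provider_key, payload)
    recovered = provider_remove_own_protection(provider_key, wire)
    endpoint_view = decrypt(user_key, recovered) if end_to_end else recovered
    return {
        "provider_recovers_plaintext": recovered == message,
        "endpoint_recovers_plaintext": endpoint_view == message,
        "residual_ciphertext_bytes": 0 if recovered == message else len(recovered),
    }


if __name__ == "__main__":
    for e2e in (False, True):
        print("end_to_end =", e2e, "->", scenario(e2e))
```

Running the script shows the provider recovering the plaintext only in the non-end-to-end case; in the end-to-end case its best effort leaves a residual blob of ciphertext that only the endpoints’ key opens. Two design choices carry over to real systems: encryption and MAC keys are derived separately, and the tag is checked with a constant-time comparison before any decryption happens.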
Fears over mass hacking
The committee also asked for views on provisions in the proposed
legislation to sanction equipment interference — aka state hacking
powers.
Walker expressed particular concern about the bill’s provision for mass
hacking, dubbing this sweeping power “one of the areas of the Bill that
is most problematic for many technology companies”.
“That is regarded by a lot of people across the industry as opening up
the potential for the maintenance, or addition, of vulnerabilities in
networks or services that should in reality be patched, because they
present vulnerabilities for the individual and the service, and for the
company in terms of liabilities and so on,” he said.
“You really have to think forward to the world in five or 10 years’
time, to the sheer range and diversity of equipment that potentially
could be interfered with and the consequences of that. For example, if
a vulnerability is found in a system that means you can automatically
stop an autonomous or a semi-autonomous vehicle, and that vulnerability
is exploited by somebody else for malicious purposes, there is a
serious risk to life for the people involved. In a much more connected
world, with many more connected devices on which we all rely for our
security and safety, we have to think carefully about taking that
additional step.”
Walker also noted that some companies believe mass hacking powers could
have “significant reputational impacts on their business” — by
undermining the security and credibility of their services.
“We are aware of some companies that said that makes them question
where the right jurisdiction might be for them,” he added, implying the
proposed law could lead to an exodus of such companies from the U.K.
Another specific concern about this provision flagged by Walker relates
to open source business models. He suggested there are
“significant problems” for such companies when it comes to meeting
state hacking requirements, given that they do not conceal their source
code and therefore could not conceal state hacking activities from the
open source community.
“Potentially there are significant problems for companies based
fundamentally on an open source business model. I think you have had
evidence from Mozilla in that regard, which I think is quite
instructive. The very nature of its business, which is based on inputs
from the open source community, means that a lot of its code has to be
out in the open. Therefore, meeting any of the equipment interference
requirements would be something it could not conceal from the people
who provide the open source software. A company like that would face
very real specific problems.”
Featured Image: Phil Dolby/Flickr UNDER A CC BY 2.0 LICENSE