On May 4th, the Register reported that the UK government has secretly drawn up details of its new bulk surveillance powers – giving itself the ability to monitor Brits' live communications and insert encryption backdoors.
Under its draft technical capability notices paper, all communications companies – including phone networks and ISPs – will be obligated to provide real-time access to the full content of any named individual's communications within one working day, as well as any "secondary data" relating to that person.
That includes encrypted content – which means that UK organizations will not be allowed to introduce true end-to-end encryption of their users' data but will be legally required to introduce a backdoor to their systems so the authorities can read any and all communications.
It does seem to me that the insistence of governments on backdoors – in light of the unanimous agreement of cybersecurity specialists that they don't work and never remain secret – is both tiresome and frightening. This act of stripping away safeguards on people's private data is also happy news for hackers, criminals, and anyone else who wants to snoop on the British people.
More scary still, communication providers will be required to make bulk surveillance possible by introducing systems that can provide real-time interception of 1 in 10,000 of their customers. In other words, the UK government will be able to simultaneously spy on 6,500 folks in the UK at any given moment.
According to the draft, telcos and other communication platforms must "provide and maintain the capability to disclose, where practicable, the content of communications or secondary data in an intelligible form and to remove electronic protection applied by or on behalf of the telecommunications operator to the communications or data."
The live surveillance of individuals will require authorization from secretaries of state, overseen by a judge appointed by the prime minister. And there are a few safeguards built into the system following strong opposition to earlier drafts of the Investigatory Powers Act.
The technical capability notices paper has only been provided to a few companies – mostly ISPs and telcos – on a short four-week consultation, but a copy of the draft found its way to the Open Rights Group, which of course made it public. Thank you for the heads-up!
According to the document, it has already passed through the UK's Technical Advisory Board, which comprises six telco representatives – currently O2, BT, BSkyB, Cable and Wireless, Vodafone and Virgin Media – plus six people from the government's intercepting agencies, and a board chairman. That means that the contents have already been largely agreed to by most of the organizations that have been included in the closed consultation.
It is unclear whether the Home Office intends to make it available for public comment after that time or whether it will seek to push it through the legislature before anyone outside the consultation group has an opportunity to review it. I can't imagine the Home Office wants public comment, but we'll see.
The rules will have to be formally approved by both houses of Parliament before becoming law. It would be most unsettling to this Anglophile to see the UK moving in such an Orwellian direction.