The UK’s tech industry could suffer from the so-called Snooper’s Charter, or Investigatory Powers Bill (IP Bill), which would govern the use and oversight of investigatory powers by law enforcement and the security and intelligence agencies. The Snooper’s Charter threatens all our security online, writes Brian Spector, CEO, MIRACL.
Privacy concerns have been pushed to one side and the government is now on the cusp of being granted enormous surveillance capabilities. If they proceed, the proposals could undermine trust in the internet as a whole, from service providers, to device manufacturers, to the apps we use as part of our everyday lives. But it also has serious implications for tech companies who, under the proposals, would be legally bound to help UK police and security services access an individual’s device. What’s more, it represents a major risk to the reputations of British tech companies. The current wording of the bill means that any software made by a British company could soon be perceived to be facilitating government spying on its customers’ data. This could have enormous repercussions by making it much harder for British technology and information security companies to compete globally.
Despite several revisions, the current wording of the IP Bill suggests that it would force tech companies to create back-doors that allow government agencies to access data, or force tech companies to decrypt any potentially sensitive data as deemed necessary by government agencies. The Home Office has a chequered past when it comes to exploiting loosely worded legislation. For example, it can deem any service that connects to the Internet as a CSP, a Communications Service Provider. Since all services and software connect to the Internet these days, this classification can be extended to any business that offers connected services or software. Once classified as a CSP, the Home Office can mandate, through the technical assistance clauses in the legislation, a re-write of that business’ software to include back-doors. While this currently requires judicial approval, the burden of proof is still on the business to prove that any modification of its software would be an undue burden. The government’s unwillingness to categorically deny that it will seek back-doors creates an environment where all software and software-as-a-service offerings released by British companies will have the overhang of suspicion that they could have back-doors created to snoop on customers’ data. This will have major negative consequences for the British software industry as a whole, because any products or services released by a British company will be viewed as untrusted and insecure.
While the UK may be following a path laid out by the USA, not all governments choose to adopt such surveillance strategies. The Dutch government has said publicly that it will not force tech firms to share encrypted communications such as emails with its security agencies. In a letter to the Dutch parliament, the head of the Ministry of Security and Justice, Ard van der Steur, explained the government’s reasons for endorsing strong encryption, which sound quite similar to those cited by Apple’s CEO, Tim Cook. According to a translation of the letter, van der Steur points to the uses of encryption for protecting the privacy of citizens, securing confidential communications by government and businesses, and ensuring the security of internet commerce and banking against cybercrime.
British technology and information security companies are already being courted by the Dutch, Swiss and Luxembourg governments as places to re-domicile their businesses to ensure operational continuity because of their declarative statements on encryption. Many British businesses will respond to this call to lose the overhang of offering insecure products in a globally competitive environment.
Without an explicit ‘No back-doors’ statement written into the legislation, this bill will harm British industry by making it more difficult for British business to compete globally. It will also harm the security of its citizens, and create the kind of “business vs. government” mentality that will make us all less safe. The problem is that the IP Bill wouldn’t just make it easier for the government to spy on UK citizens; it would also weaken the very products and standards that we all use to protect ourselves. The government believes that it can manipulate security in such a way that only they can take advantage of that subversion. But this is illogical. The same vulnerabilities used by intelligence agencies to spy on global citizens can also be used by criminals to steal your passwords. We either enable spying – by either governments or hackers – or we defend against it.
Government spying doesn’t just damage the products and technologies in question, it damages the trust in the internet entirely. Some of the potential applications of the Internet that would benefit citizens and entrepreneurs have already been stymied by unresolved trust issues. E-Voting has stalled and migration to the cloud is suffering. For the internet to continue to grow and flourish, we need to re-establish the foundation for trust. To do this, users need to believe that the systems they use online are not part of a government programme to spy and snoop on its citizens. We all own the Internet, and we need to fix it together.