Electronic Frontier Foundation—written evidence (IPB0119)

 

December 21, 2015

 

The Electronic Frontier Foundation (EFF) is a global nonprofit, member-supported civil liberties organisation working to protect privacy and free expression in technology, law, policy, and standards in the information society. EFF actively encourages and challenges the executive and judiciary to support privacy and safeguard individual rights as emerging technologies become more prevalent in society. With over 26,000 dues-paying members in 90 countries and over 284,000 mailing-list subscribers world-wide, EFF is a leading voice in the global and national effort to ensure that fundamental liberties are respected in the digital environment.

 

We have a wide range of concerns regarding the Investigatory Powers Bill, which we have laid out in our joint submission with groups including Open Tech Institute, Center for Democracy and Technology, Access Now, and the American Civil Liberties Union. For the purpose of this individual submission we will focus on the sections of the bill covering equipment interference, bulk and targeted, introduced in Part 5 and Part 6, Chapter 3.

 

Executive Summary

 

We find significant cause for concern about equipment interference, both bulk and targeted. In particular, we draw the committee's attention to the following:

The fundamental lack of oversight and unlimited scope of actions that can be taken or compelled by the various law enforcement and intelligence authorities under the draft's equipment interference powers must be amended and addressed in primary legislation. The current proposed statute provides so little ongoing insight into what equipment interference presently consists of, or limits on what it may become, that we believe secondary legislation or codes of practice will be unable to pierce the secrecy and ambiguity embedded in the bill's current framework.

 

We strongly urge the committee to push for equipment interference to be separated into its own legislation that can be more carefully considered. Without better safeguards, “future-proofing” these powers will simply future-proof equipment interference from Parliamentary and even executive oversight, while undermining public confidence in digital communications, in the integrity of the global communications infrastructure, and in the security of people's own property and possessions.

 

 

Statement of concern

 

Equipment Interference: Hacking by Any Other Name

 

  1. The new equipment interference provisions describe a broad range of potential actions by law enforcement and the intelligence agencies. While the Secretary of State’s explanatory document describes the potential use of this power as “encompassing a wide range of activity from remote access to computers to downloading covertly the contents of a mobile phone during a search”, this barely scratches the surface of what equipment interference may be capable of.

 

  2. The common term for “equipment interference” is “hacking”: breaking into and remotely controlling devices. It permits third parties to transform a general-purpose device such as a modern smartphone, laptop, or desktop computer into a surveillance machine.

 

  3. Equipment interference is an extremely intrusive power, especially in the hands of governments and law enforcement agencies, whose activities are frequently shrouded in secrecy from the oversight of civil society and are only weakly checked by judicial or legislative powers. Equipment interference can give an attacker complete control of a communications device, circumventing all encryption (data is read on the device itself, after it has been decrypted), granting access to all data and metadata on the device (including, but not limited to, passwords for other systems, location data, cameras, and microphones), and allowing the attacker to execute arbitrary malicious code. It can be abused to plant incriminating evidence, deploy persistent malware, or rewrite existing data to any end.

 

  4. Because it is so intrusive, equipment interference carries with it a tremendous possibility for abuse, and requires the strictest safeguards and oversight.

 

Bulk and Bulkier Equipment Interference

 

  5. The current bill subdivides equipment interference into “targeted” and “bulk” interference. This is a potentially misleading description of the division created by the bill. A look at the set of potential subject-matter for targeted warrants in S.83 demonstrates that they may be applied to a wide set of equipment and circumstances, including “equipment that is being, or may be being used, for the purposes of a particular activity or activities of a particular description”. Targeted equipment interference is not targeted to a person; equipment affected by “targeted” interference may also be used by many other, innocent users.

 

  6. Bulk interference contains none of the subject-matter restrictions of S.83; instead, bulk equipment interference facilitates the obtaining of overseas-related communications, private information, and equipment data (S.135(2)). However, the broad range of intrusive actions that might be taken under both targeted and bulk interference remains the same. Only the grounds of the warrant are different.

 

Grounds, Conduct and Steps: The Invisible Damage of Equipment Interference Warrants

 

  7. This brings us to one of the problems with the oversight and authorisation system built into the current bill. The Secretary of State, Scottish Ministers, law enforcement chiefs, and Judicial Commissioners are involved in determining whether the warrant is necessary on the grounds defined as appropriate by the bill, and whether the conduct authorised by the warrant is proportionate to what is sought to be achieved (see Ss.84, 86, 87, and 89).

 

  8. This decision is based on the contents of the warrant. The contents of a targeted warrant are described in S.93(4) as “(a) the type of equipment that is to be interfered with, and (b) the conduct that the person to whom the warrant is addressed is authorised to take.”

 

  9. However, the powers in targeted equipment interference warrants extend much further than just the conduct of the warrant-holder. As S.81(5)(b) notes, a warrant also authorises conduct by any other person, and includes, via S.101, a power to require compliance from communications service providers (CSPs). The recipients of bulk interference warrants have similar powers under S.135(4) and S.145(4). What process ensures that the conduct of these other entities (not warrant-holders) is necessary and proportionate? How would accountability be established and routinised as a matter of democratic practice?

 

  10. One of the greater risks to the public interest and the integrity of digital communications arises from these third-party requirements. This is because equipment interference can include such a wide range of possible actions, including the re-engineering of software to undermine its own privacy protections and transform it into a surveillance system. The ultimate actions taken by the authorities and CSPs are not required to be described within the warrant, and the safeguards of the bill are silent on limits to these actions, or on requirements to limit potential side-effects on CSPs, their other customers, or the international communications infrastructure as a whole.

 

  11. The bill's safeguards concern themselves with the grounds of the warrant, and a vague description of conduct. But it is the individual technical steps required from CSPs and third parties that may well pose the most risk of overreach.

 

 

Section 101 Compliance: A New Burden on Technology Companies and Technologists

 

  12. Previous law (Intelligence Services Act 1994, S.5 and the Police Act 1997, Part III) authorised action by intelligence agencies and law enforcement, but did not compel private parties to assist. S.101 and S.145(4) of the proposed new bill confer for the first time an explicit duty on telecommunication providers to assist with the implementation of an equipment interference warrant.

 

  13. This requirement widens the capabilities of law enforcement and the intelligence agencies from their own skillset and personnel to include those of any and all organisations whose resources they might commandeer to execute a warrant. This represents a significant new responsibility for technology companies and technologists within the reach of British law.

 

  14. The proposed bill’s definition of who might be included in such compelled actions is unreasonably broad. 101(5) defines “relevant telecommunication provider” as anyone who provides a telecommunication service, or could effectively control a UK telecommunication service (or a service that could be controlled from the UK). The word “relevant” in the bill therefore carries little practical meaning.

 

  15. The limits on what these persons and organisations might be required to do are also left largely undefined. According to 101(2), the steps required of CSPs by warrants served by law enforcement need to be pre-approved by the Secretary of State, and be determined to be necessary and proportionate by him or her. But no such determination is required in the case of targeted equipment interference warrants presented by the intelligence agencies. Under these warrants, telecommunication providers must obey any instructions given by or on behalf of the person to whom the warrant is addressed, but these steps are not described or included in a S.84, S.86 or S.87 warrant. (See the different documentation requirements described in S.101(1) and S.101(2), and the limited scope of S.101(4).)

 

  16. The only qualification to this broad order is 101(6), which states that a provider “is not required by virtue of this section to take any steps that it is not reasonably practicable [for them]” to take, but offers no guidance as to how “reasonably practicable” may be determined, how providers might resolve disputes about practicability, or how users will be able to hold anyone accountable for rights violations associated with such steps.

 

  17. Telecommunications providers are further bound by the Section 102 gag order, which may prevent them from conferring with other experts in the field, with other telecommunications providers that may have received similar orders, and possibly even with counsel, before executing the orders given by the warrant holder.

 

  18. Note also that “relevant telecommunications provider” may include an engineer or other employee who has control of a telecommunications system. Control is generally interpreted in contexts similar to this as legal control, but equipment interference by intelligence agencies has historically involved taking control of systems without any legal right to do so2.

 

  19. It may be, then, that a person with control of a telecommunications system is interpreted here as an individual who has the capability to interfere with a telecommunications system, but not legal control. That is to say, a warrant might be served on British Telecom, for example, to compel it to interfere with a device it neither owns nor legally controls, such as a phone using its network, in order to access that phone's voicemail.

 

  20. Similarly, an order might be served not on British Telecom as the provider of the telecommunication service, say, but upon an individual network administrator within British Telecom who has effective control of its systems, if not the legal right or management permission to use them for the purposes required by the warrant.

 

  21. Such a power to incentivise an individual to secretly act against his employer’s interests is novel in traditional law, but is already common practice within the intelligence community. GCHQ has a section called Humint, “responsible for identifying, recruiting and running covert agents in the global telecommunications industry”3. Given existing practice, it is vital to clarify whether such behaviour is intended to be sanctioned within the Investigatory Powers Bill’s framework.

 

  22. To summarise: under the new proposals, GCHQ can compel a wider range of technology companies within reach of UK law (and potentially individuals within those companies) to do anything within their power to transform the hardware or software they control into a surveillance device. They are not allowed to tell anyone what they have done to that technology, and will face criminal penalties if they do so.

 

 

A Government Power to Deploy Malware, Regardless of Consequence

 

  23. “Equipment interference” carries with it the implication that the power is restricted to impeding normal equipment operations, but the power may also include adding unexpected new functionality to a device.

 

  24. A company, or an individual within a company, for instance, might be compelled to insert malicious code into an existing product for the purposes of targeting equipment “of more than one person or organisation, where the interference is for the purpose of the same investigation or operation” (83(c)), in order to obtain any communications or private information.

 

  25. This code could be placed into any piece of software or hardware accessible by the company or individual. The only constraint is that it must be “reasonably practicable” (101(6)).

 

  26. The limit placed on both bulk and targeted equipment interference—that such acts do not violate S.2(1) (as in S.81(6) and S.135(5))—is no effective restraint, because the data collected would not necessarily be transmitted over a telecommunications network. Indeed, the most intrusive forms of data collection, including the use of laptops, smartphones and other electronic equipment to spy on their users, would not be excluded by this provision—especially when stored communications are expressly permitted to be collected, as they are in S.81(6) and S.135(5).

 

  27. To give one example of how equipment interference, mediated by a telecommunications provider, might operate: in 2009, a software update was sent to all owners of BlackBerry devices using the Etisalat network in the United Arab Emirates. The software required manual agreement by the end-user. If accepted, the new software transformed their mobile phone into a spying device, which, as the manufacturer of BlackBerry, Research In Motion (RIM), wrote, “enabl[ed] unauthorised access to private or confidential information stored on the user's smartphone.”

 

  28. RIM warned its own users about this software, because the update masqueraded as a legitimate upgrade to improve the performance of the devices. RIM also had a strong incentive to protect its hardware’s reputation as a high-security device, as BlackBerry smartphones had been sold to multiple governments and international financial institutions. If RIM had been discovered to be the real author of such an update, it would have destroyed its reputation as a guardian of its customers’ data.

 

  29. Under the proposed law, a British company could be compelled to distribute a similar update in order to facilitate the execution of an equipment interference warrant, and ordered to refrain from notifying its customers in the way that RIM did. Such an update could be targeted at an individual, an organisation, or many organisations related to a single investigation.

 

  30. Such updates are eminently “practicable” for companies to deploy, as they already maintain the infrastructure to provide such updates. For proprietary commercial software, it is also theoretically possible to comply with a secrecy requirement regarding the content of these updates.

 

  31. However, because this software runs on end-user systems, there will always be a chance that such a targeted “back door” to private data will be revealed. While a company may be compelled to keep silent regarding the purpose of an update, external experts can examine the contents of the update and reverse-engineer its purpose4.

 

  32. Such a revelation would effectively destroy a telecommunication provider’s reputation for protecting its end-users and the integrity of its systems; however, the request would still be “reasonably practicable”, if practicable is defined merely as something that a company or individual can practically achieve.

 

  33. Note too that a broad distribution of such spyware might be more “reasonably practicable” than a targeted distribution. It may often be easier and more covert for a company with an existing software update infrastructure to roll out an update to every user than to distribute an update to a single user or set of users.

 

 

Destroying Trust Across the Public and Private Sector

 

  34. Because “relevant” appears to have no real power as a limiter in the bill, the law could also be used to involve organisations and individual technologists who might not be expected to be involved in espionage or in assisting law enforcement. “Telecommunication providers” also covers a broader segment of the communications industry than might be expected from an everyday understanding of the term.

 

  35. In particular, the expansion of the definition of “telecommunications service” in 193(12) (first introduced in the Data Retention and Investigatory Powers Act) means that individual Internet services such as Facebook, Twitter, Dropbox and Microsoft Office Online, content delivery networks such as Akamai, Fastly and CloudFlare, and others are included in the definition. Government departments such as the National Health Service, or academic networks, could also be included.

 

  36. This means that, under the equipment interference provisions, a large part of the Internet industry, both private and public sector, could be required to act as a delivery mechanism for malware. Under the proposed law, GCHQ could compel any Internet company providing a service to configure its web servers to serve surveillance malware to the devices of those visiting its website. Email providers could be compelled to append surveillance software as attachments to legitimate email.

 

  37. Again, this use of Internet websites to deliver malware is a common practice of criminals and malicious state actors. Yahoo’s online advertising network has been used to insert malicious software5, and attackers connected to the Chinese state broke into Amnesty Hong Kong’s website to deliver surveillance software to its visitors,6 to give just two examples.

 

  38. No constraints exist in the proposed law to limit what systems might be used for such malware delivery purposes. Indeed, under the duties regarding intelligence orders made under 101(1) (as opposed to 101(2), which requires steps to be approved by the Secretary of State), even the Secretary of State or Judicial Commissioners will not be informed of the precise steps taken by telecommunications providers. It is therefore difficult to understand how either ex ante or ex post oversight and accountability can be implemented.

 

 

A Note on State-Deployed Malware

 

  39. Whether or not equipment interference requires the enforced co-operation of third parties, it will often require the exploitation of security flaws in the targeted equipment. For instance, if malware is distributed by email or via the web, it will first need to evade the protections of any anti-virus program, then defeat the security of the web browser or email client, and finally the security defences of the underlying operating system.

 

  40. States are already known to bid for security flaws (or “vulnerabilities”) on the open market, competing with vendors and others to obtain confidential information on recently discovered problems with software.

 

  41. For governments to successfully use these vulnerabilities, they must keep them secret from the companies responsible for securing the affected systems, so that the underlying flaw is not fixed before it can be exploited. (Vulnerabilities that are not yet known to, or fixed by, the responsible vendors are called “0-day” vulnerabilities.)

 

  42. This places governments practising equipment interference in direct opposition to the overall security and integrity of the global communications infrastructure. To maintain an equipment interference capability, governments will need to prevent vendors and researchers from fixing dangerous security flaws.

 

  43. If the UK government insists that equipment interference, including the deployment of malware and the undermining of vendor and user security, is a legitimate function of the state, the bill should also include provisions to ensure transparency and oversight over the collection of 0-days and similar tools, and oversight to limit this practice's effect on the overall security and integrity of communications infrastructure.

 

 

Bulk and Targeted Equipment Interference Will Require Much Stronger and Equivalent Restrictions and Oversight

 

  44. All of the above examples apply equally to bulk and targeted equipment interference, demonstrating that the division between these two powers in the bill is unrelated to the level of oversight and the clearly-defined limits that both powers require.

 

  45. Even the pre-existing division between bulk and targeted equipment interference is not as compartmentalised as the bill would imply. Part 5 speaks of a “targeted examination warrant” that would provide for access to material obtained under a bulk equipment interference warrant (see S.81(9)). No description, safeguards or limits are given for this warrant. Either the existence of targeted examination warrants under Part 5 is a drafting error and should be removed, or much stronger controls should be placed on the examination of material gathered under a bulk equipment interference warrant beyond its original grounds.

 

 

The Unacceptably Broad Reach of Section 83(g)

 

  46. A targeted equipment interference warrant may relate to 83(g) “equipment that is being, or may be used, to test, maintain or develop capabilities relating to interference with equipment for the purpose of obtaining communications, private information or equipment data.” This is alarmingly broad language, since “capabilities relating to interference with equipment for the purpose of obtaining communications” etc. covers the work of private companies that build such software for use by governments and law enforcement (such as Boeing or Raytheon), private companies that build deep packet inspection tools for managing networks (such as Cisco Systems or Blue Coat), private security researchers using the tools of the trade to reverse engineer communications systems in order to find vulnerabilities, and academic researchers who do the same (such as the Carnegie Mellon University researchers who recently attracted attention with their research on how to de-anonymise users on the Tor network).

 

  47. Potentially, this section could cover anything from a laptop running standard network debugging tools to source code repositories such as GitHub, provided that they meet the other requirements for a warrant. This section may be intended to allow GCHQ to disable equipment interference that may be targeted at UK persons, but as written it puts significant academic and security research at risk.

 

 

Clearing Up the Mess: Amelioration, Remuneration and Notification

 

  48. Both targeted and bulk equipment interference provisions envisage the end or termination of an equipment interference warrant. Warrants can expire (Ss.94-95 and Ss.141-142), be cancelled (S.98 and S.144) or be retroactively refused by the Judicial Commissioners (S.92).

 

  49. The assumption within these procedures is that ending a warrant restores the equipment to its previous, uninterfered-with, state. The parallel is with a surveillance warrant, where once the surveillance is concluded, no additional steps need to be taken.

 

  50. This is not true of equipment interference. At the very least, the bill should make clear that malware installed or distributed under the warrant must be removed, that services and equipment must be restored to their initial conditions, and that CSPs must be required (and possibly remunerated) to restore the privacy and security of their services. The process for terminated warrants should include statutorily required post-hoc reviews.

 

  51. Notification should also be considered an integral part of restoring the status quo after a warrant has expired or been revoked, particularly if it has done so as a result of a Judicial Commissioner rejecting an emergency warrant.

 

  52. In general, the Investigatory Powers Bill is silent on notification, either to innocent parties or to third parties commandeered to interfere with their own or others' equipment. The committee should include obligatory notification requirements, as a vital tool of transparency and to prevent overreach.

 

 

Limitations on Realtime Wiretaps

 

  53. S.81(2) appears to indicate that an equipment interference warrant can be used to obtain a very broad range of data (i.e. “communications”). S.81(6) attempts to exclude the interception of communications that are not “stored communications” (i.e. realtime wiretaps). However, this intention appears to be thwarted by language that only places these limits on communications obtained under S.81(3), and not on those obtained under S.81(2).

 

The James Bond Clause

 

  54. S.81(5) and S.106(5) state that a targeted equipment interference warrant authorises “any conduct that is necessary to do what is expressly authorized in the warrant.” Subsequent language only goes on to add to the list of conduct that is allowed, rather than providing any sort of narrowness or specificity. This section fails to specify who is empowered to decide what constitutes “necessary” conduct. Furthermore, there is no indication of whether “necessary conduct” must fall within the bounds of the law, or whether this section is meant to grant immunity from prosecution for conduct carried out in the course of executing the warrant. It also makes no mention of the interaction between UK law and the law of the country where such conduct may take place. As currently written, S.81(5) could be interpreted as granting the sort of powers normally associated with the fictional world of James Bond's intelligence services, rather than conduct within the rule of law.

 

Conclusions

 

  55. The broad scope of equipment interference warrants, the range of affected providers who may be compelled to assist, and the large set of potential targets make this power one of the most potentially intrusive in the new bill. It nevertheless lacks many of the review and oversight mechanisms attached to other powers.

 

  56. Without sufficient oversight, these powers would undermine trust in a broad range of online services, technology companies, academic research, and government services. Without clarity about the limits of such powers, global companies would choose to move their services out of the reach of UK individuals and organisations.

 

  57. The bill's division between bulk and targeted equipment interference is unclear and porous. Both powers create substantially new capabilities to interfere with and damage communications services and to affect innocent users. Both should require equally high levels of oversight and review.

 

  58. This review must extend to the steps taken by CSPs and others to implement the warrant. Such actions must be anticipated and documented in the warrant, and reviewed by an independent technical and civil liberties body.

 

  59. The current language of the bill means that such oversight is impossible. This will not be amendable with secondary legislation or codes of practice, since the most dangerous elements of the power are currently hidden from review by Parliament, the judiciary, and in some cases, even the Government itself.

 

  60. Equipment interference is a deeply intrusive power, with no history of successful oversight or control. Rather than abandoning specific language in the pursuit of making this power “future-proof”, Parliament should carefully consider whether such a power can ever be proportionate.

 

  61. We urge the committee to consider separating it from the rest of the legislation for closer consideration, under a more reasonable time-frame.

 

Outstanding questions

 

Q1: What is the practical meaning of “relevant” in the bill’s definition of “relevant telecommunication providers” 101(5)?

 

Q2: Does “control” in 101(5) mean that the person must have the targeted equipment under their legal control, or only under their effective control? Can providers be compelled under law to interfere with equipment that they do not themselves own or legally control?

 

 

Q3: Can individuals be compelled to assist in complying with the warrant to interfere with equipment that they do not themselves own or legally control?

 

Q4: What oversight of necessity and proportionality, and what consistency of process and requests, is available for steps taken under warrants granted under sections 84, 86 and 87, if the checks in 101(2) and 101(4) do not apply?

 

Q5: Can the descriptions of all warrants be expanded to include documentation of the conduct required of third-parties, including CSPs?

 

Q6: Can the consideration of “necessary” and “proportionate” be similarly expanded to include the steps taken by CSPs and all other third-parties?

 

Q7: What are the criteria for what is “reasonably practicable” in 101(6)? Is it based on current capabilities, financial burden, or consequences for the provider if the co-operation is revealed?

 

Q8: How far does the 102 gag order extend? Are providers allowed to discuss the actions they are required to take with counsel? With external technical experts? With internal staff?

 

Q9: What practical limits (with examples) do S.81(6) and S.135(5) place on equipment interference warrants?

 

Q10: What are the practical differences between the power to order telecommunication providers to comply with warrants under Part 5, and the actions compelled under national security notices and technical capability notices (S.188 and following)?

 

Q11: What process for challenging and redress will telecommunication providers have for demands that are unreasonable or impracticable?

 

Q11b: Is this process available only post facto?

 

Q12: Given that refusing to comply with an order on the basis of its practicality may be seen as “prejudicial to … national security, the prevention or detection of serious crime, or the economic well-being of the United Kingdom”, or as jeopardising “the success of an intelligence or security operation or law enforcement operation” (169(5)), or as unduly impeding “the operational effectiveness of an intelligence service, a police force, a government department or Her Majesty’s forces” (169(6)), can the Judicial Commissioners ever refuse to authorise, or revoke, a warrant on the basis of its impracticality, or of the lack of necessity or proportionality of the conduct it requires or the acts it compels?

 

Q13: If a demand is successfully challenged as impracticable, what requirements are in place on the Secretary of State or owners of a warrant to note this in future orders to other telecommunication providers?

 

Q14: Will the imposition of an order that was previously determined to be impracticable, onto another telecommunication provider (who chooses not to challenge the order), be deemed an error under S.171? Or will the acceptance of a particular order by a single telecommunication provider establish that practice as reasonable and practicable for all similar telecommunication providers?

 

Q15: Does GCHQ have any guidelines for deciding whether to stockpile a 0-day vulnerability that they may use to facilitate future equipment interference?

 

Q16: Will GCHQ report on its stockpile of 0-days in the same manner as the NSA has done?

 

Q17: What kind of data is section 83(g) meant to obtain that cannot be obtained under other authorities granted in this bill?

 

Q18: What provisions will be made to restore interfered equipment to its initial state?

 

Q19: Who will be notified in the event of the expiring, cancellation or invalidating of an equipment interference warrant?

 

Q20: What kinds of targets are appropriate for equipment interference under S. 83(g)? Security researchers? Anti-virus companies? Academic institutions?

 

Q21: Are there any limits to what could comprise a “relevant system” in S. 82? Can you give some examples?

 

Q22: Are there any limits to what constitutes “necessary action” in S 81(5)? Does action have to be within the limits of the law? If not, does this language grant immunity from prosecution?

 

21 December 2015