Written evidence submitted by the Electronic Frontier Foundation (IPB0017)

 

The Electronic Frontier Foundation (EFF) is a global nonprofit, member-supported civil liberties organisation working to protect privacy and free expression in technology, law, policy, and standards in the information society. EFF actively encourages and challenges the executive and judiciary to support privacy and safeguard individual rights as emerging technologies become more prevalent in society. With over 26,000 dues-paying members in 90 countries and over 284,000 mailing-list subscribers world-wide, EFF is a leading voice in the global and national effort to ensure that fundamental liberties are respected in the digital environment.

 

Executive summary

 

        We have a wide range of concerns regarding the Investigatory Powers Bill. For the purpose of this document, we will focus on the consequences to technologists and technology companies of the new duties placed on them by Part 5 (“Equipment Interference”) of the Bill.

        We find significant cause for concern about the broad ramifications of this section as it is currently proposed.

        We believe that the technical changes necessary to provide this information are incompatible with ICT services’ duties to protect the integrity of their systems, and with their duty to their customers.[1]

        We are concerned by Part 5’s targeting of computers that are being used to test, develop, or maintain targeted interference capabilities by other actors, including private companies, as this may include a range of legitimate ICT research and practice.

        We are concerned that the compliance required by Part 5 may prove as intrusive as the obligations for compliance enabled by national security notices, or technical capability notices as described in Chapter 2, with even less oversight or review.

        EFF recommends greater oversight, transparency, and more narrowly-tailored language regarding equipment interference in this bill.

 

Statement of concern

 

Equipment Interference: Hacking by Any Other Name

 

  1. The new equipment interference provisions describe a broad range of potential actions by law enforcement and the intelligence agencies. While the Secretary of State’s explanatory document describes the potential use of this power as “encompassing a wide range of activity from remote access to computers to downloading covertly the contents of a mobile phone during a search”, this barely scratches the surface of what equipment interference may be capable of.

 

  2. The common term for “equipment interference” is “hacking”: breaking into and remotely controlling devices. It permits third parties to transform a general-purpose device such as a modern smartphone, laptop, or desktop computer into a surveillance machine.

 

  3. Equipment interference is an extremely intrusive power, especially in the hands of governments and law enforcement agencies, whose activities are frequently shrouded in secrecy from the oversight of civil society and are only weakly checked by judicial or legislative powers. Equipment interference can give an attacker complete control of a communications device, successfully circumventing all encryption, granting access to all data and metadata on the device (including, but not limited to, passwords for other systems, location data, cameras, and microphones), and allowing the attacker to execute arbitrary malicious code.

 

  4. Because it is so intrusive, equipment interference carries with it a tremendous possibility for abuse, and requires the strictest safeguards and oversight.

 

Section 101 Compliance, A New Burden on Technology Companies and Technologists

 

  5. The practice of equipment interference has, until now, taken place with little or no oversight, but also little in the way of legal obligations on service providers or other technology companies.

 

  6. Previous law (Intelligence Services Act 1994, S.5 and the Police Act 1997, Part III) authorised action by intelligence agencies and law enforcement, but did not compel private parties to assist. Section 101 of the proposed new bill confers for the first time an explicit duty on telecommunication providers to assist with the implementation of an equipment interference order.

 

  7. This requirement widens the capabilities of law enforcement and the intelligence agencies from their own skillset and personnel, to include that of any and all organisations whose resources they might commandeer to execute an order. This represents a significant new responsibility for technology companies, and technologists within the reach of British law.

 

  8. The proposed bill’s definition of who might be included in such compelled actions is unreasonably broad. 101(5) defines “relevant telecommunication provider” as anyone who provides a telecommunication service, or could effectively control a UK telecommunication service (or a service that could be controlled from the UK). The word “relevant” in the bill therefore carries little practical meaning.

 

  9. The limits on what these persons and organisations might be required to do are also left largely undefined. According to 101(2), actions required by warrants served by law enforcement need to be pre-approved by the Secretary of State, and be determined to be necessary and proportionate by him or her. But no such determination is required in the case of intelligence agency warrants. Under these warrants, telecommunication providers must obey any instructions given by or on behalf of the person to whom the warrant is addressed.

 

  10. The only qualification to this broad order is 101(6), which states that a provider “is not required by virtue of this section to take any steps that it is not reasonably practicable [for them]” to take, but with no guidance as to how “reasonably practicable” may be determined.

 

  11. Telecommunications providers are further bound by the Section 102 gag order, which prevents them from conferring with other experts in the field (and possibly even counsel) before executing the orders given by the warrant holder.

 

  12. Note also that “relevant telecommunications provider” may include an engineer or other employee who has control of a telecommunications system. Control is generally interpreted in contexts similar to this as legal control, but equipment interference has historically involved taking control of systems without the legal right to do so.[2]

 

  13. It may be then that a person with control of a telecommunications system may be interpreted here as an individual who has the capability to interfere with a telecommunications system, but not legal control. That is to say, a warrant might be served on British Telecom, for example, to compel them to interfere with a device they neither own nor legally control, such as a phone using their network.

 

  14. Similarly, an order might be served not on British Telecom as the provider of the telecommunication service, say, but upon an individual network administrator within British Telecom who has effective control of its systems, if not the legal right or management permission to use them for the purposes required by the warrant.

 

  15. Such a power to incentivise an individual to secretly act against his employer’s interests is novel in traditional law, but is already common practice within the intelligence community. GCHQ has a section called Humint, “responsible for identifying, recruiting and running covert agents in the global telecommunications industry”.[3] Given existing practice, it is vital to clarify whether such behaviour is intended to be sanctioned within the Investigatory Powers Bill’s framework.

 

  16. To summarise: under the new proposals, GCHQ can compel a wider range of technology companies within reach of UK law (and potentially individuals within those companies) to do anything within their power to transform the hardware or software they control into a surveillance device. They are not allowed to tell anyone what they have done to that technology, and will face criminal penalties if they do so.

 

A Government Power to Deploy Malware, Regardless of Consequence

 

  17. “Equipment interference” carries with it the implication that the power is restricted to impeding normal equipment operations, but it may also include adding unexpected new functionality to a device.

 

  18. A company, or an individual within a company, for instance, might be compelled to insert malicious code into an existing product, for the purposes of targeting equipment “of more than one person or organisation, where the interference is for the purpose of the same investigation or operation” (83(c)), in order to obtain any communications or private information.

 

  19. This code could be placed into any piece of software or hardware accessible by the company or individual. The only constraint is that it must be “reasonably practicable” (101(6)).

 

  20. To give one example of how equipment interference, mediated by a telecommunications provider, might operate: in 2009, a software update was sent to all owners of Blackberry devices using the Etisalat network in the United Arab Emirates. The software required manual agreement by the end-user. If accepted, the new software transformed their mobile phone into a spying device, which, as the manufacturer of Blackberry, Research In Motion (RIM), wrote, “enabl[ed] unauthorised access to private or confidential information stored on the user's smartphone.”

 

  21. RIM warned its own users about this software, because the update masqueraded as a legitimate upgrade to improve performance of the devices. RIM also had a strong incentive to protect its hardware’s reputation as a high-security device, as Blackberry smartphones had been sold to multiple government and international financial institutions. If RIM had been discovered to be the real author of such an update, it would have destroyed its reputation as a guardian of its customers’ data.

 

  22. Under the proposed law, a British company could be compelled to distribute a similar update in order to facilitate the execution of an equipment interference warrant, and ordered to refrain from notifying their customers as RIM did. Such an update could be targeted at an individual, an organisation, or many organisations related to a single investigation.

 

  23. Such updates are eminently “practicable” for companies to deploy, as they already maintain the infrastructure to provide such updates. For proprietary commercial software, it is also theoretically possible to comply with a secrecy requirement regarding the content of these updates.

 

  24. However, because this software runs on end-user systems, there will always be a chance that such a targeted “back door” to private data would be revealed. While a company may be compelled to keep silent regarding the purpose of an update, other external experts can examine the contents of the updates and reverse-engineer their purpose.[4]

 

  25. Such a revelation would effectively destroy a telecommunication provider’s reputation for protecting its end-users and the integrity of its systems; however, the request would still be “reasonably practicable” if practicable is defined merely as something that a company or individual can practically achieve.

 

Destroying Trust Across the Public and Private Sector

 

  26. Because “relevant” appears to have no real power as a limiter in the bill, the law could also be used to involve organisations and individual technologists who might not be expected to be involved in espionage or assisting law enforcement. “Telecommunication providers” also covers a broader segment of the communications industry than might be expected by an everyday understanding of the term.

 

  27. In particular, the expansion of the definition of “telecommunications service” in 193(12) (first introduced in the Data Retention and Investigatory Powers Act) means that individual Internet services such as Facebook, Twitter, Dropbox, Microsoft Office Online, and others are included in the definition. Government departments such as the National Health Service or academic networks could also be included.

 

  28. This means that, under the equipment interference provisions, a large part of the Internet industry, both private and public sector, could be required to act as a delivery mechanism for malware. Under the proposed law, GCHQ could compel any Internet company providing a service to configure their web servers to serve surveillance malware to the devices of those visiting their website. Email providers could be compelled to append surveillance software as attachments to legitimate email.

 

  29. Again, this use of Internet websites to deliver malware is a common practice of criminals and malicious state actors. Yahoo’s online advertising network has been used to insert malicious software,[5] and attackers connected to the Chinese state broke into Amnesty Hong Kong’s website to deliver surveillance software to its visitors,[6] to give just a few examples.

 

  30. No constraints exist in the proposed law to limit what systems might be used for such malware delivery purposes. Indeed, under the duties regarding intelligence orders made under 101(1) (as opposed to 101(2), which requires steps to be approved by the Secretary of State), even the Secretary of State will not be informed of the role or actions of telecommunications providers.

 

The Unacceptably Broad Reach of Section 83(g)

 

  31. A targeted equipment interference warrant may relate to 83(g) “equipment that is being, or may be used, to test, maintain or develop capabilities relating to interference with equipment for the purpose of obtaining communications, private information or equipment data.” This is alarmingly broad language, since “capabilities relating to interference with equipment for the purpose of obtaining communications” etc. covers private companies that build such software for use by governments and law enforcement (such as Boeing or Raytheon), private companies that build deep packet inspection tools for managing networks (such as Cisco Systems or Blue Coat), private security researchers using the tools of the trade to reverse engineer communications systems in order to find vulnerabilities, and academic researchers who do the same (such as the Carnegie Mellon University researchers who recently attracted attention with their research about how to de-anonymise users on the Tor network).

 

  32. Potentially, this section could cover anything from a laptop running standard network debugging tools to source code repositories such as GitHub, provided that they meet the other requirements for a warrant. It is unclear what scenario this language is intended to address. It may be intended to allow GCHQ to disable equipment interference that may be targeted at UK persons, but as written it puts significant academic and security research at risk.

 

Conclusions

 

  33. The broad scope of equipment interference warrants, the range of affected providers who may be compelled to assist, and the large set of potential targets, make this power one of the most potentially intrusive in the new bill. It however lacks many of the review and oversight mechanisms attached to other powers.

 

  34. Without sufficient oversight, these powers would undermine trust in a broad range of online services, technology companies, academic research, and government services. Without clarity on the limits of such powers, global companies may choose to move their services out of the reach of UK individuals and organisations.

 

  35. At the very least, the equipment interference provisions must contain the same level of oversight, technical advice, and review as national security notices and technical capability notices in Chapter 2, in order to prevent practices that might not survive such review from being smuggled into use through Part 5.

 

  36. In addition, we recommend that equipment interference should continue to be limited to the capabilities of the intelligence services and law enforcement, and that other technology organisations or technologists should not be compelled to modify their own or others’ equipment separately from the procedures in Chapter 2 of the bill.

 

Outstanding questions

 

Q1: What is the practical meaning of “relevant” in the bill’s definition of “relevant telecommunication providers” (101(5))?

 

Q2: Does it mean that the person must have the targeted equipment under their legal control, or only their effective control? Can providers be compelled under law to interfere with equipment that they do not themselves own or legally control?

 

Q3: Can individuals be compelled to assist in complying with the warrant to interfere with equipment that they do not themselves own or legally control?

 

Q4: What oversight of necessity and proportionality, and of consistent process and requests, is available for warrants granted under sections 84, 86 and 87, if the checks in 101(2) and 101(4) do not apply?

 

Q5: What are the criteria for what is “reasonably practicable” in 101(6)? Is it based on current capabilities, financial burden, or consequences for the provider if the co-operation is revealed?

 

Q6: How far does the 102 gag order extend? Are providers allowed to discuss the actions they are required to take with counsel? With external technical experts? With internal staff?

 

Q7: What are the practical differences between the powers to order telecommunication providers to comply with warrants under Part 5, and the compelled actions under national security notices and technical capability notices operating under National Security Notices (S.188-)?

 

Q8: What process for challenge and redress will telecommunication providers have for demands that are unreasonable or impracticable?

 

Q8b: Is this process available only post facto?

 

Q9: Given that refusing to comply with an order on the basis of its practicality may be seen as “prejudicial to … national security, the prevention or detection of serious crime, or the economic well-being of the United Kingdom”, or as something that would “jeopardise the success of an intelligence or security operation or law enforcement operation” (169(5)), or “duly impede the operational effectiveness of an intelligence service, a police force, a government department or Her Majesty’s forces” (169(6)), can the Judicial Commissioners ever refuse to authorise or revoke a warrant on the basis of its impracticality, or lack of necessity or proportionality?

 

Q10: If a demand is successfully challenged as impracticable, what requirements are in place on the Secretary of State or owners of a warrant to note this in future orders to other telecommunication providers?

 

Q11: Will the imposition of an order that was previously determined to be impracticable onto another telecommunication provider (who chooses not to challenge the order) be deemed an error under S.171? Or will the acceptance of a particular order by a single telecommunication provider establish that practice as reasonable and practicable for all similar telecommunication providers?

 

Q12: Does GCHQ have any guidelines for deciding whether to stockpile a 0-day vulnerability that it may use to facilitate future equipment interference?

 

Q13: Will GCHQ report on its stockpile of 0-days in the same manner as the NSA has done?[7]

 

Q14: What kind of data is section 83(g) meant to obtain that cannot be obtained under other authorities granted in this bill?

 

November 2015


[1] Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications, http://dspace.mit.edu/handle/1721.1/97690. Accessed 11-23-15.

[2] See, for instance, footnote 5 in the Draft Equipment Interference Code of Practice, which states: “‘Interference’ for these purposes excludes any interference which takes place with the consent of a person having the right to control the operation or the use of the equipment.” https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/401863/Draft_Equipment_Interference_Code_of_Practice.pdf. Accessed 11-25-15.

 

[3] “Revealed: how US and UK spy agencies defeat internet privacy and security”, http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security. Accessed 11-25-15.

 

[4] Determining the function of software updates is a frequent practice of security researchers; see https://community.qualys.com/blogs/securitylabs/2011/08/23/patch-analysis-for-ms11-058. Accessed 11-25-15.

 

[5] “Hackers use Yahoo ad network to spread malware to hundreds of millions of internet users”, http://www.ibtimes.co.uk/hackers-use-yahoo-ad-network-spread-malware-hundreds-millions-internet-users-1513853. Accessed 11-25-15.

[6] “Multiple Human Rights, Foreign Policy Sites Hacked”, http://krebsonsecurity.com/tag/amnesty-international-hong-kong/. Accessed 11-25-15.

 

[7] Vulnerabilities Equities Process With Redactions, https://www.eff.org/document/vulnerabilities-equities-process-redactions. Accessed 11-25-15.