The equipment interference provisions in the draft Investigatory Powers Bill would allow the intelligence and security services, police and the armed forces to hack into devices to obtain data, such as communications, when they have a warrant to do so. The government argues that the hacking provisions – part of the wider internet surveillance legislation – are needed so that law enforcement can intercept the communications of criminals even when they are encrypted.
Tech companies including Apple, Microsoft, Google and Facebook have criticized plans by the UK government for a new law that would allow law enforcement to hack computer systems to access data.
However tech companies have warned that the plan would set a dangerous precedent that would be followed by other countries, will damage trust in their services and may be impossible to implement anyway.
In a combined submission to the committee of MPs examining the legislation, technology giants Facebook, Google, Microsoft, Twitter and Yahoo! warned this provision would be a step in the wrong direction: “To the extent this could involve the introduction of risks or vulnerabilities into products or services, it would be a very dangerous precedent to set, and we would urge your government to reconsider,” they said.
They warned that the legislation doesn’t currently contain any requirements to protect network integrity and cyber security or any requirement for agencies to inform companies of vulnerabilities that could later be exploited by others.
“We urge the government to make clear that actions taken under authorization do not introduce new risks or vulnerabilities for users or businesses” they said.
In its submission Apple said the plans would put tech companies in a very difficult position. “For the consumer in, say, Germany, this might represent hacking of their data by an Irish business on behalf of the UK state under a bulk warrant – activity which the provider is not even allowed to confirm or deny. Maintaining trust in such circumstances will be extremely difficult.”
It said there is a need for much greater clarity as to how the powers in the bill will be applied especially because this legislation will set a precedent “which, if followed by other countries, could endanger the privacy and security of users in the UK and elsewhere.”
Mobile operator Vodafone warned that equipment interference elements are perhaps the most contentious of all the powers within the scope of the draft bill.
“The obligations relating to equipment interference have the potential to significantly undermine trust in the United Kingdom’s communications service providers”, it warned.
It said equipment interference amounts to a “major imposition on the freedom of an operator to design and operate its services in the way it sees fit” and said that under the powers in the bill, service providers could be “under secret obligations to operate a backdoor in the equipment or services provided to customers”, and questioned whether such an “intrusive power” is necessary at all.
Vodafone adds that any equipment interference requirement should not force companies to reduce their own security standards, something important in an environment where operators face regular attacks from third parties. It warned “any weakening of our network or service defences, which protect critical national infrastructure and attempt to maximise the availability of essential services, would be highly undesirable.”
The telecoms operator also warned that the legislation as it stands could be used to require an operator to be actively involved in an equipment interference operation. Instead of simply providing data or implementing an interception warrant, this could mean companies would be required to “actively seek out vulnerabilities for exploitation, or to develop vulnerabilities and exploits”, it warned.
“Turning network operator employees into spies and hackers is manifestly inappropriate, and the framework should be modified to expressly limit the requirement to assist to exclude this type of requirement,” it said.
Firefox maker Mozilla warned that the “bulk systems intrusion” provisions in the bill could be used to “compel a software developer, like Mozilla, to ship hostile software, essentially malware, to a user — or many users — without notice.”
The company said this is “problematic” from both philosophical and practical perspectives. Because Mozilla’s products are open source any user has access to the source code, and may freely modify and redistribute it, which means changes to its software are public. “Were we compelled to create a version of Firefox that was modified to permit surreptitious intrusion subject to a government order, the modifications could and would be discovered by the Mozilla community,” it warned.
But the issue of hacking is not the only concern raised about the proposed legislation. Facebook, Google, Microsoft, Twitter and Yahoo! also said they were concerned that the UK’s insistence that its laws should apply to companies based in other countries could create conflicting legal obligations and that an “increasingly chaotic international legal system will leave companies in the impossible position of deciding whose laws to violate”. The UK should make it clear that no company would be required to comply with a warrant if doing so would contravene its legal obligations in other jurisdictions, they said.
In its submission the United Nations human rights rapporteurs warned that the draft bill could result in mass surveillance “that lacks adequate independent oversight and transparency that will ultimately stifle fundamental freedoms and exert a chilling effect on the rights to freedom of expression and freedom of association.”