UK Surveillance Consultation Suggests It Is End-Point Security, Not Encryption, That Cameron Wants To Subvert

from the Snowden-was-right,-again dept

A few weeks ago, we reported on David Cameron's apparent call to undermine all encryption in the UK. But as we noted then, it was not clear from his offhand remark what exactly he meant, or how he planned to implement the idea. A new consultation document on the legal framework of surveillance in the UK provides a clue, as spotted by The Guardian:

    Britain's security services have acknowledged they have the worldwide capability to bypass the growing use of encryption by internet companies by attacking the computers themselves.

    The Home Office release of the innocuously sounding "draft equipment interference code of practice" on Friday put into the public domain the rules and safeguards surrounding the use of computer hacking outside the UK by the security services for the first time.

    The publication of the draft code follows David Cameron's speech last month in which he pledged to break into encryption and ensure there was no "safe space" for terrorists or serious criminals which could not be monitored online by the security services with a ministerial warrant, effectively spelling out how it might be done.

That certainly makes sense. As Edward Snowden said during an early Q&A:

    Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.

The new consultation document from the UK's Home Office seems to confirm that GCHQ can also find ways around it. It is one of two draft "codes of practice" for the main UK law governing surveillance, the Regulation of Investigatory Powers Act 2000 (RIPA). Although it's welcome that more details about the legislative framework are being provided, the way that is being done is problematic, as Carly Nyst, legal director of Privacy International, points out in the Guardian article:

    "GCHQ cannot legitimise their unlawful activities simply by publishing codes of conduct with no legislative force. In particular, the use by intelligence agencies of hacking -- an incredibly invasive and intrusive form of surveillance -- cannot be snuck in by the back door through the introduction of a code of conduct that has undergone neither parliamentary nor judicial scrutiny. It is surely no mistake that this code of conduct comes only days before GCHQ is due to argue the lawfulness of its hacking activities in court."

It is also striking that the codes of conduct were released on the same day that the UK's secretive Investigatory Powers Tribunal ruled that British intelligence services had broken the law, but that they were now in compliance because previously unknown policies had been made public. As Nyst speculates, it could be that the UK government is releasing more details of its spying in the form of these consultation documents in an attempt to head off future losses in the courts.

Whether or not that is the case, it certainly seems that the attempts by civil liberties groups to end or at least limit mass surveillance are already having an effect on the UK government, and forcing it to provide basic details of its hitherto completely-secret activities. That success is a strong incentive to continue fighting for more proportionality and meaningful oversight here.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: backdoors, david cameron, encryption, end point security, gchq, privacy, surveillance, uk


Reader Comments



  • Ninja, 13 Feb 2015 @ 2:06am

    Even if they don't target encryption itself they'll need to open backdoors in the end points. Whether it is via introducing backdoors in widely used software or plain old virus/malware the effects are the same: a less secure Internet. The interesting thing as far as I understood it is that they think that compromising foreign computers and other gadgets is ok as if they won't open massive doors for people to use and build botnets that will come back to bite them. Even ignoring the botnets there are plenty of international transactions being done today by even the average Joe and if one end is compromised then both ends are exposed.

    Nobody wins by weakening security in a connected world.

  • Richard, 13 Feb 2015 @ 3:41am

    Safe Space

    The publication of the draft code follows David Cameron's speech last month in which he pledged to break into encryption and ensure there was no "safe space" for terrorists or serious criminals which could not be monitored online by the security services with a ministerial warrant, effectively spelling out how it might be done.

    Unfortunately if there is no safe space for criminals on the internet then there is also no safe space from criminals either - and no safe space for my bank account!

    Do they not realise how the two are linked?

    • Anonymous Coward, 13 Feb 2015 @ 3:47am

      Re: Safe Space

      Do they not realise how the two are linked?

      They believe there is some magic that will hide the backdoors from everybody but authorized users who are told about the backdoor by the secret holder, which works well in the Harry Potter world.

      • That One Guy, 13 Feb 2015 @ 7:13am

        Re: Re: Safe Space

        Nah, they have enough smart people in the organizations that I'm sure they know such 'magic backdoors' are fantasy, they just don't care what happens to the systems they compromise and undermine, as long as their job is easier as a result.

        • Anonymous Coward, 13 Feb 2015 @ 8:43am

          Re: Re: Re: Safe Space

          The people pushing this agenda are managers and politicians, and they order people to do what they want, while totally ignoring any warning or advice that they are asking for the impossible. To such people the magic back doors are possible, because they want them to be, and if what is implemented is compromised, it is the implementers that failed to produce what they were told to produce, and not them demanding the impossible.

          • John Fenderson, 13 Feb 2015 @ 8:52am

            Re: Re: Re: Re: Safe Space

            I think that it's very clear that lawmakers often get confused and think that they can make anything at all happen if they just pass the right law.

  • Anonymous SuperCoward, 13 Feb 2015 @ 3:51am

    ...it certainly seems that the attempts by civil liberties groups to end or at least limit mass surveillance are already having an effect on the UK government, and forcing it to provide basic details of its hitherto completely-secret activities. That success is a strong incentive to continue fighting for more proportionality and meaningful oversight here.
    Indeed. Every little piece of information liberated counts. Every negative mention of the illegitimate security state counts. Every encrypted packet and choice not to patronize collaborating companies counts. Give no ground.

  • Anonymous Coward, 13 Feb 2015 @ 3:52am

    No, I suspect that they'll keep on doing with even MORE secrecy

  • Anonymous Coward, 13 Feb 2015 @ 4:04am

    If they released the details to all the exploits they know about to the devs of the exploitable material so that they can harden security, then maybe.....MAYBE some good might come of this

    Makes me think, if they discover a foreign nation with an exploit, they'd try to harden their own systems against it wouldn't they, especially if the system is not easily replaceable or too far integrated........so they may know of secret exploits and may already have the update that fixes it

  • Anonymous Coward, 13 Feb 2015 @ 4:07am

    Obviously, since they use pretty much the same mathematical algorithms themselves, they could expose more than they bargained for attacking the algorithm itself. Much easier to strong-arm software makers and/or trick users into installing crap.
    Want endpoint security? Go full OSS, but even there there's no 100% guarantee & you have to give up on media that relies on proprietary codecs.

    • Anonymous Coward, 13 Feb 2015 @ 5:30am

      Re:

      "Go full OSS, but even there there's no 100% guarantee"

      Useless if the hardware is compromised. There are all kinds of ways of getting data out of systems without the mechanisms being in the software. What are you going to do? Build your own fab plant? Open source hardware is a tall order when the planet is already full of subvertable chips and no government is likely to let chip fabrication facilities spring up 'unmonitored' for obvious and valid security reasons.

      • Anonymous Coward, 13 Feb 2015 @ 5:42am

        Re: Re: deep fat

        'no government is likely to let chip fabrication facilities spring up 'unmonitored'
        excepting they can't stop it. My friend has an old chip maker (no, not deep fat) that his company was throwing out and he makes his own ones for effects pedals.

  • Anonymous Coward, 13 Feb 2015 @ 6:00am

    That's actually worse. How can he say at the same time that he wants weak systems but "strong cybersecurity"?

  • Anonymous Coward, 13 Feb 2015 @ 12:04pm

    All these arguments are pointless in a way.
    It's time to face up to the fact that Cameron is an enemy of the UK and should be made to face appropriate 'sanctions'
