Computer businesses or IT staff who fail to destroy security on their products or services on demand, or who decline a Home Office order to hack their customers in Britain or overseas by installing or operating government malware, could face bankruptcy or long jail sentences if a new law before parliament goes ahead.

The little-noticed extended powers the government now seeks under the Investigatory Powers Bill can secretly compel anyone or any ICT business in the UK to carry out “equipment interference” – government language for hacking – and to make any change demanded to their products or systems to allow encryption or other security protections to be broken, or databases – called “bulk personal datasets” – to be stolen and added to integrated intelligence systems.

Technology companies face government orders to hack on demand

The new law, if passed unchanged, would mean that no British IT product providing communications – including games, apps and services, as well as supposedly secure software systems – could truthfully and legally be marketed as “secure”. Revelations from former US intelligence officer Edward Snowden have shown that Britain’s communications intelligence agency GCHQ and its US counterpart, the National Security Agency (NSA), have both targeted computer games communications as a means of getting to communications networks, as well as seeking both authorised and covert access to major social networks such as Facebook. Major international games companies, such as Scottish-based Rockstar Games, maker of Grand Theft Auto, now automatically provide online interplayer communications systems as part of their package. Intelligence agencies in the UK and elsewhere have said they need to have access to these systems so that their targets cannot hide by being players in Grand Theft Auto, World of Warcraft or Second Life.

MPs had only two weeks to read nearly 1,200 pages of new government documents

The new powers are contained in the 258-page Investigatory Powers Bill, which the government plans to rush through Parliament and make law before the end of 2016. The Bill was introduced as a draft in November 2015, and then permitted only a short review and two weeks of “revision” before being re-introduced, one-third longer, at the start of March. At the same time, the government published nearly 1,200 additional pages of accompanying documentation, which MPs were given two weeks to read before deciding how to vote on the bill tomorrow (15 March 2016). Among documents which had not previously been provided to MPs was an 83-page Equipment interference code of practice, specifying how recipients of notices and warrants are required to respond. The government can require malware to be created, installed or delivered to carry out interception, acquisition or interference with computer equipment and communications, or to acquire data. The only change made to the proposals after criticism has been to a section on technical capability notices requiring “relevant operators” to remove “electronic protection”, or encryption. Section 217 of the bill now specifies that operators would normally be required only to break encryption they had applied themselves, not to attack and potentially cryptanalyse encryption applied by others. But other powers can still require them to subvert third-party security systems, such as by installing equipment to enable man-in-the-middle attacks.

Universities, schools and businesses can be served with hacking notices

Under the new law, the range of companies and people who can be served with notices has been enlarged from public telecommunications service providers to anyone or any business which provides any type of communications service as a “telecommunications operator”. The new definition now includes universities and schools, Wi-Fi service operators, or app developers whose app includes a communications service that customers could use. Nothing is excluded. Previously, such notices could only be served on well-known public telecommunications operators, such as BT, Virgin and mobile phone companies. The notices can also require companies to create and install a “permanent capability” for unsupervised and remotely controlled government interference and interception, provided they have more than 10,000 customers.

Employees face five years in jail if they reveal existence of surveillance notices

Both warranted and unwarranted illegal activity overseas can be enforced and directed by serving “national security notices” or “technical capability notices” on companies or individuals. There is no requirement that the person concerned own or control the business whose products are required to be tampered with. According to the codes of practice, Parliament is being asked to approve that “any person to whom a technical capability notice is given, or any person employed or engaged for the purposes of that person’s business, is under a duty not to disclose the existence and contents of that notice to any person”. Managers or directors of their company are not excluded. The maximum penalty for revealing to anyone that a notice has been served, or its contents, without the permission of the secretary of state is five years’ imprisonment. The notices will also be able to be served on startups, requiring them to build government hacking or interception systems from the start. The government acknowledges that a reason for secrecy about the notices is that revealing what is required may “harm the commercial interests of companies acting under a notice”.

Official hacking puts IT staff in vulnerable position

The vulnerability of key IT personnel in Britain and overseas to official hacking has been highlighted in a stream of disclosures since 2004 about attacks on communications infrastructure. Vodafone systems administrator Kostas Tsalikidis was found hanged in Athens in 2005, two days after massive inserted code had been discovered in the network he had managed, causing the phone calls of key Greek ministers and others to be redirected to interception sites near the US Embassy in Athens. The operation was later linked to US National Security Agency alterations to the networks, initially carried out for claimed security reasons at the time of the Athens Olympics. Major European targets of GCHQ operations exposed by Edward Snowden include attacks on satellite communications service companies in Germany, the major Belgian telecommunications company Belgacom, and a SIM provider in the Netherlands. In each case, staff in the companies were ruthlessly targeted for malware attacks. In each case, the company and staff were not the actual targets.

More than 60 UK companies have been hacked by NSA

An estimated 60 British computer networks and data companies have also been deliberately hacked and infected with malicious computer software, according to documents provided by former NSA analyst Edward Snowden. IP addresses listed in the documents suggest that, using a malware tool called Validator, NSA hackers may have secretly sabotaged British and international networks run by prominent computer companies, including Sky Broadband, UK2group, Areti Internet and Alentus UK, among others. Once Validator programs are “implanted” on target computers, they automatically hide their activities and prepare re-infection mechanisms to provide permanent access. One of the codenames used to designate the attack on a UK user of Sky Broadband, Ballonknot, is American slang for the anus.

Mobile phones targeted for hacking

According to government papers published with the new bill, equipment interference “allows the security and intelligence agencies, law enforcement and the armed forces to interfere with electronic equipment such as computers and smartphones to obtain data, such as communications, from a device”. It “encompasses a wide range of activity from remote access to computers to downloading covertly the contents of a mobile phone”. Warrants for bulk or targeted equipment interference will be required to be approved by a judicial commissioner, who is required to check that the issuing secretary of state has followed correct principles in the few minutes they will have had to read an application. In the case of bulk warrants, no specific target will be specified.

Questions remain unanswered

The Internet Service Providers Association (ISPA UK) has expressed concern about the speed with which the bill is being pushed through, pointing out that “there are still questions to be answered”. In February 2016, the parliamentary review committee on the bill asked that the government define “national security” to provide clarity on the circumstances in which these warrants can be issued and orders given to companies and their staff. The government did not accept this recommendation, and stated: “It has been the policy of successive governments not to define national security in statute. Threats to national security are constantly evolving and difficult to predict, and it is vital that legislation should not constrain the ability of the security and intelligence agencies to protect the UK from new and emerging threats.”

New law offers no legal safeguards for technology company employees

The new law provides no safeguards for companies or IT staff who may be asked to take part in hacking, even if it is illegal overseas in the countries where they may be ordered to plant or help plant malware. Companies or directors ordered to comply with a national security notice or similar order do not automatically incur criminal penalties for failure to carry out the orders, provided they do not reveal the details. But the law allows the government to take them to court, where they would then face unlimited sanctions for contempt.