The Investigatory Powers Bill: Britain Wants You… To Hack Your Customers

The Electronic Frontier Foundation’s Eva Galperin and Danny O’Brien on how Britain plans to force tech companies to join Her Majesty’s Secret Service.

When we first wrote about the UK Investigatory Powers Bill on the EFF’s Deeplinks Blog, our initial read was that the draft law’s language was so dangerously ambiguous you could drive anything — from pervasive mass surveillance to secret cell phone backdoors — through its loopholes.

When Britain’s primary intelligence oversight committee came to much the same conclusion, we were informed in soothing tones that all these ambiguities would be resolved in forthcoming revisions to the legislation, and detailed in a series of upcoming Codes of Practice.

Well, the law has been revised, the Codes of Practice have been published and (with the aid of strong drink), we have reviewed them.

The civil liberties reforms made in the law were cosmetic:

… but the real meat is in the Codes of Practice, which confirmed far more of our fears than they have dispelled.

In particular, the Equipment Interference Code of Practice has doubled down on the UK government’s plan to turn almost any Internet company — in the UK or abroad — into a weapon of British intelligence and law enforcement.

If you’re an Internet company, or just run a website or WiFi hotspot, Britain wants you to help them hack into the world’s computers.

There’s a lot of talk right now about the FBI v. Apple and US government attempts to backdoor encryption, through litigation or legislation. But the IPB goes far beyond what the FBI is asking Apple to do in the US. In the UK, the plan is to not only compel companies to hack their own software or devices: they will also be commandeered to hack into other people’s equipment as well.

We may never even know which companies have been forced to comply with these orders, because they will be forbidden to disclose it. But if you’re running an Internet company, or just a website, you should pay attention, because these new powers may well be used on you.

Who, me?

Yes, probably you. The draft law states that they can require the assistance of all “communications service providers” or telecommunications operators, but that no longer means phone companies or Internet ISPs. The UK has redefined these terms so broadly that if you run an Internet company, administer a website, run an online video game, provision open source Internet software, operate a chat forum, or simply run a WiFi hotspot, this power could be turned on you.

The new law defines a telecommunications operator as someone who “offer[s] a telecommunications service to persons in the UK”, or “control[s] or provide[s] a telecommunications system which is (in whole or in part) in or controlled in the UK.” And what’s a telecommunications system? It is:

…any system (including the apparatus comprised in it) which exists (whether wholly or partly in the United Kingdom or elsewhere) for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electro-magnetic energy.

We, and others, pointed out at the time that this was unconscionably broad. The new Equipment Interference Code of Practice helpfully clarifies that this is “intentionally broad so that it remains relevant for new technologies” (Our emphasis; their wording. In fact, what we’re going to describe is so hard to believe, you may want to follow along in the Code. This is all in Section 2, paragraph 18.)

The government makes clear just how wide a net it will be casting: “Web-based email, messaging applications and cloud-based services” are specifically listed as being included. So are websites and services that only incidentally provide communications. The code specifically lists online marketplaces, hotels, airport lounges, and public transport as being potential “communications service providers” (CSP) and therefore affected by the bill (Section 2.21). Almost anything that has a capability to pass messages over the Internet (or via any “electro-magnetic energy”) is fair game.

Don’t think that being based outside the UK will help. The IP Bill makes it clear that as long as you’re offering a service to British users, it believes you — or your British employees — must comply with this law. (Section 6.3–6.4) If you’re outside Britain, the UK government can serve one of these orders on you simply by “making it available for inspection at a place in the UK.”

“…with a sign on the door saying beware of the leopard.”

So I’m a communications service provider now! How does the IPB affect me?

You must comply with “equipment interference warrants.” These are secret orders intended to allow various UK authorities to hack into or repurpose computing devices into surveillance systems (“equipment interference” is GCHQ terminology for “breaking into other people’s computers”). Any CSP served with one of these orders must obey its provisions.

Who can serve me an order?

The Investigatory Powers Bill grants the power to hack to Britain’s security and intelligence services (including GCHQ, MI5, MI6, and military intelligence), its police forces, and tax and customs authorities. Any of those groups can compel any CSP “inside or outside the UK” to provide assistance.

What can an order compel me to do?

A CSP must take all steps that are “reasonably practicable” to assist with the hacking warrant. You don’t get to decide what is “reasonably practicable”: the UK government does. Examples of what a CSP might be expected to do (based on known GCHQ practices) might include:

include in your web advertisement inventory a fake advert that pushes malware to a group of your readers;

roll out spyware to computers you have control over that would seize email, take screengrabs, pictures and record conversations;

push updates to software you’ve written, including a government-specified backdoor;

rewrite a smartphone app to relay its users’ position directly to the British authorities;

search through emails or other personal data you host, to find passwords or information that could help the authorities to hack;

create or fake messages to cause password resets or mislead users into accessing a malware-infected website.

But these are just one-off jobs for targeting individual criminals, right?

Equipment interference orders aren’t just for specific individuals — they can also be used against entire organizations, or a location (these are called “thematic warrants”; see Section 4). You might be asked to hack everyone in an office, or an entire intranet.

There’s also a separate order that covers “bulk equipment interference,” which means you could be involved in hacking systems such as the routers at an ISP to facilitate the mass surveillance of innocent Internet users. (Section 5, for those keeping up.)

Aren’t most of those actions illegal and/or unethical?

Usually, yes, but according to the UK government, that’s just fine. The IPB’s Code of Practice states that “the Act makes lawful any conduct undertaken by a person … to whom an equipment interference warrant is addressed. This therefore authorises activity taken by CSPs … that would otherwise constitute an offence under the Computer Misuse Act, Data Protection legislation or other relevant legislation.”

The UK government plans to grant you a license to break any law, James Bond-style, as long as you spy for them.

Section 6.14, not “double-oh.”

How would I challenge an order if I receive one?

Not easily. Unlike Apple, you won’t be able to raise the matter publicly, as every order is secret, and sharing it is a crime, punishable with imprisonment. The UK government ultimately decides what is “reasonably practicable” for a CSP, and whether to prosecute you for failing to comply. The bill has its own tribunal and commissioner, but the Code of Practice is curiously silent on how CSPs can complain to them about these orders. They envisage you’ll be able to submit a form on a website.

In case you’re wondering: no, www.ip-uk.com’s feedback form does not use https.

What if I designed my service so that it’s unhackable, even by me?

That’ll be where another IPB power kicks in. “Technical Capability Notices” (Section 7) can be served on any CSP with more than 10,000 users (how many hits does your website get a month again?). These orders require that you engineer (or re-engineer) your systems so that your company can respond to future British surveillance orders “securely and quickly.”

Technical capability notices might also involve installing equipment or facilities for the UK government to use, or even designing and building your own equipment to help with their surveillance, much as the US government is currently demanding of Apple. The existence of this equipment must be kept confidential, of course. On the other hand, if you’re the lucky recipient of a technical capability notice, you must hereafter “notify the Government of new products and services in advance of their launch.” (Section 7.29) You are sworn to keep the UK government’s secrets, but the UK government must always be kept informed of your future plans.

Join the UK government to hear details of the latest iPhone.

What can I do about this?

The Investigatory Powers Bill is still under consideration by Parliament. If any of this (and there is far more than we could cover here) sounds like a step too far for you or your company, here’s what you can do:

Wherever you are in the world, please spread the word. The Investigatory Powers Bill represents a tremendous threat to privacy rights, innovation, and the trustworthiness of communications technology. Don’t let the British government turn every communications service into a surveillance device.

Danny O’Brien is International Director at the Electronic Frontier Foundation, and co-founder of Britain’s Open Rights Group. Eva Galperin is EFF’s Global Policy Analyst.