This article, Apple, Google, Microsoft attack government hacking plans, originally appeared on ZDNet.com.

Tech companies including Apple, Microsoft, Google and Facebook have criticized plans by the UK government for a new law that would allow law enforcement to hack computer systems to access data.

The equipment interference provisions in the draft Investigatory Powers Bill would allow the intelligence and security services, police and the armed forces to hack into devices to obtain data, such as communications, when they have a warrant to do so. The government argues that the hacking provisions - part of the wider internet surveillance legislation - are needed so that law enforcement can intercept the communications of criminals even when they are encrypted.

However, tech companies have warned that the plan would set a dangerous precedent that would be followed by other countries, would damage trust in their services and may be impossible to implement anyway.

The wrong way

In a combined submission to the committee of MPs examining the legislation, technology giants Facebook, Google, Microsoft, Twitter and Yahoo! warned this provision would be a step in the wrong direction: “To the extent this could involve the introduction of risks or vulnerabilities into products or services, it would be a very dangerous precedent to set, and we would urge your government to reconsider,” they said.

They warned that the legislation doesn’t currently contain any requirements to protect network integrity and cyber security or any requirement for agencies to inform companies of vulnerabilities that could later be exploited by others.

“We urge the government to make clear that actions taken under authorization do not introduce new risks or vulnerabilities for users or businesses,” they said.

In its submission, Apple said the plans would put tech companies in a very difficult position. “For the consumer in, say, Germany, this might represent hacking of their data by an Irish business on behalf of the UK state under a bulk warrant - activity which the provider is not even allowed to confirm or deny. Maintaining trust in such circumstances will be extremely difficult.”

It said there is a need for much greater clarity as to how the powers in the bill will be applied, especially because this legislation will set a precedent “which, if followed by other countries, could endanger the privacy and security of users in the UK and elsewhere.”

Mobile operator Vodafone warned that equipment interference elements are perhaps the most contentious of all the powers within the scope of the draft bill.

“The obligations relating to equipment interference have the potential to significantly undermine trust in the United Kingdom’s communications service providers”, it warned.

It said equipment interference amounts to a “major imposition on the freedom of an operator to design and operate its services in the way it sees fit” and said that under the powers in the bill, service providers could be “under secret obligations to operate a backdoor in the equipment or services provided to customers”, and questioned whether such an “intrusive power” is necessary at all.

Vodafone added that any equipment interference requirement should not force companies to reduce their own security standards, something important in an environment where operators face regular attacks from third parties. It warned “any weakening of our network or service defences, which protect critical national infrastructure and attempt to maximise the availability of essential services, would be highly undesirable.”

The telecoms operator also warned that the legislation as it stands could be used to require an operator to be actively involved in an equipment interference operation. Instead of simply providing data or implementing an interception warrant, this could mean companies would be required to “actively seek out vulnerabilities for exploitation, or to develop vulnerabilities and exploits”, it warned.

“Turning network operator employees into spies and hackers is manifestly inappropriate, and the framework should be modified to expressly limit the requirement to assist to exclude this type of requirement,” it said.

Firefox maker Mozilla warned that the “bulk systems intrusion” provisions in the bill could be used to “compel a software developer, like Mozilla, to ship hostile software, essentially malware, to a user – or many users – without notice.”