The UK Government truly doesn't have a clue

In the UK, if you want to pass controversial laws you mention some key phrases: terrorism, sexual predator, rapists, children.

These simple phrases kick off a chain reaction in the UK popular press, which in turn disseminates what is known in tech circles as FUD: fear, uncertainty and doubt.

This week the government has been generating headlines because it is trying to pass a "snooping bill" which is designed to give our security services more power to obtain information about individuals. ISPs, the people who supply your internet connection, are going to be asked to keep 12 months of logs containing every website you've visited in those 12 months.

The government is being very careful to explain that this will be only the core site information, so for example if you visit https://www.wired.co.uk/news/archive/2015-11/04/surveillance-bill-government-internet-history all that will be logged is www.wired.co.uk

However, in true legal speak, the proposed bill also has a lot of woolly, far-reaching statements and wording in it:

Authorities will have the legal powers to run 'specific equipment interference,' this bolsters provisions which only existed in guidelines before this.

All police forces, as well as the security agencies, will be able to hack into devices, and "more sensitive and intrusive techniques" will be covered by a separate code of practice.

This, if history in the UK has anything to show us, will lead to potential misuse and rewriting of the bill later on, something the UK Government already has precedent in when it comes to snooping laws.

This year the government has already bypassed the normal parliamentary process (debate) and slipped an amendment to the existing Computer Misuse Act under the radar as a second legislation. No regulators, commissioners responsible for overseeing the intelligence agencies, the Information Commissioner's Office, industry, NGOs or the public were notified or consulted about the proposed legislative changes.

On June 6, the UK government introduced the new legislation via the Serious Crime Bill that would allow GCHQ, intelligence officers, and the police to hack without criminal liability. The bill passed into law on March 3 this year, and became effective on May 3.

This would tell me that the government is trying to set up a "soft" and "public friendly" law which won't generate too much of a fuss from the British public, who for the most part glaze over and lose interest in things like IT and security, especially if there is an article about The X Factor or a football player on the opposite page.

The truth is that when it is pitched to the public as logging only the domain name, not the content, most people will probably accept this as fine, especially as it will only be used to hunt terrorists, rapists, paedophiles and other bad people.

However, as I've already mentioned, successive UK governments have many examples of adding under-the-radar changes to existing bills, bypassing the usual debate before something becomes law. So it's not going to take long before the press dies down and the log information required is expanded to include not just where you went, but the search results and content you actually looked at.

Taking a step back, I asked myself: what does providing the UK police and security agencies with the main domain you've visited actually give these security agencies?

It's been documented before that services such as Gmail were used in terrorist plots by multiple people using the same accounts, saving the messages in drafts and not sending them. However, knowing that a person is one of the several million people with a Gmail account tells you nothing. The same goes for many of the other services that the people being hunted down use, which are the same services you and I use.

The "people of interest" this bill is being used to look into are known to be tech savvy, so they are not just connecting directly to Usenet, forums and sites. This is being done over VPN technologies which span the globe. Once you are connected to an encrypted VPN, your ISP has no idea where your computer is connecting to.

And this leads neatly to the second area the UK government is looking to legislate against. In an ideal world it would like to ban end-to-end encryption on "civilian devices".

The new law (the Investigatory Powers Bill) would allow government investigators “to see if someone used Snapchat at 07:30 GMT on their smartphone at home and then two hours later looked at Twitter’s website via their laptop at work, but neither the text typed into the app, nor the specific pages looked at on the social network would be accessible.” This we have covered already. However, the disturbing part of the law is that the IPB also requires that companies must take “reasonable” steps to provide data when a warrant is issued, even if that warrant applies to encrypted communication.

If a device isn't able to do this, then it would be breaking the law, which is interesting because companies like Apple literally can’t take “reasonable” steps to provide law enforcement with information: they no longer have the ability to peer into their own encrypted devices without user-provided information.

Would this mean that Apple would be forced to stop selling its devices in the UK?

In a statement from the Home Office to the Telegraph:

“The Government is clear we need to find a way to work with industry as technology develops to ensure that, with clear oversight and a robust legal framework, the police and intelligence agencies can access the content of communications of terrorists and criminals in order to resolve police investigations and prevent criminal acts. That means ensuring that companies themselves can access the content of communications on their networks when presented with a warrant, as many of them already do for their own business purposes, for example to target advertising. These companies’ reputations rest on their ability to protect their users’ data.” (Emphasis added).

The most prudent statement here would be:

That means ensuring that companies themselves can access the content of communications on their networks when presented with a warrant

This means the encryption Google, Microsoft and Apple (US companies) use would need to be "broken" in order for UK security agencies to see the content of encrypted transmissions.

Think about that for a second. If there is a method of obtaining your bank data, emails and NHS data in an unencrypted format, how long do you think it will be before some enterprising 15-year-old also figures out how to do that and starts selling your data online?

In putting this forward to protect us from terrorists, paedophiles and rapists, what the government is actually doing is, in one swoop, creating the possibility of YOUR personal data becoming accessible on the internet.

And this is something the government agrees with: its own CESG site advocates the use of end-to-end encryption in multiple locations, as do all the major IT security compliance organisations.

Essentially the UK government is running scared, and I'd be the first to agree that it needs to reform its security services. However, I'd suggest that after many years of chipping away at budgets in the wrong area, reducing the actual boots on the ground (the men and women on the front line of MI5, MI6 and the police force), what is happening here is seen as a cheap, easy way to make us feel safer. At a core level there is no replacement for people in the fight against all the above. What this bill will actually do is make unethical access to your data by unintended third parties much, much easier.

What we are seeing is the softly-softly, public-facing part of a Government bill which over time will inflate, warp and change to include much, much more scope for obtaining data and "snooping". It will be made easier to obtain the data, and there will be less recourse for the government if it obtained the data not by the letter of the law.

As a small parting worry, there was a quote on one site, "Ministers will debate this bill in Parliament", which strikes me as about as effective as fish debating how to ride a bicycle.


References:
https://www.wired.co.uk/news/archive/2015-11/04/surveillance-bill-government-internet-history
https://arstechnica.co.uk/tech-policy/2015/05/uk-government-quietly-rewrites-hacking-laws-to-grant-gchq-immunity/
https://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/11970391/Internet-firms-to-be-banned-from-offering-out-of-reach-communications-under-new-laws.html
