Tag Archives: Mass Surveillance

“Bypassing” Encryption is the same as “Breaking” Encryption

According to the Vault 7 WikiLeaks data the CIA made phone malware that can read your private chats without breaking encryption.

Anyone with half a clue always knew that the best way to subvert encryption was to bypass encryption as we at TMG Corporate Services have always done. From our blog post Am I Being Surveilled? on 29th March 2016:

Still – the point is made I think – visual intercepts are economically viable even for local LE – it’s just an ultra low light wifi enabled pin-hole snake camera in the right spot. One above the driver and passenger seat belt brackets in a private vehicle is a good location (easy access to and plenty of space behind the plastic covering the B pillar to store the bits).

Five uninterrupted minutes and both are installed. Just wait for the target to take a Sunday drive and game on. Most people rest the handset on their lap while typing stationary in traffic or better still upright and in front or on top of the wheel when driving – using one hand – which gives a nice unobstructed keystroke by keystroke view of their typing activities.

Most successful hacks are low tech

Today I have seen a bunch of publications and experts trying to assure people that this is nothing to worry about. The purity of encryption is intact. It is an academic point.

If you are in the business of handling sensitive data then don’t use your cell phone to transmit it. It’s that simple.

* In the hours since the documents were made available by WikiLeaks, a misconception was developed, making people believe the CIA “cracked” the encryption used by popular secure messaging software including Signal and WhatsApp.

WikiLeaks asserted that: “These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloakman by hacking the “smart” phones that they run on and collecting audio and message traffic before encryption is applied.”

This statement by WikiLeaks made most people think that the encryption used by end-to-end encrypted messaging clients such as Signal and WhatsApp has been broken. No, it hasn’t. Instead, the CIA has tools to gain access to entire phones, which would of course “bypass” encrypted messaging apps because it fails all other security systems virtually on the phone, granting total remote access to the agency.

The WikiLeaks documents do not show any particular attack against Signal or WhatsApp, but rather the agency hijacks the entire phone and listens in before the applications encrypt and transmit information.

It’s like you are sitting in a train next to the target and reading his 2-way text conversation on his phone or laptop while he’s still typing, this doesn’t mean that the security of the app the target is using has any issue.

In that case, it also doesn’t matter if the messages were encrypted in transit if you are already watching everything that happens on the device before any security measure comes into play.

But this also doesn’t mean that this makes the issue lighter, as noted by NSA whistleblower Edward Snowden, “This incorrectly implies CIA hacked these apps/encryption. But the docs show iOS/Android are what got hacked—a much bigger problem.”

* From The Hacker News

ENDS

“All uR devICE r belong 2 US”, Vault 7, Weeping Angel, the CIA & Your Samsung TV

CIA malware and hacking tools are built by EDG (Engineering Development Group), a software development group within CCI (Center for Cyber Intelligence), a department belonging to the CIA’s DDI (Directorate for Digital Innovation). The DDI is one of the five major directorates of the CIA.

The attack against Samsung smart TVs was developed in cooperation with the United Kingdom’s MI5/BTSS.

The EDG is responsible for the development, testing and operational support of all backdoors, exploits, malicious payloads, trojans, viruses and any other kind of malware used by the CIA in its covert operations world-wide.

The increasing sophistication of surveillance techniques has drawn comparisons with George Orwell’s 1984, but “Weeping Angel”, developed by the CIA’s Embedded Devices Branch (EDB), which infests smart TVs, transforming them into covert microphones, is its most emblematic realization.

After infestation, Weeping Angel places the target TV in a ‘Fake-Off’ mode, so that the owner falsely believes the TV is off when it is on.

In ‘Fake-Off’ mode the TV operates as a bug, recording conversations in the room and sending them over the Internet to a covert CIA server.

ENDS

Extracted entirely from Vault 7: CIA Hacking Tools Revealed

The Regional Subjectivity of Crime & The Tests for Guilt

A definitive statement as to what constitutes Crime has successfully evaded scholars. But one thing that they all seem to agree on is that “A person is never punished merely for wrong thinking or evil thoughts”.

“Thought Crimes” Orwell style are not offences (Or are they?).

In an age of Mass Surveillance, Kinematic Fingerprinting & Emotion Detection, Mass Data Retention & the Investigatory Powers Act and Alphabet Agency Profiling based on Digital Activities, is that still the case?

Certainly there are many examples of arrest and detention for “thinking” a certain way. But that’s not for here at this time.

Rather than examining the definition of crime in a particular country I think it is more interesting to examine it in the global context. The majority of people tend to assume that Crime and Punishment can be generally assumed to be similar everywhere that they travel to.

As someone with a wanderlust tendency who has “walked the Earth” I can assure you that is not the case.

A Moving Goalpost

The definition of “Crime” in a society has always been influenced by the prevailing norms that exist at any particular time amongst a group of people living together as a community.

Personal feelings, religious beliefs, preferences, tastes, experiences, economic expediency or laws based on the personal opinions of a “leader” have been the motivations that translated into local laws that criminalised some acts and did not consider other acts as “criminal”.

A Simple Analogy: The Attitude to Cannabis in the USA

In 2017 I guess the simplest analogy would be the different attitude to marijuana in the United States. The use, possession, sale, cultivation, and transportation of cannabis is illegal under federal law in the United States but individual States are permitted to conditionally decriminalise cannabis for recreational or medical use.

Cannabis is classified at the Federal level as a Schedule I substance under the Controlled Substances Act of 1970. The DEA defines this classification as a substance that has a high potential of being abused by its users and has no acceptable medical uses.

So there exists a contradictory attitude of Federal versus certain State laws regarding the exact same matter – in the former it is a “crime”, in the latter it is not – in some States.

The Definition of Crime

“There is no one word in the whole lexicon of legal and criminological terms which is so elusive of definition as the word crime” (McCabe 1983:49)

It reminds me of the first thing that we were taught during my time as an Economics student – namely, that the study of Economics was an “inexact social science”.

Inexact laws that contain in their antecedents vague ceteris paribus (“all other things being equal”) conditions and “facts” based on local beliefs or tendencies do not constitute definitions.

The different definitions of crime and the vastly different tariffs which certain criminal offences attract are therefore, for the most part best understood in the context of the culture, religious practices and societal “norms” of the region or country that are being examined (excluding the universally abhorred offences – but irritatingly that is not always the case either).

Examples:

  • Judicial Corporal Punishment in Saudi Arabia for Possession of Alcohol (Flogging);
  • Mandatory death penalty for drug trafficking in Singapore;
  • Filipino President Rodrigo Duterte’s state sanctioned vigilante murders of suspected drug dealers;
  • The universal application of sharia (Islamic law) by certain countries;
  • The acceptance of sharia in some secular European countries as the basis for divorce, inheritance and other personal affairs of their Islamic population;

Looking around Google I came across the following definition of crime which was not attributed:

“Harmful act or omission against the public which the State wishes to prevent and which, upon conviction, is punishable by fine, imprisonment, and/or death. No conduct constitutes a crime unless it is declared criminal in the laws of the country. Some crimes (such as theft or criminal damage) may also be civil wrongs (torts) for which the victim(s) may claim damages in compensation.”

Types of Crime (In the Republic of Ireland) 

* A crime is defined in law in the Republic of Ireland as an act which may be punished by the State. The way in which a criminal offence is investigated and prosecuted depends on the type of crime involved. For these purposes criminal offences may be described in different ways such as:

  • Summary offences
  • Indictable offences
  • Minor offences
  • Serious offences
  • Arrestable offences

* Citizens Information. (19 July 2016). Classification of crimes in criminal cases. [online] Available at: URL [Accessed 25th February 2017].

The Test for “Guilt”

However, the mental state as well as the physical elements of a crime are key parts of establishing the guilt of a person committing an offence. In order for a person to be guilty of an offence there must be coincidence between two key concepts, that of “Mens Rea” and “Actus Reus”:

  • Mens Rea dictates that there must be a guilty mind, moral culpability and a blameworthy state of mind;
  • Actus Reus concerns itself with the physical elements of the crime and excludes the mental element;

For guilt to be established, the two concepts must be coincidental (“happening or existing at the same time”).

The Latin phrase “Actus Non Facit Reum, Nisi Mens Sit Rea” translates as “An act does not itself constitute guilt unless the mind is guilty”.

REFERENCES

Naidoo, Jadel. 2016/2017. Diploma in Criminology Class Notes. Dublin Business School 1 (1) 1-14.

Penrose, Graham, AirGap Anonymity Collective (16 January 2017). Mass Surveillance & The Oxford Comma Analogy. Blog [online] Available at: URL [Accessed 25th February 2017].

Penrose, Graham, AirGap Anonymity Collective (3 January 2017). Orwell 4.0: The Stealth Advance of Kinematic Fingerprinting & Emotion Detection for Mass Manipulation. Blog [online] Available at: URL [Accessed 25th February 2017].

Penrose, Graham, AirGap Anonymity Collective (21 November 2016). NSA, GCHQ, The Five Eyes Handing Ireland Cyber-Security Opportunity. Blog [online] Available at: URL [Accessed 25th February 2017].

Penrose, Graham, AirGap Anonymity Collective (29 October 2016). Ireland is NOT a Privacy Advocate. Blog [online] Available at: URL [Accessed 25th February 2017].

Hausman, Daniel M. 1984. Causal Priority. Noûs, 18 (2): 261-279.

Hausman, Daniel M. 1998. Causal asymmetries. Cambridge: Cambridge University Press.

Citizens Information. (19 July 2016). Classification of crimes in criminal cases. [online] Available at: URL [Accessed 25th February 2017].

ENDS

Is Moxie Still An Anarchist, Are Farcebook Deliberately Hobbling WhatsApp & Does SIGNAL Leak?

Recently I wrote in a blog post “When The Privacy Advocate Becomes An Apologist For The Opponent” about the main stream media sponsored spat that had @Moxie from @WhisperSystems siding with @WhatsApp and @Facebook in a face off against @Guardian and their contributor @tobiasboelter (Security and Crypto at UC Berkeley) in a “man in the middle” versus “design” versus “vulnerability” versus “backdoor” versus “privacy” versus “convenience” versus “user experience” tit for tat.

1. Is Moxie Still An Anarchist?

I said of Moxie Marlinspike that:

“When the advocates become apologists for the mainstream then they no longer deserve to be called advocates in the purest sense of the word. And Moxie does consider himself “pure”. He is not. In July 2016 Wired wrote “Meet Moxie Marlinspike, the Anarchist Bringing Encryption to All of Us” but being an “anarchist” and an ally of Zuckerberg are incompatible ideological stances.”

The blog post drew some comment on Peerlyst and elsewhere that took the debate in a number of different directions that I think are worthy of note. My personal belief is that WhatsApp is a more inferior app than most people will accept and that Moxie’s stance also leads me to doubt the once unassailable position of Signal as a trustworthy option.

Peter Stone on Peerlyst commented that:

“Your assertion that Moxie fundamentally is no longer an anarchist when he sides with Zuck holds. And you’re right it matters that they made this design choice, and yes it can be a threat if you have Governments in your threat model. I cannot argue with you at all. My only point, and thanks for the mention, was that it wasn’t, as such, a backdoor.”

Conclusion: Moxie is not an anarchist

2. Are Farcebook Deliberately Hobbling WhatsApp?

This comment led me to ask:

“I agree with you Peter and my post is only expressing my view from the lens of being one of those “crypto geeks” that you and Dave Howe were discussing on the original thread. I accept all of the points that you both make about barriers to entry / usage and cost factors for “average” users in adopting escalating levels of security. But would you agree with the statement that:

“WhatsApp have made a design choice that can be exploited as a backdoor – the rest is semantics”?

Any takers?”

Boelter in his articles laments the fact that Farcebook, after being notified of the weakness in the “design-choices” that they had made for WhatsApp, still refused to take action.

This to me betrays an unwillingness to properly secure the platform for whatever reason and while I accept that a legitimate interim position between releases of a product is to state “it is good enough – for now – but let’s see if we can make it even better” that does not seem to be what the Farcebook approach is to ongoing WhatsApp app hardening.

I really liked what Dave Howe had to say in reply to my original comment:

“I can agree totally on the first part of that. WhatsApp have made a design choice that can be exploited as a backdoor.

In fact, I would go further; WhatsApp have made a series of poor design choices which impact severely the security of the solution.

The first is that mail will be retransmitted without an option to block if a new device is added.

The second is that a new device can be added and, by default, this will be silently accepted by the system, and

The third is that the account holder has no reliable way to know a new device was added unless WhatsApp notify them – which of course for a TLA “listening tap” will not happen.

However, “the rest is semantics” I disagree with.

The impact of these poor choices is severe, but the solution is still better than it was before the protocol was added, and more importantly, now WhatsApp is aware of the mistake, it is in a position to fix it.

The detail is therefore important, and while a lot of crypto purists would class anything not a provable success as an abject failure, a more pragmatic security enthusiast will take any improvement as an improvement, and work to build on that platform.

Similarly, to a purist, a system is broken if, given a compute cube the size of the moon, you could break a message on average every thousand years or so – while a pragmatist would say “it’s good enough – for now – but let’s see if we can make it even better”

We need to push them to get better. If nothing else, this “backdoor” publicity put this in the public eye (only for Brexit and Trump to push it back under cover of course).

I have to wonder if there is some sort of instruction preventing them from doing so – I know they can insist on that in the UK now, but I wasn’t aware this was true in the US yet (See my blog post Silencing the Canary & The Key Powers & Reach of The IPA)

Solution is obvious though – increase user choice, and make it so they can turn that *off* if they want to, not off by default.

New device added? Have confirmation of new devices as an option.

Until confirmed, new messages will *not* be encoded to the new key, so you can email the old keyset asking if they really have added a new device.

Options can have “auto accept” “ask” and “deny” with the default set to “ask”.

Unacknowledged messages? Have that only resend if the new device is confirmed, and not until; that takes care of that problem too.

If users then choose to disable the “annoying popup” then that’s their choice, not something imposed on them by Farcebook.”
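The confirmation policy Dave Howe proposes above, modelled as an added example that is not part of the original post and is not WhatsApp or Signal code. The class and method names are hypothetical, the key names are constructed strings, and "encryption" is reduced to recording which key each message was sealed to.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class KeyChangePolicy(Enum):
    AUTO_ACCEPT = "auto accept"   # silent acceptance, the behaviour criticised above
    ASK = "ask"                   # the proposed default
    DENY = "deny"


@dataclass
class Contact:
    trusted_key: str                    # key the user has accepted
    pending_key: Optional[str] = None   # announced by the server, not yet confirmed
    unacked: List[str] = field(default_factory=list)


class Sender:
    """Sender-side handling of a 'recipient added a new device' announcement."""

    def __init__(self, policy: KeyChangePolicy = KeyChangePolicy.ASK):
        self.policy = policy
        self.contacts: Dict[str, Contact] = {}
        self.wire: List[Tuple[str, str, str]] = []   # (recipient, key, plaintext)
        self.alerts: List[str] = []

    def add_contact(self, name: str, key: str) -> None:
        self.contacts[name] = Contact(trusted_key=key)

    def _seal_and_send(self, name: str, key: str, text: str) -> None:
        # Stand-in for real encryption: record which key the text was sealed to.
        self.wire.append((name, key, text))

    def send(self, name: str, text: str) -> None:
        c = self.contacts[name]
        # Always the trusted key, even while a new key is pending, so the
        # holder of the old key can still be asked about the new device.
        self._seal_and_send(name, c.trusted_key, text)
        c.unacked.append(text)

    def ack(self, name: str) -> None:
        self.contacts[name].unacked.clear()

    def on_key_change(self, name: str, new_key: str) -> None:
        c = self.contacts[name]
        if new_key == c.trusted_key:
            return
        if self.policy is KeyChangePolicy.AUTO_ACCEPT:
            self._trust_and_resend(name, new_key)
        elif self.policy is KeyChangePolicy.ASK:
            c.pending_key = new_key
            self.alerts.append(f"{name}: new device key awaiting confirmation")
        else:  # DENY: keep the old key, tell the user, resend nothing
            self.alerts.append(f"{name}: new device key refused")

    def confirm(self, name: str) -> None:
        c = self.contacts[name]
        if c.pending_key is None:
            raise ValueError("no pending key to confirm")
        self._trust_and_resend(name, c.pending_key)

    def reject(self, name: str) -> None:
        self.contacts[name].pending_key = None

    def _trust_and_resend(self, name: str, key: str) -> None:
        c = self.contacts[name]
        c.trusted_key, c.pending_key = key, None
        # Unacknowledged messages are re-sent only once the key is trusted.
        for text in c.unacked:
            self._seal_and_send(name, key, text)

    def keys_used_for(self, text: str) -> Set[str]:
        return {k for (_, k, t) in self.wire if t == text}


def scenario(policy: KeyChangePolicy, user_confirms: bool = False) -> Sender:
    """Constructed run: one undelivered message, then a key-change notice."""
    s = Sender(policy)
    s.add_contact("bob", "KEY_BOB_PHONE")
    s.send("bob", "meet at 6")                  # never acknowledged
    s.on_key_change("bob", "KEY_NEW_DEVICE")    # could be Bob, could be a tap
    s.send("bob", "did you add a device?")
    if user_confirms:
        s.confirm("bob")
    return s


if __name__ == "__main__":
    for p in KeyChangePolicy:
        s = scenario(p)
        print(p.value, sorted(s.keys_used_for("meet at 6")), s.alerts)
```

Under "auto accept" the undelivered message reaches the new key with no alert; under "ask" and "deny" it stays sealed to the old key until the user confirms.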

Aside from the poor “design choices” that are covered in “When The Privacy Advocate Becomes An Apologist For The Opponent” and above by Dave here are a few more “design choices” WhatsApp chose not to include from the SIGNAL protocol:

Ability To Password Protect The WhatsApp App

WhatsApp does not have any password system built into the app. WhatsApp say there are many apps in the Google Play store that provide that functionality so just tag on a third party app to make it even weaker.

“Disappearing Messages” Option in WhatsApp 

There is no “disappearing messages” option in WhatsApp.

Conclusion: Yes Farcebook are deliberately hobbling WhatsApp IMHO. Their reasons? I do not know but I do not accept “user experience” as a justification.

3. Does SIGNAL Leak? 

Would anyone care to comment on this statement regarding the signal app and “leakage”:

“Note that Open Whisper Systems, the makers of Signal, use other companies’ infrastructure to send its users alerts when they receive a new message. It uses Google on Android, and Apple on iPhone. That means information about who is receiving messages and when they were received may leak to these companies.”

Found in a post on the Electronic Frontier Foundation’s Surveillance Self-Defense site.

Conclusion: I don’t know

ENDS

Mass Surveillance & The Oxford Comma Analogy

Acknowledgments, Contributions & References: This blog post was written in collaboration with and using contributions from Mr. Dean Webb (find Dean’s profile on PeerLyst). The clever and insightful bits are all Dean, the space fillers and punctuation are mine – except the “Oxford Comma” analogy, which even though it is lifted from @Grammarly on Twitter, is mine – and I like it (a lot). Enjoy.

Who Do We Like, Who Do We Dislike (Today)

Wearable tech is on its way, for surveillance during times when one is away from the vidscreen. But we need this stuff in order to protect against Eurasia. We have always been at war with Eurasia. We will always be at war with Eurasia until 20 January, at noon. Then we will always have been at war with Eastasia. And then we will need all this stuff to protect against Eastasia.

On a more serious note, anonymity has been dead for quite some time. As an example, about 10 years ago Dean Webb was running a web forum for students involved in an academic competition.

He and other teachers had volunteered to be admins for the board. They had a student that began to harass others on the board and post some highly inappropriate material. They banned his account, and he would connect again with another account.

So, Dean took down the IP addresses he’d used for his accounts and did a quick lookup on their ownership. They were at a certain university, so he contacted that university with the information and the times of access and they were able to determine which student was involved.

He was told to stop posting, or face discipline at the university. That got him to stop.

Simple Methods, Complex Implications

The point is, that IP address and timestamp for most people is going to be what gets them in the end. They don’t know what a VPN is from a hole in the ground, let alone what a TOR node is.

At best, most of them will use a browser in anonymous / incognito mode, without realising that cookies are still retained and updated, credit card transactions remain on the record, and ISPs will still retain IP address information with timestamps.

It could be argued that a Layer 2 hijacking of someone else’s line is the way to go anonymously, but that involves a physical alteration of someone’s gear, and that means physical evidence, which is very difficult to erase completely.

Even if anonymity is not completely dead (mostly dead, perhaps?), it is certainly outside the reach of most people because they lack general IT knowledge about the basics of the Internet.

I (Graham) was met with the following comment when I posted a tweet some time before Xmas 2016 about Identity Theft:

“despite the hysteria the theft of most people’s personal information is / will be inconsequential”

The use of the word “inconsequential” by the commenter on my post reminded me of the hilarious Doctor Evil therapy session monologue in the Austin Powers movie when Doctor Evil stated, when asked about his life, that “the details of my life are quite inconsequential”. But 60 seconds of monologue later it was quite clear that they were far from “inconsequential” – it is a matter of perspective as to what is and what is not. That is the problem. And that is the potential worry.

Threat Awareness & Counter Measures

The vast majority of people and their browsing habits are innocuous. The point that the comment misses, and the point that Dean makes about the average John Q. Citizen’s awareness of the threats and the available countermeasures, is that the public in general has moved its private communications onto a platform without understanding that outsiders can eavesdrop on them, or store the data and refer back to it at a future point.

There was a blog post I (Graham) made some time ago about the risk of “profiling” and of “false positives” and the threat that they posed especially with respect to miscarriages of justice. (See “The Sword of Islam” story below)

The point is not whether “the theft of most people’s personal information is / will be inconsequential” or the storage of most people’s browsing history or contacts with other parties is / will be inconsequential or not – the point is that it can be made to look very different to what was actually happening originally.

Like a misquoted partial comment in a newspaper article – actions taken out of context can look very different.

The Oxford Comma Analogy

Recently I posted a tweet about the Oxford comma and it does indirectly inform the point that I am trying to make here:

Excerpt begins from Grammarly

“Unless you’re writing for a particular publication or drafting an essay for school, whether or not you use the Oxford comma is generally up to you. However, omitting it can sometimes cause some strange misunderstandings.

“I love my parents, Lady Gaga and Humpty Dumpty.”

Without the Oxford comma, the sentence above could be interpreted as stating that you love your parents, and your parents are Lady Gaga and Humpty Dumpty. Here’s the same sentence with the Oxford comma:

“I love my parents, Lady Gaga, and Humpty Dumpty.”

Those who oppose the Oxford comma argue that rephrasing an already unclear sentence can solve the same problems that using the Oxford comma does. For example:

“I love my parents, Lady Gaga and Humpty Dumpty.”

could be rewritten as:

“I love Lady Gaga, Humpty Dumpty and my parents.”

Excerpt Ends

The analogy serves to demonstrate one of the main concerns of mass surveillance and mass retention of user data. People are now being profiled and tracked and their behaviours stored and analysed and they do not know why or by whom or for what purpose – they barely understand how to use a browser.

In the wrong hands that potentially makes them cannon fodder. Accuse me of being alarmist and dramatic – fair enough – so did everyone four years ago when I wrote about mass immigration as a weapon, the rise of radical Islam and the dangers of the USA supporting a sectarian Shi’a government in Baghdad, the marginalisation of Sunnis and the Ba’ath party, the randomness of the Arab Spring, the threat of Libya turning into a terrorist haven and so on.

The point is people ignore these developments at their peril but you may as well be talking to a concrete block. You can make all the compelling philosophical points that you like to someone but if they do not have the capacity to understand them then you are wasting your time.

And most of our politicians fall into that category.

Mass Profiling, Mass Surveillance Will Be Inconsequential Until It Isn’t

Dean once met a man named Saifal Islam. He has a devil of a time getting on an airplane because a terror group has the same name – “Sword of Islam”.

He is constantly explaining that the man (him) isn’t the group (them) and that he’s had his name longer than they’ve had theirs. That, yes, the group (them) should be banned from getting on airplanes, but that, no, the man (him) should be allowed on the plane.

Hell of a false positive, and that’s not the only one. Mismatches on felon voting lists, warrants served to the wrong address for no-knock police invasions, people told that they can’t renew driver’s licenses because they’re dead, the list goes on.

Be happy in the knowledge though that your data is apparently “inconsequential” and this privacy debate and the growing intrusion on your personal life is all “hysterical” alarmism.

You can use that statement when you are in the dock defending your very own hysterical “false positive” – no charge.

The next post will be “KarmaWare & Thieves of Thoughts” again in collaboration with Mr. Dean Webb.

ENDS

Silencing the Canary & The Key Powers & Reach of The IPA

Please Note: This post is not an advertisement for or an endorsement of ProtonMail 

The Investigatory Powers Bill (IPB) was approved by the UK Parliament and after receiving Royal Assent this week will become The Investigatory Powers Act (IPA) coming into force in 2017. The law gives broad new powers to the UK’s intelligence agencies (GCHQ, MI5, MI6) and law enforcement.

In theory, companies offering encryption services, that are not based in the UK, do not fall under the jurisdiction of the IPA – but that is not actually the reality. Strong encryption isn’t just important for privacy, but also key to providing security in the digital age.

Laws like the IPA pose an unprecedented threat to democracy, and are strikingly similar to surveillance laws from totalitarian states but there are tools today that can help protect your digital rights.

Below is a short summary of the most relevant points of the IPA which was written by ProtonMail, a Swiss based firm that offers encrypted email services. The key powers of the Investigatory Powers Act are:

(Start of ProtonMail Summary – Paraphrased)

Retention of Internet browsing records for 1 year

This is in our opinion the worst part of the law. Imagine your browsing history for the entire past year accessible to the government or police without a warrant. This would allow the construction of detailed profiles on every citizen, and categorization based on political views, personal beliefs, and much more. All UK communication service providers (so Internet providers, phone companies, email providers, etc), will be required to retain 1 year of your internet connection records in a central database. This database includes what sites you visited, when you visited the site, for how long, who you called, who you emailed, etc. All of this data will be stored in a central database accessible to the government and law enforcement. More troubling is that no warrant or judicial oversight is required to gain access to this database, the police will have sole discretion to decide when they need to access this database.

Bulk collection of communications data

British communications providers will be required by law to assist in intercepting communications data in relation to an investigation. So far, foreign companies are not required to comply, but as we will discuss below, there are some caveats to this.

Breaking Encryption

Communication providers will be mandated by law to remove encryption whenever it is “practical”. The law is particularly dangerous because it doesn’t well define what is the meaning of “practical”, which means this can be subject to the government’s interpretation.

Enforcement of gag orders

When a communications provider receives a request for data, it is not permitted to reveal that the request took place. Under the IPA, it is now a criminal offense for either the communications provider, or somebody working for the provider, to reveal a data request. Thus, if the powers of the IPA are abused, a whistleblower would be committing a criminal offense by revealing the abuse.

Impact of the IPA outside of the UK

In theory, the IPA only applies to UK companies, but today with the rise of large multinational tech companies, even non-UK companies can be pressured to comply if they have a significant UK presence and employees in the UK.

Since any such requests will happen behind the scenes, we will never know if foreign companies do comply with the IPA. Since the UK is a member of the Five Eyes network, along with the USA, Canada, Australia, and New Zealand, the intelligence scooped up by the IPA will also be shared with US intelligence so UK residents could find their private data being shared beyond UK borders.

Encrypted email accounts can protect your email communications from being intercepted or read by government agencies. The rest of your online activities can also be protected. In particular, using VPN services that don’t have a physical presence in the UK, and also using apps like Signal for text messaging, or Tresorit for file sharing.

Most importantly, everyone needs to spread the word that more surveillance and less encryption isn’t the solution to today’s security challenges.

(End of ProtonMail Summary)

Silencing the Canary 

A warrant canary is a colloquial term for a regularly published statement that a service provider has not received legal process that it would be prohibited from saying it had received. The canary is a reference to the canaries used to provide warnings in coal mines, which would become sick before miners from carbon monoxide poisoning, warning of the danger.

Once a service provider does receive legal process, the speech prohibition goes into place, and the canary statement is removed. Warrant canaries are often provided in conjunction with a transparency report, listing the process the service provider can publicly say it received over the course of a particular time period.

A company might issue a semi-annual transparency report, stating that it had not received any national security letters in the six month period. NSLs under the Patriot Act come with a gag, which purports to prevent the recipient from saying it has received one. (While a federal court has ruled that the NSL gags are unconstitutional, that order is currently stayed pending the government’s appeal). When the company who is in receipt of an NSL issues a subsequent transparency report without that statement, the reader may infer from the silence that the company has now received an NSL.

The IPA has a different approach to this: “Silencing the Canary: the lawfulness of the U.K. Investigatory Powers Bill’s secrecy provisions under the ECHR”.

END

Official Government Response to “Repeal the new Surveillance Laws (Investigatory Powers Act)” Petition

Dear Graham Penrose,

The Government has responded to the petition you signed – “Repeal the new Surveillance laws (Investigatory Powers Act)”.

Government responded:

The Investigatory Powers Act dramatically increases transparency around the use of investigatory powers. It protects both privacy and security and underwent unprecedented scrutiny before becoming law.

The Government is clear that, at a time of heightened security threat, it is essential our law enforcement, security and intelligence services have the powers they need to keep people safe.

The Investigatory Powers Act transforms the law relating to the use and oversight of Investigatory powers. It strengthens safeguards and introduces world-leading oversight arrangements.

The Act does three key things. First, it brings together powers already available to law enforcement and the security and intelligence agencies to obtain communications and data about communications. It makes these powers – and the safeguards that apply to them – clear and understandable.

Second, it radically overhauls the way these powers are authorised and overseen. It introduces a ‘double-lock’ for the most intrusive powers, including interception and all of the bulk capabilities, so warrants require the approval of a Judicial Commissioner. And it creates a powerful new Investigatory Powers Commissioner to oversee how these powers are used.

Third, it ensures powers are fit for the digital age. The Act makes a single new provision for the retention of internet connection records in order for law enforcement to identify the communications service to which a device has connected. This will restore capabilities that have been lost as a result of changes in the way people communicate.

Public scrutiny

The Bill was subject to unprecedented scrutiny prior to and during its passage.

The Bill responded to three independent reports: by David Anderson QC, the Independent Reviewer of Terrorism Legislation; by the Royal United Services Institute’s Independent Surveillance Review Panel; and by the Intelligence and Security Committee of Parliament. All three of those authoritative independent reports agreed a new law was needed.

The Government responded to the recommendations of those reports in the form of a draft Bill, published in November 2015. That draft Bill was submitted for pre-legislative scrutiny by a Joint Committee of both Houses of Parliament. The Intelligence and Security Committee and the House of Commons Science and Technology Committee conducted parallel scrutiny. Between them, those Committees received over 1,500 pages of written submissions and heard oral evidence from the Government, industry, civil liberties groups and many others. The recommendations made by those Committees informed changes to the Bill and the publication of further supporting material.

A revised Bill was introduced in the House of Commons on 1 March, and completed its passage on 16 November, meeting the timetable for legislation set by Parliament during the passage of the Data Retention and Investigatory Powers Act 2014. Over 1,700 amendments to the Bill were tabled and debated during this time.

The Government has adopted an open and consultative approach throughout the passage of this legislation, tabling or accepting a significant number of amendments in both Houses of Parliament in order to improve transparency and strengthen privacy protections. These included enhanced protections for trade unions and journalistic and legally privileged material, and the introduction of a threshold to ensure internet connection records cannot be used to investigate minor crimes.

Privacy and Oversight

The Government has placed privacy at the heart of the Investigatory Powers Act. The Act makes clear the extent to which investigatory powers may be used and the strict safeguards that apply in order to maintain privacy.

A new overarching ‘privacy clause’ was added to make absolutely clear that the protection of privacy is at the heart of this legislation. This privacy clause ensures that in each and every case a public authority must consider whether less intrusive means could be used, and must have regard to human rights and the particular sensitivity of certain information. The powers can only be exercised when it is necessary and proportionate to do so, and the Act includes tough sanctions – including the creation of new criminal offences – for those misusing the powers.

The safeguards in this Act reflect the UK’s international reputation for protecting human rights. The unprecedented transparency and the new safeguards – including the ‘double lock’ for the most sensitive powers – set an international benchmark for how the law can protect both privacy and security.

Home Office

Click this link to view the response online:

https://petition.parliament.uk/petitions/173199?reveal_response=yes

This petition has over 100,000 signatures. The Petitions Committee will consider it for a debate. They can also gather further evidence and press the government for action.

The Committee is made up of 11 MPs, from political parties in government and in opposition. It is entirely independent of the Government. Find out more about the Committee: https://petition.parliament.uk/help#petitions-committee

Thanks,
The Petitions Team
UK Government and Parliament