A new proposal in the United Kingdom is not only a threat to encryption, but it could also force companies to include backdoors into their products. If allowed to pass, this proposal could risk the security of millions of customers and cause irreparable financial damage.
What is it?
Earlier this year, we wrote about the Investigatory Powers Bill and how it could affect the UK. Unfortunately, the situation now appears to be much, much worse than we originally expected.
Back in May, the Open Rights Group published a leaked copy of a draft regarding the technical capabilities of the previous Investigatory Powers Bill. The Technical Capabilities Notice was mentioned as an undisclosed addendum in the original Investigatory Powers Bill, and was only recently presented at a closed-door consultation held by the Home Office to a short list of mainly Internet service providers and telecommunication companies.
Of particular interest in the draft is its requirements for communication providers to:
- Provide and maintain the capability to intercept communications or obtain secondary data and disclose anything obtained via the warrant.
- Maintain the capability to intercept transmissions and secondary data in real-time for every 1 in 10,000 users.
- Provide any information required in an easy-to-understand manner.
- Remove any encryption and other electronic protections.
However, what's even more concerning is the draft not only applies to electronic data — it also includes postal services. Part 2 of Schedule 1 states the following:
16. To provide and maintain the capability to disclose secondary data in a form specified in the technical capability notice.
17. To provide and maintain the capability to open, copy and reseal any postal item.
18. To comply with the obligations and requirements imposed by a technical capability notice in such a manner that the risk of any unauthorised persons becoming aware of any of the matters referred to in section 57(4) of the Act is minimised, in particular by ensuring that apparatus, systems or other facilities or services, as well as procedures and policies, are developed and maintained in accordance with agreed security standards and any guidance issued by the Secretary of State.
In other words, the Technical Capabilities Notice would not only give agencies the right to intercept your electronic communications, it would also give them the right to intercept and tamper with any physical mail you send or receive.
Who does it apply to?
The Investigatory Powers Bill only applies to Communications Service Providers — a broad term meant to cover as many past, present, and future communication methods which may include VPN providers — but Theresa May's true intentions are clear. The intent is to expand upon the Investigatory Powers Bill and the Technical Capability Notice to include virtually every kind of technology company imaginable.
“We will do this as soon as we can after the election, as long as we get back in, the level of threat clearly proves there is no more time to waste now. The social media companies have been laughing in our faces for too long.” - Unnamed Tory minister
Encryption has been the bane of law enforcement agencies for a long time, and tech companies are often asked to remove encryption to assist law enforcement agencies. Back in 2016, the FBI asked Apple to build backdoors into its phones to make it easier for law enforcement agencies to access their customers’ data— something Apple rightfully refused to do. Back in 2015, British Prime Minister David Cameron pledged to ban messaging apps that offered end-to-end encryption, and even urged President Barack Obama to ask American Internet companies to work more closely with British intelligence agencies to deny terrorists a "safe space" to communicate.
While certain crimes are horrendous, what Theresa May and the conservative party hope to achieve is downright terrifying. If allowed to pass, the possible repercussions would be unacceptable. Willfully allowing backdoors or zero-day exploits to exist on a system can lead to catastrophic consequences, of which the WannaCry ransomware in May 2017 is an excellent example. It took advantage of two exploits allegedly developed by the NSA — EternalBlue and DoublePulsar — to then transfer and execute the WannaCry ransomware. Due to the nature of the exploit, the victims themselves did not have to execute a file, visit a website or open an email, all of which are methods most malware use to spread. Instead, the malware was directly transferred to victims using backdoors without them being aware. Hundreds of thousands of computers were affected by WannaCry, with some high-profile targets including the NHS and FedEx. As a direct result of WannaCry, several hospitals across the UK were left unable to access patient files, and were forced to dismiss or cancel patient appointments, only accepting life-threatening conditions.
“This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world.” - Microsoft in response to WannaCry.
With technology and computers playing such a vital part in modern society, leaked backdoors and exploits can have disastrous consequences. If Theresa May proceeds with her plans to force technology companies to include backdoors in their products and services, it could lead to potentially far worse ramifications than we already experienced with WannaCry. In 2016, damages caused by ransomware was estimated at $1.5 billion. WannaCry alone is estimated at $4 billion in damages.
What happens next?
Shadow Brokers, the hacker group allegedly responsible for stealing the tools from the NSA used in WannaCry, has claimed they have troves of tools from various agencies and have stated their aim to sell more exploits in June 2017.
Apple, Microsoft and other tech companies have all urged agencies to report any exploits so they can quickly fix them and better protect their customers. Agencies such as the NSA, FBI and CIA have instead chosen to hoard exploits for their own use, an issue Snowden has been critical of in the past. While Theresa May and those politicians responsible clearly intend for the backdoors and information they gather through bulk surveillance to not be leaked to unauthorized personnel, the NSA (and CIA before them) likely did not intend for their tools to get leaked. Any backdoors tech companies are forced to put into their products represent a safety risk for all their customers if they were ever leaked. If we've learned anything the past few months, it’s that leaks and breaches continue to happen.
“We also can’t afford to keep producing incredibly flawed software and hardware without any care or accountability for crafting code that is secure by design and not just secure by afterthought or patch. Virtually every hot consumer product these days has a computer chip, software and logic in it — and maybe even Internet connectivity. Left to their own devices, a great many of these online things that nobody wants anymore will grow outdated and insecure, and be hijacked for nefarious purposes — most likely to assist in massive online attacks designed to knock sites and individuals offline and to disrupt free speech and global commerce. [...] Unfortunately, there is no privacy without security. And so if we value privacy, we must also care more about security. But to preserve liberty, we need to care deeply about both.” - Brian Krebs, journalist, author, and owner of Krebs on Security
Theresa May is leading the UK down a dangerous path, and we can only hope that the rest of the world does not follow in her footsteps. It would not only put the safety and security of British citizens at risk, it also risks putting the UK behind the rest of the world when it comes to security, as people may be less inclined to buy British products knowing that they are not as secure as products developed elsewhere.
In essence, if Theresa May's proposal passes, all of your private pictures of your family, your children, private messages to your doctor, spouse, bank, and anything else that you may consider private would be accessible to anyone who knows about the implanted backdoor — whether it be the law enforcement agencies, cyber criminals, or your neighbor.
If you are a citizen in the UK, we would like to remind you that you should avoid using any VPN servers located in the UK if these laws pass. Companies without servers in the UK do not have to oblige with UK laws, and cannot be forced to include backdoors into their services or hand over encryption keys to UK law enforcement agencies.