The Investigatory Powers Act: A Pre-Commencement Briefing

The Investigatory Powers Act has, sadly but unsurprisingly, passed both houses of Parliament and will become law in the coming weeks.

This provides a valuable opportunity to take preemptive action against use of the Investigatory Powers Act in certain ways.

Most of my coverage of the legislation in its draft form still applies.

Briefing for end users

  • It is, in general, no longer safe to browse the web in the UK.

    What I mean by this is that browsing the web in the UK via any provider subject to a Retention Notice which includes a requirement to keep “Internet Connection Records” creates a clear and potent hazard to you.

    Although the Bill itself attempts to obfuscate this via the use of extremely evasive language, it appears that the UK Government wishes to create an aggregate database for all of these records which it can query without having to make requests of ISPs in each instance.

    The explanatory notes published concurrently with the introduction of the Bill at one point strongly imply that the Crown is frustrated by its inability, upon obtaining control over an illegal website, to determine which persons have visited that website in the absence of logs kept by its operator. The implication is that, upon finding some website, say example.com, which is illegal, the UK would like to be able to pull up from its database a list of everyone who has accessed that website, so that investigations can be made against them.

    Because these “Internet Connection Records” record only hostnames, they do not record the extent to which a site is accessed. Any connection to such a site will lead to such a record being made.

    The end result of this is that anyone could with the utmost triviality frame you for accessing, say, some child pornography website later identified by the UK. All that is required is for your browser to be induced to make such a connection, say via the insertion of a hidden iframe into a page. If the page is accessed insecurely, this could be done via man-in-the-middle attack. Alternatively, this could be done by anyone with access to your Wi-Fi network, or who can obtain access by brute forcing a WPA2-PSK key.

    There has been at least one case where a man was found to have attempted to frame someone for possession of child pornography by planting it on their computer and then calling the police. It is plausible, then, possibly even inevitable that there will be others who were so framed, where this fact did not come to light during investigation and who were consequently convicted. After all, we can only know about the cases where the police happened to realise something was amiss.

    For many websites nowadays, I lose count of the number of hostnames they end up loading resources from. You think you are visiting one website; in actuality you are visiting many different domain names. It will not be possible to distinguish between these direct and indirect accesses.

    The hazard posed to users by these records, and by their accumulation in a single giant database, is intense.

  • In general, all web access should now be funneled through obfuscating means. In other words, Tor or “VPN” solutions. This is the only measure sufficient to mitigate the threat. Partial use of such solutions is likely to lead to discipline failures and consequent metadata leaks.

  • There are likely to be cases to bring in the European Court of Human Rights, or in domestic courts regarding Human Rights Act violations. Persons (natural or legal) with standing to bring cases (that is, persons who have some claimed harm and consequent petition for remedy) may be of use to organizations capable of organizing such actions. If you believe you are affected by the draconian provisions of the Investigatory Powers Act beyond merely being an internet user (of which there is no short supply), there could be some utility in communicating to a nonprofit organization in an appropriate position to spearhead such initiatives your willingness to become a plaintiff in such a case. Privacy International comes to mind, though I have no relation to them.
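The point about indirect accesses can be made concrete by simulating the record-keeping. The following is an added example (not from the original briefing) that lists every hostname a browser would contact for a single constructed page load, and which of those belong to a site other than the one the user meant to visit; the page URL, hostnames and HTML are all invented.

```python
# Added example (not from the original briefing): what an ISP keeping hostname-only
# Internet Connection Records sees for one page load. All hosts are constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

PAGE_URL = "http://www.news-site.example/story"  # constructed, the page visited
PAGE_HTML = """<html><head>
<link rel="stylesheet" href="https://cdn.news-site.example/style.css">
<script src="https://analytics.tracker.example/t.js"></script></head><body>
<img src="/images/logo.png">
<img src="https://ads.ad-network.example/banner.png">
<iframe src="https://embedded-site.example/" width="0" height="0"></iframe>
</body></html>"""

# Tag attributes that make the browser open a connection without user action.
FETCHING = {"img": "src", "script": "src", "iframe": "src", "link": "href"}


class HostCollector(HTMLParser):
    """Collects the hostname of every automatically fetched sub-resource."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        attr = FETCHING.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                host = urlparse(urljoin(self.base_url, value)).hostname
                if host:
                    self.hosts.add(host)


def icr_hostnames(page_url, html):
    """Hostnames an ICR would log for one load of page_url, direct and indirect alike."""
    collector = HostCollector(page_url)
    collector.feed(html)
    return {urlparse(page_url).hostname} | collector.hosts


def third_party_hosts(page_url, html):
    """Recorded hosts outside the site the user actually meant to visit."""
    site = urlparse(page_url).hostname
    registrable = ".".join(site.split(".")[-2:])  # crude first-party test
    return {h for h in icr_hostnames(page_url, html)
            if h != registrable and not h.endswith("." + registrable)}
```

The record for the invisible iframe is indistinguishable from a deliberate visit; the same audit run over one's own pages shows which third-party hosts every visitor is made to contact.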

Briefing for ISPs, other service providers and general measures

  • If you care about this and are remotely interested in doing anything about it, you should use this brief, pre-commencement period to do anything you think you might not be able to do later.

  • An obvious first step is to publish, and commit to continuing to publish, a warrant canary, periodically.

    Such a canary should contain denials corresponding to all enumerated future possibilities that are found disagreeable.

    Even if, based on your reading of the law (there may be a question here), you believe that after being a party to one or more notices you will be prevented from reporting the number received, or even the fact that the number is nonzero, for the time being you are unbound and can commit to publishing statements that the numbers in question are zero until such time as you are legally prevented from doing so.

    For example:

    • “We have not received any National Security Notices, Retention Notices or Technical Capability Notices to date.”
    • “We have not been asked to assist with the implementation of any Equipment Interference Warrant or Bulk Interception Warrant to date.”
    • etc.

    Statements committing to future canonical behaviour, such as “We will always explain revoked encryption keys unless legally prevented from doing so”, may also be useful. (I personally make all three of the above assertions at the time I write this.)

    The underlying premise here is that the UK cannot compel you to lie. Moreover, in a commercial context where such statements are made at least in part for marketing purposes, to obtain customers, any lies would be lies for commercial gain, and thus a violation of the Fraud Act. As such, if as a commercial service provider the UK attempted to compel you to lie, they would be compelling you to break the law.

  • Consider adopting longer-term strategies for technical restructuring of systems to minimize your ability to acquiesce to the requests that may be made of you.

    Oral evidence given to the Intelligence and Security Committee by persons from the Home Office responsible for the issuance of Retention Notices appears to strongly imply that information such as Internet Connection Records will not be expected from all ISPs. There appears to be an intimation that the collection of “Internet Connection Records”, and similar, will on the whole be based on what the systems of the ISP readily support, or on whether such data is already being processed.

    If you already process information along the lines of “Internet Connection Records”, consider taking measures to minimize the collection of this information.

  • Consider moving infrastructure which does not need to be in the UK, such as e-mail services, to another jurisdiction. Consider placing these services under the control of a separate legal entity to ensure that you cannot be compelled inside the UK with regard to facilities outside of the UK.

  • Equipment interference warrants confer a duty to assist on third parties. You may be commandeered to undermine your own security.

    Although equipment interference warrants most obviously are authorizations for the state to engage in hacking, there is the potential for them to be used simply to authorize the state to demand that the party they would otherwise be hacking must assist them to achieve the same end.

  • It should be noted that violation of the gag orders provided for in the Bill is not a crime.

    The gag orders are “enforceable by civil proceedings by the Secretary of State for an injunction, or for specific performance of a statutory duty under section 45 of the Court of Session Act 1988, or for any other appropriate relief.”

    It does not appear from this that punitive rulings can be made, although I may be mistaken. Of course, the violation of any injunction issued by a court would constitute Contempt of Court, which can be a crime.

    As such, it almost appears that first violation of a gag order by a legal entity could be essentially “free”.

  • Consider making and possibly publishing a resolution to “provide no aid or comfort” to UK authorities except where legally obliged to do so. Adopt a “work to rule” or rather, a “work to law” policy.

    As I wrote previously, oral evidence given by the Home Office to the Intelligence and Security Committee indicates that in practice, where the Home Office intends to issue a Retention Notice, the Home Office in general contacts an ISP informing them of this and develops a relationship with them, working with them to determine what it would and would not be reasonable to ask them to collect from a technical perspective.

    The Home Office appears to be used to working with large ISPs which do not actually care about what they are being asked to do, but would like to avoid liability or bad PR. In this regard the relationship between these large ISPs and the Home Office is in fact highly consensual, and the ISPs simply want the theatre of legal compulsion so they have a convincing response if attacked in the press, and the theatre of the gag order in case anyone gives them bad press for them keeping quiet about it.

    Only the Retention Notice issuance itself is protected by the gag order, so nothing, as far as I can tell, precludes an ISP from screaming to the public the instant they are approached by the Home Office in prospect of a possible future Retention Notice issuance. Since it appears that the Home Office has devised the Retention Notice mechanism in this legislation under the assumption that it will hold such preliminary meetings, preventing them from doing so may be a significant setback to them. For example, the Home Office may request meetings, and may solicit information about one's technical architecture so as to assess feasibility. However, it does not appear that anything obliges the divulgence of such information, and such information should therefore not be divulged on the grounds that it provides aid and comfort to what is, for the purposes of this exercise, the enemy. Agreeing to such voluntary meetings may be of strategic benefit to an ISP, as it may allow them to extract as much information as possible from Home Office representatives regarding their aims and intentions. Conversely, information provided in the opposite direction should be minimised.

    It is unclear to what extent the expectations of the Home Office with regard to the process for its issuance of Retention Notices also applies to Technical Capability Notices. Since the issuance of Technical Capability Notices will require information about an organization's technical capability, it is plausible that a similar pre-compulsion negotiation process will be followed.

Briefing for providers of other communications services and developers of cryptographic applications

See also the above section.

This legislation provides methods by which service providers who provide end-to-end encryption may be forced not only simply to provide data they already possess, but also to modify their services to facilitate access. The UK is not alone here; a comparable case in the US was Lavabit.

Communications services involving end-to-end cryptography which are designed cryptographically to withstand the compromise of servers, and which involve separately distributed client applications, can be secured by the easier and separable task of securing the distribution of the client application.

Conversely, communications services involving end-to-end cryptography which use browser-delivered JavaScript crypto cannot be secured from server compromise.

The simplest measure to take to mitigate the impact of the bill on transmissible goods and services, such as software or communications services, is to evacuate the UK jurisdiction and provide those goods and services from other locations.

Persons working on software or controlling non-UK communications services from within the UK may wish to institute code review or two-man systems as appropriate to mitigate the threat of coercion of persons inside the UK.

For software projects, consider instituting code review and requiring review by persons from a plurality of jurisdictions. Consider implementing reproducible builds for binary distribution, and ensure that all builds are made plurally using a plurality of persons and jurisdictions.
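One way to turn the “plurality of persons and jurisdictions” requirement into a mechanical release gate, as an added example that is not from the original article: builders each attest the digest of the artefact they reproduced, reviewers each approve a change, and neither counts unless enough distinct people from enough distinct jurisdictions agree. All names, jurisdictions and digests are constructed.

```python
# Added example (not from the original article): a release gate for the "plurality
# of persons and jurisdictions" rule above, covering reproducible-build attestations
# and code-review approvals. Names, jurisdictions and digests are constructed.
from collections import defaultdict


def meets_plurality(signers, min_people, min_jurisdictions):
    """True if the (person, jurisdiction) pairs span enough distinct people AND
    enough distinct jurisdictions, so that no single jurisdiction can assemble
    a quorum from people its authorities are able to compel."""
    people = {p for p, _ in signers}
    jurisdictions = {j for _, j in signers}
    return len(people) >= min_people and len(jurisdictions) >= min_jurisdictions


def releasable_digest(attestations, min_people=3, min_jurisdictions=2):
    """Pick the build digest backed by a qualifying plurality.

    attestations are (builder, jurisdiction, sha256 hex) triples, one per
    independent reproduction. Returns (digest, dissenters); digest is None when
    no single digest meets the quorum. A lone divergent builder cannot veto the
    release, but is listed so the divergence gets investigated.
    """
    by_digest = defaultdict(list)
    for builder, jurisdiction, digest in attestations:
        by_digest[digest].append((builder, jurisdiction))
    qualifying = [d for d, s in by_digest.items()
                  if meets_plurality(s, min_people, min_jurisdictions)]
    if len(qualifying) != 1:  # nobody reached quorum, or the result is ambiguous
        return None, []
    winner = qualifying[0]
    return winner, sorted(b for b, _, d in attestations if d != winner)


def review_approved(reviews, min_people=2, min_jurisdictions=2):
    """The same rule applied to code review: (reviewer, jurisdiction) pairs."""
    return meets_plurality(reviews, min_people, min_jurisdictions)


# Constructed attestations for one release candidate: three builders in three
# jurisdictions agree; a fourth, sharing a jurisdiction with one of them, differs.
BUILDS = [
    ("alice", "DE", "3a7b" * 16),
    ("bob",   "UK", "3a7b" * 16),
    ("carol", "IS", "3a7b" * 16),
    ("dave",  "UK", "ffff" * 16),  # diverging build: reported, not silently dropped
]

# Constructed review approvals for the same change.
REVIEWS = [("alice", "DE"), ("bob", "UK"), ("erin", "DE")]
```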

Facilities for communication with the software project or service should minimize the opportunities for first contact to be with a UK person liable to compulsion. Instead, project or organization points of contact should go to a person operating under a pre-agreed policy of publishing any communication made by any government worldwide in prospect of weakening cryptographic systems, wherever it is legally possible to do so. These first contact persons should be chosen for their occupancy of strategically chosen jurisdictions. Adoption of this policy discourages governments from even attempting to solicit the weakening of cryptographic systems.

This advice also applies to distributors of software, not just the upstream developers. OS distros, for example, should assume that they may be threatened.

Make software open source where possible, as the nature of open source development makes it one of the most secure against government interference in cryptographic capability.

(Relevant parts of law: Equipment Interference warrants and the duty to assist conferred on third parties (s. 129); Technical Capability Notices.)

Definition of “telecommunications operator”

§262
  1. “Telecommunications operator” means a person who—
    1. offers or provides a telecommunications service to persons in the United Kingdom, or
    2. controls or provides a telecommunications system which is (wholly or partly)—
      1. in the United Kingdom, or
      2. controlled from the United Kingdom.
  2. “Telecommunications service” means any service that consists in the provision of access to, and of facilities for making use of, any telecommunication system (whether or not one provided by the person providing the service).
  3. For the purposes of subsection (11), the cases in which a service is to be taken to consist in the provision of access to, and facilities for making use of, a telecommunication system include any case where a service consists in or includes facilitating the creation, management or storage of communications transmitted, or that may be transmitted, by means of such a system.
  4. “Telecommunications system” means a system (including the apparatus comprised in it) that exists (whether wholly or partly in the United Kingdom or elsewhere) for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electromagnetic energy.

After staring at this section for some considerable time, I am not prepared to state with confidence that it does not include entities publishing cryptographic software but not providing communications services themselves.

Colophon

Corrections welcome.