New spy laws bad for UK citizens
The Times today reported on an upcoming law that would explicitly guarantee UK spies the right to hack devices, something they’ve been able to do for some time.
The new law is bad for so many reasons:
- Hacking requires a so-called “warrant” from the Home Secretary, not a real warrant from a judge. Previous such warrants have signed off on entire surveillance programmes, such as OPTIC NERVE which recorded over a million Yahoo webcam private chats.
- The government has responded to the Anderson report recommendations of judicial oversight by offering to have a different cabinet minister sign off on the reports. This is no compromise at all on the government’s part, and completely evades the required judicial oversight.
- UK spies are to be granted carte blanche to hack foreign targets. The idea that any hack the UK government does should be legal poses a serious threat to the rest of the world’s security, and the UK would never accept a similar law passed by, say, China. Nor would it be remotely reasonable for the UK to blanket authorise military use abroad in this manner.
- The UK’s continued plans to withdraw from the European Court of Human Rights, which the current party was instrumental in creating after World War II, suggest that it knows what it’s doing is likely to be overruled on human rights grounds. There can be no other reason to withdraw from the ECHR while keeping its words in UK law, except as a prologue to cancelling some of those rights later.
- We can expect to see this hacking used in domestic crime cases, perhaps via the National Crime Agency who are known to use surveillance data. This moves state-sponsored hacking from “spying on Beijing” to “spying on Brighton”.
- Effectively, the legal warrant process for searching a person’s computer or smartphone will be far weaker than the current standard for searching a person or property, which requires a judge’s signature. It can also be done in complete secret. This represents a considerable removal of British people’s basic privacy rights.
- This law will probably legitimise the UK’s current mass surveillance system, which violates the basic privacy of the entire planet.
Perhaps most importantly, increased use of hacking requires the government to either surreptitiously implant backdoors in systems, or to stockpile and use vulnerabilities on a regular basis. All of these make the system less secure:
- Any deliberate vulnerability can be discovered and exploited by unintended actors, especially criminals or foreign spy agencies. Even the best guarded vulnerability only makes the system weaker, and cannot make it stronger.
- Buying vulnerabilities supports the black market trade in system exploits. This makes it easier for the bad guys to get system exploits.
- The black market trade in exploits encourages researchers to sell their exploits to the highest bidder instead of revealing the vulnerability to the developer. Black market prices are already higher than
- Any vulnerability GCHQ discovers by itself can also be discovered by a third party. Stockpiling it for offensive use instead of allowing the vendor to fix it leaves the entire world vulnerable to all attackers.
- In any case, existing vulnerabilities leave everyone vulnerable to attack, including critical information systems, national infrastructure, and systems which contain private or personal information. Unlike with national security and physical border control, the government cannot effectively protect people’s systems from electronic attack, except by allowing those systems to remain strong.