Soon, the power for UK police to hack computers will be solidified in a new law. A controversial piece of proposed surveillance legislation would explicitly grant police the ability to use computer network exploitation in investigations, and use evidence obtained from these methods in court.
The draft Investigatory Powers Bill would, among other things, force internet service providers to store the browsing histories of their customers for a full 12 months. But an oft-overlooked aspect of the draft Bill is that it would formally recognize “equipment interference” (EI)—the UK government's term for hacking. This would usher in new authorizations for how police can use tools such as malware to take data from computers, or exploits to crack the security features of devices.
The draft Bill in its current form is “effectively legitimizing hacking,” Paul Bernal, a lecturer in law at the University of East Anglia (UEA) with a focus on surveillance legislation, told Motherboard in a phone interview. The draft is currently being revised before it is considered as a Bill by the House of Commons and House of Lords.
UK cops have already been using EI for years under the Police Act 1997—a law that was not specifically designed for computer exploitation—as well as the Regulation of Investigatory Powers Act 2000 (RIPA), but through evidence sessions for several watchdogs tasked with scrutinising the draft Bill, we've learned more about how police hack.
What emerges is a wide use of EI in the UK without much public scrutiny. And some surveillance experts say that the vague terminology in the legislation could legitimize the spread of different invasive techniques.
"We use [EI] for a range of purposes, ranging from pretty much every-day relatively routine activities right up to far more high end."
A government fact sheet published as part of the draft Bill describes EI as “the power to obtain a variety of data from equipment,” including computers, tablets, and phones. Although agencies don’t detail any particular technologies, a separate government document reads that “more complex operations may involve exploiting vulnerabilities in software to gain control of devices or networks.”
In other words, EI encompasses hacking tools and malware. According to evidence from law enforcement bodies, EI is a “crucial tool” for police responding to emergency situations, “such as kidnap, where the ability to quickly use these techniques can be the difference between life and death.”
“We use [EI] for a range of purposes, ranging from pretty much every-day relatively routine activities right up to far more high end,” Chris Farrimond, deputy director of intelligence collection from the National Crime Agency (NCA), told the Joint Committee analysing the draft Bill in November.
Written evidence provided by the NCA, National Police Chiefs Council (NPCC), and HM Revenue & Customs (HMRC), reports that law enforcement bodies have used EI to detect and prevent “serious crime.” An NCA spokesperson referred to the definition of a “serious crime” under RIPA as offences that would result in three years in prison or more or that involve violence, substantial financial gain, or “a large number of persons in pursuit of a common purpose.”
In one case mentioned in the Impact Assessment of EI for the draft Bill, cops used EI to identify a criminal network importing Class A drugs. EI has also been used to counter “Islamist terrorism,” crimes related to paedophilia, and cybercrime.
The written evidence from law enforcement bodies says that they are concerned about the “Restrictions in the conduct of Equipment Interference for serious crime only.” “We would seek further capability,” Detective Superintendent Paul Hudson, who leads the Metropolitan Police Service’s Technical Surveillance Unit, said in oral evidence.
The government describes the list of agencies that can apply for EU warrants as “limited.” It includes the National Crime Agency (NCA), UK police forces, the Ministry of Defense police, Royal Military Police, Royal Navy Police, Royal Air Force Police, and HMRC (which deals with tax issues).
"As technology develops and criminals become ever more sophisticated with it, EI will become an increasingly crucial tool"
The general reason UK police give for using hacking tools is to obtain information that cannot be captured by other means. More specifically, they point to the fact that criminals have moved from more traditional modes of communication to devices and services where messages are unreadable even when intercepted. “For example where encryption technology is being used to hide criminal communications,” the written evidence from law enforcement bodies reads.
“As technology develops and criminals become ever more sophisticated with it, EI will become an increasingly crucial tool for LE in maintaining its ability to effectively prevent and detect serious crime,” they continue. A separate government document explicitly mentions that EI can be used to tackle the so-called dark web.
This echoes the fierce “going dark” debate in the US. The FBI and US law enforcement have repeatedly claimed that they are losing visibility of criminals' actions and communications because of the proliferation of message and hard-drive encryption. On this premise, the FBI has asked for an extra $38 million to develop encryption-beating tools, and recently demanded that Apple assist in the brute-forcing of an iPhone passcode.
Back on the other side of the Atlantic, the NCA seems to be developing its hacking abilities too. In oral evidence, Keith Bristow, director general of the NCA, said that recently-announced funding for the agency mostly relates to its “digital capabilities.”
Law enforcement won’t detail what tools are being used in equipment interference. A spokesperson for the National Crime Agency told Motherboard in an email that, “The NCA leads the law enforcement response to serious and organised criminality impacting the UK. However, to preserve operational effectiveness we do not routinely disclose details of specific tools or techniques deployed in addressing those threats.”
The Metropolitan Police declined to comment, and the NPCC did not respond.
"It's deliberately vague, in the sense that they want to leave their options open"
Independent surveillance expert and privacy activist Eric King claims the term “equipment interference” is so vague that it may also include other information-gathering technologies that aren’t strictly hacking, such as IMSI-catchers—devices which can pick up a phone’s unique identification number, and in some cases also obtain text messages and calls.
Because of the lack of information around what actual capabilities are being used under equipment interference, King feels that law enforcement has not done enough “to provide Parliament with the basic information to allow them to consider the scope, the damage, [and] the concerns that such powers will have.” (The NCA and the Metropolitan Police did provide an off-the-record meeting to at least one of the Committees scrutinising the Bill, in which they explained the type of EI activities used.)
“It's deliberately vague, in the sense that they want to leave their options open,” Bernal said. “As the purpose of equipment interference is to get things you can't get through any other way, it's right from their perspective to leave it as open as possible.”
If UK law enforcement has already been exploiting computers for years, what would actually change under the draft Bill?
First of all, it would offer a new legal framework for police hacking techniques. At the moment, police often hack under Part III of the Police Act 1997—specifically with “property interference” authorisations, which also includes things such as bugging a car or a room.
“It's bonkers, because Parliament had absolutely no idea that they were consenting to hacking when they were passing the Police Act,” King said. (Law enforcement sometimes carry out equipment interference with other authorisations, including under RIPA surveillance regulations).
In their evidence, UK law enforcement bodies say that: “The IPB [Investigatory Powers Bill] consolidates the existing legislation and sets out a clear framework for the authorisation of equipment interference.”
That new authorisation mechanism will be the so-called “double-lock” system, where warrants issued by a Chief Constable will need to be approved by a Judicial Commissioner.
Hudson from the Metropolitan Police Servicesaid in oral evidence that this move would not affect the speed of the authorisation process, and added that it “reflects the Police Act.”
Bernal described the double-lock as “just a new rubber-stamping mechanism.”
“The judicial authorisers are, to an extent, just checking that the process has gone through correctly,” he said. “I’m not convinced the judges will understand the risks and implications any more than anyone else.”
Another change under the Bill is that material obtained from hacking would, for the first time, be permissible as evidence in a court of law. King said this was a positive thing “because it will allow defendants to challenge potential abuses by police using equipment interference.”
The Home Office did not fulfill a request for comment.
A revised version of the draft Bill is expected to be introduced in the Spring. From here, it will travel through the normal parliamentary process, and debated within the House of Commons and House of Lords. The sunset clause on the Data Retention and Investigatory Powers Act 2014 (DRIPA), existing surveillance legislation which is planned to be replaced by the draft Bill, runs out in December.
“I think the biggest thing right now is that we are operating, somewhat, in the dark,” Bernal said, meaning that the general population, and perhaps legislators, aren’t fully aware of what law enforcement are actually doing.
“We do need to ask ourselves: Actually, do we think this sort of thing is okay, and if so, on what terms?” Bernal said.