This week, a federal judge ordered Apple to assist in brute-forcing the passcode to a seized iPhone, spurring a vibrant cybersecurity debate. Meanwhile, in the UK, a proposed surveillance law could allow the government to force companies to do much the same thing, but in secret.
The draft Investigatory Powers Bill, which is currently being redrafted after scrutiny by several committees, would introduce a new set of regulations overseeing surveillance carried out by law enforcement, security and intelligence agencies.
It contains sections that some argue could be used to order technology companies to strip their customers' communications of encryption, or circumvent other digital protections in their products by engineering backdoors.
“I do think the powers are comparable, mostly as the powers are drafted so broadly and vaguely they could be interpreted that way,” Paul Bernal, a lecturer in law at the University of East Anglia with a focus on surveillance legislation, told Motherboard in a Twitter message.
Liberal Democrat peer Lord Strasburger, who is part of the Joint Committee looking into the draft Bill, on Friday tweeted, “Warning! UK [government] wants same power as FBI claims over Apple, secretly without oversight.” The Committee released its fairly critical, nearly 200-page report last week.
Warning! UK govt wants same power as FBI claims over Apple, secretly without oversight. See this from draft #IPBill. pic.twitter.com/lVkIjGgW0Y
— Paul Strasburger (@LordStras) February 19, 2016
In his tweet, Strasburger pointed to section 189, which states that “The Secretary of State may make regulations imposing specified obligations on relevant operators.”
Those obligations could include “the removal of electronic protection” and “the security of any postal or telecommunications services.”
Ian Brown, professor of information security and privacy at the Oxford Internet Institute, told Motherboard in a phone interview that “Over broad, vague language is one of the core problems in this whole area.” He added that it would be fair to say the Home Office has been vague in its language because it wants to leave its technological options open.
One particular power proposed in the draft Bill relates to bulk equipment interference (EI)—the UK government's term for hacking. A government factsheet explains that bulk EI would be a power reserved for the security and intelligence agencies and for activity with a foreign focus. Brown said this could be used for spreading technological backdoors.
GCHQ could, Brown explained, “interfere with all the iPhones they can possibly reach and install the compromised OS on them.” (The Intelligence and Security Committee of Parliament, which also scrutinised the draft Bill, recommended that bulk equipment interference warrants be removed from the Bill.)
All of this sounds a lot like the crux of the debate which is going on in the US at the moment, where the FBI is demanding that Apple makes a custom operating system for an iPhone which belonged to one of the San Bernardino shooters. Court documents state that software should be designed to allow the FBI to make as many guesses at the suspect's passcode as it takes to unlock the device (sometimes, a user can only make a limited number of attempts to access an iPhone before data on the device is deleted, and incorrect passcode guesses temporarily lock the device from further attempts).
Matthew Rice, an advocacy officer with Privacy International, said in a phone call that the Bill would allow this sort of activity to happen in relative secrecy.
“Whereas in the Apple case what we have is a worldwide debate involving so many different actors, from Snowden, civil liberties campaigners, to Facebook and WhatsApp, in the UK case this would be done completely behind closed doors,” he said.
Indeed, the same section of the draft Bill highlighted by Lord Strasburger reads that, “A person to whom a relevant notice is given, or any person employed or engaged for the purposes of that person's business, must not disclose the existence and contents of the notice to any other person.”
“Therefore, you never get any judicial debate of the government's alleged interpretation of the law, let alone public debate or Parliamentary debate of it,” Brown added.