ORG has responded to the leaked consultation on the Regulations of Technical Capability Notices.
The Open Rights Group is responding to this consultation despite the fact that we were not consulted directly. We believe that the narrow obligations for the Secretary of State to consult set out in Section 253 (6) of the Act do not necessarily preclude a broader process that involves civil society. There is a large degree of public interest in these Regulations, as evidenced in the media response to the publication of the draft text online by the Open Rights Group.
Moreover, given the substantial expansion of the organisations potentially covered by these Regulations, as discussed below, we believe that the Secretary of State likely has an obligation to consult much more broadly as many more types of organisations could be directly affected, including universities or hospitals. It is possible that this consultation does not comply with the requirements in Section 253(6). If the Secretary of State believes that only traditional telcos will be covered, this should be made clear.
Overall concerns about the security of telecommunications systems grow every day. The WannaCry ransomware, which appeared two weeks after we published the leaked document, highlights why we should be striving to uplift our security capability as a nation. We know the Home Office, and the men and women in the security and intelligence services, take these concerns very seriously and think hard about the balance of privacy, security and access to communications. However, communications surveillance and security nowadays impact the majority of the population, and we need a much broader debate with input beyond a small number of telecoms companies. That is why the Open Rights Group published the leaked Home Office consultation into technical capability notice regulations and is engaging in this consultation.
Throughout the passage of the Investigatory Powers Act 2016 concerns were raised about powers that could see telecoms companies forced to weaken the security of their products. The result is that British tech companies could have trust in their businesses undermined.
The draft Regulations focus on the requirement that any demands are “technically feasible”, but this is not the only obligation in the Act. There are no proper explanations for how the process of issuing a TCN should implement the General duties in relation to privacy in Section 2 of the Act. These include considering the public interest in the integrity and security of telecommunication systems and postal services, and any other aspects of the public interest in the protection of privacy.
The Regulations could explain that the making of a TCN should involve a process of analysis and consultation, with safeguards to make sure that the risks to customers of any obligations are properly weighed.
Section 2 of the Act also requires consideration of any other obligations of public law. This could include obligations to report breaches under Section 105B of the Communications Act 2003. The Regulations should include a process whereby a telecom operator could do this without breaking its secrecy obligations.
Given the highly technical nature of the TCNs, it is unclear how Judicial Commissioners are going to be supported to make a decision under Section 254.
The IP Act considerably widens the scope of organisations potentially covered by the obligations to implement a TCN. Webmail, social media, cloud hosts and over-the-top communications providers may be covered, and the Regulations should provide more clarity as to how the new regime will operate. This includes private providers, such as schools, universities, hospitals and hotels. It also includes overseas providers. It is particularly worrying for companies providing security and privacy products, which need the trust of their customers. VPN providers, for instance, or companies offering encryption technologies, could be compelled to provide facilities to remove the very things they are selling.
Telecommunication service means any service that consists in the provision of access to, and of facilities for making use of, any telecommunication system. For the purpose of the Act, this service does not have to be provided by the person who actually offers it to the customers. In other words, the subcontractors are not exempt from the obligations imposed by the Regulations and the Act, even though the services they are offering and managing might not be their own. The subsequent paragraph 12 adds that “facilitating the creation, management or storage of communications transmitted, or that may be transmitted” by any telecommunication services falls into “telecommunication service.” Thus, an organisation may become a “telecommunication operator” if their business involves e.g. offering e-mail accounts (which does not have to be developed in house) and data/file storage or management service. The role of subcontractors should be clarified.
The Act also extends TCNs from interception to the acquisition of communications data (including bulk acquisition) and to equipment interference (including bulk interference). The extension to communications data is problematic because there is no minimum threshold for the size of the operator, while the other powers require a minimum of 10,000 customers. We are deeply concerned that this means TCNs could be imposed on a wide range of organisations and institutions, forcing them to install and maintain surveillance capabilities. These powers should be narrowed.
We are particularly concerned about the requirements in Schedule 2 Part 1 relating to the acquisition of communications data:
“10. To install and maintain any apparatus provided to the operator by or on behalf of the Secretary of State for the purpose of enabling the operator to obtain or disclose communications data, including by providing and maintaining any apparatus, systems or other facilities or services necessary to install and maintain any apparatus so provided.”
Section 253 (5) of the Act makes reference to “obligations relating to apparatus owned or operated by a relevant operator”. This was not understood as an obligation to install black box equipment. This appears to be similar to the Russian SORM system that gives the authorities of that country direct access to private telecoms’ systems, with the difference that operators in the UK may not be expected to pay for the equipment.
Given that there are over half a million requests for communications data, plus an unknown volume of bulk data on calls and SMS, obtained every year, we believe that these brand new black boxes will become central to the new surveillance regime in the UK post-IP Act. This is before “internet connection records” become routine. Therefore we believe that this requires a lot more explanation and extra safeguards, as there will be little a telecoms provider can do, or know, in case of abuse.
The extension of TCNs to equipment interference is new and a major source of concern. Under the Intelligence Services Act, state agencies have been able to hack into devices, but there was no obligation on ISPs to create and maintain capabilities for that purpose.
This is truly uncharted territory, and we can barely imagine what this could mean in practice. From documents leaked by Edward Snowden in relation to the NSA TURBINE programme, we know that hacking can involve interception and modification of large volumes of internet traffic. We also know that GCHQ Computer Network Exploitation has included capability against Cisco routers in the Pakistan Internet Exchange, which afforded access to almost any user of the internet inside Pakistan and the ability to re-route selected traffic across international links towards GCHQ’s passive collection systems.
With the Regulations, these capabilities would not require covert operations, but would be maintained by the ISPs themselves.
Regulation of hacking activities themselves contains certain safeguards, such as an obligation to remove any “implants” after use. It is unclear what safeguards, if any, would operate here, but we are concerned about permanent capabilities.
Many times during the passing of the Act we were told that future-proofing legislation meant pushing the details to Regulations and Codes of Practice, but unfortunately understanding remains patchy. This is nowhere more true than in relation to the powers to remove end-to-end encryption.
We are concerned about the potential harm to personal security that could result from technological limitations on encryption, most recently raised in Amber Rudd’s comments about WhatsApp and hinted at in the Conservative manifesto promise to remove safe spaces for terrorists online. As we have now seen, vulnerabilities and backdoors can get hacked or leaked. Weaker encryption for all means the majority of the population are more at risk from the few.
We believe that it is unacceptable that the Regulations do not provide the public with absolute clarity as to the operations of the technical obligations on operators to remove end-to-end encryption.