24-11-2016 | By Paul Whytock
Those of you who’ve read George Orwell’s book Nineteen Eighty-Four will remember how the citizens of the fictitious totalitarian state of Oceania are constantly under surveillance by order of its dictator, Big Brother. In the story, telescreens are placed in people’s homes that not only provide sanitised state-approved information but also act as surveillance monitors even when turned off.
In this way the Big Brother State could monitor any subversive and criminal activities by its citizens.
OK, so now swap your home desktop computer, laptop or smartphone for the fictitious telescreen. Not only are you sitting in front of a modern-day version of the Big Brother telescreen, you are also walking around with one in your pocket or handbag.
Sound a bit far-fetched to you? Well, it’s set to become a reality here in the UK once The Investigatory Powers Bill passes into law, which it is expected to do by the end of the year, following final amendments and Royal Assent.
Needless to say, the Bill has raised monumental concerns about the invasion of individual citizens’ privacy. But counterbalancing those concerns and weighing heavily in favour of the Bill are the ways in which it will help to detect and deter terror attacks and the sort of cyber crime that can potentially cause chaos to a country’s financial operations and major infrastructure systems such as public transport.
So what does The Investigatory Powers Bill mean to the likes of you and me?
The major element is that Internet Service Providers (ISPs) and mobile communication companies will be required by law to maintain records of websites visited by every customer for 12 months. These records will be accessible to police, security services and other public bodies providing they have an appropriate warrant. In addition, security services will be legally empowered to bug computers and phones upon approval of a warrant.
Not only will companies be legally obliged to assist with these operations, but they may well be asked to bypass encryption. This is causing major concern.
There is no doubt that such surveillance facilities will be massively useful in the fight against crime but the one thing that must be considered is that the moment huge databases of information are created there will always be scores of hackers licking their pernicious lips at the thought of penetrating such information-rich targets.
The whole problem here is the issue of encryption and the suggestion that it could be bypassed to help organisations that have a warrant to gain access to database information.
Many industry experts will rightly tell you there is no such thing as partial data encryption. You either have a fully capable system or none at all. A worrying precedent would be set once security services have a key to unlock the system because it creates potential database vulnerabilities that could provide an opportunity for malicious intruders.
However, Earl Howe, Minister of State for Defence and Deputy Leader in the House of Lords, has been quoted as saying it would be entirely sensible for the government to work with ISPs to determine whether it would be reasonably practicable to take steps to develop and maintain a technical capability to remove encryption that has been applied to communications or data.
However, Parliament’s Science and Technology Select Committee has already raised concerns over the impact the legislation could have on the UK’s technology sector.
Further complexities regarding data security and how warrant holders could access databases come in the form of services like Apple’s iMessage and WhatsApp, which both use end-to-end encryption. This is a system where only the communicating users can read the messages. Even the provider of the communication service cannot access the cryptographic keys needed to decrypt the text. The systems are designed to defeat any attempts at surveillance, and therefore companies that use end-to-end encryption are unable to hand over texts of their customers' messages to the authorities.
Apple Computer already has concerns about the Bill. It believes it could be required to modify iMessage, and we already know from the situation that developed between Apple and the FBI regarding the decryption of one of its phones how strongly that company regards secure encryption as a fundamental right regarding its business.
And so the encryption issues surrounding The Investigatory Powers Bill rumble on despite the fact the Bill is expected to pass into law by the end of this year.
And they are issues that require robust, rock-solid solutions to adequately protect the mass of extremely confidential information that will be held in databases under the requirements of the Bill.
Without them we will undoubtedly see more huge cyber attacks such as the recent one on telecoms provider Three Mobile, where hackers successfully accessed its customer upgrade database after using an employee login. This put the private details of millions of its customers at risk.