The US government has gained expansive new surveillance abilities, just a day after the UK also quietly passed into law sweeping surveillance powers for its intelligence services.
Changes to the US federal code of criminal procedure allow judges to issue search warrants that give the FBI the authority to remotely access computers in any jurisdiction, reports Reuters.
The changes have come into effect despite efforts to block them by Democratic senator Ron Wyden, who told the US Senate that the new law will give the government “unprecedented authority to hack into Americans’ personal phones, computers and other devices.”
Previously, the FBI needed to apply for a warrant in the right jurisdiction to hack a computer, but now a federal judge can approve a single search warrant covering multiple computers even if their owners are innocent or locations are unknown.
The changes have raised concerns in the light of the FBI’s unwillingness to reveal any details of what safeguards it has in place around its hacking tools.
Wyden said that by compromising computer systems and turning off security features, the FBI could leave them open to attackers.
The US Justice Department has argued that outdated statutes have hampered crime-fighting efforts. The UK’s Home Office used a similar argument to justify the controversial Investigatory Powers Bill, which passed into law on 29 November 2016 despite opposition from technology companies and civil rights groups.
The bill received royal assent just days after a petition opposing the planned legislation topped the 100,000 signatures that should have triggered a parliamentary debate.
Open Rights Group used the support for the petition to call on parliament to hold a debate to review the planned legislation in light of pending court action that it claims could force a rewrite in future.
Jim Killock, executive director of Open Rights Group, described the new act as “one of the most extreme surveillance laws ever passed in a democracy”.
The law’s impact will be felt beyond the UK, he said, because other countries, including authoritarian regimes with poor human rights records, will use this law to justify their own intrusive surveillance regimes.
Eye-wateringly intrusive powers and flimsy safeguards
Bella Sankey, policy director for Liberty, said the legislation has “eye-wateringly intrusive powers and flimsy safeguards”, putting innocent people’s personal information at huge risk.
“This new law is world-leading – but only as a beacon for despots everywhere. The campaign for a surveillance law fit for the digital age continues, and must now move to the courts,” she said.
However, the government has shrugged off criticism by saying the new Investigatory Powers Act “dramatically increases transparency around the use of investigatory powers.
“It protects both privacy and security and underwent unprecedented scrutiny before becoming law,” the Home Office said in a statement.
The government said that at a time of “heightened security threat,” it is essential for law enforcement, security and intelligence services to have the powers they need to keep people safe.
“The Investigatory Powers Act transforms the law relating to the use and oversight of investigatory powers. It strengthens safeguards and introduces world-leading oversight arrangements,” the Home Office said.
The government also said the bill was subject to unprecedented scrutiny prior to and during its passage, and claims to have responded to the recommendations of three independent reports, three parliamentary committees and both houses of parliament.
“The government has placed privacy at the heart of the Investigatory Powers Act,” the Home Office said. “The Act makes clear the extent to which investigatory powers may be used and the strict safeguards that apply in order to maintain privacy.
“A new overarching ‘privacy clause’ was added to make absolutely clear that the protection of privacy is at the heart of this legislation.”
Despite the assurances around privacy, concerns around security of data remain, particularly with regard to the data the new legislation requires service providers to collect and store about users.
Government failing to address data security issues
Responding to news that the legislation had been passed, security firm Sophos said the government has failed to address data security issues raised by security and technology firms.
John Shaw, vice-president of product management at Sophos, gave evidence at the Science and Technology Committee hearing about the draft bill in November 2015. He said that all complaints since the beginning of the consultation process about the government’s ability to force internet service providers (ISPs) and other tech companies to keep a year’s worth of records about all customers’ surfing habits have “fallen on deaf ears”.
The requirement is in theory for them to keep details of the pages visited by every UK resident and other “communications data”, but not the “content” of those pages.
“But any technologist will tell you that the distinction between the two is becoming increasingly blurred,” he said. “Either way, they will hold a vast amount of sensitive data about all of us – business and personal – such as who you bank with, who your energy provider is, what email service you use, who you send emails to and how often.”
Increased burden for ISPs to protect personal data
Shaw said his main concern is that this storage of personal data gives the cyber crime industry more opportunity to steal it, and places an increased burden on internet service providers (ISPs) to protect it.
“High-profile data leaks occur all too often, so why put more data at risk, especially after the revelations about TalkTalk, which is one of the ISPs that will need to store the data?
“The government’s advisers claim there will be very strict controls on the storing and security of the data. But I feel very nervous about that,” he said.
Weak definitions within the legislation
In addition to data security, Shaw said he remains concerned about back doors, weak definitions within the legislation, the knowledge of judicial commissioners and the effect of the law on ISPs.
Although Theresa May, as home secretary, said there would be no requirement on technology companies to provide access to their customers’ encrypted data through so-called back doors, Shaw said no mention of this is made in the legislation.
“In fact, there is no mention of encryption in the new bill at all. The government has tried to duck the issue. Sophos remains vehemently opposed to backdoors,” he said.
Weak definitions within the legislation mean that it is open to very broad interpretation. For example, the term “telecommunications operator” could apply to any company that enables data to pass between two or more computers in the UK, which would cover just about any tech company.
“We think the intent is that it applies to ISPs and other providers of email and instant messaging, but it is sloppy drafting that could be horribly abused in the future,” said Shaw.
No guarantees on the knowledge of judicial commissioners
There are also no guarantees that judicial commissioners charged with approving warrants and handling issues that arise from the new powers will have the relevant knowledge.
“The suggestion is that they be appointed from a pool of people such as retired judges, but they are hardly people famed for their understanding of complex technology,” he said, questioning whether this would really be a safeguard from rogue officers extracting more personal data than they should and using it for nefarious means.
Finally, Shaw said the unfair disadvantage to UK-based ISPs still seems to apply, despite claims to the contrary after the committee review stage.
“Section 262 clearly states that the term ‘telecommunications operator’ applies to those operating systems based in the UK,” he said. “Whatever the law says, it is hard to see how the government will enforce it on companies such as WhatsApp or Google, who operate their communications services entirely outside the UK.”