Thursday, November 23, 2017

Tag: Home Secretary

Magical thinking meets willful ignorance at closed meeting
Analysis: UK Home Secretary Amber Rudd kicked off a firestorm in the tech community Tuesday when she argued that "real people" don't need or use end-to-end encryption.…

Amber alert! The UK's Home Sec is heading this way
Executives at Facebook, Google and other terrorist-enabling online services are said to be quaking in their boots as UK Home Secretary Amber Rudd swoops into Silicon Valley this week to read them the riot act.…

US tech giants react to UK Home Secretary Rudd
Big Tech has told the UK government it will do more to remove extremist content from their networks, but has refused to offer concessions on encryption.…
How far will it go? You'll have to ask the Home Secretary

Among the many unpleasant things in the Investigatory Powers Act that was officially signed into law this week, one that has not gained as much attention is the apparent ability for the UK government to undermine encryption and demand surveillance backdoors.

As the bill was passing through Parliament, several organizations noted their alarm at section 217, which obliged ISPs, telcos and other communications providers to let the government know in advance of any new products and services being deployed and allowed the government to demand "technical" changes to software and systems. This was the proposed wording in the Code of Practice accompanying the legislation:

CSPs subject to a technical capacity notice must notify the Government of new products and services in advance of their launch, in order to allow consideration of whether it is necessary and proportionate to require the CSP to provide a technical capability on the new service.

As per the final wording of the law, comms providers on the receiving end of a "technical capability notice" will be obliged to do various things on demand for government snoops – such as disclosing details of any system upgrades and removing "electronic protection" on encrypted communications.

[Image caption: Bye bye, encryption ... Wording from the latest version of the law]

Thus, by "technical capability," the government really means backdoors and deliberate security weaknesses so citizens' encrypted online activities can be intercepted, deciphered and monitored. In effect, the UK government has written into law a version of the much-derided Burr-Feinstein Bill proposed in the US, which would have undermined encryption in America.

A backlash derailed that draft law. No such backlash happened in the UK over the Investigatory Powers Bill, though, and so here we are. Web browser histories logged by ISPs 24/7, and the looming possibility of crippled cryptography.

There may not be much point in using a VPN to conceal your web activities if it can be blown open by a technical capability notice. To be fair, there were some fears that Blighty's law would effectively kill off the UK software industry as well as undermine Brits' privacy, and expose them to surveillance and hacking by criminals exploiting these mandatory backdoors.

This mild panic did bring about some changes to the UK's Investigatory Powers Bill before it was passed. The question is: were the changes sufficient? The "anti-encryption" part of what is now UK law has moved from section 217 to sections 254-256 and contains some additional safeguards.

But those safeguards, as they often are, are largely a judgement call by a Secretary of State. The wording is slightly improved in that, by introducing any one of the Secretaries of State as a required signatory to any "technical capability notices", it introduces a minor choke-point and a degree of accountability. Rather than the security services or police being able to force any communications provider to tell them their new product plans and oblige technical changes, the issue will have to bubble up to the desk of a Cabinet minister, probably the Home Secretary.

Consultation

Once on his or her desk, one of the Secretaries of State will have to "consider that the conduct required by the notice is proportionate to what is sought to be achieved by that conduct." He or she will also have to consult the "Technical Advisory Board" – which was created in response to another unpopular piece of technical legislation, RIPA – and people that are "likely to be subject to any obligations specified in the regulations." Any notice that the secretary then decides to push forward will have to be approved by a "Judicial Commissioner" – a judge appointed by the Prime Minister in that role – who will take into account the same factors as the secretary but, critically, also have to consider "the same principles as would be applied by a court on an application for judicial review." If the commissioner refuses to approve the decision, he or she must provide a written reason for doing so.

But that decision can then be overridden by the new Investigatory Powers Commissioner. The Investigatory Powers Commissioner has been created specifically for this legislation and will be appointed by the Prime Minister.

That in itself was an issue subject to some debate with a select committee of MPs arguing that the commissioner should be appointed by the Lord Chief Justice rather than the Prime Minister.
In the end, the government won out. Some further improvements come in the form of more precise wording.

Any notice would have to specify what sort of obligation will be applied to a communications provider. Most noteworthy in this context is section 254 (5)(c):

The obligations that may be specified in regulations under this section include, among other things ... obligations relating to the removal by a relevant operator of electronic protection applied by or on behalf of that operator to any communications or data.

Note the qualifier in that wording: the obligation attaches to protection applied by or on behalf of the operator itself. Other obligations are clearly intended to allow for government tapping of internet communications and after-the-fact provision of stored data from ISPs.

Consideration

There is also a list of things a Secretary of State must consider before issuing a relevant notice, including:

- the likely benefits of the notice
- the number of users
- the technical feasibility of complying
- the cost of complying, and
- "any other effect of the notice on the person"

In short, what the law's passage through Parliament has done to the UK government's ability to force tech companies and telcos to introduce backdoors into their technologies is make it slower and a little tougher. Does it prevent the UK government from breaking encryption? It absolutely does not. In fact, it foresees it. Does it mean that customers will be made aware that their communications and traffic are compromised by a backdoor? No, it does not.

All of the checks and balances are safely contained within the upper levels of government and the judiciary. Based on what both the UK and US governments have done in the past with all-encompassing orders that are time-based rather than product-based, and considering the fact that there is nothing that says it has to be done on a case-by-case basis, it's a safe bet that the government will approve one-size-fits-all "technical capability" notices for specific companies. Where will the balance between protecting consumers and providing access to law enforcement and security services lie? We will likely never know in any useful detail, since no one is under any obligation to make that reasoning or argument available outside the small group of individuals that take the decision.

Nuts of it

Most critically, if a Cabinet minister decides he or she wants a backdoor to be introduced into some software, is there anything that can stop him or her? The answer to that is almost certainly no, except that he or she can be slowed down and would likely make some concessions to move ahead. If the Home Secretary and the Prime Minister both want a backdoor into some service, is there anything that can stop them? Again, no, but a brave Investigatory Powers Commissioner could delay it for a few years.

And in the broader picture, will the UK government be able to force the likes of Twitter or Facebook or Google or Apple to introduce backdoors and/or hand over user data? The answer to that is: let's wait and see. The UK government can certainly insist that a company not based in the UK carry out its orders – that situation is specifically included in the new law – but as to whether it can realistically impose such a requirement, well, that will come down to how far those companies are willing to push back and how much they are willing to walk away from the UK market.

At the end of the day, will the UK security services be able to read your email, your messages, your posts and private tweets, and your communications if they believe you pose a threat to national security? Yes, they will. Will they do it for less than that? You'll probably have to ask the Home Secretary. ®

A controversial UK surveillance bill has become law, despite efforts to stop it.

The Investigatory Powers Act 2016 today received the final stamp of approval from the Queen—a practice called Royal Assent.
It requires telecom firms to store customers' Internet Connection Records for 12 months.

These records include the domains you visited, but not the specific pages within them (so it would show pcmag.com but not pcmag.com/apple or pcmag.com/android, for example).

This data would be accessible by law enforcement and intelligence agencies provided they secure the necessary warrants and judicial approvals, and would be used to "disrupt terrorist attacks and prosecute suspects," according to the UK Home Office.

"The Internet presents new opportunities for terrorists and we must ensure we have the capabilities to confront this challenge," Home Secretary Amber Rudd said in a statement. "But it is also right that these powers are subject to strict safeguards and rigorous oversight."

That oversight includes an Investigatory Powers Commissioner to oversee the program, and protections for journalistic and legally privileged material, as well as tough sanctions for those abusing their power.

Security advocates, however, still have concerns about the law, which has been dubbed the "Snooper's Charter."

As Big Brother Watch notes, for example, a 2000 version of the bill provided 28 government organizations access to communications data. "Under the new Investigatory Powers Bill, this has now been extended to 48 organizations which now also have the power to snoop on citizens' browsing histories."

It also "extends the level of access police and intelligence agencies have to citizens' communications data and allows them to collect information on people's phone calls, text messages and social media conversations upon request," the group says.

A petition calling for an end to the Investigatory Powers Act launched earlier this year and has secured more than 138,000 digital signatures.
Since it got more than 100,000 signatures, the issue will be debated in Parliament, but that threshold was reached after the bill had passed through its parliamentary stages, so the debate is unlikely to result in any major changes.

"This government is clear that, at a time of heightened security threat, it is essential our law enforcement, security and intelligence services have the powers they need to keep people safe," Rudd said.

Some provisions in the bill require testing and will not be set into motion "for some time," according to the Home Office.

All other mandates—like Internet Connection Records—are moving forward as the new law replaces 2014's Data Retention and Investigatory Powers Act, which sunsets on Dec. 31.

Your homes may be your castles, but your browsing histories belong to UK.gov

IPBill

Queen Elizabeth II today signs off on Parliament's Investigatory Powers Act, officially making it law. QEII not only had the last word on the new legislation – aka the Snoopers' Charter – she had the first. She publicly announced what the law would be called during the official opening of Parliament after last year's general election.

A first draft of the Investigatory Powers Bill was published six months later, alongside a confession that successive British governments had been issuing secret directives to telcos to intercept their users' communications. Many were pleased such secret surveillance was now being more explicitly codified. Theresa May – then Home Secretary – claimed that it only introduced the one new power: "requiring communications service providers to retain internet connection records when given a notice by the Secretary of State". But this was disputed by civil liberties campaigners.

Legal challenges against the bill are already under way, with members of the Don't Spy on Us coalition continuing their involvement in legal action against the proposed mass surveillance powers. The organisation notes:

The UK's legal regime for bulk surveillance is being challenged in two separate cases at the ECHR, while the data retention regime is being questioned in the UK and EU courts in the Watson (previously Watson-Davis) challenge. We expect both courts to place further demands for safeguards and restraints on the highly permissive UK surveillance regime. There has never existed a single law regarding data retention powers in the UK which has not, in some form or another, been amended due to a legal challenge.

Popular opposition to the law has already provoked over 133,000 citizens to sign a petition calling for its repeal, and although that is unlikely to happen, the petition's motion must now be considered by Parliament.
Those who campaigned against the legislation are disappointed. Bella Sankey, the Policy Director for Liberty, described today as "a sad day for our democracy." She added: "The Home Secretary is right that the Government has a duty to protect us, but these measures won't do the job. Instead they open every detail of every citizen's online life up to state eyes, drowning the authorities in data and putting innocent people's personal information at massive risk."

Sankey added: "This new law is world-leading – but only as a beacon for despots everywhere. The campaign for a surveillance law fit for the digital age continues, and must now move to the courts."

Jim Killock, exec director at digital rights campaigner the Open Rights Group, agreed: "Amber Rudd says the Investigatory Powers Act is world-leading legislation. She is right; it is one of the most extreme surveillance laws ever passed in a democracy. Its impact will be felt beyond the UK as other countries, including authoritarian regimes with poor human rights records, will use this law to justify their own intrusive surveillance regimes."

He continued: "Although there are some improvements to oversight, the Bill will mean the police and intelligence agencies have unprecedented powers to surveil our private communications and Internet activity, whether or not we are suspected of a crime. Theresa May has finally got her snoopers' charter and democracy in the UK is the worse for it." ®
The UK's home secretary, Amber Rudd, has signed an extradition order agreeing that hacking suspect Lauri Love should face trial in the US. Love's family plan to appeal against the decision.

The 31-year-old—who has Asperger's syndrome—faces up to 99 years in prison and fears for his own life, his lawyers have said.

A home office spokesperson told Ars: "On Monday 14 November, the secretary of state, having carefully considered all relevant matters, signed an order for Lauri Love's extradition to the United States. Mr Love has been charged with various computer hacking offences which included targeting US military and federal government agencies."

Rudd considered four so-called legal tests of the Extradition Act 2003: whether Love is at risk of the death penalty; whether specialty arrangements are in place; whether Love has previously been extradited from another country to the UK, thereby requiring consent from that country; and whether Love was previously transferred to the UK by the International Criminal Court. However, the home secretary concluded that none of these issues applied to Love.

The extradition comes after more than 100 MPs recently penned a letter to President Barack Obama, urging him to prevent Love's extradition to the US on the grounds that the hacking suspect's case is similar to that of British citizen Gary McKinnon, whose extradition to the US was blocked in 2012 by then Home Secretary Theresa May. At the time, May introduced a forum bar to stop extradition in cases where the defendants' human rights were said to be at risk.

But the prime minister recently noted that the legal position for the forum bar had been changed, adding that it was "now a matter for the courts." In September, District Judge Nina Tempia ruled that Love should be extradited to the US to face trial over the alleged hacking of the US missile defence agency, the FBI, and America's central bank.

At the time, Tempia said that she was satisfied that the decision was "compatible" with Love's Convention rights. On Tuesday, the home office said in its "Lauri Love Fact Sheet":

The legislation does not permit the home secretary to consider human rights or health issues in extradition cases, nor would it be appropriate for the home secretary to do so. It is for a judge to decide whether or not extradition breaches an individual's human rights, or whether their health makes it unjust or oppressive to extradite them.

Love's lawyers now have 14 days to mount an appeal against his extradition to the US. "We will be appealing," Love's father, Alexander Love, told the BBC. "We are talking to our lawyers. It was going to happen—it was inevitable—but it's still painful. I cannot begin to express how much sorrow it causes me. All we are asking for is British justice for a British citizen."

This post originated on Ars Technica UK
A U.K. official has ordered the extradition of a British man to the United States on charges of hacking government computers belonging to NASA and the Department of Defense. Lauri Love, a 31-year-old hacktivist, has been fighting his extradition, but on Monday U.K. Home Secretary Amber Rudd signed the order.

"Mr. Love has been charged with various computer hacking offences which included targeting U.S. military and federal government agencies," the U.K. Home Office said in a statement.

The U.S. originally charged Love in 2013 for allegedly stealing confidential data from thousands of government employees, including Social Security numbers and credit card details. U.S. investigators accuse Love and his accomplices of causing millions of dollars in damages. Love's defenders, however, claim he breached the U.S. government computers to protest the suicide of activist Aaron Swartz, who at the time was also facing hacking-related charges.

Love fears that he won't face a fair trial in the United States. "I would say my prospects of due process in America are essentially zero," Love has previously said. But this September, a U.K. judge paved the way for Love's extradition to the United States, despite worries that he may attempt to commit suicide. Love has been diagnosed with Asperger Syndrome and has a history of depression.

Although the U.K. home secretary had the final decision on the matter, she found no conditions to bar Love from being sent to the United States. Three U.S. courts have filed extradition requests for Love. If convicted, he could face a maximum sentence of 99 years. However, his legal team has previously said that Love will seek permission to appeal his extradition to the U.K.'s High Court.
#OpLastResort hacker suspect on suicide watch

It appears that appeals for clemency have come to naught after the UK Home Office confirmed that the extradition order for Lauri Love has been signed off by Home Secretary Amber Rudd. Love is facing charges that he was part of #OpLastResort, which stole large amounts of data from targets like the US Federal Reserve, the Department of Defense, NASA, and the FBI between 2012 and 2013.

The 31-year-old, who suffers from Asperger syndrome, faces 99 years in prison and millions of dollars in fines if he's convicted.

"On Monday 14 November, the Secretary of State, having carefully considered all relevant matters, signed an order for Lauri Love's extradition to the United States," Home Office spokeswoman Rosie Libell told The Reg. "Mr Love has been charged with various computer hacking offences, which include targeting US military and federal government agencies."

Love faces up to three trials in the US on hacking charges and, thanks to an extradition agreement arranged by then-Prime Minister Tony Blair, American prosecutors don't have to show evidence before a British court beforehand. Love now has 14 days to appeal Rudd's decision.

In court, Love's lawyers have argued that Love, who has suffered mental illness for most of his life, would be at high risk of suicide if extradited. In September, a British court ruled that this was not enough to stop his extradition, but on Monday Love reiterated that he was not going to travel to the US.

"Have I mentioned recently that I have absolutely zero intention of being taken to the USA against my will to be subjected to state violence?" — Lauri Love (@LauriLoveX), November 12, 2016

"(In the event of my death or disappearance a series of automated measures will trigger and numerous newsworthy revelations can be expected.)" — Lauri Love (@LauriLoveX), November 14, 2016

Love's case has sparked huge amounts of interest and support. Last month over 100 members of parliament signed an open letter to US President Barack Obama, asking the leader of the Land of the Free™ to reconsider the extradition. So far there has been no response, and Love is unlikely to get any mercy from President-elect Trump. ®
This week, culture minister Matt Hancock and more than 100 fellow MPs (Members of Parliament) have signed a letter calling on president Barack Obama to block Lauri Love's extradition to the US to face trial over the alleged hacking of the US missile defence agency, the FBI, and America's central bank. Love—an Asperger's syndrome sufferer from Stradishall, Suffolk—was told in September at a Westminster Magistrates' Court hearing that he was fit to be extradited to the US to face trial in that country.

The 31-year-old faces up to 99 years in prison in the US if convicted.

According to his lawyers, Love has said he fears for his life. Hacking allegations against Love stem from the Anonymous-related #OpLastResort hack in 2013.

The initiative targeted the US Army, the US Federal Reserve, the FBI, NASA, and the Missile Defense Agency in retaliation over the tragic suicide of Aaron Swartz as the hacktivist infamously awaited trial. Love is accused of participating through SQL injection attacks. Love's legal team have argued that their client's case is similar to that of British citizen Gary McKinnon, whose extradition to the US was blocked in 2012 by then home secretary Theresa May.

At the time, May introduced a forum bar to stop extradition in cases where the defendants' human rights were said to be at risk. Hancock, who is the Love family's local MP, signed the letter alongside a cross-party coalition of 104 other politicos.

The missive to Obama asks:

The UK has prosecuted at least twelve computer hackers who have hacked US-based computer systems. Indeed, Mr Love would be the first UK-based computer hacker to be extradited and denied the opportunity to face a full prosecution in the UK. The UK criminal justice system is equipped to bring justice through sentencing and rehabilitating people who are adjudged to have committed these crimes. Many of these twelve cases did not involve individuals who have significant mental health issues, nor Asperger Syndrome and were not at a high-risk of suicide, yet they were not extradited. We would like to ask, why then is the United States insistent on Mr Love's extradition despite the UK having a proven track record of appropriately sentencing and rehabilitating individuals who have committed computer hacking offences against the US?

The MPs seek an "act of compassion" from the US president by urging him in his final days of office to personally intervene in the case, kill the extradition order, and allow it to be heard in the UK. "You would be acting to prevent this vulnerable and mentally unwell man from being placed in a situation where he will most probably take his own life," the letter states.

Prime minister May—when recently quizzed in parliament by McKinnon campaigner and MP David Burrowes—said of the forum bar: "We subsequently changed the legal position on that, so it is now a matter for the courts. There are certain parameters that the courts look at in terms of the extradition decision and that is then passed to the home secretary. It is for the courts to determine the human rights aspects of any case that comes forward."

She added: "It was right, I think, to introduce the forum bar to make sure there was that challenge for cases here in the United Kingdom, as to whether they should be held here in the United Kingdom, but the legal process is very clear and the home secretary is part of that legal process."

This post originated on Ars Technica UK
The UK's Tory government cabinet ministers have reportedly been officially banned from wearing Apple Watches to crucial meetings in case they're compromised by Russian hackers. "The Russians are trying to hack everything," one unnamed source told the Telegraph.

Apple Watches were said to be popular with several ministers, including former justice secretary and failed leadership candidate Michael Gove, who wore them to cabinet meetings during David Cameron's tenure as prime minister. However, under PM Theresa May—the former home secretary who repeatedly pushed for Britain's spies to have greater surveillance powers—the devices have been summarily banned amid fears that Russian security services could use them to listen in on government business.

Cabinet ministers have been banned from bringing smartphones and tablets to meetings since late 2013. It was reported at the time that an iPad used during a presentation by then-cabinet minister Francis "Digital by Default" Maude was removed from the room "even before discussions could begin," and smartphones were placed into "soundproof lead-lined boxes." There were also fears that USB sticks handed to delegates at the G20 summit in Saint Petersburg that year could have been loaded with malware.

Russian hackers are apparently everywhere at the moment, with the US department of homeland security officially accusing Putin's regime of attempting to disrupt the US elections amid a series of political hacks.

But Russia is by no means the only nation chancing its arm with government hacks. Last year, the NSA was accused of spying on Angela Merkel and other high-ranking German officials using Regin malware. This isn't the first time Apple Watches have disrupted cabinet meetings.

The Telegraph also reports that when Gove was chief whip he accidentally played a few bars of a Beyonce song while "surreptitiously checking his e-mails." This post originated on Ars Technica UK
New system to ensure suppliers are up to scratch on IT security

A high-profile project has been launched with the aim of strengthening UK enterprises' IT security. The Cyber Highway was launched in London on Tuesday by Lord David Blunkett.

The resource offers a "user-friendly online portal for large enterprises that want to strengthen the cyber defence of their supply chain." Corporations will, essentially, be able to monitor in real time the progress their suppliers are making en route to Cyber Essentials certification.

Cyber Essentials is a UK government scheme that launched in June 2014 and is designed to help organisations protect themselves against hackers and malware infections. It's largely about baseline security controls. So, basically, Cyber Highway ensures that your suppliers are following the Cyber Essentials requirements of good security – which is crucial as more and more Whitehall departments insist on suppliers being Cyber Essentials certified.

Lord Blunkett – a former Home Secretary and chairman of Cyber Essentials Direct, the outfit behind The Cyber Highway – said: "The UK Government has made significant progress.

Government departments now require suppliers bidding for particular contracts to be Cyber Essentials certified, and next month sees the launch of the National Cyber Security Centre.

These are all steps in the right direction but we can and must go further, especially to assist many more companies to become certified.” Small organisations account for 92 per cent of cyber attacks, often because of limited resources.

The issue of vulnerabilities in third-party suppliers leading to compromises of the companies they serve has been around for years, and gained much greater prominence after a mega-breach at US retailer Target was traced back to its refrigeration, heating and air conditioning subcontractor.

Cyber Essentials Direct chief exec John Lyons said: "We have spent the last eighteen months designing a practical and helpful approach to help de-risk and secure otherwise vulnerable supply chains from cyber attack."

All about the baseline

Javvad Malik, security advocate at security tools firm AlienVault, said that Cyber Essentials was helpful in improving baseline security standards. "There definitely have been benefits from cyber essentials," Malik explained. "Many small businesses that were not even aware of security needs or requirements have, by way of Cyber Security Essentials, been able to establish a baseline.

The better-equipped and aware of security needs companies are, the better the chance they can spot, prevent, and respond to a cyber attack. However, we may not see a visible reduction in the amount of data breaches immediately.

The process needs time to distil through organisations.

During this time, it is likely that attackers will change their tactics – but overall the security bar will be raised."

"The most important thing enterprises should be doing is [to] know what their assets are, where they are located, and be aware of when [they are] attacked, compromised, or stolen," Malik added.

Gubi Singh, COO at pen testing and managed threat detection firm Redscan, noted that many businesses, particularly small- and medium-sized ones, are "still complacent" about the risks posed by cyber threats. "Obtaining accreditation like Cyber Essentials demonstrates to customers, partners and investors that a company takes protection of data seriously, and many businesses are now waking up to the competitive advantages of having effective security controls in place," Singh said. "Compliance is not a tick box exercise, however. With the threat landscape evolving on a daily basis, defences and processes need to be continually reviewed to keep pace with the latest attacks," he added.

Prospects

Firms that gain Cyber Essentials certification through The Cyber Highway will have access to AIG's CyberEdge range of cyber liability insurance cover at reduced rates. Cyber Highway said it was in talks with 300 companies representing supply chain businesses in the retail and technology sectors about getting onto its platform. The organisation has also signed up an unnamed High Street bank as a customer.

Government suppliers are another potential source of customers. Malcolm Carrie, industry programme director of the Defence Cyber Protection Partnership, said, “Cyber Essentials is the ground level for the Defence supply chain – the Defence Cyber Protection Partnership has layered further controls on top of it to address higher-risk scenarios.
Smoothing the path to obtaining Cyber Essentials certification is welcome.” Overseas governments are also in talks with Cyber Essentials Direct about implementing the Cyber Essentials programme in their own countries.  For example, CyberNB (Cyber New Brunswick), Canada’s first provincial body to develop a comprehensive cyber security strategy, is weighing up the benefits of The Cyber Highway. ®