Tag: Home Secretary
A backlash derailed that draft law. No such backlash happened in the UK over the Investigatory Powers Bill, though, and so here we are. Web browser histories logged by ISPs 24/7, and the looming possibility of crippled cryptography.
There may be not much point using a VPN to conceal your web activities if it can be blown open by a technical capability notice. To be fair, there were some fears that Blighty's law would effectively kill off the UK software industry as well as undermine Brits' privacy, and expose them to surveillance and hacking by criminals exploiting these mandatory backdoors.
This mild panic did bring about some changes to the UK's Investigatory Powers Bill before it was passed. The question is: were the changes sufficient? The "anti-encryption" part of what is now UK law has moved from section 217 to sections 254-256 [PDF] and contains some additional safeguards.
But those safeguards, as they often are, are largely a judgement call by a Secretary of State. The wording is slightly improved in that by introducing any one of the Secretaries of State as a required signatory to any "technical capability notices", it introduces a minor choke-point and a degree of accountability. Rather than the security services or police being able to force any communications provider to tell them their new product plans and oblige technical changes, the issue will have to bubble up to the desk of a Cabinet minister, probably the Home Secretary.

Consultation

Once on his or her desk, one of the Secretaries of State will have to "consider that the conduct required by the notice is proportionate to what is sought to be achieved by that conduct." He or she will also have to consult the "Technical Advisory Board" – which was created in response to another unpopular piece of technical legislation, RIPA – and people that are "likely to be subject to any obligations specified in the regulations." Any notice that the secretary then decides to push forward will have to be approved by a "Judicial Commissioner" – a judge appointed by the Prime Minister in that role – who will take into account the same factors as the secretary but, critically, also have to consider "the same principles as would be applied by a court on an application for judicial review." If the commissioner refuses to approve the decision, he or she must provide a written reason for doing so.
But that decision can then be overridden by the new Investigatory Powers Commissioner. The Investigatory Powers Commissioner has been created specifically for this legislation and will be appointed by the Prime Minister.
That in itself was an issue subject to some debate with a select committee of MPs arguing that the commissioner should be appointed by the Lord Chief Justice rather than the Prime Minister.
In the end, the government won out. Some further improvements come in the form of more precise wording.
Any notice would have to specify what sort of obligation will be applied to a communications provider. Most noteworthy in this context is section 254(5)(c):

The obligations that may be specified in regulations under this section include, among other things ... obligations relating to the removal by a relevant operator of electronic protection applied by or on behalf of that operator to any communications or data.

Other obligations are clearly intended to allow for government tapping of internet communications and after-the-fact provision of stored data from ISPs.

Consideration

There is also a list of things a Secretary of State must consider before posting a relevant notice, including:

- likely benefits of the notice
- number of users
- technical feasibility of complying
- cost of complying, and
- "any other effect of the notice on the person"

In short, what the law's passage through Parliament has done to the UK government's ability to force tech companies and telcos to introduce backdoors into their technologies is make it slower and a little tougher. Does it prevent the UK government from breaking encryption? It absolutely does not.
In fact, it foresees it. Does it mean that customers will be made aware that their communications and traffic are compromised by a backdoor? No, it does not.
All of the checks and balances are safely contained within the upper levels of government and the judiciary. Based on what both the UK and US governments have done in the past with all-encompassing orders that are time-based rather than product-based, and considering the fact that there is nothing that says it has to be done on a case-by-case basis, it's a safe bet that the government will approve one-size-fits-all "technical capability" notices for specific companies. Where will the balance between protecting consumers and providing access to law enforcement and security services lie? We will likely never know in any useful detail, since no one is under any obligation to make that reasoning or argument available outside the small group of individuals that take the decision.

Nuts of it

Most critically, if a Cabinet minister decides he or she wants a backdoor to be introduced into some software, is there anything that can stop him or her? The answer to that is almost certainly no, except that he or she can be slowed down and would likely make some concessions to move ahead. If the Home Secretary and the Prime Minister both want a backdoor into some service, is there anything that can stop them? Again, no, but a brave Investigatory Powers Commissioner could delay it for a few years.

And in the broader picture, will the UK government be able to force the likes of Twitter or Facebook or Google or Apple to introduce backdoors and/or hand over user data? The answer to that is: let's wait and see. The UK government can certainly insist that a company not based in the UK carry out its orders – that situation is specifically included in the new law – but as to whether it can realistically impose such a requirement, well, that will come down to how far those companies are willing to push back and how much they are willing to walk away from the UK market.
At the end of the day, will the UK security services be able to read your email, your messages, your posts and private tweets, and your communications if they believe you pose a threat to national security? Yes, they will. Will they do it for less than that? You'll probably have to ask the Home Secretary.
A controversial UK surveillance bill has become law, despite efforts to stop it.
The Investigatory Powers Act 2016 today received the final stamp of approval from the Queen—a practice called Royal Assent.
It requires telecom firms to store customers' Internet Connection Records for 12 months.
These records include top-level domains you visited, but not sub-pages (so it would show pcmag.com but not pcmag.com/apple or pcmag.com/android, for example).
This data would be accessible by law enforcement and intelligence agencies provided they secure the necessary warrants and judicial approvals, and be used to "disrupt terrorist attacks and prosecute suspects," according to the UK Home Office.
"The Internet presents new opportunities for terrorists and we must ensure we have the capabilities to confront this challenge," Home Secretary Amber Rudd said in a statement. "But it is also right that these powers are subject to strict safeguards and rigorous oversight."
That oversight includes an Investigatory Powers Commissioner to oversee the program, and protections for journalistic and legally privileged material, as well as tough sanctions for those abusing their power.
Security advocates, however, still have concerns about the law, which has been dubbed the "Snooper's Charter."
As Big Brother Watch notes, for example, a 2000 version of the bill provided 28 government organizations access to communications data. "Under the new Investigatory Powers Bill, this has now been extended to 48 organizations which now also have the power to snoop on citizen's browsing histories."
It also "extends the level of access police and intelligence agencies have to citizen's communications data and allows them to collect information on people's phone calls, text messages and social media conversations upon request," the group says.
A petition calling for an end to the Investigatory Powers Act launched earlier this year and has secured more than 138,000 digital signatures.
Since it got more than 100,000 signatures, the issue will get debated in Parliament, but that occurred after the bill had passed through its parliamentary stage, so the debate shouldn't result in any major changes.
"This government is clear that, at a time of heightened security threat, it is essential our law enforcement, security and intelligence services have the powers they need to keep people safe," Rudd said.
Some provisions in the bill require testing and will not be set into motion "for some time," according to the Home Office.
All other mandates—like Internet Connection Records—are moving forward as the new law replaces 2014's Data Retention and Investigatory Powers Act, which sunsets on Dec. 31.
The 31-year-old—who has Asperger's syndrome—faces up to 99 years in prison and fears for his own life, his lawyers have said. A home office spokesperson told Ars: "On Monday 14 November, the secretary of state, having carefully considered all relevant matters, signed an order for Lauri Love’s extradition to the United States. Mr Love has been charged with various computer hacking offences which included targeting US military and federal government agencies." Rudd considered four so-called legal tests of the Extradition Act 2003: whether Love is at risk of the death penalty; whether specialty arrangements are in place; whether Love has previously been extradited from another country to the UK, thereby requiring consent from that country; and whether Love was previously transferred to the UK by the International Criminal Court. However, the home secretary concluded that none of these issues applied to Love. The extradition comes after more than 100 MPs recently penned a letter to President Barack Obama, urging him to prevent Love's extradition to the US on the grounds that the hacking suspect's case is similar to that of British citizen Gary McKinnon, whose extradition to the US was blocked in 2012 by then Home Secretary Theresa May. At the time, May introduced a forum bar to stop extradition in cases where the defendants' human rights were said to be at risk.
But the prime minister recently noted that the legal position for the forum bar had been changed, adding that it was "now a matter for the courts." In September, District Judge Nina Tempia ruled that Love should be extradited to the US to face trial over the alleged hacking of the US missile defence agency, the FBI, and America's central bank.
At the time, Tempia said that she was satisfied that the decision was "compatible" with Love's Convention rights. On Tuesday, the home office said in its "Lauri Love Fact Sheet": The legislation does not permit the home secretary to consider human rights or health issues in extradition cases, nor would it be appropriate for the home secretary to do so. It is for a judge to decide whether or not extradition breaches an individual's human rights, or whether their health makes it unjust or oppressive to extradite them. Love's lawyers now have 14 days to mount an appeal against his extradition to the US. "We will be appealing," Love's father, Alexander Love told the BBC. "We are talking to our lawyers.
It was going to happen—it was inevitable—but it's still painful. "I cannot begin to express how much sorrow it causes me.
All we are asking for is British justice for a British citizen." This post originated on Ars Technica UK
If convicted, he could face a maximum sentence of 99 years. However, his legal team has previously said that Love will seek permission to appeal his extradition to the U.K.'s High Court.
The 31-year-old, who suffers from Asperger syndrome, faces 99 years in prison and millions of dollars in fines if he's convicted. "On Monday 14 November, the Secretary of State, having carefully considered all relevant matters, signed an order for Lauri Love's extradition to the United States," Home Office spokeswoman Rosie Libell told The Reg. "Mr Love has been charged with various computer hacking offences, which include targeting US military and federal government agencies." Love faces up to three trials in the US on hacking charges and, thanks to an extradition agreement arranged by then-Prime Minister Tony Blair, American prosecutors don't have to show evidence before a British court beforehand. Love now has 14 days to appeal Rudd's decision. In court, Love's lawyers have argued that Love, who has suffered mental illness for most of his life, would be at high risk of suicide if extradited.
In September, a British court ruled that this was not enough to stop his extradition, but on Monday Love reiterated that he was not going to travel to the US.

Have I mentioned recently that I have absolutely zero intention of being taken to the USA against my will to be subjected to state violence? — Lauri Love (@LauriLoveX) November 12, 2016

(In the event of my death or disappearance a series of automated measures will trigger and numerous newsworthy revelations can be expected.) — Lauri Love (@LauriLoveX) November 14, 2016

Love's case has sparked huge amounts of interest and support. Last month over 100 members of parliament signed an open letter to US President Barack Obama, asking the leader of the Land of the Free™ to reconsider the extradition. So far there has been no response, and Love is unlikely to get any mercy from President-elect Trump.
The 31-year-old faces up to 99 years in prison in the US if convicted.
According to his lawyers, Love has said he fears for his life. Hacking allegations against Love stem from the Anonymous-related #OpLastResort hack in 2013.
The initiative targeted the US Army, the US Federal Reserve, the FBI, NASA, and the Missile Defense Agency in retaliation over the tragic suicide of Aaron Swartz as the hacktivist infamously awaited trial. Love is accused of participating through SQL injection attacks. Love's legal team have argued that their client's case is similar to that of British citizen Gary McKinnon, whose extradition to the US was blocked in 2012 by then home secretary Theresa May.
At the time, May introduced a forum bar to stop extradition in cases where the defendants' human rights were said to be at risk. Hancock, who is the Love family's local MP, signed the letter alongside a cross-party coalition of 104 other politicos.
The missive to Obama asks: The UK has prosecuted at least twelve computer hackers who have hacked US-based computer systems.
Indeed, Mr Love would be the first UK-based computer hacker to be extradited and denied the opportunity to face a full prosecution in the UK.
The UK criminal justice system is equipped to bring justice through sentencing and rehabilitating people who are adjudged to have committed these crimes. Many of these twelve cases did not involve individuals who have significant mental health issues, nor Asperger Syndrome and were not at a high-risk of suicide, yet they were not extradited. We would like to ask, why then is the United States insistent on Mr Love's extradition despite the UK having a proven track record of appropriately sentencing and rehabilitating individuals who have committed computer hacking offences against the US?

The MPs seek an "act of compassion" from the US president by urging him in his final days of office to personally intervene in the case, kill the extradition order, and allow it to be heard in the UK. "You would be acting to prevent this vulnerable and mentally unwell man from being placed in a situation where he will most probably take his own life," the letter states. Prime minister May—when recently quizzed in parliament by McKinnon campaigner and MP David Burrowes—said of the forum bar: "We subsequently changed the legal position on that, so it is now a matter for the courts.
There are certain parameters that the courts look at in terms of the extradition decision and that is then passed to the home secretary.
It is for the courts to determine the human rights aspects of any case that comes forward." She added: "It was right, I think, to introduce the forum bar to make sure there was that challenge for cases here in the United Kingdom, as to whether they should be held here in the United Kingdom, but the legal process is very clear and the home secretary is part of that legal process."
But Russia is by no means the only nation chancing its arm with government hacks. Last year, the NSA was accused of spying on Angela Merkel and other high-ranking German officials using Regin malware. This isn't the first time Apple Watches have disrupted cabinet meetings.
The Telegraph also reports that when Gove was chief whip he accidentally played a few bars of a Beyonce song while "surreptitiously checking his e-mails."
The resource offers a “user-friendly online portal for large enterprises that want to strengthen the cyber defence of their supply chain.” Corporations will, essentially, be able to monitor in real-time the progress their suppliers are making en route to Cyber Essentials certification. Cyber Essentials is a UK government scheme that launched in June 2014 and is designed to help organisations protect themselves against hackers and malware infections.
It’s largely about baseline security controls. So basically, Cyber Highway ensures that your suppliers are following the Cyber Essentials requirements of good security – which is crucial as more and more Whitehall departments insist on suppliers being Cyber Essentials certified. Lord Blunkett – a former Home Secretary and chairman of Cyber Essentials Direct, the outfit behind The Cyber Highway – said: “The UK Government has made significant progress.
Government departments now require suppliers bidding for particular contracts to be Cyber Essentials certified, and next month sees the launch of the National Cyber Security Centre.
These are all steps in the right direction but we can and must go further, especially to assist many more companies to become certified.” Small organisations account for 92 per cent of cyber attacks, often because of limited resources.
The issue of vulnerabilities in third-party suppliers leading to compromises of the companies they serve has been around for years, and gained much greater prominence after a mega-breach at US retailer Target was traced back to its refrigeration, heating and air conditioning subcontractor. Cyber Essentials Direct chief exec John Lyons said: "We have spent the last eighteen months designing a practical and helpful approach to help de-risk and secure otherwise vulnerable supply chains from cyber attack."

All about the baseline

Javvad Malik, security advocate at security tools firm AlienVault, said that Cyber Essentials was helpful in improving baseline security standards. "There definitely have been benefits from cyber essentials," Malik explained. "Many small businesses that were not even aware of security needs or requirements have, by way of Cyber Security Essentials, been able to establish a baseline.
The better-equipped and aware of security needs companies are, the better the chance they can spot, prevent, and respond to a cyber attack. However, we may not see a visible reduction in the amount of data breaches immediately.
The process needs time to distil through organisations.
During this time, it is likely that attackers will change their tactics – but overall the security bar will be raised. "The most important thing enterprises should be doing is [to] know what their assets are, where they are located, and be aware of when [they are] attacked, compromised, or stolen," Malik added. Gubi Singh, COO at pen testing and management threat detection firm Redscan, noted that many businesses, particularly small- and medium-sized ones, are "still complacent" about the risks posed by cyber threats. "Obtaining accreditation like Cyber Essentials demonstrates to customers, partners and investors that a company takes protection of data seriously, and many businesses are now waking up to the competitive advantages of having effective security controls in place," Singh said. "Compliance is not a tick box exercise, however. With the threat landscape evolving on a daily basis, defences and processes need to be continually reviewed to keep pace with the latest attacks," he added.

Prospects

Firms that gain Cyber Essentials certification through The Cyber Highway will have access to AIG's CyberEdge range of cyber liability insurance cover at reduced rates. Cyber Highway said it was in talks with 300 companies representing supply chain businesses in the retail and technology sectors about getting onto its platform. The organisations have also signed up an unnamed High Street bank as a customer.
Government suppliers are another potential source of customers. Malcolm Carrie, industry programme director of the Defence Cyber Protection Partnership, said, “Cyber Essentials is the ground level for the Defence supply chain – the Defence Cyber Protection Partnership has layered further controls on top of it to address higher-risk scenarios.
Smoothing the path to obtaining Cyber Essentials certification is welcome." Overseas governments are also in talks with Cyber Essentials Direct about implementing the Cyber Essentials programme in their own countries. For example, CyberNB (Cyber New Brunswick), Canada's first provincial body to develop a comprehensive cyber security strategy, is weighing up the benefits of The Cyber Highway.