JRB - Fotolia

Bulk data collection unnecessary for surveillance, says cyber expert

Opting for bulk data collection and other intrusive surveillance overlooks other means available that do not involve collateral damage to businesses and innocent people, says cyber expert

Bulk data collection provided by the UK’s draft Investigatory Powers Bill is unnecessary for security and law enforcement surveillance, according to Erka Koivunen, cyber security advisor at F-Secure.

Authorities believe the internet is going “dark” due to the increasing use of encryption and therefore feel the need for bulk data collection, but this overlooks all that can be done with the metadata that is available, he told Computer Weekly.

Koivunen, who was called to give evidence to the Joint Committee appointed to examine the bill, agrees with the findings of Harvard’s Berkman Center for Internet and Society.

According to the Berkman report published on 1 February 2016, the trend towards encryption will not make it impossible to surveil criminals and bad actors for four main reasons.

First, the report notes that metadata is not encrypted, and the vast majority is likely to remain so because it needs to stay unencrypted for the systems to operate.

Location data from cell phones and other devices, telephone calling records, and header information in e-mail provides an enormous amount of surveillance data that was unavailable before these systems became widespread, the report said.

Second, the report said end-to-end encryption and other technological architectures for obscuring user data are unlikely to be adopted ubiquitously by companies. This is because the majority of businesses that provide communications services rely on access to user data for revenue streams and product functionality, including user data recovery should a password be forgotten.

Third, the report said software ecosystems tend to be fragmented, and for encryption to become both widespread and comprehensive, far more co-ordination and standardisation than currently exists would be required.

Finally, the report said networked sensors and the internet of things have the potential to drastically change surveillance because the images, video and audio captured by these devices may enable real-time intercept and recording with after-the fact access.“Thus an inability to monitor an encrypted channel could be mitigated by the ability to monitor from afar a person through a different channel,” the report said.

Alternative ways to collect information

The report, said Koivunen, supports the call for a more targeted, less intrusive approach to surveillance for security and law enforcement purposes than the one outlined by the draft bill.

“The requirement to provide back door access to encrypted data is absurd, especially as merely inspecting the metadata – which can be collected in a targeted way – can reveal a lot about what a suspect is doing, who they are interacting with, and anticipating what they will do next,” he said.  

Koivunen said information can also be gathered by using traditional surveillance methods such as putting a tail on suspects in the physical world, installing microphones in their homes and cars, and installing surveillance software on their mobile devices and computers.

“There are lot of ways of getting information about suspects without causing collateral damage to the infrastructure, other people and businesses,” he said.

Concern around trust in security services

F-Secure, as a supplier of encryption services, is among the technology firms that have expressed concerns about the draft bill’s potential effect on their business model.

In a joint written submission to the Joint Committee, Facebook, Google, Microsoft, Twitter and Yahoo said they are particularly concerned about extraterritorial jurisdiction, encryption, Data retention, judicial authorisation, bulk data collection, transparency and computer network exploitation.

As a Finnish company, Koivunen said F-Secure has always had the “luxury” of being free to design its products and services without fear of government interference, as Finland does not have any legislation requiring back door access to communications or weakened encryption.

But as a global supplier of information security products and services, he said F-Secure is concerned whenever there is an attempt “to shake that status quo” anywhere in the world that will undermine trust in all cyber security or privacy products and services.

UK bill could undermine user confidence

Koivunen said it is difficult for F-Secure to offer its Freedome mobile privacy app in some countries such as China. “The immediate fear for us when reading the [UK draft investigatory powers] bill was that the UK would also become one of those countries.”

Although F-Secure will try to follow whatever law the UK eventually passes, he said the company hopes that the final version is not worded in such a way that will undermine local user confidence in the company’s products and services because of fears of communications interception.

“Freedome promises users that it makes communications private, untrackable and anonymous, but some of the proposals in the draft bill are aimed at countering that,” said Koivunen.

Some encryption service providers, such as Echoworx, have threatened to leave the UK if the final version of the legislation requires weakened encryption or back door access, which could have severe economic consequences.

In addition to technology firms, Koivunen said the draft legislation will have a negative effect on businesses that use encryption, but are building the internal capacity to inspect content to improve defences against malware.

However, he said some of these companies are likely to feel uneasy about legislation that could force them to use this capability to collect data and surrender it to the government.

“The UK government needs to provide assurances that access to this internal data would not be required, that companies will be allowed to conduct their business safely, and that they will not become collateral damage because only suspects will be targeted,” said Koivunen.

Follow Finland’s example

The UK should follow the example of Finland, he said. In response to concerns from the IT industry and civil liberties groups, Finland gave the clear assurance that its current process of reforming surveillance legislation would not result in a requirement for back door access.

“We would like greater clarity around the issues of back door access and weakened encryption, as well as greater clarity on exactly how and when the most extreme measure would be used, how the government will ensure that they are used correctly and proportionately, and how security and privacy suppliers will be required to co-operate,” said Koivunen.  

The Joint Committee report, due to be published on 11 February 2016, will be the second report for legislators to consider in drafting a final text for new UK surveillance legislation.  

The first report on a parallel inquiry by parliament’s Science and Technology Committee published on 1 February 2016 said the draft is too vague and needs to be redrafted to avoid economic damage.

Committee chair Nicola Blackwood said it is vital to get the balance right between protecting security and the health of the UK economy.

“We need our security services to be able to do their job and prevent terrorism but, as legislators, we need to be careful not to inadvertently disadvantage the UK’s rapidly growing technology sector,” she said.

Read more about the draft Investigatory Powers Bill

  • Philip Virgo questions whether government is willing to pay for a surveillance regime that is fit for purpose.
  • The draft Investigatory Powers Bill could have major implications for telecommunication companies operating in the UK.
  • The draft Investigatory Powers Bill’s plan to increase surveillance is already controversial, but there are growing concerns over potential economic consequences.
  • UK information commissioner Christopher Graham calls for a regular review of interception powers and greater audit powers.

Read more on Privacy and data protection

Data Center
Data Management